Configuring Accounting For Network Access - Cisco PIX 500 Series Configuration Manual

Configuring Accounting for Network Access

Downloaded access lists have two spaces between the word "access-list" and the name. These spaces
serve to differentiate a downloaded access list from a local access list. In this example, "79AD4A08" is
a hash value generated by the security appliance to help determine when access list definitions have
changed on the RADIUS server.
Converting Wildcard Netmask Expressions in Downloadable Access Lists
If a RADIUS server provides downloadable access lists to Cisco VPN 3000 series concentrators as well
as to the security appliance, you may need the security appliance to convert wildcard netmask
expressions to standard netmask expressions. This is because Cisco VPN 3000 series concentrators
support wildcard netmask expressions but the security appliance only supports standard netmask
expressions. Configuring the security appliance to convert wildcard netmask expressions helps minimize
the effects of these differences upon how you configure downloadable access lists on your RADIUS
servers. Translation of wildcard netmask expressions means that downloadable access lists written for
Cisco VPN 3000 series concentrators can be used by the security appliance without altering the
configuration of the downloadable access lists on the RADIUS server.
You configure access list netmask conversion on a per-server basis, using the acl-netmask-convert
command, available in the aaa-server configuration mode. For more information about configuring a
RADIUS server, see
information about the acl-netmask-convert command, see the Cisco Security Appliance Command
Reference.
Configuring a RADIUS Server to Download Per-User Access Control List Names
To download a name for an access list that you already created on the security appliance from the
RADIUS server when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute
number 11) as follows:
filter-id= acl_name
Note In Cisco Secure ACS, the value for filter-id attributes are specified in boxes in the HTML interface,
omitting filter-id= and entering only acl_name.
For information about making unique per user the filter-id attribute value, see the documentation for your
RADIUS server.
See the
appliance.
Configuring Accounting for Network Access
The security appliance can send accounting information to a RADIUS or TACACS+ server about any
TCP or UDP traffic that passes through the security appliance. If that traffic is also authenticated, then
the AAA server can maintain accounting information by username. If the traffic is not authenticated, the
AAA server can maintain accounting information by IP address. Accounting information includes when
sessions start and stop, username, the number of bytes that pass through the security appliance for the
session, the service used, and the duration of each session.
To configure accounting, perform the following steps:
Cisco Security Appliance Command Line Configuration Guide
19-14
"Identifying AAA Server Groups and Servers" section on page
"Adding an Extended Access List" section on page 16-5
Chapter 19 Applying AAA for Network Access
13-9. For more
to create an access list on the security
OL-12172-03