Method Lists And Server Groups - Cisco Catalyst 2960 series Configuration Manual

Consolidated Platform Configuration Guide, IOS Release 15.2(4)E

• Commands: Provides information about the EXEC mode commands that a user issues. Command
accounting generates accounting records for all EXEC mode commands, including global configuration
commands, associated with a specific privilege level.
• Connection: Provides information about all outbound connections made from the network access
server, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and
rlogin.
• System: Provides information about system-level events.
• Resource: Provides "start" and "stop" records for calls that have passed user authentication, and provides
"stop" records for calls that fail to authenticate.
• VRRS: Provides information about Virtual Router Redundancy Service (VRRS).
Note: System accounting does not use named accounting lists; only the default list for system accounting can
be defined.
Once again, when a named method list is created, a particular list of accounting methods for the indicated
accounting type is defined.
Accounting method lists must be applied to specific lines or interfaces before any of the defined methods are
performed. The only exception is the default method list (which is named "default"). If the aaa accounting
command for a particular accounting type is issued without specifying a named method list, the default method
list is automatically applied to all interfaces or lines except those that have a named method list explicitly
defined (a defined method list overrides the default method list). If no default method list is defined, then no
accounting takes place.
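The rule above can be checked mechanically when auditing a device for lines that generate no accounting records. The following Python sketch is an added example, not part of the Cisco guide: the sample configuration, the list name ADMIN-CMDS and the function names are constructed for illustration, and it assumes the line-mode form `accounting <type> <list-name>` for binding a named list to a line.

```python
import re

# Constructed sample config for illustration (not taken from the guide).
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 ADMIN-CMDS start-stop group tacacs+
!
line con 0
line vty 0 4
 accounting commands 15 ADMIN-CMDS
line vty 5 15
"""

ACCT_TYPE = r"(commands \d+|exec|connection|system|resource)"

def parse(config):
    """Return (lists, lines): defined method lists and per-line bindings."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        if m := re.match(rf"aaa accounting {ACCT_TYPE} (\S+) (.+)", raw):
            lists[(m.group(1), m.group(2))] = m.group(3).strip()
            current = None
        elif m := re.match(r"line (.+)", raw):
            current = m.group(1).strip()
            lines[current] = {}
        elif current and (m := re.match(rf"\s+accounting {ACCT_TYPE} (\S+)", raw)):
            lines[current][m.group(1)] = m.group(2)
        elif not raw.startswith(" "):
            current = None  # left line configuration mode
    return lists, lines

def effective_accounting(config, acct_type):
    """Map each line to the methods applied for acct_type (None = no accounting)."""
    lists, lines = parse(config)
    result = {}
    for line, bound in lines.items():
        # A named list bound on the line overrides the default list.
        name = bound.get(acct_type, "default")
        # Assumption: a bound name with no matching definition yields None.
        result[line] = lists.get((acct_type, name))
    return result

def unaccounted_lines(config, acct_type):
    """Lines where acct_type produces no accounting records."""
    eff = effective_accounting(config, acct_type)
    return sorted(name for name, methods in eff.items() if methods is None)

if __name__ == "__main__":
    print(unaccounted_lines(SAMPLE_CONFIG, "commands 15"))
```

In the sample, EXEC accounting reaches every line through the default list, while level 15 command accounting applies only to vty 0 4 because no default list exists for that type.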
This section includes the following subsections:

Method Lists and Server Groups

A server group is a way to group existing LDAP, RADIUS, or TACACS+ server hosts for use in method lists.
The figure below shows a typical AAA network configuration that includes four security servers: R1 and R2
are RADIUS servers, and T1 and T2 are TACACS+ servers. R1 and R2 make up the group of RADIUS
servers. T1 and T2 make up the group of TACACS+ servers.
Using server groups, a subset of the configured server hosts can be specified and used for a particular
service. For example, server groups allow R1 and R2 to be defined as separate server groups, and T1 and T2
as separate server groups. This allows either R1 and T1 to be specified in the method list or R2 and T2 in the
method list, which provides more flexibility in the way that RADIUS and TACACS+ resources are assigned.
Server groups also can include multiple host entries for the same server, as long as each entry has a unique
identifier. The combination of an IP address and a UDP port number creates a unique identifier, allowing
different ports to be individually defined as RADIUS hosts providing a specific AAA service. In other words,
this unique identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP
address. If two different host entries on the same RADIUS server are configured for the same service (for
example, authorization), the second host entry configured acts as fail-over backup to the first one. Using this
example, if the first host entry fails to provide accounting services, the network access server tries the second
host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the
order they are configured.)
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
Information About Configuring Accounting