Configuring Accounting For Network Access - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

Configuring Accounting for Network Access

The security appliance can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP traffic that passes through the security appliance. If that traffic is also authenticated, then the AAA server can maintain accounting information by username. If the traffic is not authenticated, the AAA server can maintain accounting information by IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session.

To configure accounting, perform the following steps:

Step 1  If you want the security appliance to provide accounting data per user, you must enable authentication. For more information, see the "Enabling Network Access Authentication" section on page 16-5. If you want the security appliance to provide accounting data per IP address, enabling authentication is not necessary and you can continue to the next step.

Step 2  Using the access-list command, create an access list that identifies the source addresses and destination addresses of traffic you want accounted. For steps, see the "Adding an Extended Access List" section on page 19-3.

The permit ACEs mark matching traffic for authorization, while deny entries exclude matching traffic from authorization.

Note  If you have configured authentication and want accounting data for all the traffic being authenticated, you can use the same access list you created for use with the aaa authentication match command.

Step 3  To enable accounting, enter the following command:

hostname(config)# aaa accounting match acl_name interface_name server_group

Note  Alternatively, you can use the aaa accounting include command (which identifies traffic within the command), but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information.

The following commands authenticate, authorize, and account for inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization and accounting.

hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
hostname(config)# aaa accounting match SERVER_AUTH inside AuthOutbound

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, Chapter 19, Applying AAA for Network Access, page 19-12
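The two notes above (reuse the authentication access list; never mix aaa accounting match with aaa accounting include) and the per-user versus per-IP distinction in Step 1 are the kind of constraints worth checking before a configuration is pushed. The following script is an added example written for this page, not Cisco code and not a Cisco tool; it parses the aaa-server, access-list and aaa ... match lines of a saved configuration (prompts stripped) and reports accounting rules that reference undefined names, configurations that use both accounting methods, and interfaces where accounting is enabled without authentication, so records will be keyed by IP address rather than username. The sample configuration is constructed from the manual's example; the aaa accounting include line in the second sample is a constructed test input, and the function and finding names are the script's own.

```python
"""Audit ASA-style AAA accounting lines from a running-config text (added example)."""
import re

# Constructed sample, built from the manual's example with the hostname prompts removed.
SAMPLE_CONFIG = """
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.1
access-list TELNET_AUTH extended permit tcp any any eq telnet
access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
aaa authentication match TELNET_AUTH inside AuthOutbound
aaa authorization match SERVER_AUTH inside AuthOutbound
aaa accounting match SERVER_AUTH inside AuthOutbound
"""

# Constructed negative sample: undefined ACL, no authentication on the interface,
# and both accounting methods present in one configuration.
BAD_CONFIG = """
aaa-server AuthOutbound protocol tacacs+
aaa accounting match MISSING_ACL outside AuthOutbound
aaa accounting include any inside 0 0 0 0 AuthOutbound
"""

AAA_MATCH_RE = re.compile(r"^aaa (authentication|authorization|accounting) match (\S+) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) ")
SERVER_GROUP_RE = re.compile(r"^aaa-server (\S+) protocol ")
ACCT_INCLUDE_RE = re.compile(r"^aaa accounting include ")


def parse_config(text):
    """Collect defined access lists, server groups, aaa ... match rules and whether
    the include form of accounting appears anywhere in the text."""
    acls, groups, rules = set(), set(), []
    include_used = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := SERVER_GROUP_RE.match(line):
            groups.add(m.group(1))
        elif m := AAA_MATCH_RE.match(line):
            rules.append({"kind": m.group(1), "acl": m.group(2),
                          "interface": m.group(3), "group": m.group(4)})
        elif ACCT_INCLUDE_RE.match(line):
            include_used = True
    return {"acls": acls, "groups": groups, "rules": rules, "include_used": include_used}


def audit_accounting(cfg):
    """Return (severity, message) findings for every aaa accounting match rule."""
    findings = []
    acct_rules = [r for r in cfg["rules"] if r["kind"] == "accounting"]
    auth_rules = [r for r in cfg["rules"] if r["kind"] == "authentication"]
    # The manual's Step 3 note: the match and include forms cannot coexist.
    if acct_rules and cfg["include_used"]:
        findings.append(("error", "aaa accounting match and aaa accounting include cannot both be used"))
    for r in acct_rules:
        if r["acl"] not in cfg["acls"]:
            findings.append(("error", f"accounting references undefined access list {r['acl']}"))
        if r["group"] not in cfg["groups"]:
            findings.append(("error", f"accounting references undefined server group {r['group']}"))
        # Step 1: without authentication on the interface, accounting is valid but keyed by IP address.
        if not any(a["interface"] == r["interface"] for a in auth_rules):
            findings.append(("info", f"no authentication on interface {r['interface']}; "
                                     f"records for {r['acl']} are keyed by IP address, not username"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse a config text and audit its accounting rules."""
    return audit_accounting(parse_config(text))


if __name__ == "__main__":
    for name, text in (("manual example", SAMPLE_CONFIG), ("constructed bad config", BAD_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit_text(text) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

The script only recognizes the command forms shown on this page; a real configuration audit would also have to follow object-group references inside the access lists and account for the aaa-server host lines, which are parsed here only to the extent of ignoring them.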