Configuring Accounting For Network Access - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI

Chapter 17
Applying AAA for Network Access
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01, page 17-13

Note: In Cisco Secure ACS, the values for filter-id attributes are specified in boxes in the HTML interface, omitting filter-id= and entering only acl_name.

For information about making the filter-id attribute value unique per user, see the documentation for your RADIUS server.

See the "Adding an Extended Access List" section on page 13-6 to create an access list on the FWSM.

Configuring Accounting for Network Access

The FWSM can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP traffic that passes through the FWSM. If that traffic is also authenticated, then the AAA server can maintain accounting information by username. If the traffic is not authenticated, the AAA server can maintain accounting information by IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the FWSM for the session, the service used, and the duration of each session.

To configure accounting, perform the following steps:

Step 1
If you want the FWSM to provide accounting data per user, you must enable authentication. For more information, see the "Enabling Network Access Authentication" section on page 17-3. If you want the FWSM to provide accounting data per IP address, enabling authentication is not necessary and you can continue to the next step.

Step 2
Using the access-list command, create an access list that identifies the source addresses and destination addresses of traffic you want accounted. For steps, see the "Adding an Extended Access List" section on page 13-6.

The permit ACEs mark matching traffic for authorization, while deny entries exclude matching traffic from authorization.

Note: If you have configured authentication and want accounting data for all the traffic being authenticated, you can use the same access list you created for use with the aaa authentication match command.

Step 3
To enable accounting, enter the following command:

hostname(config)# aaa accounting match acl_name interface_name server_group

Note: Alternatively, you can use the aaa accounting include command (which identifies traffic within the command), but you cannot use both methods in the same configuration. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information.

The following commands authenticate, authorize, and account for inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization and accounting.
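A configuration matching that description, as an added example that is not taken from the manual. The access list names TELNET_AUTH and SERVER_AUTH and the server group name AuthOutbound are hypothetical, and AuthOutbound is assumed to be an existing TACACS+ server group reachable from the FWSM.

```cisco
! Added example, entered in global configuration mode.
! Assumptions: TELNET_AUTH, SERVER_AUTH and AuthOutbound are hypothetical
! names; AuthOutbound is assumed to be an already configured TACACS+
! server group.
!
! Step 1: authenticate all Telnet traffic arriving on the inside interface,
! so that accounting records can be kept by username rather than IP address.
access-list TELNET_AUTH extended permit tcp any any eq telnet
aaa authentication match TELNET_AUTH inside AuthOutbound
!
! Step 2: a narrower access list that selects only Telnet to 209.165.201.5.
! Telnet to any other server matches TELNET_AUTH alone, so it is
! authenticated but neither authorized nor accounted.
access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
aaa authorization match SERVER_AUTH inside AuthOutbound
!
! Step 3: enable accounting for the traffic selected by the same access list.
aaa accounting match SERVER_AUTH inside AuthOutbound
```

Because accounting here uses the match form, the aaa accounting include form cannot be used in the same configuration.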


This manual is also suitable for: 7609-S, 7613, 7606-S, Catalyst 6500 series, 7600 series
