Configuring Ani - Foundry Networks Switch and Router Installation And Configuration Manual

Configuring TACACS+ Accounting
Foundry devices support TACACS+ accounting for recording information about user activity and system events.
When you configure TACACS+ accounting on a Foundry device, information is sent to a TACACS+ accounting
server when specified events occur, such as when a user logs into the device or the system is rebooted.
Configuring TACACS+ Accounting for Telnet/SSH (Shell) Access
To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user establishes a
Telnet or SSH session on the Foundry device, and an Accounting Stop packet when the user logs out:
BigIron(config)# aaa accounting exec default start-stop tacacs+
Syntax: aaa accounting exec default start-stop radius | tacacs+ | none
Configuring TACACS+ Accounting for CLI Commands
You can configure TACACS+ accounting for CLI commands by specifying a privilege level whose commands
require accounting. For example, to configure the Foundry device to perform TACACS+ accounting for the
commands available at the Super User privilege level (that is, all commands on the device), enter the following
command:
BigIron(config)# aaa accounting commands 0 default start-stop tacacs+
An Accounting Start packet is sent to the TACACS+ accounting server when a user enters a command, and an
Accounting Stop packet is sent when the service provided by the command is completed.
NOTE: If authorization is enabled, and the command requires authorization, then authorization is performed
before accounting takes place. If authorization fails for the command, no accounting takes place.
Syntax: aaa accounting commands <privilege-level> default start-stop radius | tacacs+ | none
The <privilege-level> parameter can be one of the following:
0 – Records commands available at the Super User level (all commands)
4 – Records commands available at the Port Configuration level (port-config and read-only commands)
5 – Records commands available at the Read Only level (read-only commands)
Configuring TACACS+ Accounting for System Events
You can configure TACACS+ accounting to record when system events occur on the Foundry device. System
events include rebooting and changes to the active configuration.
The following command causes an Accounting Start packet to be sent to the TACACS+ accounting server when a
system event occurs, and an Accounting Stop packet to be sent when the system event is completed:
BigIron(config)# aaa accounting system default start-stop tacacs+
Syntax: aaa accounting system default start-stop radius | tacacs+ | none
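The following is an added example, not part of the Foundry manual: a Python check over a saved configuration that reports which of the three accounting types above are missing, use a method other than tacacs+, or (for command accounting) use a privilege level that records only a subset of commands. The sample configurations are constructed, and the script assumes that accounting lines appear in the configuration in the same form as they are entered at the CLI.

```python
import re

# Matches the three "aaa accounting ... default start-stop <method>" forms in the manual.
LINE_RE = re.compile(
    r"^\s*aaa accounting (exec|commands|system)(?: (\d+))? default start-stop (\S+)\s*$"
)
# Privilege levels and what each one records, as listed in the manual.
LEVELS = {0: "Super User (all commands)",
          4: "Port Configuration (port-config and read-only commands)",
          5: "Read Only (read-only commands)"}

def audit_accounting(config_text, method="tacacs+"):
    """Return a list of findings for the accounting lines in a configuration."""
    seen = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            kind, level, server = m.groups()
            seen[kind] = (int(level) if level is not None else None, server)
    findings = []
    for kind in ("exec", "commands", "system"):
        if kind not in seen:
            findings.append(f"{kind}: accounting not configured")
            continue
        level, server = seen[kind]
        if server != method:
            findings.append(f"{kind}: method is '{server}', expected '{method}'")
        if kind == "commands":
            if level not in LEVELS:
                findings.append(f"commands: invalid privilege level {level}")
            elif level != 0:
                findings.append(f"commands: level {level} records only {LEVELS[level]}")
    return findings

# Constructed sample configurations (not taken from a real device).
GOOD = """aaa accounting exec default start-stop tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting system default start-stop tacacs+
"""
WEAK = """aaa accounting exec default start-stop tacacs+
aaa accounting commands 5 default start-stop tacacs+
aaa accounting system default start-stop none
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_accounting(cfg) or "all three accounting types enabled")
```

An empty result means shell sessions, all CLI commands, and system events are all being reported to the TACACS+ accounting server.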
Configuring an Interface as the Source for All TACACS/TACACS+ Packets
You can designate the lowest-numbered IP address configured on an Ethernet port, POS port, loopback interface, or
virtual interface as the source IP address for all TACACS/TACACS+ packets from the Layer 3 Switch. Identifying
a single source IP address for TACACS/TACACS+ packets provides the following benefits:
If your TACACS/TACACS+ server is configured to accept packets only from specific links or IP addresses, you
can use this feature to simplify configuration of the TACACS/TACACS+ server by configuring the Foundry
device to always send the TACACS/TACACS+ packets from the same link or source address.
If you specify a loopback interface as the single source for TACACS/TACACS+ packets, TACACS/TACACS+
servers can receive the packets regardless of the states of individual links. Thus, if a link to the TACACS/
TACACS+ server becomes unavailable but the client or server can be reached through another link, the client
or server still receives the packets, and the packets still have the source IP address of the loopback interface.
December 2000
Securing Access to Management Functions
3 - 27
