Configuring AAA Accounting on Standalone Content Engines
Collectively, authentication, authorization, and accounting are often referred to as AAA. AAA accounting is the action of keeping track of administrative user activities for system accounting purposes.
This chapter describes how to configure AAA accounting for standalone Content Engines that are running the ACNS 5.4.x software and later releases. This chapter contains the following sections:
• About AAA Accounting
• Configuring AAA Accounting Settings on Standalone Content Engines
• Displaying the AAA Accounting Configuration for Standalone Content Engines
• Displaying and Clearing AAA Accounting Statistics on Standalone Content Engines
Note: Transaction monitoring (recording information about end users' content requests) is tracked in the ACNS software transaction logs. Transaction monitoring is independent of AAA accounting, which tracks administrative user activities. For more information on transaction monitoring, see the "Monitoring Transactions with Standalone Content Engines" section on page 21-27.
For complete syntax and usage information for the CLI commands used in this chapter, see the Cisco ACNS Software Command Reference, Release 5.5 publication. For information about configuring AAA accounting for Content Engines that are registered with a Content Distribution Manager, see the Cisco ACNS Software Configuration Guide for Centrally Managed Deployments, Release 5.5.
About AAA Accounting
AAA accounting tracks the activities of an administrative user, and can be used for system accounting purposes (for example, as an audit trail, basis for billing for connection time or the resources used [bytes transferred], reporting purposes, or security purposes). In the ACNS 5.2 software and later releases, AAA accounting is supported with TACACS+; RADIUS is not currently supported.
The TACACS+ protocol allows effective communication of AAA information between Content Engines and a central server. TACACS+ uses TCP for reliable connections between clients and servers. Content Engines send authentication and authorization requests, as well as accounting information, to the specified TACACS+ server. By configuring AAA accounting with TACACS+, you can store this AAA information in a central database.
You can activate AAA accounting for four different types of events. (See Table 18-1.)
Table 18-1 Types of Events Supported for AAA Accounting
Columns: Type of Event / Description and More Information / Corresponding Content Engine CLI Command

System event
  System accounting for all system-level events that are not associated with administrators, such as reloads. See the "About System Accounting" section.
  CLI command: aaa accounting system default {start-stop | stop-only} tacacs

Exec shell and login/logout events
  EXEC shell accounting for EXEC processes (user shells). See the "About EXEC Shell Accounting" section for more information.
  CLI command: aaa accounting exec default {start-stop | stop-only | wait-start} tacacs

Normal (nonsuperuser) administrative CLI commands
  Command accounting for all CLI commands that are executed on the Content Engine by an administrator who has normal privileges. See the "About Command Accounting" section for more information.
  CLI command: aaa accounting commands 0 default {start-stop | stop-only | wait-start} tacacs

Superuser administrative CLI commands
  Command accounting for all CLI commands that are executed on the Content Engine by a superuser. See the "About Command Accounting" section for more information.
  CLI command: aaa accounting commands 15 default {start-stop | stop-only | wait-start} tacacs
AAA accounting and transaction monitoring are independent of each other:
• With administrative login requests, an administrator is logging in to the Content Engine for configuration, monitoring, or troubleshooting purposes. The administrator is using the predefined superuser administrative account, or another administrative account that has been created on the Content Engine. The Content Engine processes the administrative login request using one or more of the following login authentication methods: the local database, an external RADIUS server, or an external TACACS+ server. This chapter describes how to configure AAA accounting for administrative login requests and activities. For information about how to configure AAA authentication and authorization (administrative login authentication and authorization on the Content Engine), see Chapter 17, "Configuring Administrative Login Authentication and Authorization on Standalone Content Engines."
• With content requests, end users (web clients) are using their browsers or media players on their desktops to request content that is served through the Content Engine. The Content Engine tracks end users' access to content that is served through the Content Engine, and records information (for example, which user is accessing what content and for how long) about these content requests in the ACNS software transaction logs. For information about configuring content authentication and authorization, see Chapter 10, "Configuring Content Authentication and Authorization on Standalone Content Engines." For information about the ACNS software transaction logs, see the "Monitoring Transactions with Standalone Content Engines" section on page 21-27.
About System Accounting
System accounting provides information about all system-level events (for example, a system reboot). You can access system accounting information through the TACACS+ server's accounting log file. This log file uses the following report format for this type of accounting information:
WeekDay#Month#Day#Time#Year#CEaddress#username#terminal#RemoteHost#Event#EventTime#TaskId#Timezone#SystemService#SystemAccountingEvent#EventReason
The following are some examples of the system accounting report that is available on the TACACS+ server:
Wed Apr 14 08:37:14 2004 172.16.0.0 unknown unknown 0.0.0.0 start start_time=1081909831 task_id=2725 timezone=PST service=system event=sys_acct reason=reload
Wed Apr 14 10:19:18 2004 172.16.0.0 admin ttyS0 0.0.0.0 stop stop_time=1081915955 task_id=5358 timezone=PST service=system event=sys_acct reason=shutdown
About EXEC Shell Accounting
EXEC shell accounting is used to report the events of an administrator logging in to and out of the EXEC shell through Telnet, FTP, or SSH (SSH Version 1 or Version 2). This type of accounting provides information about user EXEC terminal session (user shell) events, including the username, date, start and stop times, and the IP address of the accessed server (for example, the IP address of the FTP server).
The EXEC shell accounting information can be accessed through the TACACS+ server's accounting log file. This log file uses the following report format for this type of accounting information:
WeekDay#Month#Day#Time#Year#CEaddress#username#terminal#RemoteHost#Event#EventTime#TaskId#Timezone#Service
The following are some examples of the EXEC shell accounting report that is available on the TACACS+ server:
Wed Apr 14 11:19:19 2004 172.16.0.0 super10 pts/0 172.31.0.0 start start_time=1081919558 task_id=3028 timezone=PST service=shell
Wed Apr 14 11:19:23 2004 172.16.0.0 super10 pts/0 172.31.0.0 stop stop_time=1081919562 task_id=3028 timezone=PST service=shell
Wed Apr 14 11:22:13 2004 172.16.0.0 normal20 pts/0 via5.abc.com start start_time=1081919732 task_id=3048 timezone=PST service=shell
Wed Apr 14 11:22:16 2004 172.16.0.0 normal20 pts/0 via5.abc.com stop stop_time=1081919735 task_id=3048 timezone=PST service=shell
Wed Apr 14 11:25:29 2004 172.16.0.0 admin ftp via5.abc.com start start_time=1081919928 task_id=3069 timezone=PST service=shell
Wed Apr 14 11:25:33 2004 172.16.0.0 admin ftp via5.abc.com stop stop_time=1081919931 task_id=3069 timezone=PST service=shell
About Command Accounting
The Content Engine records information about each CLI command that is executed on the Content Engine, whether in EXEC mode or configuration mode. The accounting record for each command includes the following information:
• The syntax of the executed command.
• The username of the administrator who executed the particular CLI command.
• The privilege level of the administrator who executed the particular CLI command.
  Normal privileges (privilege level of 0) allow restricted access to the Content Engine, and superuser privileges (privilege level of 15) allow unrestricted access to the Content Engine for monitoring, configuration, or troubleshooting purposes. Command accounting reports the same privilege level for all configuration and EXEC mode CLI commands that are executed by a particular administrator.
  The recorded privilege level of the CLI commands is the same as the logged-in user's privilege level:
  – Administrators with superuser privileges log a privilege level of 15 in the accounting record.
  – Administrators with normal privileges log a privilege level of 0 in the accounting record.
• The date and time that each CLI command was executed.
The command accounting information can be accessed through the TACACS+ server's accounting log file. This log file uses the following report format for this type of accounting information:
WeekDay#Month#Day#Time#Year#CEaddress#username#terminal#RemoteHost#Event#EventTime#TaskId#Timezone#Service#PrivilegeLevel#CLICommand
The following are some examples of the command accounting report that is available on the TACACS+ server:
Wed Apr 14 12:35:38 2004 172.16.0.0 admin ttyS0 0.0.0.0 start start_time=1081924137 task_id=3511 timezone=PST service=shell priv-lvl=0 cmd=logging console enable
Wed Apr 14 12:35:39 2004 172.16.0.0 admin ttyS0 0.0.0.0 stop stop_time=1081924137 task_id=3511 timezone=PST service=shell priv-lvl=0 cmd=logging console enable
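The three record formats above (system, EXEC shell, and command accounting) share the same leading fields and differ only in their trailing key=value attributes. The following parser is an added example, not part of the ACNS documentation or software: it reads records in that format, pairs each start record with its stop record by task_id to compute durations, and keeps the privilege level and command text where present. The sample records are constructed for illustration.

```python
import re

# Constructed sample records in the three accounting formats this chapter
# describes (system, EXEC shell, command); values are illustrative only.
SAMPLE_LOG = """\
Wed Apr 14 08:37:14 2004 172.16.0.0 unknown unknown 0.0.0.0 start start_time=1081909831 task_id=2725 timezone=PST service=system event=sys_acct reason=reload
Wed Apr 14 11:19:19 2004 172.16.0.0 super10 pts/0 172.31.0.0 start start_time=1081919558 task_id=3028 timezone=PST service=shell
Wed Apr 14 11:19:23 2004 172.16.0.0 super10 pts/0 172.31.0.0 stop stop_time=1081919562 task_id=3028 timezone=PST service=shell
Wed Apr 14 12:35:38 2004 172.16.0.0 admin ttyS0 0.0.0.0 start start_time=1081924137 task_id=3511 timezone=PST service=shell priv-lvl=15 cmd=logging console enable
Wed Apr 14 12:35:39 2004 172.16.0.0 admin ttyS0 0.0.0.0 stop stop_time=1081924137 task_id=3511 timezone=PST service=shell priv-lvl=15 cmd=logging console enable
"""

# Leading fields common to all three formats: WeekDay Month Day Time Year
# CEaddress username terminal RemoteHost Event, then key=value attributes.
# The start/stop field is named "action" so it does not collide with "event=sys_acct".
HEADER = re.compile(
    r"^(?P<weekday>\w{3}) (?P<month>\w{3}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d\d:\d\d:\d\d) (?P<year>\d{4}) (?P<ce>\S+) (?P<user>\S+) "
    r"(?P<terminal>\S+) (?P<remote>\S+) (?P<action>start|stop)(?: (?P<attrs>.*))?$"
)

def parse_record(line):
    """Parse one accounting line into a dict; return None if it does not match."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    attrs = rec.pop("attrs") or ""
    # cmd= is last and its value (the CLI command line) contains spaces,
    # so split it off before tokenising the remaining attributes.
    head, has_cmd, cmd = (" " + attrs).partition(" cmd=")
    for token in head.split():
        key, _, value = token.partition("=")
        rec[key] = value
    if has_cmd:
        rec["cmd"] = cmd
    return rec

def pair_sessions(log_text):
    """Join start/stop records by task_id; return (completed, still_open)."""
    open_tasks, completed = {}, []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        tid = rec.get("task_id")
        if rec["action"] == "start":
            open_tasks[tid] = rec
        elif tid in open_tasks:
            start = open_tasks.pop(tid)
            completed.append({
                "task_id": tid,
                "user": start["user"],
                "service": start.get("service"),
                "priv_lvl": int(start["priv-lvl"]) if "priv-lvl" in start else None,
                "cmd": start.get("cmd"),
                "duration": int(rec["stop_time"]) - int(start["start_time"]),
            })
    # Starts without a stop: a reload (system record) or a lost stop record.
    return completed, list(open_tasks.values())
```

Records left in the still-open list are worth a second look: a reload produces one legitimately, but a lost stop record for a command session can also mean the TACACS+ server was unreachable.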
In addition to command accounting, the Content Engine records any executed CLI command in the system log (syslog). The message format is as follows:
ce_syslog(LOG_INFO, CESM_PARSER, PARSER_ALL, CESM_350232,
"CLI_LOG %s: %s \n", __FUNCTION__, pd->command_line);
Configuring AAA Accounting Settings on Standalone Content Engines
When configuring AAA accounting on a standalone Content Engine, keep these important points in mind:
• The Content Engine sends AAA accounting information only to the TACACS+ server, and does not send it to the console or to any other device.
• AAA accounting through RADIUS is not currently supported.
• By default, AAA accounting is disabled on a Content Engine. To enable and configure AAA accounting on a standalone Content Engine, you must use the Content Engine CLI. (Currently, this feature cannot be configured through the Content Engine GUI.)
• When activating AAA accounting, there are three command options that indicate when TACACS+ accounting is to occur: start-stop, stop-only, and wait-start.
Caution: The ACNS software displays the following warning message if the wait-start option is configured:
Warning: The device may become non-responsive if it cannot contact a configured TACACS+ server.
The administrator is asked to confirm the configuration in an indefinite loop until the administrator enters "yes" to the following prompt:
Are you sure you want to proceed? [yes]
Table 18-2 describes the stop-only, start-stop, and wait-start options.
Table 18-2 AAA Accounting stop-only, start-stop, and wait-start Command Parameters
Columns: Parameter / Description / Content Engine CLI Command

start-stop
  The Content Engine sends the TACACS+ accounting server a start record accounting notice at the beginning of a process and a stop record at the end of the process. The start accounting record is sent in the background; the requested user process begins regardless of whether the TACACS+ accounting server acknowledged the start accounting record.
  CLI command: aaa accounting {commands | exec | system} default start-stop tacacs

stop-only
  The Content Engine sends a stop record accounting notice to the TACACS+ accounting server at the end of the specified activity or event.
  CLI command: aaa accounting {commands | exec | system} default stop-only tacacs

wait-start
  The Content Engine sends both a start and a stop accounting record to the TACACS+ accounting server. However, the requested user service does not begin until the TACACS+ accounting server acknowledges the start accounting record.
  CLI command: aaa accounting {commands | exec} default wait-start tacacs
To configure a standalone Content Engine to use TACACS+ to support AAA accounting, follow these steps:
Step 1
Make sure that at least one TACACS+ server is configured for the standalone Content Engine.
Before you can configure the AAA accounting settings for a standalone Content Engine, you must first configure a TACACS+ server for the Content Engine. For example, you must specify the TACACS+ key and the hostname or IP address of the TACACS+ server to which the Content Engine will send its AAA information. The Content Engine does not have a predefined TACACS+ server configuration.
a. Specify the TACACS+ key on the Content Engine.
ContentEngine(config)# tacacs key key
Here, key is the secret key that the Content Engine uses to communicate with the TACACS+ server. There is no default. Be sure that the same TACACS+ key is also specified on the TACACS+ server.
For example, to specify abc as the key, enter:
ContentEngine(config)# tacacs key abc
b. Specify a specific TACACS+ server as the accounting server.
Explicitly specify the primary TACACS+ server; otherwise, the Content Engine chooses the primary server itself. You can configure one primary TACACS+ server and two backup TACACS+ servers. TACACS+ uses TCP port 49 as its standard port for communication.
To specify one or more TACACS+ servers, enter:
ContentEngine(config)# tacacs server ip_addr [primary]
In this example, the TACACS+ server with the IP address 172.16.50.1 is explicitly configured as the primary server through the use of the primary option:
ContentEngine(config)# tacacs server 172.16.50.1 primary
In this example, the TACACS+ server with the IP address 172.16.50.2 is configured as a backup server, because the primary keyword is not specified:
ContentEngine(config)# tacacs server 172.16.50.2
For more information about configuring a TACACS+ server for standalone Content Engines, see the "Specifying TACACS+ Authentication Settings for Standalone Content Engines" section on page 17-12.
Step 2
Activate accounting for system events and indicate when accounting is to take place using the aaa accounting system default {start-stop | stop-only | wait-start} tacacs global configuration command.
Note: See Table 18-2 for a description of the start-stop, stop-only, and wait-start options of the aaa accounting global configuration commands.
In this example, the Content Engine is configured to record all system activities. The command also configures the Content Engine to send the TACACS+ server a stop record accounting notice at the end of the specified activity or event.
ContentEngine(config)# aaa accounting system default stop-only tacacs
Step 3
Activate accounting for EXEC mode processes and indicate when accounting is to take place by using the aaa accounting exec default {start-stop | stop-only | wait-start} tacacs global configuration command.
In this example, the Content Engine is configured to record all user EXEC sessions. The command also configures the Content Engine to send the TACACS+ server a start record accounting notice at the beginning of a process and a stop record at the end of the process.
ContentEngine(config)# aaa accounting exec default start-stop tacacs
Step 4
Activate accounting for all CLI commands at the normal privilege level (privilege level of 0) and indicate when accounting is to take place by using the aaa accounting commands 0 default {start-stop | stop-only | wait-start} tacacs global configuration command.
In this example, the Content Engine is configured to record all CLI commands executed by an administrator who logged in to the Content Engine with an account that has normal privileges (privilege level of 0). The command configures the Content Engine to send the TACACS+ server a start record accounting notice at the beginning of a process and a stop record at the end of the process, the process being each CLI command that is executed by an administrator who has restricted privileges (privilege level of 0).
ContentEngine(config)# aaa accounting commands 0 default start-stop tacacs
Step 5
Activate accounting for all commands at the superuser privilege level and indicate when accounting is to take place by using the aaa accounting commands 15 default {start-stop | stop-only | wait-start} tacacs global configuration command.
In this example, the Content Engine is configured to record all CLI commands that are executed by a superuser. The command configures the Content Engine to send the TACACS+ server a start record accounting notice at the beginning of a process and a stop record at the end of the process, the process being each CLI command that is executed by a superuser (one with a privilege level of 15).
ContentEngine(config)# aaa accounting commands 15 default start-stop tacacs
Step 6
Verify the AAA accounting configuration.
ContentEngine# show aaa accounting
Accounting Type        Record event(s)     Protocol
------------------------------------------------------------------
Exec shell             start-stop          TACACS+
Command level 0        start-stop          TACACS+
Command level 15       start-stop          TACACS+
Displaying the AAA Accounting Configuration for Standalone Content Engines
To display the current AAA accounting configuration for a standalone Content Engine, enter the show aaa accounting EXEC command:
ContentEngine# show aaa accounting
Accounting Type        Record event(s)     Protocol
----------------------------------------------------
Exec shell             unknown             unknown
Command level 0        unknown             unknown
Command level 15       unknown             unknown
System                 start-stop          TACACS+
This command displays the AAA accounting configuration for the following accounting types:
• EXEC shell (accounting for EXEC processes [user shells])
• Command level for administrators with normal privileges (privilege level of 0)
• Command level for administrators with superuser privileges (privilege level of 15)
• System (accounting for all system-level events not associated with administrators, such as reloads)
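Because AAA accounting is off by default and each of the four types must be enabled separately, a fleet-wide check of show aaa accounting output is a cheap way to catch Content Engines whose administrator activity is not being recorded. The following audit is an added example, not part of the ACNS documentation or software: it parses the output layout shown above, reports any accounting type that does not reach TACACS+, and flags wait-start because of the availability caution given earlier in this chapter. The sample output is constructed.

```python
# Constructed 'show aaa accounting' output in the layout this chapter shows
# (here only system accounting has been enabled; values are illustrative).
SAMPLE_OUTPUT = """\
Accounting Type        Record event(s)     Protocol
----------------------------------------------------
Exec shell             unknown             unknown
Command level 0        unknown             unknown
Command level 15       unknown             unknown
System                 start-stop          TACACS+
"""

# The four accounting types the command reports, as named in its output.
ACCOUNTING_TYPES = ("Exec shell", "Command level 0", "Command level 15", "System")

def parse_show_aaa_accounting(text):
    """Map each accounting type to its (record events, protocol) pair."""
    config = {}
    for line in text.splitlines():
        for name in ACCOUNTING_TYPES:
            # Match the full type name followed by whitespace, so that
            # "Command level 15" is never mistaken for "Command level 1...".
            if line.startswith(name + " "):
                fields = line[len(name):].split()
                if len(fields) == 2:
                    config[name] = (fields[0], fields[1])
                break
    return config

def audit_accounting(text):
    """Return findings: types not accounted to TACACS+, and any use of wait-start."""
    findings = []
    config = parse_show_aaa_accounting(text)
    for name in ACCOUNTING_TYPES:
        events, protocol = config.get(name, ("missing", "missing"))
        if protocol != "TACACS+" or events == "unknown":
            findings.append(f"{name}: not accounted to TACACS+ ({events}/{protocol})")
        elif events == "wait-start":
            # Per the chapter's caution, wait-start holds the user process until
            # the TACACS+ server acknowledges the start record.
            findings.append(f"{name}: wait-start can block the device if the TACACS+ server is unreachable")
    return findings
```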
Displaying and Clearing AAA Accounting Statistics on Standalone Content Engines
To display AAA accounting statistics on a standalone Content Engine, enter the show statistics tacacs EXEC command:
ContentEngine# show statistics tacacs
-----------------------------------------------
Number of access requests: 0
Number of access deny responses: 0
Number of access allow responses: 0
Number of authorization requests: 0
Number of authorization failure responses: 0
Number of authorization success responses: 0
Number of accounting requests: 0
Number of accounting failure responses: 0
Number of accounting success responses: 15
To clear the TACACS+ accounting statistics on the Content Engine, enter the clear statistics tacacs EXEC command.