accounting

Configures the server type and interval at which interim accounting updates are sent to the server. Up to 2 accounting servers can be configured.

This feature tracks user activities on the network, and provides information, such as resources used and the usage time. This information can be used for audit and billing purposes.

TACACS accounting tracks user activity and is useful for security audit purposes.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

accounting [access-method|auth-fail|commands|server|session]
accounting access-method [all|console|ssh|telnet] {(console|ssh|telnet)}
accounting [auth-fail|commands|session]
accounting server [<1-2>|preference]
accounting server preference [authenticated-server-host|authenticated-server-number|authorized-server-host|authorized-server-number|none]
accounting server <1-2> [host|retry-timeout-factor <50-200>|timeout]
accounting server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
accounting server <1-2> timeout <3-5> {attempts <1-3>}

Parameters

accounting access-method [all|console|ssh|telnet] {(console|ssh|telnet)}
access-method – Configures TACACS accounting access mode. The options are: console, SSH, Telnet, and all.
all – Configures TACACS accounting for all access modes
console – Configures TACACS accounting for console access only
ssh – Configures TACACS accounting for SSH access only
telnet – Configures TACACS accounting for Telnet access only
accounting [auth-fail|commands|session]
auth-fail – Enables accounting for authentication fail details. This option is disabled by default.
commands – Enables accounting of commands executed. This option is disabled by default.
session – Enables accounting for session start and stop details. This option is disabled by default.
accounting server preference [authenticated-server-host|authenticated-server-number|authorized-server-host|authorized-server-number|none]
server – Configures a TACACS accounting server
preference – Configures the accounting server preference (specifies the method of selecting a server, from the pool, to send the request)
authenticated-server-host – Sets the authentication server as the accounting server. This is the default setting.

This parameter indicates the same server is used for authentication and accounting. The server is referred to by its hostname.

authenticated-server-number – Sets the authentication server as the accounting server

This parameter indicates the same server is used for authentication and accounting. The server is referred to by its index or number.

authorized-server-host – Sets the authorization server as the accounting server

This parameter indicates the same server is used for authorization and accounting. The server is referred to by its hostname.

authorized-server-number – Sets the authorization server as the accounting server

This parameter indicates the same server is used for authorization and accounting. The server is referred to by its index number.

none – Indicates the accounting server is independent of the authentication and authorization servers
accounting server <1-2> retry-timeout-factor <50-200>
server <1-2> – Configures an accounting server. Up to 2 accounting servers can be configured
retry-timeout-factor <50-200> – Sets the scaling factor for retry timeouts
  • <50-200> – Specify a value from 50 - 200. The default is 100.

A value of 100 indicates the time gap between two consecutive retries remains the same irrespective of the number of retries.

A value less than 100 indicates the time gap between two consecutive retries reduces with each successive retry.

A value greater than 100 indicates the time gap between two consecutive retries increases with each successive retry.

accounting server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
server <1-2> – Configures an accounting server. Up to 2 accounting servers can be configured
host <IP/HOSTNAME> – Configures the accounting server's IP address or hostname
secret [0 <SECRET>|2 <SECRET>|<SECRET>] – Optional. Configures a common secret key used to authenticate with the accounting server
  • 0 <SECRET> – Configures a clear text secret key
  • 2 <SECRET> – Configures an encrypted secret key
  • <SECRET> – Specify the secret key. This shared secret should not exceed 127 characters.
port <1-65535> – Optional. Configures the accounting server port (the port used to connect to the accounting server)
  • <1-65535> – Specify the TCP accounting port number from 1 - 65535. The default port is 49.
accounting server <1-2> timeout <3-5> {attempts <1-3>}
server <1-2> – Configures an accounting server. Up to 2 accounting servers can be configured
timeout <3-5> – Configures the timeout for each request sent to the TACACS accounting server. This is the time allowed to elapse before another request is sent to the TACACS accounting server. If a response is received from the server within this time, no retry is attempted.
  • <3-5> – Specify a value from 3 - 5 seconds. The default is 3 seconds.
attempts <1-3> – Optional. Specifies the number of times a transmission request is attempted. This is the maximum number of times a request is sent to the TACACS accounting server before getting discarded.
  • <1-3> – Specify a value from 1 - 3. The default is 3.

Examples

nx9500-6C8809(config-aaa-tacacs-policy-test)#accounting auth-fail
nx9500-6C8809(config-aaa-tacacs-policy-test)#accounting commands
nx9500-6C8809(config-aaa-tacacs-policy-test)#accounting server preference authorized-server-number
nx9500-6C8809(config-aaa-tacacs-policy-test)#show context
aaa-tacacs-policy test
 accounting server preference authorized-server-number
 accounting auth-fail
 accounting commands
nx9500-6C8809(config-aaa-tacacs-policy-test)#
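
The following audit script is an added example, not part of the original reference or of the product. It reads an aaa-tacacs-policy block in show context form and reports which of the default-disabled accounting types are still off and whether a server secret was entered as clear text (type 0). The function name, the sample server line, and the assumption that show context prints the server line exactly as in the Syntax section are hypothetical.

```python
# Accounting types the page documents as disabled by default.
DEFAULT_OFF = ("auth-fail", "commands", "session")

# Constructed sample: the first four lines are the page's 'show context' output;
# the server line is built from the Syntax section with placeholder values.
SAMPLE = """\
aaa-tacacs-policy test
 accounting server preference authorized-server-number
 accounting auth-fail
 accounting commands
 accounting server 1 host 192.0.2.10 secret 0 ExampleSecret port 49
"""

def audit_tacacs_accounting(context):
    """Return a list of findings for one aaa-tacacs-policy block."""
    enabled, servers, preference = set(), {}, None
    for line in context.splitlines():
        words = line.split()
        if len(words) < 2 or words[0] != "accounting":
            continue
        if words[1] in DEFAULT_OFF:
            enabled.add(words[1])
        elif words[1:3] == ["server", "preference"] and len(words) > 3:
            preference = words[3]
        elif words[1] == "server" and len(words) > 4 and words[3] == "host":
            servers[words[2]] = words[5:]  # tokens after the host value

    findings = []
    for kind in DEFAULT_OFF:
        if kind not in enabled:
            findings.append(f"'accounting {kind}' not set: {kind} events are not sent")
    for index, args in sorted(servers.items()):
        if "secret" not in args:
            findings.append(f"server {index}: no shared secret configured")
        else:
            pos = args.index("secret")
            if args[pos + 1:pos + 2] == ["0"]:  # explicit clear-text marker
                findings.append(f"server {index}: shared secret is clear text (type 0)")
    if preference == "none" and not servers:
        findings.append("preference none but no accounting server host defined")
    return findings

if __name__ == "__main__":
    for finding in audit_tacacs_accounting(SAMPLE):
        print("FINDING:", finding)
```

Run against the sample, it reports that session accounting is not enabled and that server 1 uses a type 0 secret.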

Related Commands

no (aaa-tacacs-policy-config-mode-command) – Resets values or disables commands