When we talk about “security” we know what we want, but describing it and making it happen can be different matters altogether. Network security has a natural conflict with network connectivity. The more an autonomous system opens itself up, the more risk it takes on. This, in turn, requires that more effort be applied to security enforcement tasks. This article is chapter eight of the book, Cisco: A Beginner's Guide, third edition, by Anthony Velte and Toby Velte (McGraw-Hill/Osborne, 2004, ISBN: 0072256354).
Accounting Methods and Types
AAA accounting methods specify which user activities are tracked within a secured access device. Accounting methods gather data from TACACS+ and RADIUS packets and log it into a file stored on the access device. The security server comes around each day and collects the data into a central AAA accounting database. Table 8-5 explains how the two work.
Notice that the only accounting methods are the security protocols themselves. This is because accounting data is, by default, collected for the entire device. The reason for the two methods is that the accounting data must travel either in TACACS+ or RADIUS packets to the server (AAA accounting isn’t done without servers).
AAA has five accounting secured entity types, slightly different from those for authorization. Table 8-6 explains them.
The system accounting keyword only collects a default set of variables. It cannot be configured to collect only certain events. The reason for this is that a system event simply happens—a user does not request permission to cause it. An example system event would be a network interface going down at 11:32:28 Tuesday, January 9, 2005. AAA accounting does not automatically associate the system event with a security transaction, but comparing accounting and authorization logs for that date and time would make it easy for a system administrator to figure out who the culprit was.
Like authorization, AAA accounting named method lists must be applied to all network interfaces they are meant to secure, and then applied to an indicated accounting type. For example, the MyRouter(config)# aaa accounting network tacacs+ command configures IOS to keep track of all SLIP and PPP connections made over a network interface that are authorized using TACACS+.
AAA Accounting Method   Description
tacacs+                 Logs accounting information on TACACS+ in the CiscoSecure ACS database
radius                  Logs accounting information on RADIUS in the CiscoSecure ACS database
Table 8-5. AAA Accounting Uses One Method per Security Protocol
AAA Accounting Type   Description
network               Applies the method to network connections, usually a PPP connection, but methods can also be named for logins, SLIP, or ARAP connections.
exec                  Provides information on all User EXEC mode terminal sessions within the access device's IOS environment. EXEC accounting information can be collected by user, date, and start and stop times.
commands              Provides information on any commands issued by users in IOS Privileged EXEC mode. Command accounting information can be collected by user, date, and start and stop times.
connection            Provides information on all outbound connections attempted from the secured access device in sessions made using the Telnet, rlogin, TN3270, PAD, and LAT terminal protocols.
system                Provides information about system-level events, such as reboots.
Table 8-6. AAA Accounting Types that Track Asset Usage for Five Secured Entity Types
Accounting is a little more complicated in how it tracks requests, though. AAA accounting relies on so-called accounting notices to gather data. An accounting notice is a special packet notifying the accounting method of an event. This information is recorded in the accounting log file for upload to the appropriate security server. One of three AAA accounting keywords must be used to specify exactly when during the service request process the notices are to be sent. The terminology can get a bit confusing, but Figure 8-13 will help you visualize how the three work:
Stop-only: For minimal accounting. Has RADIUS or TACACS+ send a stop notice (stop recording accounting data) at the end of the requested service. Stop-only accounting is good only for tracking who went where. This is important information for security purposes.
Start-stop: For more accounting. Has RADIUS or TACACS+ send a start accounting notice at the beginning of the requested service and a stop accounting notice at the end of the service. Start-stop accounting yields the elapsed time of a connection.
Wait-start: For maximum accounting. Has RADIUS or TACACS+ wait until the start notice is received by AAA accounting before the user's request process begins. Most regard wait-start as overkill and an inconvenience to users, so its use is limited to very sensitive services.
Figure 8-13. AAA accounting can use any of the three methods to track user activity.
To select a method, include any one of the three keywords as arguments to the root aaa accounting command in the configuration statement. The three options give differing levels of accounting control. For example, if an administrator requests entry into a secured device’s User EXEC mode, the stop-only process records only the end of the administrator’s session within User EXEC mode. The start-stop process records the beginning and the end of the session. The wait-start process ensures that no connection is made prior to the accounting notice having been received and acknowledged.
The following example shows an AAA accounting configuration. Lines 2, 3, and 4 show all three AAA functions being configured together, the normal practice in the real world.
The accounting commands are woven in with the others, to give you an idea of how statements really look. As configured here, full start-stop accounting records will be logged for all network connections made by the network team through any of the 16 asynchronous ports on the device, MyRouter.
Exactly what gets logged depends on how the named method list WeWillBillYou is configured. Most network managers, at a minimum, would use the network command to account for connection times. Generally speaking, the command-oriented parameters exec and commands are useful only for security audits.
RADIUS and TACACS+ Attributes
A security protocol is largely defined by the attributes it supports. After all, they define the raw material used to operate the user-based security system. RADIUS and TACACS+ are separate protocols packaged into the AAA command structure within IOS. The major differences between the two come into play inside the user database, where each user has a security profile containing attributes that define what that person may do. As separate technologies, RADIUS and TACACS+ have their own attributes.
RADIUS is an open standard under the auspices of the IETF and defines nearly 60 attributes. We won’t list them all here, but Table 8-7 shows several to help you see what’s involved in user-based security.
Seventeen RADIUS attributes are so-called vendor-proprietary attributes. These are items that vendors can customize to extend functionality within their products. Table 8-8 shows a few Cisco extensions to give you an idea of what vendors like to customize.
RADIUS Attribute    Description
User-Name           The name of a person's user profile account. For example, Anne Marie's username might be "amarie."
User-Password       The secret pass code created by the person.
CHAP-Password       The encrypted value returned during the challenge-handshake exchange. This is the username mixed with a random number called a challenge.
NAS-IP-Address      The IP address of the access server requesting authentication. (Recall that NAS stands for network access server, the same thing as an access server.)
NAS-Port            The physical port number on the access server. This includes the various types of interfaces possible, such as asynchronous terminal lines, synchronous network lines, ISDN channels, and other types of interfaces.
Service-Type        The service requested or granted. For example, an administrator might request the enable command in IOS in order to enter the Privileged EXEC command mode.
Login-TCP-Port      The TCP port with which the user is to be connected, for example, port 80 for HTTP Web browsing.
Acct-Session-Id     A unique accounting identifier used to match start and stop notices in an accounting log file.
Acct-Session-Time   The number of seconds the user remained connected.
Acct-Authentic      The way the user was authenticated, whether by RADIUS, the local user database, TACACS+, or Kerberos.
Table 8-7. RADIUS Attributes Used to Enforce User-Based Security
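As an added example, not code from the book or from Cisco, the following Python sketch works through the RADIUS side of the accounting discussion above: a NAS encodes Accounting-Request Start and Stop notices carrying Table 8-7 attributes, and the accounting server verifies each notice's Request Authenticator before trusting it, then matches Start and Stop by Acct-Session-Id so that a start-stop session yields an elapsed time and a Stop with no prior Start shows up as stop-only. Packet layout and attribute type codes follow RFC 2866; the shared secret, usernames and session values are constructed sample data.

```python
import hashlib
import struct

ACCT_REQUEST, START, STOP = 4, 1, 2  # RFC 2866 packet code and Acct-Status-Type values
USER_NAME, ACCT_STATUS, ACCT_SESSION_ID, ACCT_SESSION_TIME = 1, 40, 44, 46  # attribute type codes
SECRET = b"constructed-shared-secret"  # constructed sample value, not from the book

def build_notice(ident, secret, user, status, sid, secs=None):
    """Encode one Accounting-Request (Start or Stop) as a NAS would and sign it with the secret."""
    attrs = [(USER_NAME, user), (ACCT_STATUS, struct.pack("!I", status)), (ACCT_SESSION_ID, sid)]
    if secs is not None:  # Acct-Session-Time: seconds connected, carried on the Stop notice
        attrs.append((ACCT_SESSION_TIME, struct.pack("!I", secs)))
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_notice(packet, secret):
    """Server side: reject malformed or forged notices, then return {attribute code: value bytes}."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    if hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest() != packet[4:20]:
        raise ValueError("Request Authenticator mismatch: wrong secret or forged notice")
    attrs, pos = {}, 20
    while pos < length:
        ln = packet[pos + 1] if pos + 1 < length else 0  # 0 flags a truncated attribute header
        if ln < 2 or pos + ln > length:
            raise ValueError("malformed attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + ln]
        pos += ln
    return attrs

def pair_sessions(packets, secret):  # match Start and Stop notices by Acct-Session-Id
    sessions = {}
    for pkt in packets:
        a = parse_notice(pkt, secret)
        rec = sessions.setdefault(a[ACCT_SESSION_ID].decode(), {"user": a[USER_NAME].decode(), "mode": None})
        status = struct.unpack("!I", a[ACCT_STATUS])[0]
        if status == START:
            rec["mode"] = "open"  # in progress until the matching Stop notice arrives
        elif status == STOP:  # a Stop with no prior Start is what stop-only accounting produces
            rec["elapsed"] = struct.unpack("!I", a[ACCT_SESSION_TIME])[0]
            rec["mode"] = "start-stop" if rec["mode"] == "open" else "stop-only"
    return sessions

def demo():  # constructed sample: amarie sends Start and Stop notices, jdoe only a Stop notice
    pkts = [build_notice(1, SECRET, b"amarie", START, b"12"), build_notice(2, SECRET, b"amarie", STOP, b"12", 1800),
            build_notice(3, SECRET, b"jdoe", STOP, b"13", 42)]
    return pair_sessions(pkts, SECRET)
```

A notice built with a different shared secret, or truncated in transit, is rejected by parse_notice before any attribute is read.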
Cisco-Specific RADIUS Attribute   Description
Password-Expiration               Specifies a time interval or event that forces the user to create a new password.
IP-Direct                         The Cisco device will bypass all routing tables and send packets directly to a specified IP address. For example, IP-Direct might be used to make sure a user's WAN connection goes through a firewall.
Idle-Limit                        Specifies the maximum number of seconds any session may be idle.
Table 8-8. Cisco Extensions to the RADIUS Standard
TACACS+ has over 50 attributes (attribute-value pairs). While TACACS+ and RADIUS both support the three AAA functions, TACACS+ is more sophisticated. For example, it has attributes such as Tunnel-ID to help secure VPN connections. This is why internetworks that use RADIUS for authenticating dial-in users will frequently use TACACS+ for authorization and accounting. Table 8-9 shows example TACACS+ attributes to give you a feel for the protocol.
The sampling of AV pairs in Table 8-9 shows two areas in which TACACS+ is stronger than RADIUS. First, TACACS+ offers stricter internal security than RADIUS by locking down commands and access lists. The first thing a hacker would do upon breaking into an IOS device would be to make new entries into its access lists, which makes file transfers possible. These AV pairs not only help to stop hackers, they also let the network manager specify which devices, IOS commands, or access lists individual administrators may work with. Locking out certain team members helps avoid configuration errors.
The second area in which TACACS+ is stronger is protocol support. For example, TACACS+ has AV pairs to enhance the security of VPNs, which are exploding in popularity. As would be expected, TACACS+ also has accounting attributes to go along with the areas where it expands beyond RADIUS. For example, the cmd=x AV pair lets you keep track of which IOS commands an administrator uses while working on a device. This can be useful information for diagnosing how a configuration error was made.