Configuration Guide Vol. 1


10.2.5 Accounting using RADIUS/TACACS+

This section describes RADIUS and TACACS+ accounting methods.

<Structure of this section>

(1) Specifying Accounting
(2) Accounting Flow
(3) Accounting Notes

(1) Specifying Accounting

By configuring RADIUS or TACACS+ and aaa accounting, you can set up the Switch to send accounting information to the RADIUS or TACACS+ server whenever a user logs in to or logs out from a remote operation terminal. Accounting information can also be sent to the TACACS+ server each time a command is entered on the Switch.

Two types of accounting can be configured: login accounting for sending login and logout events to the server, and command accounting for sending command input events. Command accounting is supported only by TACACS+.

For each type of accounting, you can select either start-stop mode, which sends both START and STOP accounting notices, or stop-only mode, which sends STOP notices only. For command accounting, you can choose to report all entered commands or only configuration commands. Normally, each record is sent to the configured RADIUS or TACACS+ servers in turn: the next server is tried only if the current one is unavailable, and the sequence stops as soon as accounting succeeds. Alternatively, you can choose to broadcast every accounting record to all of the servers regardless of success or failure.

(2) Accounting Flow

The following figure shows the processing sequence when the system is configured to send accounting notices to a TACACS+ server in START-STOP transmission mode for both login accounting and command accounting.

Figure 10-26 Sequence of TACACS+ accounting (login accounting and command accounting both in START-STOP transmission mode)

[Figure Data]

In this figure, when a user successfully logs in from a remote operation terminal, accounting information such as user data and timestamps is sent from the Switch to the TACACS+ server. In addition, command accounting information is forwarded before and after every command executed by the user. Finally, when the user logs out, information such as the duration of the session is sent.

The following figure shows the processing sequence when the system is configured to send accounting notices to a TACACS+ server in START-STOP transmission mode for login accounting, and in STOP-ONLY transmission mode for command accounting.

Figure 10-27 Sequence of TACACS+ accounting (login accounting in START-STOP and command accounting in STOP-ONLY transmission mode)

[Figure Data]

Compared with the example shown in Figure 10-26, the accounting operation for login and logout is the same. However, when STOP-ONLY is specified for command accounting, the Switch sends accounting information, such as the entered command, to the TACACS+ server only once, before the command is entered.
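The following Python model is an added example, not code from the ALAXALA configuration guide or from the Switch software. It simulates the behaviour described in (1) and in the two sequences in (2): START-STOP versus STOP-ONLY for login and command accounting, the "configuration commands only" filter, and sequential delivery (try each server in turn until one acknowledges) versus broadcast delivery. The server names, timestamps, commands and the in-memory "server" objects are all constructed for the example; nothing here speaks real RADIUS or TACACS+ on the wire.

```python
"""Model of login/command accounting modes and server selection (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    START_STOP = "start-stop"   # send both START and STOP notices
    STOP_ONLY = "stop-only"     # send STOP notices only


@dataclass
class Record:
    kind: str        # "login" or "command"
    event: str       # "START" or "STOP"
    user: str
    detail: str      # entered command, or session information
    timestamp: int   # constructed seconds value


@dataclass
class Server:
    """Stand-in for a RADIUS/TACACS+ accounting server (constructed)."""
    name: str
    reachable: bool
    received: List[Record] = field(default_factory=list)

    def accept(self, rec: Record) -> bool:
        # An unreachable server never acknowledges the record.
        if not self.reachable:
            return False
        self.received.append(rec)
        return True


@dataclass
class AccountingConfig:
    login_mode: Mode = Mode.START_STOP
    command_mode: Optional[Mode] = None   # None: command accounting disabled
    config_commands_only: bool = False    # report only configuration commands
    broadcast: bool = False               # send to every server regardless of result


class Accounting:
    def __init__(self, cfg: AccountingConfig, servers: List[Server]):
        self.cfg = cfg
        self.servers = servers
        self.dropped: List[Record] = []   # records that no server acknowledged

    def _dispatch(self, rec: Record) -> int:
        """Deliver one record; return how many servers acknowledged it."""
        if self.cfg.broadcast:
            acked = sum(1 for s in self.servers if s.accept(rec))
        else:
            # Sequential mode: try servers in order, stop at the first success.
            acked = 0
            for s in self.servers:
                if s.accept(rec):
                    acked = 1
                    break
        if acked == 0:
            self.dropped.append(rec)
        return acked

    def _emit(self, mode: Optional[Mode], kind: str, event: str,
              user: str, detail: str, ts: int) -> None:
        # Disabled accounting sends nothing; STOP-ONLY suppresses START notices.
        if mode is None or (event == "START" and mode is Mode.STOP_ONLY):
            return
        self._dispatch(Record(kind, event, user, detail, ts))

    def login(self, user: str, ts: int) -> None:
        self._emit(self.cfg.login_mode, "login", "START", user, "session start", ts)

    def command(self, user: str, text: str, is_config: bool,
                ts_before: int, ts_after: int) -> None:
        if self.cfg.config_commands_only and not is_config:
            return
        mode = self.cfg.command_mode
        if mode is Mode.STOP_ONLY:
            # Per the section above, the single record is sent before the command is entered.
            self._emit(mode, "command", "STOP", user, text, ts_before)
        else:
            self._emit(mode, "command", "START", user, text, ts_before)
            self._emit(mode, "command", "STOP", user, text, ts_after)

    def logout(self, user: str, ts_login: int, ts: int) -> None:
        duration = f"duration={ts - ts_login}s"
        self._emit(self.cfg.login_mode, "login", "STOP", user, duration, ts)


def run_session(cfg: AccountingConfig, servers: List[Server]) -> Accounting:
    """One constructed operator session: login, two commands, logout."""
    acct = Accounting(cfg, servers)
    acct.login("operator", 100)
    acct.command("operator", "show version", False, 101, 102)
    acct.command("operator", "interface loopback 0", True, 110, 111)
    acct.logout("operator", 100, 120)
    return acct


def trace(server: Server) -> List[tuple]:
    """(kind, event) pairs in the order the server received them."""
    return [(r.kind, r.event) for r in server.received]
```

With both types in START-STOP mode and a single reachable server, `trace` reproduces the six notices of Figure 10-26 (login START, a START/STOP pair per command, login STOP); switching command accounting to STOP-ONLY yields the four notices of Figure 10-27. The `dropped` list shows why the note in (3) about unreachable servers matters: in sequential mode a dead primary only costs a retry against the secondary, but if every configured server is unreachable the records are lost.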

(3) Accounting Notes

When you configure RADIUS or TACACS+ accounting and aaa accounting, or change the IPv4 device address using the interface loopback command, any accounting events being sent or received, unsent events, and statistical records are cleared, and the accounting sequence restarts under the new settings.

If numerous users are entering commands and logging in and out in succession, some accounting events might not be logged due to the large volume of generated events.

To avoid overloading the Switch, servers, and network with a large volume of accounting events, ALAXALA Networks Corporation recommends that you set STOP-ONLY mode for command accounting. Take care not to specify a RADIUS or TACACS+ server that is likely to be unreachable.

If you clear the accounting statistics using the clear accounting operation command, statistics about accounting events sent to the servers are recorded again only after the accounting events that were in transit to a server at the time the clear accounting command was executed have been successfully transmitted.

If the servers are specified by host name and a DNS server is used to resolve them, name resolution can delay communication with the server for a long time. For this reason, ALAXALA Networks Corporation recommends that you specify the RADIUS and TACACS+ servers by IP address.