10.3.6 Account function
The Switch use the accounting functionality described below to record the results of authentication operations.
- <Structure of this section>
(1) Account log
MAC-based authentication accounting logs contain information about the use of MAC-based authentication services on the Switch. You can display the log information by using the show mac-authentication logging operation command.
The following table describes the events recorded as accounting log information.
|
Event |
Time |
MAC address |
VLAN ID |
Port number |
Message |
|---|---|---|---|---|---|
|
Successful authentication |
Time when authentication succeeded |
OK |
OK |
OK |
Authentication success |
|
Authentication status cleared |
Time when authentication status was cleared |
OK |
OK # |
OK # |
Authentication cleared |
|
Failed authentication |
Time when authentication failed |
OK |
OK # |
OK # |
Reason for failed authentication |
Legend: OK: Recorded
#: Might not be output depending on the message contents.
The Switch can store a maximum of 2100 lines of MAC-based authentication accounting log information. Upon reaching this limit, the switch starts overwriting the existing accounting information in order from the oldest.
(2) Recording RADIUS Servers to Accounting Features
You can enable the accounting functionality for the RADIUS server by using the aaa accounting mac-authentication configuration command. The accounting functionality records the following information:
-
Authentication information. The following information is recorded when authentication is successful:
Server timestamp, MAC address, VLAN ID
-
De-authentication information. The following information is recorded when the authentication status of a terminal is cleared:
Server timestamp, MAC address, VLAN ID, elapsed time between successful authentication and authentication cancellation
(3) Logging Credentials to RADIUS Servers
If you are using RADIUS authentication, the accounting functionality of the RADIUS server records the success or failure of authentication attempts. Note that the information that is recorded differs between RADIUS server implementations. For details, see the documentation for the RADIUS server deployed in your network.
(4) Logging Operations to syslog Servers
You can output the operation logs for MAC-based authentication to a syslog server. These operation logs include the MAC-based authentication accounting logs. The following figure shows the format of log output to the syslog server.
|
|
![[Figure Data]](./GRAPHICS/ZU208525.GIF)
You can start and stop output to syslog by using the mac-authentication logging enable and logging event-kind aut configuration commands.