Configuring Accounting
Once TACACS+ support is enabled on the router, you can configure TACACS+ accounting. Perform the following steps:
1. Specify AAA new model as the accounting method for your router.
   host1(config)#aaa new-model
2. Enable TACACS+ accounting on the router, and configure accounting method lists. For example:
   host1(config)#aaa accounting exec default start-stop tacacs+
   host1(config)#aaa accounting commands 0 listX stop-only tacacs+
   host1(config)#aaa accounting commands 1 listX stop-only tacacs+
   host1(config)#aaa accounting commands 13 listY stop-only tacacs+
   host1(config)#aaa accounting commands 14 default stop-only tacacs+
   host1(config)#aaa accounting commands 15 default stop-only tacacs+
3. (Optional) Specify that accounting records are not generated for users without explicit user names.
   host1(config)#aaa accounting suppress null-username
4. Apply accounting method lists to a console or lines. For example:
   host1(config)#line console 0
   host1(config-line)#accounting commands 0 listX
   host1(config-line)#accounting commands 1 listX
   host1(config-line)#accounting commands 13 listY
   host1(config-line)#exit
   host1(config)#line vty 0 4
   host1(config-line)#accounting commands 13 listY
Note that Exec accounting and User Exec mode commands accounting for privilege levels 14 and 15 are now enabled for all lines and consoles with the creation of their default method lists, as shown in Step 2.
aaa accounting commands
- Use to enable TACACS+ accounting and capture accounting
information for a specific JUNOSe privilege level on the router and
to create accounting method lists.
- Specify the JUNOSe privilege level (0 through 15) for
which to capture accounting information.
- Specify default to configure
the default method list, or configure a named method list. The default
method list is used by lines and consoles unless a named method list
is configured for them.
- Specify stop-only to send a
stop accounting notice at the end of a process and tacacs+ as the accounting protocol.
- Example
- host1(config)#aaa accounting commands 12 listX stop-only tacacs+
- Use the no version to delete
the accounting method list.
- See aaa accounting commands
aaa accounting exec
- Use to enable TACACS+ accounting and capture accounting information for User Exec terminal sessions on the router and to create accounting method lists.
- Specify default to configure
the default method list, or configure a named method list. The default
method list is used by lines and consoles unless a named method list
is configured for them.
- Specify start-stop to send
a start accounting notice at the beginning of a process and a stop
accounting notice at the end of a successful process. Specify tacacs+ as the accounting protocol.
- Example
- host1(config)#aaa accounting exec default start-stop tacacs+
- Use the no version to delete
the accounting method list.
- See aaa accounting exec
aaa accounting suppress null-username
- Use to prevent JUNOSe software from generating accounting
records for users who do not have explicit usernames.
- Example
- host1(config)#aaa accounting suppress null-username
- Use the no version to generate
accounting records for users with null usernames.
- See aaa accounting suppress null-username
aaa authentication enable default
- Use to allow privilege determination to be authenticated
through the TACACS+ server. This command specifies a list of authentication
methods that are used to determine whether a user is granted access
to the privilege command level.
- The authentication methods that you can use in a list
include these options: radius, line, tacacs+, none, and enable.
- To specify that the authentication
should succeed even if all methods return an error, specify none as the final method in the command line.
- Requests sent to a TACACS+ server include the username
that is entered for login authentication.
- If a default authentication routine is not set for a function,
the default is none, and no authentication
is performed.
- If the authentication method list is empty, the local enable password is used.
- Example
- host1(config)#aaa authentication enable default tacacs+ radius
- Use the no version to empty
the list.
- See aaa authentication enable default
aaa authentication login
- Use to set AAA authentication at login. This command creates
a list that specifies the methods of authentication.
- Once you specify aaa new-model as the authentication method for vty lines, an authentication list
called “default” is automatically assigned to the vty
lines. To allow users to access the vty lines, you must create an
authentication list and either:
- Name the list “default.”
- Assign a different name to the authentication list, and
assign the new list to the vty line using the login authentication command.
- The authentication methods that you can use in a list
include these options: radius, line, tacacs+, none, and enable.
- The router traverses the list of authentication methods
to determine whether a user is allowed to start a Telnet session.
If a specific method is available but the user information is not
valid (such as an incorrect password), the router does not continue
to traverse the list and denies the user a session.
- If a specific method is unavailable, the router continues to traverse the list. For example, if tacacs+ is the first authentication type element on the list and the TACACS+ server is unreachable, the router attempts to authenticate with the next authentication type on the list, such as radius.
- If the router reaches the end of the authentication list without finding an available method, it implicitly denies the user a session.
- Example
- host1(config)#aaa authentication login my_auth_list tacacs+ radius line none
- Use the no version to remove
the authentication list from your configuration.
- See aaa authentication login
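The list traversal described for aaa authentication login (and, with the same rules, for aaa authentication enable default) is modelled below. This is an added example, not JUNOSe code or output from the router: the outcome each method would produce is supplied as a constructed table, no TACACS+ or RADIUS server is contacted, and the names parse_login_list, traverse and scenarios are this example's own.

```python
# Added example (not JUNOSe code): a model of how the router walks an
# authentication method list such as the one created by
# "aaa authentication login my_auth_list tacacs+ radius line none" (and, with
# the same rules, "aaa authentication enable default ..."). The outcome each
# method would produce is a constructed table; no server is contacted.
from enum import Enum
import re

VALID_METHODS = ("radius", "line", "tacacs+", "none", "enable")


class Outcome(Enum):
    ACCEPT = "accept"            # method reachable and credentials valid
    REJECT = "reject"            # method reachable but credentials invalid
    UNAVAILABLE = "unavailable"  # method could not be consulted (server unreachable, ...)


def parse_login_list(cmd):
    """Parse "aaa authentication login <name> <method>..." into (name, methods)."""
    m = re.fullmatch(r"aaa authentication login (\S+)((?: \S+)+)", cmd.strip())
    if not m:
        raise ValueError(f"not an aaa authentication login command: {cmd!r}")
    methods = m.group(2).split()
    bad = [x for x in methods if x not in VALID_METHODS]
    if bad:
        raise ValueError(f"unknown authentication method(s): {bad}")
    return m.group(1), methods


def traverse(methods, outcomes):
    """Walk the list the way the text describes.

    Returns (decision, deciding_method):
      * an UNAVAILABLE method is skipped and the next one is tried;
      * the first reachable method decides: ACCEPT grants the session,
        REJECT denies it and the walk stops there;
      * 'none' always accepts, so as the final entry it turns "every method
        unavailable" into an accept;
      * running off the end of the list is an implicit deny.
    """
    for method in methods:
        if method == "none":
            return "accept", "none"
        result = outcomes.get(method, Outcome.UNAVAILABLE)
        if result is Outcome.ACCEPT:
            return "accept", method
        if result is Outcome.REJECT:
            return "deny", method
    return "deny", "end-of-list"


def scenarios():
    """The page's example list under the failure modes the text discusses.
    A method missing from the outcomes table counts as unavailable (for
    'line', read: no line password configured; a constructed assumption)."""
    _name, methods = parse_login_list(
        "aaa authentication login my_auth_list tacacs+ radius line none")
    strict = [m for m in methods if m != "none"]   # same list without the trailing none
    return {
        "tacacs_down_radius_ok": traverse(methods, {"tacacs+": Outcome.UNAVAILABLE,
                                                    "radius": Outcome.ACCEPT}),
        "tacacs_rejects": traverse(methods, {"tacacs+": Outcome.REJECT,
                                             "radius": Outcome.ACCEPT}),
        "all_down_with_none": traverse(methods, {}),
        "all_down_without_none": traverse(strict, {}),
    }


if __name__ == "__main__":
    for label, (decision, by) in scenarios().items():
        print(f"{label:24s} -> {decision} ({by})")
```

The last two scenarios are the ones worth checking before deploying a list: with none as the final method, a router that cannot reach any of its AAA servers still grants the session, whereas without it the same outage ends in the implicit deny. A rejected password at the first reachable method also ends the walk; the later methods are not consulted.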
aaa new-model
- Use to specify AAA new model as the authentication method
for the vty lines on your router.
- If you specify AAA new model and you do not create an
authentication list, users will not be able to access the router through
a vty line.
- Example
- host1(config)#aaa new-model
- Use the no version to restore
simple authentication (login and password).
- See aaa new-model
accounting
- Use to specify accounting method lists used on a console
or vty line. Consoles and lines are initially configured with the
default method list for all accounting service types (for example,
Exec, Commands).
- Specify exec to capture accounting
information for User Exec terminal sessions or commands to capture accounting information for User Exec mode commands at
the indicated JUNOSe privilege level (0 through 15).
- Specify the name of the method list to be applied to the
line or console.
- To disable accounting for a line or console, specify a
nonexisting accounting method list name (for example, noAccounting).
- Example
- host1(config)#accounting commands 12 listY
- Use the no version to restore
the default method list.
- See accounting
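The way the method lists created in Step 2 of the procedure above, the per-line accounting command and the "nonexisting list name disables accounting" rule combine is easy to get wrong on a line that has only some levels overridden. The model below is an added example, not JUNOSe code: SAMPLE_CONFIG is constructed from the commands in the procedure plus one constructed line (accounting commands 15 noAccounting on the vty lines), and the functions parse_config, effective_list and accounting_report are this example's own names.

```python
# Added example (not JUNOSe code): resolves which accounting method list a
# console or vty line actually uses for each service and privilege level.
# SAMPLE_CONFIG is constructed from the procedure on this page plus one extra
# line (accounting commands 15 noAccounting) to show how a list name with no
# matching "aaa accounting" definition switches accounting off.
import re

SAMPLE_CONFIG = """
aaa new-model
aaa accounting exec default start-stop tacacs+
aaa accounting commands 0 listX stop-only tacacs+
aaa accounting commands 1 listX stop-only tacacs+
aaa accounting commands 13 listY stop-only tacacs+
aaa accounting commands 14 default stop-only tacacs+
aaa accounting commands 15 default stop-only tacacs+
aaa accounting suppress null-username
line console 0
 accounting commands 0 listX
 accounting commands 1 listX
 accounting commands 13 listY
 exit
line vty 0 4
 accounting commands 13 listY
 accounting commands 15 noAccounting
"""

EXEC = "exec"
COMMANDS = "commands"


def parse_config(text):
    """Return (defined, bindings).

    defined  : set of (service, level, list_name) created by "aaa accounting".
    bindings : {(line, service, level): list_name} applied in line mode.
    level is None for the exec service.
    """
    defined = set()
    bindings = {}
    current_lines = []
    for raw in text.splitlines():
        cmd = raw.strip()
        m = re.fullmatch(r"aaa accounting exec (\S+) (?:start-stop|stop-only) tacacs\+", cmd)
        if m:
            defined.add((EXEC, None, m.group(1)))
            continue
        m = re.fullmatch(r"aaa accounting commands (\d+) (\S+) (?:start-stop|stop-only) tacacs\+", cmd)
        if m:
            defined.add((COMMANDS, int(m.group(1)), m.group(2)))
            continue
        m = re.fullmatch(r"line (console|vty) (\d+)(?: (\d+))?", cmd)
        if m:
            first, last = int(m.group(2)), int(m.group(3) or m.group(2))
            current_lines = [f"{m.group(1)} {n}" for n in range(first, last + 1)]
            continue
        if cmd == "exit":
            current_lines = []
            continue
        m = re.fullmatch(r"accounting exec (\S+)", cmd)
        if m:
            for line in current_lines:
                bindings[(line, EXEC, None)] = m.group(1)
            continue
        m = re.fullmatch(r"accounting commands (\d+) (\S+)", cmd)
        if m:
            for line in current_lines:
                bindings[(line, COMMANDS, int(m.group(1)))] = m.group(2)
            continue
        # Other commands (aaa new-model, suppress null-username, blank lines)
        # do not change which list a line uses.
    return defined, bindings


def effective_list(cfg, line, service, level=None):
    """Name of the list the line uses for this service/level, or None when
    accounting is off. A line uses the default list unless a named list was
    applied to it, and a name with no matching "aaa accounting" definition
    (for example noAccounting) disables accounting for that service/level."""
    defined, bindings = cfg
    name = bindings.get((line, service, level), "default")
    return name if (service, level, name) in defined else None


def accounting_report(cfg, line):
    """Map every accountable service/level on a line to its list (or None)."""
    return {
        EXEC: effective_list(cfg, line, EXEC),
        COMMANDS: {lvl: effective_list(cfg, line, COMMANDS, lvl) for lvl in range(16)},
    }


CONFIG = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    for line in ("console 0", "vty 2", "vty 7"):
        print(line, accounting_report(CONFIG, line))
```

Running it shows the point of the note after Step 4: vty 7, which the procedure never touches, still records Exec sessions and level 14 and 15 commands through the default lists, while vty 0 through 4 have level 15 accounting switched off by the constructed noAccounting binding and levels 2 through 12 record nothing anywhere because no list exists for them.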
line
- Use to open or configure console or vty lines.
- You can specify a single line or a range of lines. The range is 0 through 29 for vty lines, 0 for the console line.
- Example
- host1(config)#line vty 6 10
- host1(config-line)#
- Use the no version to remove
a line or a range of lines from the configuration. Lines that you
remove will no longer be available for use by telnet, FTP, or SSH.
When you remove a vty line, the router removes all lines above that
line. For example, no line vty 6 causes the router to remove lines 6 through 19. You cannot remove
lines 0 through 4.
- See line
login authentication
- Use to apply an authentication list to the vty lines
you specified on your router.
- Example
- host1(config-line)#login authentication my_auth_list
- Use the no version to specify
that the router should use the default authentication list.
- See login authentication
tacacs-server host
- Use to add or delete a host to or from the list of TACACS+
servers.
- You can optionally specify a nondefault port number, a
host-specific key, a single connection and a timeout interval.
- Use the primary keyword to
assign the host as the primary host.
- If a timeout value is specified, it overrides the global
timeout value set with the tacacs-server timeout command for this server only.
- You can configure additional hosts by using this command.
The designated primary host is always the first in the search order;
the remaining hosts are contacted in the order in which they were
created. If the primary host is deleted, or if you modify the primary
host without specifying the primary keyword,
the next host in the search order becomes the primary host. The search
order is maintained when the NAS is reloaded.
- Example
- host1(config)#tacacs-server host 192.168.1.27 port 10 timeout 3 key your_secret primary
- host1(config)#no tacacs-server host 192.168.1.27
- Use the no version to delete
the host from the list of TACACS+ servers.
- See tacacs-server host
tacacs-server key
- Use to set or reset the authentication encryption key
value shared by all TACACS+ servers that do not have a server-specific
key set up by the tacacs-server
host command.
- This key must match the key configured on the TACACS+
process.
- Leading spaces are ignored; however, spaces at the end
of the key are recognized. If you use spaces in the key, do not enclose
the key in quotation marks.
- Example
- host1(config)#tacacs-server key &# 889khj
- Use the no version to reset
a key value shared by all TACACS+ servers.
- See tacacs-server key
tacacs-server source-address
- Use to set or reset an alternative source address to be
used for TACACS+ server communications.
- Existing connections are not affected by this command.
- Example
- host1(config)#tacacs-server source-address 192.168.134.63
- Use the no version to remove
the address.
- See tacacs-server source-address
tacacs-server timeout
- Use to set the interval in seconds that the router waits for the server host to reply. The specified interval is shared by all TACACS+ servers that do not have a server-specific timeout set up by the tacacs-server host command.
- The timeout interval is between 1 and 300. The default
is 5 seconds.
- Example
- host1(config)#tacacs-server timeout 15
- Use the no version
to reset the timeout to the default.
- See tacacs-server timeout
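The search-order, primary-host and override rules spread across tacacs-server host, tacacs-server key and tacacs-server timeout are modelled together below. This is an added example, not JUNOSe code or router output: 192.168.1.27 is the page's own example address, the other addresses and the key values are constructed, and the class TacacsServerList and its methods are this example's own names.

```python
# Added example (not JUNOSe code): a model of the TACACS+ server list built by
# "tacacs-server host", "tacacs-server key" and "tacacs-server timeout",
# showing the search order, primary-host promotion and per-host overrides the
# text describes. 192.168.1.27 is the page's own example address; the other
# addresses and the keys are constructed for the walkthrough.

class TacacsServerList:
    def __init__(self):
        self.global_key = None       # "tacacs-server key"
        self.global_timeout = 5      # seconds; the page states 5 as the default
        self._hosts = []             # dicts, kept in creation order
        self._primary = None         # address of the designated primary host

    @staticmethod
    def _check_timeout(seconds):
        if not 1 <= seconds <= 300:
            raise ValueError("timeout must be between 1 and 300 seconds")

    def set_key(self, key):
        """Leading spaces are ignored; trailing spaces are part of the key."""
        self.global_key = key.lstrip(" ")

    def set_timeout(self, seconds):
        self._check_timeout(seconds)
        self.global_timeout = seconds

    def _find(self, address):
        return next((h for h in self._hosts if h["address"] == address), None)

    def _promote_next(self, leaving):
        """The next host in the search order takes over the primary role."""
        remaining = [h["address"] for h in self._hosts if h["address"] != leaving]
        self._primary = remaining[0] if remaining else None

    def add_host(self, address, port=None, key=None, timeout=None, primary=False):
        """tacacs-server host <address> [port N] [timeout N] [key K] [primary]

        Entering an address that already exists modifies that host. Modifying
        the primary host without the primary keyword hands the role to the
        next host in the search order, as the text describes.
        """
        if timeout is not None:
            self._check_timeout(timeout)
        host = self._find(address)
        if host is None:
            host = {"address": address}
            self._hosts.append(host)
        host.update(port=port, key=key, timeout=timeout)
        if primary:
            self._primary = address
        elif self._primary == address:
            self._promote_next(address)

    def delete_host(self, address):
        """no tacacs-server host <address>"""
        host = self._find(address)
        if host is None:
            raise KeyError(f"no such TACACS+ host: {address}")
        self._hosts.remove(host)
        if self._primary == address:
            self._promote_next(address)

    def primary_address(self):
        return self._primary

    def search_order(self):
        """Primary host first, then the others in the order they were created."""
        rest = [h["address"] for h in self._hosts if h["address"] != self._primary]
        return ([self._primary] if self._primary else []) + rest

    def effective(self, address):
        """(key, timeout) used for this host: host-specific values override
        the global "tacacs-server key" / "tacacs-server timeout" values."""
        host = self._find(address)
        if host is None:
            raise KeyError(f"no such TACACS+ host: {address}")
        key = host["key"] if host["key"] is not None else self.global_key
        timeout = host["timeout"] if host["timeout"] is not None else self.global_timeout
        return key, timeout


def walkthrough():
    """Replay the page's example host command plus two constructed hosts and
    return the list and the search order after each change."""
    s = TacacsServerList()
    s.set_timeout(15)                          # tacacs-server timeout 15
    s.set_key("  shared-global")               # leading spaces are dropped
    s.add_host("192.0.2.10")
    s.add_host("192.168.1.27", port=10, timeout=3, key="your_secret", primary=True)
    s.add_host("192.0.2.30")
    steps = {"after_primary": s.search_order()}
    s.add_host("192.168.1.27", port=10, timeout=3, key="your_secret")  # re-entered without primary
    steps["after_demotion"] = s.search_order()
    s.delete_host("192.0.2.10")
    steps["after_delete"] = s.search_order()
    return s, steps


if __name__ == "__main__":
    servers, steps = walkthrough()
    for name, order in steps.items():
        print(name, order)
    print("effective for 192.0.2.30:", servers.effective("192.0.2.30"))
```

The walkthrough reproduces the two cases the text calls out: re-entering the primary host's command without the primary keyword silently moves the primary role to the next host in the search order, and deleting the primary promotes the host that follows it. When auditing a router, compare the search order this model predicts against the running configuration rather than assuming the host you entered with primary is still first.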