
Securing the Corporate Network

Chapter Description

This sample chapter from Cisco Secure Internet Security Solutions explains how dial-in users can be authenticated using the local database. As an example, the chapter includes a basic AAA configuration. Next, the chapter takes an in-depth look at the AAA authentication process using a TACACS+ server. Finally, the chapter explores how IPSec can be used to secure VPNs coming into the network through the Internet.

AAA Accounting Setup

Sometimes a corporation wishes to keep track of which resources individuals or groups use. Examples include an IS department that charges other departments for access, or one company that provides internal support to another company. Whatever the motivation, AAA accounting provides the ability to track usage, such as dial-in access; to log the data gathered to a server database; and to produce reports from that data.

Although accounting is generally considered a network management or financial management issue, it is looked at briefly here because it is so closely linked with security. One security issue that accounting can address is creating a list of users and the time of day they choose to dial into the system. If, for example, the administrator knows that a worker logs onto the system in the middle of the night, this information can be used to further investigate the purpose of the login.

Another reason to implement accounting is to create a list of changes occurring on the network, who made the changes, and the exact nature of the changes. Knowing this information helps in the troubleshooting process if the changes cause unexpected results.
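The two uses just described, spotting logins at unusual hours and listing who changed what, are straightforward to automate once the records reach the accounting server. The following Python script is an added example and is not code from the book: it parses accounting records in a tab-separated layout modelled on the log written by a TACACS+ daemon such as tac_plus (timestamp, NAS address, user, port, remote address, start/stop, then attribute=value pairs), which is an assumption to adapt to your server's actual format. The sample records are constructed; the 07:00-19:00 working window and the list of read-only commands are assumptions to adjust. EXEC session records come from exec accounting; the per-command records (cmd=...) require the commands event type described in Table 10-6.

```python
"""Triage AAA accounting records collected by a TACACS+ server.

Added example, not code from the book. The record layout is an assumption
modelled on the tab-separated accounting log of a TACACS+ daemon such as
tac_plus: timestamp, NAS address, user, port, remote address, start|stop|update,
then attribute=value pairs. Adapt parse_records() to your server's format.
"""
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed sample records (not real data). Timestamps are in the NAS's local
# time. EXEC sessions produce start/stop pairs sharing a task_id; command
# accounting (the "commands" event type) produces one stop record per command.
SAMPLE_LOG = """\
Mon Feb 12 09:02:11 2001\t172.30.1.1\tjsmith\ttty2\tasync1\tstart\ttask_id=17\tservice=shell
Mon Feb 12 09:02:40 2001\t172.30.1.1\tjsmith\ttty2\tasync1\tstop\ttask_id=18\tservice=shell\tpriv-lvl=15\tcmd=show running-config
Mon Feb 12 09:31:05 2001\t172.30.1.1\tjsmith\ttty2\tasync1\tstop\ttask_id=17\tservice=shell\telapsed_time=1734
Tue Feb 13 02:47:19 2001\t172.30.1.1\tbjones\ttty3\tasync2\tstart\ttask_id=41\tservice=shell
Tue Feb 13 02:48:02 2001\t172.30.1.1\tbjones\ttty3\tasync2\tstop\ttask_id=42\tservice=shell\tpriv-lvl=15\tcmd=configure terminal
Tue Feb 13 02:48:30 2001\t172.30.1.1\tbjones\ttty3\tasync2\tstop\ttask_id=43\tservice=shell\tpriv-lvl=15\tcmd=access-list 101 permit ip any any
Tue Feb 13 02:55:44 2001\t172.30.1.1\tbjones\ttty3\tasync2\tstop\ttask_id=41\tservice=shell\telapsed_time=505
"""

# Commands treated as read-only when listing configuration changes (assumption;
# extend for your environment).
READ_ONLY_COMMANDS = {"show", "ping", "traceroute", "exit", "end", "logout"}


@dataclass
class Record:
    when: datetime
    nas: str
    user: str
    port: str
    remote: str
    kind: str                                   # start, stop or update
    attrs: dict = field(default_factory=dict)   # attribute=value pairs


def parse_records(text):
    """Parse accounting log text into Record objects; rejects malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 6:
            raise ValueError(f"malformed accounting record: {line!r}")
        ts, nas, user, port, remote, kind, *avpairs = fields
        attrs = dict(pair.split("=", 1) for pair in avpairs if "=" in pair)
        when = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")
        records.append(Record(when, nas, user, port, remote, kind, attrs))
    return records


def off_hours_logins(records, day_start=time(7, 0), day_end=time(19, 0)):
    """Session start records outside the expected working window (assumed 07:00-19:00)."""
    return [r for r in records
            if r.kind == "start" and not (day_start <= r.when.time() < day_end)]


def config_changes(records):
    """Command records that may alter the device, as (user, when, cmd) tuples."""
    changes = []
    for r in records:
        cmd = r.attrs.get("cmd")
        if cmd and cmd.split()[0] not in READ_ONLY_COMMANDS:
            changes.append((r.user, r.when, cmd))
    return changes


def session_durations(records):
    """Pair EXEC start/stop records by (nas, task_id); returns {task_id: seconds}."""
    starts = {(r.nas, r.attrs.get("task_id")): r.when
              for r in records if r.kind == "start"}
    durations = {}
    for r in records:
        key = (r.nas, r.attrs.get("task_id"))
        if r.kind == "stop" and key in starts:
            durations[key[1]] = int((r.when - starts[key]).total_seconds())
    return durations


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for r in off_hours_logins(recs):
        print(f"OFF-HOURS LOGIN  {r.when:%Y-%m-%d %H:%M}  {r.user} on {r.nas} {r.port}")
    for user, when, cmd in config_changes(recs):
        print(f"CHANGE           {when:%Y-%m-%d %H:%M}  {user}: {cmd}")
    for task_id, secs in session_durations(recs).items():
        print(f"SESSION {task_id}: {secs} s")
```

Run against the constructed log, the script flags bjones's 02:47 login, lists the two configuration commands bjones issued during that session, and reports the length of each EXEC session from the start/stop pair rather than trusting the elapsed_time attribute alone. Command records carry no start record, so the duration pairing naturally ignores them.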

AAA accounting is enabled with the aaa accounting command. Note that accounting records can be sent only to TACACS+ and RADIUS servers; there is no local accounting method, so an accounting server must be reachable for records to be kept. The full syntax of the aaa accounting command as used in this chapter follows (later IOS releases replace the bare tacacs+ and radius method keywords with group tacacs+, group radius, or a named server group, but the structure is the same):

aaa accounting event-type {default | list-name}
  {start-stop | wait-start | stop-only | none} method1 [method2]

event-type can be one of the event types shown in Table 10-6.

Table 10-6 AAA Accounting Event Types

Event Type: Description

commands level: Applies to all commands executed at the specified privilege level (0 to 15); one record is produced per command, which is what makes a change audit trail possible.

connection: Applies to all outbound connections made from the router, including Telnet, LAT, PAD, and so on.

exec: Runs accounting for user EXEC (shell) sessions.

network: Runs accounting for all network-related service requests, such as PPP and ARAP.

system: Runs accounting for system-level events that are not associated with a user, for example, a reload.


As with AAA authentication, either the keyword default or a list name is used. Next, the trigger is entered. The trigger specifies what actions cause accounting records to be updated. The list of possible triggers and their meanings is shown in Table 10-7.

Table 10-7 AAA Accounting Triggers

Trigger: Description

none: Disables accounting for this event type on the list; no records are sent.

start-stop: A start record is sent when the session begins, and the requested service starts immediately without waiting for the server to acknowledge that record (contrast wait-start). A stop record, which includes the session statistics, is sent when the session ends.

stop-only: A single stop record, including the session statistics, is sent when the session ends.

wait-start: A start record is sent when the session begins, but the requested service does not start until the accounting server acknowledges that record (contrast start-stop). A stop record, including the session statistics, is sent when the session ends. Because service waits for the acknowledgment, users cannot get service while the accounting server is unreachable; this guarantees a record of every session at the cost of availability.


The parameters method1 and method2 have only two possible values: tacacs+ and radius. Using tacacs+ sends the records to the configured TACACS+ server, while radius sends them to the configured RADIUS server. When both are listed, the second method is used only if the first server cannot be reached.

An example of using AAA accounting follows:

aaa new-model
!Enable the AAA model; required before any aaa command is accepted

tacacs-server host 172.30.1.50
!The TACACS+ server is at 172.30.1.50

tacacs-server key mysecretkey
!Shared secret used to encrypt the TACACS+ exchange with the server; it must match the key configured on the server

aaa accounting exec default start-stop tacacs+
!Send a start record when a user's EXEC (shell) session begins and a stop record, with the session
!statistics, when it ends; the default list applies to all lines and interfaces