Securing the Corporate Network

Chapter Description

This sample chapter from Cisco Secure Internet Security Solutions explains how dial-in users can be authenticated using the local database. As an example, the chapter includes a basic AAA configuration. Next, the chapter takes an in-depth look at the AAA authentication process using a TACACS+ server. Finally, the chapter explores how IPSec can be used to secure VPNs coming into the network through the Internet.

AAA Accounting Setup

Sometimes a corporation wishes to keep track of which resources individuals or groups use. Examples of this include when the IS department charges other departments for access, or one company provides internal support to another company. For whatever reason you choose, AAA accounting gives the ability to track usage, such as dial-in access; the ability to log the data gathered to a database; and the ability to produce reports on the data gathered.

Although accounting is generally considered a network management or financial management issue, it is looked at briefly here because it is so closely linked with security. One security issue that accounting can address is creating a list of users and the time of day they choose to dial into the system. If, for example, the administrator knows that a worker logs onto the system in the middle of the night, this information can be used to further investigate the purpose of the login.

Another reason to implement accounting is to create a list of changes occurring on the network, who made the changes, and the exact nature of the changes. Knowing this information helps in the troubleshooting process if the changes cause unexpected results.

AAA accounting is started with the aaa accounting command. Note that AAA accounting is currently supported only on TACACS+ and RADIUS servers. The full syntax of the aaa accounting command follows:

aaa accounting event-type {default | list-name}
  {start-stop | wait-start | stop-only | none} method1 [method2]

event-type can be one of the event types shown in Table 10-6.

Table 10-6 AAA Accounting Event Types

Event Type          Description
command {level}     Applies to all commands for the optionally specified level
connection          Applies to all outbound connections, including LAT, PAD, and so on
exec                Runs accounting for all user shell EXEC commands
network             Runs accounting for all network-related service requests such as PPP and ARAP
system              Runs accounting for system-related events that are not associated with users, for example, a reload command

As with AAA authentication, either the keyword default or a list name is used. Next, the trigger is entered. The trigger specifies what actions cause accounting records to be updated. The list of possible triggers and their meanings is shown in Table 10-7.

Table 10-7 AAA Authentication Triggers

Trigger       Meaning
none          Stops accounting on this interface.
start-stop    The accounting record is sent as soon as a session begins. This is in contrast to wait-start. Another accounting record (which includes the session statistics) is sent as soon as the session ends.
stop-only     A record is sent only when the session ends. This record includes the session statistics.
wait-start    The accounting record is sent when an acknowledgment is received from the server that a session has started. This is in contrast to start-stop. Another accounting record (which includes the session statistics) is sent as soon as the session ends.

The parameters method1 and method2 have only two possible values: tacacs+ and radius. The tacacs+ keyword sends the accounting records to a TACACS+ server, and the radius keyword sends them to a RADIUS server.

An example of using AAA accounting follows:

aaa new-model
!Set up for AAA

tacacs-server host
!The TACACS+ server is at

tacacs-server key mysecretkey
!Use the encrypted keys

aaa accounting exec start-stop tacacs+
!Start accounting whenever an exec command is issued
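The two security uses of accounting described earlier (a list of who logged in and at what time of day, and an audit trail of the commands that changed the network) depend on what the start-stop, stop-only and wait-start triggers actually deliver to the server: a start record, a stop record carrying the session statistics, or both. The script below is an added example, not taken from the book, from Cisco, or from any TACACS+ server software. It works on a constructed set of accounting records in a simple tab-separated layout assumed for the example (a real server's log format differs), pairs start and stop records into sessions, tolerates stop-only records that have no matching start, flags sessions that begin outside business hours, and lists the commands captured by command accounting.

```python
"""Summarise AAA accounting records: sessions, off-hours logins and command audit."""
import re
from datetime import datetime, time

# Constructed sample records (not a real server log). Fields, tab-separated:
# timestamp, NAS address, user, record type (start|stop), attribute list.
# Command accounting records are stop-only and carry a cmd= attribute but no task_id.
SAMPLE_RECORDS = """\
2024-03-04 08:55:12\t10.1.1.1\talice\tstart\tservice=shell task_id=101
2024-03-04 09:00:03\t10.1.1.1\talice\tstop\tservice=shell cmd=configure terminal
2024-03-04 09:00:15\t10.1.1.1\talice\tstop\tservice=shell cmd=interface Serial0
2024-03-04 09:02:40\t10.1.1.1\talice\tstop\tservice=shell task_id=101 elapsed_time=448 bytes_in=5120 bytes_out=20480
2024-03-04 02:13:08\t10.1.1.1\tbob\tstart\tservice=ppp task_id=202
2024-03-04 02:47:30\t10.1.1.1\tbob\tstop\tservice=ppp task_id=202 elapsed_time=2062 bytes_in=900000 bytes_out=120000
2024-03-04 23:58:00\t10.1.1.1\tcarol\tstart\tservice=shell task_id=303
"""

# key=value pairs; a value runs until the next " key=" token or end of line,
# so a multi-word command such as "cmd=configure terminal" stays intact.
ATTR_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_records(text):
    """Turn the tab-separated lines into dicts with a parsed timestamp and attributes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, nas, user, rtype, attrs = line.split("\t", 4)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "nas": nas, "user": user, "type": rtype,
            "attrs": dict(ATTR_RE.findall(attrs)),
        })
    return records


def pair_sessions(records):
    """Match start and stop records by (NAS, user, task_id).

    A stop record without a start (what stop-only produces) still yields a
    session, using the elapsed_time the server received; a start without a
    stop is reported as still open so a lost stop record is visible.
    """
    open_sessions, sessions = {}, []
    for rec in records:
        task = rec["attrs"].get("task_id")
        if task is None:
            continue  # command records are handled by command_audit()
        key = (rec["nas"], rec["user"], task)
        if rec["type"] == "start":
            open_sessions[key] = rec
        elif rec["type"] == "stop":
            start = open_sessions.pop(key, None)
            elapsed = rec["attrs"].get("elapsed_time")
            if elapsed is not None:
                elapsed = int(elapsed)
            elif start is not None:
                elapsed = int((rec["ts"] - start["ts"]).total_seconds())
            sessions.append({"user": rec["user"], "nas": rec["nas"], "task_id": task,
                             "service": rec["attrs"].get("service"),
                             "start": start["ts"] if start else None,
                             "stop": rec["ts"], "elapsed": elapsed})
    for (nas, user, task), start in open_sessions.items():
        sessions.append({"user": user, "nas": nas, "task_id": task,
                         "service": start["attrs"].get("service"),
                         "start": start["ts"], "stop": None, "elapsed": None})
    return sessions


def off_hours_logins(sessions, day_start=time(7, 0), day_end=time(19, 0)):
    """Return (user, timestamp) for sessions that began outside the working day."""
    flagged = []
    for s in sessions:
        began = s["start"] or s["stop"]  # stop-only sessions have no start timestamp
        if not (day_start <= began.time() < day_end):
            flagged.append((s["user"], began))
    return flagged


def command_audit(records):
    """Return (timestamp, user, command) for every command accounting record."""
    return [(r["ts"], r["user"], r["attrs"]["cmd"]) for r in records if "cmd" in r["attrs"]]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for s in pair_sessions(recs):
        state = "open" if s["stop"] is None else f"{s['elapsed']} s"
        print(f"{s['user']:6} task {s['task_id']} {s['service']:5} {state}")
    for user, began in off_hours_logins(pair_sessions(recs)):
        print(f"off-hours login: {user} at {began}")
    for ts, user, cmd in command_audit(recs):
        print(f"{ts} {user} ran: {cmd}")
```

The business-hours window is a parameter because the right one is site-specific; the point of the example is that the start record (start-stop or wait-start) is what gives you the login time immediately, while the statistics only arrive with the stop record, so a session that is still open shows up with no elapsed time rather than disappearing from the report.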