
RADIUS accounting, Configuring RADIUS accounting for CLI commands – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 71


Command authorization and accounting for console commands

The Brocade device supports command authorization and command accounting for CLI commands
entered at the console. To configure the device to perform command authorization and command
accounting for console commands, enter the following.

device(config)#enable aaa console

Syntax: [no] enable aaa console

CAUTION

If you have previously configured the device to perform command authorization using a RADIUS
server, entering the enable aaa console command may prevent the execution of any subsequent
commands entered on the console. This happens because RADIUS command authorization
requires a list of allowable commands from the RADIUS server. This list is obtained during
RADIUS authentication. For console sessions, RADIUS authentication is performed only if you
have configured Enable authentication and specified RADIUS as the authentication method (for
example, with the aaa authentication enable default radius command). If RADIUS authentication
is never performed, the list of allowable commands is never obtained from the RADIUS server.
Consequently, there would be no allowable commands on the console.

RADIUS accounting

Brocade devices support RADIUS accounting for recording information about user activity and system
events. When you configure RADIUS accounting on a Brocade device, information is sent to a RADIUS
accounting server when specified events occur, such as when a user logs into the device or the system
is rebooted.

Configuring RADIUS accounting for Telnet/SSH (Shell) access

To send an Accounting Start packet to the RADIUS accounting server when an authenticated user
establishes a Telnet or SSH session on the Brocade device, and an Accounting Stop packet when the
user logs out, enter the following command.

device(config)#aaa accounting exec default start-stop radius

Syntax: aaa accounting exec default start-stop [ radius | tacacs+ | none ]

Configuring RADIUS accounting for CLI commands

You can configure RADIUS accounting for CLI commands by specifying a privilege level whose
commands require accounting. For example, to configure the Brocade device to perform RADIUS
accounting for the commands available at the Super User privilege level (that is, all commands on the
device), enter the following command.

device(config)#aaa accounting commands 0 default start-stop radius

An Accounting Start packet is sent to the RADIUS accounting server when a user enters a command,
and an Accounting Stop packet is sent when the service provided by the command is completed.
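The following added example (not part of the Brocade guide) audits a saved configuration for the console lockout condition described in the CAUTION above and for missing RADIUS accounting. The sample configurations are constructed, the function names are hypothetical, and the `aaa authorization commands <level> default <methods>` syntax is an assumption because this page does not show it.

```python
import re

# Constructed running-config fragments for illustration (not from a real device).
RISKY_CONFIG = """\
aaa authorization commands 0 default radius
aaa accounting commands 0 default start-stop radius
enable aaa console
"""
SAFE_CONFIG = RISKY_CONFIG + """\
aaa authentication enable default radius
aaa accounting exec default start-stop radius
"""

def _methods(lines, pattern):
    """Return the method list of the first line matching pattern, else []."""
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            return m.group(1).split()
    return []

def audit_aaa(config):
    """Return a list of (severity, message) findings for a config text."""
    # Normalize whitespace; drop blanks, '!' comments and negated ('no ...') lines.
    lines = [" ".join(l.split()) for l in config.splitlines()]
    lines = [l for l in lines if l and not l.startswith(("!", "no "))]
    console_aaa = "enable aaa console" in lines
    # Assumption: command authorization is configured with
    # 'aaa authorization commands <level> default <methods>' (not shown on this page).
    authz = _methods(lines, r"aaa authorization commands \d+ default (.+)")
    enable_auth = _methods(lines, r"aaa authentication enable default (.+)")
    exec_acct = _methods(lines, r"aaa accounting exec default start-stop (.+)")
    cmd_acct = _methods(lines, r"aaa accounting commands \d+ default start-stop (.+)")
    findings = []
    if console_aaa and "radius" in authz and "radius" not in enable_auth:
        findings.append(("HIGH", "console lockout risk: RADIUS command authorization "
                         "applies to the console but Enable authentication does not use RADIUS"))
    if "radius" not in exec_acct:
        findings.append(("INFO", "Telnet/SSH sessions are not accounted to RADIUS"))
    if "radius" not in cmd_acct:
        findings.append(("INFO", "CLI commands are not accounted to RADIUS"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, audit_aaa(cfg))
```

Run it against a configuration export before applying `enable aaa console`, so the missing Enable authentication method is caught while a working session is still available.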


53-1003088-03