Brocade Network OS Administrator’s Guide v4.1.1 User Manual

Configuring TACACS+ accounting on the client side

Once the fundamentals of TACACS+ authentication support are configured on the client, a variety of
options are available for tracking user activity.

Client-side TACACS+ accounting overview

The TACACS+ protocol supports accounting as a function distinctly separate from authentication. You
can use TACACS+ for authentication only, for accounting only, or for both. With a TACACS+ server you
can track user logins and the commands users execute during a login session by enabling login
accounting, command accounting, or both.

If you are in logical chassis cluster mode, the configuration is applied to all nodes in the cluster.

• When login accounting is enabled, the switch sends a TACACS+ start accounting packet with
relevant attributes to the configured TACACS+ server when the user logs in, and a stop accounting
packet when the session terminates.

• When command accounting is enabled, the switch sends a TACACS+ stop accounting packet to
the server when the command execution completes. No TACACS+ start accounting packet is sent for
command accounting. Most configuration commands, show commands and non-configuration
commands such as firmware download will be tracked. Commands received through the NetConf
interface will also be tracked. For a listing of commands that are not accounted for, refer to
TACACS+ Accounting Exceptions on page 725.

If a TACACS+ server is used for both authentication and accounting, the switch first attempts to connect
to the TACACS+ server that was successfully used for authentication when sending accounting packets
to the server. If the TACACS+ server cannot be reached, the switch attempts to send the packets to the
next server on the list. Note that there is no fail back in this case. When the first TACACS+ server
becomes reachable again, the accounting packets continue to be sent to the second TACACS+ server.

If authentication is performed through some other mechanism, such as the switch-local database, a
RADIUS server, or an LDAP server, the switch will attempt to send the accounting packets to the first
configured TACACS+ server. If that server is unreachable, the switch will attempt to send the
accounting packets to subsequent servers in the order in which they are configured.
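The server-selection and start/stop behaviour described above, as an added simulation that is not part of the Brocade guide or of Network OS: the switch begins with the server that authenticated the session (or the first configured server for local, RADIUS or LDAP authentication), moves forward on failure, and never fails back. The assumption that the server list is walked forward only and does not wrap around is mine; server names and reachability are constructed inputs.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class AccountingClient:
    """Models how the switch picks a TACACS+ server for accounting packets.

    servers:     TACACS+ servers in the order configured on the switch.
    reachable:   servers that currently answer (constructed simulation input).
    auth_server: TACACS+ server that authenticated the user, or None when
                 authentication was local, RADIUS or LDAP.
    """
    servers: List[str]
    reachable: Set[str]
    auth_server: Optional[str] = None
    current: Optional[str] = field(init=False, default=None)

    def __post_init__(self) -> None:
        # Start at the authenticating server; otherwise at the first configured one.
        if self.auth_server in self.servers:
            self.current = self.auth_server
        else:
            self.current = self.servers[0]

    def send(self, record: str) -> Optional[str]:
        """Return the server that accepted `record`, or None if none is reachable.

        On failure the switch moves to the next configured server and stays there:
        there is no fail back when an earlier server recovers. Assumption (not in
        the guide): the list is walked forward only and does not wrap around.
        """
        start = self.servers.index(self.current)
        for srv in self.servers[start:]:
            if srv in self.reachable:
                self.current = srv  # sticky until this server fails as well
                return srv
        return None


def login_session(client: AccountingClient, commands: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Records one session produces: a login start and stop, plus one stop per
    command (command accounting sends no start packet). Returns (record, server)."""
    out = [("login-start", client.send("login-start"))]
    for cmd in commands:
        out.append((f"cmd-stop:{cmd}", client.send(f"cmd-stop:{cmd}")))
    out.append(("login-stop", client.send("login-stop")))
    return out
```

Because records stay on the secondary server after the primary recovers, collect and correlate accounting logs from every configured TACACS+ server rather than only the primary.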

Conditions for conformance

• Only login and command accounting is supported. System event accounting is not supported.

• You can use a TACACS+ server for accounting regardless of whether authentication is performed
through RADIUS, LDAP, TACACS+, or the switch-local user database. The only precondition is the
presence of one or more TACACS+ servers configured on the switch.

• No accounting can be performed if authentication fails.

• In command accounting, commands with a partial timestamp cannot be logged. For example, a
firmware download command issued with the reboot option will not be accounted for, because there
is no timestamp available for completion of this command.

Firmware downgrade considerations

Before downgrading to a version that does not support TACACS+ accounting, you must disable both
login and command accounting or the firmware download will fail with an appropriate error message.

Configuring TACACS+ accounting on the client

By default, accounting is disabled on the TACACS+ client (the switch) and you must explicitly enable
the feature. Enabling command accounting and login accounting on the TACACS+ client are two distinct

Network OS Administrator’s Guide, 53-1003225-04, page 289