Configuring radius accounting, Configuring radius accounting for cli commands – Brocade Virtual ADX Administration Guide (Supporting ADX v03.1.00) User Manual

Brocade Virtual ADX Administration Guide

53-1003249-01

Configuring RADIUS security

NOTE

If you have previously configured the device to perform command authorization using a RADIUS
server, entering the enable aaa console command may prevent the execution of any subsequent
commands entered on the console.

NOTE

This happens because RADIUS command authorization requires a list of allowable commands from
the RADIUS server. This list is obtained during RADIUS authentication. For console sessions, RADIUS
authentication is performed only if you have configured Enable authentication and specified RADIUS
as the authentication method (for example, with the aaa authentication enable default radius
command). If RADIUS authentication is never performed, the list of allowable commands is never
obtained from the RADIUS server. Consequently, there would be no allowable commands on the
console.

Configuring RADIUS accounting

Brocade Virtual ADX devices support RADIUS accounting for recording information about user
activity and system events. When you configure RADIUS accounting on a Brocade Virtual ADX,
information is sent to a RADIUS accounting server when specified events occur, such as when a
user logs into the device or the system is rebooted.

Configuring RADIUS accounting for Telnet or SSH (Shell) access

To send an Accounting Start packet to the RADIUS accounting server when an authenticated user
establishes a Telnet or SSH session on the Brocade Virtual ADX, and an Accounting Stop packet
when the user logs out, enter the following command.

Virtual ADX(config)#aaa accounting exec default start-stop radius

Syntax: aaa accounting exec default start-stop radius | tacacs+ | none

Configuring RADIUS accounting for CLI commands

You can configure RADIUS accounting for CLI commands by specifying a privilege level whose
commands require accounting. For example, to configure the Brocade Virtual ADX to perform
RADIUS accounting for the commands available at the Super User privilege level (that is, all
commands on the device), enter the following command.

Virtual ADX(config)#aaa accounting commands 0 default start-stop radius

An Accounting Start packet is sent to the RADIUS accounting server when a user enters a
command, and an Accounting Stop packet is sent when the service provided by the command is
completed.

NOTE

If authorization is enabled, and the command requires authorization, then authorization is
performed before accounting takes place. If authorization fails for the command, no accounting
takes place.
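
The console lockout condition from the earlier NOTE and the accounting commands above can be checked offline against a saved configuration. The following Python audit is an added example, not part of the Brocade guide; the function name audit_aaa, the severity labels, the sample configurations, and the line form "aaa authorization commands <level> default radius" are assumptions.

```python
import re

def audit_aaa(config_text):
    """Return (severity, message) findings for a pasted config or CLI transcript."""
    lines = []
    for raw in config_text.splitlines():
        line = re.sub(r"^.*\(config\)#\s*", "", raw.strip())  # drop CLI prompt
        if line and not line.startswith("!"):
            lines.append(" ".join(line.lower().split()))

    def methods(prefix):
        # Method list that follows `prefix` on the first matching line.
        return next((l[len(prefix):].split() for l in lines
                     if l.startswith(prefix + " ")), [])

    enable_auth = methods("aaa authentication enable default")
    exec_acct = methods("aaa accounting exec default start-stop")
    cmd_acct = {int(m.group(1)) for l in lines
                if (m := re.match(r"aaa accounting commands (\d+) default "
                                  r"start-stop\b.*\bradius\b", l))}
    # ASSUMPTION: RADIUS command authorization is configured with a line of the
    # form "aaa authorization commands <level> default radius" (not on the page).
    cmd_authz = any(re.match(r"aaa authorization commands \d+ default\b.*\bradius\b", l)
                    for l in lines)

    findings = []
    if "enable aaa console" in lines and cmd_authz and "radius" not in enable_auth:
        findings.append(("HIGH", "console lockout: command list is never fetched "
                                 "because Enable authentication does not use RADIUS"))
    if "radius" not in exec_acct:
        findings.append(("MEDIUM", "Telnet/SSH sessions are not sent to RADIUS accounting"))
    if not cmd_acct:
        findings.append(("MEDIUM", "CLI commands are not sent to RADIUS accounting"))
    elif 0 not in cmd_acct:
        findings.append(("LOW", "command accounting is not at level 0 (all commands)"))
    if cmd_authz and cmd_acct:
        findings.append(("INFO", "commands that fail authorization leave no accounting record"))
    return findings

# Constructed sample inputs, not taken from a real device.
RISKY = """
enable aaa console
aaa authentication enable default local
aaa authorization commands 0 default radius
Virtual ADX(config)#aaa accounting exec default start-stop radius
"""
FIXED = RISKY.replace("enable default local", "enable default radius local") + \
    "aaa accounting commands 0 default start-stop radius\n"

if __name__ == "__main__":
    for name, cfg in (("RISKY", RISKY), ("FIXED", FIXED)):
        print(name, audit_aaa(cfg))
```

The INFO finding reflects the NOTE above: accounting records alone will not show commands that were denied by authorization, so denied attempts have to be found in the RADIUS server's own authorization logs.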

Syntax: aaa accounting commands privilege-level default start-stop radius | tacacs | none

The privilege-level variable can be one of the following:

0 – Records commands available at the Super User level (all commands)