Cisco PIX 500 Series Configuration Manual page 373
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 19-15
Chapter 19  Applying AAA for Network Access
Configuring Accounting for Network Access

Step 1  If you want the security appliance to provide accounting data per user, you must enable authentication. For more information, see the "Enabling Network Access Authentication" section on page 19-3. If you want the security appliance to provide accounting data per IP address, enabling authentication is not necessary and you can continue to the next step.

Step 2  Using the access-list command, create an access list that identifies the source addresses and destination addresses of traffic you want accounted. For steps, see the "Adding an Extended Access List" section on page 16-5.

Note  The permit ACEs mark matching traffic for authorization, while deny entries exclude matching traffic from authorization.

Step 3  To enable accounting, enter the following command:

hostname(config)# aaa accounting match acl_name interface_name server_group

where the acl_name argument is the access list name set in the access-list command.
The interface_name argument is the interface name set in the nameif command.
The server_group argument is the server group name set in the aaa-server command.

Note  If you have configured authentication and want accounting data for all the traffic being authenticated, you can use the same access list you created for use with the aaa authentication match command. Alternatively, you can use the aaa accounting include command (which identifies traffic within the command), but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information.

The following commands authenticate, authorize, and account for inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization and accounting.

hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
hostname(config)# aaa accounting match SERVER_AUTH inside AuthOutbound
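The procedure above only works when every argument of aaa accounting match points at something already defined (the access list via access-list, the interface via nameif, the server group via aaa-server) and when aaa accounting match is not combined with aaa accounting include. The following Python linter checks those four rules over a saved configuration; it is an added example, not Cisco tooling, and it recognises only the line forms shown on this page. The configuration it parses is constructed from the page's example plus one deliberately dangling accounting line.

```python
import re

# Constructed sample: the page's example, with a nameif for "inside" added
# and one extra accounting line whose ACL, interface and group are undefined.
SAMPLE_CONFIG = """\
interface Ethernet1
 nameif inside
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.1
access-list TELNET_AUTH extended permit tcp any any eq telnet
access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
aaa authentication match TELNET_AUTH inside AuthOutbound
aaa authorization match SERVER_AUTH inside AuthOutbound
aaa accounting match SERVER_AUTH inside AuthOutbound
aaa accounting match SERVER_ACCT outside AuthInbound
"""

# aaa <authentication|authorization|accounting> match acl_name interface_name server_group
MATCH_RE = re.compile(r"^aaa (authentication|authorization|accounting) match (\S+) (\S+) (\S+)$")


def check_aaa_references(config: str) -> list[str]:
    """Return one finding per dangling reference or per match/include conflict."""
    acls, ifaces, groups = set(), set(), set()
    match_lines, include_seen = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            acls.add(line.split()[1])
        elif line.startswith("nameif "):
            ifaces.add(line.split()[1])
        elif line.startswith("aaa-server ") and " protocol " in line:
            groups.add(line.split()[1])          # group is defined by its protocol line
        elif line.startswith("aaa accounting include "):
            include_seen = True                  # only the prefix is checked, not the full syntax
        m = MATCH_RE.match(line)
        if m:
            match_lines.append(m.groups())
    findings = []
    for kind, acl, iface, group in match_lines:
        if acl not in acls:
            findings.append(f"aaa {kind} match: access list {acl!r} is not defined")
        if iface not in ifaces:
            findings.append(f"aaa {kind} match: interface {iface!r} has no nameif")
        if group not in groups:
            findings.append(f"aaa {kind} match: server group {group!r} is not defined")
    if include_seen and any(k == "accounting" for k, *_ in match_lines):
        findings.append("aaa accounting match and aaa accounting include cannot both be used")
    return findings


if __name__ == "__main__":
    for finding in check_aaa_references(SAMPLE_CONFIG):
        print(finding)
```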