TACACS+ is designed to use the Authentication, Authorization, and Accounting (AAA)
framework for device administration. Authentication confirms the user's identity
while authorization determines access to resources. To keep track of the services
provided during the user's session, accounting keeps a record of when services were
initiated and terminated, as well as any services in progress.
TACACS+ Accounting can be used as an auditing tool. The TACACS+ accounting records
contain all information used in authorization records, as well as
accounting-specific information such as start and stop times and resource usage
information. There are three types of TACACS+ accounting records:
The firewall uses the TACACS+ accounting client to communicate with your TACACS+
accounting server. The client follows RFC 8907 for connection and session
establishment with the accounting server and for the accounting packets that it
sends to and receives from the server. The TACACS+ accounting client uses an
accounting server profile that you select, and that server profile can contain more
than one accounting server.
The client selects the first server in the list where it can successfully establish a
connection and receive accounting records. The connection is cached until the client
is unable to send accounting records to the connected accounting server. If the
client cannot connect to the cached server, it attempts to connect to the next
accounting server in the server profile. If the client is unable to connect to any
of the servers in the server profile, it logs the failure as an error.
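The selection and failover behaviour described above, written out as an added example. This is not code from the original documentation or from the firewall vendor; it is a hypothetical client whose transport is injectable so the logic can be exercised offline. Assumptions beyond the text: servers are given as `host:port` strings (port 49 is the IANA TACACS+ port), the cached server's connection is reused until a send on it fails, and after the last server in the profile fails the search wraps around to the first.

```python
import logging
import socket
from typing import Callable, List, Optional

log = logging.getLogger("tacacs.acct")
TACACS_PORT = 49  # IANA-assigned port for TACACS+


class AccountingClient:
    """Hypothetical TACACS+ accounting client: first reachable server in profile
    order, connection cached, failover to the following servers, error logged
    when no server in the profile accepts the record."""

    def __init__(self, servers: List[str], connect: Optional[Callable[[str], object]] = None):
        self.servers = list(servers)            # order as in the server profile
        self._connect = connect or self._tcp_connect
        self.cached_server: Optional[str] = None
        self.cached_conn = None

    @staticmethod
    def _tcp_connect(server: str):
        host, _, port = server.partition(":")
        return socket.create_connection((host, int(port or TACACS_PORT)), timeout=5)

    def _candidates(self) -> List[str]:
        # Cached server first, then the rest of the profile (wrap-around assumed).
        if self.cached_server is None:
            return self.servers
        i = self.servers.index(self.cached_server)
        return self.servers[i:] + self.servers[:i]

    def _drop_cache(self) -> None:
        conn, self.cached_server, self.cached_conn = self.cached_conn, None, None
        if conn is not None and hasattr(conn, "close"):
            conn.close()

    def send(self, packet: bytes) -> bool:
        """Deliver one accounting packet; True on success, False if every server failed."""
        for server in self._candidates():
            conn = self.cached_conn if server == self.cached_server else None
            try:
                if conn is None:
                    conn = self._connect(server)
                conn.sendall(packet)
            except OSError as exc:
                log.warning("accounting server %s unusable: %s", server, exc)
                self._drop_cache()
                continue
            self.cached_server, self.cached_conn = server, conn   # cache the working server
            return True
        log.error("unable to send accounting record to any server in profile %s", self.servers)
        return False


class DemoTransport:
    """Constructed in-memory stand-in for TCP so the client can run offline."""

    def __init__(self, up):
        self.up = dict(up)       # server -> currently reachable?
        self.connects = []       # order of connection attempts
        self.delivered = []      # (server, packet) pairs that got through

    def connect(self, server):
        self.connects.append(server)
        if not self.up[server]:
            raise OSError(f"{server}: connection refused")
        return _DemoConn(self, server)


class _DemoConn:
    def __init__(self, transport, server):
        self.transport, self.server = transport, server

    def sendall(self, data):
        if not self.transport.up[self.server]:
            raise OSError(f"{self.server}: connection reset")
        self.transport.delivered.append((self.server, data))

    def close(self):
        pass


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    net = DemoTransport({"10.0.0.1:49": False, "10.0.0.2:49": True, "10.0.0.3:49": True})
    client = AccountingClient(list(net.up), connect=net.connect)
    print(client.send(b"record-1"), client.cached_server)
    net.up["10.0.0.2:49"] = False            # cached server goes away
    print(client.send(b"record-2"), client.cached_server)
```

The server addresses in the demo are constructed. Running it shows the first record going to the second server (the first refused the connection) and the second record failing over to the third once the cached connection breaks.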
You can configure a TACACS+ server profile for either
authentication or accounting but you cannot use the same profile for both
authentication and accounting. If you need to use the same TACACS+ server for
accounting and authentication, you must configure two profiles containing the same
server information, then configure one profile for authentication and the second
profile for accounting.
The TACACS+ accounting client supports the following arguments:
If you use TACACS+ for Device Administration, all TACACS+ client devices must be
configured to send an accounting start packet for each command that is entered,
regardless of how the commands were authorized. The Command Accounting packet must
include the service and cmd arguments and, if necessary, the cmd-arg arguments
described in Section 8.2 of RFC 8907.
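The Command Accounting packet just described, built and decoded as an added example (not code from the original documentation or from the firewall vendor). It encodes an RFC 8907 accounting REQUEST for a single command, applies the section 4.5 body obfuscation with the shared key, and then parses the packet back the way an accounting server or auditor would, checking that a START record carries the service and cmd arguments. The key, user, port, remote address and `task_id` values are constructed; `service=shell` is assumed as the service name and `task_id` is included as the argument RFC 8907 defines for pairing START and STOP records.

```python
import hashlib
import os
import struct

# Constants from RFC 8907 (names as in the RFC)
TAC_PLUS_MAJOR_VER, TAC_PLUS_MINOR_VER_DEFAULT = 0xC, 0x0
TAC_PLUS_ACCT = 0x03                      # header type: accounting
TAC_PLUS_ACCT_FLAG_START, TAC_PLUS_ACCT_FLAG_STOP, TAC_PLUS_ACCT_FLAG_WATCHDOG = 0x02, 0x04, 0x08
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

HEADER_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT   # 0xC0


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: chained MD5 digests of session_id, key,
    version and seq_no, each digest feeding the next, truncated to the body length."""
    fixed = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(fixed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, key, session_id, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the clear body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def arg_name(arg):
    """Name part of an argument: '=' marks a mandatory argument, '*' an optional one."""
    sep = min((arg.find(c) for c in "=*" if c in arg), default=len(arg))
    return arg[:sep]


def command_accounting_args(cmd, cmd_args, task_id):
    """Arguments for one Command Accounting record: service, cmd, one cmd-arg per
    command argument, plus task_id (constructed value) to pair START with STOP."""
    return ["service=shell", f"cmd={cmd}"] + [f"cmd-arg={a}" for a in cmd_args] + [f"task_id={task_id}"]


def build_acct_request(flags, user, port, rem_addr, args, priv_lvl=15):
    """Clear accounting REQUEST body (RFC 8907 section 7.1): nine fixed bytes,
    one length byte per argument, then user, port, rem_addr and the arguments."""
    fields = [s.encode() for s in (user, port, rem_addr)]
    arg_bytes = [a.encode() for a in args]
    if any(len(f) > 255 for f in fields + arg_bytes) or len(arg_bytes) > 255:
        raise ValueError("field or argument count too large for a one-byte length")
    head = struct.pack("!9B", flags, TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       *(len(f) for f in fields), len(arg_bytes))
    return head + bytes(len(a) for a in arg_bytes) + b"".join(fields) + b"".join(arg_bytes)


def build_packet(body, key, session_id, seq_no=1):
    """Prepend the 12-byte header and obfuscate the body for the wire."""
    header = struct.pack(HEADER_FMT, VERSION, TAC_PLUS_ACCT, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, key, session_id, VERSION, seq_no)


def parse_packet(packet, key):
    """Decode an accounting REQUEST as the accounting server (or an auditor) sees it."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_ACCT:
        raise ValueError(f"not an accounting packet (type {ptype:#x})")
    body = obfuscate(packet[HEADER_LEN:HEADER_LEN + length], key, session_id, version, seq_no)
    if len(body) != length:
        raise ValueError("truncated packet")
    acct_flags, _meth, priv_lvl, _atype, _asvc, ulen, plen, rlen, argc = struct.unpack("!9B", body[:9])
    off = 9
    arg_lens, off = body[off:off + argc], off + argc
    user, off = body[off:off + ulen].decode(), off + ulen
    port, off = body[off:off + plen].decode(), off + plen
    rem_addr, off = body[off:off + rlen].decode(), off + rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return {"session_id": session_id, "flags": acct_flags, "priv_lvl": priv_lvl,
            "user": user, "port": port, "rem_addr": rem_addr, "args": args}


def is_valid_command_accounting(record):
    """The rule from the text: a START record that carries service and cmd arguments."""
    names = {arg_name(a) for a in record["args"]}
    return bool(record["flags"] & TAC_PLUS_ACCT_FLAG_START) and {"service", "cmd"} <= names


if __name__ == "__main__":
    key = b"constructed-shared-secret"                 # constructed, not a real secret
    sid = struct.unpack("!I", os.urandom(4))[0]
    body = build_acct_request(TAC_PLUS_ACCT_FLAG_START, "admin", "ssh", "192.0.2.10",
                              command_accounting_args("show", ["running-config"], "1001"))
    print(parse_packet(build_packet(body, key, sid), key))
```

The parser only recovers a sensible record when the shared key matches, which is the check a collector performs implicitly: a record that fails to decode is a sign of a key mismatch between client and server rather than of a malformed command.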