aaa accounting for a VPN

Status
Not open for further replies.

eclidad

Technical User
Jan 5, 2005
81
Hi,

I'd like to use aaa to keep track of usage on our VPN. I'm not seeing records go to our RADIUS server when users log in and log out. I do get them when I telnet to the router to look at the config. This is what we have.

aaa new-model
aaa authentication login default local
aaa authentication login userauthen group radius local
aaa authorization exec default local
aaa authorization network groupauthor local
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius

radius-server host 192.168.3.20 auth-port 1645 acct-port 1646
crypto map clientmap client authentication list userauthen

The VPN is on FastEthernet0/1 which goes to a cable modem. We do not need PPP, SLIP, etc. on this port. What's missing in my incantation to see these records?

Thanks,
- Joel
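As an added example (not from this thread, the poster's router, or Cisco), here is a small Python script that constructs the kind of RADIUS Accounting-Request Start/Stop records the two "aaa accounting ... start-stop group radius" lines above are meant to send for a VPN session, verifies each record's Request Authenticator against the shared secret as the accounting server does (RFC 2866), and tallies sessions by Acct-Session-Id. The shared secret, the user name, the NAS address 192.168.3.1 and the assigned address 10.10.10.5 are all constructed values; a record built with the wrong secret is included to show that it is rejected rather than counted.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code for Accounting-Request

# Attribute types from RFC 2865 / RFC 2866
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_INPUT_OCTETS = 42
ATTR_ACCT_OUTPUT_OCTETS = 43
ATTR_ACCT_SESSION_ID = 44
ATTR_ACCT_SESSION_TIME = 46

ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
INTEGER_ATTRS = {ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_INPUT_OCTETS,
                 ATTR_ACCT_OUTPUT_OCTETS, ATTR_ACCT_SESSION_TIME}
IPADDR_ATTRS = {ATTR_NAS_IP_ADDRESS, ATTR_FRAMED_IP_ADDRESS}


def encode_attr(attr_type, value):
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    if attr_type in INTEGER_ATTRS:
        raw = struct.pack("!I", value)
    elif attr_type in IPADDR_ATTRS:
        raw = bytes(int(o) for o in value.split("."))
    else:
        raw = value.encode()
    return struct.pack("!BB", attr_type, len(raw) + 2) + raw


def build_accounting_request(identifier, attrs, secret):
    """Build an Accounting-Request. The Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + attributes + shared secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request_authenticator(packet, secret):
    """True only if the record was produced with our shared secret."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_accounting_request(packet, secret):
    """Return (identifier, {attr_type: value}); raise ValueError if unverifiable."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    if not verify_request_authenticator(packet, secret):
        raise ValueError("Request Authenticator mismatch (wrong secret or forged)")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        raw = packet[pos + 2:pos + attr_len]
        if attr_type in INTEGER_ATTRS:
            if len(raw) != 4:
                raise ValueError("bad integer attribute")
            attrs[attr_type] = struct.unpack("!I", raw)[0]
        elif attr_type in IPADDR_ATTRS:
            attrs[attr_type] = ".".join(str(b) for b in raw)
        else:
            attrs[attr_type] = raw.decode("utf-8", "replace")
        pos += attr_len
    return identifier, attrs


def session_ledger(packets, secret):
    """Pair Start/Stop records by Acct-Session-Id into a usage ledger.
    Returns (ledger, rejected); records failing verification are counted, not recorded."""
    ledger, rejected = {}, 0
    for pkt in packets:
        try:
            _, attrs = parse_accounting_request(pkt, secret)
        except ValueError:
            rejected += 1
            continue
        sid = attrs.get(ATTR_ACCT_SESSION_ID, "?")
        entry = ledger.setdefault(sid, {"user": attrs.get(ATTR_USER_NAME),
                                        "state": None, "seconds": 0, "octets": 0})
        entry["state"] = ACCT_STATUS.get(attrs.get(ATTR_ACCT_STATUS_TYPE), "Unknown")
        if entry["state"] == "Stop":
            entry["seconds"] = attrs.get(ATTR_ACCT_SESSION_TIME, 0)
            entry["octets"] = (attrs.get(ATTR_ACCT_INPUT_OCTETS, 0)
                               + attrs.get(ATTR_ACCT_OUTPUT_OCTETS, 0))
    return ledger, rejected


# Constructed sample: one VPN session for "jdoe" from a hypothetical NAS at
# 192.168.3.1, plus a record built with the wrong secret (should be rejected).
SECRET = b"constructed-shared-secret"
COMMON = [(ATTR_USER_NAME, "jdoe"), (ATTR_NAS_IP_ADDRESS, "192.168.3.1"),
          (ATTR_FRAMED_IP_ADDRESS, "10.10.10.5"), (ATTR_ACCT_SESSION_ID, "00000042")]
START = build_accounting_request(7, COMMON + [(ATTR_ACCT_STATUS_TYPE, 1)], SECRET)
STOP = build_accounting_request(8, COMMON + [(ATTR_ACCT_STATUS_TYPE, 2),
                                             (ATTR_ACCT_SESSION_TIME, 1800),
                                             (ATTR_ACCT_INPUT_OCTETS, 12000),
                                             (ATTR_ACCT_OUTPUT_OCTETS, 34000)], SECRET)
FORGED = build_accounting_request(9, COMMON + [(ATTR_ACCT_STATUS_TYPE, 1)], b"wrong-secret")

if __name__ == "__main__":
    ledger, rejected = session_ledger([START, STOP, FORGED], SECRET)
    for sid, entry in ledger.items():
        print(sid, entry)
    print("rejected:", rejected)
```

When troubleshooting a setup like the one above, the useful check is whether any Accounting-Request at all reaches the server on the accounting port the router is configured for (the post uses the legacy acct-port 1646; RFC 2866 assigns 1813), and whether the ones that arrive are exec records from the telnet session or network records carrying the VPN user's session id. A record whose authenticator does not verify is either a secret mismatch between router and server or not from your router at all, which is why the ledger refuses to count it.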

Direct from CCO:

aaa accounting
To enable, disable, or view TACACS+ or RADIUS user accounting (on a server designated by the aaa-server host command), use the aaa accounting command in global configuration mode. To disable these functions, use the no form of this command.

aaa accounting {include | exclude} service interface-name local-ip local-mask foreign-ip foreign-mask server-tag

no aaa accounting {include | exclude} service interface-name local-ip local-mask foreign-ip foreign-mask server-tag

aaa accounting {include | exclude} service interface-name server-tag

no aaa accounting {include | exclude} service interface-name server-tag

Syntax Description
exclude
Create an exception to a previously stated rule by excluding the specified service from accounting. The exclude parameter allows the user to specify a service or protocol/port to exclude to a specific host or hosts.

foreign-ip
Specify the IP address of the hosts you want to access the local-ip address. Use 0 to mean all hosts. The foreign-ip address is always on the lowest security-level interface.

foreign-mask
Specify the network mask of foreign-ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

interface-name
Specify the interface name from which users require authentication. Use interface-name in combination with the local-ip address and the foreign-ip address to determine where access is sought and from whom.

include
Create a new rule with the specified service to include.

local-ip
Specify the IP address of the host or network of hosts that you want to be authenticated or authorized. Set this address to 0 to mean all hosts and to let the authentication server decide which hosts are allowed access. The local-ip address is always on the highest security-level interface.

local-mask
Specify the network mask of local-ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

server-tag
Specify the AAA server group tag defined by the aaa-server host command.

service
The services/access method that should be accounted for. Accounting is provided for all services, or you can limit it to one or more services. Possible values are enable, http, serial, ssh, telnet, or protocol/port. Use enable to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form.



"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts