Administrator Guide

Consider the following when creating a user role:
Only the system administrator and user-defined roles inherited from the system administrator can create roles
and usernames. Only the system administrator, security administrator, and roles inherited from these can use
the role command to modify command permissions. The security administrator and roles inherited by
security administrator can only modify permissions for commands they already have access to.
Make sure you select the correct role you want to inherit.
NOTE: If you inherit a user role, you cannot modify or delete the inheritance. If you want to change
or remove the inheritance, delete the user role and create it again. If the user role is in use, you
cannot delete the user role.
AAA Accounting Commands
AAA Accounting enables tracking of services that users are accessing and the amount of network resources being consumed by those
services. When you enable AAA Accounting, the network server reports user activity to the TACACS+ security server in the form of
accounting records. Each accounting record is comprised of accounting AV pairs and is stored on the access control server.
As with authentication and authorization, you must configure AAA Accounting by defining a named list of accounting methods, and then
applying that list to various interfaces.
aaa accounting
Enable AAA Accounting and create a record for monitoring the accounting function.
C9000 Series
Syntax
aaa accounting {commands {level | role role-name} | dot1x | exec | rest |
suppress | system} {name | default} {start-stop | wait-start | stop-only}
{radius | tacacs+}
To disable AAA Accounting, use the no aaa accounting {commands {level | role role-name} |
dot1x | exec | rest | suppress | system} {name | default} {start-stop | wait-start |
stop-only} {radius | tacacs+} command.
Parameters
system
    Enter the keyword system to send accounting information of any other AAA
    configuration.
exec
    Enter the keyword exec to send accounting information when a user has logged in to
    EXEC mode.
dot1x
    Enter the keyword dot1x to send accounting information when a dot1x user has logged
    in.
commands {level | role role-name}
    Enter the keyword commands then a privilege level for accounting of commands executed
    at that privilege level, or enter the keyword role then the role name for accounting of
    commands executed by a user with that user role.
dot1x
    Enter the keyword dot1x for dot1x events.
name | default
    Enter one of the following:
    For name, enter a user-defined name of a list of accounting methods.
    For default, the default accounting methods are used.
start-stop
    Enter the keywords start-stop to send a “start accounting” notice at the beginning of
    the requested event and a “stop accounting” notice at the end of the event.
wait-start
    Enter the keywords wait-start to ensure that the TACACS+ security server
    acknowledges the start notice before granting the user’s process request.
stop-only
    Enter the keywords stop-only to instruct the TACACS+ security server to send a
    “stop record accounting” notice at the end of the requested user process.
radius
    Enter the keyword radius to use RADIUS service for exec and dot1x accounting.
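The following Python sketch is an added example, not part of this guide or the vendor's tooling. It parses aaa accounting lines according to the Syntax line above and reports settings that weaken the audit trail. The sample configuration, the placeholder role name netadmin, and the policy of which event types must be covered are assumptions of the example.

```python
TYPES = {"dot1x", "exec", "rest", "suppress", "system"}  # keywords from the Syntax line
MODES = {"start-stop", "wait-start", "stop-only"}
SERVERS = {"radius", "tacacs+"}
REQUIRED = ("commands", "exec")  # assumption: event types this audit insists on

def parse_accounting(line):
    """Parse one 'aaa accounting ...' line into a dict, or raise ValueError."""
    tok = line.split()
    if tok[:2] != ["aaa", "accounting"] or len(tok) < 3:
        raise ValueError("not an aaa accounting line")
    kind, target, rest = tok[2], None, tok[3:]
    if kind == "commands":
        if len(rest) >= 2 and rest[0] == "role":      # commands role role-name
            target, rest = "role " + rest[1], rest[2:]
        elif rest and rest[0].isdigit():              # commands level
            target, rest = "level " + rest[0], rest[1:]
        else:
            raise ValueError("commands needs a level or 'role role-name'")
    elif kind not in TYPES:
        raise ValueError("unknown accounting type: " + kind)
    if len(rest) != 3 or rest[1] not in MODES or rest[2] not in SERVERS:
        raise ValueError("expected: list-name mode server")
    return {"kind": kind, "target": target, "list": rest[0],
            "mode": rest[1], "server": rest[2]}

def audit(config_text):
    """Return findings for the aaa accounting lines in a configuration."""
    findings, seen = [], set()
    for line in map(str.strip, config_text.splitlines()):
        if not line.startswith("aaa accounting"):
            continue
        try:
            rec = parse_accounting(line)
        except ValueError as err:
            findings.append(f"{line}: {err}")
            continue
        seen.add(rec["kind"])
        if rec["server"] == "radius" and rec["kind"] not in ("exec", "dot1x"):
            findings.append(f"{line}: radius is described only for exec and dot1x")
        if rec["mode"] == "stop-only":
            findings.append(f"{line}: stop-only sends no start notice")
    findings += [f"no accounting list for {k}" for k in REQUIRED if k not in seen]
    return findings

SAMPLE = """\
aaa accounting exec default start-stop tacacs+
aaa accounting commands role netadmin default stop-only tacacs+
aaa accounting system default start-stop radius
"""  # constructed sample; 'netadmin' is a placeholder role name
```

Calling audit(SAMPLE) returns two findings: the stop-only command accounting list and the system list that points at radius.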