Accounting Scheme
An accounting scheme is used to define a user accounting method. An accounting scheme is applied to a domain. It is combined with the authentication scheme, authorization scheme, and server template in the domain for user authentication, authorization, and accounting.
Accounting Methods Supported by a Device
- RADIUS accounting: A RADIUS server is used to perform user accounting.
- HWTACACS accounting: An HWTACACS server is used to perform user accounting.
- Non-accounting: Users can access a network without being charged.
Order in Which Accounting Methods Take Effect
You can only specify an accounting method at one time in an accounting scheme.
RADIUS accounting packets in RADIUS Packets indicate that accounting packets are divided into Accounting-Request and Accounting-Response packets. Accounting succeeds if each Accounting-Request packet sent by a device is responded by the server with an Accounting-Response packet. If no Accounting-Response packet is received
from the server, accounting fails.
After the accounting function is enabled, the device sends Accounting-Request packets recording user activities to the AAA server. The AAA server then performs user accounting and auditing based on information in the packets. Take RADIUS accounting as an example. Accounting-Request packets are divided into three types:
- Accounting-Request (Start) packet: When a user is successfully authenticated and begins to access network resources, the device sends an Accounting-Request (Start) packet to the RADIUS server.
- Accounting-Request (Stop) packet: When a user is disconnected proactively (or forcibly by the NAS), the device sends an Accounting-Request (Stop) packet to the server.
- Accounting-Request (Interim-update) packet: To reduce accounting deviation and ensure that the accounting server can receive Accounting-Request (Stop) packets and stop user accounting, you can configure the real-time accounting function on the device. In this case, the device periodically sends an Accounting-Request (Interim-update) packet to the RADIUS server.
Typically, each Accounting-Request packet sent by a device is responded by the server with an Accounting-Response packet. If the device does not receive a corresponding Accounting-Response packet due to network faults, accounting fails. In this case, the device determines whether the user can still be online depending on the type of the Accounting-Request packet as follows:
- Accounting-start failure: The user goes offline by default.
- Real-time accounting failure: The user is allowed to be online by default.
- stop_acct_fail: The device retransmits the Accounting-Request(Stop) packet.