aaa accounting exec default start-stop group tacacs+
Enables AAA accounting for all EXEC shell sessions (user login/logout) and sends accounting records to a TACACS+ server group for auditing or billing.
aaa accounting exec default start-stop group tacacs+When to Use This Command
- Track user login and logout times for security auditing in a corporate network.
- Generate billing records for customer access to a managed router or switch.
- Comply with regulatory requirements by logging all administrative access to network devices.
- Monitor failed login attempts by combining with login authentication failure accounting.
Command Examples
Basic AAA Accounting for EXEC Sessions
aaa accounting exec default start-stop group tacacs+Router(config)# aaa accounting exec default start-stop group tacacs+ Router(config)#
No output is displayed upon successful configuration. The command enables accounting for all EXEC sessions using the default method list, with start-stop logging to the TACACS+ server group.
Verifying AAA Accounting Configuration
show aaa accountingAAA Accounting method lists: exec default start-stop group tacacs+ commands default stop-only group tacacs+ connection default start-stop group tacacs+ network default start-stop group tacacs+ system default start-stop group tacacs+ resource default stop-only group tacacs+
The output lists all configured accounting method lists. The 'exec' line shows that EXEC accounting uses the default list with start-stop mode and TACACS+ group. Other lines show additional accounting types if configured.
Understanding the Output
The 'show aaa accounting' command displays the configured accounting method lists. Each line corresponds to a type of accounting (exec, commands, connection, network, system, resource). The 'default' keyword indicates the method list name. The mode (start-stop, stop-only, wait-start) defines when records are sent. 'group tacacs+' specifies the server group. In a real network, you would verify that the correct accounting type is present and that the server group matches your TACACS+ configuration. If no output appears for a type, accounting is not enabled for that activity. Good configuration shows all desired types with correct mode and group. Watch for missing types or incorrect group names that could cause accounting failures.
CCNA Exam Tips
CCNA exam tip: The 'default' in 'aaa accounting exec default' is the method list name, not a keyword; you can create custom lists like 'aaa accounting exec MYLIST start-stop group tacacs+'.
CCNA exam tip: 'start-stop' sends a 'start' record when the session begins and a 'stop' record when it ends; 'stop-only' sends only a stop record; 'wait-start' delays access until the start record is acknowledged.
CCNA exam tip: AAA accounting does not affect authentication or authorization; it only logs activity. You must also configure 'aaa authentication login' and 'aaa authorization exec' for full AAA.
CCNA exam tip: The TACACS+ server must be reachable and configured with 'tacacs-server host' and 'key' commands, otherwise accounting records will not be sent.
Common Mistakes
Mistake 1: Forgetting to configure the TACACS+ server with 'tacacs-server host' and 'key', causing accounting records to fail silently.
Mistake 2: Using 'stop-only' instead of 'start-stop' when you need both login and logout records, missing the start event.
Mistake 3: Applying the command without also enabling 'aaa new-model', which is required for all AAA commands to take effect.
Related Commands
aaa authentication login default group radius local
Configures AAA authentication for login using a RADIUS server group as the primary method, falling back to local authentication if the RADIUS server is unreachable.
aaa authorization exec default group tacacs+ local
Configures AAA authorization for EXEC sessions, using TACACS+ as the primary method and local authentication as fallback, to control user access to the CLI after authentication.
aaa new-model
Enables AAA (Authentication, Authorization, and Accounting) security services on a Cisco device, required before configuring any AAA commands.
Practice for the CCNA 200-301
Test your knowledge with hundreds of CCNA practice questions covering all exam domains.
Practice CCNA Questions