03-29-2005 03:46 PM - edited 03-10-2019 02:05 PM
I have tried to add a VSA to enable a Packeteer to authenticate using RADIUS on the ACS.
Using RDBMS synchronization to import the csv file below.
SequenceId,Priority,GroupName,Action,ValueName ,Value1,Value2,Value3
1,1,External,163,26,access=look,2334,1
The group name is 'External', Action is 163 which corresponds to ADD_RADIUS_ATTR.
From RDBMS Synchronization Import Definitions (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/ag.htm#wp35130)
To add a vendor-specific attribute (VSA), set VN = "26" and use V2 and V3 as follows:
V2 = IETF vendor ID (which in this case is 2334)
V3 = VSA attribute ID (1)
V1 = In this case 'access=look'
After a couple of attempts I got the format correct but when I try and import the file I don't get an "INFO" message in the "Reports" section of the ACS indicating that the process was successful. I don't get any message at all, WARNING, ERROR or INFO.
From the FTP server I can confirm that the file was transferred.
What I should get is an INFO message similar to:
08/30/2004 16:27:50 INFO Sync complete: 1 transaction(s) 0 parse error(s) 0 process error(s)
Any ideas as to what is wrong would be much appreciated.
Cheers,
Aylmer.
03-29-2005 08:17 PM
Hi, you need to import the RADIUS VSA for Packeteer from their site.
The link to the steps as shown below is (might require you to subscribe and log in)
In any case the same content is copied below:
Also the steps on how to do them are listed here
Create a User Defined Vendor
First, you need to create a User Defined Vendor.
1. Create a text file (packet.ini) and enter the following:
[User Defined Vendor]
Name=Packeteer
IETF Code=2334
VSA 1=Packeteer-AVPair
[Packeteer-AVPair]
Type=STRING
Profile=OUT
2. Name the file packet.ini.
Add the Vendor to the Database
Next, you need to add the above vendor to the database.
1. Go to the command prompt, and change the directory to the Cisco Secure utils directory (typically C:\Program Files\CiscoSecure ACS v3.0\Utils).
2. The instructions below install the vendor into User Defined slot 0. If you have other vendors, you need to change this number to a free slot. To see a list of slots and their assignments, use the csutil -listudv command. For example:
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
UDV 0 - Unassigned
UDV 1 - Unassigned
UDV 2 - Unassigned
UDV 3 - Unassigned
UDV 4 - Unassigned
UDV 5 - Unassigned
UDV 6 - Unassigned
UDV 7 - Unassigned
UDV 8 - Unassigned
UDV 9 - Unassigned
3. Run csutil -addudv to add Packeteer to UDV (User Defined Vendor) slot 0 or the next open slot.
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addudv 0 c:\temp\packet.ini
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
Adding or removing vendors requires ACS services to be re-started.
Please make sure regedit is not running as it can prevent registry
backup/restore operations
Are you sure you want to proceed? (y/n)y
Parsing [c:\temp\packet.ini] for addition at UDV slot [0]
Stopping any running services
Creating backup of current config
Adding Vendor [Packeteer] added as [RADIUS (Packeteer)]
Adding VSA [Packeteer-AVPair]
Done
Checking new configuration...
New configuration OK
Re-starting stopped services
Verify that Packeteer was added.
C:\Program Files\CiscoSecure ACS v3.0\Utils>
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
UDV 0 - RADIUS (Packeteer)
UDV 1 - Unassigned
UDV 2 - Unassigned
UDV 3 - Unassigned
UDV 4 - Unassigned
UDV 5 - Unassigned
UDV 6 - Unassigned
UDV 7 - Unassigned
UDV 8 - Unassigned
UDV 9 - Unassigned
4. Return to ACS Admin and select Network Configuration.
From the main screen select Network Configuration and add the PacketShaper by supplying the AAA client Hostname, IP address, Key. Scroll through the Authenticate Using choices and select RADIUS (Packeteer).
5. From the main screen select User Setup and enter a user name for a Touch or Look access user to the Packet Shaper. Supply the PAP/CHAP password. Leave other fields at defaults and scroll to the bottom of the form. Be sure the Packeteer-AVPair box is selected and supply either "access=touch" or "access=look" in the available entry space.
03-29-2005 08:36 PM
Hi,
Thanks for your response, but I am using the ACS Solution Engine not the Windows version of the ACS.
As a result I don't have access to CSUtil or the ability to create text files on the ACS, I have to use the RDBMS synch function instead.
Cheers.
09-08-2005 04:02 PM
Hi Aylmer,
Did you manage to resolve this issue - I'm experiencing the same problem myself with the ACS engine.
thanks,
11-30-2005 03:10 AM
Hi
Does anyone have a good example of an RDBMS import file?
Better still - a CSUtil style file and an equivalent RDBMS file for the purpose of adding User Defined Vendors?
Thanks
Aaron
12-01-2005 01:33 AM
OK I have to own up to being the person who implemented UDVs in csutil and dbsync.
Here is an example CSV that will add a new vendor (My-Vendor with IETF code 9999), then add 2 new VSAs.
Vsa #1 is a string that can be in access-accept and accounting packets
Vsa #2 is an integer that is for access-accept only and has 2 enums
SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
0,,,,350,My-Vendor,AUTO_ASSIGN_SLOT,9999,,,,,,0
1,,,,352,My-Vsa-1,9999,1,STRING,,,,,0
2,,,,353,,9999,1,MULTI IN OUT,,,,,0
3,,,,352,My-Vsa-2,9999,2,INTEGER,,,,,0
4,,,,353,,9999,2,OUT,,,,,0
5,,,,354,Disabled,9999,2,0,,,,,0
6,,,,354,Enabled,9999,2,1,,,,,0
7,,,,355,,,,,,,,,0
This is equivalent to
[User Defined Vendor]
Name=My-Vendor
IETF Code=9999
VSA 1=my-vsa-1
VSA 2=my-vsa-2
[my-vsa-1]
Type=STRING
Profile=MULTI IN OUT
[my-vsa-2]
Type=INTEGER
Profile=OUT
Enums=my-vsa-2-Types
[my-vsa-2-Types]
0=Disabled
1=Enabled
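An added example, not part of the post above and not Cisco code: a converter from a CSUtil-style vendor .ini to the RDBMS synchronization CSV layout shown in that post. The action codes (350, 352, 353, 354, 355) and column order are taken from the post's CSV; the function names are hypothetical, and `has_final_355` assumes the closing 355 row is the one that applies the new dictionary.

```python
import configparser

# Constructed sample: the CSUtil-style definition quoted in the post above.
SAMPLE_INI = """
[User Defined Vendor]
Name=My-Vendor
IETF Code=9999
VSA 1=my-vsa-1
VSA 2=my-vsa-2
[my-vsa-1]
Type=STRING
Profile=MULTI IN OUT
[my-vsa-2]
Type=INTEGER
Profile=OUT
Enums=my-vsa-2-Types
[my-vsa-2-Types]
0=Disabled
1=Enabled
"""
HEADER = ("SequenceId,Priority,UserName,GroupName,Action,ValueName,"
          "Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status")

def row(seq, action, vn="", v1="", v2="", v3=""):
    # 14 columns as in the post; unused columns stay empty and Status is 0.
    return f"{seq},,,,{action},{vn},{v1},{v2},{v3},,,,,0"

def ini_to_rdbms_csv(ini_text):
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case exactly as written in the .ini
    cp.read_string(ini_text)
    vendor = cp["User Defined Vendor"]
    code = vendor["IETF Code"]
    rows = [row(0, 350, vendor["Name"], "AUTO_ASSIGN_SLOT", code)]  # add vendor
    vsas = sorted((int(k.split()[1]), v) for k, v in vendor.items() if k.startswith("VSA "))
    for vsa_id, name in vsas:
        sec = cp[name]
        rows.append(row(len(rows), 352, name, code, vsa_id, sec["Type"]))   # add VSA
        rows.append(row(len(rows), 353, "", code, vsa_id, sec["Profile"]))  # profile
        if "Enums" in sec:
            for value, label in cp[sec["Enums"]].items():
                rows.append(row(len(rows), 354, label, code, vsa_id, value))  # enum
    rows.append(row(len(rows), 355))  # closing row, as in the post's CSV
    return [HEADER] + rows

def has_final_355(csv_lines):
    # True when the last data row carries action 355 (column 5).
    data = [l.split(",") for l in csv_lines[1:] if l.strip()]
    return bool(data) and data[-1][4] == "355"
```

Running `has_final_355` over an import file before uploading it catches a file that defines a vendor or VSA but omits the closing 355 row.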
12-01-2005 08:42 AM
Hi Aylmer,
I tried this kind of RDBMS action on my ACS 3.3, and I had exactly the same problem, nothing in Reports.
I tried to configure a new dictionary with the .CSV file below and nothing happened.
SI,P,UN,GN,A,VN,V1,V2,V3,DT,MN,CN,AI,S
1,,,,350,Brocade,0,1588,,01122005,,,,
2,,,,352,Brocade-Auth-Role,1588,1,STRING,01122005,,,,
If someone is able to help Aylmer, he could be able to help me too perhaps.
Many thanks,
Yves-Alain
12-02-2005 01:53 AM
Aylmer,
In a previous email, Darran explained the syntax to use. I use it and it's working now. I think our problem was we never applied the line dedicated to the reboot process.
Many thanks to Darran.
Regards,
Yves-Alain