Adding RADIUS VSAs on ACS 3.2 SE

aylmer
Level 1

I have tried to add a VSA to enable a Packeteer to authenticate using RADIUS on the ACS.

Using RDBMS synchronization to import the csv file below.

SequenceId,Priority,GroupName,Action,ValueName ,Value1,Value2,Value3

1,1,External,163,26,access=look,2334,1

The group name is 'External', Action is 163 which corresponds to ADD_RADIUS_ATTR.

From RDBMS Synchronization Import Definitions (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/ag.htm#wp35130)

To add a vendor-specific attribute (VSA), set VN = "26" and use V2 and V3 as follows:

•V2 = IETF vendor ID (which in this case is 2334)

•V3 = VSA attribute ID (1)

•V1 = In this case 'access=look'

After a couple of attempts I got the format correct but when I try and import the file I don't get an "INFO" message in the "Reports" section of the ACS indicating that the process was successful. I don't get any message at all, WARNING, ERROR or INFO.

From the FTP server I can confirm that the file was transferred.

What I should get is an INFO message similar to:

08/30/2004 16:27:50 INFO Sync complete: 1 transaction(s) 0 parse error(s) 0 process error(s)

Any ideas as to what is wrong would be much appreciated.

Cheers,

Aylmer.

7 Replies

dbshah2000
Level 1

Hi, you need to import the RADIUS VSA for Packeteer from their site.

The link to the steps shown below is (it might require you to subscribe and log in):

https://packeteer.custhelp.com/cgi-bin/packeteer.cfg/php/enduser/std_adp.php?p_faqid=399&p_created=1046793530&p_sid=gszcDFBh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PWRmbHQmcF9ncmlkc29ydD0mcF9yb3dfY250PTImcF9wcm9kcz0wJnBfY2F0cz0wJnBfcHY9JnBfY3Y9JnBfc2Vhc...

In any case, the same content is copied below:

Also, the steps on how to do them are listed here.

Create a User Defined Vendor

First, you need to create a User Defined Vendor.

1. Create a text file (packet.ini) and enter the following:

[User Defined Vendor]

Name=Packeteer

IETF Code=2334

VSA 1=Packeteer-AVPair

[Packeteer-AVPair]

Type=STRING

Profile=OUT

2. Name the file packet.ini.

Add the Vendor to the Database

Next, you need to add the above vendor to the database.

1. Go to the command prompt, and change the directory to the Cisco Secure utils directory (typically C:\Program Files\CiscoSecure ACS v3.0\Utils).

2. The instructions below install the vendor into User Defined slot 0. If you have other vendors, you need to change this number to a free slot. To see a list of slots and their assignments, use the csutil -listudv command. For example:

C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv

CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc

UDV 0 - Unassigned

UDV 1 - Unassigned

UDV 2 - Unassigned

UDV 3 - Unassigned

UDV 4 - Unassigned

UDV 5 - Unassigned

UDV 6 - Unassigned

UDV 7 - Unassigned

UDV 8 - Unassigned

UDV 9 - Unassigned

3. Run csutil -addudv to add Packeteer to UDV (User Defined Vendor) slot 0 or the next open slot.

C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addudv 0 c:\temp\packet.ini

CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc

Adding or removing vendors requires ACS services to be re-started.

Please make sure regedit is not running as it can prevent registry

backup/restore operations

Are you sure you want to proceed? (y/n)y

Parsing [c:\temp\packet.ini] for addition at UDV slot [0]

Stopping any running services

Creating backup of current config

Adding Vendor [Packeteer] added as [RADIUS (Packeteer)]

Adding VSA [Packeteer-AVPair]

Done

Checking new configuration...

New configuration OK

Re-starting stopped services

Verify that Packeteer was added.

C:\Program Files\CiscoSecure ACS v3.0\Utils>

C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv

CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc

UDV 0 - RADIUS (Packeteer)

UDV 1 - Unassigned

UDV 2 - Unassigned

UDV 3 - Unassigned

UDV 4 - Unassigned

UDV 5 - Unassigned

UDV 6 - Unassigned

UDV 7 - Unassigned

UDV 8 - Unassigned

UDV 9 - Unassigned

4. Return to ACS Admin and select Network Configuration.

From the main screen select Network Configuration and add the PacketShaper by supplying the AAA client Hostname, IP address, and Key. Scroll through the Authenticate Using choices and select RADIUS (Packeteer).

5. From the main screen select User Setup and enter a user name for a Touch or Look access user to the Packet Shaper. Supply the PAP/CHAP password. Leave other fields at defaults and scroll to the bottom of the form. Be sure the Packeteer-AVPair box is selected and supply either "access=touch" or "access=look" in the available entry space.

Hi,

Thanks for your response, but I am using the ACS Solution Engine not the Windows version of the ACS.

As a result I don't have access to CSUtil or the ability to create text files on the ACS, I have to use the RDBMS synch function instead.

Cheers.

Hi Aylmer,

Did you manage to resolve this issue - I'm experiencing the same problem myself with the ACS engine.

thanks,

Hi

Does anyone have a good example of an RDBMS import file?

Better still - a CSUtil style file and an equivalent RDBMS file for the purpose of adding User Defined Vendors?

Thanks

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

OK I have to own up to being the person who implemented UDVs in csutil and dbsync.

Here is an example CSV that will add a new vendor (My-Vendor with IETF code 9999), then add 2 new VSAs.

Vsa #1 is a string that can be in access-accept and accounting packets

Vsa #2 is an integer that is for access-accept only and has 2 enums

SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status

0,,,,350,My-Vendor,AUTO_ASSIGN_SLOT,9999,,,,,,0

1,,,,352,My-Vsa-1,9999,1,STRING,,,,,0

2,,,,353,,9999,1,MULTI IN OUT,,,,,0

3,,,,352,My-Vsa-2,9999,2,INTEGER,,,,,0

4,,,,353,,9999,2,OUT,,,,,0

5,,,,354,Disabled,9999,2,0,,,,,0

6,,,,354,Enabled,9999,2,1,,,,,0

7,,,,355,,,,,,,,,0

This is equivalent to

[User Defined Vendor]

Name=My-Vendor

IETF Code=9999

VSA 1=my-vsa-1

VSA 2=my-vsa-2

[my-vsa-1]

Type=STRING

Profile=MULTI IN OUT

[my-vsa-2]

Type=INTEGER

Profile=OUT

Enums=my-vsa-2-Types

[my-vsa-2-Types]

0=Disabled

1=Enabled
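An added example, not part of the original thread and not Cisco's code: a Python converter from a CSUtil-style vendor .ini to the equivalent RDBMS synchronization CSV, using only the column layout and action codes 350, 352, 353, 354 and 355 shown in the post above. The function name `udv_ini_to_csv`, the constant names, and the reading of each action code (inferred from that post's rows) are assumptions.

```python
import configparser
import csv
import io

# Column layout and action codes as they appear in the CSV posted above; the
# constant names are descriptive labels inferred from its rows (assumption).
HEADER = ("SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,"
          "Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status").split(",")
ADD_VENDOR, ADD_VSA, SET_PROFILE, ADD_ENUM, RESTART = 350, 352, 353, 354, 355
# Sample input: the CSUtil-style definition from the same post.
SAMPLE_INI = """\
[User Defined Vendor]
Name=My-Vendor
IETF Code=9999
VSA 1=my-vsa-1
VSA 2=my-vsa-2
[my-vsa-1]
Type=STRING
Profile=MULTI IN OUT
[my-vsa-2]
Type=INTEGER
Profile=OUT
Enums=my-vsa-2-Types
[my-vsa-2-Types]
0=Disabled
1=Enabled
"""

def udv_ini_to_csv(ini_text, slot="AUTO_ASSIGN_SLOT"):
    """Return RDBMS-sync CSV text for one CSUtil-style vendor definition."""
    cp = configparser.ConfigParser(interpolation=None)  # option keys are lower-cased
    cp.read_string(ini_text)
    vendor = cp["User Defined Vendor"]
    code = vendor["ietf code"]
    rows = [(ADD_VENDOR, vendor["name"], slot, code, "")]
    vsas = sorted((int(k.split()[1]), v) for k, v in vendor.items() if k.startswith("vsa "))
    for vsa_id, name in vsas:
        if name not in cp:
            raise ValueError(f"VSA {vsa_id} refers to missing section [{name}]")
        rows.append((ADD_VSA, name, code, vsa_id, cp[name]["type"]))
        rows.append((SET_PROFILE, "", code, vsa_id, cp[name]["profile"]))
        enums = cp[name].get("enums")
        for value, label in (cp[enums].items() if enums else ()):
            rows.append((ADD_ENUM, label, code, vsa_id, value))
    rows.append((RESTART, "", "", "", ""))  # the closing 355 row from the post
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows([HEADER] + [
        [seq, "", "", "", *row, "", "", "", "", 0] for seq, row in enumerate(rows)])
    return out.getvalue()
```

The output keeps the VSA names exactly as spelled in the .ini section headers, so it differs from the posted CSV only in the capitalisation of `my-vsa-1` and `my-vsa-2`.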

yabilteryst
Level 1

Hi Aylmer,

I tried this kind of RDBMS action on my ACS 3.3, and I had exactly the same problem: nothing in Reports.

I tried to configure a new dictionary with the .CSV file below and nothing happened.

SI,P,UN,GN,A,VN,V1,V2,V3,DT,MN,CN,AI,S

1,,,,350,Brocade,0,1588,,01122005,,,,

2,,,,352,Brocade-Auth-Role,1588,1,STRING,01122005,,,,

If someone is able to help Aylmer, he could perhaps be able to help me too.

Many thanks,

Yves-Alain

Aylmer,

In a previous email, Darran explained the syntax to use. I used it and it's working now. I think our problem was that we never applied the line dedicated to the reboot process.

Many thanks to Darran.

Regards,

Yves-Alain