Re: Import Steel Belted Radius users to ACS

raarons · ‎01-22-2014

Is there a method to import SBR (local) users into ACS? Perhaps via some intermediate tool? The SBR exports will contain one-way-hashed passwords, so the question is really whether there is any method to import ACS users with these?

Tarik Admani · ‎01-23-2014

If you can export a list of the user accounts you can take the user names and download the import template (CSV) from the ACS user configuration.

What you can do next is build a one-time password so that users will have to enter and set the flag in the import template for the password to expire during the next login.

You can then use the UCP scripts on a web server so that users can change their password, this is the best solution I can suggest.

Also are you username formats the same in Active Directory? You can import the usernames and set the password to use AD or LDAP for password authentication (will need to double-check your version of ACS).

Thanks,

Tarik Admani
*Please rate helpful posts*

raarons · ‎01-24-2014

Hi Tarik

That's very helpful, but one problem is that the authenticating devices are specialised hardware on which the users cannot change their passwords - it has to be done by local administration staff who have the necessary tools. So the question is whether there is any mechanism to use an exported file from Steel Belted Radius, including hashed passwords, which can be imported into ACS?

The passwords are stored directly in the SBR server. I've just had a look at what it's capable of exporting, and it seems I can get the data out in XML format, which I can then manipulate, of course. However, the issue is that the passwords are not exported in plain text. If the password is stored as a hash on the SBR server, you get an MD5 hash in the XML file. If it is stored in "plain text" in the SBR server then the XML export shows the password in encrypted form.