Table Of Contents
Converting an Existing AA Database for CiscoSecure ACS 2.3
Converting an Existing CiscoSecure ACS 1.x Database
Converting an Existing RADIUS ACS Database
Importing DES Encrypted Profiles
Importing a TACACS+ Freeware Database to CiscoSecure
Converting an Existing AA Database for CiscoSecure ACS 2.3
This chapter provides instructions on how to transfer your existing database to the runtime database included in your CiscoSecure Access Control Server (ACS) 2.3 package. It includes the following sections:
• Converting an Existing CiscoSecure ACS 1.x Database
• Converting an Existing RADIUS ACS Database
• Importing DES Encrypted Profiles
• Importing a TACACS+ Freeware Database to CiscoSecure
Cisco provides two conversion utilities:
• The CSimport Utility—Enables you to convert an existing CiscoSecure ACS database created with CiscoSecure 1.x to CiscoSecure ACS 2.3.
• The CSmigrate Utility—Enables you to transfer and convert to CiscoSecure ACS 2.3 format a database created by a RADIUS access control server not using CiscoSecure.
Each utility requires the name and path of the original AA database file in addition to the name of the log file for error messages. Make sure you have this information before you try to run the utility.
Converting an Existing CiscoSecure ACS 1.x Database
By default, the upgrade utility for the Terminal Access Controller Access Control System (TACACS+) commits all data from your CiscoSecure ACS 1.x database to the CiscoSecure ACS 2.3 database. The default path of the AA file is /bin/CiscoSecure/samples. The default name of the AA file is aa.database. The default name of the log file is upgrade.log.
Complete the following steps to upgrade from the TACACS+ supported database of CiscoSecure ACS 1.x to the database of CiscoSecure ACS 2.3, which supports both the TACACS+ and Remote Authentication Dial-In User Service (RADIUS) protocols:
Step 1 Confirm that the AA database file and the upgrade utility reside in the same file system as the database server.
Step 2 To transfer your CiscoSecure 1.x database to CiscoSecure ACS 2.3, use the CSimport command:
CSimport {-c|t} -p path -s aa_filename -l log_filename
where:
-c specifies commit mode: the data is written to the CiscoSecure ACS 2.3 database.
-t specifies test mode: the AA database file is validated and the results are logged, but nothing is written to the database. Run in test mode first and review the log before committing.
-p path is the directory that contains the AA database file (default /bin/CiscoSecure/samples).
-s aa_filename is the name of the AA database file (default aa.database).
-l log_filename is the name of the log file for error messages (default upgrade.log).
For example:
CSimport -c -p /bin/CiscoSecure/samples -s aa.database -l debug.log
moves the 1.x database from /bin/CiscoSecure/samples/aa.database to the CiscoSecure ACS 2.3 database and writes any error messages to debug.log.
Use \\n to specify new lines in profiles to be added using the AddProfile or CSimport utilities.
Converting an Existing RADIUS ACS Database
This section provides instructions on how to convert/import an existing RADIUS ACS database to the TACACS+ and RADIUS database of the CiscoSecure ACS 2.3.
Files the Utility Can Convert
The following are examples of files (users, dictionary, and clients) that the import utility recognizes:
• Sample users file (the first line of an entry holds the user name and check items; the indented lines that follow hold the reply attributes for that user):
steve Password = "testing", Expiration = "Dec 24 1992"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 172.16.3.33
• Sample dictionary file:
#
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE User-Service-Type 6 integer
# Integer Translations
#
# User Types
VALUE User-Service-Type Login-User 1
VALUE User-Service-Type Framed-User 2
VALUE User-Service-Type Dialback-Login-User 3
VALUE User-Service-Type Dialback-Framed-User 4
VALUE User-Service-Type Outbound-User 5
VALUE User-Service-Type Shell-User 6
• Sample clients file (one client name or IP address per line, followed by its shared key):
#
#Client Name Key
CiscoRouter testing123
123.45.67.89 secret
Converting the Database
To convert/import an existing RADIUS ACS database:
Step 1 Identify the location of the users, clients, and (optionally) dictionary files. If these files are not in the default location, /etc/raddb, you must specify their directory explicitly with the -p option.
Step 2 Identify the dictionary name. A new dictionary name must be unique within the database. You can also specify a dictionary name that already exists in the database; the imported users are then added under that dictionary, which is a convenient way to add users to the database.
Step 3 Identify the RADIUS-vendor value to register with this dictionary. Choices are Cisco, IETF, and Ascend. This value identifies a set of extensions typically found in a vendor's RADIUS server implementation.
Step 4 When you first run the import utility, specify test mode as follows:
CSmigrate -t -p path -l log_filename -v radius_vendor -d dictionary_name -g group_name {-u|r|mu|mr}
where:
-t specifies test mode: all validation is performed and the results are logged, but nothing is written to the database.
-p path is the directory that contains the users, clients, and dictionary files (default /etc/raddb).
-l log_filename is the name of the log file for error messages.
-v radius_vendor is the RADIUS vendor to register with this dictionary: Cisco, IETF, or Ascend.
-d dictionary_name is the name of the dictionary to create, or of an existing dictionary to add the users to.
-g group_name is the group under which the imported users are filed.
In test mode, all the validation is performed but the data is not yet written to the database. Review the results in the log file with vi or any text editor, and resolve every reported problem before you commit; the commit run writes whatever passes validation.
Step 5 When you are satisfied with the results of the test mode, rerun the import utility with the same options, this time specifying commit mode:
CSmigrate -c -p path -l log_filename -v radius_vendor -d dictionary_name -g group_name {-u|r|mu|mr}
where:
-c specifies commit mode: the content of the old database is converted and written to the new CiscoSecure ACS 2.3 database. The remaining options are as described in Step 4.
For example:
CSmigrate -c -p /etc/raddb -l import.log -v Cisco -d Cisco100 -g staff -mr
imports the database from an existing RADIUS access control server in /etc/raddb into the CiscoSecure ACS 2.3 database under a dictionary named Cisco100 with the Cisco vendor extensions, files the users in the group staff, and logs errors to import.log.
Importing DES Encrypted Profiles
The migration tool has been enhanced to import DES encrypted passwords. When the migration tool encounters the DESPASSWORD check item in the RADIUS users file, it DES encrypts the password and sets the password type for that user to DES. For example:
msmart DESPASSWORD = "agent86"
        Framed-Protocol = PPP,
        ...
gets converted to and is represented within the CiscoSecure ACS 2.3 database as follows:
user = msmart {
    password = DES "*&^@#*!&%" # encrypted "agent86"
    radius = IETF {
        reply_attributes {
            Framed-Protocol = PPP
        }
    }
}
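The following Python script is an added example and is not Cisco's CSmigrate. It parses a Livingston-style users file and dictionary of the kind shown in the samples above (both are embedded and constructed for this example; Framed-Protocol and Framed-Address are added to the page's sample dictionary), reports the problems a test-mode run would surface (reply attributes missing from the dictionary, integer attributes using a VALUE name the dictionary does not define), and renders each user in the profile layout of the msmart example, marking DESPASSWORD entries as DES. The DES encryption itself is a caller-supplied hook (the lambda used in the demo is a stand-in, not DES); the `clear` and `expiration` profile keywords are assumptions, since the page shows only the DES form; and, unlike the page's illustration, the output never carries the cleartext in a comment.

```python
# Added example, not Cisco's CSmigrate: parse Livingston-style RADIUS "users"
# and "dictionary" files, report what a test-mode (-t) run would flag, and
# emit CiscoSecure ACS 2.3-style profiles, marking DESPASSWORD entries as DES.
import re

# One "Name = Value" item; the value is double-quoted or a bare token.
ITEM_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')

# Constructed sample dictionary: a subset of the page's lines plus the two
# reply attributes the users below rely on (RFC 2138 attribute numbers).
DICTIONARY = """\
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE User-Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-Address 8 ipaddr
VALUE User-Service-Type Framed-User 2
VALUE Framed-Protocol PPP 1
"""

# Constructed sample users file. Entry lines start in column 0 (user name plus
# check items); indented lines carry the reply attributes. "bob" is broken
# on purpose so the validation has something to report.
USERS = """\
steve Password = "testing", Expiration = "Dec 24 1992"
\tUser-Service-Type = Framed-User,
\tFramed-Protocol = PPP,
\tFramed-Address = 172.16.3.33
msmart DESPASSWORD = "agent86"
\tFramed-Protocol = PPP
bob Password = "x"
\tUser-Service-Type = Telnet-User,
\tFramed-Route = "192.168.0.0/24"
"""


def _items(s):
    return [(a, v.strip('"')) for a, v in ITEM_RE.findall(s)]


def parse_dictionary(text):
    """Return ({attr: (number, type)}, {attr: {value_name: number}})."""
    attrs, values = {}, {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()          # drop comments
        if len(parts) >= 4 and parts[0] == "ATTRIBUTE":
            attrs[parts[1]] = (int(parts[2]), parts[3])
        elif len(parts) >= 4 and parts[0] == "VALUE":
            values.setdefault(parts[1], {})[parts[2]] = int(parts[3])
    return attrs, values


def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order."""
    users = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                           # continuation line
            users[-1][2].extend(_items(raw))
        else:                                          # new entry
            name, _, rest = raw.partition(" ")
            users.append((name, _items(rest), []))
    return users


def validate(users, attrs, values):
    """Problems a test-mode run should log before anything is committed."""
    problems = []
    for name, _check, reply in users:
        for attr, val in reply:
            if attr not in attrs:
                problems.append(f"{name}: attribute {attr} not in dictionary")
            elif (attrs[attr][1] == "integer" and not val.isdigit()
                  and val not in values.get(attr, {})):
                problems.append(f"{name}: {attr} has no VALUE named {val}")
    return problems


def to_profile(name, check, reply, vendor, des_encrypt):
    """Render one user in the layout of the msmart example on the page."""
    out = [f"user = {name} {{"]
    for attr, val in check:
        if attr == "DESPASSWORD":
            # Encrypt and mark the type DES; the cleartext is not written out.
            out.append(f'    password = DES "{des_encrypt(val)}"')
        elif attr == "Password":
            out.append(f'    password = clear "{val}"')    # keyword assumed
        elif attr == "Expiration":
            out.append(f'    expiration = "{val}"')        # keyword assumed
        else:
            out.append(f"    # unmapped check item: {attr} = {val}")
    if reply:
        out += [f"    radius = {vendor} {{", "        reply_attributes {"]
        out += [f"            {a} = {v}" for a, v in reply]
        out += ["        }", "    }"]
    out.append("}")
    return "\n".join(out)


def convert(users_text, dict_text, vendor, des_encrypt):
    """Test-mode style pass: return (profiles, problems), no side effects."""
    attrs, values = parse_dictionary(dict_text)
    users = parse_users(users_text)
    profiles = [to_profile(n, c, r, vendor, des_encrypt) for n, c, r in users]
    return profiles, validate(users, attrs, values)


if __name__ == "__main__":
    # The lambda stands in for the real DES step so the demo runs offline.
    profiles, problems = convert(USERS, DICTIONARY, "IETF", lambda p: "<des>")
    print("\n".join(profiles + problems))
```

Run the script as is to see the three rendered profiles followed by the two problems found in bob's entry; in practice, treat a non-empty problem list the way you would treat errors in the CSmigrate -t log and fix the source files before committing. Check items the converter does not recognise are kept as a comment in the profile rather than dropped silently, so nothing that restricted a user in the old database disappears unnoticed.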
It is possible that a user's profile contains many password types. The RADIUS server applies the following rules when it comes to passwords:
1. If the RADIUS subprofile contains a password (the part of the user's profile that starts with radius = ), the AAA server uses that password.
2. If the RADIUS subprofile does not contain a password, it applies the user-level password according to the following table:
Table 15-3 User-Level Password Rules

NAS Sends Attribute            AAA Server Utilizes User's Profile Password
User-Password (2)              OTP, file, PAP
CHAP-Password (3)              CHAP
Ascend-ARA-Password (181)      ARAP
None of the rules in Table 15-3 select the DES password assigned by the migration/import utility, so by default there is no way to make the AAA server authenticate with it. The AAA server has therefore been augmented with a command-line argument, -D, that forces it to apply the DES password when authenticating users. When the -D option is applied, the RADIUS/AAA server authenticates users according to the following table (again, assuming no password in a RADIUS subprofile).
Table 15-4 DES Password Rules

NAS Sends Attribute            AAA Server Utilizes User's Profile Password
User-Password (2)              DES
CHAP-Password (3)              CHAP
Ascend-ARA-Password (181)      ARAP
Note The -D option is not the default. If this behavior is desired for an AAA server, you must manually add the -D argument to the server start-up line in the /etc/rc2.d/S80CiscoSecure script so that it is applied on every restart.
Importing a TACACS+ Freeware Database to CiscoSecure
The conversion utility, cnv, allows you to import a public domain TACACS+ freeware database into a CiscoSecure ACS 2.x for UNIX database. With cnv, you create an intermediate file (the import file) that can then be imported into the CiscoSecure 2.x RDBMS using CSimport.
However, before the import file can be used, it must be broken into two files. The first section of the import file contains the AAA server control file; the second part contains all the user profiles to import. A separator bar in the import file divides these two sections. cnv reads the freeware configuration from standard input and writes the import file to standard output, so the command-line syntax is:
cnv <old_Config >new_Config
where
old_Config is the TACACS+ freeware configuration file.
new_Config is the new configuration file that contains the user profiles and the AAA server configuration information.
Example Import
To create an import file from a TACACS+ freeware configuration file named myoldconfigfile, the system administrator would follow these steps:
Step 1 Enter:
cnv <myoldconfigfile >mynewimportfile
Step 2 Break mynewimportfile at the separator bar into AAA.cnf and newuser.dat. AAA.cnf contains the AAA server configuration information, and newuser.dat contains the user profiles to add to the RDBMS.
Step 3 Run CSimport to import the user profiles (here /dir is the directory that holds newuser.dat):
CSimport -c -p /dir -s newuser.dat
Step 4 Update CSU.cfg with the appropriate AAA server information contained in AAA.cnf.
Posted: Wed Feb 16 09:51:15 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.