
Table Of Contents

Converting an Existing AA Database for CiscoSecure ACS 2.3

Converting an Existing CiscoSecure ACS 1.x Database

Converting an Existing RADIUS ACS Database

Files the Utility Can Convert

Importing DES Encrypted Profiles

Importing a TACACS+ Freeware Database to CiscoSecure

Example Import


Converting an Existing AA Database for CiscoSecure ACS 2.3


This chapter provides instructions on how to transfer your existing database to the runtime database included in your CiscoSecure Access Control Server (ACS) 2.3 package. It includes the following sections:

Converting an Existing CiscoSecure ACS 1.x Database

Converting an Existing RADIUS ACS Database

Importing DES Encrypted Profiles

Importing a TACACS+ Freeware Database to CiscoSecure

Cisco provides two conversion utilities:

The CSimport Utility—Enables you to convert an existing CiscoSecure ACS database created with CiscoSecure 1.x to CiscoSecure ACS 2.3.

The CSmigrate Utility—Enables you to transfer and convert to CiscoSecure ACS 2.3 format a database created by a RADIUS access control server not using CiscoSecure.

Each utility requires the name and path of the original AA database file in addition to the name of the log file for error messages. Make sure you have this information before you try to run the utility.

Converting an Existing CiscoSecure ACS 1.x Database

By default, the upgrade utility for the Terminal Access Controller Access Control System (TACACS+) commits all data from your CiscoSecure ACS 1.x database to the CiscoSecure ACS 2.3 database. The default path of the AA file is /bin/CiscoSecure/samples. The default name of the AA file is aa.database. The default name of the log file is upgrade.log.

Complete the following steps to upgrade from the TACACS+ supported database of CiscoSecure ACS 1.x to the database of CiscoSecure ACS 2.3, which supports both the TACACS+ and Remote Authentication Dial-In User Service (RADIUS) protocols:


Step 1 Confirm that the AA database file and the upgrade utility reside in the same file system as the database server.

Step 2 To transfer your CiscoSecure 1.x database to CiscoSecure ACS 2.3, use the CSimport command:

CSimport {-c|-t} -p path -s aa_filename -l log_filename

where:

Table 15-1 CSImport Command Switches

-c

Commit mode. Sends the content of the old database to the CiscoSecure ACS 2.3 database.

-t

Test mode. Verifies that the old database contains the correct format of each user profile and that no duplicate users exist.

-p path

Path of the old AA database where the default is /bin/CiscoSecure/samples.

-s aa_filename

Name of the AA database where the default is aa.database.

-l log_filename

Name of the log file where the default is upgrade.log.


For example:

CSimport -c -p /bin/CiscoSecure/samples -s aa.database -l debug.log

moves the 1.x database from /bin/CiscoSecure/samples/aa.database to the CiscoSecure ACS 2.3 database.


Use \\n to specify new lines in profiles to be added using the AddProfile or CSimport utilities.

Converting an Existing RADIUS ACS Database

This section provides instructions on how to convert/import an existing RADIUS ACS database to the TACACS+ and RADIUS database of the CiscoSecure ACS 2.3.

Files the Utility Can Convert

The following are examples of files (users, dictionary, and clients) that the import utility recognizes:

Sample users file:

steve Password = "testing", Expiration = "Dec 24 1992"
  User-Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-Address = 172.16.3.33
  

Sample dictionary file:

#
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE User-Service-Type 6 integer

# Integer Translations
#

# User Types

VALUE User-Service-Type Login-User 1
VALUE User-Service-Type Framed-User 2
VALUE User-Service-Type Dialback-Login-User 3
VALUE User-Service-Type Dialback-Framed-User 4
VALUE User-Service-Type Outbound-User 5
VALUE User-Service-Type Shell-User 6

Sample clients file:

#
#Client Name     Key
CiscoRouter      testing123
123.45.67.89     secret
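As an added example (not part of the original Cisco documentation and not code from the CSmigrate utility), the following Python script parses users and dictionary files in the layouts shown above and runs checks comparable to what test mode reports: duplicate user names and VALUE names the dictionary does not define. The sample files are constructed, and the preflight function and its result shape are this example's own assumptions.

```python
from collections import Counter

# Constructed sample input in the users-file layout shown above (not real data);
# "anna" uses a value name that the dictionary fragment below does not define.
USERS_FILE = '''\
steve Password = "testing", Expiration = "Dec 24 1992"
  User-Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-Address = 172.16.3.33
anna Password = "secret2"
  User-Service-Type = Admin-User
'''

# Constructed dictionary fragment in the VALUE-line format of the sample above.
DICTIONARY_FILE = '''\
VALUE User-Service-Type Login-User 1
VALUE User-Service-Type Framed-User 2
VALUE User-Service-Type Shell-User 6
'''

def _pairs(s):
    """'A = "x", B = y' -> [('A', 'x'), ('B', 'y')]; a trailing comma is tolerated."""
    out = []
    for item in filter(None, (i.strip() for i in s.split(','))):
        key, _, val = item.partition('=')
        out.append((key.strip(), val.strip().strip('"')))
    return out

def parse_users(text):
    """Return [(name, check_items, reply_items)]; an unindented line starts a user."""
    users = []
    for line in filter(str.strip, text.splitlines()):
        if line[0] not in ' \t':
            name, _, rest = line.partition(' ')
            users.append((name, _pairs(rest), []))
        else:
            users[-1][2].extend(_pairs(line))
    return users

def preflight(users_text, dict_text):
    """Checks comparable to test mode: duplicate names and undefined value names."""
    # VALUE lines map (attribute, value-name) -> integer; such attributes are integer-typed.
    values = {(p[1], p[2]): int(p[3]) for p in map(str.split, dict_text.splitlines())
              if p and p[0] == 'VALUE'}
    int_attrs = {attr for attr, _ in values}
    users = parse_users(users_text)
    dups = sorted(n for n, c in Counter(u[0] for u in users).items() if c > 1)
    bad = [(n, a, v) for n, _, reply in users for a, v in reply
           if a in int_attrs and (a, v) not in values]
    return users, dups, bad
```

Running preflight over the real users and dictionary files before CSmigrate -t points at the exact records the migration log will complain about.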

Converting the Database

To convert/import an existing RADIUS ACS database:


Step 1 Identify the location of the users, clients, and (optionally) dictionary files. If the location of these files is not the default, /etc/raddb, you will need to explicitly define it.

Step 2 Identify the dictionary name. A new dictionary name must be unique within the database; specifying a dictionary name that already exists in the database is a convenient way to add users under that dictionary.

Step 3 Identify the RADIUS-vendor value to register with this dictionary. Choices are Cisco, IETF, and Ascend. This value identifies a set of extensions typically found in a vendor's RADIUS server implementation.

Step 4 When you first run the import utility, specify test mode as follows:

CSmigrate -t -p path -l log_filename -v radius_vendor -d dictionary_name -g group_name {-u|-r|-mu|-mr}

where:

Table 15-2 CSMigrate Command Switches

-t

Test mode. Verifies that the old database contains the correct format of each user profile and that no duplicate users exist.

-p path

Path of the source files. The default directory is /etc/raddb. For example:

-p /usr/local/bin

-l log_filename

Name of the log file found in the source path. The default name is import.log. For example:

-l migrate.log

-v radius_vendor

Name of the RADIUS vendor. Valid options are Ascend, IETF, and Cisco. The default vendor name is IETF. For example:

-v Cisco

-d dictionary_name

Name of the RADIUS dictionary. The database contains three dictionaries: IETF, Ascend, and Cisco. The default dictionary name is IETF. For example:

-d Cisco100

-g group_name

Name of the group to which the specified user belongs. For example:

-g staff

The import tool will create the specified group if it does not already exist in the CiscoSecure ACS 2.3 database. If you do not enter -g, the records of the users that you are importing will not belong to any group.

-u

Unchanged: if a profile already exists for the user, the new profile is not imported.

-r

Replace: if a profile already exists for the user, the old profile is replaced with the new one.

-mu

Merge and unchanged: if a profile already exists for the user, the new profile is appended to the end of the existing profile, provided the existing profile does not already contain a RADIUS profile with the same dictionary name.

-mr

Merge and replace: if a profile already exists for the user, the new profile is appended to the end of the existing profile; if the existing profile contains a RADIUS profile with the same dictionary name as the new profile, that RADIUS profile is replaced with the new RADIUS profile.


In test mode, all the validation is performed but the data is not yet written to the database. Review the results found in the log file. You can use vi or any text editor to view the log file.

Step 5 When you are satisfied with the results of the test mode, rerun the import utility, this time specifying commit mode:

CSmigrate -c -p path -l log_filename -v radius_vendor -d dictionary_name -g group_name {-u|-r|-mu|-mr}

where:

-c specifies commit mode. Sends the content of the old database to the new CiscoSecure ACS 2.3 database.

For example:

CSmigrate -c -p /etc/raddb -l import.log -v Cisco -d Cisco100 -g staff -mr

imports the database from an existing RADIUS access control server to the CiscoSecure ACS 2.3 database.


Importing DES Encrypted Profiles

The migration tool has been enhanced to import DES encrypted passwords. When the migration tool encounters this password type in the RADIUS users file, it DES encrypts the password and sets the password type for that user to DES. For example:


msmart DESPASSWORD = "agent86"
  Framed-Protocol = PPP,
  ...

gets converted to and is represented within the CiscoSecure ACS 2.3 database as follows:


user = msmart {
    password = DES "*&^@#*!&%" # encrypted "agent86"
    radius = IETF {
        reply_attributes {
            Framed-Protocol = PPP
        }
    }
}

A user's profile can contain several password types. The RADIUS server applies the following rules when choosing a password:

1. If the RADIUS subprofile contains a password (the part of the user's profile that starts with radius = ), the AAA server uses that password.

2. If the RADIUS subprofile does not contain a password, it applies the user-level password according to the following table:

Table 15-3 User-Level Password Rules

NAS Sends Attribute           AAA Server Utilizes User's Profile Password
User-Password (2)             OTP, file, PAP
CHAP-Password (3)             CHAP
Ascend-ARA-Password (181)     ARAP


There is no way to force the AAA server to apply the DES password assigned by the migration/import utility. As a result, the AAA server has been augmented with a command-line argument, -D, that forces the server to apply the DES password to authenticate users. When the -D option is applied, the RADIUS/AAA server authenticates users according to the following table (again, assuming no password in a RADIUS subprofile).

Table 15-4 DES Password Rules

NAS Sends Attribute           AAA Server Utilizes User's Profile Password
User-Password (2)             DES
CHAP-Password (3)             CHAP
Ascend-ARA-Password (181)     ARAP



Note: The -D option is not the default. To enable this behavior on an AAA server, you must manually edit the /etc/rc2.d/S80CiscoSecure script.
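As an added example (not code from Cisco or from the migration tool), this Python snippet parses profiles in the layout shown above, keeping the literal # inside the DES secret, and applies the rules of Tables 15-3 and 15-4 to show which stored password the server consults with and without -D. The profile text and the user beth are constructed, and the snippet assumes that a password line inside the radius block represents a RADIUS-subprofile password.

```python
import re

# Constructed profiles with made-up secrets; assumption: a "password =" line inside the radius block is a RADIUS-subprofile password.
PROFILES_TEXT = '''\
user = msmart {
    password = DES "*&^@#*!&%"   # encrypted "agent86"
    radius = IETF {
        reply_attributes {
            Framed-Protocol = PPP
        }
    }
}
user = beth {
    password = PAP "beth-pw"
    radius = Cisco100 {
        password = "radius-pw"
    }
}
'''

# A '#' starts a comment only if an even number of quotes follows it (it is outside a string); the DES secret above holds a literal '#'.
_COMMENT = re.compile(r'#(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_profiles(text):
    """Return {user: {'password': (type, secret) or None, 'radius_password': bool}}."""
    users, stack, cur = {}, [], None
    for raw in text.splitlines():
        line = _COMMENT.split(raw, 1)[0].strip()
        if line.endswith('{'):                        # "key = name {" opens a block
            key, _, name = (s.strip() for s in line[:-1].partition('='))
            if key == 'user':
                cur = users.setdefault(name, {'password': None, 'radius_password': False})
            stack.append(key)
        elif line == '}':
            stack.pop()
        elif line.startswith('password'):
            if 'radius' in stack:                     # rule 1 applies to this user
                cur['radius_password'] = True
            else:
                cur['password'] = re.match(r'password\s*=\s*(\w+)\s+"(.*)"', line).groups()
    return users

# Table 15-3 (default) and Table 15-4 (-D): NAS attribute number -> user-level types used.
DEFAULT_RULES = {2: {'OTP', 'file', 'PAP'}, 3: {'CHAP'}, 181: {'ARAP'}}
DES_RULES = {**DEFAULT_RULES, 2: {'DES'}}
def password_used(profile, nas_attr, des_flag=False):
    """Stored password the server consults, or None when the user cannot authenticate."""
    if profile['radius_password']:
        return 'radius-subprofile'
    ptype = (profile['password'] or (None,))[0]
    return ptype if ptype in (DES_RULES if des_flag else DEFAULT_RULES).get(nas_attr, ()) else None
```

For msmart the function returns None for User-Password (2) unless des_flag is set, which is exactly the post-migration failure the -D option exists to fix.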


Importing a TACACS+ Freeware Database to CiscoSecure

The conversion utility, cnv, allows you to import a public domain TACACS+ freeware database into a CiscoSecure ACS 2.x for UNIX database. With cnv, the user can create an intermediate file (import file) that can then be imported into the CiscoSecure 2.x RDBMS using CSimport.

However, before the import file can be used, it must be broken into two files. The first section of the import file contains the AAA server control file; the second part contains all the user profiles to import. The import file contains a separator bar, which separates these two sections. Command-line syntax for cnv is as follows:

cnv <old_Config >new_Config

where

old_Config is the TACACS+ freeware configuration file.

new_Config is the new configuration file that contains the user profiles and AAA server configuration information.

Example Import

To create an import file from a TACACS+ freeware configuration file named "myoldconfigfile," the system administrator would follow these steps:


Step 1 Enter:

cnv <myoldconfigfile >mynewimportfile

Step 2 Break mynewimportfile into AAA.cnf and newuser.dat. AAA.cnf contains the AAA server configuration information, and newuser.dat contains the user profiles to add to the RDBMS.

Step 3 Run CSimport to import the user profiles:

CSimport -c -p /dir -s newuser.dat

Step 4 Update CSU.cfg with the appropriate AAA server information contained in AAA.cnf.




Posted: Wed Feb 16 09:51:15 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.