|
Table Of Contents
Configuring CiscoSecure UNIX Server Software
Order of Values in the NAS Configuration Records
Configuring CiscoSecure UNIX Server Software
This chapter describes how to configure and use the CiscoSecure UNIX Server software. It contains the following sections:
•Server Control File
•Message Catalogs
To configure and use CiscoSecure UNIX Server software, you need the following files:
•Server control file—Defines global parameters and identifies the name of the Authentication and Authorization (AA) database file.
•Message catalog—Contains all messages that should be returned to the user during transactions with the network access server and the CiscoSecure server, allowing support for multiple languages (including French, German, and English) without changing the CiscoSecure server.
•AA (Authentication and Authorization) database file—Contains user-specific information for authentication and authorization, such as each user's password
•Accounting database—Contains information that enables you to track start and stop times for users, as well as the name of the network access server, and other information
•Password log file—Stores changes to user passwords
Server Control File
The server control file is the main file required for setting up CiscoSecure UNIX Server software. This file includes basic configuration parameters for each network access server that is to be serviced, and specifies the following information:
•License key(s) that enable CiscoSecure UNIX Server software
•Filename(s) of the AA database
•Filename to use for recording accounting information
•Default logging levels to be used while the CiscoSecure server is running
•How often to write accounting records to the accounting file
•Network access server-specific configuration parameters
The Network Access Server-specific parameters are as follows:
•Name of the network access server to which the parameters are to be applied
•Encryption key shared between the CiscoSecure server and the selected network access server.
•The message catalog filename for the specified network access server
•Maximum time (in seconds) after sending a response to wait for a client to continue a transaction
•Maximum number of attempts to get username and password before the operation is cancelled.
•Maximum period of inactivity (in seconds) before an open accounting session is timed out and closed
•Duration of the warning period for expiring passwords and services
•List of network access servers that are authorized to use SENDPASS as an authentication method
The syntax of the server control file is similar to that of C language syntax. Each statement or grouping is terminated by a semicolon. Comments begin with the characters "/*" and end with the characters "*/". Lines may be continued on a successive line by ending them with a back-slash (\). A sample server control file follows:
/*
* CiscoSecure UNIX Server example control file
*/
/* The license for this server. Multiple license keys may
* be specified, each separated by a comma.
*/
LIST config_license_key = {"061db8afcf66db981f3c", \ "7f4f9db4d7ce8ed85b69" }; /* */
/* The pathname of the Configuration Database */
LIST config_aa_database_filename = {"./configuration.database"};
/*
* The pathname of the accounting log file - if this
* variable is not specified then accounting information is not recorded.
*/
STRING config_accounting_database_filename = "/tmp/acct";
/* Default logging configuration - basic information is logged */
NUMBER config_logging_configuration = 0x7e;
/*
* The maximum number of seconds to hold accounting information before
* writing it to the accounting file (if specified).
*/
NUMBER config_accounting_write_frequency = 5;
/*
* Per-NAS configuration records. The default encryption key is "arachnid"
* for all NAS except 'boggle', which is using "heliotrope".
*/
NAS config_nas_config = {
{
"", /* NAS name */
"arachnid", /* secret key */
"cat_1", /* message_catalogue_filename */
1, /* Authentication: username retries */
3, /* Authentication: password retries */
1, /* is default NAS configuration */
1, /* trusted NAS for SENDPASS */
30 /* Password expiry period in days */
},
{
"boggle", /* NAS name */
"heliotrope", /* secret key */
"", /* message_catalogue_filename */
2, /* Authentication: username retries */
2, /* Authentication: password retries */
0, /* is not the default NAS configuration */
0, /* not a trusted NAS for SENDPASS */
10 /* Password expiry period in days */
}
};
The variables shown in Table C-1 are valid in CiscoSecure UNIX Server software control files:
Table C-1 Variables in Software Control Files
Type Name Default Description ExampleList
config_aa_
database_filenameNone
A list of the names of the AA databases to load.
LIST config_aa_database_filename = { "./db.1", "./db.2" };
List
config_license_key
None
A list of the license keys used to enable the product.
LIST config_license_key = {"061db8afcf66db981f3c",\ "7f4f9db4d7ce8ed85b69" };
String
config_accounting_
database_filenameNone
The name of the accounting database.
STRING config_accounting_database_ filename = "./accounting";
String
config_update_
log_filenameNone
The name of the file that keeps the results of password changes, etc.
STRING config_update_log_filename = "./updates";
Number
config_accounting_
write_frequency10 (seconds)
How often to slave the accounting data to disk, in seconds.
NUMBER config_accounting_write_ frequency = 20;
Number
config_delay_on_
blocking100000 (0.1 (seconds)
How long to let the connection 'sleep' when EWOULDBLOCK is returned, in usec.
NUMBER config_delay_on_blocking = 200000;
Number
config_expiry_
period30 (days)
How long, in days, before a (new) password changed via CHPASS expires.
NUMBER config_expiry_period = 30;
Number
config_warning_
period10 (days)
The period, in days, before a password expires during which the user is warned that her password will expire soon.
NUMBER config_warning_period = 10;
Number
config_get_names_
from_dns1 (true)
Decide if server should perform IP address to hostname lookups.
NUMBER config_get_names_from_dns = 0;
Number
config_limit_for_
idle_connection300 (seconds)
Maximal time to hold an idle NAS connection open, in seconds.
NUMBER config_limit_for_idle_ connection = 300;
Number
config_nodelay_
for_tcp1 (on)
Decide whether to TCP_NODELAY on TCP sockets, and thus turn off the Nagel algorithm. Should be left ON for performance reasons.
NUMBER config_nodelay_for_tcp =1;
Number
config_priv_level_
for_own_CHPASS1
Privilege level at which a user may change his/her own password.
NUMBER config_priv_level_for_own_ CHPASS = 1;
Number
config_receive_
buffer_size16384 (16KB)
Buffer size to allocate for receive for each TCP connection.
NUMBER config_receive_buffer_size = 8192;
Number
config_send_
buffer_size16384 (16KB)
Buffer size to allocate for send for each TCP connection.
NUMBER config_send_buffer_size = 8192;
Number
config_system_
logging_level0x80 (LOG_
LOCAL0)Syslog facility under which to log.
NUMBER config_system_logging_level 0x80;
Number
config_system_
priority_level-4
System priority ('nice' value) to assign the ciscoSecure daemon.
NUMBER config_system_priority_level = -4;
Number
config_use_
keepalives1 (on)
Decide if SO_KEEPALIVE on TCP sockets should be set, and thus be informed (more) quit the event of a network or NAS failure.
NUMBER config_use_keepalives = 1;
Number
config_logging_
configuration0x7E
Configure logging parameters.The default (0x7E) turns on all the standard logging levels. Additional details and protocol debugging info can be obtained by the logical OR of the values as described in the Table C-2.
NUMBER config_logging_configuration = 0x7E
The logging levels are listed in Table C-2.
Authentication information is listed in Table C-3.
Authorization information is listed in Table C-4.
Accounting information is listed in Table C-5.
Protocol logging information is listed in Table C-6.
Order of Values in the NAS Configuration Records
Each value in a NAS Configuration record should be listed in the following order:
1. Network access server name
2. Encryption key
3. Message catalog filename
4. Number of username retries allowed
5. Number of password retries allowed
6. Value of nonzero if this record is the default network access server description
7. A value which is nonzero if the network access server is trusted to send replies to SENDPASS
8. Number of days during which users are warned of a pending password expiration
An example Configuration file follows:
Example:
NAS config_nas_config = {
{
"", /* any NAS name */
"zeotrope", /* secret encryption key */
"./cat_1", /* message_catalogue_filename */
1, /* username retries */
3, /* password retries */
1, /* this record is the default for any NAS not specifically listed */
1, /* trusted NAS for SENDPASS */
5 /* password expiration period, in days */
}
};
Message Catalogs
A catalog of messages forms part of the configurable data of the CiscoSecure server. A message catalog contains all messages that should be returned to users during transactions with the network access server and the CiscoSecure UNIX Server software, allowing multiple languages (such as French, German, and English) to be supported by the CiscoSecure UNIX Server software without having to change any major configuration in the CiscoSecure server.
CiscoSecure UNIX Server sends these messages to the network access server in the native language of the users. CiscoSecure UNIX Server software does this by referencing all user messages with a message ID. These message IDs identify a particular message that should be sent to the network access server for display to the user. CiscoSecure UNIX Server software does not use the actual message stored in the message catalog, thus providing language independence. By configuring different message catalogs, the software can support multiple network access servers, each with different user communities based on language. A message catalog is associated with a particular network access server by configuration statements in the server control file. Each network access server can have a different message catalog assigned to it if necessary.
Messages in the message catalog are returned to the network access server in response to specific transactions between users and the servers.
Message Catalog Format
The format of the message catalog is message_number message_string
For example:
3 "Hello\040there"
2 "ok, what's your password\012"
The formatting and display of messages is determined by the network access server. By convention, however, the Return-Linefeed sequence in the message catalog is represented by a newline (\n) character. You enter special characters using escaped octal notation in which the first character is a backslash (\) and is followed by three octal digits representing the ASCII value of the character. For example, a Return is represented by the value \010 and a Linefeed is represented by the value \012. Extended character sets may contain null values, which are acceptable because each message is stored with an associated length field and is not null terminated.
See the section " Message Catalogs" in the appendix " CiscoSecure ACS File Formats and Syntax" for a full list of messages and their message IDs.
Posted: Wed Feb 16 09:59:51 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.