
Table Of Contents

CiscoSecure ACS File Formats and Syntax

Server Control File

Message Catalogs

Using Message Catalogs to Support Multiple Languages

Assigning a Message Catalog to a TACACS+-Enabled NAS

Message Catalog Format


CiscoSecure ACS File Formats and Syntax


This appendix describes configuration parameters and syntax for the CiscoSecure Access Control Server (ACS) control file and the message catalogs. It includes the following sections:

Server Control File

Message Catalogs

Server Control File

The server control file (CSU.cfg) is the main file required to set up the CiscoSecure ACS software and is located in the /$BASEDIR/config directory. This file includes basic configuration parameters for each network access server (NAS) to be serviced and specifies the following information:

License key(s) that enable CiscoSecure ACS software

NAS-specific configuration parameters

Name of the NAS to which the parameters are to be applied

Encryption key shared between the CiscoSecure ACS and the selected NAS

Message catalog filename for the specified NAS

Maximum time (in seconds) after sending a response to wait for a client to continue a transaction

Maximum number of attempts to get username and password before the operation is cancelled

Maximum period of inactivity (in seconds) before an open accounting session is timed out and closed

Duration of the warning period for expiring passwords and services

List of NASes authorized to use SENDPASS as an authentication method

The syntax of the server control file is similar to that of the C language. Each statement or grouping is terminated by a semicolon. Comments begin with the characters "/*" and end with the characters "*/". A line can be continued on the next line by ending it with a backslash (\).

The following is an example CiscoSecure ACS (CSU.cfg) control file. Administrators can customize this example for their own configuration file using the variables listed in Table B-1.

/*
* CiscoSecure Access Control Server Example Control File
*/

/* The license for this server. Multiple license keys may
* be specified, each separated by a comma.
*/
LIST config_license_key = {"061db8afcf66db981f3c" }; /* NAS License Key goes here */
STRING config_update_log_filename = "/CiscoSecure/logfiles/passwd_chg.log";
NUMBER config_system_logging_level = 0x80;
NUMBER config_logging_configuration = 0x7e;
NUMBER config_warning_period = 20;
NUMBER config_expiry_period = 60;
NUMBER config_record_write_frequency = 5; /* update frequency in seconds */
NUMBER config_max_failed_authentication = 10; /* number of authentication failures accepted
before the account is disabled */

/*
* Per-NAS configuration records. The default encryption key is "arachnid"
* for all NAS except 'boggle', which is using "heliotrope".
*/
NAS config_nas_config = {
{
"", /* NAS name can go here */
"arachnid", /* NAS/CiscoSecure secret key */
"", /* message_catalogue_filename */
1, /* Authentication: username retries */
3, /* Authentication: password retries */
1 /* trusted NAS for SENDPASS */
},
{
"boggle", /* NAS name */
"heliotrope", /* NAS/CiscoSecure secret key */
"", /* message_catalogue_filename */
2, /* Authentication: username retries */
2, /* Authentication: password retries */
0 /* not a trusted NAS for SENDPASS */
}
};

AUTHEN config_external_authen_symbols = {
{ "./libskey.so", "skey" },
{ "./libsdi.so", "sdi" },
{ "./libenigma.so", "enigma" },
{ "./libcryptocard.so", "crypto" },
{ "./libpap.so", "pap" },
{ "./libchap.so", "chap" },
{ "./libarap.so", "arap" }
};

AUTHOR config_external_author_symbols = {
{
"./libargs.so",
"process_input_arguments",
"process_input_arguments_ok",
"process_input_arguments_fail",
"process_output_arguments",
"process_output_arguments_ok",
"process_output_arguments_fail"
}
};

ACCT config_external_acct_symbols = {
{
"./libargs.so",
"accounting_fn"
}
};

ADMIN config_external_admin_symbols = {
"./libadmin.so"
};


DB config_external_database_symbols = {
{
"./libdb.so",
"",
""
}
};

PARSER config_external_parser_symbols = {
"./libt+.so"
};

EVENT config_external_event_symbols = {
{
"./libdb.so",
"",
""
}
};
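The following is an added example, not part of the Cisco documentation or the product: a small Python reader for the control-file syntax described above (comments, backslash continuation, semicolon-terminated statements) that extracts the per-NAS records and lists the settings an administrator should review before deployment. The input is a constructed CSU.cfg fragment with placeholder license keys, and the reader assumes the six-field NAS record layout of the example file.

```python
import re

# Constructed CSU.cfg fragment in the syntax described above (placeholder keys, not a real site).
SAMPLE_CFG = r'''
/* example control file */
LIST config_license_key = {"LICENSE-KEY-PLACEHOLDER-1",\
  "LICENSE-KEY-PLACEHOLDER-2" };
NUMBER config_max_failed_authentication = 10; /* nmbr of authen fails
accepted */
NAS config_nas_config = {
  { "", "arachnid", "", 1, 3, 1 },            /* default record: empty NAS name */
  { "boggle", "heliotrope", "", 2, 2, 0 },
  { "lab-nas", "arachnid", "./cat_es", 1, 3, 1 }
};
'''

def statements(text):
    r"""Strip /* ... */ comments (possibly multi-line), join backslash-continued lines,
    and split the result into ';'-terminated statements."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S).replace('\\\n', '')
    return [s.strip() for s in text.split(';') if s.strip()]

def parse_nas_records(text):
    """Return the config_nas_config records as lists: strings unquoted, numbers as int.
    Assumes the six-field record layout of the example control file (an assumption)."""
    for stmt in statements(text):
        if stmt.startswith('NAS config_nas_config'):
            body = stmt.split('=', 1)[1]
            return [[f.strip().strip('"') if f.strip().startswith('"') else int(f)
                     for f in rec.split(',')]
                    for rec in re.findall(r'\{([^{}]*)\}', body)]
    return []

def audit_nas_records(recs):
    """Review points for the per-NAS records: empty secrets, one secret shared by
    several NASes, and which NASes are trusted for SENDPASS."""
    findings, by_secret = [], {}
    for name, secret, _catalog, _user_retries, _pass_retries, trusted in recs:
        label = name or '<default>'
        if not secret:
            findings.append(f'{label}: empty shared secret')
        by_secret.setdefault(secret, []).append(label)
        if trusted:
            findings.append(f'{label}: trusted for SENDPASS')
    for secret, names in by_secret.items():
        if len(names) > 1:
            findings.append('shared secret reused by: ' + ', '.join(names))
    return findings

if __name__ == '__main__':
    for finding in audit_nas_records(parse_nas_records(SAMPLE_CFG)):
        print(finding)
```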

The variables shown in Table B-1 are valid in the CSU.cfg file.

Table B-1 CSU.cfg Variables

Each entry gives the variable's type and name, its default, a description, and an example.

List: config_license_key
Default: None
Description: A list of the license keys used to enable the product.
Example:
LIST config_license_key = {"061db8afcf66db981f3c",\
"7f4f9db4d7ce8ed85b69" };

String: config_update_log_filename
Default: None
Description: The name of the file that records the results of password changes and similar updates.
Example:
STRING config_update_log_filename = "./updates";

Number: config_expiry_period
Default: 30 (days)
Description: Number of days before a (new) password changed via CHPASS expires.
Example:
NUMBER config_expiry_period = 30;

Number: config_warning_period
Default: 10 (days)
Description: Number of days before a password expires during which the user is warned that the password will expire soon.
Example:
NUMBER config_warning_period = 10;

Number: config_get_names_from_dns
Default: 1 (true)
Description: Decides whether the server performs IP address-to-hostname lookups.
Example:
NUMBER config_get_names_from_dns = 0;

Number: config_limit_for_idle_connection
Default: 300 (seconds)
Description: Maximum number of seconds to hold an idle NAS connection open.
Example:
NUMBER config_limit_for_idle_connection = 300;

NAS: config_nas_config
Default: None
Description: Specifies, for each NAS client: the NAS host name, the secret encryption key, the message catalog, the username retries allowed, the password retries allowed, whether this is the default NAS configuration (1/0), whether the NAS is trusted for SENDPASS (1/0), and the password expiration period in days.
Example:
NAS config_nas_config = {
{ "NAS_NAMEA", "SECRET12345", "./cat_1", 1, 3, 1, 1, 30 },
{ "NAS_NAMEB", "SECRET16789", "./cat_1", 1, 3, 0, 0, 30 }
};

Number: config_nodelay_for_tcp
Default: 1 (on)
Description: Decides whether to set TCP_NODELAY on TCP sockets, which turns off the Nagle algorithm. Should be left on for performance reasons.
Example:
NUMBER config_nodelay_for_tcp = 1;

Number: config_priv_level_for_own_CHPASS
Default: (not given)
Description: Privilege level at which a user can change his or her own password.
Example:
NUMBER config_priv_level_for_own_CHPASS = 1;

Number: config_receive_buffer_size
Default: 16384 (16 KB)
Description: Buffer size to allocate for the receive function in each TCP connection.
Example:
NUMBER config_receive_buffer_size = 8192;

Number: config_send_buffer_size
Default: 16384 (16 KB)
Description: Buffer size to allocate for the send function in each TCP connection.
Example:
NUMBER config_send_buffer_size = 8192;

Number: config_system_logging_level
Default: 0x80 (LOG_LOCAL0)
Description: Syslog facility under which to log.
Example:
NUMBER config_system_logging_level = 0x80;

Number: config_system_priority_level
Default: -4
Description: System priority to assign the CiscoSecure ACS daemon.
Example:
NUMBER config_system_priority_level = -4;

Number: config_use_keepalives
Default: 1 (on)
Description: Determines whether SO_KEEPALIVE is set on TCP sockets.
Example:
NUMBER config_use_keepalives = 1;

Number: config_logging_configuration
Default: 0x7E
Description: Configures logging parameters. The default (0x7E) turns on all the standard logging levels. Additional details and debugging information can be configured through options in the CiscoSecure ACS AAA General web page, described in "Managing General Settings on the ACS" in Chapter 6, "ACS and NAS Management."
Examples:
NUMBER config_logging_configuration = 0x7E;
NUMBER config_logging_configuration = 0xffffffff; /* allow RADIUS debug */
NUMBER config_logging_configuration = 0xffffff7f; /* no RADIUS debug */

TCP = Transmission Control Protocol.


Message Catalogs

Message catalogs allow system administrators to redefine the set of messages sent by the CiscoSecure ACS to the users connecting to a particular NAS. Message catalogs are editable text files containing message strings that can be customized to support particular groups of users on a per-NAS basis.

Using Message Catalogs to Support Multiple Languages

A system administrator can customize multiple message catalogs to set up specific TACACS+-enabled NASes to support users of specific language backgrounds logging in to the network.

For example, to set up a specific NAS to display Spanish-language messages and prompts to the users dialing in, a system administrator can edit and rename an existing message catalog, substituting Spanish-language message strings for the message strings already there. (A line in a message catalog consists of a CiscoSecure message ID and a message string. The message ID is not configurable. The message string can be whatever characters you specify.)

The system administrator can then associate that message catalog with the target NAS.

Multiple message catalogs can be set up to support multiple NASes, each NAS with a different user community based on language.

Assigning a Message Catalog to a TACACS+-Enabled NAS

Each TACACS+-enabled NAS served by a CiscoSecure ACS can have a different message catalog assigned to it if necessary.

You can assign a message catalog to a TACACS+-enabled NAS through the NAS Message Catalog file name field in the AAA NAS page on the CiscoSecure ACS administration web site (see the "Managing Profiles for TACACS+-Enabled NASes" section on page 6-1). You cannot assign specific message catalogs to NASes enabled for RADIUS only.

Message Catalog Format

The format of a line in the message catalog is:

msg_ID "msg_string"

where:

msg_ID is a predefined value permanently associated with a specific CiscoSecure message or prompt.

msg_string is a message string of whatever characters you specify.

For example:

3 "Hello\040there"
2 "ok, what's your password\012"

The formatting and display of messages are determined by the NAS. By convention, however, the Return-Linefeed sequence in the message catalog is represented by a newline (\n) character. You enter special characters using escaped octal notation in which the first character is a backslash (\) and is followed by three octal digits representing the ASCII value of the character.

For example, a Return is represented by the value \010 and a Linefeed is represented by the value \012. Extended character sets may contain null values, which are acceptable because each message is stored with an associated length field and is not null terminated.
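The following is an added example, not part of the Cisco documentation: a Python reader for the catalog line format above that expands the escaped octal notation (and the conventional \n) into the raw bytes the NAS receives, keeps embedded null bytes as the text says is acceptable, and provides the inverse encoder for writing non-ASCII messages (a Spanish prompt, for instance) back out. The catalog lines are constructed for this example, and the 8-bit (latin-1) interpretation of the catalog text is an assumption.

```python
import re

# Constructed catalog lines in the msg_ID "msg_string" format (not a shipped Cisco catalog).
SAMPLE_CATALOG = r'''
3 "Hello\040there"
2 "ok, what's your password\012"
1 "Usuario\000: "
0 "\nVerificaci\363n de acceso\n"
'''

LINE = re.compile(r'^\s*(\d+)\s+"(.*)"\s*$')
ESCAPE = re.compile(r'\\([0-7]{3})|\\n|\\(.)')

def decode_msg_string(s):
    r"""Expand \NNN octal escapes and \n into raw bytes; any other \x is taken as a literal x."""
    out, pos = bytearray(), 0
    for m in ESCAPE.finditer(s):
        out += s[pos:m.start()].encode('latin-1')   # catalog text assumed to be 8-bit (latin-1)
        if m.group(1):
            val = int(m.group(1), 8)
            if val > 0xFF:
                raise ValueError(f'octal escape \\{m.group(1)} exceeds one byte')
            out.append(val)
        elif m.group(0) == '\\n':
            out.append(0x0A)
        else:
            out += m.group(2).encode('latin-1')
        pos = m.end()
    out += s[pos:].encode('latin-1')
    return bytes(out)   # may contain NUL bytes; the message length is len(out), not a NUL scan

def encode_msg_string(raw):
    r"""Inverse of decode: printable ASCII other than quote and backslash stays, the rest becomes \NNN."""
    return ''.join(chr(b) if 0x20 <= b < 0x7F and b not in (0x22, 0x5C) else '\\%03o' % b
                   for b in raw)

def parse_catalog(text):
    """Return {msg_ID: message bytes} for every non-blank line, rejecting malformed lines."""
    catalog = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f'line {n}: expected msg_ID "msg_string" but got {line!r}')
        catalog[int(m.group(1))] = decode_msg_string(m.group(2))
    return catalog

if __name__ == '__main__':
    for msg_id, raw in sorted(parse_catalog(SAMPLE_CATALOG).items()):
        print(msg_id, len(raw), raw)
```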

The following list identifies the default message IDs, message names, and message strings used by the CiscoSecure ACS software:

0 AUTHEN_CLIENT_LOGIN_PROMPT "\nUser Access Verification\n"
1 AUTHEN_CLIENT_USERNAME_PROMPT "Username: "
2 AUTHEN_CLIENT_PASSWORD_PROMPT "Password: "
3 AUTHEN_CLIENT_SIGN_ON_MESSAGE ""
4 AUTHEN_CLIENT_CHANGEPASS_INTRO "Change password sequence"
5 AUTHEN_CLIENT_PASSWORDS_IDENTICAL "Error - passwords the same"
6 AUTHEN_CLIENT_PASSWORD_EXPIRED "Your password has expired"
7 AUTHEN_CLIENT_TOO_MANY_TRIES_FOR_USERNAME "Too many tries for username"
8 AUTHEN_CLIENT_TOO_MANY_TRIES_FOR_PASSWORD "Too many tries for password"
9 AUTHEN_CLIENT_NEW_PASSWORD1 "New password: "
10 AUTHEN_CLIENT_NEW_PASSWORD2 "New password again: "
11 AUTHEN_CLIENT_PASSWORDS_DIFFERENT "The passwords are different"
12 AUTHEN_CLIENT_BAD_PASSWORD "Bad password"
13 AUTHEN_CLIENT_CANT_CHANGE_PASSWORD "You cannot change your password"
14 AUTHEN_CLIENT_ACCOUNT_EXPIRY_WARNING "Your account will expire in %d days"
15 AUTHEN_CLIENT_PASSWORD_EXPIRY_WARNING "Your password will expire in %d days"
16 AUTHEN_CLIENT_NEW_PASSWORD_CRITERIA "A password must be between six and thirteen characters, containing at least one alphabetic and numeric character."

18 AUTHEN_USER_NOT_FOUND "Authentication - User not found"
19 AUTHEN_BAD_METHOD_FOR_USER "Authentication - Bad method for user"
20 AUTHEN_BAD_TYPE "Authentication - Bad type"
21 AUTHEN_NO_USERNAME "Authentication - No username specified"
22 AUTHEN_INSUFFICIENT_PRIVILEGE "Authentication - Insufficient privilege"
23 AUTHEN_UNEXPECTED_DATA "Authentication - Unexpected data"
24 AUTHEN_UNEXPECTED_RESERVED_DATA "Authentication - Unexpected reserved data"
25 AUTHEN_INCORRECT_PASSWORD "Authentication - Incorrect password"
26 AUTHEN_ABORTED_SEQUENCE "Authentication - Aborted sequence"
27 AUTHEN_FILEHANDLING_ERROR "Authentication - File handling error"
28 AUTHEN_UNKNOWN_PASSWORD_TYPE "Authen - Unknown password type"
29 AUTHEN_USER_NOT_IN_FILE "Authentication - User not in file"
30 AUTHEN_ERROR_IN_EXTERNAL_FN "Authentication - Error in external function"
31 AUTHEN_BAD_SERVICE "Authentication - Bad Service"
32 AUTHEN_BAD_ACTION "Authentication - Bad Action"
33 AUTHEN_SENDPASS_OK "Authentication - SENDPASS (ok)"
34 AUTHEN_SENDPASS_FAIL "Authentication - SENDPASS (fail)"

35 PROTOCOL_USERNAME_TOO_LONG "Protocol - Username too long"
36 PROTOCOL_NASNAME_TOO_LONG "Protocol - NAS name too long"
37 PROTOCOL_NASPORT_TOO_LONG "Protocol - NAS port name too long"
38 PROTOCOL_NACADDR_TOO_LONG "Protocol - NAC address too long"
39 PROTOCOL_BAD_PRIVILEGE "Protocol - Invalid privilege field"
40 PROTOCOL_ACTIVE_SESSION "Protocol - Session id in use"
41 PROTOCOL_NO_SESSION "Protocol - No session found"
42 PROTOCOL_INCORRECT_TYPE "Protocol - Incorrect type"
43 PROTOCOL_INCORRECT_SESSION "Protocol - Incorrect session"
44 PROTOCOL_INCORRECT_SEQUENCE "Protocol - Incorrect sequence"
45 PROTOCOL_INCORRECT_VERSION "Protocol - Incorrect version"
46 PROTOCOL_GARBLED "Protocol - Garbled message"
47 PROTOCOL_READ_TIMEOUT "Protocol - Read timeout"
48 PROTOCOL_CONNECTION_CLOSED "Protocol - Connection closed"
49 PROTOCOL_BAD_TYPE "Protocol - Bad type"
50 PROTOCOL_MAX_USERS_EXCEEDED "Maximum number of users exceeded"
51 PROTOCOL_ENCRYPTION_MISMATCH "Mismatched encryption"

52 AUTHOR_NO_SERVICE "Authorization - No service specified"
53 AUTHOR_FAILED_MANDATORY_ARG "Authorization - Failed mandatory argument"
54 AUTHOR_FAILED_COMMAND_LINE "Authorization - Failed command line"
55 AUTHOR_FAILED_SERVICE "Authorization - Failed service"
56 AUTHOR_FAILED_TIME "Authorization - Failed time qualification"
57 AUTHOR_BAD_ARGUMENT "Authorization - Bad argument"
58 AUTHOR_NO_COMMAND "Authorization - No command specified"
59 AUTHOR_FAILED_CMD "Authorization - Failed command"
60 AUTHOR_NO_PROTOCOL "Authorization - No protocol"
61 AUTHOR_UNKNOWN_USER "Authorization - Unknown user"
62 AUTHOR_INVALID_NAS_OR_PORT "Authorization - Unauthorized NAS or PORT"
63 AUTHOR_COMMAND_AUTHORIZED "Authorization - Command authorized"


Posted: Wed Feb 16 10:12:50 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.