CiscoSecure ACS File Formats and Syntax
This appendix describes the configuration parameters and syntax for the CiscoSecure Access Control Server (ACS) control file and for the message catalogs. It includes the following sections: Server Control File and Message Catalogs.
Server Control File
The server control file (CSU.cfg) is the main file required to set up the CiscoSecure ACS software and is located in the /$BASEDIR/config directory. This file includes basic configuration parameters for each network access server (NAS) to be serviced and specifies the following information:
•License key(s) that enable CiscoSecure ACS software
•NAS-specific configuration parameters
–Name of the NAS to which the parameters are to be applied
–Encryption key shared between the CiscoSecure ACS and the selected NAS
–Message catalog filename for the specified NAS
–Maximum time (in seconds) after sending a response to wait for a client to continue a transaction
–Maximum number of attempts to get username and password before the operation is cancelled
–Maximum period of inactivity (in seconds) before an open accounting session is timed out and closed
–Duration of the warning period for expiring passwords and services
–List of NASes authorized to use SENDPASS as an authentication method
The syntax of the server control file is similar to C syntax. Each statement or grouping is terminated by a semicolon. Comments begin with the characters "/*" and end with the characters "*/". A line can be continued on the following line by ending it with a backslash (\).
The following is an example CiscoSecure ACS (CSU.cfg) control file. Administrators can customize this example for their own configuration file using the variables listed in Table B-1.
/*
 * CiscoSecure Access Control Server Example Control File
 */

/* The license for this server. Multiple license keys may
 * be specified, each separated by a comma.
 */
LIST config_license_key = { "061db8afcf66db981f3c" };  /* NAS License Key goes here */

STRING config_update_log_filename = "/CiscoSecure/logfiles/passwd_chg.log";
NUMBER config_system_logging_level = 0x80;
NUMBER config_logging_configuration = 0x7e;
NUMBER config_warning_period = 20;
NUMBER config_expiry_period = 60;
NUMBER config_record_write_frequency = 5;       /* update frequency in seconds */
NUMBER config_max_failed_authentication = 10;   /* number of authentication failures
                                                 * accepted before the account is disabled */

/*
 * Per-NAS configuration records. The default encryption key is "arachnid"
 * for all NAS except 'boggle', which is using "heliotrope".
 */
NAS config_nas_config = {
    {
        "",            /* NAS name can go here */
        "arachnid",    /* NAS/CiscoSecure secret key */
        "",            /* message_catalogue_filename */
        1,             /* Authentication: username retries */
        3,             /* Authentication: password retries */
        1              /* trusted NAS for SENDPASS */
    },
    {
        "boggle",      /* NAS name */
        "heliotrope",  /* NAS/CiscoSecure secret key */
        "",            /* message_catalogue_filename */
        2,             /* Authentication: username retries */
        2,             /* Authentication: password retries */
        0              /* not a trusted NAS for SENDPASS */
    }
};

AUTHEN config_external_authen_symbols = {
    { "./libskey.so",       "skey"   },
    { "./libsdi.so",        "sdi"    },
    { "./libenigma.so",     "enigma" },
    { "./libcryptocard.so", "crypto" },
    { "./libpap.so",        "pap"    },
    { "./libchap.so",       "chap"   },
    { "./libarap.so",       "arap"   }
};

AUTHOR config_external_author_symbols = {
    {
        "./libargs.so",
        "process_input_arguments",
        "process_input_arguments_ok",
        "process_input_arguments_fail",
        "process_output_arguments",
        "process_output_arguments_ok",
        "process_output_arguments_fail"
    }
};

ACCT config_external_acct_symbols = {
    { "./libargs.so", "accounting_fn" }
};

ADMIN config_external_admin_symbols = {
    "./libadmin.so"
};

DB config_external_database_symbols = {
    { "./libdb.so", "", "" }
};

PARSER config_external_parser_symbols = {
    "./libt+.so"
};

EVENT config_external_event_symbols = {
    { "./libdb.so", "", "" }
};
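As an added example (not part of the Cisco documentation), the following Python reads the statement syntax described above: it strips /* */ comments, joins backslash-continued lines, splits statements at the terminating semicolon, parses each value (string, number or brace list), and then reads the per-NAS records so that entries with an empty shared secret can be flagged. The control file embedded in it is constructed for the example; the field order follows the example control file above.

```python
import re
# Constructed sample in the CSU.cfg syntax the appendix describes (values are made up).
SAMPLE_CFG = r'''
LIST config_license_key = {"00000000000000000000",\
                           "11111111111111111111" };
NUMBER config_system_logging_level = 0x80;
NUMBER config_record_write_frequency = 5; /* update frequency in
seconds */
NAS config_nas_config = {
    { "", "arachnid", "", 1, 3, 1 },
    { "boggle", "", "", 2, 2, 0 }
};
'''
# A token is a quoted string, a decimal/hex number, or a brace; commas are skipped.
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(-?0x[0-9a-fA-F]+|-?\d+)|([{}])')

def strip_comments(text):
    # /* ... */ comments may span lines; a trailing backslash continues a line.
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)
    return text.replace('\\\n', ' ')

def parse_value(tokens):
    # Recursive descent: a value is a string, a number, or a { ... } list.
    kind, tok = tokens.pop(0)
    if kind != 'p':
        return tok
    items = []
    while tokens[0] != ('p', '}'):
        items.append(parse_value(tokens))
    tokens.pop(0)  # the matching closing brace
    return items

def parse_csu_cfg(text):
    """Map each 'TYPE name = value;' statement to name -> (TYPE, value)."""
    cfg = {}
    for stmt in strip_comments(text).split(';'):  # assumes no ';' inside strings
        if not stmt.strip():
            continue
        head, _, body = stmt.partition('=')
        typ, name = head.split()
        tokens = [('p', p) if p else ('n', int(n, 0)) if n else ('s', s)
                  for s, n, p in TOKEN.findall(body)]
        cfg[name] = (typ, parse_value(tokens))
    return cfg

def nas_records(cfg):
    """Per-NAS records, in the field order of the appendix's example file."""
    fields = ('name', 'secret', 'catalog', 'user_retries', 'pass_retries', 'sendpass_trusted')
    return [dict(zip(fields, rec)) for rec in cfg['config_nas_config'][1]]

def nas_without_secret(cfg):
    """Names of NAS entries whose shared secret is empty ('' is the default entry)."""
    return [r['name'] for r in nas_records(cfg) if not r['secret']]
```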
The variables shown in Table B-1 are valid in the CSU.cfg file.

Table B-1 CSU.cfg Variables

Type: List
Name: config_license_key
Default: None
Description: A list of the license keys used to enable the product.
Example: LIST config_license_key = {"061db8afcf66db981f3c",\
                                    "7f4f9db4d7ce8ed85b69" };

Type: String
Name: config_update_log_filename
Default: None
Description: The name of the file that keeps the results of password changes, and so on.
Example: STRING config_update_log_filename = "./updates";

Type: Number
Name: config_expiry_period
Default: 30 (days)
Description: Number of days before a (new) password changed via CHPASS expires.
Example: NUMBER config_expiry_period = 30;

Type: Number
Name: config_warning_period
Default: 10 (days)
Description: Number of days before a password expires during which the user is warned that his or her password will expire soon.
Example: NUMBER config_warning_period = 10;

Type: Number
Name: config_get_names_from_dns
Default: 1 (true)
Description: Decides whether the server should perform IP address-to-hostname lookups.
Example: NUMBER config_get_names_from_dns = 0;

Type: Number
Name: config_limit_for_idle_connection
Default: 300 (seconds)
Description: Maximum number of seconds to hold an idle NAS connection open.
Example: NUMBER config_limit_for_idle_connection = 300;

Type: NAS
Name: config_nas_config
Default: None
Description: Specifies, for each NAS client, the NAS host name, the secret encryption key, the message catalog, the username retries allowed, the password retries allowed, default NAS configuration (1/0), trusted NAS for SENDPASS (1/0), and the password expiration period in days.
Example: NAS config_nas_config = {
             { "NAS_NAMEA", "SECRET12345", "./cat_1", 1, 3, 1, 1, 30 },
             { "NAS_NAMEB", "SECRET16789", "./cat_1", 1, 3, 0, 0, 30 }
         };

Type: Number
Name: config_nodelay_for_tcp
Default: 1 (on)
Description: Decides whether to set TCP_NODELAY on TCP (Transmission Control Protocol) sockets, and thus turn off the Nagle algorithm. Should be left on for performance reasons.
Example: NUMBER config_nodelay_for_tcp = 1;

Type: Number
Name: config_priv_level_for_own_CHPASS
Description: Privilege level at which a user can change his or her own password.
Example: NUMBER config_priv_level_for_own_CHPASS = 1;

Type: Number
Name: config_receive_buffer_size
Default: 16384 (16 KB)
Description: Buffer size to allocate for the receive function in each TCP connection.
Example: NUMBER config_receive_buffer_size = 8192;

Type: Number
Name: config_send_buffer_size
Default: 16384 (16 KB)
Description: Buffer size to allocate for the send function in each TCP connection.
Example: NUMBER config_send_buffer_size = 8192;

Type: Number
Name: config_system_logging_level
Default: 0x80 (LOG_LOCAL0)
Description: Syslog facility under which to log.
Example: NUMBER config_system_logging_level = 0x80;

Type: Number
Name: config_system_priority_level
Default: -4
Description: System priority to assign the CiscoSecure ACS daemon.
Example: NUMBER config_system_priority_level = -4;

Type: Number
Name: config_use_keepalives
Default: 1 (on)
Description: Determines whether SO_KEEPALIVE should be set on TCP sockets.
Example: NUMBER config_use_keepalives = 1;

Type: Number
Name: config_logging_configuration
Default: 0x7E
Description: Configures logging parameters. The default (0x7E) turns on all the standard logging levels. Additional details and debugging information can be configured through options in the CiscoSecure ACS AAA General web page, described in "Managing General Settings on the ACS" in Chapter 6, "ACS and NAS Management."
Example: NUMBER config_logging_configuration = 0x7E;
         NUMBER config_logging_configuration = 0xffffffff; /* allow RADIUS debug */
         NUMBER config_logging_configuration = 0xffffff7f; /* no RADIUS debug */
Message Catalogs
Message catalogs allow system administrators to redefine the set of messages sent by the CiscoSecure ACS to the users connecting to a particular NAS. Message catalogs are editable text files containing message strings that can be customized to support particular groups of users on a per-NAS basis.
Using Message Catalogs to Support Multiple Languages
A system administrator can customize multiple message catalogs to set up specific TACACS+-enabled NASes to support users of specific language backgrounds logging in to the network.
For example, to set up a specific NAS to display Spanish-language messages and prompts to the users dialing in, a system administrator can edit and rename an existing message catalog, substituting Spanish message strings for the message strings already there. (A line in a message catalog consists of a CiscoSecure message ID and a message string. The message ID is not configurable. The message string can be whatever characters you specify.)
The system administrator can then associate that message catalog with the target NAS.
Multiple message catalogs can be set up to support multiple NASes, each NAS with a different user community based on language.
Assigning a Message Catalog to a TACACS+-Enabled NAS
Each TACACS+-enabled NAS served by a CiscoSecure ACS can have a different message catalog assigned to it if necessary.
You can assign a message catalog to a TACACS+-enabled NAS through the NAS Message Catalog file name field in the AAA NAS page on the CiscoSecure ACS administration web site (see the "Managing Profiles for TACACS+-Enabled NASes" section on page 6-1). You cannot assign specific message catalogs to NASes enabled for RADIUS only.
Message Catalog Format
The format of a line in the message catalog is:
msg_ID "msg_string"
where:
msg_ID is a predefined value permanently associated with a specific CiscoSecure message or prompt.
msg_string is a message string of whatever characters you specify.
For example:
3 "Hello\040there"
2 "ok, what's your password\012"
The formatting and display of messages are determined by the NAS. By convention, however, the Return-Linefeed sequence in the message catalog is represented by a newline (\n) character. You enter special characters using escaped octal notation in which the first character is a backslash (\) and is followed by three octal digits representing the ASCII value of the character.
For example, a Return is represented by the value \010 and a Linefeed is represented by the value \012. Extended character sets may contain null values, which are acceptable because each message is stored with an associated length field and is not null terminated.
The following list identifies the default message IDs, message names, and message strings used by the CiscoSecure ACS software:
0 AUTHEN_CLIENT_LOGIN_PROMPT "\nUser Access Verification\n"
1 AUTHEN_CLIENT_USERNAME_PROMPT "Username: "
2 AUTHEN_CLIENT_PASSWORD_PROMPT "Password: "
3 AUTHEN_CLIENT_SIGN_ON_MESSAGE ""
4 AUTHEN_CLIENT_CHANGEPASS_INTRO "Change password sequence"
5 AUTHEN_CLIENT_PASSWORDS_IDENTICAL "Error - passwords the same"
6 AUTHEN_CLIENT_PASSWORD_EXPIRED "Your password has expired"
7 AUTHEN_CLIENT_TOO_MANY_TRIES_FOR_USERNAME "Too many tries for username"
8 AUTHEN_CLIENT_TOO_MANY_TRIES_FOR_PASSWORD "Too many tries for password"
9 AUTHEN_CLIENT_NEW_PASSWORD1 "New password: "
10 AUTHEN_CLIENT_NEW_PASSWORD2 "New password again: "
11 AUTHEN_CLIENT_PASSWORDS_DIFFERENT "The passwords are different"
12 AUTHEN_CLIENT_BAD_PASSWORD "Bad password"
13 AUTHEN_CLIENT_CANT_CHANGE_PASSWORD "You cannot change your password"
14 AUTHEN_CLIENT_ACCOUNT_EXPIRY_WARNING "Your account will expire in %d days"
15 AUTHEN_CLIENT_PASSWORD_EXPIRY_WARNING "Your password will expire in %d days"
16 AUTHEN_CLIENT_NEW_PASSWORD_CRITERIA "A password must be between six and thirteen characters, containing at least one alphabetic and numeric character."
18 AUTHEN_USER_NOT_FOUND "Authentication - User not found"
19 AUTHEN_BAD_METHOD_FOR_USER "Authentication - Bad method for user"
20 AUTHEN_BAD_TYPE "Authentication - Bad type"
21 AUTHEN_NO_USERNAME "Authentication - No username specified"
22 AUTHEN_INSUFFICIENT_PRIVILEGE "Authentication - Insufficient privilege"
23 AUTHEN_UNEXPECTED_DATA "Authentication - Unexpected data"
24 AUTHEN_UNEXPECTED_RESERVED_DATA "Authentication - Unexpected reserved data"
25 AUTHEN_INCORRECT_PASSWORD "Authentication - Incorrect password"
26 AUTHEN_ABORTED_SEQUENCE "Authentication - Aborted sequence"
27 AUTHEN_FILEHANDLING_ERROR "Authentication - File handling error"
28 AUTHEN_UNKNOWN_PASSWORD_TYPE "Authen - Unknown password type"
29 AUTHEN_USER_NOT_IN_FILE "Authentication - User not in file"
30 AUTHEN_ERROR_IN_EXTERNAL_FN "Authentication - Error in external function"
31 AUTHEN_BAD_SERVICE "Authentication - Bad Service"
32 AUTHEN_BAD_ACTION "Authentication - Bad Action"
33 AUTHEN_SENDPASS_OK "Authentication - SENDPASS (ok)"
34 AUTHEN_SENDPASS_FAIL "Authentication - SENDPASS (fail)"
35 PROTOCOL_USERNAME_TOO_LONG "Protocol - Username too long"
36 PROTOCOL_NASNAME_TOO_LONG "Protocol - NAS name too long"
37 PROTOCOL_NASPORT_TOO_LONG "Protocol - NAS port name too long"
38 PROTOCOL_NACADDR_TOO_LONG "Protocol - NAC address too long"
39 PROTOCOL_BAD_PRIVILEGE "Protocol - Invalid privilege field"
40 PROTOCOL_ACTIVE_SESSION "Protocol - Session id in use"
41 PROTOCOL_NO_SESSION "Protocol - No session found"
42 PROTOCOL_INCORRECT_TYPE "Protocol - Incorrect type"
43 PROTOCOL_INCORRECT_SESSION "Protocol - Incorrect session"
44 PROTOCOL_INCORRECT_SEQUENCE "Protocol - Incorrect sequence"
45 PROTOCOL_INCORRECT_VERSION "Protocol - Incorrect version"
46 PROTOCOL_GARBLED "Protocol - Garbled message"
47 PROTOCOL_READ_TIMEOUT "Protocol - Read timeout"
48 PROTOCOL_CONNECTION_CLOSED "Protocol - Connection closed"
49 PROTOCOL_BAD_TYPE "Protocol - Bad type"
50 PROTOCOL_MAX_USERS_EXCEEDED "Maximum number of users exceeded"
51 PROTOCOL_ENCRYPTION_MISMATCH "Mismatched encryption"
52 AUTHOR_NO_SERVICE "Authorization - No service specified"
53 AUTHOR_FAILED_MANDATORY_ARG "Authorization - Failed mandatory argument"
54 AUTHOR_FAILED_COMMAND_LINE "Authorization - Failed command line"
55 AUTHOR_FAILED_SERVICE "Authorization - Failed service"
56 AUTHOR_FAILED_TIME "Authorization - Failed time qualification"
57 AUTHOR_BAD_ARGUMENT "Authorization - Bad argument"
58 AUTHOR_NO_COMMAND "Authorization - No command specified"
59 AUTHOR_FAILED_CMD "Authorization - Failed command"
60 AUTHOR_NO_PROTOCOL "Authorization - No protocol"
61 AUTHOR_UNKNOWN_USER "Authorization - Unknown user"
62 AUTHOR_INVALID_NAS_OR_PORT "Authorization - Unauthorized NAS or PORT"
63 AUTHOR_COMMAND_AUTHORIZED "Authorization - Command authorized"
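As an added example (not part of the Cisco documentation), the following Python parses a catalog in the format described above: each line is a message ID followed by a quoted string, escaped octal (backslash plus three octal digits) and \n are decoded, the result is kept as bytes so that an embedded \000 survives (the message is stored with a length, not null terminated), and IDs outside the default list above are rejected. The catalog lines embedded in it are constructed (two are the examples from this appendix).

```python
import re

# Default message IDs listed in the appendix run 0-63 with 17 absent.
KNOWN_IDS = set(range(64)) - {17}

# Constructed catalog lines: the two examples from the appendix plus one
# holding an embedded null (\000), which the length-prefixed format allows.
SAMPLE_CATALOG = r'''
3 "Hello\040there"
2 "ok, what's your password\012"
1 "Usuario:\000\040"
'''

LINE = re.compile(r'^\s*(\d+)\s+"(.*)"\s*$')
ESCAPE = re.compile(r'\\([0-7]{3}|n)')

def decode_msg_string(raw):
    # Turn escaped octal (e.g. \040 = space) and the conventional \n into bytes.
    def repl(m):
        esc = m.group(1)
        if esc == 'n':
            return '\n'
        value = int(esc, 8)
        if value > 0xFF:  # e.g. \400: not a single byte
            raise ValueError(f'escape \\{esc} is out of range')
        return chr(value)
    # latin-1 maps each code point 0-255 to the byte of the same value.
    return ESCAPE.sub(repl, raw).encode('latin-1')

def parse_catalog(text, known_ids=KNOWN_IDS):
    """Parse 'msg_ID "msg_string"' lines into {msg_ID: bytes}; reject bad lines and IDs."""
    messages = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: expected msg_ID "msg_string"')
        msg_id = int(m.group(1))
        if msg_id not in known_ids:
            raise ValueError(f'line {lineno}: {msg_id} is not a CiscoSecure message ID')
        if msg_id in messages:
            raise ValueError(f'line {lineno}: message ID {msg_id} defined twice')
        messages[msg_id] = decode_msg_string(m.group(2))
    return messages
```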
Posted: Wed Feb 16 10:12:50 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.