Cisco AAA Implementation Case Study
Appendix A: AAA Device Configuration Listings
Downloads: This chapterpdf (PDF - 276.0KB) The complete bookPDF (PDF - 1.74MB) | Feedback

AAA Device Configuration Listings

Table Of Contents

AAA Device Configuration Listings

A.1 Sample Cisco IOS Configuration Listings

A.1.1 Example Local-Based Router AAA Configuration

A.1.2 Example Server-Based TACACS+ NAS Configuration

A.1.3 Example Server-Based RADIUS NAS Configuration

A.2 Router AAA Command Implementation Descriptions

A.3 NAS AAA Command Implementation Descriptions

A.4 CiscoSecure for UNIX Configuration Listings

A.4.1 CSU.cfg Listing

A.4.2 CSConfig.ini Listing

A.4.3 Oracle User Environment Variable

A.4.4 listener.ora Listing

A.5 CiscoSecure Log Files


AAA Device Configuration Listings


This appendix provides the following configuration listings:

A.1.1 Example Local-Based Router AAA Configuration

A.1.2 Example Server-Based TACACS+ NAS Configuration

A.1.3 Example Server-Based RADIUS NAS Configuration

A.4.1 CSU.cfg Listing

A.4.2 CSConfig.ini Listing

A.4.3 Oracle User Environment Variable

A.4.4 listener.ora Listing

A.1 Sample Cisco IOS Configuration Listings

The following listing represents the complete running configuration for the router and NAS used to illustrate AAA implementation in this solution guide. Listings are included for TACACS+ and RADIUS configurations.

A.1.1 Example Local-Based Router AAA Configuration

The following example of a local-based router configuration includes both dial-in and EXEC shell access configurations.

maui-rtr-03#show running-config
Building configuration...
 
Current configuration:
!
! Last configuration change at 09:19:35 CST Thu Apr 13 2000 by brownr
! NVRAM config last updated at 09:14:55 CST Thu Apr 13 2000 by brownr
!
version 12.0
service timestamps debug datetime msec localtime show-timezone 
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-rtr-03
!
no logging console
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHEN none
aaa authorization exec default local
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default local
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
enable secret 5 xxxxxxxxxxxxxxxxx
!
username admin privilege 15 password 7 xxxxxxxxxxxx
!
!
!
clock timezone cst -6
clock summer-time CST recurring
ip subnet-zero
ip domain-name maui-onions.com
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
!
!
!
!
!
interface Loopback0
 ip address 172.22.255.3 255.255.255.255
 no ip directed-broadcast
!
interface ATM1/0
 no ip address
 no ip directed-broadcast
 shutdown
 no atm ilmi-keepalive
!
interface Serial2/0
 ip address 10.10.10.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial2/1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial2/2
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial2/3
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Ethernet3/0
 ip address 172.22.241.3 255.255.255.0
 no ip directed-broadcast
 ip summary-address eigrp 69 172.22.80.0 255.255.240.0 5
!
interface Ethernet3/1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Ethernet3/2
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Ethernet3/3
 no ip address
 no ip directed-broadcast
 shutdown
!
interface FastEthernet4/0
 ip address 172.22.80.1 255.255.255.0
 no ip directed-broadcast
 ip summary-address eigrp 69 172.22.240.0 255.255.240.0 5
 half-duplex
!
router eigrp 69
 network 172.22.0.0
!
ip default-gateway 172.22.53.1
ip classless
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
snmp-server engineID local 00000009020000D0BB7F5054
snmp-server community cisco xx
snmp-server community rules xx
snmp-server trap-source Loopback0
snmp-server contact 
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps config
snmp-server enable traps envmon
tacacs-server host 172.22.53.201 key biteme
tacacs-server key ciscorules
!
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 accounting commands 15 NO_ACCOUNT
 login authentication NO_AUTHEN
 transport input none
line aux 0
line vty 0 4
!
ntp clock-period 17179912
ntp source Loopback0
ntp update-calendar
ntp server 172.22.255.1
end

A.1.2 Example Server-Based TACACS+ NAS Configuration

The following example of a server-based NAS configuration includes both dial-in and EXEC shell access configurations for TACACS+ implementations:

maui-nas-03#show running-config
Building configuration...

Current configuration:

maui-nas-03#sh run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-nas-03
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
!
username admin privilege 15 password 7 xxxxxxxxxxxxx
username diallocal access-class 110 password 7 xxxxxxxxxxx
username diallocal autocommand ppp
spe 1/0 1/7
 firmware location system:/ucode/mica_port_firmware
spe 2/0 2/7
 firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
!
!
!
!
!
clock timezone CST -6
clock summer-time CST recurring
ip subnet-zero
no ip domain-lookup
ip domain-name maui-onions.com
ip name-server 172.22.53.210
!
isdn switch-type primary-ni
isdn voice-call-failure 0
partition flash 2 24 8
!
!
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 clock source line secondary 1
!
controller T1 2
 clock source line secondary 2
!
controller T1 3
 clock source line secondary 3
!
controller T1 4
 clock source line secondary 4
!
controller T1 5
 clock source line secondary 5
!
controller T1 6
 clock source line secondary 6
!
controller T1 7
 clock source line secondary 7
!
!
interface Loopback0
 ip address 172.22.87.3 255.255.255.255
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
interface Loopback1
 ip address 172.22.83.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
interface Ethernet0
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Serial0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial1
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial2
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial3
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial0:23
 description "PRI D channel"
 ip unnumbered Dialer1
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no logging event link-status
 timeout absolute 240 0
 dialer rotary-group 1
 dialer-group 5
 no snmp trap link-status
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no fair-queue
 compress stac
 no cdp enable
!
interface FastEthernet0
 ip address 172.22.80.3 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Group-Async1
 ip unnumbered Loopback0
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 ip tcp header-compression passive
 no ip mroute-cache
 no logging event link-status
 dialer in-band
 dialer idle-timeout 900
 async mode interactive
 no snmp trap link-status
 peer default ip address pool default
 no fair-queue
 no cdp enable
 ppp max-bad-auth 3
 ppp authentication pap chap
 group-range 1 192
!
interface Dialer1
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 no logging event link-statustimeout absolute 240 0
 dialer in-band
 dialer idle-timeout 300 either
 dialer-group 5
 no snmp trap link-status
 peer default ip address pool default
 no fair-queue
 compress stac
 no cdp enable
 ppp max-bad-auth 3
 ppp multilink
!
router eigrp 69
 network 172.22.0.0
!
ip local pool default 172.22.83.2 172.22.83.254
ip default-gateway 172.22.80.1
ip classless
ip tacacs source-interface Loopback0
ip http server
!
access-list 110 deny   tcp any any eq telnet
access-list 110 permit tcp any any
tacacs-server host 172.22.53.204
tacacs-server key ciscorules
snmp-server engineID local 0000000902000050546B87BC
snmp-server community xxxxxxxxx RO
snmp-server community xxxxxxxxx RW
radius-server host 172.22.53.204 auth-port 1645 acct-port 1646 key ciscorules
banner login ^CC
Welcome to maui-nas-03
Maui-onions Lab 
Learning Rack ISG
^C
!
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHEN
 transport input none
line 1 192
 session-timeout 15 
 exec-timeout 48 0
 autoselect during-login
 autoselect ppp
 absolute-timeout 240
 script dialer cisco_default
 refuse-message ^CCCCCCCC!!! All lines are busy, try again later ###^C
 modem InOut
 modem autoconfigure type mica
 transport preferred telnet
 transport input all
 transport output pad telnet rlogin udptn
line aux 0
line vty 0 4
!
end

A.1.3 Example Server-Based RADIUS NAS Configuration

The following example of a server-based NAS configuration includes both dial-in and EXEC shell access configurations for RADIUS implementations:

maui-nas-03#show running-config
Building configuration...

Current configuration:

maui-nas-03#sh run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-nas-03
!
aaa new-model
aaa authentication login default group radius local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group radius
aaa accounting network default start-stop group radius
!
username admin privilege 15 password 7 xxxxxxxxxxxxx
username diallocal access-class 110 password 7 xxxxxxxxxxx
username diallocal autocommand ppp
spe 1/0 1/7
 firmware location system:/ucode/mica_port_firmware
spe 2/0 2/7
 firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
!
!
!
!
!
clock timezone CST -6
clock summer-time CST recurring
ip subnet-zero
no ip domain-lookup
ip domain-name maui-onions.com
ip name-server 172.22.53.210
!
isdn switch-type primary-ni
isdn voice-call-failure 0
partition flash 2 24 8
!
!
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 clock source line secondary 1
!
controller T1 2
 clock source line secondary 2
!
controller T1 3
 clock source line secondary 3
!
controller T1 4
 clock source line secondary 4
!
controller T1 5
 clock source line secondary 5
!
controller T1 6
 clock source line secondary 6
!
controller T1 7
 clock source line secondary 7
!
!
interface Loopback0
 ip address 172.22.87.3 255.255.255.255
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
interface Loopback1
 ip address 172.22.83.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
interface Ethernet0
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Serial0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial1
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial2
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial3
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial0:23
 description "PRI D channel"
 ip unnumbered Dialer1
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no logging event link-status
 timeout absolute 240 0
 dialer rotary-group 1
 dialer-group 5
 no snmp trap link-status
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no fair-queue
 compress stac
 no cdp enable
!
interface FastEthernet0
 ip address 172.22.80.3 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Group-Async1
 ip unnumbered Loopback0
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 ip tcp header-compression passive
 no ip mroute-cache
 no logging event link-status
 dialer in-band
 dialer idle-timeout 900
 async mode interactive
 no snmp trap link-status
 peer default ip address pool default
 no fair-queue
 no cdp enable
 ppp max-bad-auth 3
 ppp authentication pap chap
 group-range 1 192
!
interface Dialer1
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 no logging event link-statustimeout absolute 240 0
 dialer in-band
 dialer idle-timeout 300 either
 dialer-group 5
 no snmp trap link-status
 peer default ip address pool default
 no fair-queue
 compress stac
 no cdp enable
 ppp max-bad-auth 3
 ppp multilink
!
router eigrp 69
 network 172.22.0.0
!
ip local pool default 172.22.83.2 172.22.83.254
ip default-gateway 172.22.80.1
ip classless
ip tacacs source-interface Loopback0
ip http server
!
access-list 110 deny   tcp any any eq telnet
access-list 110 permit tcp any any
tacacs-server host 172.22.53.204
tacacs-server key ciscorules
snmp-server engineID local 0000000902000050546B87BC
snmp-server community xxxxxxxxx RO
snmp-server community xxxxxxxxx RW
radius-server host 172.22.53.204 auth-port 1645 acct-port 1646 key ciscorules
banner login ^CC
Welcome to maui-nas-03
Maui-onions Lab 
Learning Rack ISG
^C
!
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHEN
 transport input none
line 1 192
 session-timeout 15 
 exec-timeout 48 0
 autoselect during-login
 autoselect ppp
 absolute-timeout 240
 script dialer cisco_default
 refuse-message ^CCCCCCCC!!! All lines are busy, try again later ###^C
 modem InOut
 modem autoconfigure type mica
 transport preferred telnet
 transport input all
 transport output pad telnet rlogin udptn
line aux 0
line vty 0 4
!
end

A.2 Router AAA Command Implementation Descriptions

Configurations addressed in this section focus on router administration configurations. Router administration configurations cause functions to run within the router shell. Examples include commands executed from a the router console, commands executed with a VTY connection, and a shell-initiated session established using a modem. Each is an example of an EXEC function. Table A-1 provides commands relevant for a router in a Cisco IOS AAA environment.

Table A-1 Cisco IOS Commands Required to Set AAA for a Router

Cisco IOS Command
Description/Application Comment

tacacs-server key secret-key

Specifies encryption key; must be the same in AAA server.

aaa new-model

Enables AAA. Forces an implicit login authentication default against all lines/console interfaces and an implicit ppp authentication pap default against all PPP interfaces.

aaa authentication login default group tacacs+

Causes router to forward all login requests to AAA server.

aaa authorization exec default group tacacs+ if-authenticated

Use default list for authorization to verify service=shell attribute is assigned to user and download appropriate shell attributes assigned in AAA server.

aaa authorization commands 15 default group tacacs+ if-authenticated

Use command authorization for privilege level 15 commands that must be assigned to router users for successful operation of these commands.

aaa accounting exec default start-stop group tacacs+

Logs EXEC shell information for user profile in start-stop TACACS+ format.

aaa accounting commands 15 default stop-only group tacacs+

Sends TACACS+ accounting stop record at the end of a privilege level 15 command.

aaa accounting system default stop-only group tacacs+

Performs accounting for all system level events not associated with users, such as reloads in stop-start TACACS+ format.

ip tacacs source-interface FastEthernet0/0/0

Specifies this interface IP address for management in the AAA server.

ip http server

Enables HTTP server access.

ip http authentication aaa

Forces AAA authentication and authorization at privilege level 15.

tacacs-server host IP-address

Specifies AAA server.


A.3 NAS AAA Command Implementation Descriptions

Configurations addressed in this section focus on AAA with PPP. These configurations differ from router administration configurations. PPP is a network level function and is separate from router shell functions. You can configure PPP to be initiated automatically or you can initiate PPP with a terminal window after dialing in to a NAS. Table A-2 lists commands relevant for a NAS providing PPP access a Cisco IOS AAA environment.


Note The following table lists Cisco IOS configuration commands required to support both TACACS+ and RADIUS AAA implementations.


Table A-2 Cisco IOS Commands Used to Set AAA with PPP for NAS (RADIUS and TACACS+)

IOS Command
Description/Application Comment

aaa new-model

Enables authentication, authorization, and accounting. Forces an implicit login authentication default against all lines/console interfaces and an implicit ppp authentication pap default against all ppp interfaces.

aaa authentication login default group tacacs+

Causes router to forward all login requests to a TACACS+ server.

aaa authentication login default group radius

Causes router to forward all login requests to a RADIUS server.

aaa authentication ppp default if-needed group radius

Use default list for PPP authentication; the if-needed keyword allows clients using "Terminal Window after Dial" option to successfully authenticate to RADIUS server and negotiate PPP, without using Windows dialup networking username and password combination.

aaa authentication ppp default if-needed group tacacs+

Use default list for PPP authentication; the if-needed keyword allows clients using "Terminal Window after Dial" option to successfully authenticate to TACACS+ server and negotiate PPP, without using Windows dialup networking username and password combination.

aaa authorization exec default group radius if-authenticated

Use default list to verify authorization.

aaa authorization exec default group tacacs+ if-authenticated

Use default list for authorization to verify service=shell attribute is assigned to user and download appropriate shell attributes assigned in AAA server.

aaa authorization network default group tacacs+ if-authenticated

Use default list for authorization to verify service=-ppp attribute is assigned to user or group and download appropriate PPP attributes assigned in AAA server. Command specifies that authorization is only permitted if user or group is properly authenticated through TACACS+.

aaa authorization network default group radius if-authenticated

Use default list for authorization to verify Service-Type=Framed attribute is assigned to user or group and download appropriate PPP attributes assigned in AAA server. Command specifies that authorization is only permitted if user or group is properly authenticated through RADIUS.

aaa accounting exec default start-stop group tacacs+

Logs EXEC shell information for user profile in start-stop TACACS+ format.

aaa accounting network default start-stop group tacacs+

Logs all network related services requests, such as PPP in stop-start TACACS+ format.

aaa accounting exec default start-stop group radius

Logs EXEC shell information for user profile in start-stop RADIUS format.

aaa accounting network default start-stop group radius

Logs all network related services requests, such as PPP in stop-start RADIUS format.

tacacs-server host IP-address key secret-key

Specifies AAA server. Specifies encryption key; must be the same in AAA server.

radius-server host IP-address auth-port 1645 acct-port 1646 key secret-keys

Specifies RADIUS AAA server IP address by using default UDP Port 1645 for authentication and authorization and UDP Port 1646 for accounting.


A.4 CiscoSecure for UNIX Configuration Listings

This section provides the following listings:

A.4.1 CSU.cfg Listing

A.4.2 CSConfig.ini Listing

A.4.4 listener.ora Listing

A.4.3 Oracle User Environment Variable

For a complete description of AAA server files, go to:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx

A.4.1 CSU.cfg Listing

# cd /opt/ciscosecure/config
# ls
CSConfig.ini  CSU.cfg       CSU.cfg.sav
# cat CSU.cfg
LIST config_license_key = {"a73dc113d300a5ba3459"};
STRING config_update_log_filename = "/opt/ciscosecure/logfiles/passwd_chg.log";
/* store accounting records here when database fails */
/* default = /var/log/CSAccountingLog */
STRING config_acct_filename = "/var/log/CSAccountingLog";
 
/* AAA Server Metrics */
/* default = 0 (disable) */
NUMBER config_metrics_enable = 0; /* 1 to enable, 0 to disable */
/* default = 8 seconds */
NUMBER config_metrics_log_interval = 8; /* in seconds */
 
/* Callerid as Username */
/* default = 1 (enable) */
NUMBER config_callerid_enable = 1; /* 1 to enable, 0 to disable */
 
/* Use default user profile when user/callerid can't be found */
/* default = 1 (enable) */
NUMBER config_defaultuser_enable = 1; /* 1 to enable, 0 to disable */
 
/* AAA Server MaxSessions Configuration */
/* default = 0 (disable) */
NUMBER config_maxsessions_enable = 0; /* 1 to enable, 0 to disable */
/* default = 24 hours */
NUMBER config_maxsessions_session_timeout = 1440; /* in minutes */
/* default = 60 minutes */
NUMBER config_maxsessions_purge_interval = 60;  /* in minutes */
 
/* AAA Server Distributed MaxSessions Configuration */
/* default = 0 (disable) */
NUMBER config_distmaxsessions_enable = 0; /* 1 to enable, 0 to disable */
/* default = 0 (disabled) */
NUMBER config_dms_periodic_stats_interval = 0;   /* 0 to disable, otherwise inte
rval in seconds */
 
/* Cryptocard challenge lookahead */
/* default = 0, which is same as 1, do only 1 challenge, don't look ahead */
/* the maximum number of challenge look ahead is 20 */
NUMBER config_cryptocard_challenge_lookahead = 0;
 
/* Group Profile Cache Timeout; 0 == no timeout */
/* default = 5 seconds */
NUMBER config_cache_group_timeout = 5;  /* in seconds */
 
/* Per-user accounting function */
/* default = 1 (enable) */
NUMBER config_acct_fn_enable = 1;  /* 1 to enable, 0 to disable */
 
/*  Extended Radius support */
NUMBER config_hex_string_support_enable = 0; /* 1 to enable, 0 to disable */
 
STRING config_server_ip_address = "172.23.25.41";
NUMBER config_token_cache_absolute_timeout = 86400;
NUMBER config_system_logging_level = 0x80;
NUMBER config_logging_configuration = 0xffffffff;
NUMBER config_warning_period = 20;
NUMBER config_expiry_period = 60;
NUMBER config_local_timezone = -8;            /* set this for your timezone */
NUMBER config_use_host_timezone = 0;          /* set value to 1 to always use system time 
*/
NUMBER config_record_write_frequency = 5;     /* update frequency in seconds */
NUMBER config_max_failed_authentication = 10; /* nmbr of authen fails accepted *
/
                                              /*   before account is disabled. *
/
 
NAS config_nas_config = {
  {
    "",                        /* NAS name can go here */
    "ciscorules",               /* NAS/CiscoSecure secret key */
    "",                        /* message_catalogue_filename */
    1,                         /* username retries */
    2,                         /* password retries */
    1                          /* trusted NAS for SENDPASS */
  }
};
 
AUTHEN config_external_authen_symbols = {
  {
    "./libskey.so",
    "skey"
  }
        ,
  {
    "./libpap.so",
    "pap"
  }
        ,
  {
    "./libchap.so",
    "chap"
  }
        ,
  {
    "./libarap.so",
    "arap"
  }
};
 
AUTHOR config_external_author_symbols = {
  {
    "./libargs.so",
    "process_input_arguments",
    "process_input_arguments_ok",
    "process_input_arguments_fail",
    "process_output_arguments",
    "process_output_arguments_ok",
    "process_output_arguments_fail"
  }
};
 
/*
 * Sample of pre/post process configuration.
 *
AUTHOR config_external_author_symbols = {
  {
    "./libcustomerprovided.so",
    "customer_function"
  }
};
 *
 * end sample
 */
 
ACCT config_external_acct_symbols = {
  {
    "./libacctmember.so",
    "acct_member_fn"
  }
};
 
ADMIN config_external_admin_symbols = {
        "./libadmin.so"
};
 
 
DB config_external_database_symbols = {
  {
        "./libdb.so",
        "",
        ""
  }
};
 
PARSER config_external_parser_symbols = {
        "./libt+.so"
};
 
EVENT config_external_event_symbols = {
  {
        "./libdb.so",
        "",
        ""
  }
};
 
DMS config_external_dms_symbols = {
        "./libCiscoDMS.so"
};
#
#

A.4.2 CSConfig.ini Listing

#
#cat CSConfig.ini
############################################################
#
# $Archive: $
#
# (C) Copyright 1996 Cisco Systems. All rights reserved.
#
# This is CiscoSecure DBServer main initialization file.
#
# $Log: $
#
# $NoKeyWords: $
#
############################################################
;<--------------------- Ruler Line -------------------------------------------->
;        1         2         3         4         5         6         7         8
;2345678901234567890123456789012345678901234567890123456789012345678901234567890
;
;-------------------------------------------------------------------------------
[System]
; Location where the system is installed
RootDir=/opt/ciscosecure
 
; Location of the default profile (default= $RootDir/config/DefaultProfile)
DefaultProfile=/opt/ciscosecure/config/DefaultProfile
 
;-------------------------------------------------------------------------------
[System Error]
SysErrorFileDir = /opt/ciscosecure/logfiles
; DBServer gets the default path for System error handler here
; if it was not specified at command line with option
; [-LOGPATH path] when starting the DBServer deamon.
; DBServer must have sufficient access privilege to create this
: path and the log file if it does not already exist.
 
; log levels are 1 thru 10 where Minor=1, Moderate=5, Severe=8, Catastrophic=10
; (note: Catastrophic errors will shutdown the daemon)
MinLogLevel = 8
 
;-------------------------------------------------------------------------------
[SessionMgr]
; Session Manager configurables, purge interval is in minutes
MaxSessions=1000
PurgeInterval=60
 
;-------------------------------------------------------------------------------
[AccountingMgr]
 
;If this parameter=enable then log acct packets into cs_accounting_log database
table
LogRawAccountingPacketToDB = enable
 
;If we are logging accounting records then this parameter decides whether to buffer the 
records
; in memory and then save them to the database using a background process. Enabl
ing this will
; increase burst authentication performance.
;If enabled the DBServer will create enough buffers to match the value of 2 less
 than
; the number of database connections available.
; NOTE: There is a risk of losing  records that are in memory in the event of the 
DBServer going
;       down ungracefully.
BufferAccountingPackets = enable
 
;This parameter decides the size of each accounting packet buffer. Legal values
are from 5 to 1000
AccountingBufferSize = 500
 
; if parameter=enable then dbserver will process user max session info and save
in memory,
; if disabled then ArchiveMaxSessionInfoToDB will also be disabled.
ProcessInMemoryMaxSessionInfo = enable
 
; If this parameter=enable then log user max session info into cs_user_accounting 
database table
; Note that if the BufferAccountingPackets parameter is enabled AND 
ProcessInMemoryMaxSessionInfo
; is enabled then max session info records will be buffered as well.
ArchiveMaxSessionInfoToDB = enable
 
; This is how often (in minutes) the system checks for accounting sessions to
;  purge.
; NOTE: The purge interval is actually dependant upon a system background task
;       that is not guaranteed to run more frequently than 60 minutes. This
;       value is therefore not accurate to the minute and should not be set to
;       less than 60.
AcctPurgeInterval=60
 
; This is how long (in minutes) a session can be considered
;  active before it is purged.
; NOTE: This value is dependent on the AcctPurgeInterval setting and is not
;       accurate to the minute. It is not intended to be set to less than 60.
AcctPurgeTimeOut=1440
 
;-------------------------------------------------------------------------------
[DBServer]
DBServerName = CSdbServer
Protocol=TCP
MaxPacketSize = 4096
 
; Each DBServer process should have it's own unique name.
; Do not put the hostname here in case more than one instance
; of the DBServer is running on the same machine
 
;The following is for internal use only by the DBServer
;Date format expected from the client application such as the GUI,
;to be used for parsing date/time string. The dbserver will reject
;inputs that contains other date/time format. This format will also
;be used to return date/time strings.
;Examples, "d MMM yyyy" => "12 Feb 1997", "EEE MMM d hh:mm:ss z yyyy" => "Tue Ap
r 1 09:26:55 PST 1997"
DateFormat = "d MMM yyyy"
DateTimeFormat = "EEE MMM d hh:mm:ss z yyyy"
 
;-------------------------------------------------------------------------------
[ValidClients]
100 = sleddog
; Add list of trusted clients above ^^^^ in the format:
;     ClientID = Client's Host Name
;     CGI stub's clientID=100, and it's host name
;      For example 100 = localhost or  100 = 192.92.182.2
;                                      101 = 192.92.190.5
;
;if ValidateClients=true, then we only allow the clients with ids listed
;above to connect to the dbserver
ValidateClients = false
;if FastAdminValidateClients = true, then we only allow the clients with ids
;listed below to connect to the FastAdmin
FastAdminValidateClients = false
 
;-------------------------------------------------------------------------------
[Protocol TCP]
HostName = sleddog
Port = 9900
; Name of host server
 
; Daemon port number
;Port=5001
 
;-------------------------------------------------------------------------------
[Workers Pool]
; Maximum numbers of connection workers in pool, beyond which
; newly added workers will be ignored (or deleted).
MaxInPool=50
 
;-------------------------------------------------------------------------------
[Database]
DataSource = ORACLE
DriverType = JDBC-Weblogic-Oracle
; Specify the rdbms installed and the driver type
; (ODBC or JDBC) that interfaces with the rdbms.
; Driver=ODBC or Driver=JDBC, then go to the [ODBC]
; or [JDBC] section to fill in the URL info.
 
# Oracle with ODBC
;DataSource = ORACLE
;DriverType = ODBC-Visigenic-Oracle
 
# Oracle with JDBC
;DataSource = ORACLE
;DriverType = JDBC-Weblogic-Oracle
 
# SQLAnywhere with ODBC
;DataSource = SQLAnywhere
;DriverType = ODBC-SQLAnywhere
 
# Sybase with ODBC
;DataSource = SYBASE
;DriverType = ODBC-Visigenic-Sybase
 
# Sybase with JDBC
;DataSource = SYBASE
;DriverType = JDBC-Weblogic-Sybase
 
# Test with some other DB that we did not qualify
;DataSource = OtherDB
;DriverType = ODBC-Visigenic
 
# names of data dictionary
ProfileAttr = cs_profile_attr_dict
ProfileCol = cs_profile_col_dict
UserAcct = cs_user_account_attr_dict
 
;-------------------------------------------------------------------------------
[SQLAnywhere]
;this is the bundle database
ConnectionLicense = 12
Username = DBA
Password = SQL
 
;-------------------------------------------------------------------------------
[OtherDB]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense = 1
Username = csecure
Password = csecure
 
;-------------------------------------------------------------------------------
[ORACLE]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense=4
Username = csecure
Password = csecure
 
;-------------------------------------------------------------------------------
[SYBASE]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense = 8
Username = csecure
Password = csecure
 
;-------------------------------------------------------------------------------
[ODBC-SQLAnywhere]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:SQLAnywhere;ENG=csecure;DBF=<database_file>;Start="dbeng50 -u
d"
;Property below is required for internal use only: connection usage property
PrepareStatement = 0
 
;-------------------------------------------------------------------------------
[ODBC-Visigenic-Oracle]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:Oracle
;Property below is required for internal use only: connection usage property
PrepareStatement = 1
 
;-------------------------------------------------------------------------------
[ODBC-Visigenic-Sybase]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:SybaseDBLib
;Property below is required for internal use only: connection usage property
PrepareStatement = 1
 
;-------------------------------------------------------------------------------
[JDBC-Weblogic-Oracle]
;JDBC driver information
Manager=cisco.ciscosecure.dbserver.jdbc.WeblogicOciDriverManager
Driver=jdbc:weblogic:oracle:ciscosj
;Property below is required for internal use only: connection usage property
PrepareStatement = 1
 
;-------------------------------------------------------------------------------
[JDBC-Weblogic-Sybase]
;JDBC driver information
Manager=cisco.ciscosecure.dbserver.jdbc.WeblogicDBLibDriverManager
Driver=jdbc:weblogic:sybase
;Property below is required for internal use only: connection usage property
PrepareStatement = 1
 
;-------------------------------------------------------------------------------
[ProfileCaching]
EnableProfileCaching = OFF
;Polling period in minutes for cs_trans_log table
; Interval in seconds can be specified by fraction.
; For example, '5/60' denotes 5 seconds and '1 1/2' denotes 90 seconds.
; Setting to 0 disbles polling.
DBPollInterval = 30
;-------------------------------------------------------------------------------

A.4.3 Oracle User Environment Variable

#su - oracle
Sun Microsystems Inc.   SunOS 5.5.1     Generic May 1996
$env
HOME=/export/home/oracle
HZ=100
LD_LIBRARY_PATH=/opt/oracle/product/7.3.4/lib:/usr/openwin/lib:/usr/dt/lib:/usr/
lib
LOGNAME=oracle
ORACLE_DOC=/doc
ORACLE_HOME=/opt/oracle/product/7.3.4
ORACLE_SID=ciscosj
ORACLE_TERM=xsun5
ORAENV_ASK=NO
PATH=/usr/bin::/opt/oracle/product/7.3.4:/opt/oracle/product/7.3.4/bin:/usr/ccs/
bin:
SHELL=/bin/sh
TERM=ansi
TMPDIR=/var/tmp
TNS_ADMIN=/opt/oracle/product/7.3.4/network/admin
TZ=GMT-8

A.4.4 listener.ora Listing

$cd $ORACLE_HOME/
$ls
bin       jdbc      nlsrtl3   orainst   precomp   sqlplus
book22    lib       ocommon   otrace    rdbms     svrmgr
dbs       network   oracore3  plsql     slax
$cd network/admin
$ls
csmgen.tcl    listener.ora  tcl7.4        tnsnames.ora
csmman.man    sqlnet.fdf    tk4.0
$cat listener.ora
#
# Installation Generated Net V2 Configuration
# Version Date: Sep-16-97
# Filename: Listener.ora
#
LISTENER =
  (ADDRESS_LIST =
        (ADDRESS= (PROTOCOL= IPC)(KEY= ciscosj))
        (ADDRESS= (PROTOCOL= IPC)(KEY= PNPKEY))
        (ADDRESS= (PROTOCOL= TCP)(Host= sleddog)(Port= 1521))
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME= sleddog.)
      (ORACLE_HOME= /opt/oracle/product/7.3.4)
      (SID_NAME = ciscosj)
    )
  )
STARTUP_WAIT_TIME_LISTENER = 0
CONNECT_TIMEOUT_LISTENER = 10
TRACE_LEVEL_LISTENER = OFF
$ls
csmgen.tcl    listener.ora  tcl7.4        tnsnames.ora
csmman.man    sqlnet.fdf    tk4.0
$cat tnsnames.ora
#
# Installation Generated NetV2 Configuration
# Version Date: Sep-30-97
# Filename: Tnsnames.ora
#
ciscosj =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL= TCP)(Host= sleddog)(Port= 1521))
    (CONNECT_DATA = (SID = ciscosj))
  )

A.5 CiscoSecure Log Files

$CSUBASE/logfiles/cs_install.log
$CSUBASE/logfiles/cs_shutdown.log
$CSUBASE/logfiles/cs_startup.log
$CSUBASE/logfiles/csdblog_<date>
$CSUBASE/logfiles/passwd_chg.log
$CSUBASE/ns-home/CSUServer/logs/access
$CSUBASE/ns-home/CSUServer/logs/errors
$CSUBASE/ns-home/admserver/errors
$CSUBASE/ns-home/admserver/access
$CSUBASE/ns-home-httpd-csuserver/logs