Configuration Guide for Cisco Secure ACS 4.2
Configuring RDBMS Synchronization and Running RDBMS Sync Remotely
Downloads: This chapterpdf (PDF - 299.0KB) The complete bookPDF (PDF - 4.32MB) | Feedback

Using RDBMS Synchronization to Create dACLs and Specify Network Configuration

Table Of Contents

Using RDBMS Synchronization to Create dACLs and Specify Network Configuration

New RDBMS Synchronization Features in ACS Release 4.2

Using RDBMS Synchronization to Configure dACLs

Step 1: Enable dACLs

Step 2: Create a Text File to Define the dACLs

Step 3: Code an accountActions File to Create the dACL and Associate a User or Group with the dACL

Sample accountActions CSV File

Step 4: Configure RDBMS Synchronization to Use a Local CSV File

Step 5: Perform RDBMS Synchronization

Running RDBMS Synchronization from the ACS GUI

Running CSDBSync Manually to Create the dACLs

Performing RDBM Synchronization Using a Script

Step 6: View the dACLs

Error Messages

Reading, Updating, and Deleting dACLs

Updating or Deleting dACL Associations with Users or Groups

Using RDBMS Synchronization to Specify Network Configuration

Creating, Reading, Updating and Deleting AAA clients


Using RDBMS Synchronization to Create dACLs and Specify Network Configuration


This chapter describes how to configure ACS 4.2 to enable new RDBMS Synchronization features introduced with ACS 4.2.

For detailed information on RDBMS Synchronization, see "RDBMS Synchronization" in Chapter 8 of the User Guide for Cisco Secure ACS, 4.2, "System Configuration: Advanced."

For detailed information on the accountActions codes to use with RDBMS Synchronization, see Appendix E of the User Guide for Cisco Secure ACS, 4.2, "RDBMS Synchronization Import Definitions."

This chapter contains:

New RDBMS Synchronization Features in ACS Release 4.2

Using RDBMS Synchronization to Configure dACLs

Reading, Updating, and Deleting dACLs

Updating or Deleting dACL Associations with Users or Groups

Using RDBMS Synchronization to Specify Network Configuration

New RDBMS Synchronization Features in ACS Release 4.2

ACS 4.2 provides enhanced support for RDBMS Synchronization:

Configuration of Downloadable ACLs (dACLs) for Specified Users and Groups—You can specify dACLs by entering permit ip and deny ip commands in a comma-separated value (CSV) accountActions file. By using new account action codes that you include in the accountActions file, you can create a dACL that contains the commands that the text file specifies.

On ACS for Windows, you can perform dACL configuration from the RDBMS Synchronization page in the ACS GUI or by running the CSDBSync command.

On the ACS SE, you can perform dACL configuration from the RDBMS Synchronization page in the ACS SE GUI; or, connect to the ACS SE by using an SSH client and then running the csdbsync -syncnow command from the SSH shell.

Support for Creation, Reading, Updating, and Deleting of Single or Multiple AAA Clients Through RDBMS Synchronization—With the capability to read AAA client data, you can export the AAA client list for a particular NDG, an AAA client list with a specified IP range, or the list of all AAA clients.

Remote Invocation of the CSDBSync Service on the ACS Solution Engine—With ACS 4.2, you can run the CSDBSync service on a remote ACS SE, over an SSH connection.

Using RDBMS Synchronization to Configure dACLs

With ACS 4.2, you can use RDBMS Synchronization to set up downloadable dACLs and associate dACLs with specified Users or Groups.

To configure dACLs by using RDBMS Synchronization:


Step 1 Enable RDBMS Synchronization and dACLs.

Step 2 Create a text file to define the dACLs.

Step 3 Code an accountActions CSV file to create the dACL, and associate a User or Group with the dACL.

Step 4 Configure RDBMS Synchronization to use a local CSV file.

Step 5 Perform RDBMS Synchronization in one of two ways:

From the ACS GUI.

By running the csdbsync -syncnow command from the Windows command shell or in an SSH connection with a remote ACS SE.

Step 6 View the dACL.


Step 1: Enable dACLs

To enable dACLs:


Step 1 In the Navigation Bar, click Interface Configuration.

Step 2 Click Advanced Options.

The Advanced Options page opens.

Step 3 Check the User-Level Downloadable ACLs check box.

Step 4 Check the Group-Level Downloadable ACLs check box.

This enables assigning a dACL to a Group Name.

Step 5 Check the RDBMS Synchronization check box.

Step 6 Click Submit.


Step 2: Create a Text File to Define the dACLs

To create a text file to define dACLs:


Step 1 Use a text editor of your choice to create a text file; for example Notepad.

Example 4-1 shows a sample text file.

Example 4-1 Sample Text File for Creating a dACL

[DACL#1]
Name = DACL_For_Troy
Description = Test_DACL_For_ACS_42
Content#1= content1
Definition#1#1= permit ip any host 192.168.1.152   
Definition#1#2= permit ip any host 192.168.5.152
Definition#1#3= permit ip any host 192.168.29.33   
Definition#1#4= permit ip any host 192.168.29.34
Definition#1#5= permit ip any host 192.168.9.50   
Definition#1#6= permit ip any host 192.168.9.20
Definition#1#7= permit ip any host 192.168.7.20   
Definition#1#8= permit ip any host 192.168.128.1
Definition#1#9= permit ip any 192.168.24.0 0.0.0.255   
Definition#1#10= permit ip any 192.168.0 0.0.0.255
Definition#1#11= permit ip any 192.0.0.0 0.255.255.255   
Definition#1#12= deny ip any 192.168.0.0 0.3.255.255
Definition#1#13= deny ip any 192.168.0.0 0.1.255.255   
Definition#1#14= permit ip any any
 
   

Step 2 Code the information in the file as described in Table 4-1.

Table 4-1 Keywords for Creating a dACL By Coding a Text File

Keyword
Value

dACL number

The first line of the text file must specify the dACL number, enclosed in square brackets; for example, [DACL#n], where n is the number of the dACL. In Example 4-1, the first line specifies DACL#1, because the file specifies only one dACL.

Name

Specifies the name of the dACL that is created when you run CSDBSync.

Description

Specifies a short description of the dACL.

Content

Specifies the number of a content block that consists of definitions for access privileges associated with the dACL. This keyword has the format Content#n, where n specifies the number of the content block. The file shown in Example 4-1 has only one content block.

Definition keywords

Specify a series of permit IP or deny ip commands that ACS applies to Users or Groups to which you associate the dACL. Each Definition keyword has the format Definition #n#n1, where n is the number of the content block of definition keywords and n1 is the number of each definition.


Step 3 Save the file:

ACS for Windows—Save the file to a directory on the Windows machine that is running ACS.

ACS SE—Save the file to a directory on an FTP server used with the ACS SE.


Step 3: Code an accountActions File to Create the dACL and Associate a User or Group with the dACL

To create a an AccountActions CSV file to create a dACL and assign it to a User or Group:


Step 1 Create a text file by using a text editor of your choice; for example, Notepad.

Step 2 Code a statement to create a User or Group. For example, to create a User named Troy, who belongs to a Group named Group, and has an initial password of ipassword, code the following statement:

1,1,Troy,Group 5,100,ipassword,7/8/2008 15:00,0,,,0
 
   

Step 3 Code a statement to create a dACL. For example, to create a dACL called DACL_for_Troy that is specified in a text file called dACL_create.txt, code the following statement:

2,1,,,385,C:\dACL_folder\dACL_create.txt,7/8/2008 15:00,0,,,0
 
   

Action code 385 creates a dACL. The value directly after the action code specifies the directory path and filename of the text file that specifies the dACL. In the sample code shown in Example 4-1 and Example 4-2, this is the dACL_create.txt file.

The value after the directory path and filename must specify a timestamp for the file; for example, 7/8/2008 15:00.

Step 4 Code a statement to associate the dACL with a specified User. For example, to associate the dACL DACL_for_Troy with the User Troy, code:

3,1,Troy,,380,DACL_For_Troy,7/8/2008 15:00,0,,,0
 
   

The third value in this statement specifies the User (Troy) to associate the dACL with. Action code 380 associates dACL with the User, and the value immediately after the action code specifies the dACL name (dACL_for_Troy).

The value after the dACL name must specify a timestamp for the action; for example, 7/8/2008 15:00.

Step 5 Save the file:

ACS for Windows—Save the file to a directory on the Windows machine that is running ACS.

ACS SE—Save the file to a directory on an FTP server used with the ACS SE.


Sample accountActions CSV File

Example 4-2 shows a sample accountActions CSV file.


Note The default filename for the CSV is accountactions.csv. However, you can rename it.


Example 4-2 Sample accountActions CSV File

SequenceId,Priority,UserName,GroupName,Action,ValueName,DateTime,MessageNo,ComputerNames,A
ppId,Status
1,1,Troy,Group 5,100,ipassword,7/8/2008 15:00,0,,,0
2,1,,,385,C:\dACL_folder\dACL_create.txt,7/8/2008 15:00,0,,,0
3,1,Troy,,380,DACL_For_Troy,7/8/2008 15:00,0,,,0
 
   

Table 4-2 describes the accountActions codes used in Example 4-2 to add a User, create a dACL, and associate the dACL with a specified User or Group.

Table 4-2 Account Action Codes to Create dACLs and Assign Them to Specified Users or Groups

Action Code
Name
Required
Description

100

ADD_USER

UN|GN, V1

Creates a User (32 characters maximum). The variable V1 is used as the initial password. Optionally, you can assign the User to a Group.

385

CREATE_DACL

VN

Use this action code to create a dACL.

VN = <input_file_name>

where input_file_name is a text file that contains definitions for dACLs.

On ACS for Windows, this file resides in a directory on the Windows machine that is running ACS.

On the ACS SE, this file resides on an FTP server used with the ACS SE.

You can specify the absolute file path; for example: C:\DACL\create_DACL_for_User_1.txt for ACS for Windows.

The dACL definition is ignored if it is already present, or contains an invalid definition, content name, content definition, or NAF name.

380

CREATE_USER_DACL

UN|GN, VN

This action code associates a specified dACL with a User or Group. The dACL name specified should be valid and present in ACS. The codes are:

UN = valid Username

GN = Valid Group name (optional)

VN = dACL name. (This dACL must be defined in Shared Profile Components).


Step 4: Configure RDBMS Synchronization to Use a Local CSV File

To configure RDBMS Synchronization to use a local CSV file:


Step 1 In the navigation bar, click System Configuration.

Step 2 Click RDBMS Synchronization.


Note If this feature does not appear, choose Interface Configuration > Advanced Options, then check the RDBMS Synchronization check box.


The RDBMS Synchronization Setup page appears.

Step 3 If you are using ACS for Windows, complete these steps:

a. Complete the required fields on the RDBMS Synchronization Setup page (Figure 4-1).

Figure 4-1 RDBMS Synchronization Setup Page (ACS for Windows)

b. Check the Use local CSV file check box.

c. In the AccountActions file field, enter the filename of the accountActions CSV file that you created in Step 3: Code an accountActions File to Create the dACL and Associate a User or Group with the dACL.

d. In the Directory field, enter the directory path to the accountActions CSV file.

ACS has the information with which to access the accountActions table.

Step 4 If you are using ACS SE:

a. Complete the required fields on the RDBMS Synchronization Setup page (Figure 4-2).

Figure 4-2 RDBMS Synchronization Setup Page (ACS SE)

b. Enter the following information:

Actions File— The name of the accountActions file. The default name is accountactions.csv. The filename provided must match the name of the accountActions file on the FTP server.

FTP Server—The IP address or hostname of the FTP server from which ACS obtains the accountActions file. If you specify a hostname, DNS must be enabled on your network.

Directory—The relative path from the FTP server root directory to the directory where the accountActions file resides. To specify the FTP root directory, enter a single dot (.).

Username—A valid username to enable ACS to access the FTP server.

Password—The password for the username provided in the Login box.

The ACS SE has the information necessary to get the accountActions file from the FTP server.

Step 5 (ACS for Windows and ACS SE) Set the Synchronization Scheduling and Synchronization Partners options as required.

Figure 4-3 shows the Synchronization Scheduling and Synchronization Partners sections of the RDBMS Synchronization Setup page.

Figure 4-3 Synchronization Scheduling and Synchronization Partners Options

Step 6 Specify the following Synchronization Scheduling information:

Manually—If you want to disable automatic RDBMS Synchronization, check the Manually check box.

Every X minutes—ACS performs synchronization on a set frequency. The unit of measurement is minutes, with a default update frequency of 60 minutes.

At specific times—ACS performs synchronization at the time that is specified in the day and hour graph. The minimum interval is one hour, and the synchronization occurs on the hour that you chose.

Step 7 For each ACS that you want this ACS to update with data from the accountActions table, click the ACS in the AAA Servers list, and then click the right arrow button (-->) on the interface.

The ACS that you chose appears in the Synchronize list.

Step 8 To remove ACSs from the Synchronize list, click the ACS in the Synchronize list, and then click the left arrow button (<--).

The ACS that you chose is removed from the Synchronize list.

Step 9 At the bottom of the browser window, click Synchronize Now.

ACS immediately begins a synchronization event. To check the status of the synchronization, view the RDBMS Synchronization report in Reports and Activity.


Step 5: Perform RDBMS Synchronization

You can perform the RDBMS Synchronization and create the dACLs in two ways. By running:

RDBMS Synchronization from the ACS GUI.

CSDBSync manually to create the dACLs.

Running RDBMS Synchronization from the ACS GUI

When you click Synchronize Now on the RDBMS Synchronization page for ACS for Windows or for the ACS SE, ACS begins a synchronization event and creates the dACLs specified in the accountActions CSV file.

Running CSDBSync Manually to Create the dACLs

You can run CSDBSync manually to create the dACLs.

ACS for Windows

In Windows, use the command line interface to invoke the csdbsync -run command.

The CSDBSync service reads each statement from the accountActions CSV file and updates the ACS internal database as the action codes in the file specify. In a distributed environment, a single ACS, known as the senior synchronization partner, accesses the accountActions table and sends synchronization commands to its synchronization partners.


Step 1 Open a command prompt window.

Step 2 Enter the following commands:

a. To stop the CSDBSync service, enter net stop csdbsync.

b. Enter net start csdbsync.

c. Enter one of the following commands:

csdbsync -run

csdbsync -syncnow

ACS fetches the CSV file from the database, reads the action codes in the file, and performs the RDBMS Synchronization operations that the file specifies.


ACS SE

On the ACS SE, you can run the csdbsync -syncnow command to invoke RDBMS Synchronization

To run CSDBSync manually on the ACS SE:


Step 1 Check connectivity between the ACS SE and the FTP server, and be certain that you have write permissions to the FTP server directory.

Step 2 Start a SSH command shell.

Step 3 Enter the following commands:

a. To stop the CSDBSync service, enter net stop csdbsync.

b. Enter net start csdbsync.

c. Enter one of the following commands:

csdbsync -run

csdbsync -syncnow

ACS SE fetches the CSV file from the database, reads the action codes in the file, and performs the RDBMS Synchronization operations that file specifies.


Performing RDBM Synchronization Using a Script

On the ACS SE, you can change ACS configuration from a remote system by using a command-line utility for RDBMS Synchronization that includes SSH support. You can use the mechanism that starts the SSH server to add Administrator privileges and invoke the csdbsync -syncnow command. The csdbsync -syncnow and csdbsync -run commands work the same, without stopping or starting the CSDBSync service.

You can include the commands to perform these actions in a script that you run remotely on a specified ACS SE.

Step 6: View the dACLs

After you have run RDBMS Synchronization to create the dACLs, view the dACLs to ensure that they are correct.

To view the dACLs:


Step 1 In the Navigation Bar, click Shared Profile Components.

Step 2 Click Downloadable IP ACLs.

The Downloadable IP ACLs page opens

In the Name column of the Downloadable IP ACLs table, you should see the dACL that was specified in the text file that you coded in Step 2: Create a Text File to Define the dACLs.

Step 3 Click the name of the dACL.

The Downloadable IP ACLs page displays the selected dACL, as shown in Figure 4-4.

Figure 4-4 Entry for the Sample dACL

In the ACL Contents column, you should see the content name specified in the Content#1 block that you coded in the text file in Step 2: Create a Text File to Define the dACLs.

Step 4 Click the content name.

The Downloadable IP ACL Content page appears. The Content Name and ACL Definitions appear on the page, as shown in Figure 4-5.

Figure 4-5 Downloadable IP ACL Content Page

Step 5 If the dACL was not created correctly, review the steps in Using RDBMS Synchronization to Configure dACLs and check for errors.

For a list of error messages, see Error Messages.


Error Messages

Table 4-3 lists the error messages associated with dACL creation using CSDBSync.

.

Table 4-3 dACL Creation Errors 

Error Message
Explanation

Failed to process DACL. DACL not defined.

Possible Cause    The dACL was not specified correctly in the text file used to define the dACLs.

Recommended Action    Review the text file that you coded to specify the dACLs and ensure that the syntax is correct.

Failed to process DACL. Could not find NAF.

Possible Cause    The text file provided to define the dACL did not correctly define a NAF.

Recommended Action    Review the text file that you coded to specify the dACLs and ensure that the syntax is correct.

Failed to process DACL. Failed to get UserID.

Possible Cause    On the ACS SE, the user ID specified for the FTP server in the RDBMS Synchronization configuration was incorrect.

Recommended Action    Check to ensure that the specified user ID exists on the FTP server used with the ACS SE.

Failed to process DACL. DACL content not found.

Possible Cause    The text file used to specify the dACL did not correctly specify the dACL content.

Recommended Action    Check the syntax in the text file and ensure that it is correct. Ensure that the ACLs defined in the file are correct.

Failed to upload file into FTP server.

Possible Cause    The FTP server was not reachable, or a network error occurred.

Recommended Action    Ensure that the IP address for the FTP server in the RDBMS configuration is correct and that the network is functioning correctly.

Failed to import DACL file.

Possible Cause    The user ID specified in the RDBMS Synchronization configuration does not have write access to the ACS.

Recommended Action    Ensure that the specified user has write access to the ACS.

Failed to access Host DB.

Possible Cause    The CSDBSync service could not access the database on the host ACS.

Recommended Action    Ensure that the database on the ACS is configured correctly and enabled correctly in the ACS GUI.


Reading, Updating, and Deleting dACLs

Table 4-4 lists the account action codes that you can use to read, update, or delete a dACL.

.

Table 4-4 Account Action Codes for Creating, Reading, Updating, or Deleting dACLs

Action Code
Name
Required
Description

386

READ_DACL

VN, V1 (optional)

Use this action code to read dACL attributes and save them in a file for later use.

VN = contains dACL name or * for all dACLs.

V1 = <output_file_name>

where output_file_name contains the exported dACLs definition.

On the ACS SE, output_file_name specifies the file in the FTP server for the ACS SE. If not is specified the default filename DumpDACL.txt is used.

On ACS for Windows, you can specify the absolute file path; for example, C:\temp\DACL.txt for ACS for Windows. If you do not specify the file path and filename, ACS writes the data to a file in the ACS\bin directory.

387

UPDATE_DACL

VN, V1(optional)

Use this action code to update dACL attributes.

VN = <input_file_name>

where input_file_name specifies the file that contains the definition for the dACL to be updated.

On the ACS SE platform, input_file_name specifies the file name present in the FTP server for ACS SE.

You can specify the absolute file path; for example: C:\DACL\dump.txt for ACS for Windows.

V1=DACL_REPLACE or DACL_APPEND

The default option is:

DACL_REPLACE

The DACL_REPLACE option replaces the existing dACL with the new one.

DACL_APPEND appends the new dACL content and its definition to the existing dACL.

If the dACL has not been defined, the new dACL is added to the existing list.

The dACL definition is ignored if it contains an invalid definition, content name, content definition or NAF name.

388

DELETE_DACL

VN

Use this action code to delete a dACL.

VN = The name of the dACL to delete. To delete all dACLs, code an asterisk (*).

By default, all the dACLs are deleted.

Users and Groups associated with this dACL will be dereferenced after deleting the dACL.


Updating or Deleting dACL Associations with Users or Groups

Table 4-5 lists the account action codes to update the dACL or remove the association of the dACL and the User or Group.

Table 4-5 Account Action Codes to Create or Remove dACL Associations With Users and User Groups

Action Code
Name
Required
Description

381

UPDATE_USER_DACL

UN|GN, VN

This action code updates the dACL for a specified User or Group. The dACL name specified should be valid and should be present in ACS.

UN = Valid Username

GN = Valid Group name (optional)

VN = dACL name. (This dACL must be defined in Shared Profile Component)

382

DELETE_USER_DACL

UN|GN

This action code disassociates a dACL from a specified User or Group.

UN = valid Username

GN = Valid Group name (optional)


Using RDBMS Synchronization to Specify Network Configuration

You can use RDBMS Synchronization to perform network configuration tasks, such as:

Add AAA clients.

Delete AAA clients.

Set AAA client configuration details.

Add AAA servers.

Delete AAA servers.

Set AAA server configuration details.

Add and configure Proxy Distribution Table entries.


Note For specific information about all actions that RDBMS Synchronization can perform, see Appendix E, "RDBMS Synchronization Import Definition," in the User Guide for Cisco Secure ACS, 4.2.


Creating, Reading, Updating and Deleting AAA clients

The RDBMS Synchronization feature supports creation and deletion of single or multiple AAA clients. In addition, accountActions codes 224 and 225 enable reading and updating AAA client information. This section describes the various RDBMS Synchronization tasks that you can perform on single or multiple AAA clients.

Table 4-6 lists the account action codes that are used to read and update single or multiple AAA clients.

Table 4-6 Account Action Codes for Create, Read, Update, Delete for AAA Clients

Action Code
Name
Required
Description

224

UPDATE_NAS

VN, V1, V2, V3

Use this action code to update AAA clients.

VN = AAA Client Name

V1 = IP-Address

V2 = Shared Secret Key

V3 = Vendor

225

READ_NAS

VN, V1 (optional)

Use this action code to export an AAA client list to an output file that can be used to associate the list with members of a particular NDG or with all AAA clients. You can use this output file as input for CSUtil, to import NASs.

VN = <output_file_name>

where output_file_name specifies the filename for the FTP server used with the ACS SE. If nothing is specified, the default name DumpNAS.txt is used.

For the ACS for Windows platform, you can specify the absolute file path; for example: C:\MyNAS\dump.txt. If no value is specified, the AAA client lists is written to the \ACS\bin\DumpNAS.txt file.

V1 = NDG name (optional)

V1 should contain a valid NDG name.