Cisco AAA Implementation Case Study - Implementing Cisco AAA Servers [Cisco AS5800 Series Universal Gateways]

Table Of Contents

Implementing Cisco AAA Servers

3.1 Installing CiscoSecure for UNIX with Oracle

3.1.1 Creating Oracle Tablespace

3.1.2 Verifying the Oracle Database Instance

3.1.3 Installing CiscoSecure for UNIX

3.1.4 Creating and Verifying Basic User Profile

Implementing Cisco AAA Servers

This chapter describes the basic process of installing CiscoSecure for UNIX (CSU). See Chapter 1, "Cisco AAA Case Study Overview" for information regarding this case study's network requirements and environment details for this case study. Figure 3-1 illustrates the general networking environment in which this CSU is implemented.

These sections focus on the following topics:

•3.1 Installing CiscoSecure for UNIX with Oracle

•3.1.4 Creating and Verifying Basic User Profile

Figure 3-1 AAA-Based, Secure Network Access Scenario

3.1 Installing CiscoSecure for UNIX with Oracle

These processes of help you to install CiscoSecure for UNIX:

•3.1.1 Creating Oracle Tablespace

•3.1.2 Verifying the Oracle Database Instance

•3.1.3 Installing CiscoSecure for UNIX

•3.1.4 Creating and Verifying Basic User Profile

3.1.1 Creating Oracle Tablespace

You must create an Oracle tablespace with a minimum size of 200 MB. The notes listed in this section are for reference.

Note Ensure that an experienced Oracle database administrator (DBA) tunes and configures the database.

For detailed Oracle installation notes, go to the following location:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csbsdoc.htm
Example of creating a Oracle tablespace:
<CSUserver>$su - oracle
Sun Microsystems Inc.   SunOS 5.5.1     Generic May 1996
<CSUserver>$$ORACLE_HOME/bin/svrmgrl
Oracle Server Manager Release 2.3.4.0.0 - Production
Copyright (c) Oracle Corporation 1994, 1995. All rights reserved.
Oracle7 Server Release 7.3.4.0.1 - Production
With the distributed option
PL/SQL Release 2.3.4.0.0 - Production
SVRMGR>connect internal
Connected.
SVRMGR>create tablespace cstb datafile '/export/home/ORADATA/cs.dbf' size 200m;
Statement processed.
SVRMGR>create user csecure identified by csecure default tablespace cstb;
Statement processed.
SVRMGR>grant dba to csecure identified by csecure;
Statement processed.
SVRMGR>exit
Server Manager complete.
3.1.2 Verifying the Oracle Database Instance

Before you install CiscoSecure for UNIX, make sure the Oracle server is running and you have the following five pieces of information:

•The Oracle user account for CiscoSecure (csecure)

•The password for the Oracle account (csecure)

•TNS service name for the Oracle server (ciscosj)

•The location of $ORACLE_HOME (/opt/oracle/product/7.3.4)

•The number of Connections to use for ORACLE RDBMS (50)

Step 1 To verify the software directory environment variable ($ORACLE_HOME) where Oracle is installed, enter the following command. Log in to the $ORACLE_HOME as follows:
<CSUserver>$env | grep ORACLE_HOME
ORACLE_HOME=/opt/oracle/product/7.3.4 
Note This environment variable should have been configured during Oracle installation by the DBA.
Step 2 On the Oracle server, verify that SMON (a mandatory Oracle background process) is running by entering the following command:
<CSUserver>$ps -ef |grep smon
  oracle   819     1  0   Feb 26 ?        0:00 ora_smon_ciscosj
The command returns the ora_smon_<SID> process if the server is running. Notice the database instance specification of ciscosj. If the server is down, log in with the Oracle UNIX account (in this case, with username of csecure and password of csecure) and start the database by using Server Manager (svrmgrl) and Oracle listener (lsnrctl) as follows:
<CSUserver>$$ORACLE_HOME/bin/svrmgrl
SVRMGR>connect internal
SVRMGR>startup
ORACLE instance started.
Total System Global Area       4576056 bytes
Fixed Size                       39816 bytes
Variable Size                  4118448 bytes
Database Buffers                409600 bytes
Redo Buffers                      8192 bytes
Database mounted.
Database opened. 
<CSUserver>$$ORACLE_HOME/bin/lsnrctl start
LSNRCTL for Solaris:Version 2.3.4.0.0 - Production on 12-APR-00 09:40:46
Copyright (c) Oracle Corporation 1994.  All rights reserved.
Starting /opt/oracle/product/7.3.4/bin/tnslsnr:please wait...
TNSLSNR for Solaris:Version 2.3.4.0.0 - Production
System parameter file is /opt/oracle/product/7.3.4/network/admin/listener.ora
Log messages written to /opt/oracle/product/7.3.4/network/log/listener.log
Listening on:(ADDRESS=(PROTOCOL=ipc)(DEV=10)(KEY=ciscoaus))
Listening on:(ADDRESS=(PROTOCOL=ipc)(DEV=13)(KEY=PNPKEY))
Listening on:(ADDRESS=(PROTOCOL=tcp)(DEV=15)(HOST=172.22.53.204)(PORT=1521))
Connecting to (ADDRESS=(PROTOCOL=IPC)(KEY=ciscosj))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Solaris:Version 2.3.4.0.0 - Production
Start Date                12-APR-00 09:40:50
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  OFF
SNMP                      OFF
Listener Parameter File   /opt/oracle/product/7.3.4/network/admin/listener.ora
Listener Log File         /opt/oracle/product/7.3.4/network/log/listener.log
Services Summary...
  ciscoaus              has 1 service handler(s)
The command completed successfully 
Step 3 To verify that the Oracle database account information is created for CiscoSecure by the DBA, enter Security Manager using the sqlplus process:
<CSUserver>$sqlplus csecure/csecure@ciscosj
SQL>select * from user_sys_privs;
USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
CSECURE                        UNLIMITED TABLESPACE                     NO
Note Ensure that the assigned resource role/privilege for the username and password is as shown.

The command returns a table with a column listing the privileges granted to the Oracle database account. The default tablespace assigned to the Oracle database account must be at least 200MB. The size is verified by the installation script.

Step 4 To confirm tnsnames service is operating correctly, invoke the tnsping utility as follows:
<CSUserver>$$ORACLE_HOME/bin/tnsping ciscosj
TNS Ping Utility for Solaris: Version 2.3.4.0.0 - Production on 29-FEB-00 09:25:28
Copyright (c) Oracle Corporation 1995.  All rights reserved.
Attempting to contact (ADDRESS=(PROTOCOL=TCP)(Host=CSUserver)(Port=1521))
OK (80 msec)
Step 5 Ensure the number of Oracle RDBMS connections assigned to CiscoSecure is less than the PROCESSES variable defined in the initciscosj.ora file. This parameter specifies the maximum number of user processes that can simultaneously connect to an Oracle Server. If the value for PROCESSES is set to 20, then only 13 or 14 concurrent connections can be assigned to CiscoSecure. For this case study, at least four of the connections are reserved for mandatory background server processes. In addition, the PROCESSES variable is set to 50 and the number of Oracle RDBMS connections is set to 50 during the installation.

3.1.3 Installing CiscoSecure for UNIX

The general steps and output that follow apply to the installation dialog for CiscoSecure for UNIX (CSU) on a Sun Solaris workstation. Installation consists of the following steps:

1. Start the CSU installation process by invoking the pkgadd program.

2. Configure CSU logging by editing /etc/syslog.conf to enable AAA syslog function:

3. Create /var/log/csuslog file.

4. Configure the AAA server for maximum level debugging.

5. Restart the AAA server.

6. Restart the syslog daemon.

Step 1 Start the CSU installation process by invoking the pkgadd program.

The process that follows illustrates the general installation sequence. Extraneous output was omitted where noted for brevity.

Note The following installation process requires approximately 20 minutes.
<CSUserver>$pkgadd -d CiscoSecure-2.3.3.solaris
The following packages are available:
  1  CSCEacs     CiscoSecure Access Control Software
                 (sun4) 2.3(3)
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:1
Processing package instance <CSCEacs> from </opt/install/ciscosecure/CiscoSecure
-2.3.3.solaris>
CiscoSecure Access Control Software
(sun4) 2.3(3)
Copyright(c) 1996-1999 Cisco Systems, Inc.
CiscoSecure Access Control Server
Version 2.3(3)
All Rights Reserved.
Copyright (c) 1994-1999 Netscape Communications Corporation
Copyright (c) 1988-1999 Sybase, Inc.
Trade Mark WebLogic, Inc.
Notice:
By using this product, you agree to be bound by the terms of
the license supplied  with this product. If you do not agree
to these terms, promptly return the unused product, manuals,
related equipment, and  hardware (with proof of purchase) to
the place of purchase for a full refund.
To install this product, you must agree to accept the terms
of the enclosed license [accept=y,exit=n,exit=q]: y
checking patches...
************************************************************************
* Notice:                                                              *
* This installation program saves  your Database files from a previous *
* CiscoSecure install.  If you  have not installed CiscoSecure before, *
* you should answer YES  to the next question.   If you have performed *
* a 'package remove' and  are installing a new  version of CiscoSecure *
* and want to retain  your previous Database files,  you should answer *
* NO to the next question.                                             *
************************************************************************
Is this a new install (y/n/q) (default: yes, q to quit)?y
Enter the directory name in which to install CiscoSecure [?,q]/opt/ciscosecure
IP Address to use for CiscoSecure (default: 172.23.25.41) [?,q]
If the hostname of this server is not the same as its fully qualified domain
name (FQDN), enter the FQDN, e.g., www.cisco.com.  Otherwise, press enter
to use the default (default: CSUserver) [?,q]
Enter the AAA Server License key (default: <none>) [?,q]
Enter the TACACS+ NAS name to use (default: <none>) [?,q]
Enter the TACACS+ NAS Secret key (default: SECRET12345) [?,q]ciscorules
Select any or all Token Cards to use
  1  CryptoCard
  2  Secure-Computing     SafeWord
  3  SDI                  SDI Token Card
Enter selection (default: none) [?,??,q]:
Choose Database
  1  SQLAnywhere     Sybase SQL Anywhere
  2  ORACLE          Oracle Enterprise
  3  SYBASE          Sybase Enterprise
Enter selection (default: SQLAnywhere) [?,??,q]:2
Enter the username for the ORACLE DB account [?,q]csecure
Enter the password for the ORACLE DB account [?,q]csecure
Enter the TNS service name for the Oracle Server [?,q]ciscosj
Enter the ORACLE_HOME directory [?,q]/opt/oracle/product/7.3.4
Enter an available TCP/IP Port to be reserved for the CiscoSecure DB Server
process (default: 9900) [0-65535,?,q]
Enter a unique name for the CiscoSecure DB Server Process (default:
CSdbServer) [?,q]
Enter the number of Connections to use for ORACLE RDBMS (default: 4) [?,q]50
Enter the directory Path to use for the AAA server profile caching
(default: /, q to quit)?
        Modify any selections below?
        New CiscoSecure Install             YES
        CiscoSecure Directory               /opt/ciscosecure
        CiscoSecure IP Address              172.23.25.41
        CiscoSecure Web Server Name         CSUserver
        Profile Cache Directory             /
        AAA License Key                     <none>
        TACACS+ NAS Name                    <none>
        TACACS+ NAS Secret Key              SECRET12345
        Token Cards selected                none
        Data Base                           ORACLE
        DB User Account Name                csecure
        DB User Account Passwd              csecure
        Oracle TNS Name                     ciscosj
        Oracle Home                         /opt/oracle/product/7.3.4
        CiscoSecure DB Server IP Address    172.23.25.41
        CiscoSecure DB Server Port          9900
        CiscoSecure DB Server Proc Name     CSdbServer
        DB Server Connections               50
        Modify any values [y,n,q]: n
cs_install.log being written to /tmp directory
Using </opt/ciscosecure> as the package base directory.
## Processing package information.
## Processing system information.
   6 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of <CSCEacs> [y,n,?]y
Installing CiscoSecure Access Control Software as <CSCEacs>
## Executing preinstall script.
## Installing part 1 of 1.
Note Process output is omitted at this point because it is not relevant to the installation task presented in this chapter.
[ verifying class <TSERVER> ]
## Executing postinstall script.
Creating the initial database tables and views........
Loading properties from /opt/ciscosecure/config/CSConfig.ini
Finished loading properties.
Data Source = ORACLE
Driver Type = JDBC-Weblogic-Oracle   URL = jdbc:weblogic:oracle:ciscosj   username = 
csecure   password = ********
Connected to jdbc:weblogic:oracle:ciscosj
Driver       Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26)
Version      2.5.4
sql = select tablespace_name, floor(sum(bytes)/(1024*1024)) from sys.dba_free_sp
ace where tablespace_name = (select default_tablespace from sys.dba_users where
username = USER)        group by tablespace_name
Total free space in CSTB tablespace is 199 MB.
Creating /opt/ciscosecure/utils/sql.scripts/ora_init.sql%
Executing SQL statements..
Note Process output is omitted at this point because it is not relevant to the installation task presented in this chapter.
Successfully done.
Initializing RADIUS data in the database........
Loading properties from /opt/ciscosecure/config/CSConfig.ini
Finished loading properties.
Data Source = ORACLE
Driver Type = JDBC-Weblogic-Oracle   URL = jdbc:weblogic:oracle:ciscosj   username = 
csecure   password = ********
Connected to jdbc:weblogic:oracle:ciscosj
Driver       Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26)
Version      2.5.4
Radius data version: 23
Adding SERVER_LIST
Adding DICTIONARY_LIST
Adding SERVER.172.23.25.41
Adding DICTIONARY.IETF
Adding DICTIONARY.Cisco
Adding DICTIONARY.Ascend
Adding DICTIONARY.Cisco11.1
Adding DICTIONARY.Cisco11.2
Adding DICTIONARY.Cisco11.3
Adding DICTIONARY.Ascend5
No update to dictionary list
Update radius version: INSERT INTO cs_id (id, type) VALUES (?, ?)
Successfully done.
Installation is complete. However, further configuration may be necessary.
For more information on the steps necessary to finish configuration, read
the /opt/ciscosecure/DOCS/README.txt file.
Results of this install are saved in the /tmp/cs_install.log file and in
/opt/ciscosecure/logfiles/cs_install.log.
NOTE:  For AAA Server tuning, refer to 
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23rg/app_b.htm#
xtocid192003
Installation of <CSCEacs> was successful.
Step 2 Configure CSU logging by editing /etc/syslog.conf to enable AAA syslog function:

Enter the following command:
#added by rbrown@cisco.com on 02/28/00
local0.debug                    /var/log/csuslog
Note Do not use whitespace to separate the above statements in /etc/syslog.conf. Use only tabs.

Step 3 Create /var/log/csuslog file.

Enter the touch command to create the csulog file.
<CSUserver>$touch /var/log/csuslog;chmod 777 csuslog
Step 4 Configure the AAA server for maximum level debugging.

Modify /opt/ciscosecure/config/CSU.cfg as follows:
NUMBER config_logging_configuration = 0x7ffffffff
Step 5 Restart the AAA server.

Enter the following command to restart the AAA server:
<CSUserver>$/etc/rc0.d/K80CiscoSecure
Stopping CiscoSecure Processes:
 CiscoSecure AutoRestart Stopped
 Fast Track Server Stopped
 Fast Track Admin Program Stopped
 Acme Server Stopped
 AAA Server Stopped
 DBServer Stopped
<CSUserver>$/etc/rc2.d/S80CiscoSecure
Starting CiscoSecure Processes:
 Fast Track Admin Started
 FastTrack Server (Delayed Start)
 DBServer Started
 AAA Server starts in 15 Seconds:  123456789012345
 AAA Server Started
 Acme Server Started
 Cisco AutoRestart started
Step 6 Restart the syslog daemon.

Enter the follow command to restart the syslog daemon:
<CSUserver>$ps -ef |grep syslog
    root   150     1  0   Feb 26 ?        0:00 /usr/sbin/syslogd
<CSUserver>$kill -HUP 150
3.1.4 Creating and Verifying Basic User Profile

These processes help you to accomplish basic user profile creation and verification:

1. Create user csu_test.

2. Verify user csu_test.

3. Configure the router for basic authentication.

4. Log in to the router and verify user access.

5. Review the AAA server log.

Step 1 Create user csu_test.

Enter the following commands to add the user csu_test:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u csu_test -pw des,ciscorocks
Profile Successfully Added
Step 2 Verify user csu_test.

Enter the following commands to verify settings for user csu_test:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u csu_test
User Profile Information
user = csu_test{
profile_id = 18
profile_cycle = 1
password = des "********"
}
Step 3 Configure the router for basic authentication.

Log in to the router and include the following commands:
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 172.22.53.201 key ciscorules
Step 4 Log in to the router and verify user access.

Enter the user name and password:
Username:csu_test
Password:<password>
Step 5 Review the AAA server log.

Enter the tail command to assess the csulog file:

Note This CSU log fragment illustrates user csu_test being authenticated and permitted privilege level 15 access.
<CSUserver>$tail -f /var/log/csuslog
Feb 29 16:52:28 CSUserver last message repeated 20 times1
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - ACCOUNTING request (55d45ae8)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user: 
csu_test
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user: 
csu_test
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - AUTHENTICATION START request (8f414e3e)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG -
Feb 29 16:52:30 CSUserver User Access Verification
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - Username:
Feb 29 16:52:31 CSUserver CiscoSecure: WARNING - No swap files/partitions allocated
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - Password:
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - Authentication - LOGIN successful;[NAS = 
coe-ccie-35.cisco.com, Port = tty2, User = csu_test, Priv = 15]

	Cisco AAA Implementation Case Study
	Implementing Cisco AAA Servers
Cisco AAA Implementation Case Study Preface Cisco AAA Case Study Overview Implementing the Local AAA Subsystem Implementing Cisco AAA Servers Implementing the Server-Based AAA Subsystem Implementing Server-Based AAA Accounting Diagnosing and Troubleshooting AAA Operations Appendix A: AAA Device Configuration Listings Appendix B: AAA Impact on Maintenance Tasks Appendix C: Server-based AAA Verification Debug Output Index	Download this chapter Implementing Cisco AAA Servers Download the complete book Please click here to view entire publication in PDF format. (PDF - 2 MB) Table Of Contents Implementing Cisco AAA Servers 3.1 Installing CiscoSecure for UNIX with Oracle 3.1.1 Creating Oracle Tablespace 3.1.2 Verifying the Oracle Database Instance 3.1.3 Installing CiscoSecure for UNIX 3.1.4 Creating and Verifying Basic User Profile Implementing Cisco AAA Servers This chapter describes the basic process of installing CiscoSecure for UNIX (CSU). See Chapter 1, "Cisco AAA Case Study Overview" for information regarding this case study's network requirements and environment details for this case study. Figure 3-1 illustrates the general networking environment in which this CSU is implemented. These sections focus on the following topics: •3.1 Installing CiscoSecure for UNIX with Oracle •3.1.4 Creating and Verifying Basic User Profile Figure 3-1 AAA-Based, Secure Network Access Scenario 3.1 Installing CiscoSecure for UNIX with Oracle These processes of help you to install CiscoSecure for UNIX: •3.1.1 Creating Oracle Tablespace •3.1.2 Verifying the Oracle Database Instance •3.1.3 Installing CiscoSecure for UNIX •3.1.4 Creating and Verifying Basic User Profile 3.1.1 Creating Oracle Tablespace You must create an Oracle tablespace with a minimum size of 200 MB. The notes listed in this section are for reference. Note Ensure that an experienced Oracle database administrator (DBA) tunes and configures the database. For detailed Oracle installation notes, go to the following location: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csbsdoc.htm Example of creating a Oracle tablespace: <CSUserver>$su - oracle Sun Microsystems Inc. SunOS 5.5.1 Generic May 1996 <CSUserver>$$ORACLE_HOME/bin/svrmgrl Oracle Server Manager Release 2.3.4.0.0 - Production Copyright (c) Oracle Corporation 1994, 1995. All rights reserved. Oracle7 Server Release 7.3.4.0.1 - Production With the distributed option PL/SQL Release 2.3.4.0.0 - Production SVRMGR>connect internal Connected. SVRMGR>create tablespace cstb datafile '/export/home/ORADATA/cs.dbf' size 200m; Statement processed. SVRMGR>create user csecure identified by csecure default tablespace cstb; Statement processed. SVRMGR>grant dba to csecure identified by csecure; Statement processed. SVRMGR>exit Server Manager complete. 3.1.2 Verifying the Oracle Database Instance Before you install CiscoSecure for UNIX, make sure the Oracle server is running and you have the following five pieces of information: •The Oracle user account for CiscoSecure (csecure) •The password for the Oracle account (csecure) •TNS service name for the Oracle server (ciscosj) •The location of $ORACLE_HOME (/opt/oracle/product/7.3.4) •The number of Connections to use for ORACLE RDBMS (50) Step 1 To verify the software directory environment variable ($ORACLE_HOME) where Oracle is installed, enter the following command. Log in to the $ORACLE_HOME as follows: <CSUserver>$env \| grep ORACLE_HOME ORACLE_HOME=/opt/oracle/product/7.3.4 Note This environment variable should have been configured during Oracle installation by the DBA. Step 2 On the Oracle server, verify that SMON (a mandatory Oracle background process) is running by entering the following command: <CSUserver>$ps -ef \|grep smon oracle 819 1 0 Feb 26 ? 0:00 ora_smon_ciscosj The command returns the ora_smon_<SID> process if the server is running. Notice the database instance specification of ciscosj. If the server is down, log in with the Oracle UNIX account (in this case, with username of csecure and password of csecure) and start the database by using Server Manager (svrmgrl) and Oracle listener (lsnrctl) as follows: <CSUserver>$$ORACLE_HOME/bin/svrmgrl SVRMGR>connect internal SVRMGR>startup ORACLE instance started. Total System Global Area 4576056 bytes Fixed Size 39816 bytes Variable Size 4118448 bytes Database Buffers 409600 bytes Redo Buffers 8192 bytes Database mounted. Database opened. <CSUserver>$$ORACLE_HOME/bin/lsnrctl start LSNRCTL for Solaris:Version 2.3.4.0.0 - Production on 12-APR-00 09:40:46 Copyright (c) Oracle Corporation 1994. All rights reserved. Starting /opt/oracle/product/7.3.4/bin/tnslsnr:please wait... TNSLSNR for Solaris:Version 2.3.4.0.0 - Production System parameter file is /opt/oracle/product/7.3.4/network/admin/listener.ora Log messages written to /opt/oracle/product/7.3.4/network/log/listener.log Listening on:(ADDRESS=(PROTOCOL=ipc)(DEV=10)(KEY=ciscoaus)) Listening on:(ADDRESS=(PROTOCOL=ipc)(DEV=13)(KEY=PNPKEY)) Listening on:(ADDRESS=(PROTOCOL=tcp)(DEV=15)(HOST=172.22.53.204)(PORT=1521)) Connecting to (ADDRESS=(PROTOCOL=IPC)(KEY=ciscosj)) STATUS of the LISTENER ------------------------ Alias LISTENER Version TNSLSNR for Solaris:Version 2.3.4.0.0 - Production Start Date 12-APR-00 09:40:50 Uptime 0 days 0 hr. 0 min. 0 sec Trace Level off Security OFF SNMP OFF Listener Parameter File /opt/oracle/product/7.3.4/network/admin/listener.ora Listener Log File /opt/oracle/product/7.3.4/network/log/listener.log Services Summary... ciscoaus has 1 service handler(s) The command completed successfully Step 3 To verify that the Oracle database account information is created for CiscoSecure by the DBA, enter Security Manager using the sqlplus process: <CSUserver>$sqlplus csecure/csecure@ciscosj SQL>*select from user_sys_privs; USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- CSECURE UNLIMITED TABLESPACE NO Note Ensure that the assigned resource role/privilege for the username and password is as shown. The command returns a table with a column listing the privileges granted to the Oracle database account. The default tablespace assigned to the Oracle database account must be at least 200MB. The size is verified by the installation script. Step 4** To confirm tnsnames service is operating correctly, invoke the tnsping utility as follows: <CSUserver>$$ORACLE_HOME/bin/tnsping ciscosj TNS Ping Utility for Solaris: Version 2.3.4.0.0 - Production on 29-FEB-00 09:25:28 Copyright (c) Oracle Corporation 1995. All rights reserved. Attempting to contact (ADDRESS=(PROTOCOL=TCP)(Host=CSUserver)(Port=1521)) OK (80 msec) Step 5 Ensure the number of Oracle RDBMS connections assigned to CiscoSecure is less than the PROCESSES variable defined in the initciscosj.ora file. This parameter specifies the maximum number of user processes that can simultaneously connect to an Oracle Server. If the value for PROCESSES is set to 20, then only 13 or 14 concurrent connections can be assigned to CiscoSecure. For this case study, at least four of the connections are reserved for mandatory background server processes. In addition, the PROCESSES variable is set to 50 and the number of Oracle RDBMS connections is set to 50 during the installation. 3.1.3 Installing CiscoSecure for UNIX The general steps and output that follow apply to the installation dialog for CiscoSecure for UNIX (CSU) on a Sun Solaris workstation. Installation consists of the following steps: 1. Start the CSU installation process by invoking the pkgadd program. 2. Configure CSU logging by editing /etc/syslog.conf to enable AAA syslog function: 3. Create /var/log/csuslog file. 4. Configure the AAA server for maximum level debugging. 5. Restart the AAA server. 6. Restart the syslog daemon. Step 1 Start the CSU installation process by invoking the pkgadd program. The process that follows illustrates the general installation sequence. Extraneous output was omitted where noted for brevity. Note The following installation process requires approximately 20 minutes. <CSUserver>$pkgadd -d CiscoSecure-2.3.3.solaris The following packages are available: 1 CSCEacs CiscoSecure Access Control Software (sun4) 2.3(3) Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]:1 Processing package instance <CSCEacs> from </opt/install/ciscosecure/CiscoSecure -2.3.3.solaris> CiscoSecure Access Control Software (sun4) 2.3(3) Copyright(c) 1996-1999 Cisco Systems, Inc. CiscoSecure Access Control Server Version 2.3(3) All Rights Reserved. Copyright (c) 1994-1999 Netscape Communications Corporation Copyright (c) 1988-1999 Sybase, Inc. Trade Mark WebLogic, Inc. Notice: By using this product, you agree to be bound by the terms of the license supplied with this product. If you do not agree to these terms, promptly return the unused product, manuals, related equipment, and hardware (with proof of purchase) to the place of purchase for a full refund. To install this product, you must agree to accept the terms of the enclosed license [accept=y,exit=n,exit=q]: y checking patches... ************************************************************************ * Notice: * * This installation program saves your Database files from a previous * * CiscoSecure install. If you have not installed CiscoSecure before, * * you should answer YES to the next question. If you have performed * * a 'package remove' and are installing a new version of CiscoSecure * * and want to retain your previous Database files, you should answer * * NO to the next question. * ********************************************************************** Is this a new install (y/n/q) (default: yes, q to quit)?y Enter the directory name in which to install CiscoSecure [?,q]/opt/ciscosecure IP Address to use for CiscoSecure (default: 172.23.25.41) [?,q] If the hostname of this server is not the same as its fully qualified domain name (FQDN), enter the FQDN, e.g., www.cisco.com. Otherwise, press enter to use the default (default: CSUserver) [?,q] Enter the AAA Server License key (default: <none>) [?,q] Enter the TACACS+ NAS name to use (default: <none>) [?,q] Enter the TACACS+ NAS Secret key (default: SECRET12345) [?,q]ciscorules Select any or all Token Cards to use 1 CryptoCard 2 Secure-Computing SafeWord 3 SDI SDI Token Card Enter selection (default: none) [?,??,q]: Choose Database 1 SQLAnywhere Sybase SQL Anywhere 2 ORACLE Oracle Enterprise 3 SYBASE Sybase Enterprise Enter selection (default: SQLAnywhere) [?,??,q]:2 Enter the username for the ORACLE DB account [?,q]csecure Enter the password for the ORACLE DB account [?,q]csecure Enter the TNS service name for the Oracle Server [?,q]ciscosj Enter the ORACLE_HOME directory [?,q]/opt/oracle/product/7.3.4 Enter an available TCP/IP Port to be reserved for the CiscoSecure DB Server process (default: 9900) [0-65535,?,q] Enter a unique name for the CiscoSecure DB Server Process (default: CSdbServer) [?,q] Enter the number of Connections to use for ORACLE RDBMS (default: 4) [?,q]50 Enter the directory Path to use for the AAA server profile caching (default: /, q to quit)? Modify any selections below? New CiscoSecure Install YES CiscoSecure Directory /opt/ciscosecure CiscoSecure IP Address 172.23.25.41 CiscoSecure Web Server Name CSUserver Profile Cache Directory / AAA License Key <none> TACACS+ NAS Name <none> TACACS+ NAS Secret Key SECRET12345 Token Cards selected none Data Base ORACLE DB User Account Name csecure DB User Account Passwd csecure Oracle TNS Name ciscosj Oracle Home /opt/oracle/product/7.3.4 CiscoSecure DB Server IP Address 172.23.25.41 CiscoSecure DB Server Port 9900 CiscoSecure DB Server Proc Name CSdbServer DB Server Connections 50 Modify any values [y,n,q]: n cs_install.log being written to /tmp directory Using </opt/ciscosecure> as the package base directory. ## Processing package information. ## Processing system information. 6 package pathnames are already properly installed. ## Verifying disk space requirements. ## Checking for conflicts with packages already installed. ## Checking for setuid/setgid programs. This package contains scripts which will be executed with super-user permission during the process of installing this package. Do you want to continue with the installation of <CSCEacs> [y,n,?]y Installing CiscoSecure Access Control Software as <CSCEacs> ## Executing preinstall script. ## Installing part 1 of 1. Note Process output is omitted at this point because it is not relevant to the installation task presented in this chapter. [ verifying class <TSERVER> ] ## Executing postinstall script. Creating the initial database tables and views........ Loading properties from /opt/ciscosecure/config/CSConfig.ini Finished loading properties. Data Source = ORACLE Driver Type = JDBC-Weblogic-Oracle URL = jdbc:weblogic:oracle:ciscosj username = csecure password = ****** Connected to jdbc:weblogic:oracle:ciscosj Driver Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26) Version 2.5.4 sql = select tablespace_name, floor(sum(bytes)/(10241024)) from sys.dba_free_sp ace where tablespace_name = (select default_tablespace from sys.dba_users where username = USER) group by tablespace_name Total free space in CSTB tablespace is 199 MB. Creating /opt/ciscosecure/utils/sql.scripts/ora_init.sql% Executing SQL statements.. Note* Process output is omitted at this point because it is not relevant to the installation task presented in this chapter. Successfully done. Initializing RADIUS data in the database........ Loading properties from /opt/ciscosecure/config/CSConfig.ini Finished loading properties. Data Source = ORACLE Driver Type = JDBC-Weblogic-Oracle URL = jdbc:weblogic:oracle:ciscosj username = csecure password = ****** Connected to jdbc:weblogic:oracle:ciscosj Driver Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26) Version 2.5.4 Radius data version: 23 Adding SERVER_LIST Adding DICTIONARY_LIST Adding SERVER.172.23.25.41 Adding DICTIONARY.IETF Adding DICTIONARY.Cisco Adding DICTIONARY.Ascend Adding DICTIONARY.Cisco11.1 Adding DICTIONARY.Cisco11.2 Adding DICTIONARY.Cisco11.3 Adding DICTIONARY.Ascend5 No update to dictionary list Update radius version: INSERT INTO cs_id (id, type) VALUES (?, ?) Successfully done. Installation is complete. However, further configuration may be necessary. For more information on the steps necessary to finish configuration, read the /opt/ciscosecure/DOCS/README.txt file. Results of this install are saved in the /tmp/cs_install.log file and in /opt/ciscosecure/logfiles/cs_install.log. NOTE: For AAA Server tuning, refer to http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23rg/app_b.htm# xtocid192003 Installation of <CSCEacs> was successful. Step 2 Configure CSU logging by editing /etc/syslog.conf to enable AAA syslog function: Enter the following command: #added by rbrown@cisco.com on 02/28/00 local0.debug /var/log/csuslog Note** Do not use whitespace to separate the above statements in /etc/syslog.conf. Use only tabs. Step 3 Create /var/log/csuslog file. Enter the touch command to create the csulog file. <CSUserver>$touch /var/log/csuslog;chmod 777 csuslog Step 4 Configure the AAA server for maximum level debugging. Modify /opt/ciscosecure/config/CSU.cfg as follows: NUMBER config_logging_configuration = 0x7ffffffff Step 5 Restart the AAA server. Enter the following command to restart the AAA server: <CSUserver>$/etc/rc0.d/K80CiscoSecure Stopping CiscoSecure Processes: CiscoSecure AutoRestart Stopped Fast Track Server Stopped Fast Track Admin Program Stopped Acme Server Stopped AAA Server Stopped DBServer Stopped <CSUserver>$/etc/rc2.d/S80CiscoSecure Starting CiscoSecure Processes: Fast Track Admin Started FastTrack Server (Delayed Start) DBServer Started AAA Server starts in 15 Seconds: 123456789012345 AAA Server Started Acme Server Started Cisco AutoRestart started Step 6 Restart the syslog daemon. Enter the follow command to restart the syslog daemon: <CSUserver>$ps -ef \|grep syslog root 150 1 0 Feb 26 ? 0:00 /usr/sbin/syslogd <CSUserver>$kill -HUP 150 3.1.4 Creating and Verifying Basic User Profile These processes help you to accomplish basic user profile creation and verification: 1. Create user csu_test. 2. Verify user csu_test. 3. Configure the router for basic authentication. 4. Log in to the router and verify user access. 5. Review the AAA server log. Step 1 Create user csu_test. Enter the following commands to add the user csu_test: <CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u csu_test -pw des,ciscorocks Profile Successfully Added Step 2 Verify user csu_test. Enter the following commands to verify settings for user csu_test: <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u csu_test User Profile Information user = csu_test{ profile_id = 18 profile_cycle = 1 password = des "******" } Step 3 Configure the router for basic authentication. Log in to the router and include the following commands: aaa new-model aaa authentication login default group tacacs+ local tacacs-server host 172.22.53.201 key ciscorules Step 4 Log in to the router and verify user access. Enter the user name and password: Username:csu_test Password:<password> Step 5 Review the AAA server log. Enter the tail** command to assess the csulog file: Note This CSU log fragment illustrates user csu_test being authenticated and permitted privilege level 15 access. <CSUserver>$tail -f /var/log/csuslog Feb 29 16:52:28 CSUserver last message repeated 20 times1 Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - ACCOUNTING request (55d45ae8) Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user: csu_test Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user: csu_test Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - AUTHENTICATION START request (8f414e3e) Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - Feb 29 16:52:30 CSUserver User Access Verification Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - Username: Feb 29 16:52:31 CSUserver CiscoSecure: WARNING - No swap files/partitions allocated Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e) Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - Password: Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e) Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - Authentication - LOGIN successful;[NAS = coe-ccie-35.cisco.com, Port = tty2, User = csu_test, Priv = 15]
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.