Table Of Contents
RDBMS Synchronization Import Definitions
accountActions Specification
accountActions Format
accountActions Mandatory Fields
accountActions Processing Order
Action Codes
Action Codes for Setting and Deleting Values
Action Codes for Creating and Modifying User Accounts
Action Codes for Initializing and Modifying Access Filters
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings
Action Codes for Modifying Network Configuration
Cisco Secure ACS Attributes and Action Codes
User-Specific Attributes
User-Defined Attributes
Group-Specific Attributes
An Example of accountActions
RDBMS Synchronization Import Definitions
RDBMS synchronization import definitions are a listing of the action codes allowable in an accountActions file. The RDBMS Synchronization feature of Cisco Secure Access Control Server (ACS) Solution Engine uses a comma-separated value (CSV) file named "accountActions" as input for automated or manual updates of the CiscoSecure user database. Each line in accountActions represents one action, with the exception of the first line, which is ignored during synchronization events. This permits the use of the first line of accountActions as field headers.
For more information about the RDBMS Synchronization feature and accountActions, see RDBMS Synchronization.
This chapter contains the following topics:
•accountActions Specification
•Action Codes
•Cisco Secure ACS Attributes and Action Codes
•An Example of accountActions
accountActions Specification
Whether you create accountActions by hand in a text editor or through automation using a third-party system that writes to accountActions, you must adhere to the accountActions specification and must only use the action codes detailed in Action Codes. Otherwise, RDBMS Synchronization may import incorrect information into the CiscoSecure user database or may fail to occur at all.
accountActions Format
Each row in accountActions has 14 fields (or columns). Table E-1 lists the fields that compose accountActions. Table E-1 also reflects the order in which the fields appear in accountActions.
The one-letter or two-letter abbreviations given in the Mnemonic column are a shorthand notation used to indicate required fields for each action code in Action Codes.
To see an example accountActions, see An Example of accountActions.
Table E-1 accountActions Fields
Field Name | Mnemonic | Type | Size (Max. Length) | Comments
SequenceId | SI | AutoNumber | 32 | The unique action ID.
Priority | P | Integer | 1 | The priority with which this update is to be treated. 0 is the lowest priority.
UserName | UN | String | 32 | The name of the user to which the transaction applies.
GroupName | GN | String | 32 | The name of the group to which the transaction applies.
Action | A | Number | 0-216 | The Action required. (See Action Codes.)
ValueName | VN | String | 255 | The name of the parameter to change.
Value1 | V1 | String | 255 | The new value (for numeric parameters, this is a decimal string).
Value2 | V2 | String | 255 | The name of a TACACS+ protocol; for example, "ip" or RADIUS VSA Vendor ID.
Value3 | V3 | String | 255 | The name of a TACACS+ service; for example, "ppp" or the RADIUS VSA attribute number.
DateTime | DT | DateTime | — | The date/time the Action was created.
MessageNo | MN | Integer | — | Used to number related transactions for audit purposes.
ComputerNames | CN | String | 32 | RESERVED by CSDBSync.
AppId | AI | String | 255 | The type of configuration parameter to change.
Status | S | Number | 32 | TRI-STATE: 0=not processed, 1=done, 2=failed. This should normally be set to 0.
accountActions Mandatory Fields
For all actions, the following three fields cannot be empty and must have a valid value:
•Action
•DateTime
•SequenceID
In addition to the three required fields above, the UserName and GroupName fields are also often required to have a valid value:
•If a transaction is acting upon a user account, a valid value is required in the UserName field.
•If a transaction is acting upon a group, a valid value is required in the GroupName field.
•If a transaction is acting upon AAA client configuration, neither the UserName field nor the GroupName field require a value.
Note The UserName and GroupName fields are mutually exclusive; only one of these two fields can have a value and neither field is always required.
accountActions Processing Order
Cisco Secure ACS reads rows from accountActions and processes them in a specific order. Cisco Secure ACS determines the order first by the values in the Priority field (mnemonic: P) and then by the values in the SequenceId field (mnemonic: SI). Cisco Secure ACS processes the rows with the highest priority first; the lower the number in the Priority field, the higher the priority. For example, if row A has the value 1 in its Priority field and row B has the value 2 in its Priority field, Cisco Secure ACS processes row A first, regardless of whether row B has a lower sequence ID. If rows have equal priority, Cisco Secure ACS processes them by their sequence ID, with the lowest sequence ID processed first.
Thus, the Priority field (P) enables transactions of higher importance to occur first, such as deleting a user or changing a password. In the most common implementations of RDBMS Synchronization, a third-party system writes to accountActions in batch mode, with all actions (rows) assigned a priority of zero (0).
Note When changing transaction priorities, be careful that they are processed in the correct order; for example, a user account must be created before the user password is assigned.
You can use the MessageNo field (mnemonic: MN) to associate related transactions, such as the addition of a user and subsequent actions to set password values and status. You can use the MessageNo field to create an audit trail for a third-party system that writes to accountActions.
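To show how the 14 fields of Table E-1, the mandatory-field rules, and the Priority/SequenceId processing order fit together, here is an added Python example; it is not part of the Cisco documentation and is not CSDBSync code. It builds rows keyed by the Table E-1 names, checks the three mandatory fields and the Status convention, sorts a batch the way the text describes, and writes the batch as CSV with the header line that the synchronizer ignores. The DateTime text format, the user names, passwords and MessageNo values are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Column order of accountActions as listed in Table E-1 (14 fields).
FIELDS = ["SequenceId", "Priority", "UserName", "GroupName", "Action",
          "ValueName", "Value1", "Value2", "Value3", "DateTime",
          "MessageNo", "ComputerNames", "AppId", "Status"]

# Fields that must never be empty, from "accountActions Mandatory Fields".
MANDATORY = ("Action", "DateTime", "SequenceId")


def make_row(seq, action, user="", group="", priority=0, vn="", v1="", v2="",
             v3="", msg_no="", app_id="", when=None):
    """Build one accountActions row keyed by the Table E-1 field names.
    Status is always 0 (not processed) and ComputerNames stays empty (reserved).
    The DateTime text format is an assumption; the appendix does not fix one."""
    when = when or datetime(2004, 1, 1, 9, 0, 0)  # constructed timestamp
    return {"SequenceId": seq, "Priority": priority, "UserName": user,
            "GroupName": group, "Action": action, "ValueName": vn,
            "Value1": v1, "Value2": v2, "Value3": v3,
            "DateTime": when.strftime("%Y-%m-%d %H:%M:%S"),
            "MessageNo": msg_no, "ComputerNames": "", "AppId": app_id,
            "Status": 0}


def check_mandatory(row):
    """Return the problems found against the mandatory-field rules
    (an empty list means the row is acceptable)."""
    problems = [f"{name} is empty" for name in MANDATORY
                if row.get(name) in ("", None)]
    if str(row.get("Status", "0")) != "0":
        problems.append("Status should be 0 (not processed) on import")
    return problems


def processing_order(rows):
    """Sort rows the way the synchronizer processes them: lowest Priority
    number first (that is the highest priority), then ascending SequenceId."""
    return sorted(rows, key=lambda r: (int(r["Priority"]), int(r["SequenceId"])))


def to_csv(rows):
    """Serialize rows: a header line first (ignored by RDBMS Synchronization),
    then one action per line, in the order given."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def from_csv(text):
    """Parse accountActions text back into rows, skipping the header line."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))[1:]


def demo_rows():
    """Constructed batch: a user delete at priority 0 (processed first) and an
    add-user plus password pair at priority 1, linked by MessageNo 7."""
    return [make_row(1, 100, user="fred", group="Group 1", v1="Initial-9x",
                     priority=1, msg_no=7),
            make_row(2, 102, user="fred", v1="Pa55-word", priority=1, msg_no=7),
            make_row(3, 101, user="olduser", priority=0, msg_no=8)]
```

Because Priority sorts before SequenceId, the delete with SequenceId 3 is processed ahead of rows 1 and 2, which is exactly the row A/row B case described above.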
Action Codes
This section provides the action codes valid for use in the Action field (mnemonic: A) of accountActions. The Required column uses the field mnemonic names to indicate which fields should be completed, except for the mandatory fields, which are assumed. For more information about the mnemonic names of accountActions fields, see Table E-1. For more information about the mandatory fields, see accountActions Mandatory Fields.
If an action can be applied to either a user or group, "UN|GN" appears, using the vertical bar to indicate that either one of the two fields is required. To make the action affect only the user, leave the group name empty; to make the action affect only the group, leave the user name empty.
This section contains the following topics:
•Action Codes for Setting and Deleting Values
•Action Codes for Creating and Modifying User Accounts
•Action Codes for Initializing and Modifying Access Filters
•Action Codes for Modifying TACACS+ and RADIUS Group and User Settings
•Action Codes for Modifying Network Configuration
Action Codes for Setting and Deleting Values
The two most fundamental action codes are SET_VALUE (action code: 1) and DELETE_VALUE (action code: 2), described in Table E-2. They instruct RDBMS Synchronization to assign a value to, or delete a value from, various internal attributes in Cisco Secure ACS. Unless a Cisco representative asks you to use these action codes for other purposes, use them only for assigning values to user-defined fields (see User-Specific Attributes).
Table E-2 Action Codes for Setting and Deleting Values
Action code 1: SET_VALUE (required fields: UN|GN, AI, VN, V1, V2)
Sets a value (V1) named (VN) of type (V2) for App ID (AI).
App IDs (AI) can be one of the following:
•APP_CSAUTH
•APP_CSTACACS
•APP_CSRADIUS
•APP_CSADMIN
Value types (V2) can be one of the following:
•TYPE_BYTE—Single 8-bit number.
•TYPE_SHORT—Single 16-bit number.
•TYPE_INT—Single 32-bit number.
•TYPE_STRING—Single string.
•TYPE_ENCRYPTED_STRING—Single string to be saved encrypted.
•TYPE_MULTI_STRING—Tab-separated set of substrings.
•TYPE_MULTI_INT—Tab-separated set of 32-bit numbers.
For example:
UN = "fred"
AI = "APP_CSAUTH"
VN = "My Value"
V2 = "TYPE_MULTI_STRING"
V1 = "str1<tab>str2<tab>str3" (where <tab> is a tab character)
Action code 2: DELETE_VALUE (required fields: UN|GN, AI, VN)
Deletes value (VN) for App ID (AI) and user (UN) or group (GN).
Action Codes for Creating and Modifying User Accounts
Table E-3 lists the action codes for creating, modifying, and deleting user accounts.
Note Before you can modify a user account, such as assigning a password, you must create the user account, either in the HTML interface or by using the ADD_USER action (action code: 100).
Transactions using these codes affect the configuration displayed in the User Setup section of the HTML interface. For more information about the User Setup section, see "User Management".
Table E-3 User Creation and Modification Action Codes
Action code 100: ADD_USER (required fields: UN|GN, V1)
Creates a user (32 characters maximum). V1 is used as the initial password. Optionally, the user can also be assigned to a group.
Action code 101: DELETE_USER (required fields: UN)
Removes a user.
Action code 102: SET_PAP_PASS (required fields: UN, V1)
Sets the PAP password for a user (64 ASCII characters maximum). CHAP/ARAP will also default to this.
Action code 103: SET_CHAP_PASS (required fields: UN, V1)
Sets the CHAP/ARAP password for a user (64 characters maximum).
Action code 104: SET_OUTBOUND_CHAP_PASS (required fields: UN, V1)
Sets the CHAP/ARAP password for a user (32 characters maximum).
Action code 105: SET_T+_ENABLE_PASS (required fields: UN, VN, V1, V2, V3)
Sets the TACACS+ enable password (V1) (32 characters maximum) and Max Privilege level (V2) (0-15).
The enable type (V3) should be one of the following:
•ENABLE_LEVEL_AS_GROUP—Max privilege taken from group setting.
•ENABLE_LEVEL_NONE—No T+ enable configured.
•ENABLE_LEVEL_STATIC—Value set in V2 used during enable level check.
You can use VN to link the enable password to an external authenticator, as per action 108 SET_PASS_TYPE.
Action code 106: SET_GROUP (required fields: UN, GN)
Sets the Cisco Secure ACS group assignment of the user.
Action code 108: SET_PASS_TYPE (required fields: UN|GN, V1)
Sets the password type of the user. This can be one of the CiscoSecure user database password types or any of the external databases supported:
•PASS_TYPE_CSDB—CSDB internal password.
•PASS_TYPE_CSDB_UNIX—CSDB internal password (UNIX encrypted).
•PASS_TYPE_NT—External Windows user database password.
•PASS_TYPE_NDS—External Novell database password.
•PASS_TYPE_LDAP—External generic LDAP database password.
•PASS_TYPE_LEAP—External LEAP proxy RADIUS server database password.
•PASS_TYPE_RADIUS_TOKEN—External RADIUS token server database password.
Action code 109: REMOVE_PASS_STATUS (required fields: UN, V1)
Removes a password status flag. This results in the status states being linked in a logical XOR condition. V1 should contain one of the following:
•PASS_STATUS_EXPIRES—Password expires on a given date.
•PASS_STATUS_NEVER—Password never expires.
•PASS_STATUS_WRONG—Password expires after a given number of login attempts using the wrong password.
•PASS_STATUS_DISABLED—The account has been disabled.
Action code 110: ADD_PASS_STATUS (required fields: UN, V1)
Defines how a password should be expired by Cisco Secure ACS. To set multiple password states for a user, use multiple instances of this action. This results in the status states being linked in a logical XOR condition. V1 should contain one of the following:
•PASS_STATUS_EXPIRES—Password expires on a given date.
•PASS_STATUS_NEVER—Password never expires.
•PASS_STATUS_WRONG—Password expires after a given number of login attempts using the wrong password.
•PASS_STATUS_RIGHT—Password expires after a given number of login attempts using the correct password.
•PASS_STATUS_DISABLED—The account has been disabled.
Action code 112: SET_PASS_EXPIRY_WRONG (required fields: UN, V1)
Sets the maximum number of bad authentications allowed (automatic reset on good password if not exceeded) and reset current count.
Action code 113: SET_PASS_EXPIRY_DATE (required fields: UN, V1)
Sets the date on which the account expires. The date format should be YYYYMMDD.
Action code 114: SET_MAX_SESSIONS (required fields: UN|GN, V1)
Sets the maximum number of simultaneous sessions for a user or group. V1 should contain one of the following values:
•MAX_SESSIONS_UNLIMITED
•MAX_SESSIONS_AS_GROUP
•1-65534
Action code 115: SET_MAX_SESSIONS_GROUP_USER (required fields: GN, V1)
Sets the max sessions for a user of the group to one of the following values:
•MAX_SESSIONS_UNLIMITED
•1-65534
Action code 260: SET_QUOTA (required fields: VN, V1, V2)
Sets a quota for a user or group.
VN defines the quota type. Valid values are:
•online time—The quota limits the user or group by the number of seconds logged in to the network for the period defined in V2.
•sessions—The quota limits the user or group by the number of sessions on the network for the period defined in V2.
V1 defines the quota. If VN is set to sessions, V1 is the maximum number of sessions in the period defined in V2. If VN is set to online time, V1 is the maximum number of seconds.
V2 holds the period for the quota. Valid values are:
•QUOTA_PERIOD_DAILY—The quota is enforced in 24-hour cycles, from 12:01 A.M. to midnight.
•QUOTA_PERIOD_WEEKLY—The quota is enforced in 7-day cycles, from 12:01 A.M. Sunday until midnight Saturday.
•QUOTA_PERIOD_MONTHLY—The quota is enforced in monthly cycles, from 12:01 A.M. on the first of the month until midnight on the last day of the month.
•QUOTA_PERIOD_ABSOLUTE—The quota is enforced in an ongoing basis, without an end.
Action code 261: DISABLE_QUOTA (required fields: UN|GN, VN)
Disables a group or user usage quota.
VN defines the quota type. Valid values are:
•online time—The quota limits the user or group by the number of seconds logged in to the network for the period defined in V2.
•sessions—The quota limits the user or group by the number of sessions on the network for the period defined in V2.
Action code 262: RESET_COUNTERS (required fields: UN|GN)
Resets usage quota counters for a user or group.
Action code 263: SET_QUOTA_APPLY_TYPE (required fields: V1)
Defines whether a user usage quota is determined by the user group quota or by a quota unique to the user. V1 makes this specification. Valid values for V1 are:
•ASSIGNMENT_FROM_USER
•ASSIGNMENT_FROM_GROUP
Action code 270: SET_DCS_TYPE (required fields: UN|GN, VN, V1, optionally V2)
Sets the type of device command set (DCS) authorization for a group or user.
VN defines the service. Valid service types are:
•shell—Cisco IOS shell command authorization.
•pixshell—Cisco PIX command authorization.
Note If additional DCS types have been added to your Cisco Secure ACS, you can find the valid value in the Interface Configuration page for TACACS+ (Cisco IOS). The valid values appear in parentheses after the service title, such as PIX Shell (pixshell).
V1 defines the assignment type. The valid values for V1 are:
•none—Sets no DCS for the user or group.
•as group—For users only, this value signifies that the user DCS settings for the service specified should be the same as the user group DCS settings.
•static—Sets a DCS for the user or group for all devices enabled to perform command authorization for the service specified.
If V1 is set to static, V2 is required and must contain the name of the DCS to assign to the user or group for the given service.
•ndg—Specifies that command authorization for the user or group is to be done on a per-NDG basis. Use action 271 to add DCS to NDG mappings for the user or group.
Note Changing a user or group assignment type (V1) results in clearing previous data, including NDG to DCS mappings (defined by action 271).
Action code 271: SET_DCS_NDG_MAP (required fields: UN|GN, VN, V1, V2)
Use this action code to map between the device command set and the NDG when the assignment type specified by a 270 action code is ndg.
VN defines the service. Valid service types are:
•shell—Cisco IOS shell command authorization.
•pixshell—Cisco PIX command authorization.
Note If additional DCS types have been added to your Cisco Secure ACS, you can find the valid value in the Interface Configuration page for TACACS+ (Cisco IOS). The valid values appear in parentheses after the service title, such as PIX Shell (pixshell).
V1 defines the name of the NDG. Use the name of the NDG as it appears in the HTML interface. For example, if you have configured an NDG named "East Coast NASes" and want to use action 271 to apply a DCS to that NDG, V1 should be "East Coast NASes".
V2 defines the name of the DCS. Use the name of the DCS as it appears in the HTML interface. For example, if you have configured a DCS named "Tier2 PIX Admin DCS" and want to use action 271 to apply it to an NDG, V2 should be "Tier2 PIX Admin DCS".
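The "Required" column notation (UN|GN meaning that either field satisfies the requirement, "Optionally" marking a field that may be left empty) and the note that an account must exist before it can be modified both lend themselves to a pre-import check. The following Python is an added example, not Cisco's code: it parses the Required strings of a subset of Tables E-2 and E-3 exactly as written above, reports which alternatives a row leaves empty, and walks a batch in processing order to catch a password action that would run before the matching ADD_USER. The row helper, user names and password values are constructed, and it assumes that no user in the batch already exists in the CiscoSecure user database.

```python
# Field mnemonics from Table E-1 mapped to the accountActions column names.
MNEMONIC = {"UN": "UserName", "GN": "GroupName", "VN": "ValueName",
            "AI": "AppId", "V1": "Value1", "V2": "Value2", "V3": "Value3"}

# "Required" column for a subset of Tables E-2 and E-3, copied as written.
REQUIRED = {
    1: "UN|GN, AI, VN, V1, V2",            # SET_VALUE
    2: "UN|GN, AI, VN",                    # DELETE_VALUE
    100: "UN|GN, V1",                      # ADD_USER
    101: "UN",                             # DELETE_USER
    102: "UN, V1",                         # SET_PAP_PASS
    103: "UN, V1",                         # SET_CHAP_PASS
    106: "UN, GN",                         # SET_GROUP
    108: "UN|GN, V1",                      # SET_PASS_TYPE
    113: "UN, V1",                         # SET_PASS_EXPIRY_DATE
    114: "UN|GN, V1",                      # SET_MAX_SESSIONS
    270: "UN|GN, VN, V1, Optionally V2",   # SET_DCS_TYPE
}

# Table E-3 actions that modify an account, which therefore must already exist.
NEEDS_EXISTING_USER = {102, 103, 104, 105, 106, 108, 109, 110, 112, 113}


def parse_required(spec):
    """Turn a Required-column string into a list of alternatives; each item is
    a tuple of column names of which at least one must be non-empty.
    'Optionally ...' terms are dropped; 'UN|GN' becomes ('UserName', 'GroupName')."""
    groups = []
    for term in spec.split(","):
        term = term.strip()
        if term.lower().startswith("optionally"):
            continue
        groups.append(tuple(MNEMONIC[m] for m in term.split("|")))
    return groups


def missing_fields(row):
    """Return the alternatives (as 'A|B' strings) that the row leaves empty."""
    spec = REQUIRED.get(row["Action"])
    if spec is None:
        return [f"action {row['Action']} not in REQUIRED table"]
    return ["|".join(alt) for alt in parse_required(spec)
            if not any(row.get(col) for col in alt)]


def ordering_problems(rows):
    """Walk rows in processing order (Priority, then SequenceId) and flag an
    account-modifying action that arrives before ADD_USER for that UserName."""
    created = set()
    problems = []
    for r in sorted(rows, key=lambda r: (r["Priority"], r["SequenceId"])):
        if r["Action"] == 100:
            created.add(r["UserName"])
        elif r["Action"] in NEEDS_EXISTING_USER and r["UserName"] not in created:
            problems.append(f"seq {r['SequenceId']}: action {r['Action']} "
                            f"before ADD_USER for {r['UserName']}")
    return problems


def row(seq, action, prio=0, **fields):
    """Constructed minimal row carrying only the columns this example inspects."""
    base = {"SequenceId": seq, "Priority": prio, "Action": action,
            "UserName": "", "GroupName": "", "ValueName": "", "Value1": "",
            "Value2": "", "Value3": "", "AppId": ""}
    base.update(fields)
    return base


def demo():
    """A good batch (create fred, set PAP password, set expiry date) and a bad
    one where the password row outranks the ADD_USER row by priority."""
    good = [row(1, 100, UserName="fred", GroupName="Group 1", Value1="Initial-9x"),
            row(2, 102, UserName="fred", Value1="Pa55-word"),
            row(3, 113, UserName="fred", Value1="20051231")]
    bad = [row(10, 102, UserName="anne", Value1="Pa55-word", prio=0),
           row(11, 100, UserName="anne", Value1="Pa55-word", prio=1)]
    return good, bad
```

The ordering check is what the note on transaction priorities asks for: in the bad batch the SET_PAP_PASS row has the higher priority (0), so it would be processed before the ADD_USER row even though its sequence ID is lower.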
Action Codes for Initializing and Modifying Access Filters
Table E-4 lists the action codes for initializing and modifying AAA client access filters. AAA client access filters control Telnet access to a AAA client. Dial access filters control access by dial-up users.
Transactions using these codes affect the configuration displayed in the User Setup and Group Setup sections of the HTML interface. For more information about the User Setup section, see "User Management". For more information about the Group Setup section, see "User Group Management".
Table E-4 Action Codes for Initializing and Modifying Access Filters
Action code 120: INIT_NAS_ACCESS_CONTROL (required fields: UN|GN, V1)
Clears the AAA client access filter list and initializes permit/deny for any forthcoming filters. V1 should be one of the following values:
•ACCESS_PERMIT
•ACCESS_DENY
Action code 121: INIT_DIAL_ACCESS_CONTROL (required fields: UN|GN, V1)
Clears the dial-up access filter list and initializes permit/deny for any forthcoming filters. V1 should be one of the following values:
•ACCESS_PERMIT
•ACCESS_DENY
Action code 122: ADD_NAS_ACCESS_FILTER (required fields: UN|GN, V1)
Adds a AAA client filter for the user|group.
V1 should contain a single (AAA client name, AAA client port, remote address, CLID) tuple; for example:
Optionally, the AAA client name can be "All AAA clients" to specify that the filter applies to all configured AAA clients and an asterisk (*) to represent all ports.
Action code 123: ADD_DIAL_ACCESS_FILTER (required fields: UN|GN, V1, V2)
Adds a dial-up filter for the user|group.
V1 should contain one of the following values:
•Calling station ID
•Called station ID
•Calling and called station ID; for example:
01732-875374,0898-69696969
•AAA client IP address, AAA client port; for example:
V2 should contain the filter type as one of the following values:
•CLID—The user is filtered by the calling station ID.
•DNIS—The user is filtered by the called station ID.
•CLID/DNIS—The user is filtered by both calling and called station IDs.
•AAA client/PORT—The user is filtered by AAA client IP and AAA client port address.
Action code 130: SET_TOKEN_CACHE_SESSION (required fields: GN, V1)
Enables/disables token caching for an entire session; V1 is 0=disable, 1=enable.
Action code 131: SET_TOKEN_CACHE_TIME (required fields: GN, V1)
Sets the duration that tokens are cached. V1 is the token cache duration in seconds.
Action code 140: SET_TODDOW_ACCESS (required fields: UN|GN, V1)
Sets periods during which access is permitted. V1 contains a string of 168 characters. Each character represents a single hour of the week. A "1" represents an hour that is permitted, while a "0" represents an hour that is denied. If this parameter is not specified for a user, the group setting applies. The default group setting is "111111111111" and so on.
Action code 150: SET_STATIC_IP (required fields: UN, V1, V2)
Configures the (TACACS+ and RADIUS) IP address assignment for this user.
V1 holds the IP address in the following format:
xxx.xxx.xxx.xxx
V2 should be one of the following:
•ALLOC_METHOD_STATIC—The IP address in V1 is assigned to the user in the format xxx.xxx.xxx.xxx.
•ALLOC_METHOD_NAS_POOL—The IP pool named in V1 (configured on the AAA client) will be assigned to the user.
•ALLOC_METHOD_AAA_POOL—The IP pool named in V1 (configured on the AAA server) will be assigned to the user.
•ALLOC_METHOD_CLIENT—The dial-in client will assign its own IP address.
•ALLOC_METHOD_AS_GROUP—The IP address assignment configured for the group will be used.
Action code 151: SET_CALLBACK_NO (required fields: UN|GN, V1)
Sets the callback number for this user or group (TACACS+ and RADIUS). V1 should be one of the following:
•Callback number—The phone number the AAA client is to call back.
•none—No callback is allowed.
•roaming—The dial-up client determines the callback number.
•as group—Use the callback string or method defined by the group.
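SET_TODDOW_ACCESS (action code 140) packs a week into a 168-character string of "1" and "0", one character per hour. As an added example that is not part of the Cisco documentation, the Python below builds that V1 value from a list of permitted windows, validates the length and alphabet the page specifies, decodes a string back into (day, hour) pairs, and summarizes it per day for review. It assumes that the string starts with hour 0 of Sunday; the page does not state which day the string begins with.

```python
DAY_NAMES = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")  # assumed order
HOURS_PER_WEEK = 7 * 24  # 168, the length the page specifies


def toddow_string(windows):
    """Build the V1 value for SET_TODDOW_ACCESS (action 140).
    windows: iterable of (day_index, start_hour, end_hour), end exclusive;
    (1, 8, 18) permits Monday 08:00-17:59. Every hour not listed is '0'.
    Assumes character 0 is Sunday hour 0 (an assumption, not stated on the page)."""
    hours = ["0"] * HOURS_PER_WEEK
    for day, start, end in windows:
        if not (0 <= day < 7 and 0 <= start < end <= 24):
            raise ValueError(f"bad window {(day, start, end)}")
        for hour in range(start, end):
            hours[day * 24 + hour] = "1"
    return "".join(hours)


def validate_toddow(value):
    """Check the page's format rule: exactly 168 characters, each '0' or '1'."""
    return len(value) == HOURS_PER_WEEK and set(value) <= {"0", "1"}


def toddow_decode(value):
    """Inverse of toddow_string: the permitted (day_index, hour) pairs."""
    if not validate_toddow(value):
        raise ValueError("V1 must be exactly 168 characters of '0'/'1'")
    return [(i // 24, i % 24) for i, c in enumerate(value) if c == "1"]


def permitted_at(value, day, hour):
    """Is access permitted at the given weekday index and hour?"""
    return value[day * 24 + hour] == "1"


def describe(value):
    """Per-day summary such as 'Mon 08-18' (first to last permitted hour)."""
    out = []
    for day in range(7):
        chunk = value[day * 24:(day + 1) * 24]
        if "1" in chunk:
            first, last = chunk.index("1"), chunk.rindex("1") + 1
            out.append(f"{DAY_NAMES[day]} {first:02d}-{last:02d}")
    return out


def business_hours():
    """Constructed policy: Monday to Friday, 08:00-18:00; weekends denied."""
    return toddow_string([(d, 8, 18) for d in range(1, 6)])
```

The all-ones string the page gives as the group default ("111111111111" and so on) passes validate_toddow and permits every hour; a string of the wrong length or containing any other character is rejected before it reaches the import.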
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings
Table E-5 lists the action codes for creating, modifying, and deleting TACACS+ and RADIUS settings for Cisco Secure ACS groups and users. In the event that Cisco Secure ACS has conflicting user and group settings, user settings always override group settings.
Transactions using these codes affect the configuration displayed in the User Setup and Group Setup sections of the HTML interface. For more information about the User Setup section, see "User Management". For more information about the Group Setup section, see "User Group Management".
Table E-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings
Action code 161: DEL_RADIUS_ATTR (required fields: UN|GN, VN, optionally V2, V3)
Deletes the named RADIUS attribute for the group or user, where:
•VN = "Vendor-Specific"
•V2 = IETF vendor ID
•V3 = VSA attribute ID
For example, to specify the Cisco IOS/PIX vendor ID and the Cisco AV Pair:
VN = "Vendor-Specific"
V2 = "9"
V3 = "1"
Action code 163: ADD_RADIUS_ATTR (required fields: UN|GN, VN, V1, optionally V2, V3)
Adds to the attribute named (VN) the value (V1) for the user/group (UN|GN). For example, to set the IETF RADIUS Reply-Message attribute (attr. 18) for a group:
GN = "Group 1"
VN = "Reply-Message"
V1 = "Greetings"
As another example, to set the IETF RADIUS Framed-IP-Address attribute (attr. 9) for a user:
UN = "fred"
VN = "Framed-IP-Address"
V1 = "10.1.1.1"
To add a vendor-specific attribute (VSA), set VN = "Vendor-Specific" and use V2 and V3 as follows:
•V2 = IETF vendor ID
•V3 = VSA attribute ID
For example, to add the Cisco IOS/PIX RADIUS cisco-av-pair attribute with a value of "addr-pool=pool1":
VN = "Vendor-Specific"
V1 = "addr-pool=pool1"
V2 = "9"
V3 = "1"
RADIUS attribute values can be one of the following:
•INTEGER
•TIME
•IP ADDRESS
•STRING
Action code 170: ADD_TACACS_SERVICE (required fields: UN|GN, VN, V1, V3, optionally V2)
Permits the service for that user or group of users. For example:
GN = "Group 1"
V1 = "ppp"
V2 = "ip"
or
UN = "fred"
V1 = "ppp"
V2 = "ip"
or
Action code 171: REMOVE_TACACS_SERVICE (required fields: UN|GN, V1, optionally V2)
Denies the service for that user or group of users. For example:
GN = "Group 1"
V1 = "ppp"
V2 = "ip"
or
UN = "fred"
V1 = "ppp"
V2 = "ip"
or
This also resets the valid attributes for the service.
Action code 172: ADD_TACACS_ATTR (required fields: UN|GN, VN, V1, V3, optionally V2)
Sets a service-specific attribute. The service must already have been permitted either via the HTML interface or using Action 170:
GN = "Group 1"
VN = "routing"
V1 = "ppp"
V2 = "ip"
V3 = "true"
or
UN = "fred"
VN = "route"
V1 = "ppp"
V2 = "ip"
V3 = "10.2.2.2"
Action code 173: REMOVE_TACACS_ATTR (required fields: UN|GN, VN, V1, optionally V2)
Removes a service-specific attribute:
GN = "Group 1"
V1 = "ppp"
V2 = "ip"
VN = "routing"
or
UN = "fred"
V1 = "ppp"
V2 = "ip"
VN = "route"
Action code 174: ADD_IOS_COMMAND (required fields: UN|GN, VN, V1)
Authorizes the given Cisco IOS command and determines if any arguments given to the command are to be found in a defined set or are not to be found in a defined set. The defined set is created using Actions 176 and 177:
GN = "Group 1"
VN = "telnet"
V1 = "permit"
or
UN = "fred"
VN = "configure"
V1 = "deny"
The first example permits the Telnet command to be authorized for users of Group 1. Any arguments can be supplied to the Telnet command as long as they are not matched against any arguments defined via Action 176.
The second example permits the configure command to be authorized for user fred, but only if the arguments supplied are permitted by the filter defined by a series of Action 176.
Action code 175: REMOVE_IOS_COMMAND (required fields: UN|GN, VN)
Removes command authorization for the user or group:
GN = "Group 1"
VN = "telnet"
or
UN = "fred"
VN = "configure"
Users of Group 1 can no longer use the Cisco IOS telnet command.
User fred can no longer use the configure command.
Action code 176: ADD_IOS_COMMAND_ARG (required fields: UN|GN, VN, V1, V2)
Specifies a set of command-line arguments that are either permitted or denied for the Cisco IOS command contained in VN. The command must have already been added via Action 174:
GN = "Group 1"
VN = "telnet"
V1 = "permit"
V2 = "10.1.1.2"
or
UN = "fred"
VN = "show"
V1 = "deny"
V2 = "run"
The first example will allow the telnet command with argument 10.1.1.2 to be used by any user in Group 1.
The second example ensures that user fred cannot issue the Cisco IOS command show run.
Action code 177: REMOVE_IOS_COMMAND_ARG (required fields: UN|GN, VN, V2)
Removes the permit or deny entry for the given Cisco IOS command argument:
GN = "Group 1"
VN = "telnet"
V2 = "10.1.1.1"
or
UN = "fred"
VN = "show"
V2 = "run"
Action code 178: SET_PERMIT_DENY_UNMATCHED_IOS_COMMANDS (required fields: UN|GN, V1)
Sets unmatched Cisco IOS command behavior. The default is that any Cisco IOS commands not defined via a combination of Actions 174 and 175 will be denied. This behavior can be changed so that issued Cisco IOS commands that do not match any command/command argument pairs are authorized:
GN = "Group 1"
V1 = "permit"
or
The first example will permit any command not defined by Action 174.
Action code 179: REMOVE_ALL_IOS_COMMANDS (required fields: UN|GN)
This action removes all Cisco IOS commands defined for a particular user or group.
Action code 210: RENAME_GROUP (required fields: GN, V1)
Renames an existing group to the name supplied in V1.
Action code 211: RESET_GROUP (required fields: GN)
Resets a group back to the factory default.
Action code 212: SET_VOIP (required fields: GN, V1)
Enables or disables Voice over IP (VoIP) support for the group named, as follows:
•GN = name of group
•V1 = ENABLE or DISABLE
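Actions 174 through 179 describe a small authorization model: a command is permitted or denied, argument entries refine that decision, and commands with no entry follow a default that action 178 can flip from deny to permit. The following Python is an added example and is not part of the Cisco documentation; it applies those rows to a per-user or per-group policy and evaluates commands the way the descriptions above state. It assumes exact string matching of the argument text (the page does not define how arguments are matched) and adds constructed argument entries alongside the page's telnet, configure and show run cases.

```python
MODES = ("permit", "deny")


class IosCommandPolicy:
    """Command authorization state for one user or group, built from
    accountActions rows 174-179. Argument matching is an exact comparison of
    the argument text (an assumption; the page does not define matching)."""

    def __init__(self):
        self.commands = {}       # command -> {"mode": permit|deny, "args": [(mode, text)]}
        self.unmatched = "deny"  # page: commands not defined are denied by default

    def apply(self, action, vn="", v1="", v2=""):
        """Apply one row; VN/V1/V2 carry the same meaning as in Table E-5."""
        if action in (174, 176, 178) and v1 not in MODES:
            raise ValueError(f"V1 must be permit or deny, got {v1!r}")
        if action == 174:                       # ADD_IOS_COMMAND
            self.commands[vn] = {"mode": v1, "args": []}
        elif action == 175:                     # REMOVE_IOS_COMMAND
            self.commands.pop(vn, None)
        elif action == 176:                     # ADD_IOS_COMMAND_ARG
            if vn not in self.commands:
                raise ValueError(f"{vn}: add the command with action 174 first")
            self.commands[vn]["args"].append((v1, v2))
        elif action == 177:                     # REMOVE_IOS_COMMAND_ARG
            if vn in self.commands:
                self.commands[vn]["args"] = [
                    a for a in self.commands[vn]["args"] if a[1] != v2]
        elif action == 178:                     # SET_PERMIT_DENY_UNMATCHED_IOS_COMMANDS
            self.unmatched = v1
        elif action == 179:                     # REMOVE_ALL_IOS_COMMANDS
            self.commands.clear()
        else:
            raise ValueError(f"action {action} is not a command-authorization action")
        return self

    def authorize(self, command, args=""):
        """True if the command with these arguments would be authorized."""
        entry = self.commands.get(command)
        if entry is None:
            return self.unmatched == "permit"
        matched = {mode for mode, text in entry["args"] if text == args}
        if entry["mode"] == "permit":
            return "deny" not in matched     # any args unless a deny entry matches
        return "permit" in matched           # only args that a permit entry matches


def demo_policies():
    """Page cases (Group 1: telnet permit; fred: configure deny, show deny/run)
    plus constructed argument entries that exercise both directions."""
    group1 = IosCommandPolicy()
    group1.apply(174, vn="telnet", v1="permit")
    group1.apply(176, vn="telnet", v1="deny", v2="10.1.1.9")     # constructed
    fred = IosCommandPolicy()
    fred.apply(174, vn="configure", v1="deny")
    fred.apply(176, vn="configure", v1="permit", v2="terminal")  # constructed
    fred.apply(174, vn="show", v1="deny")
    fred.apply(176, vn="show", v1="deny", v2="run")
    return group1, fred
```

Running the two page examples through this model gives the outcomes the descriptions state: Group 1 may run telnet with any argument except one a deny entry matches, fred may run configure only with an argument a permit entry matches, and show run is denied for fred; flipping the unmatched default with action 178 is the one change that opens commands never defined with action 174.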
Action Codes for Modifying Network Configuration
Table E-6 lists the action codes for adding AAA clients, AAA servers, network device groups, and proxy table entries. Transactions using these codes affect the configuration displayed in the Network Configuration section of the HTML interface. For more information about the Network Configuration section, see "Network Configuration".
Table E-6 Action Codes for Modifying Network Configuration
Action code 220: ADD_NAS (required fields: VN, V1, V2, V3)
Adds a new AAA client (named in VN) with an IP address (V1), shared secret key (V2), and vendor (V3). Valid vendors are as follows:
•VENDOR_ID_IETF_RADIUS—For IETF RADIUS.
•VENDOR_ID_CISCO_RADIUS—For Cisco IOS/PIX RADIUS.
•VENDOR_ID_CISCO_TACACS—For Cisco TACACS+.
•VENDOR_ID_ASCEND_RADIUS—For Ascend RADIUS.
•VENDOR_ID_ALTIGA_RADIUS—For Cisco VPN 3000 RADIUS.
•VENDOR_ID_COMPATIBLE_RADIUS—For Cisco VPN 5000 RADIUS.
•VENDOR_ID_AIRONET_RADIUS—For Cisco Aironet RADIUS.
•VENDOR_ID_NORTEL_RADIUS—For Nortel RADIUS.
•VENDOR_ID_JUNIPER_RADIUS—For Juniper RADIUS.
•VENDOR_ID_CBBMS_RADIUS—For Cisco BBMS RADIUS.
For example:
VN = AS5200-11
V1 = 192.168.1.11
V2 = byZantine32
V3 = VENDOR_ID_CISCO_RADIUS
Action code 221: SET_NAS_FLAG (required fields: VN, V1)
Sets one of the per-AAA client flags (V1) for the named AAA client (VN). Use the action once for each flag required. Valid values for per-AAA client flags are as follows:
•FLAG_SINGLE_CONNECT
•FLAG_LOG_KEEP_ALIVE
•FLAG_LOG_TUNNELS
Action code 222: DEL_HOST (required fields: VN)
Deletes the named AAA client (VN).
Action code 223: ADD_NAS_BY_IETF_CODE (required fields: VN, V1, V2, V3)
Adds a new AAA client (named in VN) with an IP address (V1), shared secret key (V2), and the enterprise code for the vendor (V3).
Action code 230: ADD_AAA_SERVER (required fields: VN, V1, V2)
Adds a new AAA server named (VN) with IP address (V1), shared secret key (V2).
Action code 231: SET_AAA_TYPE (required fields: VN, V1)
Sets the AAA server type for server (VN) to value in V1, which should be one of the following:
•TYPE_ACS
•TYPE_TACACS
•TYPE_RADIUS
The default is AAA_SERVER_TYPE_ACS.
Action code 232: SET_AAA_FLAG (required fields: VN, V1)
Sets one of the per-AAA client flags (V1) for the named AAA server (VN):
•FLAG_LOG_KEEP_ALIVE
•FLAG_LOG_TUNNELS
Use the action once for each flag required.
Action code 233: SET_AAA_TRAFFIC_TYPE (required fields: VN, V1)
Sets the appropriate traffic type (V1) for the named AAA server (VN):
•TRAFFIC_TYPE_INBOUND
•TRAFFIC_TYPE_OUTBOUND
•TRAFFIC_TYPE_BOTH
The default is TRAFFIC_TYPE_BOTH.
Action code 234: DEL_AAA_SERVER (required fields: VN)
Deletes the named AAA server (VN).
Action code 240: ADD_PROXY (required fields: VN, V1, V2, V3)
Adds a new proxy markup (VN) with markup type (V1), strip markup flag (V2), and accounting flag (V3).
The markup type (V1) must be one of the following:
•MARKUP_TYPE_PREFIX
•MARKUP_TYPE_SUFFIX
The markup strip flag (V2) should be TRUE if the markup is to be removed from the username before forwarding.
The accounting flag (V3) should be one of the following:
•ACCT_FLAG_LOCAL
•ACCT_FLAG_REMOTE
•ACCT_FLAG_BOTH
Action code 241: ADD_PROXY_TARGET (required fields: VN, V1)
Adds to named proxy markup (VN) the host name (V1). The host should already be configured on the Cisco Secure ACS.
Note The order in which proxy targets are added sets the proxy search order; the first target added is the first target proxied to, and so on. The order must be changed through the HTML interface.
Action code 242: DEL_PROXY (required fields: VN)
Deletes the named proxy markup (VN).
Action code 250: ADD_NDG (required fields: VN)
Creates a network device group (NDG) named (VN).
Action code 251: DEL_NDG (required fields: VN)
Deletes the named NDG.
Action code 252: ADD_HOST_TO_NDG (required fields: VN, V1)
Adds to the named AAA client/AAA server (VN) the NDG (V1).
Action code 270: SET_DCS_ASSIGNMENT (required fields: —; description: —)
Action code 271: ADD_NDG_TO_DCS_MAPPING (required fields: —; description: —)
Action code 300: RESTART_PROTO_MODULES (required fields: —)
Restarts the CSRadius and CSTacacs services to apply new settings.
Action code 350: ADD_UDV (required fields: VN, V1, V2)
Adds a RADIUS vendor to the Cisco Secure ACS vendor database. Vendors added to Cisco Secure ACS by this method are known as User-Defined Vendors (UDV).
VN contains the name of the Vendor.
Note Cisco Secure ACS adds "RADIUS(...)" to the name entered in the Variable Name field. For example, if you enter the name "MyCo", Cisco Secure ACS displays "RADIUS (MyCo)" in the HTML interface.
V1 contains the user-defined vendor slot number or AUTO_ASSIGN_SLOT. Cisco Secure ACS has ten vendor slots, numbered 0 through 9. If you specify AUTO_ASSIGN_SLOT, Cisco Secure ACS selects the next available slot for your vendor.
Note If you want to replicate UDVs between Cisco Secure ACSes, you must assign the UDV to the same slot number on both Cisco Secure ACSes.
V2 contains the IANA-assigned enterprise code for the vendor.
Action code 351: DEL_UDV (required fields: V1)
Removes the vendor with the IETF code specified in V1 and any defined VSAs.
Note Action code 351 does not remove any instances of VSAs assigned to Cisco Secure ACS groups or users. If Cisco Secure ACS has AAA clients configured with the UDV specified in V1, the delete operation fails.
Action code 352: ADD_VSA (required fields: VN, V1, V2, V3)
Adds a new VSA to the vendor specified by the vendor IETF code in V1.
VN is the VSA name. We recommend prefixing the vendor name, or an abbreviation of it, to all VSA names; for example, if the vendor name is MyCo and the attribute assigns a group ID, the VSA could be named "MyCo-Assigned-Group-Id".
Note VSA names must be unique to both the vendor and to the Cisco Secure ACS dictionary. For example, "MyCo-Framed-IP-Address" is allowed but "Framed-IP-Address" is not, because "Framed-IP-Address" is used by IETF action code 8 in the RADIUS attributes.
V2 is the VSA number. This must be in the 0-255 range.
V3 is the VSA type as one of following values:
•INTEGER
•STRING
•IPADDR
By default, VSAs are assumed to be outbound (or authorization) attributes. If the VSA is either multi-instance or used in accounting messages, use SET_VSA_PROFILE (Action code 353).
Action code 353: SET_VSA_PROFILE (required fields: V1, V2, V3)
Sets the inbound/outbound profile of the VSA. The profile specifies usage "IN" for accounting, "OUT" for authorization, or "MULTI" if more than a single instance is allowed per RADIUS message. Combinations are allowed.
V1 contains the vendor IETF code.
V2 contains the VSA number.
V3 contains the profile, one of the following:
•IN
•OUT
•IN OUT
•MULTI OUT
•MULTI IN OUT
|
354
|
ADD_VSA_ENUM
|
VN, V1, V2, V3
|
Sets meaningful enumerated values, if the VSA attribute has enumerated. In the User Setup section, the Cisco Secure ACS HTML interface displays the enumeration strings in a list.
VN contains the VSA Enum Name.
V1 contains the vendor IETF code.
V2 contains the VSA number.
V3 contains the VSA Enum Value.
Example:
VN = Disabled
V1 = 9034
V2 = MyCo-Encryption
V3 = 0
or
VN = Enabled
V1 = 9034
V2 = MyCo-Encryption
V3 = 1
|
355
|
ADOPT_NEW_UDV_ OR_VSA
|
—
|
Restarts the CSAdmin, CSRadius, and CSLog services. These services must be restarted before new UDVs or VSAs can become usable.
|
Cisco Secure ACS Attributes and Action Codes
This section complements the previous section by providing an inverse reference; it provides topics with tables that list Cisco Secure ACS attributes, their data types and limits, and the action codes you can use to act upon the Cisco Secure ACS attributes.
This section contains the following topics:
•User-Specific Attributes
•User-Defined Attributes
•Group-Specific Attributes
User-Specific Attributes
Table E-7 lists the attributes that define a Cisco Secure ACS user, including their data types, limits, and default values. It also provides the action code you can use in accountActions to affect each attribute. Although there are many actions available, adding a user requires only one transaction: ADD_USER. You can safely leave other user attributes at their default values. The term NULL is not simply an empty string, but means not set; that is, the value will not be processed. Some features are processed only if they have a value assigned to them. For more information about action codes, see Action Codes.
Table E-7 User-Specific Attributes
Attribute | Actions | Logical Type | Limits | Default
Username | 100, 101 | String | 1-64 characters | —
ASCII/PAP Password | 100, 102 | String | 4-32 characters | Random string
CHAP Password | 103 | String | 4-32 characters | Random string
Outbound CHAP Password | 104 | String | 4-32 characters | NULL
TACACS+ Enable Password | 105 | String (password) | 4-32 characters | NULL
TACACS+ Enable Password | 105 | Integer (privilege level) | 0-15 | NULL
Group | 106 | String | 0-100 characters | "Default Group"
Password Supplier | 107 | Enum | See Table E-3. | LIBRARY_CSDB
Password Type | 108 | Enum | See Table E-3. | PASS_TYPE_CSDB (password is cleartext PAP)
Password Expiry Status | 109, 110 | Bitwise Enum | See Table E-3. | PASS_STATUS_NEVER (never expires)
Expiry Data | 112, 113 | Short (wrong attempts, max/current) | 0-32,767 | —
Expiry Data | 112, 113 | Expiry date | — | —
Max Sessions | 114 | Unsigned short | 0-65535 | MAX_SESSIONS_AS_GROUP
TODDOW Restrictions | 140 | String | 168 characters | [a string of 168 ones (1)]
NAS Access Control | 120, 122 | Bool (enabled) | T/F | NULL
NAS Access Control | 120, 122 | Bool (permit/deny) | T/F |
NAS Access Control | 120, 122 | ACL String (See Table E-4.) | 0-31 KB |
Dial-Up Access Control | 121, 123 | Bool (enabled) | T/F | NULL
Dial-Up Access Control | 121, 123 | Bool (permit/deny) | T/F | NULL
Dial-Up Access Control | 121, 123 | ACL String (See Table E-4.) | 0-31 KB | NULL
Static IP Address | 150 | Enum (scheme) | (See Table E-4.) | Client
Static IP Address | 150 | String (IP/pool name) | 0-31 KB | NULL
Callback Number | 151 | String | 0-31 KB | NULL
TACACS Attributes | 160, 162 | Formatted String | 0-31 KB | NULL
RADIUS Attributes | 170, 173 | Formatted String | 0-31 KB | NULL
UDF 1 | 1, 2 | String (Real Name) | 0-31 KB | NULL
UDF 2 | 1, 2 | String (Description) | 0-31 KB | NULL
UDF 3 | 1, 2 | String | 0-31 KB | NULL
UDF 4 | 1, 2 | String | 0-31 KB | NULL
UDF 5 | 1, 2 | String | 0-31 KB | NULL
User-Defined Attributes
User-defined attributes (UDAs) are string values that can contain any data, such as social security number, department name, telephone number, and so on. You can configure Cisco Secure ACS to include UDAs on accounting logs about user activity. For more information about configuring UDAs, see User Data Configuration Options.
RDBMS Synchronization can set UDAs by using the SET_VALUE action (code 1) to create a value named "USER_DEFINED_FIELD_0" or "USER_DEFINED_FIELD_1". For accountActions rows that define a UDA value, the AppId (AI) field must contain "APP_CSAUTH" and the Value2 (V2) field must contain "TYPE_STRING".
Table E-8 lists the data fields that define UDAs. For more information about action codes, see Action Codes.
Table E-8 User-Defined Attributes
Action | Username (UN) | ValueName (VN) | Value1 (V1) | Value2 (V2) | AppId (AI)
1 | fred | USER_DEFINED_FIELD_0 | SS123456789 | TYPE_STRING | APP_CSAUTH
1 | fred | USER_DEFINED_FIELD_1 | Engineering | TYPE_STRING | APP_CSAUTH
1 | fred | USER_DEFINED_FIELD_2 | 949-555-1111 | TYPE_STRING | APP_CSAUTH
Note If more than two UDAs are created, only the first two are passed to accounting logs.
Group-Specific Attributes
Table E-9 lists the attributes that define a Cisco Secure ACS group, including their data types, limits, and default values. It also provides the action code you can use in your accountActions table to affect each field. For more information about action codes, see Action Codes.
Table E-9 Group-Specific Attributes
Attribute | Actions | Logical Type | Limits | Default
Max Sessions | 114 | Unsigned short | 0-65534 | MAX_SESSIONS_UNLIMITED
Max Sessions for user of group | 115 | Unsigned short | 0-65534 | MAX_SESSIONS_UNLIMITED
Token caching for session | 130 | Bool | T/F | NULL
Token caching for duration | 131 | Integer (time in seconds) | 0-65535 | NULL
TODDOW Restrictions | 140 | String | 168 characters | [a string of 168 ones (1)]
NAS Access Control | 120, 122 | Bool (enabled) | T/F | NULL
NAS Access Control | 120, 122 | Bool (permit/deny) | T/F |
NAS Access Control | 120, 122 | ACL String (See Table E-4.) | 0-31 KB |
Dial-Up Access Control | 121, 123 | Bool (enabled) | T/F | NULL
Dial-Up Access Control | 121, 123 | Bool (permit/deny) | T/F | NULL
Dial-Up Access Control | 121, 123 | ACL String (See Table E-4.) | 0-31 KB | NULL
Static IP Address | 150 | Enum (scheme) | (See Table E-4.) | Client
Static IP Address | 150 | String (IP/pool name) | 0-31 KB | NULL
TACACS Attributes | 160, 162 | Formatted String | 0-31 KB | NULL
RADIUS Attributes | 170, 173 | Formatted String | 0-31 KB | NULL
VoIP Support | 212 | Bool (disabled) | T/F | NULL
An Example of accountActions
Table E-10 presents a sample accountActions table that uses some of the action codes described in Action Codes. First, user "fred" is created, along with his passwords, including a TACACS+ Enable password with privilege level 10. Fred is assigned to "Group 2". His account expires after December 31, 1999, or after 10 incorrect authentication attempts. Attributes for Group 2 include Time-of-Day/Day-of-Week restrictions, token caching, and some RADIUS attributes.
Note This example omits several columns that should appear in any accountActions table. The omitted columns are Sequence ID (SI), Priority (P), DateTime (DT), and MessageNo (MN).
Table E-10 Example accountActions Table
Action | User name (UN) | Group Name (GN) | Value Name (VN) | Value1 (V1) | Value2 (V2) | Value3 (V3) | AppId (AI)
100 | fred | — | — | fred | — | — | —
102 | fred | — | — | freds_password | — | — | —
103 | fred | — | — | freds_chap_password | — | — | —
104 | fred | — | — | freds_outbound_password | — | — | —
105 | fred | — | — | freds_enable_password | 10 | — | —
106 | fred | Group 2 | — | — | — | — | —
150 | fred | — | — | 123.123.123.123 | — | — | —
151 | fred | — | — | 01832-123900 | — | — | —
109 | fred | — | — | PASS_STATUS_NEVER | — | — | —
110 | fred | — | — | PASS_STATUS_WRONG | — | — | —
110 | fred | — | — | PASS_STATUS_EXPIRES | — | — | —
112 | fred | — | — | 10 | — | — | —
113 | fred | — | — | 19991231 | — | — | —
114 | fred | — | — | 50 | — | — | —
115 | fred | — | — | 50 | — | — | —
120 | fred | — | — | ACCESS_PERMIT | — | — | —
121 | fred | — | — | ACCESS_DENY | — | — | —
122 | fred | — | — | NAS01,tty0,01732-975374 | — | — | —
123 | fred | — | — | 01732-975374,01622-123123 | CLID/DNIS | — | —
1 | fred | — | USER_DEFINED_FIELD_0 | Fred Jones | TYPE_STRING | — | APP_CSAUTH
140 | — | Group 2 | — | [a string of 168 ones (1)] | — | — | —
130 | — | Group 2 | — | DISABLE | — | — | —
131 | — | Group 2 | — | 61 | — | — | —
163 | — | Group 2 | Reply-Message | Welcome to Your Internet Service | — | — | —
163 | — | Group 2 | Vendor-Specific | addr-pool=pool2 | 9 | 1 | —
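Because a malformed accountActions row can import wrong data into the CiscoSecure user database or make the synchronization fail, it pays to lint the file before a synchronization run. The following Python is an added example, not part of the Cisco documentation or of Cisco Secure ACS. It builds rows of the kind shown in Table E-10, writes them as a CSV whose first line is a header (which RDBMS Synchronization ignores), and checks each row against the limits in Tables E-7 and E-9, the UDA rule from the User-Defined Attributes section (action 1 with V2 "TYPE_STRING" and AI "APP_CSAUTH"), and the VSA constraints of action codes 352 and 353. The 14-column order used for FIELDS, the sequential numbering of SI, and the reading of the TODDOW string as 168 one-character hour flags of 0 or 1 are assumptions; Table E-1 and Table E-2, which define the columns and the mandatory fields, are outside this excerpt, and the unchecked columns are left empty here.

```python
"""Lint accountActions rows before RDBMS Synchronization imports them.

Added example, not Cisco code. ASSUMED: the 14-column order in FIELDS
(Table E-1 is outside this excerpt), sequential numbering of SI, and
that TODDOW is 168 one-character hour flags of 0/1 as in Table E-10.
"""
import csv
import io

FIELDS = ["SI", "P", "UN", "GN", "A", "VN", "V1", "V2", "V3",
          "DT", "MN", "CN", "AI", "S"]            # assumed column order
PASSWORD_ACTIONS = {"102", "103", "104", "105"}   # 4-32 character passwords
VSA_TYPES = {"INTEGER", "STRING", "IPADDR"}       # action code 352, V3
VSA_PROFILES = {"IN", "OUT", "IN OUT", "MULTI OUT", "MULTI IN OUT"}  # 353, V3


def _int_in(value, lo, hi):
    """True if value is a decimal string within [lo, hi]."""
    return value.isdigit() and lo <= int(value) <= hi


def check_row(row):
    """Return the limit violations in one row (a dict keyed by FIELDS)."""
    a, vn, v1, v2, v3 = (row[k] for k in ("A", "VN", "V1", "V2", "V3"))
    bad = []
    if a == "100" and not 1 <= len(v1) <= 64:
        bad.append("100: username must be 1-64 characters")
    if a in PASSWORD_ACTIONS and not 4 <= len(v1) <= 32:
        bad.append(a + ": password must be 4-32 characters")
    if a == "105" and not _int_in(v2, 0, 15):
        bad.append("105: TACACS+ enable privilege level must be 0-15")
    if a == "106" and len(row["GN"]) > 100:
        bad.append("106: group name must be 0-100 characters")
    if a in ("109", "110") and not v1.startswith("PASS_STATUS_"):
        bad.append(a + ": expiry status must be a PASS_STATUS_* value")
    if a == "112" and not _int_in(v1, 0, 32767):
        bad.append("112: wrong-attempt limit must be 0-32,767")
    if a in ("114", "115") and not _int_in(v1, 0, 65535):
        bad.append(a + ": max sessions must be 0-65535")
    if a == "140" and not (len(v1) == 168 and set(v1) <= {"0", "1"}):
        bad.append("140: TODDOW string must be exactly 168 characters of 0/1")
    if a == "1" and vn.startswith("USER_DEFINED_FIELD_"):
        if row["AI"] != "APP_CSAUTH" or v2 != "TYPE_STRING":
            bad.append("1: UDA rows need AI=APP_CSAUTH and V2=TYPE_STRING")
    if a == "352" and not (_int_in(v2, 0, 255) and v3 in VSA_TYPES):
        bad.append("352: VSA number must be 0-255, type INTEGER/STRING/IPADDR")
    if a == "353" and v3 not in VSA_PROFILES:
        bad.append("353: profile must be one of " + ", ".join(sorted(VSA_PROFILES)))
    return bad


def row(action, un="", gn="", vn="", v1="", v2="", v3="", ai=""):
    """Build one row; SI is filled by to_csv and the other columns stay empty."""
    return dict(zip(FIELDS, ["", "", un, gn, action, vn, v1, v2, v3,
                             "", "", "", ai, ""]))


def fred_example():
    """A subset of the 'fred' rows from Table E-10 (constructed sample)."""
    return [
        row("100", un="fred", v1="fred"),
        row("102", un="fred", v1="freds_password"),
        row("105", un="fred", v1="freds_enable_password", v2="10"),
        row("106", un="fred", gn="Group 2"),
        row("109", un="fred", v1="PASS_STATUS_NEVER"),
        row("110", un="fred", v1="PASS_STATUS_WRONG"),
        row("112", un="fred", v1="10"),
        row("113", un="fred", v1="19991231"),
        row("1", un="fred", vn="USER_DEFINED_FIELD_0", v1="Fred Jones",
            v2="TYPE_STRING", ai="APP_CSAUTH"),
        row("140", gn="Group 2", v1="1" * 168),
        row("131", gn="Group 2", v1="61"),
    ]


def to_csv(rows):
    """Serialise rows as CSV with a header line, which ACS ignores."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for seq, r in enumerate(rows, 1):
        writer.writerow({**r, "SI": str(seq)})   # assumed: SI = 1, 2, 3, ...
    return buf.getvalue()


def lint_csv(text):
    """Parse an accountActions file; return {line_number: [problems]}."""
    reader = csv.reader(io.StringIO(text))
    next(reader)                           # line 1 holds field headers only
    findings = {}
    for lineno, fields in enumerate(reader, 2):
        if len(fields) != len(FIELDS):
            findings[lineno] = ["expected %d fields, got %d" % (len(FIELDS), len(fields))]
            continue
        problems = check_row(dict(zip(FIELDS, fields)))
        if problems:
            findings[lineno] = problems
    return findings
```

Run `lint_csv(to_csv(fred_example()))` to get an empty dict for the rows above; feed it the file your RDBMS export actually produces to catch a privilege level of 16, a UDA row whose AppId is not "APP_CSAUTH", or a TODDOW string that lost a character in transit before those rows reach the user database.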