User Guide for Cisco Secure Access Control Server 4.1
RDBMS Synchronization Import Definitions

Table Of Contents

RDBMS Synchronization Import Definitions

accountActions Specification

accountActions Format

accountActions Mandatory Fields

accountActions Processing Order

Supported Versions for ODBC Data Sources (ACS for Windows)

Action Codes

Action Codes for Setting and Deleting Values

Action Codes for Creating and Modifying User Accounts

Action Codes for Initializing and Modifying Access Filters

Action Codes for Modifying TACACS+ and RADIUS Group and User Settings

Action Codes for Modifying Network Configuration

ACS Attributes and Action Codes

User-Specific Attributes

User-Defined Attributes

Group-Specific Attributes

An Example of accountActions


RDBMS Synchronization Import Definitions


ACS for Windows

RDBMS synchronization import definitions are a listing of the action codes allowable in an accountActions table. The RDBMS Synchronization feature of the Cisco Secure Access Control Server Release 4.1, hereafter referred to as ACS, uses a table named accountActions as input for automated or manual updates of the ACS internal database.

ACS SE

RDBMS synchronization import definitions are a listing of the action codes allowable in an accountActions file. The RDBMS Synchronization feature of ACS SE uses a comma-separated value (CSV) file named accountActions as input for automated or manual updates of the ACS internal database. Each line in accountActions represents one action, with the exception of the first line, which is ignored during synchronization events. This scenario permits the use of the first line of accountActions as field headers.

For more information about the RDBMS Synchronization feature and accountActions, see RDBMS Synchronization Components, page 8-20.

This chapter contains the following topics:

accountActions Specification

Supported Versions for ODBC Data Sources (ACS for Windows)

Action Codes

ACS Attributes and Action Codes

An Example of accountActions

accountActions Specification

Whether you create accountActions by hand in a text editor or through automation using a third-party system that writes to accountActions, you must adhere to the accountActions specification and must only use the action codes detailed in Action Codes. Otherwise, RDBMS Synchronization may import incorrect information into the ACS internal database or may fail to occur at all.

accountActions Format

Each row in accountActions has 14 fields (or columns). Table F-1 lists the fields that compose accountActions. Table F-1 also reflects the order in which the fields appear in accountActions.

The one-letter or two-letter abbreviations given in the Mnemonic column are a shorthand notation used to indicate required fields for each action code in Action Codes.

To see an example accountActions, see An Example of accountActions.

Table F-1 accountActions Fields 

Field Name
Mnemonic
Type
Size (Max. Length)
Comments

SequenceId

SI

AutoNumber

32

The unique action ID.

Priority

P

Integer

1

The priority with which this update is to be treated. Zero (0) is the lowest priority.

UserName

UN

String

32

The name of the user to which the transaction applies.

GroupName

GN

String

32

The name of the group to which the transaction applies.

Action

A

Number

0-216

The action required. (See Action Codes.)

ValueName

VN

String

255

The name of the parameter to change.

Value1

V1

String

255

The new value (for numeric parameters, this is a decimal string).

Value2

V2

String

255

The name of a TACACS+ protocol; for example, ip or RADIUS VSA Vendor ID.

Value3

V3

String

255

The name of a TACACS+ service; for example, ppp or the RADIUS VSA attribute number.

DateTime

DT

DateTime

The date and time the action was created.

MessageNo

MN

Integer

Used to number related transactions for audit purposes.

ComputerNames

CN

String

32

RESERVED by CSDBSync.

AppId

AI

String

255

The type of configuration parameter to change.

Status

S

Number

32

TRI-STATE:0=not processed, 1=done, 2=failed. This value should normally be set to 0.


accountActions Mandatory Fields

For all actions, the following fields cannot be empty and must have a valid value:

Action

SequenceID

Status

In addition to the previous required fields, the DateTime, UserName and GroupName fields are also often required to have a valid value:

If a transaction is acting upon a user account, a valid value is required in the UserName field.

If a transaction is acting upon a group, a valid value is required in the GroupName field.

If a transaction is acting upon a AAA client configuration, neither the UserName field nor the GroupName field require a value.


Note The UserName and GroupName fields are mutually exclusive; only one of these two fields can have a value and neither field is always required.


accountActions Processing Order

ACS reads rows from accountActions and processes them in a specific order. ACS determines the order first by the values in the Priority fields (mnemonic: P) and then by the values in the Sequence ID fields (mnemonic: SI). ACS processes the rows with the highest Priority field. The lower the number in the Priority field, the higher the priority. For example, if row A has the value 1 in its Priority field and row B has the value 2 in its Priority field, ACS would process row A first, regardless of whether row B has a lower sequence ID or not. If rows have an equal priority, ACS processes them by their sequence ID, with the lowest sequence ID processed first.

Thus, the Priority field (P) enables transactions of higher importance to occur first, such as deleting a user or changing a password. In the most common implementations of RDBMS Synchronization, a third-party system writes to accountActions in batch mode, with all actions (rows) assigned a priority of zero (0).


Note When changing transaction priorities, be careful that they are processed in the correct order; for example, a user account must be created before the user password is assigned.


You can use the MessageNo field (mnemonic: MN) to associate related transactions, such as the addition of a user and subsequent actions to set password values and status. You can use the MessageNo field to create an audit trail for a third-party system that writes to accountActions.

Supported Versions for ODBC Data Sources (ACS for Windows)

The following versions are supported for RDBMS synchronization through ODBC.

MS-SQL version 3.80 later

ODBC version 3.80 or later

Action Codes

This section provides the action codes valid for use in the Action field (mnemonic: A) of accountActions. The Required column uses the field mnemonic names to indicate which fields should be completed, except for the mandatory fields, which are assumed. For more information about the mnemonic names of accountActions fields, see Table F-1. For more information about the mandatory fields, see accountActions Mandatory Fields.

If an action can be applied to a user or group, UN|GN appears, using the vertical bar (|) to indicate that either one of the two fields is required. To make the action affect only the user, leave the group name empty; to make the action affect only the group, leave the user name empty.

This section contains the following topics:

Action Codes for Setting and Deleting Values

Action Codes for Creating and Modifying User Accounts

Action Codes for Initializing and Modifying Access Filters

Action Codes for Modifying TACACS+ and RADIUS Group and User Settings

Action Codes for Modifying Network Configuration

Action Codes for Setting and Deleting Values

The two most fundamental action codes are SET_VALUE (action code: 1) and DELETE_VALUE (action code: 2), described in Table F-2.

The SET_VALUE (action code: 1) and DELETE_VALUE (action code: 2) actions, described in Table F-2, instruct RDBMS Synchronization to assign a value to various internal attributes in ACS. Unless a Cisco representative asks you to use these action codes for other purposes, you can only use these action codes for assigning values to user-defined fields (see User-Specific Attributes).

Table F-2 Action Codes for Setting and Deleting Values 

Action Code
Name
Required
Description

1

SET_VALUE

UN|GN, AI, VN, V1, V2

Sets a value (V1) named (VN) of type (V2) for App ID (AI).

App IDs (AI) can be one of the following:

APP_CSAUTH

APP_CSTACACS

APP_CSRADIUS

APP_CSADMIN

Value types (V2) can be one of the following:

TYPE_BYTE—Single 8-bit number.

TYPE_SHORT—Single 16-bit number.

TYPE_INT—Single 32-bit number.

TYPE_STRING—Single string.

TYPE_ENCRYPTED_STRING—Single string to be saved encrypted.

TYPE_MULTI_STRING—Tab-separated set of substrings.

TYPE_MULTI_INT—Tab-separated set of 32-bit numbers.

For example:

UN = "fred" 
AI = "APP_CSAUTH" 
VN = "My Value" 
V2 = "TYPE_MULTI_STRING" 
V1 = "str1tabstr2tabstr3"

2

DELETE_VALUE

UN|GN, AI, VN

Deletes value (VN) for App ID (AI) and user (UN) or group (GN).


Action Codes for Creating and Modifying User Accounts

Table F-3 lists the action codes for creating, modifying, and deleting user accounts.


Note Before you can modify a user account, such as assigning a password, you must create the user account, in the web interface or by using the ADD_USER action (action code: 100).


Transactions using these codes affect the configuration that appears in the User Setup section of the web interface. For more information about the User Setup section, see Chapter 6, "User Management."

Table F-3 User Creation and Modification Action Codes 

Action Code
Name
Required
Description

100

ADD_USER

UN|GN, V1

Creates a user (32 characters maximum). V1 is used as the initial password. Optionally, the user can also be assigned to a group.

101

DELETE_USER

UN

Removes a user.

102

SET_PAP_PASS

UN, V1

Sets the PAP password for a user (64 ASCII characters maximum). CHAP/ARAP will also default to this.

103

SET_CHAP_PASS

UN, V1

Sets the CHAP/ARAP password for a user (64 characters maximum).

104

SET_OUTBOUND_CHAP_PASS

UN, V1

Sets the CHAP/ARAP password for a user (32 characters maximum).

105

SET_T+_ENABLE_PASS

UN, VN, V1, V2, V3

Sets the TACACS+ enable password (V1) (32 characters maximum) and Max Privilege level (V2) (0-15).

The enable type (V3) should be one of the following:

ENABLE_LEVEL_AS_GROUP—Max privilege taken from group setting.

ENABLE_LEVEL_NONE—No T+ enable configured.

ENABLE_LEVEL_STATIC—Value set in V2 used during enable level check.

You can use VN to link the enable password to an external authenticator, as per action 108 SET_PASS_TYPE.

106

SET_GROUP

UN, GN

Sets the ACS group assignment of the user.

108

SET_PASS_TYPE

UN|GN, V1

Sets the password type of the user. This can be one of the ACS internal database password types or any of the external databases supported:

PASS_TYPE_CSDB—CSDB internal password.

PASS_ TYPE_CSDB_UNIX—CSDB internal password (UNIX encrypted).

PASS_TYPE_NT—External Windows user database password.

PASS_TYPE_NDS—External Novell database password.

PASS_TYPE_LDAP—External generic LDAP database password.

PASS_TYPE_LEAP—External LEAP proxy RADIUS server database password.

PASS_TYPE_RADIUS_TOKEN—External RADIUS token server database password.

109

REMOVE_PASS_STATUS

UN,V1

Removes a password status flag. This action results in the status states being linked in a logical XOR condition. V1 should contain one of the following:

PASS_STATUS_EXPIRES—Password expires on a given date.

PASS_STATUS_NEVER—Password never expires.

PASS_STATUS_WRONG—Password expires after a given number of login attempts using the wrong password.

PASS_STATUS_DISABLED—The account has been disabled.

110

ADD_PASS_STATUS

UN, V1

Defines how a password should be expired by ACS. To set multiple password states for a user, use multiple instances of this action. This action results in the status states being linked in a logical XOR condition. V1 should contain one of the following:

PASS_STATUS_EXPIRES—Password expires on a given date.

PASS_STATUS_NEVER—Password never expires.

PASS_STATUS_WRONG—Password expires after a given number of login attempts by using the wrong password.

PASS_STATUS_RIGHT—Password expires after a given number of login attempts by using the correct password.

PASS_STATUS_DISABLED—The account has been disabled.

112

SET_PASS_EXPIRY_WRONG

UN,V1

Sets the maximum number of bad authentications allowed (automatic reset on good password if not exceeded) and resets the current count.

113

SET_PASS_EXPIRY_DATE

UN,V1

Sets the date on which the account expires. The date format should be YYYYMMDD.

114

SET_MAX_SESSIONS

UN|GN,
V1

Sets the maximum number of simultaneous sessions for a user or group. V1 should contain one of the following values:

MAX_SESSIONS_UNLIMITED

MAX_SESSIONS_AS_GROUP

1-65534

115

SET_MAX_SESSIONS_GROUP_USER

GN,V1

Sets the max sessions for a user of the group to one of the following values:

MAX_SESSIONS_UNLIMITED

1-65534

260

SET_QUOTA

VN,V1,
V2

Sets a quota for a user or group.

VN defines the quota type. Valid values are:

online time—The quota limits the user or group by the number of seconds logged in to the network for the period defined in V2.

sessions—The quota limits the user or group by the number of sessions on the network for the period defined in V2.

V1 defines the quota. If VN is set to sessions, V1 is the maximum number of sessions in the period defined in V2. If VN is set to online time, V1 is the maximum number of seconds.

V2 holds the period for the quota. Valid values are:

QUOTA_PERIOD_DAILY—The quota is enforced in 24-hour cycles, from 12:01 A.M. to midnight.

QUOTA_PERIOD_WEEKLY—The quota is enforced in 7-day cycles, from 12:01 A.M. Sunday until midnight Saturday.

QUOTA_PERIOD_MONTHLY—The quota is enforced in monthly cycles, from 12:01 A.M. on the first of the month until midnight on the last day of the month.

QUOTA_PERIOD_ABSOLUTE—The quota is enforced in an ongoing basis, without an end.

261

DISABLE_QUOTA

UN|GN,
VN

Disables a group or user usage quota.

VN defines the quota type. Valid values are:

online time—The quota limits the user or group by the number of seconds logged in to the network for the period defined in V2.

sessions—The quota limits the user or group by the number of sessions on the network for the period defined in V2.

262

RESET_COUNTERS

UN|GN

Resets usage quota counters for a user or group.

263

SET_QUOTA_APPLY_TYPE

V1

Defines whether a user usage quota is determined by the user group quota or by a quota unique to the user. V1 makes this specification. Valid values for V1 are:

ASSIGNMENT_FROM_USER

ASSIGNMENT_FROM_GROUP

270

SET_DCS_TYPE

UN|GN,
VN,V1, Optional-
ly V2

Sets the type of device command set (DCS) authorization for a group or user.

VN defines the service. Valid service types are:

shell—Cisco IOS shell command authorization.

pixshell—Cisco PIX command authorization.

Note If additional DCS types have been added to your ACS, you can find the valid value in the Interface Configuration page for TACACS+ (Cisco IOS). The valid values appear in parentheses after the service title, such as:
PIX Shell (pixshell)

V1 defines the assignment type. The valid values for VN are:

none—Sets no DCS for the user or group.

as group—For users only, this value signifies that the user DCS settings for the service specified should be the same as the user group DCS settings.

static—Sets a DCS for the user or group for all devices enabled to perform command authorization for the service specified.

If V1 is set to static, V2 is required and must contain the name of the DCS to assign to the user or group for the given service.

ndg—Specifies that command authorization for the user or group is to be done on a per-NDG basis. Use action 271 to add DCS to NDG mappings for the user or group.

Note Changing a user or group assignment type (V1) results in clearing previous data, including NDG to DCS mappings (defined by action 271).

271

SET_DCS_NDG_MAP

UN|GN,
VN,V1,
V2

Use this action code to map between the device command set and the NDG when the assignment type specified by a 270 action code is ndg.

VN defines the service. Valid service types are:

shell—Cisco IOS shell command authorization.

pixshell—Cisco PIX command authorization.

Note If additional DCS types have been added to your ACS, you can find the valid value in the Interface Configuration page for TACACS+ (Cisco IOS). The valid values appear in parentheses after the service title, such as:
PIX Shell (pixshell)

V1 defines the name of the NDG. Use the name of the NDG as it appears in the web interface. For example, if you have configured an NDG named East Coast NASs and want to use action 271 to apply a DCS to that NDG, V1 should be East Coast NASs.

V2 defines the name of the DCS. Use the name of the DCS as it appears in the web interface. For example, if you have configured a DCS named Tier2 PIX Admin DCS and want to use action 271 to apply it to an NDG, V2 should be Tier2 PIX Admin DCS.


Action Codes for Initializing and Modifying Access Filters

Table F-4 lists the action codes for initializing and modifying AAA client access filters. AAA client access filters control Telnet access to a AAA client. Dial access filters control access by dial-up users.

Transactions using these codes affect the configuration that appears in the User Setup and Group Setup sections of the web interface. For more information about the User Setup section, see Chapter 6, "User Management." For more information about the Group Setup section, see Chapter 5, "User Group Management."

Table F-4 Action Codes for Initializing and Modifying Access Filters 

Action Code
Name
Required
Description

120

INIT_NAS_ACCESS_CONTROL

UN|GN,V1

Clears the AAA client access filter list and initialize permit or deny for any forthcoming filters. V1 should be one of the following values:

ACCESS_PERMIT

ACCESS_DENY

121

INIT_DIAL_ACCESS_CONTROL

UN|GN,V1

Clears the dial-up access filter list and initialize permit/deny for any forthcoming filters. V1 should be one of the following values:

ACCESS_PERMIT

ACCESS_DENY

122

ADD_NAS_ACCESS_FILTER

UN|GN,V1

Adds a AAA client filter for the user|group.

V1 should contain a single (AAA client name, AAA client port, remote address, CLID) tuple; for example:

NAS01,tty0,0898-69696969 

Optionally, the AAA client name can be All AAA clients to specify that the filter applies to all configured AAA clients and an asterisk (*) to represent all ports.

123

ADD_DIAL_ACCESS_FILTER

UN|GN, V1, V2

Adds a dial-up filter for the user|group.

V1 should contain one of the following values:

Calling station ID

Called station ID

Calling and called station ID; for example:

01732-875374,0898-69696969 

NAS IP address, NAS port; for example:

10.45.6.123,tty0 

V2 should contain the filter type as one of the following values:

CLID—The user is filtered by the calling station ID.

DNIS—The user is filtered by the called station ID.

CLID/DNIS—The user is filtered by calling and called station IDs.

NAS/PORT—The user is filtered by NAS IP and NAS port address.

130

SET_TOKEN_CACHE_SESSION

GN, V1

Enables or disables token caching for an entire session; V1 is 0=disable, 1=enable.

131

SET_TOKEN_CACHE_TIME

GN, V1

Sets the duration that tokens are cached. V1 is the token cache duration in seconds.

140

SET_TODDOW_ACCESS

UN|GN, V1

Sets periods during which access is permitted. V1 contains a string of 168 characters. Each character represents a single hour of the week. A 1 represents an hour that is permitted, while a 0 represents an hour that is denied. If this parameter is not specified for a user, the group setting applies. The default group setting is 111111111111 and so on.

150

SET_STATIC_IP

UN, V1, V2

Configures the (TACACS+ and RADIUS) IP address assignment for this user.

V1 holds the IP address in the following format:

xxx.xxx.xxx.xxx

V2 should be one of the following:

ALLOC_METHOD_STATIC—The IP address in V1 is assigned to the user in the format xxx.xxx.xxx.xxx.

ALLOC_METHOD_NAS_POOL—The IP pool named in V1 (configured on the AAA client) will be assigned to the user.

ALLOC_METHOD_AAA_POOL—The IP pool named in V1 (configured on the AAA server) will be assigned to the user.

ALLOC_METHOD_CLIENT—The dial-in client will assign its own IP address.

ALLOC_METHOD_AS_GROUP—The IP address assignment configured for the group will be used.

151

SET_CALLBACK_NO

UN|GN, V1

Sets the callback number for this user or group (TACACS+ and RADIUS). V1 should be one of the following:

Callback number—The phone number the AAA client is to call back.

none—No callback is allowed.

roaming—The dial-up client determines the callback number.

as group—Use the callback string or method defined by the group.


Action Codes for Modifying TACACS+ and RADIUS Group and User Settings

Table F-5 lists the action codes for creating, modifying, and deleting TACACS+ and RADIUS settings for ACS groups and users. In the event that ACS has conflicting user and group settings, user settings always override group settings.

Transactions using these codes affect the configuration displayed in the User Setup and Group Setup sections of the web interface. For more information about the User Setup section, see Chapter 6, "User Management." For more information about the Group Setup section, see Chapter 5, "User Group Management."

Table F-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings 

Action Code
Name
Required
Description

161

DEL_RADIUS_ATTR

UN|GN, VN, Optionally V2, V3

Deletes the named RADIUS attribute for the group or user, where:

VN = "Vendor-Specific"

V2 = IETF vendor ID

V3 = VSA attribute ID

For example, to specify the Cisco IOS/PIX vendor ID and the Cisco AV Pair:

VN = "Vendor-Specific" 
V2 = "9" 
V3 = "1"

163

ADD_RADIUS_ ATTR

UN|GN, VN, V1, Optionally V2, V3

Adds to the attribute named (VN) the value (V1) for the user/group (UN|GN). For example, to set the IETF RADIUS Reply-Message attribute (attr. 18) for a group:

GN = "Group 1" 
VN = "Reply-Message" 
V1 = "Greetings" 

As another example, to set the IETF RADIUS Framed-IP-Address attribute (attr. 9) for a user:

UN = "fred" 
VN = "Framed-IP-Address" 
V1 = "10.1.1.1" 

To add a vendor-specific attribute (VSA), set VN = "Vendor-Specific" and use V2 and V3 as follows:

V2 = IETF vendor ID

V3 = VSA attribute ID

For example, to add the Cisco IOS/PIX RADIUS cisco-av-pair attribute with a value of "addr-pool=pool1":

VN="Vendor-Specific" 
V1 = "addr-pool=pool1" 
V2 = "9" 
V3 = "1" 

RADIUS attribute values can be one of the following:

INTEGER

TIME

IP ADDRESS

STRING

170

ADD_TACACS_SERVICE

UN|GN, VN, V1, V3, Optionally V2

Permits the service for that user or group of users. For example:

GN = "Group 1" 
V1 = "ppp" 
V2 = "ip" 

or

UN = "fred" 
V1 = "ppp" 
V2 = "ip" 

or

UN = "fred" 
V1= "exec"

Note If a protocol is not specified for the PPP service, the default protocol is IP.

171

REMOVE_TACACS_SERVICE

UN|GN, V1

Optionally V2

Denies the service for that user or group of users. For example:

GN = "Group 1" 
V1 = "ppp" 
V2 = "ip" 

or

UN = "fred" 
V1 = "ppp" 
V2 = "ip" 

or

UN = "fred" 
V1 = "exec" 

This also resets the valid attributes for the service.

172

ADD_TACACS_ATTR

UN|GN, VN, V1, V3

Optionally V2

Sets a service-specific attribute. The service must already have been permitted via the web interface or using Action 170:

GN = "Group 1" 
VN = "routing" 
V1 = "ppp" 
V2 = "ip" 
V3 = "true" 

or

UN = "fred" 
VN = "route" 
V1 = "ppp" 
V2 = "ip" 
V3 = 10.2.2.2

173

REMOVE_TACACS_ATTR

UN|GN, VN, V1

Optionally V2

Removes a service-specific attribute:

GN = "Group 1" 
V1 = "ppp" 
V2 = "ip" 
VN = "routing" 

or

UN = "fred" 
V1 = "ppp" 
V2 = "ip" 
VN = "route"

Note If a protocol is not specified for the ppp service, the default protocol is IP. In previous releases, all the protocols were enabled for the PPP service which caused the groups to enter an invalid state.

174

ADD_IOS_COMMAND

UN|GN, VN, V1

Authorizes the given Cisco IOS command and determines if any arguments given to the command are to be found in a defined set or are not to be found in a defined set. The defined set is created using Actions 176 and 177:

GN = "Group 1" 
VN = "telnet" 
V1 = "permit" 

or

UN = "fred" 
VN = "configure" 
V1 = "deny" 

The first example permits the Telnet command to be authorized for users of Group 1. Any arguments can be supplied to the Telnet command as long as they are not matched against any arguments defined via Action 176.

The second example permits the configure command to be authorized for user fred, but only if the arguments supplied are permitted by the filter defined by a series of Action 176.

175

REMOVE_IOS_COMMAND

UN|GN, VN

Removes command authorization for the user or group:

GN = "Group 1" 
VN = "telnet" 

or

UN = "fred" 
VN = "configure" 

Users of Group 1 can no longer use the Cisco IOS telnet command.

User fred can no longer use the configure command.

176

ADD_IOS_COMMAND_ARG

UN|GN, VN, V1, V2

Specifies a set of command-line arguments that are permitted or denied for the Cisco IOS command contained in VN. The command must have already been added via Action 174:

GN = "Group 1" 
VN = "telnet" 
V1 = "permit" 
V2 = "10.1.1.2" 

or

UN = "fred" 
VN = "show" 
V1 = "deny" 
V2 = "run" 

The first example will allow the telnet command with argument 10.1.1.2 to be used by any user in Group 1.

The second example ensures that user fred cannot issue the Cisco IOS command show run.

177

REMOVE_IOS_COMMAND_ARG

UN|GN, VN, V2

Removes the permit or deny entry for the given Cisco IOS command argument:

GN = "Group 1" 
VN = "telnet" 
V2 = "10.1.1.1" 

or

UN = "fred" 
VN = "show" 
V2 = "run"

178

SET_PERMIT_DENY_ UNMATCHED_IOS_COMMANDS

UN|GN, V1

Sets unmatched Cisco IOS command behavior. The default is that any Cisco IOS commands not defined via a combination of Actions 174 and 175 will be denied. This behavior can be changed so that issued Cisco IOS commands that do not match any command/command argument pairs are authorized:

GN = "Group 1" 
V1 = "permit" 

or

UN = "fred" 
V1 = "deny" 

The first example will permit any command not defined by Action 174.

179

REMOVE_ALL_IOS_COMMANDS

UN|GN

This action removes all Cisco IOS commands defined for a particular user or group.

210

RENAME_GROUP

GN,V1

Renames an existing group to the name supplied in V1.

211

RESET_GROUP

GN

Resets a group back to the factory default.

212

SET_VOIP

GN, V1

Enables or disables Voice over IP (VoIP) support for the group named:

GN = name of group

V1 = ENABLE or DISABLE


Action Codes for Modifying Network Configuration

Table F-6 lists the action codes for adding AAA clients, AAA servers, network device groups, and proxy table entries. Transactions using these codes affect the configuration that appears in the Network Configuration section of the web interface. For more information about the Network Configuration section, see Chapter 3, "Network Configuration."

Table F-6 Action Codes for Modifying Network Configuration 

Action Code
Name
Required
Description

220

ADD_NAS

VN, V1, V2, V3

Adds a new AAA client (named in VN) with an IP address (V1), shared secret key (V2), and vendor (V3). Valid vendors are:

VENDOR_ID_IETF_RADIUS—For IETF RADIUS.

VENDOR_ID_CISCO_RADIUS—For Cisco IOS/PIX RADIUS.

VENDOR_ID_CISCO_TACACS—For Cisco TACACS+.

VENDOR_ID_AIRESPACE_RADIUS—For Cisco Airespace RADIUS.

VENDOR_ID_ASCEND_RADIUS—For Ascend RADIUS.

VENDOR_ID_ALTIGA_RADIUS—For Cisco 3000/ASA/PIX 7.x+ RADIUS.

VENDOR_ID_AIRONET_RADIUS—For Cisco Aironet RADIUS.

VENDOR_ID_NORTEL_RADIUS—For Nortel RADIUS.

VENDOR_ID_JUNIPER_RADIUS—For Juniper RADIUS.

VENDOR_ID_CBBMS_RADIUS—For Cisco BBMS RADIUS.

For example:

VN = AS5200-11 
V1 = 192.168.1.11 
V2 = byZantine32 
V3 = VENDOR_ID_CISCO_RADIUS

221

SET_NAS_FLAG

VN, V1

Sets one of the per-AAA client flags (V1) for the named AAA client (VN). Use the action once for each flag required. Valid values for per-AAA client flags are:

FLAG_SINGLE_CONNECT

FLAG_LOG_KEEP_ALIVE

FLAG_LOG_TUNNELS

222

DEL_HOST

VN

Deletes the named AAA client (VN).

223

ADD_NAS_BY_IETF_CODE

VN,V1, V2, V3

Adds a new AAA client (named in VN) with an IP address (V1), shared secret key (V2), and the enterprise code for the vendor (V3).

230

ADD_AAA_SERVER

VN, V1, V2

Adds a new AAA server named (VN) with IP address (V1), shared secret key (V2).

231

SET_AAA_TYPE

VN, V1

Sets the AAA server type for server (VN) to value in V1, which should be one of the following:

TYPE_ACS

TYPE_TACACS

TYPE_RADIUS

The default is AAA_SERVER_TYPE_ACS.

232

SET_AAA_FLAG

VN, V1

Sets one of the per-AAA client flags (V1) for the named AAA server (VN):

FLAG_LOG_KEEP_ALIVE

FLAG_LOG_TUNNELS

Use the action once for each flag required.

233

SET_AAA_TRAFFIC_TYPE

VN, V1

Sets the appropriate traffic type (V1) for the named AAA server (VN):

TRAFFIC_TYPE_INBOUND

TRAFFIC_TYPE_OUTBOUND

TRAFFIC_TYPE_BOTH

The default is TRAFFIC_TYPE_BOTH.

234

DEL_AAA_SERVER

VN

Deletes the named AAA server (VN).

240

ADD_PROXY

VN, V1, V2, V3

Adds a new proxy markup (VN) with markup type (V1) strip markup flag (V2) and accounting flag (V3).

The markup type (V1) must be one of the following:

MARKUP_TYPE_PREFIX

MARKUP_TYPE_SUFFIX

The markup strip flag should be TRUE if the markup is to be removed from the username before forwarding.

The accounting flag (V3) should be one of the following:

ACCT_FLAG_LOCAL

ACCT_FLAG_REMOTE

ACCT_FLAG_BOTH

241

ADD_PROXY_TARGET

VN, V1

Adds to named proxy markup (VN) the host name (V1). The host should already be configured in ACS.

Note The order in which proxy targets are added sets the proxy search order; the first target added is the first target proxied to, and so on. The order must be changed through the web interface.

242

DEL_PROXY

VN

Deletes the named proxy markup (VN).

250

ADD_NDG

VN

Creates a network device group (NDG) named (VN).

251

DEL_NDG

VN

Deletes the named NDG.

252

ADD_HOST_TO_NDG

VN, V1

Adds to the named AAA client/AAA server (VN) the NDG (V1).

270

SET_DCS_ASSIGNMENT

271

ADD_NDG_TO_DCS_MAPPING

300

RESTART_PROTO_MODULES

Restarts the CSRadius and CSTacacs services to apply new settings.

350

ADD_UDV

VN, V1, V2

Adds a RADIUS vendor to the ACS vendor database. Vendors added to ACS by this method are know as User-Defined Vendors (UDV).

VN contains the name of the Vendor.

Note ACS adds RADIUS(...) to the name entered in the Variable Name field. For example, if you enter the name MyCo, ACS displays RADIUS (MyCo) in the web interface.

V1 contains the user-defined vendor slot number or AUTO_ASSIGN_SLOT. ACS has ten vendor slots, numbered 0 through 9. If you specify AUTO_ASSIGN_SLOT, ACS selects the next available slot for your vendor.

Note If you want to replicate UDVs between ACSs, you must assign the UDV to the same slot number on both ACSs.

V2 contains the IANA-assigned enterprise code for the vendor.

351

DEL_UDV

V1

Removes the vendor with the IETF code specified in V1 and any defined VSAs.

Note Action code 351 does not remove any instances of VSAs assigned to ACS groups or users. If ACS has AAA clients configured with the UDV specified in V1, the delete operation fails.

352

ADD_VSA

VN, V1, V2, V3

Adds a new VSA to the vendor specified by the vendor IETF code in V1.

VN is the VSA name. If the vendor name is MyCo and the attribute is assigned a group ID, we recommend prefixing the vendor name or an abbreviation to all VSAs. For example, VSAs could be MyCo-Assigned-Group-Id.

Note VSA names must be unique to the vendor and to the ACS dictionary. For example, MyCo-Framed-IP-Address is allowed but Framed-IP-Address is not, because Framed-IP-Address is used by IETF action code 8 in the RADIUS attributes.

V2 is the VSA number. This must be in the 0-255 range.

V3 is the VSA type as one of following values:

INTEGER

STRING

IPADDR

By default, VSAs are assumed to be outbound (or authorization) attributes. If the VSA is either multi-instance or used in accounting messages, use SET_VSA_PROFILE (Action code 353).

353

SET_VSA_PROFILE

V1, V2, V3

Sets the inbound/outbound profile of the VSA. The profile specifies usage IN for accounting, OUT for authorization, or MULTI if more than a singe instance is allowed per RADIUS message. Combinations are allowed.

V1 contains the vendor IETF code.

V2 contains the VSA number.

V3 contains the profile, one of the following:

IN 
OUT 
IN OUT 
MULTI OUT 
MULTI IN OUT

354

ADD_VSA_ENUM

VN, V1, V2, V3

Sets meaningful enumerated values, if the VSA attribute has enumerated. In the User Setup section, the ACS web interface displays the enumeration strings in a list.

VN contains the VSA Enum Name.

V1 contains the vendor IETF code.

V2 contains the VSA number.

V3 contains the VSA Enum Value.

Example:

VN = Disabled 
V1 = 9034 
V2 = MyCo-Encryption 
V3 = 0 

or

VN = Enabled 
V1 = 9034 
V2 = MyCo-Encryption 
V3 = 1

355

ADOPT_NEW_UDV_OR_VSA

Restarts the CSAdmin, CSRadius, and CSLog services. These services must be restarted before new UDVs or VSAs can become usable.


ACS Attributes and Action Codes

This section complements the previous section by providing an inverse reference; it provides topics with tables that list ACS attributes, their data types and limits, and the action codes you can use to act upon the ACS attributes.

This section contains the following topics:

User-Specific Attributes

User-Defined Attributes

Group-Specific Attributes

User-Specific Attributes

Table F-7 lists the attributes that define an ACS user, including their data types, limits, and default values. It also provides the action code you can use in accountActions to affect each attribute. Although there are many actions available, adding a user requires only one transaction: ADD_USER. You can safely leave other user attributes at their default values. The term NULL is not simply an empty string, but means not set; that is, the value will not be processed. Some features are processed only if they have a value assigned to them. For more information about action codes, see Action Codes.

Table F-7 User-Specific Attributes 

Attribute
Actions
Logical Type
Limits
Default

Username

100, 101

String

1-64 characters

ASCII/PAP Password

100, 102

String

4-32 characters

Random string

CHAP Password

103

String

4-32 characters

Random string

Outbound CHAP Password

104

String

4-32 characters

NULL

TACACS+ Enable Password

105

String Password

4-32 characters

NULL

Integer privilege level

0-15 characters

NULL

Group

106

String

0-100 characters

Default Group

Password Supplier

107

Enum

See Table F-3.

LIBRARY_CSDB

Password Type

108

Enum

See Table F-3.

PASS_TYPE_CSDB (password is cleartext PAP)

Password Expiry Status

109, 110

Bitwise Enum

See Table F-3.

PASS_STATUS_
NEVER (never expires)

Expiry Data

112, 113

Short wrong max/current

0-32,767

Expiry date

Max Sessions

114

Unsigned short

0-65535

MAX_SESSIONS_AS_GROUP

TODDOW Restrictions

140

String

168 characters

111111111111

NAS Access Control

120, 122

Bool enabled

T/F

NULL

Bool permit/deny

T/F

ACL String (See Table F-4.)

0-31 KB

Dial-Up Access Control

121, 123

Bool enabled

T/F

NULL

Bool permit/deny

T/F

NULL

ACL String (See Table F-4.)

0-31 KB

NULL

Static IP Address

150

Enum scheme

(See Table F-4.)

Client

String IP/Pool name

0-31 KB

NULL

Callback Number

151

String

0-31 KB

NULL

TACACS+ Attributes

170, 173

Formatted String

0-31 KB

NULL

RADIUS Attributes

160, 162

Formatted String

0-31 KB

NULL

UDF 1

1, 2

String Real Name

0-31 KB

NULL

UDF 2

1, 2

String Description

0-31 KB

NULL

UDF 3

1, 2

String

0-31 KB

NULL

UDF 4

1, 2

String

0-31 KB

NULL

UDF 5

1, 2

String

0-31 KB

NULL


User-Defined Attributes

User-defined attributes (UDAs) are string values that can contain any data, such as social security number, department name, telephone number, and so on. You can configure ACS to include UDAs on accounting logs about user activity. For more information about configuring UDAs, see Customizing User Data, page 2-5.

RDBMS Synchronization can set UDAs by using the SET_VALUE action (code 1) to create a value called USER_DEFINED_FIELD_0 or USER_DEFINED_FIELD_1. For accountActions rows defining a UDA value, the AppId (AI) field must contain APP_ CSAUTH and the Value2(V2) field must contain TYPE_STRING.

Table F-8 lists the data fields that define UDAs. For more information about action codes, see Action Codes.

Table F-8 User-Defined Attributes 

Action
Username (UN)
ValueName (VN)
Value1 (V1)
Value2 (V2)
AppId (AI)

1

fred

USER_DEFINED_FIELD_0

SS123456789

TYPE_STRING

APP_CSAUTH

1

fred

USER_DEFINED_FIELD_1

Engineering

TYPE_STRING

APP_CSAUTH

1

fred

USER_DEFINED_FIELD_2

949-555-1111

TYPE_STRING

APP_CSAUTH



Note If more than two UDAs are created, only the first two are passed to accounting logs.


Group-Specific Attributes

Table F-9 lists the attributes that define an ACS group, including their data types, limits, and default values. It also provides the action code that you can use in your accountActions table to affect each field. For more information about action codes, see Action Codes.

Table F-9 Group-Specific Attributes 

Attribute
Actions
Logical Type
Limits
Default

Max Sessions

114

Unsigned short

0-65534

MAX_SESSIONS_UNLIMITED

Max Sessions for user of group

115

Unsigned short

0-65534

MAX_SESSIONS_UNLIMITED

Token caching for session

130

Bool

T/F

NULL

Token caching for duration

131

Integer time in seconds

0-65535

NULL

TODDOW Restrictions

140

String

168 characters

111111111111

NAS Access Control

120, 122

Bool enabled

T/F

NULL

Bool permit/deny

T/F

ACL String (See Table F-4.)

0-31 KB

Dial-Up Access Control

121, 123

Bool enabled

T/F

NULL

Bool permit/deny

T/F

NULL

ACL String (See Table F-4.)

0-31 KB

NULL

Static IP Address

150

Enum scheme

(See Table F-4.)

Client

String IP/Pool name

0-31 KB

NULL

RADIUS Attributes

160, 162

Formatted String

0-31 KB

NULL

TACACS+ Attributes

170, 173

Formatted String

0-31 KB

NULL

VoIP Support

212

Bool disabled

T/F

NULL


An Example of accountActions

Table F-10 presents an sample instance of accountActions that contains some of the action codes described in Action Codes. First user fred is created, along with his passwords, including a TACACS_ Enable password with privilege level 10. Fred is assigned to Group 2. His account expires after December 31, 1999, or after 10 incorrect authentication attempts. Attributes for Group 2 include Time-of-Day/Day-of-Week restrictions, token caching, and some RADIUS attributes.


Note This example omits several columns that should appear in any accountActions table. The omitted columns are Sequence ID (SI), Priority (P), DateTime (DT), and MessageNo (MN).


Table F-10 Example accountActions Table 

Action
User name (UN)
Group Name (GN)
Value Name (VN)
Value1 (V1)
Value2 (V2)
Value3 (V3)
AppId (AI)

100

fred

fred

102

fred

freds_password

103

fred

freds_chap_password

104

fred

freds_outbound_password

105

fred

freds_enable_password

10

106

fred

Group 2

150

fred

123.123.123.123

151

fred

01832-123900

109

fred

PASS_STATUS_NEVER

110

fred

PASS_STATUS_WRONG

110

fred

PASS_STATUS_EXPIRES

112

fred

10

113

fred

19991231

114

fred

50

115

fred

50

120

fred

ACCESS_PERMIT

121

fred

ACCESS_DENY

122

fred

NAS01,tty0,01732-975374

123

fred

01732-975374,01622-123123

CLID/
DNIS

1

fred

USER_
DEFINED_
FIELD_0

Fred Jones

TYPE_
STRING

APP_
CSAUTH

140

Group 2

[a string of 168 ones (1)]

130

Group 2

DISABLE

131

Group 2

61

163

Group 2

Reply-
Message

Welcome to Your Internet Service

163

Group 2

Vendor-
Specific

addr-pool=pool2

9

1