Table of Contents

Cisco Secure ACS Command-Line Database Utility

This appendix details the Cisco Secure ACS command-line utility, CSUtil.exe. Among its several functions, CSUtil.exe enables you to add, change, and delete users from a colon-delimited text file. You can also use the utility to add and delete AAA client configurations.

Note   You can accomplish similar tasks using the ACS System Backup, ACS System Restore, Database Replication, and RDBMS Synchronization features. For more information on these features, see "Establishing Cisco Secure ACS System Configuration."

This appendix contains the following topics:

Location of CSUtil.exe and Related Files

When you install Cisco Secure ACS in the default location, CSUtil.exe is located in the following directory:

C:\Program Files\CiscoSecure ACS vX.X\Utils

where X.X is the version of your Cisco Secure ACS software. Regardless of where you install Cisco Secure ACS, CSUtil.exe is located in the Utils directory.

Files generated by or accessed by CSUtil.exe are also located in the Utils directory.

CSUtil.exe Syntax

The syntax for the CSUtil.exe command is as follows:

Note   Most CSUtil.exe options require that you stop the CSAuth service. While the CSAuth service is stopped, Cisco Secure ACS does not authenticate users. To determine if an option requires that you stop CSAuth, see CSUtil.exe Options D-3.

You can combine many of the options in a single use of CSUtil.exe. If you are new to using CSUtil.exe, we recommend performing only one option at a time, with the exception of those options, such as -p, that must be used in conjunction with other options.

Experienced CSUtil.exe users may find it useful to combine CSUtil.exe options, such as in the following example, which would first import AAA client configurations and then generate a dump of all Cisco Secure ACS internal data:

CSUtil.exe Options

CSUtil.exe can perform several actions. The options, listed below in alphabetical order, are detailed in later sections of this chapter.

Backing Up Cisco Secure ACS with CSUtil.exe

You can use the -b option to create a system backup of all Cisco Secure ACS internal data. The resulting backup file has the same data as the backup files produced by the ACS Backup feature found in the HTML interface. For more information about the ACS Backup feature, see Cisco Secure ACS Backup.

Note   During the backup, all services are automatically stopped and restarted. No users are authenticated while the backup is occurring.

To back up Cisco Secure ACS with CSUtil.exe, follow these steps:

Step 2   Type:

where filename is the name of the backup file. Press Enter.

Result: CSUtil.exe displays a confirmation prompt.

Step 3   To confirm that you want to perform a backup and to halt all Cisco Secure ACS services during the backup, type Y and press Enter.

Result: CSUtil.exe generates a complete backup of all Cisco Secure ACS internal data, including user accounts and system configuration. This process may take a few minutes.

---

Note    CSUtil.exe displays the error message Backup Failed when it attempts to back up components of Cisco Secure ACS that are empty, such as when no administrator accounts exist. These apply only to components that are empty, not to the overall success or failure of the backup.

---

Restoring Cisco Secure ACS with CSUtil.exe

You can use the -r option to restore all Cisco Secure ACS internal data. The backup file from which you restore Cisco Secure ACS can be one generated by the CSUtil.exe -b option or by the ACS Backup feature in the HTML interface.

Cisco Secure ACS backup files contain two types of data:

You can restore either user and group data or system configuration, or both. For more information about the ACS Backup feature, see Cisco Secure ACS Backup.

Note   During the backup, all services are automatically stopped and restarted. No users are authenticated while the restoration is occurring.

To restore Cisco Secure ACS with CSUtil.exe, follow these steps:

Step 2   Perform the applicable restoration command:

where filename is the name of the backup file. Press Enter.

where filename is the name of the backup file. Press Enter.

where filename is the name of the backup file. Press Enter.

Result: CSUtil.exe displays a confirmation prompt.

Step 3   To confirm that you want to perform a restoration and to halt all Cisco Secure ACS services during the restoration, type Y and press Enter.

Result: CSUtil.exe restores the specified portions of your Cisco Secure ACS data. This process may take a few minutes.

---

Note    If the backup file is missing a database component, CSUtil.exe displays an error message. Such an error message applies only to the restoration of the missing component. The absence of a database component in a backup is usually intentional and indicates that the component was empty in Cisco Secure ACS at the time the backup was created.

---

Creating a CiscoSecure User Database

You can use the -n option to create a CiscoSecure user database.

Note   Using the -n option requires that you stop the CSAuth service. While CSAuth is stopped, no users are authenticated.

Caution   Using the -n option erases all user information in the CiscoSecure user database. Unless you have a current backup or dump of your CiscoSecure user database, all user accounts are lost when you use this option.

To create a CiscoSecure user database, follow these steps:

Step 2   On the Cisco Secure ACS server, open an MS DOS command prompt and change directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see Location of CSUtil.exe and Related Files.

Step 3   If the CSAuth service is running, type:

and press Enter.

Result: The CSAuth service stops.

Step 4   Type:

and press Enter.

Result: CSUtil.exe displays a confirmation prompt.

Step 5   To confirm that you want to initialize the CiscoSecure user database, type Y and press Enter.

Result: The CiscoSecure user database is initialized. This process may take a few minutes.

Step 6   To resume user authentication, type:

and press Enter.

Creating a Cisco Secure ACS Database Dump File

You can use the -d option to dump all contents of the CiscoSecure user database into a text file. In addition to providing a thorough, eye-readable, and compressible backup of all Cisco Secure ACS internal data, a database dump can also be useful for the Cisco Technical Assistance Center (TAC) during troubleshooting.

Using the -l option, you can reload the Cisco Secure ACS internal data from a dump file created by the -d option. For more information about the -l option, see Loading the Cisco Secure ACS Database from a Dump File.

Note   Using the -d option requires that you stop the CSAuth service. While CSAuth is stopped, no users are authenticated.

To dump all Cisco Secure ACS internal data into a text file, follow these steps:

Step 2   If the CSAuth service is running, type:

and press Enter.

Result: The CSAuth service stops.

Step 3   Type:

and press Enter.

Result: CSUtil.exe displays a confirmation prompt.

Step 4   To confirm that you want to dump all Cisco Secure ACS internal data into dump.txt, type Y and press Enter.

Result: CSUtil.exe creates the dump.txt file. This process may take a few minutes.

Step 5   To resume user authentication, type:

and press Enter.

Loading the Cisco Secure ACS Database from a Dump File

You can use the -l option to overwrite all Cisco Secure ACS internal data from a dump text file. This option replaces the existing all Cisco Secure ACS internal data with the data in the dump text file. In effect, the -l option initializes all Cisco Secure ACS internal data before loading it from the dump text file. Dump text files are created using the -d option. While the -d option only produces dump text files that are named dump.txt, the -l option allows for loading renamed dump files. For more information about creating dump text files, see Creating a Cisco Secure ACS Database Dump File.

You can use the -p option in conjunction with the -l option to reset password-aging counters.

Note   Using the -l option requires that you stop the CSAuth service. While CSAuth is stopped, no users are authenticated.

To load all Cisco Secure ACS internal data from a text file, follow these steps:

Step 2   If the CSAuth service is running, type:

and press Enter.

Result: The CSAuth service stops.

Step 3   Type:

where filename is the name of the dump file you want CSUtil.exe to use to load Cisco Secure ACS internal data. Press Enter.

Result: CSUtil.exe displays a confirmation prompt for overwriting all Cisco Secure ACS internal data with the data in the dump text file.

---

Note    Overwriting the database does not preserve any data; instead, after the overwrite, the database contains only what is specified in the dump text file.

---

Step 4   To confirm that you want to replace all Cisco Secure ACS internal data, type Y and press Enter.

Result: CSUtil.exe initializes all Cisco Secure ACS internal data, and then loads Cisco Secure ACS with the information in the dump file specified. This process may take a few minutes.

Step 5   To resume user authentication, type:

and press Enter.

Compacting the CiscoSecure User Database

Like many relational databases, the CiscoSecure user database handles the deletion of records by marking deleted records as deleted but not removing the record from the database. Over time, your CiscoSecure user database may be substantially larger than is required by the number of users it contains. To reduce the CiscoSecure user database size, you can compact it periodically.

Compacting the CiscoSecure user database consists of using in conjunction three CSUtil.exe options:

Additionally, if you want to automate this process, consider using the -q option to suppress the confirmation prompts that otherwise appear before CSUtil.exe performs the -n and -l options.

Note   Compacting the CiscoSecure user database requires that you stop the CSAuth service. While CSAuth is stopped, no users are authenticated.

To compact the CiscoSecure user database, follow these steps:

Step 2   If the CSAuth service is running, type:

and press Enter.

Result: The CSAuth service stops.

Step 3   Type:

Press Enter.

Tip If you include the -q option in the command, CSUtil.exe does not prompt you for confirmation of initializing or loading the database.

Result: If you do not use the -q option, CSUtil.exe displays a confirmation prompt for initializing the database and then for loading the database. For more information about the effects of the -n option, see Creating a CiscoSecure User Database. For more information about the effects of the -l option, see Loading the Cisco Secure ACS Database from a Dump File.

Step 4   For each confirmation prompt that appears, type Y and press Enter.

Result: CSUtil.exe dumps all Cisco Secure ACS internal data to dump.txt, initializes the CiscoSecure user database, and reloads all Cisco Secure ACS internal data from dump.txt. This process may take a few minutes.

Step 5   To resume user authentication, type:

and press Enter.

User and AAA Client Import Option

The -i option enables you to update Cisco Secure ACS with data from a colon-delimited text file. You can also update AAA client definitions.

For user accounts, you can add users, change user information such as passwords, or delete users. For AAA client definitions, you can add or delete AAA clients.

This section contains the following topics:

Importing User and AAA Client Information

To import user or AAA client information, follow these steps:

Step 2   Create an import text file. For more information about what an import text file can or must contain, see User and AAA Client Import File Format.

Step 3   Copy or move the import text file to the same directory as CSUtil.exe. For more information about the location of CSUtil.exe, see Location of CSUtil.exe and Related Files.

Step 4   On the Cisco Secure ACS server, open an MS DOS command prompt and change directories to the directory containing CSUtil.exe.

Step 5   Type:

where filename is the name of the import text file you want CSUtil.exe to use to update Cisco Secure ACS. Press Enter.

Result: CSUtil.exe displays a confirmation prompt for updating the database.

Step 6   To confirm that you want to update Cisco Secure ACS with the information from the import text file specified, type Y and press Enter.

Result: Cisco Secure ACS is updated with the information in the import text file specified. This process may take a few minutes.

If the import text file contained AAA client configuration data, CSUtil.exe warns you that you need to restart CSTacacs and CSRadius for these changes to take effect.

Step 7   To restart CSRadius, follow these steps:

and press Enter.

Result: The CSRadius service stops.

and press Enter.

Step 8   To restart CSTacacs, follow these steps:

and press Enter.

Result: The CSTacacs service stops.

and press Enter.

User and AAA Client Import File Format

The import file can contain six different line types. At least two are required. This section contains an overview topic, topics for each of the six line types, and an example section:

About User and AAA Client Import File Format

Each line of a CSUtil.exe import file is a series of colon-separated tokens. Some of the tokens are followed by values. Values, like tokens, are colon-delimited. For tokens that require values, CSUtil.exe expects the value of the token to be in the colon-delimited field immediately following the token.

ONLINE or OFFLINE Statement

CSUtil.exe requires an ONLINE or OFFLINE token in an import text file. The file must begin with a line that contains only an ONLINE or OFFLINE token. The ONLINE and OFFLINE tokens are described in Table D-1.

ADD Statements

ADD statements are optional. Only the ADD token and its value are required to add a user to Cisco Secure ACS. The valid tokens for ADD statements are listed in Table D-2.

Note   CSUtil.exe provides no means to specify a particular instance of an external user database type. If a user is to be authenticated by an external user database and Cisco Secure ACS has multiple instances of the specified database type, CSUtil.exe assigns the user to the first instance of that database type. For example, if Cisco Secure ACS has two LDAP external user databases configured, CSUtil.exe creates the user record and assigns the user to the LDAP database that was added to Cisco Secure ACS first.

For example, the following ADD statement would create an account with the username "John", assign it to Group 3, and specify that John should be authenticated by the CiscoSecure user database with the password "closedmondays":

UPDATE Statements

UPDATE statements are optional. They make changes to existing user accounts. Only the UPDATE token and its value are required by CSUtil.exe, but if no other tokens are included, no changes are made to the user account. You can use the UPDATE statement to update the group a user is assigned to or to update which database Cisco Secure ACS uses to authenticate the user. The valid tokens for UPDATE statements are listed in Table D-3.

For example, the following UPDATE statement causes CSUtil.exe to update the account with username "John", assign it to Group 50, specify that John should be authenticated by a UNIX-encrypted password, with a separate CHAP password "goodoldchap":

DELETE Statements

DELETE statements are optional. The DELETE token and its value are required to delete a user account from Cisco Secure ACS. The DELETE token, detailed in Table D-4, is the only token in a DELETE statement.

For example, the following DELETE statement causes CSUtil.exe to permanently remove the account with username "John" from the CiscoSecure user database:

ADD_NAS Statements

ADD_NAS statements are optional. The ADD_NAS, IP, KEY, and VENDOR tokens and their values are required to add a AAA client definition to Cisco Secure ACS. The valid tokens for ADD_NAS statements are listed in Table D-5.

For example, the following ADD_NAS statement causes CSUtil.exe to add a AAA client with the name "SVR2-T+", using TACACS+ with the single connection and keep alive packet options enabled:

DEL_NAS Statements

DEL_NAS statements are optional. The DEL_NAS token, detailed in Table D-6, is the only token in a DEL_NAS statement. DEL_NAS statements delete AAA client definitions from Cisco Secure ACS.

For example, the following DEL_NAS statement causes CSUtil.exe to delete a AAA client with the name "SVR2-T+":

Import File Example

The following is an example import text file:

Exporting User List to a Text File

You can use the -u option to export a list of all users in the CiscoSecure user database to a text file named users.txt. The users.txt file organizes users by group. Within each group, users are listed in the order that their user accounts were created in the CiscoSecure user database. For example, if accounts were created for Pat, Dana, and Lloyd, in that order, users.txt lists them in that order as well, rather than alphabetically.

Note   Using the -u option requires that you stop the CSAuth service. While CSAuth is stopped, no users are authenticated.

To export user information from the CiscoSecure user database into a text file, follow these steps:

Step 2   If the CSAuth service is running, type:

and press Enter.

Result: The CSAuth service stops.

Step 3   Type:

and press Enter.

Result: CSUtil.exe exports information for all users in the CiscoSecure user database to a file named users.txt.

Step 4   To resume user authentication, type:

and press Enter.

Exporting Group Information to a Text File

You can use the -g option to export group configuration data, including device command sets, from the CiscoSecure user database to a text file named groups.txt. The groups.txt file is useful primarily for debugging purposes while working with the TAC.

Note   Using the -g option requires that you stop the CSAuth service. While CSAuth is stopped, no users are authenticated.

To export group information from the CiscoSecure user database to a text file, follow these steps:

Step 2   If the CSAuth service is running, type:

and press Enter.

Result: The CSAuth service stops.

Step 3   Type:

and press Enter.

Result: CSUtil.exe exports information for all groups in the CiscoSecure user database to a file named groups.txt.

Step 4   To resume user authentication, type:

and press Enter.

Exporting Registry Information to a Text File

You can use the -y option to export Windows Registry information for Cisco Secure ACS. CSUtil.exe exports the Registry information to a file named setup.txt. The setup.txt file is primarily useful for debugging purposes while working with the TAC.

To export Registry information from Cisco Secure ACS to a text file, follow these steps:

Step 2   Type:

and press Enter.

Result: CSUtil.exe exports Windows Registry information for Cisco Secure ACS to a file named setup.txt.

Decoding Error Numbers

You can use the -e option to decode error numbers found in Cisco Secure ACS service logs. These are error codes internal to Cisco Secure ACS. For example, the CSRadius log could contain a message similar to the following:

In this example, the error code number that you could use CSUtil.exe to decode is "-1087":

Note   The -e option applies to Cisco Secure ACS internal error codes only, not to Windows error codes sometimes captured in Cisco Secure ACS logs, such as when Windows NT/2000 authentication fails.

For more information about Cisco Secure ACS service logs, see Service Logs.

To decode an error number from a Cisco Secure ACS service log, follow these steps:

Step 2   Type:

where number is the error number found in the Cisco Secure ACS service log. Press Enter.

---

Note    The hyphen (-) before number is required.

---

Result: CSUtil.exe displays the text message equivalent to the error number specified.

Recalculating CRC Values

The -c option is for use by the TAC. Its purpose is to resolve CRC (cyclical redundancy check) value conflicts between files manually copied into your Cisco Secure ACS directories and the values recorded in the Windows Registry.

Note   Do not use the -c option unless a Cisco representative requests that you do.

User-Defined RADIUS Vendors and VSA Sets

This section provides information and procedures about user-defined RADIUS vendors and VSAs. It contains the following topics:

About User-Defined RADIUS Vendors and VSA Sets

In addition to a set of predefined RADIUS vendors and vendor-specific attributes (VSAs), Cisco Secure ACS supports RADIUS vendors and VSAs that you define. We recommend that you use RDBMS Synchronization to add and configure custom RADIUS vendors; however, you can use CSUtil.exe to accomplish the same custom RADIUS vendor and VSA configurations that you can accomplish using RDBMS Synchronization. Custom RADIUS vendor and VSA configuration created by either of these two features—RDBMS Synchronization or CSUtil.exe—can be modified by the other feature. Choosing one feature for configuring custom RADIUS vendors and VSAs does not preclude using the other feature. For more information about RDMBS Synchronization, see RDBMS Synchronization.

Vendors you add must be IETF-compliant; therefore, all VSAs that you add must be sub-attributes of IETF RADIUS attribute number 26. You can define up to ten custom RADIUS vendors, numbered 0 (zero) through 9. CSUtil.exe allows only one instance of any given vendor, as defined by the unique vendor IETF ID number and by the vendor name.

Note   If you intend to replicate user-defined RADIUS vendor and VSA configurations, user-defined RADIUS vendor and VSA definitions to be replicated must be identical on the primary and secondary Cisco Secure ACS servers, including the RADIUS vendor slots that the user-defined RADIUS vendors occupy. For more information about database replication, see CiscoSecure Database Replication, page 8-9.

Adding a Custom RADIUS Vendor and VSA Set

You can use the -addUDV option to add up to ten custom RADIUS vendors and VSA sets to Cisco Secure ACS. Each RADIUS vendor and VSA set is added to one of ten possible user-defined RADIUS vendor slots.

Note   While CSUtil.exe adds a custom RADIUS vendor and VSA set to Cisco Secure ACS, all Cisco Secure ACS services are automatically stopped and restarted. No users are authenticated while this process is occurring.

Before You Begin

To add a custom RADIUS VSA to Cisco Secure ACS, follow these steps:

Step 2   Type:

where slot-number is an unused Cisco Secure ACS RADIUS vendor slot and filename is the name of a RADIUS vendor/VSA import file. The filename can include a relative or absolute path to the RADIUS vendor/VSA import file. Press Enter.

For example, to add the RADIUS vendor defined in d:\acs\myvsa.ini to slot 5, the command would be:

Result: CSUtil.exe displays a confirmation prompt.

Step 3   To confirm that you want to add the RADIUS vendor and halt all Cisco Secure ACS services during the process, type Y and press Enter.

Result: CSUtil.exe halts Cisco Secure ACS services, parses the vendor/VSA input file, and adds the new RADIUS vendor and VSAs to Cisco Secure ACS. This process may take a few minutes. After it is complete, CSUtil.exe restarts Cisco Secure ACS services.

---

Note    We recommend that you archive RADIUS vendor/VSA import files. During upgrades, the Utils directory, where CSUtil.exe is located, is replaced, including all its contents. Backing up RADIUS vendor/VSA import files ensures that you can recover your custom RADIUS vendors and VSAs after reinstallation or upgrading to a later release.

---

Deleting a Custom RADIUS Vendor and VSA Set

You can use the -delUDV option to delete a custom RADIUS vendor from Cisco Secure ACS.

Note   While CSUtil.exe deletes a custom RADIUS vendor from Cisco Secure ACS, all Cisco Secure ACS services are automatically stopped and restarted. No users are authenticated while this process is occurring.

Before You Begin

Verify that, in the Network Configuration section of the Cisco Secure ACS HTML interface, no AAA client uses the RADIUS vendor. For more information about configuring AAA clients, see AAA Client Configuration.

Verify that your RADIUS accounting log does not contain attributes from the RADIUS vendor you want to delete. For more information about configuring your RADIUS accounting log, see Accounting Logs.

To delete a custom RADIUS vendor and VSA set from Cisco Secure ACS, follow these steps:

Step 2   Type:

where slot-number is the slot containing the RADIUS vendor that you want to delete. Press Enter.

---

Note    For more information about determining what RADIUS vendor a particular slot contains, see Listing Custom RADIUS Vendors.

---

Result: CSUtil.exe displays a confirmation prompt.

Step 3   To confirm that you want to halt all Cisco Secure ACS services while deleting the custom RADIUS vendor and VSAs, type Y and press Enter.

Result: CSUtil.exe displays a second confirmation prompt.

Step 4   To confirm that you want to delete the RADIUS vendor, type Y and press Enter.

Result: CSUtil.exe halts Cisco Secure ACS services, deletes the specified RADIUS vendor from Cisco Secure ACS. This process may take a few minutes. After it is complete, CSUtil.exe restarts Cisco Secure ACS services.

Listing Custom RADIUS Vendors

You can use the -listUDV option to determine what custom RADIUS vendors are defined in Cisco Secure ACS. This option also enables you to determine which of the ten possible custom RADIUS vendor slots are in use and which RADIUS vendor occupies each used slot.

To list all custom RADIUS vendors defined in Cisco Secure ACS, follow these steps:

Step 2   Type:

Press Enter.

Result: CSUtil.exe lists each user-defined RADIUS vendor slot in slot number order. CSUtil.exe lists slots that do not contain a custom RADIUS vendor as "Unassigned". An unassigned slot is empty. You can add a custom RADIUS vendor to any slot listed as "Unassigned".

Exporting Custom RADIUS Vendor and VSA Sets

You can export all custom RADIUS vendor and VSA sets to files. Each vendor and VSA set is saved to a separate file. The files created by this option are in the same format as RADIUS vendor/VSA import files. This option is particularly useful if you need to modify a custom RADIUS vendor and VSA set and you have misplaced the original file used to import the set.

Note   Exporting a custom RADIUS vendor and VSA set does not remove the vendor and VSA set from Cisco Secure ACS.

Cisco Secure ACS places all exported vendor/VSA files in a subdirectory of the directory containing CSUtil.exe. The subdirectory is named System UDVs. For more information about the location of CSUtil.exe, see Location of CSUtil.exe and Related Files.

Each exported vendor/VSA file is named UDV_n.ini, where n is the slot number currently occupied by the custom RADIUS vendor and VSA set. For example, if vendor Widget occupies slot 4, the exported file created by CSUtil.exe is UDV_4.ini.

To export custom RADIUS vendor and VSA sets to files, follow these steps:

Step 2   Type:

Press Enter.

Result: For each custom RADIUS vendor and VSA set currently configured in Cisco Secure ACS, CSUtil.exe writes a file in the System UDVs subdirectory.

RADIUS Vendor/VSA Import File

To import a custom RADIUS vendor and VSA set into Cisco Secure ACS, you must define the RADIUS vendor and VSA set in an import file.

We recommend that you archive RADIUS vendor/VSA import files. During upgrades, the Utils directory, where CSUtil.exe is located, is replaced, including all its contents. Backing up RADIUS vendor/VSA import files ensures that you can recover your custom RADIUS vendors and VSAs after reinstallation or upgrading to a later release.

This section details the format and content of RADIUS VSA import files. It includes the following topics:

About the RADIUS Vendor/VSA Import File

RADIUS Vendor/VSA import files use a Windows .ini file format. Each RADIUS vendor/VSA import file comprises three types of sections, detailed in Table D-7. Each section comprises a section header and a set of keys and values. The order of the sections in the RADIUS vendor/VSA import file is irrelevant.

Vendor and VSA Set Definition

Each RADIUS vendor/VSA import file must have one vendor and VSA set section. The section header must be "[User Defined Vendor]". Table D-8 lists valid keys for the vendor and VSA set section.

For example, the following vendor and VSA set section defines the vendor "Widget", whose IETF-assigned vendor number is 9999. Vendor Widget has 4 VSAs (thus requiring 4 attribute definition sections):

Attribute Definition

Each RADIUS vendor/VSA import file must have one attribute definition section for each attribute defined in the vendor and VSA set section. The section header of each attribute definition section must match the attribute name defined for that attribute in the vendor and VSA set section. Table D-9 lists the valid keys for an attribute definition section.

For example, the following attribute definition section defines the widget-encryption VSA, which is an integer used for authorization, and for which enumerations exist in the Encryption-Types enumeration section:

Enumeration Definition

Enumeration definitions enable you to associate a text-based name for each valid numeric value of an integer-type attribute. In the Group Setup and User Setup sections of the Cisco Secure ACS HTML interface, the text values you define appear in lists associated with the attributes that use the enumerations. Enumeration definition sections are required only if an attribute definition section references them. Only attributes that are integer-type attributes can reference an enumeration definition section.

The section header of each enumeration definition section must match the value of an Enums key that references it. An enumeration definition section can be referenced by more than one Enums key, thus allowing for reuse of common enumeration definitions. An enumeration definition section can have up to 1000 keys.

Table D-10 lists the valid keys for an enumeration definition section.

For example, the following enumerations definition section defines the Encryption-Types enumeration, which associates the string value 56-bit with the integer 0 and the string value 128-bit with the integer 1:

Example RADIUS Vendor/VSA Import File

The example RADIUS vendor/VSA import file, below, defines the vendor Widget, whose IETF number is 9999. The vendor Widget has 5 VSAs. Of those attributes, 4 are for authorization and one is for accounting. Only one attribute can have multiple instances in a single RADIUS message. Two attributes have enumerations for their valid integer values and they share the same enumeration definition section.