User Guide for Cisco Secure ACS for Windows Server 3.2
RDBMS Synchronization Import Definitions

Table Of Contents

RDBMS Synchronization Import Definitions

accountActions Specification

accountActions Format

accountActions Mandatory Fields

accountActions Processing Order

Action Codes

Action Codes for Setting and Deleting Values

Action Codes for Creating and Modifying User Accounts

Action Codes for Initializing and Modifying Access Filters

Action Codes for Modifying TACACS+ and RADIUS Group and User Settings

Action Codes for Modifying Network Configuration

Cisco Secure ACS Attributes and Action Codes

User-Specific Attributes

User-Defined Attributes

Group-Specific Attributes

An Example of accountActions

RDBMS Synchronization Import Definitions


RDBMS synchronization import definitions are a listing of the action codes allowable in an accountActions table. The RDBMS Synchronization feature of Cisco Secure Access Control Server (ACS) for Windows Server uses a table named "accountActions" as input for automated or manual updates of the CiscoSecure user database. For more information about the RDBMS Synchronization feature and accountActions, see RDBMS Synchronization.

This chapter contains the following topics:

accountActions Specification

Action Codes

CiscoSecure ACS Attributes and Action Codes

An Example of accountActions

accountActions Specification

Whether you create accountActions by hand in a text editor or through automation using a third-party system that writes to accountActions, you must adhere to the accountActions specification and must only use the action codes detailed in Action Codes. Otherwise, RDBMS Synchronization may import incorrect information into the CiscoSecure user database or may fail to occur at all.

accountActions Format

Each row in accountActions has 14 fields (or columns). Table F-1 lists the fields that compose accountActions, in the order in which they appear in the table.

The one-letter or two-letter abbreviations given in the Mnemonic column are a shorthand notation used to indicate required fields for each action code in Action Codes.

To see an example accountActions, see An Example of accountActions.

Table F-1 accountActions Fields

Field Name      Mnemonic  Type        Size (Max. Length)  Comments
SequenceId      SI        AutoNumber  32                  The unique action ID.
Priority        P         Integer     1                   The priority with which this update is to be treated. Rows with a lower number are processed first (see accountActions Processing Order).
UserName        UN        String      32                  The name of the user to which the transaction applies.
GroupName       GN        String      32                  The name of the group to which the transaction applies.
Action          A         Number      0-2^16              The Action required. (See Action Codes.)
ValueName       VN        String      255                 The name of the parameter to change.
Value1          V1        String      255                 The new value (for numeric parameters, this is a decimal string).
Value2          V2        String      255                 The name of a TACACS+ protocol (for example, "ip") or the RADIUS VSA vendor ID.
Value3          V3        String      255                 The name of a TACACS+ service (for example, "ppp") or the RADIUS VSA attribute number.
DateTime        DT        DateTime    -                   The date/time the Action was created.
MessageNo       MN        Integer     -                   Used to number related transactions for audit purposes.
ComputerNames   CN        String      32                  RESERVED by CSDBSync.
AppId           AI        String      255                 The type of configuration parameter to change.
Status          S         Number      32                  Tri-state: 0 = not processed, 1 = done, 2 = failed. This should normally be set to 0.


accountActions Mandatory Fields

For all actions, the following three fields cannot be empty and must have a valid value:

Action

DateTime

SequenceId

In addition to these three required fields, the UserName and GroupName fields are often required to have a valid value:

If a transaction acts upon a user account, a valid value is required in the UserName field.

If a transaction acts upon a group, a valid value is required in the GroupName field.

If a transaction acts upon AAA client configuration, neither the UserName field nor the GroupName field requires a value.


Note For most actions the UserName and GroupName fields are mutually exclusive: only one of the two may have a value, and neither field is required by every action. The exceptions are the actions that name both a user and a group, such as ADD_USER (action code: 100) with an initial group assignment and SET_GROUP (action code: 106); see Action Codes.


accountActions Processing Order

Cisco Secure ACS reads rows from accountActions and processes them in a specific order, determined first by the Priority field (mnemonic: P) and then by the SequenceId field (mnemonic: SI). The lower the number in the Priority field, the higher the priority, so the rows with the lowest Priority value are processed first. For example, if row A has the value 1 in its Priority field and row B has the value 2, Cisco Secure ACS processes row A first, regardless of which row has the lower SequenceId. Rows of equal priority are processed in ascending SequenceId order, lowest first.

Thus, the Priority field (P) enables transactions of higher importance to occur first, such as deleting a user or changing a password. In the most common implementations of RDBMS Synchronization, a third-party system writes to accountActions in batch mode, with all actions (rows) assigned a priority of zero (0).


Note When changing transaction priorities, be careful that they are processed in the correct order; for example, a user account must be created before the user password is assigned.


You can use the MessageNo field (mnemonic: MN) to associate related transactions, such as the addition of a user and subsequent actions to set password values and status. You can use the MessageNo field to create an audit trail for a third-party system that writes to accountActions.
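The following Python script is an added example, not part of the Cisco documentation or of CSDBSync. It applies the mandatory-field and size rules from Table F-1 and the Priority/SequenceId ordering described above to a constructed batch of rows. The exception it makes for actions 100 and 106 to the UserName/GroupName rule is an inference from Table F-3, and the sample rows, user names and timestamps are invented.

```python
"""Check accountActions rows against the field spec and compute the processing order.

Added example, not Cisco's code. Rows are dicts keyed by the Table F-1 field
names. Assumption: the UserName/GroupName exclusivity rule is relaxed for
ADD_USER (100) and SET_GROUP (106), which Table F-3 lists as taking both.
"""

FIELDS = ["SequenceId", "Priority", "UserName", "GroupName", "Action",
          "ValueName", "Value1", "Value2", "Value3", "DateTime", "MessageNo",
          "ComputerNames", "AppId", "Status"]
MAX_LEN = {"UserName": 32, "GroupName": 32, "ValueName": 255, "Value1": 255,
           "Value2": 255, "Value3": 255, "ComputerNames": 32}
BOTH_UN_GN_ALLOWED = {100, 106}          # assumption drawn from Table F-3
STATUS_NOT_PROCESSED, STATUS_DONE, STATUS_FAILED = 0, 1, 2


def make_row(seq, action, priority=0, **fields):
    """Build one row; fields left unset are None, i.e. NULL in the table."""
    row = dict.fromkeys(FIELDS)
    row.update(SequenceId=seq, Priority=priority, Action=action,
               DateTime="2003-10-01 09:00:00", Status=STATUS_NOT_PROCESSED)
    row.update(fields)
    return row


def validate_row(row):
    """Return the list of spec violations for a row (empty when it is well formed)."""
    errors = []
    for name in ("Action", "DateTime", "SequenceId"):     # mandatory for every action
        if row.get(name) in (None, ""):
            errors.append(f"{name} is mandatory")
    if row.get("UserName") and row.get("GroupName") \
            and row.get("Action") not in BOTH_UN_GN_ALLOWED:
        errors.append("UserName and GroupName are mutually exclusive")
    for name, limit in MAX_LEN.items():
        value = row.get(name)
        if value is not None and len(str(value)) > limit:
            errors.append(f"{name} exceeds {limit} characters")
    if row.get("Status") != STATUS_NOT_PROCESSED:
        errors.append("Status must be 0 for a row awaiting synchronization")
    if not isinstance(row.get("Priority"), int) or row["Priority"] < 0:
        errors.append("Priority must be a non-negative integer")
    return errors


def processing_order(rows):
    """SequenceIds in the order CSDBSync takes them: lowest Priority number
    first, then lowest SequenceId; rows already done or failed are skipped."""
    pending = [r for r in rows if r["Status"] == STATUS_NOT_PROCESSED]
    return [r["SequenceId"]
            for r in sorted(pending, key=lambda r: (r["Priority"], r["SequenceId"]))]


# Constructed sample batch: a routine add-and-set-password pair written by a
# provisioning system at priority 1, an urgent account removal at priority 0,
# and a row that was already processed.
SAMPLE_ROWS = [
    make_row(10, 100, priority=1, UserName="fred", GroupName="Group 1",
             Value1="initialpass", MessageNo=1),                      # ADD_USER
    make_row(11, 102, priority=1, UserName="fred", Value1="s3cret",
             MessageNo=1),                                             # SET_PAP_PASS
    make_row(12, 101, priority=0, UserName="mallory", MessageNo=2),    # DELETE_USER
    make_row(13, 101, priority=0, UserName="oldacct", Status=STATUS_DONE),
]
# A malformed row: no DateTime, and both UserName and GroupName on a SET_PAP_PASS.
BAD_ROW = make_row(14, 102, UserName="fred", GroupName="Group 1",
                   Value1="x", DateTime="")

if __name__ == "__main__":
    for r in SAMPLE_ROWS + [BAD_ROW]:
        print(r["SequenceId"], validate_row(r) or "ok")
    print("processing order:", processing_order(SAMPLE_ROWS))
```

The urgent DELETE_USER row (SequenceId 12) is processed before the two provisioning rows even though it was written later, because its Priority number is lower; the row marked done is skipped.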

Action Codes

This section provides the action codes valid for use in the Action field (mnemonic: A) of accountActions. The Required column uses the field mnemonic names to indicate which fields should be completed, except for the mandatory fields, which are assumed. For more information about the mnemonic names of accountActions fields, see Table F-1. For more information about the mandatory fields, see accountActions Mandatory Fields.

If an action can be applied to either a user or group, "UN|GN" appears, using the vertical bar to indicate that either one of the two fields is required. To make the action affect only the user, leave the group name empty; to make the action affect only the group, leave the user name empty.

This section contains the following topics:

Action Codes for Setting and Deleting Values

Action Codes for Creating and Modifying User Accounts

Action Codes for Initializing and Modifying Access Filters

Action Codes for Modifying TACACS+ and RADIUS Group and User Settings

Action Codes for Modifying Network Configuration

Action Codes for Setting and Deleting Values

The two most fundamental action codes are SET_VALUE (action code: 1) and DELETE_VALUE (action code: 2), described in Table F-2. They instruct RDBMS Synchronization to assign or remove a value for one of the internal attributes of Cisco Secure ACS. Unless a Cisco representative asks you to use them for another purpose, use these action codes only to assign values to user-defined fields (see User-Defined Attributes).

Table F-2 Action Codes for Setting and Deleting Values 

Action Code
Name
Required
Description

1  SET_VALUE  Required: UN|GN, AI, VN, V1, V2

Sets a value (V1) named (VN) of type (V2) for App ID (AI).

App IDs (AI) can be one of the following:

APP_CSAUTH

APP_CSTACACS

APP_CSRADIUS

APP_CSADMIN

Value types (V2) can be one of the following:

TYPE_BYTE —Single 8-bit number.

TYPE_SHORT —Single 16-bit number.

TYPE_INT —Single 32-bit number.

TYPE_STRING —Single string.

TYPE_ENCRYPTED_STRING —Single string to be saved encrypted.

TYPE_MULTI_STRING —Tab-separated set of substrings.

TYPE_MULTI_INT —Tab-separated set of 32-bit numbers.

For example:

UN = "fred"
AI = "APP_CSAUTH"
VN = "My Value"
V2 = "TYPE_MULTI_STRING"
V1 = "str1<TAB>str2<TAB>str3"   (<TAB> stands for a tab character)

2  DELETE_VALUE  Required: UN|GN, AI, VN

Deletes value (VN) for App ID (AI) and user (UN) or group (GN).
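As an added example (not Cisco code), the following Python encodes the V1 string for each SET_VALUE value type and builds the matching DELETE_VALUE row. The tab-separated layout of the MULTI types and the decimal rendering of numbers come from Table F-2 and Table F-1; the unsigned interpretation of the numeric widths and the function names are assumptions.

```python
"""Encode Value1 for SET_VALUE (1) rows and build the matching DELETE_VALUE (2) row.

Added example, not Cisco's code. It renders Python values into the V1 string
that the value type named in V2 expects (decimal strings for the numeric types,
tab-separated lists for the MULTI types) and rejects values that cannot fit.
"""

APP_IDS = {"APP_CSAUTH", "APP_CSTACACS", "APP_CSRADIUS", "APP_CSADMIN"}
# Unsigned ranges are an assumption; the table states only the bit widths.
INT_RANGES = {"TYPE_BYTE": (0, 0xFF), "TYPE_SHORT": (0, 0xFFFF),
              "TYPE_INT": (0, 0xFFFFFFFF)}
MAX_V1 = 255                                # Value1 column size from Table F-1


def _check_int(value, lo, hi, type_name):
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{type_name} needs an integer in [{lo}, {hi}], got {value!r}")
    return str(value)   # numeric parameters travel as decimal strings (Table F-1)


def encode_value1(value_type, value):
    """Return the V1 string for `value` under `value_type` (the V2 field)."""
    if value_type in INT_RANGES:
        v1 = _check_int(value, *INT_RANGES[value_type], value_type)
    elif value_type in ("TYPE_STRING", "TYPE_ENCRYPTED_STRING"):
        if "\t" in value:
            raise ValueError("a tab would be read as a MULTI separator")
        v1 = value
    elif value_type == "TYPE_MULTI_STRING":
        if any("\t" in s for s in value):
            raise ValueError("substrings may not contain the tab separator")
        v1 = "\t".join(value)
    elif value_type == "TYPE_MULTI_INT":
        lo, hi = INT_RANGES["TYPE_INT"]
        v1 = "\t".join(_check_int(i, lo, hi, "TYPE_MULTI_INT") for i in value)
    else:
        raise ValueError(f"unknown value type {value_type!r}")
    if len(v1) > MAX_V1:
        raise ValueError(f"Value1 is {len(v1)} characters; the column holds {MAX_V1}")
    return v1


def decode_value1(value_type, v1):
    """Inverse of encode_value1, e.g. for auditing what a queued row will write."""
    if value_type in INT_RANGES:
        return int(v1)
    if value_type == "TYPE_MULTI_STRING":
        return v1.split("\t")
    if value_type == "TYPE_MULTI_INT":
        return [int(i) for i in v1.split("\t")]
    return v1


def set_value_row(seq, target, app_id, name, value_type, value, group=False):
    """Fields of a SET_VALUE row; `target` is UN, or GN when group=True."""
    if app_id not in APP_IDS:
        raise ValueError(f"unknown App ID {app_id!r}")
    if len(name) > 255:
        raise ValueError("ValueName exceeds 255 characters")
    return {"SequenceId": seq, "Action": 1, "AppId": app_id, "ValueName": name,
            "UserName": None if group else target,
            "GroupName": target if group else None,
            "Value1": encode_value1(value_type, value), "Value2": value_type}


def delete_value_row(seq, target, app_id, name, group=False):
    """Fields of the DELETE_VALUE row that undoes set_value_row."""
    if app_id not in APP_IDS:
        raise ValueError(f"unknown App ID {app_id!r}")
    return {"SequenceId": seq, "Action": 2, "AppId": app_id, "ValueName": name,
            "UserName": None if group else target,
            "GroupName": target if group else None}


if __name__ == "__main__":
    row = set_value_row(1, "fred", "APP_CSAUTH", "My Value",
                        "TYPE_MULTI_STRING", ["str1", "str2", "str3"])
    print(repr(row["Value1"]))          # 'str1\tstr2\tstr3'
    print(delete_value_row(2, "fred", "APP_CSAUTH", "My Value"))
```

Only the fields the two actions use are returned; the mandatory DateTime, Priority and Status columns are filled by whatever writes the row into the table.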


Action Codes for Creating and Modifying User Accounts

TableF-3 lists the action codes for creating, modifying, and deleting user accounts.


Note Before you can modify a user account, such as assigning a password, you must create the user account, either in the HTML interface or by using the ADD_USER action (action code: 100).


Transactions using these codes affect the configuration displayed in the User Setup section of the HTML interface. For more information about the User Setup section, see "User Management".

Table F-3 User Creation and Modification Action Codes 

Action Code
Name
Required
Description

100  ADD_USER  Required: UN|GN, V1

Creates a user (32 characters maximum). V1 is used as the initial password. Optionally, the user can also be assigned to a group.

101  DELETE_USER  Required: UN

Removes a user.

102  SET_PAP_PASS  Required: UN, V1

Sets the PAP password for a user (64 ASCII characters maximum). CHAP/ARAP will also default to this.

103  SET_CHAP_PASS  Required: UN, V1

Sets the CHAP/ARAP password for a user (64 characters maximum).

104  SET_OUTBOUND_CHAP_PASS  Required: UN, V1

Sets the outbound CHAP/ARAP password for a user (32 characters maximum).

105  SET_T+_ENABLE_PASS  Required: UN, VN, V1, V2, V3

Sets the TACACS+ enable password (V1) (32 characters maximum) and Max Privilege level (V2) (0-15).

The enable type (V3) should be one of the following:

ENABLE_LEVEL_AS_GROUP —Max privilege taken from group setting.

ENABLE_LEVEL_NONE —No T+ enable configured.

ENABLE_LEVEL_STATIC —Value set in V2 used during enable level check.

You can use VN to link the enable password to an external authenticator, as per action 108 SET_PASS_TYPE.

106  SET_GROUP  Required: UN, GN

Sets the CiscoSecure ACS group assignment of the user.

108  SET_PASS_TYPE  Required: UN|GN, V1

Sets the password type of the user. This can be one of the CiscoSecure user database password types or any of the external databases supported:

PASS_TYPE_CSDB —CSDB internal password.

PASS_TYPE_CSDB_UNIX —CSDB internal password (UNIX encrypted).

PASS_TYPE_NT —External Windows user database password.

PASS_TYPE_NDS —External Novell database password.

PASS_TYPE_LDAP —External generic LDAP database password.

PASS_TYPE_SDI —External RSA Security database password.

PASS_TYPE_ANPI —External PassGo database password.

PASS_TYPE_ENIGMA —External SafeWord database password.

PASS_TYPE_CRYPTO —External CRYPTOCard database password.

PASS_TYPE_ODBC —External ODBC database password.

PASS_TYPE_LEAP —External LEAP proxy RADIUS server database password.

PASS_TYPE_ACTIVCARD —External ActivCard database password.

PASS_TYPE_VASCO —External Vasco database password.

PASS_TYPE_RADIUS_TOKEN —External RADIUS token server database password.

109  REMOVE_PASS_STATUS  Required: UN, V1

Removes a password status flag. This results in the status states being linked in a logical XOR condition by the CSAuth server. V1 should contain one of the following:

PASS_STATUS_EXPIRES —Password expires on a given date.

PASS_STATUS_NEVER —Password never expires.

PASS_STATUS_WRONG —Password expires after a given number of login attempts using the wrong password.

PASS_STATUS_DISABLED —The account has been disabled.

110  ADD_PASS_STATUS  Required: UN, V1

Defines how a password should be expired by CiscoSecure ACS. To set multiple password states for a user, use multiple instances of this action. This results in the status states being linked in a logical XOR condition by the CSAuth server. V1 should contain one of the following:

PASS_STATUS_EXPIRES —Password expires on a given date.

PASS_STATUS_NEVER —Password never expires.

PASS_STATUS_WRONG —Password expires after a given number of login attempts using the wrong password.

PASS_STATUS_RIGHT —Password expires after a given number of login attempts using the correct password.

PASS_STATUS_DISABLED —The account has been disabled.

112  SET_PASS_EXPIRY_WRONG  Required: UN, V1

Sets the maximum number of bad authentications allowed (the count is reset automatically on a good password if the maximum has not been exceeded) and resets the current count.

113  SET_PASS_EXPIRY_DATE  Required: UN, V1

Sets the date on which the account expires. The date format should be YYYYMMDD.

114  SET_MAX_SESSIONS  Required: UN|GN, V1

Sets the maximum number of simultaneous sessions for a user or group. V1 should contain one of the following values:

MAX_SESSIONS_UNLIMITED

MAX_SESSIONS_AS_GROUP

1-65534

115  SET_MAX_SESSIONS_GROUP_USER  Required: GN, V1

Sets the maximum number of simultaneous sessions for each user of the group to one of the following values:

MAX_SESSIONS_UNLIMITED

1-65534

260  SET_QUOTA  Required: UN|GN, VN, V1, V2

Sets a usage quota for a user or group.

VN defines the quota type. Valid values are:

online time —The quota limits the user or group by the number of seconds logged in to the network for the period defined in V2.

sessions —The quota limits the user or group by the number of sessions on the network for the period defined in V2.

V1 defines the quota. If VN is set to sessions, V1 is the maximum number of sessions in the period defined in V2. If VN is set to online time, V1 is the maximum number of seconds.

V2 holds the period for the quota. Valid values are:

QUOTA_PERIOD_DAILY —The quota is enforced in 24-hour cycles, from 12:01 A.M. to midnight.

QUOTA_PERIOD_WEEKLY —The quota is enforced in 7-day cycles, from 12:01 A.M. Sunday until midnight Saturday.

QUOTA_PERIOD_MONTHLY —The quota is enforced in monthly cycles, from 12:01 A.M. on the first of the month until midnight on the last day of the month.

QUOTA_PERIOD_ABSOLUTE —The quota is enforced in an ongoing basis, without an end.

261  DISABLE_QUOTA  Required: UN|GN, VN

Disables a group or user usage quota.

VN defines the quota type to disable. Valid values are:

online time —The quota that limits the user or group by the number of seconds logged in to the network.

sessions —The quota that limits the user or group by the number of sessions on the network.

262  RESET_COUNTERS  Required: UN|GN

Resets usage quota counters for a user or group.

263  SET_QUOTA_APPLY_TYPE  Required: UN, V1

Defines whether a user usage quota is determined by the user group quota or by a quota unique to the user. V1 makes this specification. Valid values for V1 are:

ASSIGNMENT_FROM_USER

ASSIGNMENT_FROM_GROUP

270  SET_DCS_TYPE  Required: UN|GN, VN, V1, Optionally V2

Sets the type of device command set (DCS) authorization for a group or user.

VN defines the service. Valid service types are:

shell —Cisco IOS shell command authorization.

pixshell —Cisco PIX command authorization.

Note If additional DCS types have been added to your Cisco Secure ACS, you can find the valid value in the Interface Configuration page for TACACS+ (Cisco IOS). The valid values appear in parentheses after the service title, such as PIX Shell (pixshell).

V1 defines the assignment type. The valid values for V1 are:

none —Sets no DCS for the user or group.

as group —For users only, this value signifies that the user DCS settings for the service specified should be the same as the user group DCS settings.

static —Sets a DCS for the user or group for all devices enabled to perform command authorization for the service specified.

If V1 is set to static, V2 is required and must contain the name of the DCS to assign to the user or group for the given service.

ndg —Specifies that command authorization for the user or group is to be done on a per-NDG basis. Use action 271 to add DCS to NDG mappings for the user or group.

Note Changing a user or group assignment type (V1) results in clearing previous data, including NDG to DCS mappings (defined by action 271).

271  SET_DCS_NDG_MAP  Required: UN|GN, VN, V1, V2

Maps between the device command set and the NDG when the assignment type specified by a 270 action code is ndg.

VN defines the service. Valid service types are:

shell —Cisco IOS shell command authorization.

pixshell —Cisco PIX command authorization.

Note If additional DCS types have been added to your Cisco Secure ACS, you can find the valid value in the Interface Configuration page for TACACS+ (Cisco IOS). The valid values appear in parentheses after the service title, such as PIX Shell (pixshell).

V1 defines the name of the NDG. Use the name of the NDG as it appears in the HTML interface. For example, if you have configured an NDG named "East Coast NASes" and want to use action 271 to apply a DCS to that NDG, V1 should be "East Coast NASes".

V2 defines the name of the DCS. Use the name of the DCS as it appears in the HTML interface. For example, if you have configured a DCS named "Tier2 PIX Admin DCS" and want to use action 271 to apply it to an NDG, V2 should be "Tier2 PIX Admin DCS".
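The following Python script is an added example, not part of Cisco's documentation. It writes the rows for one new user as a MessageNo-linked transaction in the order the note at the start of this section requires (ADD_USER first, then the password type, status and expiry rows), and it checks a batch for the ordering mistake that note warns about. The Batch class, the constructed user data and the fixed DateTime are illustrative; the YYYYMMDD check follows the format stated for action 113 and the length limits follow actions 100 and 102.

```python
"""Provision one user as a MessageNo-grouped transaction and check the ordering caveat.

Added example, not Cisco's code. It emits the ADD_USER row first and the
password, status and expiry rows after it, all sharing one MessageNo so the
audit trail links them, and it checks that no row modifying a user created in
the same batch can be processed before that user's ADD_USER row.
"""
from datetime import date

FIELDS = ["SequenceId", "Priority", "UserName", "GroupName", "Action",
          "ValueName", "Value1", "Value2", "Value3", "DateTime", "MessageNo",
          "ComputerNames", "AppId", "Status"]


class Batch:
    """Accumulates rows with ascending SequenceIds and a fixed creation time."""

    def __init__(self, first_seq=1, created="2003-10-01 09:00:00"):
        self.rows, self.next_seq, self.created = [], first_seq, created

    def add(self, action, message_no, priority=0, **fields):
        row = dict.fromkeys(FIELDS)
        row.update(SequenceId=self.next_seq, Priority=priority, Action=action,
                   DateTime=self.created, MessageNo=message_no, Status=0)
        row.update(fields)
        self.rows.append(row)
        self.next_seq += 1
        return row


def check_expiry_date(text):
    """SET_PASS_EXPIRY_DATE (113) wants YYYYMMDD; reject separators and impossible dates."""
    if len(text) != 8 or not text.isdigit():
        raise ValueError(f"expiry date must be YYYYMMDD, got {text!r}")
    date(int(text[:4]), int(text[4:6]), int(text[6:]))   # raises ValueError on 20031332
    return text


def provision_user(batch, message_no, username, password, group, expiry, max_wrong=3):
    """Append the rows that create `username` in `group` and set its password
    policy. Returns the action codes appended, in SequenceId order."""
    if not 1 <= len(username) <= 32:
        raise ValueError("UserName must be 1-32 characters")
    if len(password) > 64:
        raise ValueError("PAP password is limited to 64 ASCII characters")
    check_expiry_date(expiry)
    batch.add(100, message_no, UserName=username, GroupName=group, Value1=password)  # ADD_USER
    batch.add(108, message_no, UserName=username, Value1="PASS_TYPE_CSDB")           # SET_PASS_TYPE
    batch.add(110, message_no, UserName=username, Value1="PASS_STATUS_EXPIRES")      # ADD_PASS_STATUS
    batch.add(113, message_no, UserName=username, Value1=expiry)                     # SET_PASS_EXPIRY_DATE
    batch.add(110, message_no, UserName=username, Value1="PASS_STATUS_WRONG")        # ADD_PASS_STATUS
    batch.add(112, message_no, UserName=username, Value1=str(max_wrong))             # SET_PASS_EXPIRY_WRONG
    return [r["Action"] for r in batch.rows if r["MessageNo"] == message_no]


def creation_precedes_modification(rows):
    """True when every user created in this batch has its ADD_USER row processed
    before any other row naming that user (Priority first, then SequenceId)."""
    created_here = {r["UserName"] for r in rows if r["Action"] == 100}
    seen = set()
    for r in sorted(rows, key=lambda r: (r["Priority"], r["SequenceId"])):
        if r["Action"] == 100:
            seen.add(r["UserName"])
        elif r["UserName"] in created_here and r["UserName"] not in seen:
            return False
    return True


if __name__ == "__main__":
    b = Batch()
    print(provision_user(b, 1, "fred", "s3cret-pw", "Group 1", "20031231"))
    print("ordering ok:", creation_precedes_modification(b.rows))
    b.rows[0]["Priority"] = 1        # demote ADD_USER below its own password rows
    print("ordering ok:", creation_precedes_modification(b.rows))
```

Raising the Priority number of the ADD_USER row alone is enough to break the batch: the password rows would then be processed against an account that does not exist yet, which is exactly the failure the note above describes.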


Action Codes for Initializing and Modifying Access Filters

TableF-4 lists the action codes for initializing and modifying AAA client access filters. AAA client access filters control Telnet access to a AAA client. Dial access filters control access by dial-up users.

Transactions using these codes affect the configuration displayed in the User Setup and Group Setup sections of the HTML interface. For more information about the User Setup section, see "User Management". For more information about the Group Setup section, see "User Group Management".

Table F-4 Action Codes for Initializing and Modifying Access Filters 

Action Code
Name
Required
Description

120  INIT_NAS_ACCESS_CONTROL  Required: UN|GN, V1

Clears the AAA client access filter list and initializes permit/deny for any forthcoming filters. V1 should be one of the following values:

ACCESS_PERMIT

ACCESS_DENY

121  INIT_DIAL_ACCESS_CONTROL  Required: UN|GN, V1

Clears the dial-up access filter list and initializes permit/deny for any forthcoming filters. V1 should be one of the following values:

ACCESS_PERMIT

ACCESS_DENY

122  ADD_NAS_ACCESS_FILTER  Required: UN|GN, V1

Adds a AAA client filter for the user|group.

V1 should contain a single (AAA client name, AAA client port, remote address or CLID) triple; for example:

NAS01,tty0,0898-69696969

Optionally, the AAA client name can be "All AAA clients" to specify that the filter applies to all configured AAA clients and an asterisk (*) to represent all ports.

123  ADD_DIAL_ACCESS_FILTER  Required: UN|GN, V1, V2

Adds a dial-up filter for the user|group.

V1 should contain one of the following values:

Calling station ID

Called station ID

Calling and called station ID; for example:

01732-875374,0898-69696969

AAA client IP address, AAA client port; for example:

10.45.6.123,tty0

V2 should contain the filter type as one of the following values:

CLID —The user is filtered by the calling station ID.

DNIS —The user is filtered by the called station ID.

CLID/DNIS —The user is filtered by both calling and called station IDs.

AAA client/PORT —The user is filtered by AAA client IP and AAA client port address.

130  SET_TOKEN_CACHE_SESSION  Required: GN, V1

Enables/disables token caching for an entire session; V1 is 0=disable, 1=enable.

131  SET_TOKEN_CACHE_TIME  Required: GN, V1

Sets the duration that tokens are cached. V1 is the token cache duration in seconds.

140  SET_TODDOW_ACCESS  Required: UN|GN, V1

Sets periods during which access is permitted. V1 contains a string of 168 characters, one for each hour of the week. A "1" represents an hour in which access is permitted and a "0" an hour in which it is denied. If this parameter is not specified for a user, the group setting applies. The default group setting is all 168 characters set to "1", that is, access permitted at all times.

150  SET_STATIC_IP  Required: UN, V1, V2

Configures the (TACACS+ and RADIUS) IP address assignment for this user.

V1 holds the IP address in the following format:

xxx.xxx.xxx.xxx

V2 should be one of the following:

ALLOC_METHOD_STATIC —The IP address in V1 is assigned to the user in the format xxx.xxx.xxx.xxx.

ALLOC_METHOD_NAS_POOL —The IP pool named in V1 (configured on the AAA client) will be assigned to the user.

ALLOC_METHOD_AAA_POOL —The IP pool named in V1 (configured on the AAA server) will be assigned to the user.

ALLOC_METHOD_CLIENT —The dial-in client will assign its own IP address.

ALLOC_METHOD_AS_GROUP —The IP address assignment configured for the group will be used.

151  SET_CALLBACK_NO  Required: UN|GN, V1

Sets the callback number for this user or group (TACACS+ and RADIUS). V1 should be one of the following:

Callback number —The phone number the AAA client is to call back.

none —No callback is allowed.

roaming —The dial-up client determines the callback number.

as group —Use the callback string or method defined by the group.
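Since V1 of action 140 is a 168-character string that is easy to get subtly wrong, the following Python is an added example (not Cisco code) that builds the string from (day, start hour, end hour) windows and decodes it back for review. The page does not state which hour character position 0 represents; the code assumes the string starts at Sunday 00:00, and that assumption is marked in the code.

```python
"""Build and decode the 168-character SET_TODDOW_ACCESS (140) string.

Added example, not Cisco's code. Position k of the string is hour k of the
week; this code assumes the week starts at Sunday 00:00 (the page does not
state the origin), so index = day_of_week * 24 + hour with Sunday = 0.
"""

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]   # assumed origin: Sun 00:00
HOURS_PER_WEEK = 7 * 24


def toddow_string(windows):
    """windows: iterable of (day, start_hour, end_hour), end exclusive, e.g. ("Mon", 8, 18).
    Overlapping windows simply set the same hours again."""
    bits = ["0"] * HOURS_PER_WEEK
    for day, start, end in windows:
        if not 0 <= start < end <= 24:
            raise ValueError(f"bad window {day} {start}-{end}")
        base = DAYS.index(day) * 24
        for hour in range(start, end):
            bits[base + hour] = "1"
    return "".join(bits)


def check_toddow(value):
    """Reject anything that is not exactly 168 characters of 0 and 1."""
    if len(value) != HOURS_PER_WEEK or set(value) - {"0", "1"}:
        raise ValueError("V1 must be exactly 168 characters of 0/1")
    return value


def is_permitted(value, day, hour):
    """Whether access is permitted at `hour` (0-23) on `day` under this string."""
    check_toddow(value)
    return value[DAYS.index(day) * 24 + hour] == "1"


def permitted_windows(value):
    """Decode back to (day, start, end) windows, for reviewing what a row grants."""
    check_toddow(value)
    windows = []
    for d, day in enumerate(DAYS):
        hour = 0
        while hour < 24:
            if value[d * 24 + hour] == "1":
                start = hour
                while hour < 24 and value[d * 24 + hour] == "1":
                    hour += 1
                windows.append((day, start, hour))
            else:
                hour += 1
    return windows


# Constructed policy: weekdays 08:00-18:00 only.
BUSINESS_HOURS = [(day, 8, 18) for day in ("Mon", "Tue", "Wed", "Thu", "Fri")]
ALWAYS = "1" * HOURS_PER_WEEK       # the group default described on the page

if __name__ == "__main__":
    v1 = toddow_string(BUSINESS_HOURS)
    print(v1)
    print(permitted_windows(v1))
    print(is_permitted(v1, "Mon", 9), is_permitted(v1, "Sat", 9))
```

Decoding a string before it is written to the table is the practical check here: a one-character offset in a hand-built V1 shifts every window by an hour and is invisible in the raw string.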


Action Codes for Modifying TACACS+ and RADIUS Group and User Settings

TableF-5 lists the action codes for creating, modifying, and deleting TACACS+ and RADIUS settings for CiscoSecure ACS groups and users. In the event that CiscoSecure ACS has conflicting user and group settings, user settings always override group settings.

Transactions using these codes affect the configuration displayed in the User Setup and Group Setup sections of the HTML interface. For more information about the User Setup section, see "User Management". For more information about the Group Setup section, see "User Group Management".

Table F-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings 

Action Code
Name
Required
Description

161  DEL_RADIUS_ATTR  Required: UN|GN, VN, Optionally V2, V3

Deletes the named RADIUS attribute for the group or user, where:

VN = "Vendor-Specific"

V2 = IETF vendor ID

V3 = VSA attribute ID

For example, to specify the Cisco IOS/PIX vendor ID and the Cisco AV Pair:

VN = "Vendor-Specific"
V2 = "9"
V3 = "1"

163  ADD_RADIUS_ATTR  Required: UN|GN, VN, V1, Optionally V2, V3

Adds the numbered attribute (VN) with value (V1) for the user/group (UN|GN). For example, to set the IETF RADIUS Reply-Message attribute (attr. 18) for a group:

GN = "Group 1"
VN = "18"
V1 = "Greetings"

As another example, to set the IETF RADIUS Framed-IP-Address attribute (attr. 9) for a user:

UN = "fred"
VN = "9"
V1 = "10.1.1.1"

To add a vendor-specific attribute (VSA), set VN = "26" and use V2 and V3 as follows:

V2 = IETF vendor ID

V3 = VSA attribute ID

For example, to add the Cisco IOS/PIX RADIUS cisco-av-pair attribute with a value of "addr-pool=pool1":

VN = "26"
V2 = "9"
V3 = "1"
V1 = "addr-pool=pool1"

RADIUS attribute values can be one of the following:

INTEGER

TIME

IP ADDRESS

STRING

170  ADD_TACACS_SERVICE  Required: UN|GN, VN, V1, V3, Optionally V2

Permits the service for that user or group of users. For example:

GN = "Group 1"
V1 = "ppp"
V2 = "ip"

or

UN = "fred"
V1 = "ppp"
V2 = "ip"

or

UN = "fred"
V1= "exec"

171  REMOVE_TACACS_SERVICE  Required: UN|GN, V1, Optionally V2

Denies the service for that user or group of users. For example:

GN = "Group 1"
V1 = "ppp"
V2 = "ip"

or

UN = "fred"
V1 = "ppp"
V2 = "ip"

or

UN = "fred"
V1 = "exec"

This also resets the valid attributes for the service.

172  ADD_TACACS_ATTR  Required: UN|GN, VN, V1, V3, Optionally V2

Sets a service-specific attribute. The service must already have been permitted either via the HTML interface or using Action 170:

GN = "Group 1"
VN = "routing"
V1 = "ppp"
V2 = "ip"
V3 = "true"

or

UN = "fred"
VN = "route"
V1 = "ppp"
V2 = "ip"
V3 = "10.2.2.2"

173  REMOVE_TACACS_ATTR  Required: UN|GN, VN, V1, Optionally V2

Removes a service-specific attribute:

GN = "Group 1"
V1 = "ppp"
V2 = "ip"
VN = "routing"

or

UN = "fred"
V1 = "ppp"
V2 = "ip"
VN = "route"

174  ADD_IOS_COMMAND  Required: UN|GN, VN, V1

Authorizes the given Cisco IOS command (VN). V1 sets the treatment of arguments that no argument entry for this command matches: "permit" allows any argument that is not explicitly denied, and "deny" allows only arguments that are explicitly permitted. The argument entries are created and removed using Actions 176 and 177:

GN = "Group 1"
VN = "telnet"
V1 = "permit"

or

UN = "fred"
VN = "configure"
V1 = "deny"

The first example authorizes the telnet command for users of Group 1. Any arguments can be supplied to the telnet command, as long as they do not match an argument denied via Action 176.

The second example authorizes the configure command for user fred, but only when the supplied arguments are permitted by the filter defined by a series of Action 176 entries.

175  REMOVE_IOS_COMMAND  Required: UN|GN, VN

Removes command authorization for the user or group:

GN = "Group 1"
VN = "telnet"

or

UN = "fred"
VN = "configure"

Users of Group 1 can no longer use the Cisco IOS telnet command.

User fred can no longer use the configure command.

176  ADD_IOS_COMMAND_ARG  Required: UN|GN, VN, V1, V2

Specifies a command-line argument (V2) that is either permitted or denied (V1) for the Cisco IOS command contained in VN. The command must already have been added via Action 174:

GN = "Group 1"
VN = "telnet"
V1 = "permit"
V2 = "10.1.1.2"

or

UN = "fred"
VN = "show"
V1 = "deny"
V2 = "run"

The first example will allow the telnet command with argument 10.1.1.2 to be used by any user in Group 1.

The second example ensures that user fred cannot issue the Cisco IOS command show run.

177  REMOVE_IOS_COMMAND_ARG  Required: UN|GN, VN, V2

Removes the permit or deny entry for the given Cisco IOS command argument:

GN = "Group 1"
VN = "telnet"
V2 = "10.1.1.1"

or

UN = "fred"
VN = "show"
V2 = "run"

178  SET_PERMIT_DENY_UNMATCHED_IOS_COMMANDS  Required: UN|GN, V1

Sets unmatched Cisco IOS command behavior. By default, any Cisco IOS command not defined via a combination of Actions 174 and 176 is denied. This behavior can be changed so that issued Cisco IOS commands that do not match any command/command argument pairs are authorized:

GN = "Group 1"
V1 = "permit"

or

UN = "fred"
V1 = "deny"

The first example will permit any command not defined by Action 174.

179  REMOVE_ALL_IOS_COMMANDS  Required: UN|GN

This action removes all Cisco IOS commands defined for a particular user or group.

210  RENAME_GROUP  Required: GN, V1

Renames an existing group to the name supplied in V1.

211  RESET_GROUP  Required: GN

Resets a group back to the factory default.

212  SET_VOIP  Required: GN, V1

Enables or disables Voice over IP (VoIP) support for the group named, as follows:

GN = name of group

V1 = ENABLE or DISABLE
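The following Python is an added example, not Cisco code. It folds rows for actions 174 through 179 into a command authorization policy for one group and evaluates command lines the way the descriptions above specify: V1 on the 174 row governs arguments that no 176 row matches, and action 178 governs commands that no 174 row names. The rows for "Group 1" are constructed, and exact matching on the argument text is a simplification of how Cisco Secure ACS matches arguments.

```python
"""Evaluate Cisco IOS command authorization from accountActions rows 174-179.

Added example, not Cisco's code. Rows are (Action, ValueName, Value1, Value2)
tuples for a single user or group, already in processing order. Argument
matching is exact on the text after the command word (a simplification).
"""

PERMIT, DENY = "permit", "deny"


def build_policy(rows):
    """Return {"unmatched": permit|deny, "commands": {cmd: {"unmatched_args", "args"}}}."""
    policy = {"unmatched": DENY, "commands": {}}   # page: unmatched commands are denied by default
    for action, vn, v1, v2 in rows:
        if action in (174, 176, 178) and v1 not in (PERMIT, DENY):
            raise ValueError(f"V1 must be permit or deny, got {v1!r}")
        if action == 174:                          # ADD_IOS_COMMAND
            policy["commands"][vn] = {"unmatched_args": v1, "args": {}}
        elif action == 175:                        # REMOVE_IOS_COMMAND
            policy["commands"].pop(vn, None)
        elif action == 176:                        # ADD_IOS_COMMAND_ARG
            if vn not in policy["commands"]:
                raise ValueError(f"command {vn!r} must be added with action 174 first")
            policy["commands"][vn]["args"][v2] = v1
        elif action == 177:                        # REMOVE_IOS_COMMAND_ARG
            if vn in policy["commands"]:
                policy["commands"][vn]["args"].pop(v2, None)
        elif action == 178:                        # SET_PERMIT_DENY_UNMATCHED_IOS_COMMANDS
            policy["unmatched"] = v1
        elif action == 179:                        # REMOVE_ALL_IOS_COMMANDS
            policy["commands"].clear()
        else:
            raise ValueError(f"not a command-authorization action: {action}")
    return policy


def authorize(policy, command_line):
    """True if `command_line` would be authorized under `policy`."""
    words = command_line.split()
    if not words:
        return False
    command, args = words[0], " ".join(words[1:])
    entry = policy["commands"].get(command)
    if entry is None:                                   # no 174 row: action 178 decides
        return policy["unmatched"] == PERMIT
    return entry["args"].get(args, entry["unmatched_args"]) == PERMIT


# Constructed rows for "Group 1"; V3 is unused by these actions and omitted.
GROUP1_ROWS = [
    (174, "telnet", PERMIT, None),      # telnet: any argument unless a 176 row denies it
    (176, "telnet", DENY, "10.1.1.1"),  # ...except this host
    (174, "show", DENY, None),          # show: only arguments a 176 row permits
    (176, "show", PERMIT, "version"),
    (176, "show", DENY, "run"),
    (174, "configure", DENY, None),     # configure: listed, but no argument permitted
    (178, None, DENY, None),            # anything else is denied (also the default)
]

if __name__ == "__main__":
    policy = build_policy(GROUP1_ROWS)
    for line in ("telnet 10.1.1.2", "telnet 10.1.1.1", "show version",
                 "show run", "show ip route", "configure terminal", "reload"):
        print(f"{line:20} -> {'permit' if authorize(policy, line) else 'deny'}")
```

Running the rows through an evaluator like this before they are synchronized shows the effective policy per command, which is the quickest way to catch a "permit" on a 174 row that was meant to be "deny".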


Action Codes for Modifying Network Configuration

Table F-6 lists the action codes for adding AAA clients, AAA servers, network device groups, and proxy table entries. Transactions using these codes affect the configuration displayed in the Network Configuration section of the HTML interface. For more information about the Network Configuration section, see "Network Configuration".

Table F-6 Action Codes for Modifying Network Configuration 

Action Code
Name
Required
Description

220  ADD_NAS  Required: VN, V1, V2, V3

Adds a new AAA client (named in VN) with an IP address (V1), shared secret key (V2), and vendor (V3). Valid vendors are as follows:

VENDOR_ID_IETF_RADIUS —For IETF RADIUS.

VENDOR_ID_CISCO_RADIUS —For Cisco IOS/PIX RADIUS.

VENDOR_ID_CISCO_TACACS —For Cisco TACACS+.

VENDOR_ID_ASCEND_RADIUS —For Ascend RADIUS.

VENDOR_ID_ALTIGA_RADIUS —For Cisco VPN 3000 RADIUS.

VENDOR_ID_COMPATIBLE_RADIUS —For Cisco VPN 5000 RADIUS.

VENDOR_ID_AIRONET_RADIUS —For Cisco Aironet RADIUS.

VENDOR_ID_NORTEL_RADIUS —For Nortel RADIUS.

VENDOR_ID_JUNIPER_RADIUS —For Juniper RADIUS.

VENDOR_ID_CBBMS_RADIUS —For Cisco BBMS RADIUS.

For example:

VN = AS5200-11
V1 = 192.168.1.11
V2 = byZantine32
V3 = VENDOR_ID_CISCO_RADIUS

221  SET_NAS_FLAG  Required: VN, V1

Sets one of the per-AAA client flags (V1) for the named AAA client (VN). Use the action once for each flag required. Valid values for per-AAA client flags are as follows:

FLAG_SINGLE_CONNECT

FLAG_LOG_KEEP_ALIVE

FLAG_LOG_TUNNELS

222  DEL_HOST  Required: VN

Deletes the named AAA client (VN).

223  ADD_NAS_BY_IETF_CODE  Required: VN, V1, V2, V3

Adds a new AAA client (named in VN) with an IP address (V1), shared secret key (V2), and the enterprise code for the vendor (V3).

230  ADD_AAA_SERVER  Required: VN, V1, V2

Adds a new AAA server named (VN) with IP address (V1), shared secret key (V2).

231  SET_AAA_TYPE  Required: VN, V1

Sets the AAA server type for server (VN) to value in V1, which should be one of the following:

TYPE_ACS

TYPE_TACACS

TYPE_RADIUS

The default is TYPE_ACS.

232  SET_AAA_FLAG  Required: VN, V1

Sets one of the per-AAA server flags (V1) for the named AAA server (VN):

FLAG_LOG_KEEP_ALIVE

FLAG_LOG_TUNNELS

Use the action once for each flag required.

233  SET_AAA_TRAFFIC_TYPE  Required: VN, V1

Sets the appropriate traffic type (V1) for the named AAA server (VN):

TRAFFIC_TYPE_INBOUND

TRAFFIC_TYPE_OUTBOUND

TRAFFIC_TYPE_BOTH

The default is TRAFFIC_TYPE_BOTH.

234  DEL_AAA_SERVER  Required: VN

Deletes the named AAA server (VN).

240  ADD_PROXY  Required: VN, V1, V2, V3

Adds a new proxy markup (VN) with markup type (V1), strip markup flag (V2), and accounting flag (V3).

The markup type (V1) must be one of the following:

MARKUP_TYPE_PREFIX

MARKUP_TYPE_SUFFIX

The strip markup flag (V2) should be TRUE if the markup is to be removed from the username before forwarding.

The accounting flag (V3) should be one of the following:

ACCT_FLAG_LOCAL

ACCT_FLAG_REMOTE

ACCT_FLAG_BOTH

241  ADD_PROXY_TARGET  Required: VN, V1

Adds the host named in V1 as a target of the proxy markup named in VN. The host should already be configured on Cisco Secure ACS.

Note The order in which proxy targets are added sets the proxy search order; the first target added is the first target proxied to, and so on. The order must be changed through the HTML interface.

242  DEL_PROXY  Required: VN

Deletes the named proxy markup (VN).

250  ADD_NDG  Required: VN

Creates a network device group (NDG) named (VN).

251  DEL_NDG  Required: VN

Deletes the named NDG.

252  ADD_HOST_TO_NDG  Required: VN, V1

Assigns the named AAA client or AAA server (VN) to the NDG named in V1.

270  SET_DCS_TYPE (also listed as SET_DCS_ASSIGNMENT)

271  SET_DCS_NDG_MAP (also listed as ADD_NDG_TO_DCS_MAPPING)

Device command set assignment and NDG-to-DCS mapping for a user or group. The required fields and descriptions for these two actions are given in Table F-3.

300  RESTART_PROTO_MODULES  Required: none

Restarts the CSRadius and CSTacacs services to apply new settings.

350  ADD_UDV  Required: VN, V1, V2

Adds a RADIUS vendor to the Cisco Secure ACS vendor database. Vendors added to Cisco Secure ACS by this method are known as User-Defined Vendors (UDV).

VN contains the name of the vendor.

Note Cisco Secure ACS prefixes "RADIUS (...)" to the name given in VN. For example, if VN is "MyCo", Cisco Secure ACS displays "RADIUS (MyCo)" in the HTML interface.

V1 contains the user-defined vendor slot number or AUTO_ASSIGN_SLOT. CiscoSecure ACS has ten vendor slots, numbered 0 through 9. If you specify AUTO_ASSIGN_SLOT, CiscoSecure ACS selects the next available slot for your vendor.

Note If you want to replicate UDVs between Cisco Secure ACSes, you must assign the UDV to the same slot number on both Cisco Secure ACSes.

V2 contains the IANA-assigned enterprise code for the vendor.

351  DEL_UDV  Required: V1

Removes the vendor with the IETF code specified in V1 and any defined VSAs.

Note Action code 351 does not remove any instances of VSAs assigned to Cisco Secure ACS groups or users. If Cisco Secure ACS has AAA clients configured with the UDV specified in V1, the delete operation fails.

352  ADD_VSA  Required: VN, V1, V2, V3

Adds a new VSA to the vendor specified by the vendor IETF code in V1.

VN is the VSA name. We recommend prefixing the vendor name, or an abbreviation of it, to every VSA name; for example, a MyCo attribute that assigns a group ID could be named "MyCo-Assigned-Group-Id".

Note VSA names must be unique both within the vendor and across the Cisco Secure ACS dictionary. For example, "MyCo-Framed-IP-Address" is allowed but "Framed-IP-Address" is not, because "Framed-IP-Address" is already the name of IETF RADIUS attribute 8.

V2 is the VSA number. This must be in the 0-255 range.

V3 is the VSA type as one of following values:

INTEGER

STRING

IPADDR

By default, VSAs are assumed to be outbound (or authorization) attributes. If the VSA is either multi-instance or used in accounting messages, use SET_VSA_PROFILE (Action code 353).

353  SET_VSA_PROFILE  Required: V1, V2, V3

Sets the inbound/outbound profile of the VSA. The profile specifies usage "IN" for accounting, "OUT" for authorization, or "MULTI" if more than a single instance is allowed per RADIUS message. Combinations are allowed.

V1 contains the vendor IETF code.

V2 contains the VSA number.

V3 contains the profile, one of the following:

IN
OUT
IN OUT
MULTI OUT
MULTI IN OUT

354

ADD_VSA_ENUM

VN, V1, V2, V3

Sets meaningful enumerated values, if the VSA attribute has enumerated. In the User Setup section, the CiscoSecure ACS HTML interface displays the enumeration strings in a list.

VN contains the VSA Enum Name.

V1 contains the vendor IETF code.

V2 contains the VSA number.

V3 contains the VSA Enum Value.

Example:

VN = Disabled
V1 = 9034
V2 = MyCo-Encryption
V3 = 0

or

VN = Enabled
V1 = 9034
V2 = MyCo-Encryption
V3 = 1

355

ADOPT_
NEW_UDV_OR_VSA

Restarts the CSAdmin, CSRadius, and CSLog services. These services must be restarted before new UDVs or VSAs can become usable.
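The following Python helpers are an added example, not code from the Cisco guide or from ACS itself: they emit accountActions rows for action codes 351 to 355, plus the vendor definition whose V1/V2 rules are given above (its action code, 350 ADD_UDV, is assumed from the row preceding this excerpt), and reject values outside the limits the table states. The dictionary row shape, the function names, the strict vendor-prefix check and the small IETF_NAMES set are this example's own assumptions.

```python
# Added example (not Cisco code): builds accountActions rows for the UDV/VSA
# action codes on this page and rejects values outside the stated limits, so a
# bad definition is caught before RDBMS Synchronization imports it. Only the
# columns of the page's Table F-10 are modelled; action code 350 (ADD_UDV) is
# assumed from the row that precedes this excerpt.

VSA_TYPES = {"INTEGER", "STRING", "IPADDR"}
VSA_PROFILES = {"IN", "OUT", "IN OUT", "MULTI OUT", "MULTI IN OUT"}
# Constructed subset of the IETF RADIUS dictionary, for the uniqueness check.
IETF_NAMES = {"User-Name", "Framed-IP-Address", "Reply-Message", "Vendor-Specific"}

def _row(action, vn="", v1="", v2="", v3=""):
    """One accountActions row keyed by the page's column mnemonics."""
    return {"Action": action, "UN": "", "GN": "", "VN": vn,
            "V1": str(v1), "V2": str(v2), "V3": str(v3), "AI": ""}

def add_udv(name, slot, enterprise_code):
    """350: V1 is a slot 0-9 or AUTO_ASSIGN_SLOT, V2 the IANA enterprise code."""
    if slot != "AUTO_ASSIGN_SLOT" and slot not in range(10):
        raise ValueError("vendor slot must be 0-9 or AUTO_ASSIGN_SLOT")
    if not isinstance(enterprise_code, int) or enterprise_code <= 0:
        raise ValueError("enterprise code must be a positive integer")
    return _row(350, vn=name, v1=slot, v2=enterprise_code)

def add_vsa(vendor, code, vsa_name, number, vsa_type):
    """352: VN vendor-prefixed (page's recommendation, enforced here) and not
    an IETF name, V2 in 0-255, V3 one of INTEGER, STRING, IPADDR."""
    if vsa_name in IETF_NAMES or not vsa_name.startswith(vendor + "-"):
        raise ValueError(f"bad VSA name {vsa_name!r}: prefix it with {vendor!r}")
    if number not in range(256):
        raise ValueError("VSA number must be in the 0-255 range")
    if vsa_type not in VSA_TYPES:
        raise ValueError(f"VSA type must be one of {sorted(VSA_TYPES)}")
    return _row(352, vn=vsa_name, v1=code, v2=number, v3=vsa_type)

def set_vsa_profile(code, number, profile):
    """353: V3 is one of the five profiles the page lists."""
    if profile not in VSA_PROFILES:
        raise ValueError(f"profile must be one of {sorted(VSA_PROFILES)}")
    return _row(353, v1=code, v2=number, v3=profile)

def add_vsa_enum(code, number, enum_name, enum_value):
    """354: VN is the displayed enum name, V3 its integer value."""
    return _row(354, vn=enum_name, v1=code, v2=number, v3=int(enum_value))

def adopt():
    """355: emit last, so CSAdmin, CSRadius and CSLog reload the new dictionary."""
    return _row(355)
```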


Cisco Secure ACS Attributes and Action Codes

This section complements the previous section by providing an inverse reference; it provides topics with tables that list CiscoSecure ACS attributes, their data types and limits, and the action codes you can use to act upon the CiscoSecure ACS attributes.

This section contains the following topics:

User-Specific Attributes

User-Defined Attributes

Group-Specific Attributes

User-Specific Attributes

Table F-7 lists the attributes that define a CiscoSecure ACS user, including their data types, limits, and default values. It also provides the action code you can use in accountActions to affect each attribute. Although there are many actions available, adding a user requires only one transaction: ADD_USER. You can safely leave other user attributes at their default values. The term NULL is not simply an empty string, but means not set; that is, the value will not be processed. Some features are processed only if they have a value assigned to them. For more information about action codes, see Action Codes.

Table F-7 User-Specific Attributes

Attribute                Actions   Logical Type                 Limits             Default
Username                 100, 101  String                       1-64 characters
ASCII/PAP Password       100, 102  String                       4-32 characters    Random string
CHAP Password            103       String                       4-32 characters    Random string
Outbound CHAP Password   104       String                       4-32 characters    NULL
TACACS+ Enable Password  105       String Password              4-32 characters    NULL
                                   Integer privilege level      0-15 characters    NULL
Group                    106       String                       0-100 characters   "Default Group"
Password Supplier        107       Enum                         See Table F-3.     LIBRARY_CSDB
Password Type            108       Enum                         See Table F-3.     PASS_TYPE_CSDB (password is cleartext PAP)
Password Expiry Status   109, 110  Bitwise Enum                 See Table F-3.     PASS_STATUS_NEVER (never expires)
Expiry Data              112, 113  Short wrong max/current      0-32,767
                                   Expiry date
Max Sessions             114       Unsigned short               0-65535            MAX_SESSIONS_AS_GROUP
TODDOW Restrictions      140       String                       168 characters     111111111111
NAS Access Control       120, 122  Bool enabled                 T/F                NULL
                                   Bool permit/deny             T/F
                                   ACL String (See Table F-4.)  0-31 KB
Dial-Up Access Control   121, 123  Bool enabled                 T/F                NULL
                                   Bool permit/deny             T/F
                                   ACL String (See Table F-4.)  0-31 KB
Static IP Address        150       Enum scheme                  (See Table F-4.)   Client
                                   String IP/Pool name          0-31 KB            NULL
Callback Number          151       String                       0-31 KB            NULL
TACACS Attributes        160, 162  Formatted String             0-31 KB            NULL
RADIUS Attributes        170, 173  Formatted String             0-31 KB            NULL
UDF 1                    1, 2      String Real Name             0-31 KB            NULL
UDF 2                    1, 2      String Description           0-31 KB            NULL
UDF 3                    1, 2      String                       0-31 KB            NULL
UDF 4                    1, 2      String                       0-31 KB            NULL
UDF 5                    1, 2      String                       0-31 KB            NULL


User-Defined Attributes

User-defined attributes (UDAs) are string values that can contain any data, such as social security number, department name, telephone number, and so on. You can configure CiscoSecure ACS to include UDAs on accounting logs about user activity. For more information about configuring UDAs, see User Data Configuration Options.

RDBMS Synchronization can set UDAs by using the SET_VALUE action (code 1) to create a value called "USER_DEFINED_FIELD_0" or "USER_DEFINED_FIELD_1". For accountActions rows defining a UDA value, the AppId (AI) field must contain "APP_CSAUTH" and the Value2 (V2) field must contain "TYPE_STRING".

Table F-8 lists the data fields that define UDAs. For more information about action codes, see Action Codes.

Table F-8 User-Defined Attributes

Action  Username (UN)  ValueName (VN)        Value1 (V1)   Value2 (V2)  AppId (AI)
1       fred           USER_DEFINED_FIELD_0  SS123456789   TYPE_STRING  APP_CSAUTH
1       fred           USER_DEFINED_FIELD_1  Engineering   TYPE_STRING  APP_CSAUTH
1       fred           USER_DEFINED_FIELD_2  949-555-1111  TYPE_STRING  APP_CSAUTH


Note If more than two UDAs are created, only the first two are passed to accounting logs.


Group-Specific Attributes

Table F-9 lists the attributes that define a CiscoSecure ACS group, including their data types, limits, and default values. It also provides the action code you can use in your accountActions table to affect each field. For more information about action codes, see Action Codes.

Table F-9 Group-Specific Attributes

Attribute                       Actions   Logical Type                 Limits             Default
Max Sessions                    114       Unsigned short               0-65534            MAX_SESSIONS_UNLIMITED
Max Sessions for user of group  115       Unsigned short               0-65534            MAX_SESSIONS_UNLIMITED
Token caching for session       130       Bool                         T/F                NULL
Token caching for duration      131       Integer time in seconds      0-65535            NULL
TODDOW Restrictions             140       String                       168 characters     111111111111
NAS Access Control              120, 122  Bool enabled                 T/F                NULL
                                          Bool permit/deny             T/F
                                          ACL String (See Table F-4.)  0-31 KB
Dial-Up Access Control          121, 123  Bool enabled                 T/F                NULL
                                          Bool permit/deny             T/F
                                          ACL String (See Table F-4.)  0-31 KB
Static IP Address               150       Enum scheme                  (See Table F-4.)   Client
                                          String IP/Pool name          0-31 KB            NULL
TACACS Attributes               160, 162  Formatted String             0-31 KB            NULL
RADIUS Attributes               170, 173  Formatted String             0-31 KB            NULL
VoIP Support                    212       Bool disabled                T/F                NULL


An Example of accountActions

Table F-10 presents a sample instance of accountActions that contains some of the action codes described in Action Codes. First, user "fred" is created, along with his passwords, including a TACACS+ Enable password with privilege level 10. Fred is assigned to "Group 2". His account expires after December 31, 1999, or after 10 incorrect authentication attempts. Attributes for Group 2 include Time-of-Day/Day-of-Week restrictions, token caching, and some RADIUS attributes.


Note This example omits several columns that should appear in any accountActions table. The omitted columns are Sequence ID (SI), Priority (P), DateTime (DT), and MessageNo (MN).


Table F-10 Example accountActions Table

Columns: Action, User name (UN), Group Name (GN), Value Name (VN), Value1 (V1), Value2 (V2), Value3 (V3), AppId (AI)

Action  UN    GN       VN                    V1                                 V2           V3  AI
100     fred                                 fred
102     fred                                 freds_password
103     fred                                 freds_chap_password
104     fred                                 freds_outbound_password
105     fred                                 freds_enable_password              10
106     fred  Group 2
150     fred                                 123.123.123.123
151     fred                                 01832-123900
109     fred                                 PASS_STATUS_NEVER
110     fred                                 PASS_STATUS_WRONG
110     fred                                 PASS_STATUS_EXPIRES
112     fred                                 10
113     fred                                 19991231
114     fred                                 50
115     fred                                 50
120     fred                                 ACCESS_PERMIT
121     fred                                 ACCESS_DENY
122     fred                                 NAS01,tty0,01732-975374
123     fred                                 01732-975374,01622-123123          CLID/DNIS
1       fred           USER_DEFINED_FIELD_0  Fred Jones                         TYPE_STRING       APP_CSAUTH
140           Group 2                        [a string of 168 ones (1)]
130           Group 2                        DISABLE
131           Group 2                        61
163           Group 2  Reply-Message         Welcome to Your Internet Service
163           Group 2  Vendor-Specific       addr-pool=pool2                    9            1
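As an added example that is not part of the Cisco guide, the following Python validator applies the limits from Tables F-7, F-8 and F-9 to rows shaped like Table F-10 before they are handed to RDBMS Synchronization, covering both the user/group attribute limits and the UDA rule (V2 = TYPE_STRING, AI = APP_CSAUTH) from the User-Defined Attributes section. The row dictionary keyed by the column mnemonics, the sample rows, and the "warning:" prefix convention are this example's own assumptions.

```python
# Added example (not Cisco code): validates accountActions rows against the
# limits in Tables F-7, F-8 and F-9 before RDBMS Synchronization reads them,
# since malformed rows may import incorrect data or make the import fail. Rows
# are dicts keyed by the Table F-10 mnemonics; unlisted action codes pass.

def _int_in(value, lo, hi):
    """True if value is a decimal string whose integer lies in [lo, hi]."""
    return value.isdigit() and lo <= int(value) <= hi

def check_row(r):
    """Return the list of problems found in one row (empty when it passes)."""
    errs, a = [], r["Action"]
    un, vn = r.get("UN", ""), r.get("VN", "")
    v1, v2 = r.get("V1", ""), r.get("V2", "")
    if un and not 1 <= len(un) <= 64:
        errs.append("Username must be 1-64 characters")
    if a in (102, 103, 104, 105) and not 4 <= len(v1) <= 32:
        errs.append(f"action {a}: password must be 4-32 characters")
    if a == 105 and not _int_in(v2, 0, 15):
        errs.append("action 105: privilege level must be 0-15")
    if a == 112 and not _int_in(v1, 0, 32767):
        errs.append("action 112: wrong-password maximum must be 0-32,767")
    if a in (114, 115):
        hi = 65535 if un else 65534  # Table F-7 user limit vs Table F-9 group limit
        if not _int_in(v1, 0, hi):
            errs.append(f"action {a}: max sessions must be 0-{hi}")
    if a == 140 and len(v1) != 168:
        errs.append("action 140: TODDOW restriction string must be 168 characters")
    if a == 1 and vn.startswith("USER_DEFINED_FIELD_"):
        if v2 != "TYPE_STRING" or r.get("AI") != "APP_CSAUTH":
            errs.append("UDA row needs V2=TYPE_STRING and AI=APP_CSAUTH")
        elif vn[len("USER_DEFINED_FIELD_"):] not in ("0", "1"):
            errs.append("warning: only the first two UDAs reach accounting logs")
    return errs

def validate(rows):
    """Map row index -> problem list for every row that did not pass cleanly."""
    return {i: e for i, r in enumerate(rows) if (e := check_row(r))}

# Constructed sample modelled on Table F-10, plus two deliberately bad rows.
SAMPLE = [
    {"Action": 102, "UN": "fred", "V1": "freds_password"},
    {"Action": 105, "UN": "fred", "V1": "freds_enable_password", "V2": "10"},
    {"Action": 140, "GN": "Group 2", "V1": "1" * 168},
    {"Action": 1, "UN": "fred", "VN": "USER_DEFINED_FIELD_0", "V1": "Fred Jones",
     "V2": "TYPE_STRING", "AI": "APP_CSAUTH"},
    {"Action": 103, "UN": "fred", "V1": "abc"},                     # too short
    {"Action": 105, "UN": "fred", "V1": "freds_enable_password", "V2": "16"},
]
```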