|
|
This appendix provides the following configuration listings:
The following listing represents the complete running configuration for the router and NAS used to illustrate AAA implementation in this solution guide. Listings are included for TACACS+ and RADIUS configurations.
The following example of a local-based router configuration includes both dial-in and EXEC shell access configurations.
maui-rtr-03#show running-config Building configuration... Current configuration: ! ! Last configuration change at 09:19:35 CST Thu Apr 13 2000 by brownr ! NVRAM config last updated at 09:14:55 CST Thu Apr 13 2000 by brownr ! version 12.0 service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption ! hostname maui-rtr-03 ! no logging console aaa new-model aaa authentication login default local enable aaa authentication login NO_AUTHEN none aaa authorization exec default local aaa authorization exec NO_AUTHOR none aaa authorization commands 15 default local aaa authorization commands 15 NO_AUTHOR none aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default stop-only group tacacs+ enable secret 5 xxxxxxxxxxxxxxxxx ! username admin privilege 15 password 7 xxxxxxxxxxxx ! ! ! clock timezone cst -6 clock summer-time CST recurring ip subnet-zero ip domain-name maui-onions.com ip name-server x.x.x.x ip name-server x.x.x.x ! ! ! ! ! ! ! interface Loopback0 ip address 172.22.255.3 255.255.255.255 no ip directed-broadcast ! interface ATM1/0 no ip address no ip directed-broadcast shutdown no atm ilmi-keepalive ! interface Serial2/0 ip address 10.10.10.1 255.255.255.0 no ip directed-broadcast ! interface Serial2/1 no ip address no ip directed-broadcast shutdown ! interface Serial2/2 no ip address no ip directed-broadcast shutdown ! interface Serial2/3 no ip address no ip directed-broadcast shutdown ! interface Ethernet3/0 ip address 172.22.241.3 255.255.255.0 no ip directed-broadcast ip summary-address eigrp 69 172.22.80.0 255.255.240.0 5 ! interface Ethernet3/1 no ip address no ip directed-broadcast shutdown ! interface Ethernet3/2 no ip address no ip directed-broadcast shutdown ! interface Ethernet3/3 no ip address no ip directed-broadcast shutdown ! interface FastEthernet4/0 ip address 172.22.80.1 255.255.255.0 no ip directed-broadcast ip summary-address eigrp 69 172.22.240.0 255.255.240.0 5 half-duplex ! router eigrp 69 network 172.22.0.0 ! ip default-gateway 172.22.53.1 ip classless ip http server ip http authentication aaa ip tacacs source-interface Loopback0 ! snmp-server engineID local 00000009020000D0BB7F5054 snmp-server community cisco xx snmp-server community rules xx snmp-server trap-source Loopback0 snmp-server contact snmp-server enable traps isdn call-information snmp-server enable traps isdn layer2 snmp-server enable traps config snmp-server enable traps envmon tacacs-server host 172.22.53.201 key biteme tacacs-server key ciscorules ! line con 0 authorization commands 15 NO_AUTHOR authorization exec NO_AUTHOR accounting commands 15 NO_ACCOUNT login authentication NO_AUTHEN transport input none line aux 0 line vty 0 4 ! ntp clock-period 17179912 ntp source Loopback0 ntp update-calendar ntp server 172.22.255.1 end
The following example of a server-based NAS configuration includes both dial-in and EXEC shell access configurations for TACACS+ implementations:
maui-nas-03#show running-config Building configuration... Current configuration: maui-nas-03#sh run Building configuration... Current configuration: ! version 12.0 service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption ! hostname maui-nas-03 ! aaa new-model aaa authentication login default group tacacs+ local aaa authentication login NO_AUTHEN none aaa authentication ppp default if-needed group tacacs+ local aaa authorization exec default group tacacs+ if-authenticated aaa authorization exec NO_AUTHOR none aaa authorization commands 15 default group tacacs+ aaa authorization commands 15 NO_AUTHOR none aaa accounting exec default stop-only group tacacs+ aaa accounting commands 15 default stop-only group tacacs+ aaa accounting network default start-stop group tacacs+ ! username admin privilege 15 password 7 xxxxxxxxxxxxx username diallocal access-class 110 password 7 xxxxxxxxxxx username diallocal autocommand ppp spe 1/0 1/7 firmware location system:/ucode/mica_port_firmware spe 2/0 2/7 firmware location system:/ucode/mica_port_firmware ! ! resource-pool disable ! ! ! ! ! clock timezone CST -6 clock summer-time CST recurring ip subnet-zero no ip domain-lookup ip domain-name maui-onions.com ip name-server 172.22.53.210 ! isdn switch-type primary-ni isdn voice-call-failure 0 partition flash 2 24 8 ! ! ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 clock source line secondary 1 ! controller T1 2 clock source line secondary 2 ! controller T1 3 clock source line secondary 3 ! controller T1 4 clock source line secondary 4 ! controller T1 5 clock source line secondary 5 ! controller T1 6 clock source line secondary 6 ! controller T1 7 clock source line secondary 7 ! ! interface Loopback0 ip address 172.22.87.3 255.255.255.255 no ip directed-broadcast no ip route-cache no ip mroute-cache ! interface Loopback1 ip address 172.22.83.1 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache ! interface Ethernet0 no ip address no ip directed-broadcast no ip route-cache no ip mroute-cache shutdown ! interface Serial0 no ip address no ip directed-broadcast encapsulation ppp no ip route-cache no ip mroute-cache shutdown no fair-queue clockrate 2015232 ! interface Serial1 no ip address no ip directed-broadcast no ip route-cache no ip mroute-cache shutdown no fair-queue clockrate 2015232 ! interface Serial2 no ip address no ip directed-broadcast no ip route-cache no ip mroute-cache shutdown no fair-queue clockrate 2015232 ! interface Serial3 no ip address no ip directed-broadcast no ip route-cache no ip mroute-cache shutdown no fair-queue clockrate 2015232 ! interface Serial0:23 description "PRI D channel" ip unnumbered Dialer1 no ip directed-broadcast encapsulation ppp no ip route-cache no logging event link-status timeout absolute 240 0 dialer rotary-group 1 dialer-group 5 no snmp trap link-status isdn switch-type primary-5ess isdn incoming-voice modem no fair-queue compress stac no cdp enable ! interface FastEthernet0 ip address 172.22.80.3 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache duplex auto speed auto ! interface Group-Async1 ip unnumbered Loopback0 no ip directed-broadcast encapsulation ppp no ip route-cache ip tcp header-compression passive no ip mroute-cache no logging event link-status dialer in-band dialer idle-timeout 900 async mode interactive no snmp trap link-status peer default ip address pool default no fair-queue no cdp enable ppp max-bad-auth 3 ppp authentication pap chap group-range 1 192 ! interface Dialer1 no ip address no ip directed-broadcast encapsulation ppp no ip route-cache no ip mroute-cache no logging event link-statustimeout absolute 240 0 dialer in-band dialer idle-timeout 300 either dialer-group 5 no snmp trap link-status peer default ip address pool default no fair-queue compress stac no cdp enable ppp max-bad-auth 3 ppp multilink ! router eigrp 69 network 172.22.0.0 ! ip local pool default 172.22.83.2 172.22.83.254 ip default-gateway 172.22.80.1 ip classless ip tacacs source-interface Loopback0 ip http server ! access-list 110 deny tcp any any eq telnet access-list 110 permit tcp any any tacacs-server host 172.22.53.204 tacacs-server key ciscorules snmp-server engineID local 0000000902000050546B87BC snmp-server community xxxxxxxxx RO snmp-server community xxxxxxxxx RW radius-server host 172.22.53.204 auth-port 1645 acct-port 1646 key ciscorules banner login ^CC Welcome to maui-nas-03 Maui-onions Lab Learning Rack ISG ^C ! line con 0 authorization commands 15 NO_AUTHOR authorization exec NO_AUTHOR login authentication NO_AUTHEN transport input none line 1 192 session-timeout 15 exec-timeout 48 0 autoselect during-login autoselect ppp absolute-timeout 240 script dialer cisco_default refuse-message ^CCCCCCCC!!! All lines are busy, try again later ###^C modem InOut modem autoconfigure type mica transport preferred telnet transport input all transport output pad telnet rlogin udptn line aux 0 line vty 0 4 ! end
The following example of a server-based NAS configuration includes both dial-in and EXEC shell access configurations for RADIUS implementations:
maui-nas-03#show running-config Building configuration... Current configuration: maui-nas-03#sh run Building configuration... Current configuration: ! version 12.0 service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption ! hostname maui-nas-03 ! aaa new-model aaa authentication login default group radius local aaa authentication login NO_AUTHEN none aaa authentication ppp default if-needed group radius local aaa authorization exec default group radius if-authenticated aaa authorization exec NO_AUTHOR none aaa authorization commands 15 NO_AUTHOR none aaa accounting exec default stop-only group radius aaa accounting network default start-stop group radius ! username admin privilege 15 password 7 xxxxxxxxxxxxx username diallocal access-class 110 password 7 xxxxxxxxxxx username diallocal autocommand ppp spe 1/0 1/7 firmware location system:/ucode/mica_port_firmware spe 2/0 2/7 firmware location system:/ucode/mica_port_firmware ! ! resource-pool disable ! ! ! ! ! clock timezone CST -6 clock summer-time CST recurring ip subnet-zero no ip domain-lookup ip domain-name maui-onions.com ip name-server 172.22.53.210 ! isdn switch-type primary-ni isdn voice-call-failure 0 partition flash 2 24 8 ! ! ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 clock source line secondary 1 ! controller T1 2 clock source line secondary 2 ! controller T1 3 clock source line secondary 3 ! controller T1 4 clock source line secondary 4 ! controller T1 5 clock source line secondary 5 ! controller T1 6 clock source line secondary 6 ! controller T1 7 clock source line secondary 7 ! ! interface Loopback0 ip address 172.22.87.3 255.255.255.255 no ip directed-broadcast no ip route-cache no ip mroute-cache ! interface Loopback1 ip address 172.22.83.1 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache ! interface Ethernet0 no ip address no ip directed-broadcast no ip route-cache no ip mroute-cache shutdown ! interface Serial0 no ip address no ip directed-broadcast encapsulation ppp no ip route-cache no ip mroute-cache shutdown no fair-queue clockrate 2015232 ! interface Serial1 no ip address no ip directed-broadcast no ip route-cache no ip mroute-cache shutdown no fair-queue clockrate 2015232 ! interface Serial2 no ip address no ip directed-broadcast no ip route-cache no ip mroute-cache shutdown no fair-queue clockrate 2015232 ! interface Serial3 no ip address no ip directed-broadcast no ip route-cache no ip mroute-cache shutdown no fair-queue clockrate 2015232 ! interface Serial0:23 description "PRI D channel" ip unnumbered Dialer1 no ip directed-broadcast encapsulation ppp no ip route-cache no logging event link-status timeout absolute 240 0 dialer rotary-group 1 dialer-group 5 no snmp trap link-status isdn switch-type primary-5ess isdn incoming-voice modem no fair-queue compress stac no cdp enable ! interface FastEthernet0 ip address 172.22.80.3 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache duplex auto speed auto ! interface Group-Async1 ip unnumbered Loopback0 no ip directed-broadcast encapsulation ppp no ip route-cache ip tcp header-compression passive no ip mroute-cache no logging event link-status dialer in-band dialer idle-timeout 900 async mode interactive no snmp trap link-status peer default ip address pool default no fair-queue no cdp enable ppp max-bad-auth 3 ppp authentication pap chap group-range 1 192 ! interface Dialer1 no ip address no ip directed-broadcast encapsulation ppp no ip route-cache no ip mroute-cache no logging event link-statustimeout absolute 240 0 dialer in-band dialer idle-timeout 300 either dialer-group 5 no snmp trap link-status peer default ip address pool default no fair-queue compress stac no cdp enable ppp max-bad-auth 3 ppp multilink ! router eigrp 69 network 172.22.0.0 ! ip local pool default 172.22.83.2 172.22.83.254 ip default-gateway 172.22.80.1 ip classless ip tacacs source-interface Loopback0 ip http server ! access-list 110 deny tcp any any eq telnet access-list 110 permit tcp any any tacacs-server host 172.22.53.204 tacacs-server key ciscorules snmp-server engineID local 0000000902000050546B87BC snmp-server community xxxxxxxxx RO snmp-server community xxxxxxxxx RW radius-server host 172.22.53.204 auth-port 1645 acct-port 1646 key ciscorules banner login ^CC Welcome to maui-nas-03 Maui-onions Lab Learning Rack ISG ^C ! line con 0 authorization commands 15 NO_AUTHOR authorization exec NO_AUTHOR login authentication NO_AUTHEN transport input none line 1 192 session-timeout 15 exec-timeout 48 0 autoselect during-login autoselect ppp absolute-timeout 240 script dialer cisco_default refuse-message ^CCCCCCCC!!! All lines are busy, try again later ###^C modem InOut modem autoconfigure type mica transport preferred telnet transport input all transport output pad telnet rlogin udptn line aux 0 line vty 0 4 ! end
Configurations addressed in this section focus on router administration configurations. Router administration configurations cause functions to run within the router shell. Examples include commands executed from a the router console, commands executed with a VTY connection, and a shell-initiated session established using a modem. Each is an example of an EXEC function. Table A-1 provides commands relevant for a router in a Cisco IOS AAA environment.
| Cisco IOS Command | Description/Application Comment |
|---|---|
| tacacs-server key secret-key | Specifies encryption key; must be the same in AAA server. |
| aaa new-model | Enables AAA. Forces an implicit login authentication default against all lines/console interfaces and an implicit ppp authentication pap default against all PPP interfaces. |
| aaa authentication login default group tacacs+ | Causes router to forward all login requests to AAA server. |
| aaa authorization exec default group tacacs+ if-authenticated | Use default list for authorization to verify service=shell attribute is assigned to user and download appropriate shell attributes assigned in AAA server. |
| aaa authorization commands 15 default group tacacs+ if-authenticated | Use command authorization for privilege level 15 commands that must be assigned to router users for successful operation of these commands. |
| aaa accounting exec default start-stop group tacacs+ | Logs EXEC shell information for user profile in start-stop TACACS+ format. |
| aaa accounting commands 15 default stop-only group tacacs+ | Sends TACACS+ accounting stop record at the end of a privilege level 15 command. |
| aaa accounting system default stop-only group tacacs+ | Performs accounting for all system level events not associated with users, such as reloads in stop-start TACACS+ format. |
| ip tacacs source-interface FastEthernet0/0/0 | Specifies this interface IP address for management in the AAA server. |
| ip http server | Enables HTTP server access. |
| ip http authentication aaa | Forces AAA authentication and authorization at privilege level 15. |
| tacacs-server host IP-address | Specifies AAA server. |
Configurations addressed in this section focus on AAA with PPP. These configurations differ from router administration configurations. PPP is a network level function and is separate from router shell functions. You can configure PPP to be initiated automatically or you can initiate PPP with a terminal window after dialing in to a NAS. Table A-2 lists commands relevant for a NAS providing PPP access a Cisco IOS AAA environment.
 |
Note The following table lists Cisco IOS configuration commands required to support both TACACS+ and RADIUS AAA implementations. |
| IOS Command | Description/Application Comment |
|---|---|
| aaa new-model | Enables authentication, authorization, and accounting. Forces an implicit login authentication default against all lines/console interfaces and an implicit ppp authentication pap default against all ppp interfaces. |
| aaa authentication login default group tacacs+ | Causes router to forward all login requests to a TACACS+ server. |
| aaa authentication login default group radius | Causes router to forward all login requests to a RADIUS server. |
| aaa authentication ppp default if-needed group radius | Use default list for PPP authentication; the if-needed keyword allows clients using "Terminal Window after Dial" option to successfully authenticate to RADIUS server and negotiate PPP, without using Windows dialup networking username and password combination. |
| aaa authentication ppp default if-needed group tacacs+ | Use default list for PPP authentication; the if-needed keyword allows clients using "Terminal Window after Dial" option to successfully authenticate to TACACS+ server and negotiate PPP, without using Windows dialup networking username and password combination. |
| aaa authorization exec default group radius if-authenticated | Use default list to verify authorization. |
| aaa authorization exec default group tacacs+ if-authenticated | Use default list for authorization to verify service=shell attribute is assigned to user and download appropriate shell attributes assigned in AAA server. |
| aaa authorization network default group tacacs+ if-authenticated | Use default list for authorization to verify service=-ppp attribute is assigned to user or group and download appropriate PPP attributes assigned in AAA server. Command specifies that authorization is only permitted if user or group is properly authenticated through TACACS+. |
| aaa authorization network default group radius if-authenticated | Use default list for authorization to verify Service-Type=Framed attribute is assigned to user or group and download appropriate PPP attributes assigned in AAA server. Command specifies that authorization is only permitted if user or group is properly authenticated through RADIUS. |
| aaa accounting exec default start-stop group tacacs+ | Logs EXEC shell information for user profile in start-stop TACACS+ format. |
| aaa accounting network default start-stop group tacacs+ | Logs all network related services requests, such as PPP in stop-start TACACS+ format. |
| aaa accounting exec default start-stop group radius | Logs EXEC shell information for user profile in start-stop RADIUS format. |
| aaa accounting network default start-stop group radius | Logs all network related services requests, such as PPP in stop-start RADIUS format. |
| tacacs-server host IP-address key secret-key | Specifies AAA server. Specifies encryption key; must be the same in AAA server. |
| radius-server host IP-address auth-port 1645 acct-port 1646 key secret-keys | Specifies RADIUS AAA server IP address by using default UDP Port 1645 for authentication and authorization and UDP Port 1646 for accounting. |
This section provides the following listings:
For a complete description of AAA server files, go to:
# cd /opt/ciscosecure/config
# ls
CSConfig.ini CSU.cfg CSU.cfg.sav
# cat CSU.cfg
LIST config_license_key = {"a73dc113d300a5ba3459"};
STRING config_update_log_filename = "/opt/ciscosecure/logfiles/passwd_chg.log";
/* store accounting records here when database fails */
/* default = /var/log/CSAccountingLog */
STRING config_acct_filename = "/var/log/CSAccountingLog";
/* AAA Server Metrics */
/* default = 0 (disable) */
NUMBER config_metrics_enable = 0; /* 1 to enable, 0 to disable */
/* default = 8 seconds */
NUMBER config_metrics_log_interval = 8; /* in seconds */
/* Callerid as Username */
/* default = 1 (enable) */
NUMBER config_callerid_enable = 1; /* 1 to enable, 0 to disable */
/* Use default user profile when user/callerid can't be found */
/* default = 1 (enable) */
NUMBER config_defaultuser_enable = 1; /* 1 to enable, 0 to disable */
/* AAA Server MaxSessions Configuration */
/* default = 0 (disable) */
NUMBER config_maxsessions_enable = 0; /* 1 to enable, 0 to disable */
/* default = 24 hours */
NUMBER config_maxsessions_session_timeout = 1440; /* in minutes */
/* default = 60 minutes */
NUMBER config_maxsessions_purge_interval = 60; /* in minutes */
/* AAA Server Distributed MaxSessions Configuration */
/* default = 0 (disable) */
NUMBER config_distmaxsessions_enable = 0; /* 1 to enable, 0 to disable */
/* default = 0 (disabled) */
NUMBER config_dms_periodic_stats_interval = 0; /* 0 to disable, otherwise inte
rval in seconds */
/* Cryptocard challenge lookahead */
/* default = 0, which is same as 1, do only 1 challenge, don't look ahead */
/* the maximum number of challenge look ahead is 20 */
NUMBER config_cryptocard_challenge_lookahead = 0;
/* Group Profile Cache Timeout; 0 == no timeout */
/* default = 5 seconds */
NUMBER config_cache_group_timeout = 5; /* in seconds */
/* Per-user accounting function */
/* default = 1 (enable) */
NUMBER config_acct_fn_enable = 1; /* 1 to enable, 0 to disable */
/* Extended Radius support */
NUMBER config_hex_string_support_enable = 0; /* 1 to enable, 0 to disable */
STRING config_server_ip_address = "172.23.25.41";
NUMBER config_token_cache_absolute_timeout = 86400;
NUMBER config_system_logging_level = 0x80;
NUMBER config_logging_configuration = 0xffffffff;
NUMBER config_warning_period = 20;
NUMBER config_expiry_period = 60;
NUMBER config_local_timezone = -8; /* set this for your timezone */
NUMBER config_use_host_timezone = 0; /* set value to 1 to always use system time */
NUMBER config_record_write_frequency = 5; /* update frequency in seconds */
NUMBER config_max_failed_authentication = 10; /* nmbr of authen fails accepted *
/
/* before account is disabled. *
/
NAS config_nas_config = {
{
"", /* NAS name can go here */
"ciscorules", /* NAS/CiscoSecure secret key */
"", /* message_catalogue_filename */
1, /* username retries */
2, /* password retries */
1 /* trusted NAS for SENDPASS */
}
};
AUTHEN config_external_authen_symbols = {
{
"./libskey.so",
"skey"
}
,
{
"./libpap.so",
"pap"
}
,
{
"./libchap.so",
"chap"
}
,
{
"./libarap.so",
"arap"
}
};
AUTHOR config_external_author_symbols = {
{
"./libargs.so",
"process_input_arguments",
"process_input_arguments_ok",
"process_input_arguments_fail",
"process_output_arguments",
"process_output_arguments_ok",
"process_output_arguments_fail"
}
};
/*
* Sample of pre/post process configuration.
*
AUTHOR config_external_author_symbols = {
{
"./libcustomerprovided.so",
"customer_function"
}
};
*
* end sample
*/
ACCT config_external_acct_symbols = {
{
"./libacctmember.so",
"acct_member_fn"
}
};
ADMIN config_external_admin_symbols = {
"./libadmin.so"
};
DB config_external_database_symbols = {
{
"./libdb.so",
"",
""
}
};
PARSER config_external_parser_symbols = {
"./libt+.so"
};
EVENT config_external_event_symbols = {
{
"./libdb.so",
"",
""
}
};
DMS config_external_dms_symbols = {
"./libCiscoDMS.so"
};
#
#
# #cat CSConfig.ini ############################################################ # # $Archive: $ # # (C) Copyright 1996 Cisco Systems. All rights reserved. # # This is CiscoSecure DBServer main initialization file. # # $Log: $ # # $NoKeyWords: $ # ############################################################ ;<--------------------- Ruler Line --------------------------------------------> ; 1 2 3 4 5 6 7 8 ;2345678901234567890123456789012345678901234567890123456789012345678901234567890 ; ;------------------------------------------------------------------------------- [System] ; Location where the system is installed RootDir=/opt/ciscosecure ; Location of the default profile (default= $RootDir/config/DefaultProfile) DefaultProfile=/opt/ciscosecure/config/DefaultProfile ;------------------------------------------------------------------------------- [System Error] SysErrorFileDir = /opt/ciscosecure/logfiles ; DBServer gets the default path for System error handler here ; if it was not specified at command line with option ; [-LOGPATH path] when starting the DBServer deamon. ; DBServer must have sufficient access privilege to create this : path and the log file if it does not already exist. ; log levels are 1 thru 10 where Minor=1, Moderate=5, Severe=8, Catastrophic=10 ; (note: Catastrophic errors will shutdown the daemon) MinLogLevel = 8 ;------------------------------------------------------------------------------- [SessionMgr] ; Session Manager configurables, purge interval is in minutes MaxSessions=1000 PurgeInterval=60 ;------------------------------------------------------------------------------- [AccountingMgr] ;If this parameter=enable then log acct packets into cs_accounting_log database table LogRawAccountingPacketToDB = enable ;If we are logging accounting records then this parameter decides whether to buffer the records ; in memory and then save them to the database using a background process. Enabl ing this will ; increase burst authentication performance. ;If enabled the DBServer will create enough buffers to match the value of 2 less than ; the number of database connections available. ; NOTE: There is a risk of losing records that are in memory in the event of the DBServer going ; down ungracefully. BufferAccountingPackets = enable ;This parameter decides the size of each accounting packet buffer. Legal values are from 5 to 1000 AccountingBufferSize = 500 ; if parameter=enable then dbserver will process user max session info and save in memory, ; if disabled then ArchiveMaxSessionInfoToDB will also be disabled. ProcessInMemoryMaxSessionInfo = enable ; If this parameter=enable then log user max session info into cs_user_accounting database table ; Note that if the BufferAccountingPackets parameter is enabled AND ProcessInMemoryMaxSessionInfo ; is enabled then max session info records will be buffered as well. ArchiveMaxSessionInfoToDB = enable ; This is how often (in minutes) the system checks for accounting sessions to ; purge. ; NOTE: The purge interval is actually dependant upon a system background task ; that is not guaranteed to run more frequently than 60 minutes. This ; value is therefore not accurate to the minute and should not be set to ; less than 60. AcctPurgeInterval=60 ; This is how long (in minutes) a session can be considered ; active before it is purged. ; NOTE: This value is dependent on the AcctPurgeInterval setting and is not ; accurate to the minute. It is not intended to be set to less than 60. AcctPurgeTimeOut=1440 ;------------------------------------------------------------------------------- [DBServer] DBServerName = CSdbServer Protocol=TCP MaxPacketSize = 4096 ; Each DBServer process should have it's own unique name. ; Do not put the hostname here in case more than one instance ; of the DBServer is running on the same machine ;The following is for internal use only by the DBServer ;Date format expected from the client application such as the GUI, ;to be used for parsing date/time string. The dbserver will reject ;inputs that contains other date/time format. This format will also ;be used to return date/time strings. ;Examples, "d MMM yyyy" => "12 Feb 1997", "EEE MMM d hh:mm:ss z yyyy" => "Tue Ap r 1 09:26:55 PST 1997" DateFormat = "d MMM yyyy" DateTimeFormat = "EEE MMM d hh:mm:ss z yyyy" ;------------------------------------------------------------------------------- [ValidClients] 100 = sleddog ; Add list of trusted clients above ^^^^ in the format: ; ClientID = Client's Host Name ; CGI stub's clientID=100, and it's host name ; For example 100 = localhost or 100 = 192.92.182.2 ; 101 = 192.92.190.5 ; ;if ValidateClients=true, then we only allow the clients with ids listed ;above to connect to the dbserver ValidateClients = false ;if FastAdminValidateClients = true, then we only allow the clients with ids ;listed below to connect to the FastAdmin FastAdminValidateClients = false ;------------------------------------------------------------------------------- [Protocol TCP] HostName = sleddog Port = 9900 ; Name of host server ; Daemon port number ;Port=5001 ;------------------------------------------------------------------------------- [Workers Pool] ; Maximum numbers of connection workers in pool, beyond which ; newly added workers will be ignored (or deleted). MaxInPool=50 ;------------------------------------------------------------------------------- [Database] DataSource = ORACLE DriverType = JDBC-Weblogic-Oracle ; Specify the rdbms installed and the driver type ; (ODBC or JDBC) that interfaces with the rdbms. ; Driver=ODBC or Driver=JDBC, then go to the [ODBC] ; or [JDBC] section to fill in the URL info. # Oracle with ODBC ;DataSource = ORACLE ;DriverType = ODBC-Visigenic-Oracle # Oracle with JDBC ;DataSource = ORACLE ;DriverType = JDBC-Weblogic-Oracle # SQLAnywhere with ODBC ;DataSource = SQLAnywhere ;DriverType = ODBC-SQLAnywhere # Sybase with ODBC ;DataSource = SYBASE ;DriverType = ODBC-Visigenic-Sybase # Sybase with JDBC ;DataSource = SYBASE ;DriverType = JDBC-Weblogic-Sybase # Test with some other DB that we did not qualify ;DataSource = OtherDB ;DriverType = ODBC-Visigenic # names of data dictionary ProfileAttr = cs_profile_attr_dict ProfileCol = cs_profile_col_dict UserAcct = cs_user_account_attr_dict ;------------------------------------------------------------------------------- [SQLAnywhere] ;this is the bundle database ConnectionLicense = 12 Username = DBA Password = SQL ;------------------------------------------------------------------------------- [OtherDB] ;number of open connections allowed to the data source(based on db license) ConnectionLicense = 1 Username = csecure Password = csecure ;------------------------------------------------------------------------------- [ORACLE] ;number of open connections allowed to the data source(based on db license) ConnectionLicense=4 Username = csecure Password = csecure ;------------------------------------------------------------------------------- [SYBASE] ;number of open connections allowed to the data source(based on db license) ConnectionLicense = 8 Username = csecure Password = csecure ;------------------------------------------------------------------------------- [ODBC-SQLAnywhere] ;ODBC driver information Manager = sun.jdbc.odbc.JdbcOdbcDriver Driver = jdbc:odbc:SQLAnywhere;ENG=csecure;DBF=<database_file>;Start="dbeng50 -u d" ;Property below is required for internal use only: connection usage property PrepareStatement = 0 ;------------------------------------------------------------------------------- [ODBC-Visigenic-Oracle] ;ODBC driver information Manager = sun.jdbc.odbc.JdbcOdbcDriver Driver = jdbc:odbc:Oracle ;Property below is required for internal use only: connection usage property PrepareStatement = 1 ;------------------------------------------------------------------------------- [ODBC-Visigenic-Sybase] ;ODBC driver information Manager = sun.jdbc.odbc.JdbcOdbcDriver Driver = jdbc:odbc:SybaseDBLib ;Property below is required for internal use only: connection usage property PrepareStatement = 1 ;------------------------------------------------------------------------------- [JDBC-Weblogic-Oracle] ;JDBC driver information Manager=cisco.ciscosecure.dbserver.jdbc.WeblogicOciDriverManager Driver=jdbc:weblogic:oracle:ciscosj ;Property below is required for internal use only: connection usage property PrepareStatement = 1 ;------------------------------------------------------------------------------- [JDBC-Weblogic-Sybase] ;JDBC driver information Manager=cisco.ciscosecure.dbserver.jdbc.WeblogicDBLibDriverManager Driver=jdbc:weblogic:sybase ;Property below is required for internal use only: connection usage property PrepareStatement = 1 ;------------------------------------------------------------------------------- [ProfileCaching] EnableProfileCaching = OFF ;Polling period in minutes for cs_trans_log table ; Interval in seconds can be specified by fraction. ; For example, '5/60' denotes 5 seconds and '1 1/2' denotes 90 seconds. ; Setting to 0 disbles polling. DBPollInterval = 30 ;-------------------------------------------------------------------------------
#su - oracle Sun Microsystems Inc. SunOS 5.5.1 Generic May 1996 $env HOME=/export/home/oracle HZ=100 LD_LIBRARY_PATH=/opt/oracle/product/7.3.4/lib:/usr/openwin/lib:/usr/dt/lib:/usr/ lib LOGNAME=oracle ORACLE_DOC=/doc ORACLE_HOME=/opt/oracle/product/7.3.4 ORACLE_SID=ciscosj ORACLE_TERM=xsun5 ORAENV_ASK=NO PATH=/usr/bin::/opt/oracle/product/7.3.4:/opt/oracle/product/7.3.4/bin:/usr/ccs/ bin: SHELL=/bin/sh TERM=ansi TMPDIR=/var/tmp TNS_ADMIN=/opt/oracle/product/7.3.4/network/admin TZ=GMT-8
$cd $ORACLE_HOME/
$ls
bin jdbc nlsrtl3 orainst precomp sqlplus
book22 lib ocommon otrace rdbms svrmgr
dbs network oracore3 plsql slax
$cd network/admin
$ls
csmgen.tcl listener.ora tcl7.4 tnsnames.ora
csmman.man sqlnet.fdf tk4.0
$cat listener.ora
#
# Installation Generated Net V2 Configuration
# Version Date: Sep-16-97
# Filename: Listener.ora
#
LISTENER =
(ADDRESS_LIST =
(ADDRESS= (PROTOCOL= IPC)(KEY= ciscosj))
(ADDRESS= (PROTOCOL= IPC)(KEY= PNPKEY))
(ADDRESS= (PROTOCOL= TCP)(Host= sleddog)(Port= 1521))
)
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(GLOBAL_DBNAME= sleddog.)
(ORACLE_HOME= /opt/oracle/product/7.3.4)
(SID_NAME = ciscosj)
)
)
STARTUP_WAIT_TIME_LISTENER = 0
CONNECT_TIMEOUT_LISTENER = 10
TRACE_LEVEL_LISTENER = OFF
$ls
csmgen.tcl listener.ora tcl7.4 tnsnames.ora
csmman.man sqlnet.fdf tk4.0
$cat tnsnames.ora
#
# Installation Generated NetV2 Configuration
# Version Date: Sep-30-97
# Filename: Tnsnames.ora
#
ciscosj =
(DESCRIPTION =
(ADDRESS = (PROTOCOL= TCP)(Host= sleddog)(Port= 1521))
(CONNECT_DATA = (SID = ciscosj))
)
$CSUBASE/logfiles/cs_install.log $CSUBASE/logfiles/cs_shutdown.log $CSUBASE/logfiles/cs_startup.log $CSUBASE/logfiles/csdblog_<date> $CSUBASE/logfiles/passwd_chg.log $CSUBASE/ns-home/CSUServer/logs/access $CSUBASE/ns-home/CSUServer/logs/errors $CSUBASE/ns-home/admserver/errors $CSUBASE/ns-home/admserver/access $CSUBASE/ns-home-httpd-csuserver/logs
Posted: Fri Jun 2 19:51:05 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.