
Configuring CiscoSecure UNIX Server Software

This chapter describes how to configure and use the CiscoSecure UNIX Server software. It contains the following sections:

To configure and use CiscoSecure UNIX Server software, you need the following files:

Server Control File

The server control file is the main file required for setting up CiscoSecure UNIX Server software. This file includes basic configuration parameters for each network access server that is to be serviced, and specifies the following information:

The Network Access Server-specific parameters are as follows:

The syntax of the server control file is similar to C syntax. Each statement or grouping is terminated by a semicolon. Comments begin with the characters "/*" and end with the characters "*/". A statement may be continued on the next line by ending the current line with a backslash (\). A sample server control file follows:

/*
 * CiscoSecure UNIX Server example control file
 */
 
/* The license for this server. Multiple license keys may
 * be specified, each separated by a comma.
 */
LIST config_license_key = {"061db8afcf66db981f3c", \
                           "7f4f9db4d7ce8ed85b69" };
 
/* The pathname of the Configuration Database */
LIST config_aa_database_filename = {"./configuration.database"};
 
/*
 * The pathname of the accounting log file - if this
 * variable is not specified then accounting information is not recorded.
 */
STRING config_accounting_database_filename = "/tmp/acct";
 
/* Default logging configuration - basic information is logged */
NUMBER config_logging_configuration = 0x7e;
 
/*
 * The maximum number of seconds to hold accounting information before
 * writing it to the accounting file (if specified).
 */
NUMBER config_accounting_write_frequency = 5;
 
/*
 * Per-NAS configuration records. The default encryption key is "arachnid"
 * for all NAS except 'boggle', which is using "heliotrope".
 */
NAS config_nas_config = {
  {
    "",		/* NAS name */
    "arachnid",		/* secret key */
    "cat_1",		/* message_catalogue_filename */
    1,		/* Authentication: username retries */
    3,		/* Authentication: password retries */
    1,		/* is default NAS configuration */
    1,		/* trusted NAS for SENDPASS */
    30		/* Password expiry period in days */
  },
  {
    "boggle",		/* NAS name */
    "heliotrope",		/* secret key */
    "",		/* message_catalogue_filename */
    2,		/* Authentication: username retries */
    2,		/* Authentication: password retries */
    0,		/* is not the default NAS configuration */
    0,		/* not a trusted NAS for SENDPASS */
    10		/* Password expiry period in days */
  }
};
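As an added example (not part of the Cisco documentation or product), the following Python reads a control file written in the syntax described above: it strips /* */ comments, joins backslash-continued lines, and parses each TYPE name = value; statement, including the nested records of a NAS list. The sample text is constructed for the example and is not the page's own file.

```python
import re

SAMPLE = r'''/* constructed sample, not the page's file */
LIST config_license_key = {"061db8afcf66db981f3c", \
       "7f4f9db4d7ce8ed85b69" };
NUMBER config_logging_configuration = 0x7e;
NUMBER config_system_priority_level = -4;
NAS config_nas_config = {
  { "", "arachnid", "cat_1", 1, 3, 1, 1, 30 },   /* default NAS record */
  { "boggle", "heliotrope", "", 2, 2, 0, 0, 10 }
};'''

# quoted string | number (decimal or 0x hex) | punctuation | keyword or name | anything else
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(-?(?:0[xX][0-9a-fA-F]+|\d+))|([{},;=])|(\w+)|(\S)')
KINDS = ('str', 'num', 'punct', 'word', 'bad')

def tokenize(text):
    """Strip /* */ comments, join backslash-continued lines, yield (kind, value) tokens."""
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S).replace('\\\n', ' ')
    for m in TOKEN.finditer(text):
        kind, val = KINDS[m.lastindex - 1], m.group(m.lastindex)
        if kind == 'bad':
            raise ValueError(f'unexpected character {val!r}')
        yield kind, int(val, 16 if 'x' in val.lower() else 10) if kind == 'num' else val

def parse_value(toks, i):
    """Parse the value at toks[i]; braces nest, so NAS records recurse into lists."""
    kind, val = toks[i]
    if kind in ('str', 'num'):
        return val, i + 1
    if (kind, val) != ('punct', '{'):
        raise ValueError(f'unexpected token {val!r}')
    items, i = [], i + 1
    while toks[i] != ('punct', '}'):
        item, i = parse_value(toks, i)
        items.append(item)
        if toks[i] == ('punct', ','):
            i += 1
    return items, i + 1

def parse_control_file(text):
    """Return {name: (TYPE, value)} for every 'TYPE name = value;' statement."""
    toks, i, config = list(tokenize(text)), 0, {}
    while i < len(toks):
        (_, typ), (_, name), eq = toks[i], toks[i + 1], toks[i + 2]
        value, i = parse_value(toks, i + 3)
        if eq != ('punct', '=') or toks[i] != ('punct', ';'):
            raise ValueError(f'malformed statement for {name}')
        config[name] = (typ, value)
        i += 1
    return config
```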

The variables shown in Table C-1 are valid in CiscoSecure UNIX Server software control files. Each entry gives the variable's type, name, default value, description, and an example statement.

Table C-1: Variables in Software Control Files

Type:        List
Name:        config_aa_database_filename
Default:     None
Description: A list of the names of the AA databases to load.
Example:     LIST config_aa_database_filename = { "./db.1", "./db.2" };

Type:        List
Name:        config_license_key
Default:     None
Description: A list of the license keys used to enable the product.
Example:     LIST config_license_key = { "061db8afcf66db981f3c", "7f4f9db4d7ce8ed85b69" };

Type:        String
Name:        config_accounting_database_filename
Default:     None
Description: The name of the accounting database.
Example:     STRING config_accounting_database_filename = "./accounting";

Type:        String
Name:        config_update_log_filename
Default:     None
Description: The name of the file that keeps the results of password changes, etc.
Example:     STRING config_update_log_filename = "./updates";

Type:        Number
Name:        config_accounting_write_frequency
Default:     10 (seconds)
Description: How often to write the buffered accounting data to disk, in seconds.
Example:     NUMBER config_accounting_write_frequency = 20;

Type:        Number
Name:        config_delay_on_blocking
Default:     100000 (0.1 seconds)
Description: How long to let the connection 'sleep' when EWOULDBLOCK is returned, in microseconds.
Example:     NUMBER config_delay_on_blocking = 200000;

Type:        Number
Name:        config_expiry_period
Default:     30 (days)
Description: How long, in days, before a (new) password changed via CHPASS expires.
Example:     NUMBER config_expiry_period = 30;

Type:        Number
Name:        config_warning_period
Default:     10 (days)
Description: The period, in days, before a password expires during which the user is warned that the password will expire soon.
Example:     NUMBER config_warning_period = 10;

Type:        Number
Name:        config_get_names_from_dns
Default:     1 (true)
Description: Whether the server should perform IP address to hostname lookups.
Example:     NUMBER config_get_names_from_dns = 0;

Type:        Number
Name:        config_limit_for_idle_connection
Default:     300 (seconds)
Description: Maximum time to hold an idle NAS connection open, in seconds.
Example:     NUMBER config_limit_for_idle_connection = 300;

Type:        Number
Name:        config_nodelay_for_tcp
Default:     1 (on)
Description: Whether to set TCP_NODELAY on TCP sockets, and thus turn off the Nagle algorithm. Should be left on for performance reasons.
Example:     NUMBER config_nodelay_for_tcp = 1;

Type:        Number
Name:        config_priv_level_for_own_CHPASS
Default:     1
Description: Privilege level at which a user may change his or her own password.
Example:     NUMBER config_priv_level_for_own_CHPASS = 1;

Type:        Number
Name:        config_receive_buffer_size
Default:     16384 (16 KB)
Description: Buffer size to allocate for receiving on each TCP connection.
Example:     NUMBER config_receive_buffer_size = 8192;

Type:        Number
Name:        config_send_buffer_size
Default:     16384 (16 KB)
Description: Buffer size to allocate for sending on each TCP connection.
Example:     NUMBER config_send_buffer_size = 8192;

Type:        Number
Name:        config_system_logging_level
Default:     0x80 (LOG_LOCAL0)
Description: Syslog facility under which to log.
Example:     NUMBER config_system_logging_level = 0x80;

Type:        Number
Name:        config_system_priority_level
Default:     -4
Description: System priority ('nice' value) to assign the CiscoSecure daemon.
Example:     NUMBER config_system_priority_level = -4;

Type:        Number
Name:        config_use_keepalives
Default:     1 (on)
Description: Whether to set SO_KEEPALIVE on TCP sockets, so that the server is informed more quickly of a network or NAS failure.
Example:     NUMBER config_use_keepalives = 1;

Type:        Number
Name:        config_logging_configuration
Default:     0x7E
Description: Configures logging parameters. The default (0x7E) turns on all the standard logging levels. Additional details and protocol debugging information can be obtained by the logical OR of the values described in Table C-2 through Table C-6.
Example:     NUMBER config_logging_configuration = 0x7E;
The logging levels are listed in Table C-2.

Table C-2: Logging levels

Name         Value  Description
LOG_DEBUG    0x2    Debug messages
LOG_INFO     0x4    Informational messages
LOG_NOTICE   0x8    Notices
LOG_WARNING  0x10   Warnings
LOG_ERROR    0x20   Errors
LOG_ALERT    0x40   Alerts

Authentication information is listed in Table C-3.

Table C-3: Authentication Information

Name           Value  Description
AUTHEN_OK      0x100  Successful authentication operations
AUTHEN_FAIL    0x200  Failed authentication operations
AUTHEN_ERROR   0x400  Authentication operations that result in an error
AUTHEN_OUTPUT  0x800  All authentication information

Authorization information is listed in Table C-4.

Table C-4: Authorization Information

Name               Value    Description
AUTHOR_OK          0x1000   Successful authorization operations
AUTHOR_FAIL_CMD    0x2000   Authorization failed for command
AUTHOR_FAIL_ARG    0x4000   Authorization failed: bad arguments
AUTHOR_FAIL_OTHER  0x8000   Authorization failed for other reasons
AUTHOR_ERROR       0x10000  Authorization errors

Accounting information is listed in Table C-5.

Table C-5: Accounting Information

Name           Value     Description
ACCOUNT_OK     0x100000  Successful accounting operations
ACCOUNT_FAIL   0x200000  Failed accounting operations
ACCOUNT_ERROR  0x400000  Errors in accounting operations

Protocol logging information is listed in Table C-6.

Table C-6: Protocol Logging

Name            Value       Description
ERRNO_INFO      0x10000000  Many types of protocol and operational errors
SERVICE_INFO    0x20000000  Major protocol operations
PROTOCOL_ERROR  0x40000000  TACACS+ protocol errors
PACKET_INFO     0x80000000  Display TACACS+ protocol packets

Type:        NAS
Name:        config_nas_config
Default:     None
Description: A list of NAS configuration records. Each record must contain the values in the order that follows.

Order of Values in the NAS Configuration Records

Each value in a NAS Configuration record should be listed in the following order:

    1. Network access server name

    2. Encryption key

    3. Message catalog filename

    4. Number of username retries allowed

    5. Number of password retries allowed

    6. Value of nonzero if this record is the default network access server description

    7. A value which is nonzero if the network access server is trusted to send replies to SENDPASS

    8. Number of days during which users are warned of a pending password expiration

An example NAS configuration entry follows:

NAS config_nas_config = {
  {
    "",          /* any NAS name */
    "zeotrope",  /* secret encryption key */
    "./cat_1",   /* message_catalogue_filename */
    1,           /* username retries */
    3,           /* password retries */
    1,           /* this record is the default for any NAS not specifically listed */
    1,           /* trusted NAS for SENDPASS */
    5            /* password expiration period, in days */
  }
};
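The flag values in Tables C-2 through C-6 are meant to be ORed together into config_logging_configuration. The following Python helper is an added example, not Cisco code: it decodes a value into flag names, reports bits that match no documented flag, composes a value from names, and lists which failure and error categories a setting leaves unlogged (the default 0x7E, for instance, records none of the AUTHEN_FAIL or AUTHOR_FAIL events that a monitoring team would normally want).

```python
# Flag values copied from Tables C-2 to C-6 (logging levels, authentication,
# authorization, accounting and protocol logging). Every flag is a distinct bit.
LOG_FLAGS = {
    'LOG_DEBUG': 0x2, 'LOG_INFO': 0x4, 'LOG_NOTICE': 0x8,
    'LOG_WARNING': 0x10, 'LOG_ERROR': 0x20, 'LOG_ALERT': 0x40,
    'AUTHEN_OK': 0x100, 'AUTHEN_FAIL': 0x200, 'AUTHEN_ERROR': 0x400, 'AUTHEN_OUTPUT': 0x800,
    'AUTHOR_OK': 0x1000, 'AUTHOR_FAIL_CMD': 0x2000, 'AUTHOR_FAIL_ARG': 0x4000,
    'AUTHOR_FAIL_OTHER': 0x8000, 'AUTHOR_ERROR': 0x10000,
    'ACCOUNT_OK': 0x100000, 'ACCOUNT_FAIL': 0x200000, 'ACCOUNT_ERROR': 0x400000,
    'ERRNO_INFO': 0x10000000, 'SERVICE_INFO': 0x20000000,
    'PROTOCOL_ERROR': 0x40000000, 'PACKET_INFO': 0x80000000,
}

# Categories a detection team usually wants recorded (chosen for this example).
FAILURE_FLAGS = ('AUTHEN_FAIL', 'AUTHEN_ERROR', 'AUTHOR_FAIL_CMD', 'AUTHOR_FAIL_ARG',
                 'AUTHOR_FAIL_OTHER', 'AUTHOR_ERROR', 'ACCOUNT_FAIL', 'ACCOUNT_ERROR')

def decode_logging(value):
    """Return (names of the flags set in value, bits that match no documented flag)."""
    names = [name for name, bit in LOG_FLAGS.items() if value & bit]
    unknown = value & ~sum(LOG_FLAGS.values())
    return names, unknown

def compose_logging(*names):
    """OR the named flags together; an unknown name raises KeyError instead of being dropped."""
    value = 0
    for name in names:
        value |= LOG_FLAGS[name]
    return value

def unlogged_failures(value):
    """Failure and error categories that the given value leaves unlogged."""
    return [name for name in FAILURE_FLAGS if not value & LOG_FLAGS[name]]

def control_file_statement(value):
    """Render the value as the control-file statement shown in Table C-1."""
    return f'NUMBER config_logging_configuration = 0x{value:X};'
```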

Message Catalogs

A catalog of messages forms part of the configurable data of the CiscoSecure server. A message catalog contains all messages that should be returned to users during transactions with the network access server and the CiscoSecure UNIX Server software, allowing multiple languages (such as French, German, and English) to be supported by the CiscoSecure UNIX Server software without having to change any major configuration in the CiscoSecure server.

CiscoSecure UNIX Server sends these messages to the network access server in the native language of the users. CiscoSecure UNIX Server software does this by referencing all user messages with a message ID. These message IDs identify a particular message that should be sent to the network access server for display to the user. CiscoSecure UNIX Server software does not use the actual message stored in the message catalog, thus providing language independence. By configuring different message catalogs, the software can support multiple network access servers, each with different user communities based on language. A message catalog is associated with a particular network access server by configuration statements in the server control file. Each network access server can have a different message catalog assigned to it if necessary.

Messages in the message catalog are returned to the network access server in response to specific transactions between users and the servers.

Message Catalog Format

Each entry in the message catalog has the format message_number message_string, with the string enclosed in double quotes.

For example:

3 "Hello\040there"
2 "ok, what's your password\012"
 

The formatting and display of messages are determined by the network access server. By convention, however, the Return-Linefeed sequence in the message catalog is represented by a newline (\n) character. Special characters are entered in escaped octal notation: a backslash (\) followed by three octal digits giving the ASCII value of the character. For example, a Return is represented by the value \010 and a Linefeed by the value \012. Extended character sets may contain null values, which are acceptable because each message is stored with an associated length field and is not null terminated.
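An added example (not Cisco code) of a reader for the catalog format above, in Python: it expands the three-digit octal escapes into single bytes and keeps each message as a length-preserving byte string, so embedded nulls survive. The catalog text and its message IDs are constructed for the example and are not taken from the appendix the page refers to.

```python
import re

# Constructed catalog text (IDs and wording made up for this example). The
# doubled backslashes are Python escaping; the file itself contains \040 etc.
CATALOG_TEXT = '''3 "Hello\\040there"
2 "ok, what's your password\\012"
7 "null\\000inside"
'''

ESCAPE = re.compile(r'\\([0-7]{3})')        # backslash followed by three octal digits
LINE = re.compile(r'^\s*(\d+)\s+"(.*)"\s*$')  # message_number "message_string"

def unescape(s):
    """Expand \\ooo octal escapes into single bytes; literal text is UTF-8 encoded."""
    out, pos = bytearray(), 0
    for m in ESCAPE.finditer(s):
        out += s[pos:m.start()].encode('utf-8')
        code = int(m.group(1), 8)
        if code > 0xFF:
            raise ValueError(f'escape \\{m.group(1)} does not fit in one byte')
        out.append(code)
        pos = m.end()
    out += s[pos:].encode('utf-8')
    return bytes(out)

def parse_catalog(text):
    """Return {message_id: bytes}; each value carries its own length, so nulls are kept."""
    catalog = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: expected message_number "message_string"')
        msg_id = int(m.group(1))
        if msg_id in catalog:
            raise ValueError(f'line {lineno}: duplicate message id {msg_id}')
        catalog[msg_id] = unescape(m.group(2))
    return catalog
```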

See the section "Message Catalogs" in the appendix "CiscoSecure ACS File Formats and Syntax" for a full list of messages and their message IDs.


Posted: Sun Apr 2 16:22:51 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.