CiscoSecure ACS File Formats and Syntax

This appendix describes configuration parameters and syntax for the CiscoSecure Access Control Server (ACS) control file and the message catalogs. It includes the following sections: Server Control File and Message Catalogs.

Server Control File

The server control file (CSU.cfg) is the main file required to set up the CiscoSecure ACS software and is located in the $BASEDIR/config directory. It holds the global server parameters (license keys, logging, password aging and connection settings) and a configuration record for each network access server (NAS) to be serviced; the example file and Table B-1 below show what each record specifies. Because each NAS record carries the NAS/CiscoSecure shared secret in cleartext, read access to this file should be restricted to the account that runs the ACS daemon.

The syntax of the server control file resembles C: each statement or grouping ends with a semicolon, comments begin with the characters "/*" and end with the characters "*/", and a line can be continued on the next line by ending it with a backslash (\).

The following is an example CiscoSecure ACS (CSU.cfg) control file. Administrators can customize this example for their own configuration file using the variables listed in Table B-1.

/*
 * CiscoSecure Access Control Server Example Control File
 */
/* The license for this server. Multiple license keys may
 * be specified, each separated by a comma.
 */
LIST config_license_key = {"061db8afcf66db981f3c" };  /* NAS License Key goes here */
STRING config_update_log_filename = "/CiscoSecure/logfiles/passwd_chg.log";
NUMBER config_system_logging_level = 0x80;
NUMBER config_logging_configuration = 0x7e;
NUMBER config_warning_period = 20;
NUMBER config_expiry_period = 60;
NUMBER config_local_timezone = -8;            /* set this for your timezone */
NUMBER config_record_write_frequency = 5;     /* update frequency in seconds */
NUMBER config_max_failed_authentication = 10; /* number of authentication failures
                                                 accepted before the account is disabled */
/*
 * Per-NAS configuration records. The default encryption key is "arachnid"
 * for all NAS except 'boggle', which is using "heliotrope".
 */
NAS config_nas_config = {
  {
    "",                     /* NAS name can go here */
    "arachnid",             /* NAS/CiscoSecure secret key */
    "",                     /* message_catalogue_filename */
    1,                      /* Authentication: username retries */
    3,                      /* Authentication: password retries */
    1                       /* trusted NAS for SENDPASS */
  },
  {
    "boggle",    	   /* NAS name */
    "heliotrope",          /* NAS/CiscoSecure secret key */
    "",                    /* message_catalogue_filename */
    2,                     /* Authentication: username retries */
    2,                     /* Authentication: password retries */
    0                      /* not a trusted NAS for SENDPASS */
  }
};
AUTHEN config_external_authen_symbols = {
  { "./libskey.so",       "skey"   },
  { "./libsdi.so",        "sdi"    },
  { "./libenigma.so",     "enigma" },
  { "./libcryptocard.so", "crypto" },
  { "./libpap.so",        "pap"    },
  { "./libchap.so",       "chap"   },
  { "./libarap.so",       "arap"   }
};
AUTHOR config_external_author_symbols = {
  {
    "./libargs.so",
    "process_input_arguments",
    "process_input_arguments_ok",
    "process_input_arguments_fail",
    "process_output_arguments",
    "process_output_arguments_ok",
    "process_output_arguments_fail"
  }
};
ACCT config_external_acct_symbols = {
  {
    "./libargs.so",
    "accounting_fn"
  }
};
ADMIN config_external_admin_symbols = {
	"./libadmin.so"
};
DB config_external_database_symbols = {
  {
	"./libdb.so",
	"",
	""
  }
};
PARSER config_external_parser_symbols = {
	"./libt+.so"
};
EVENT config_external_event_symbols = {
  {
	"./libdb.so",
	"",
	""
  }
};

The variables shown in Table B-1 are valid in the CSU.cfg file.


Table B-1: Variables in Software Control Files

Each entry gives the variable's type, name, default value, description and an example statement.

config_license_key
  Type: List        Default: none
  A list of the license keys used to enable the product.
  Example:
    LIST config_license_key = {"061db8afcf66db981f3c", "7f4f9db4d7ce8ed85b69" };

config_update_log_filename
  Type: String      Default: none
  The name of the file that records the results of password changes and similar updates.
  Example:
    STRING config_update_log_filename = "./updates";

config_expiry_period
  Type: Number      Default: 30 (days)
  Number of days after which a (new) password changed via CHPASS expires.
  Example:
    NUMBER config_expiry_period = 30;

config_warning_period
  Type: Number      Default: 10 (days)
  Number of days before a password expires during which the user is warned that the password will expire soon.
  Example:
    NUMBER config_warning_period = 10;

config_get_names_from_dns
  Type: Number      Default: 1 (true)
  Whether the server performs IP address-to-hostname lookups.
  Example:
    NUMBER config_get_names_from_dns = 0;

config_limit_for_idle_connection
  Type: Number      Default: 300 (seconds)
  Maximum number of seconds to hold an idle NAS connection open.
  Example:
    NUMBER config_limit_for_idle_connection = 300;

config_nas_config
  Type: NAS         Default: none
  One record per NAS client, with these fields in order: NAS host name, secret encryption key, message catalog file name, username retries allowed, password retries allowed, default NAS configuration (1/0), trusted NAS for SENDPASS (1/0), and password expiration period in days. Records are separated by commas and the list is terminated by a semicolon. (The example control file earlier in this appendix supplies only the first six fields, with the SENDPASS flag last.)
  Example:
    NAS config_nas_config = {
      { "NAS_NAMEA", "SECRET12345", "./cat_1", 1, 3, 1, 1, 30 },
      { "NAS_NAMEB", "SECRET16789", "./cat_1", 1, 3, 0, 0, 30 }
    };

config_nodelay_for_tcp
  Type: Number      Default: 1 (on)
  Whether to set TCP_NODELAY on TCP (Transmission Control Protocol) sockets, which disables the Nagle algorithm. Should be left on for performance reasons.
  Example:
    NUMBER config_nodelay_for_tcp = 1;

config_priv_level_for_own_CHPASS
  Type: Number      Default: 1
  Privilege level at which a user can change his or her own password.
  Example:
    NUMBER config_priv_level_for_own_CHPASS = 1;

config_receive_buffer_size
  Type: Number      Default: 16384 (16 KB)
  Buffer size, in bytes, to allocate for the receive function of each TCP connection.
  Example:
    NUMBER config_receive_buffer_size = 8192;

config_send_buffer_size
  Type: Number      Default: 16384 (16 KB)
  Buffer size, in bytes, to allocate for the send function of each TCP connection.
  Example:
    NUMBER config_send_buffer_size = 8192;

config_system_logging_level
  Type: Number      Default: 0x80 (LOG_LOCAL0)
  Syslog facility under which to log.
  Example:
    NUMBER config_system_logging_level = 0x80;

config_system_priority_level
  Type: Number      Default: -4
  System (scheduling) priority to assign to the CiscoSecure ACS daemon.
  Example:
    NUMBER config_system_priority_level = -4;

config_use_keepalives
  Type: Number      Default: 1 (on)
  Whether SO_KEEPALIVE should be set on TCP sockets.
  Example:
    NUMBER config_use_keepalives = 1;

config_logging_configuration
  Type: Number      Default: 0x7E
  Bit mask that configures logging. The default (0x7E) turns on all the standard logging levels. Additional details and debugging information can be configured through options on the CiscoSecure ACS AAA General web page, described in "Managing General Settings on the ACS" in the chapter "ACS and NAS Management."
  Examples:
    NUMBER config_logging_configuration = 0x7E;
    NUMBER config_logging_configuration = 0xffffffff; /* allow RADIUS debug */
    NUMBER config_logging_configuration = 0xffffff7f; /* no RADIUS debug */
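As an added example, not code from the original appendix or from the CiscoSecure product, the following Python script parses the CSU.cfg syntax described above (C-style comments, backslash line continuation, and TYPE name = value; statements whose values are strings, numbers or nested brace lists) and then audits the parsed file for the points a reviewer would check: a catch-all NAS record with an empty name, short or empty shared secrets, NAS entries trusted for SENDPASS, a missing config_max_failed_authentication, and the RADIUS debug bit in config_logging_configuration. The sample configuration, the 16-character secret minimum and the reading of bit 0x80 as the RADIUS debug bit (inferred from the 0xffffffff and 0xffffff7f examples in Table B-1) are assumptions of this example. The parser accepts both the six-field NAS records of the example file and the eight-field records that Table B-1 describes, and tolerates the missing commas shown in the Table B-1 example.

```python
"""Parser and audit helper for the CSU.cfg syntax described above (added example)."""
import re

# Constructed sample in the same syntax as the example control file above.
# Secrets and license keys are placeholders, not real values.
SAMPLE_CFG = r'''
/* constructed example, not a real deployment */
LIST config_license_key = {"0000000000000000aaaa",\
                           "0000000000000000bbbb" };
NUMBER config_logging_configuration = 0xffffffff; /* RADIUS debug on */
NUMBER config_max_failed_authentication = 10;
NUMBER config_local_timezone = -8;
NAS config_nas_config = {
  { "",       "arachnid",   "",        1, 3, 1 },   /* catch-all entry */
  { "boggle", "heliotrope", "",        2, 2, 0 }
  { "nas3",   "",           "./cat_1", 1, 3, 0, 1, 30 }
};
'''

_TOKEN = re.compile(
    r'"((?:[^"\\]|\\.)*)"'          # quoted string
    r'|(-?0x[0-9a-fA-F]+|-?\d+)'    # hex or decimal number
    r'|([A-Za-z_][A-Za-z0-9_]*)'    # type keyword or variable name
    r'|([{}=;,])')                  # punctuation

def tokenize(text):
    """Yield (kind, value) tokens after removing comments and line continuations."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)   # C-style comments
    text = text.replace('\\\n', '')                      # backslash-newline continuation
    pos = 0
    for m in _TOKEN.finditer(text):
        if text[pos:m.start()].strip():
            raise ValueError(f"unexpected text {text[pos:m.start()].strip()!r}")
        pos = m.end()
        s, n, ident, punct = m.groups()
        if s is not None:
            yield ('str', s)
        elif n is not None:
            yield ('num', int(n, 16) if 'x' in n.lower() else int(n, 10))
        elif ident is not None:
            yield ('ident', ident)
        else:
            yield ('punct', punct)
    if text[pos:].strip():
        raise ValueError(f"unexpected trailing text {text[pos:].strip()!r}")

def _parse_value(tokens, i):
    """Parse one value (string, number or {...} list) at tokens[i]; return (value, next i)."""
    kind, val = tokens[i]
    if kind in ('str', 'num'):
        return val, i + 1
    if (kind, val) == ('punct', '{'):
        items, i = [], i + 1
        while tokens[i] != ('punct', '}'):
            item, i = _parse_value(tokens, i)
            items.append(item)
            if tokens[i] == ('punct', ','):   # commas are tolerated but not required
                i += 1
        return items, i + 1
    raise ValueError(f"unexpected token {val!r}")

def parse_csu_cfg(text):
    """Return {name: (TYPE, value)} for every 'TYPE name = value;' statement."""
    tokens, cfg, i = list(tokenize(text)), {}, 0
    try:
        while i < len(tokens):
            (tk, typ), (nk, name) = tokens[i], tokens[i + 1]
            if tk != 'ident' or nk != 'ident' or tokens[i + 2] != ('punct', '='):
                raise ValueError(f"malformed statement at token {i}")
            value, i = _parse_value(tokens, i + 3)
            if tokens[i] != ('punct', ';'):
                raise ValueError(f"missing ';' after {name}")
            cfg[name] = (typ, value)
            i += 1
    except IndexError:
        raise ValueError("unexpected end of file") from None
    return cfg

RADIUS_DEBUG_BIT = 0x80   # the bit that differs between the 0xffffffff / 0xffffff7f examples
MIN_SECRET_LEN = 16       # assumed local policy; the appendix sets no minimum

def audit(cfg):
    """Return a list of findings a reviewer would raise about a parsed control file."""
    findings = []
    for rec in cfg.get('config_nas_config', ('NAS', []))[1]:
        name, secret = rec[0], rec[1]
        label = name or '<catch-all>'
        if not name:
            findings.append(f"{label}: empty NAS name matches any client, so one secret is shared")
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"{label}: shared secret is only {len(secret)} characters")
        # The example file uses 6 fields with the SENDPASS flag last; Table B-1 lists 8
        # fields with the SENDPASS flag seventh. Accept both layouts.
        trusted = rec[5] if len(rec) == 6 else (rec[6] if len(rec) >= 7 else 0)
        if trusted:
            findings.append(f"{label}: trusted for SENDPASS; confirm this client needs it")
    if 'config_max_failed_authentication' not in cfg:
        findings.append("config_max_failed_authentication not set: no lockout threshold in this file")
    logging = cfg.get('config_logging_configuration', ('NUMBER', 0))[1]
    if logging & RADIUS_DEBUG_BIT:
        findings.append(f"RADIUS debug logging enabled (0x{logging:x})")
    return findings
```

Calling audit(parse_csu_cfg(SAMPLE_CFG)) on the constructed sample reports the catch-all record, the three short secrets, the two SENDPASS-trusted clients and the RADIUS debug bit; a file that omits config_max_failed_authentication gets a finding for that instead. Point the parser at a real CSU.cfg by reading the file into the text argument.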

Message Catalogs

Message catalogs allow system administrators to redefine the set of messages sent by the CiscoSecure ACS to the users connecting to a particular NAS. Message catalogs are editable text files containing message strings that can be customized to support particular groups of users on a per-NAS basis.

Using Message Catalogs to Support Multiple Languages

A system administrator can customize multiple message catalogs to set up specific TACACS+-enabled NASes to support users of specific language backgrounds logging in to the network.

For example, to set up a specific NAS to display Spanish-language messages and prompts to the users dialing in, a system administrator can edit and rename an existing message catalog, substituting Spanish message strings for the message strings already there. (A line in a message catalog consists of a CiscoSecure message ID and a message string. The message ID is not configurable; the message string can be whatever characters you specify.)

The system administrator can then associate that message catalog with the target NAS.

Multiple message catalogs can be set up to support multiple NASes, each NAS with a different user community based on language.

Assigning a Message Catalog to a TACACS+-Enabled NAS

Each TACACS+-enabled NAS served by a CiscoSecure ACS can have a different message catalog assigned to it if necessary.

You can assign TACACS+-enabled NASes a message catalog through the NAS Message Catalog file name field in the AAA NAS page on the CiscoSecure ACS administration web site (See "Managing Profiles for TACACS+-Enabled NASes" in the chapter "ACS and NAS Management.")


Note: You cannot assign specific message catalogs to NASes that are enabled for RADIUS only.

Message Catalog Format

The format of a line in the message catalog is:

msg_ID "msg_string"

where:

msg_ID is a predefined value permanently associated with a specific CiscoSecure message or prompt.

msg_string is a message string of whatever characters you specify.

For example (\040 is a space and \012 a linefeed):

3 "Hello\040there"
2 "ok, what's your password\012"

The formatting and display of messages are determined by the NAS. By convention, however, the carriage return-linefeed sequence in the message catalog is represented by a newline (\n) escape. Other special characters are entered in escaped octal notation: a backslash (\) followed by three octal digits giving the ASCII value of the character.

For example, a carriage return is represented by the value \015 and a linefeed by the value \012 (octal 015 and 012 are decimal 13 and 10). Extended character sets may contain null values (\000), which are acceptable because each message is stored with an associated length field and is not null terminated.
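As an added example, not code from the original appendix or from the CiscoSecure product, the following Python module reads catalog lines in the msg_ID "msg_string" format described above, decodes the \n and three-digit octal escapes into bytes (so that an embedded null value survives with the message's own length, as the text requires), rejects escapes the format does not define and octal values larger than one byte, fills the %d placeholder that messages 14 and 15 use, and writes a catalog back out in escaped form. The Spanish sample catalog is constructed for this example (it illustrates the per-language catalogs described earlier), and the set of valid IDs is taken from the default list on this page.

```python
"""Message-catalog reader/writer for the msg_ID "msg_string" format (added example)."""

# Constructed sample catalog (Spanish): \040 is a space, \012 a linefeed,
# \000 a null byte, and \361, \363, \355 are Latin-1 n-tilde, o-acute, i-acute.
SAMPLE_CATALOG = r'''
0 "\nVerificaci\363n de acceso\n"
1 "Usuario:\040"
2 "Contrase\361a:\012"
15 "Su contrase\361a caduca en %d d\355as"
3 "tag\000embedded"
'''

# Message IDs are fixed by the server; this is the set in the default list on this page
# (17 does not appear there).
DEFAULT_IDS = set(range(64)) - {17}

def unescape(s):
    """Decode a catalog string into bytes; only \\n and \\ooo (three octal digits) are defined."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != '\\':
            out += s[i].encode('latin-1')
            i += 1
            continue
        digits = s[i + 1:i + 4]
        if len(digits) == 3 and all(d in '01234567' for d in digits):
            value = int(digits, 8)
            if value > 0o377:
                raise ValueError(f"octal escape \\{digits} exceeds one byte")
            out.append(value)
            i += 4
        elif s[i + 1:i + 2] == 'n':
            out.append(0x0A)
            i += 2
        else:
            raise ValueError(f"undefined escape at offset {i}: {s[i:i + 2]!r}")
    return bytes(out)

def escape(msg):
    """Inverse of unescape: printable ASCII stays literal, everything else becomes \\ooo."""
    parts = []
    for b in msg:
        if b == 0x0A:
            parts.append('\\n')
        elif 0x20 <= b < 0x7F and b not in (0x22, 0x5C):   # not '"' or backslash
            parts.append(chr(b))
        else:
            parts.append('\\%03o' % b)
    return ''.join(parts)

def parse_catalog(text, known_ids=DEFAULT_IDS):
    """Return {msg_id: bytes}; each value carries its own length, so null bytes are fine."""
    catalog = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"line {lineno}: expected 'msg_ID \"msg_string\"'")
        msg_id, rest = int(parts[0]), parts[1]
        if len(rest) < 2 or rest[0] != '"' or rest[-1] != '"':
            raise ValueError(f"line {lineno}: message string must be double-quoted")
        if known_ids is not None and msg_id not in known_ids:
            raise ValueError(f"line {lineno}: unknown message ID {msg_id}")
        catalog[msg_id] = unescape(rest[1:-1])
    return catalog

def format_catalog(catalog):
    """Serialise a catalog back to file text, one 'msg_ID "msg_string"' per line."""
    return '\n'.join(f'{i} "{escape(m)}"' for i, m in sorted(catalog.items())) + '\n'

def render(catalog, msg_id, *args):
    """Fill the %d placeholder (messages 14 and 15 carry one) using bytes formatting."""
    msg = catalog[msg_id]
    return msg % args if args else msg
```

Because the decoded messages are bytes rather than str, the NAS-side character set is left to whoever displays them; decode with the charset the target NAS expects (latin-1 for the sample) only at display time.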

The following list identifies the default message IDs, message names, and message strings used by the CiscoSecure ACS software:

0 AUTHEN_CLIENT_LOGIN_PROMPT    "\nUser Access Verification\n"
1 AUTHEN_CLIENT_USERNAME_PROMPT       "Username: "
2 AUTHEN_CLIENT_PASSWORD_PROMPT       "Password: "
3 AUTHEN_CLIENT_SIGN_ON_MESSAGE       ""
4 AUTHEN_CLIENT_CHANGEPASS_INTRO  "Change password sequence"
5 AUTHEN_CLIENT_PASSWORDS_IDENTICAL  "Error - passwords the same"
6 AUTHEN_CLIENT_PASSWORD_EXPIRED  "Your password has expired"
7 AUTHEN_CLIENT_TOO_MANY_TRIES_FOR_USERNAME  "Too many tries for username"
8 AUTHEN_CLIENT_TOO_MANY_TRIES_FOR_PASSWORD  "Too many tries for password"
9 AUTHEN_CLIENT_NEW_PASSWORD1   "New password: "
10 AUTHEN_CLIENT_NEW_PASSWORD2   "New password again: "
11 AUTHEN_CLIENT_PASSWORDS_DIFFERENT  "The passwords are different"
12 AUTHEN_CLIENT_BAD_PASSWORD   "Bad password"
13 AUTHEN_CLIENT_CANT_CHANGE_PASSWORD  "You cannot change your password"
14 AUTHEN_CLIENT_ACCOUNT_EXPIRY_WARNING  "Your account will expire in %d days"
15 AUTHEN_CLIENT_PASSWORD_EXPIRY_WARNING   "Your password will expire in %d days"
16 AUTHEN_CLIENT_NEW_PASSWORD_CRITERIA "A password must be between six and thirteen characters, containing at least one alphabetic and numeric character."
18 AUTHEN_USER_NOT_FOUND        "Authentication - User not found"
19 AUTHEN_BAD_METHOD_FOR_USER   "Authentication - Bad method for user"
20 AUTHEN_BAD_TYPE              "Authentication - Bad type"
21 AUTHEN_NO_USERNAME           "Authentication - No username specified"
22 AUTHEN_INSUFFICIENT_PRIVILEGE  "Authentication - Insufficient privilege"
23 AUTHEN_UNEXPECTED_DATA       "Authentication - Unexpected data"
24 AUTHEN_UNEXPECTED_RESERVED_DATA  "Authentication - Unexpected reserved data"
25 AUTHEN_INCORRECT_PASSWORD    "Authentication - Incorrect password"
26 AUTHEN_ABORTED_SEQUENCE      "Authentication - Aborted sequence"
27 AUTHEN_FILEHANDLING_ERROR    "Authentication - File handling error"
28 AUTHEN_UNKNOWN_PASSWORD_TYPE "Authen - Unknown password type"
29 AUTHEN_USER_NOT_IN_FILE      "Authentication - User not in file"
30 AUTHEN_ERROR_IN_EXTERNAL_FN   "Authentication - Error in external function"
31 AUTHEN_BAD_SERVICE           "Authentication - Bad Service"
32 AUTHEN_BAD_ACTION            "Authentication - Bad Action"
33 AUTHEN_SENDPASS_OK           "Authentication - SENDPASS (ok)"
34 AUTHEN_SENDPASS_FAIL         "Authentication - SENDPASS (fail)"
35 PROTOCOL_USERNAME_TOO_LONG   "Protocol - Username too long"
36 PROTOCOL_NASNAME_TOO_LONG    "Protocol - NAS name too long"
37 PROTOCOL_NASPORT_TOO_LONG    "Protocol - NAS port name too long"
38 PROTOCOL_NACADDR_TOO_LONG    "Protocol - NAC address too long"
39 PROTOCOL_BAD_PRIVILEGE       "Protocol - Invalid privilege field"
40 PROTOCOL_ACTIVE_SESSION      "Protocol - Session id in use"
41 PROTOCOL_NO_SESSION          "Protocol - No session found"
42 PROTOCOL_INCORRECT_TYPE      "Protocol - Incorrect type"
43 PROTOCOL_INCORRECT_SESSION   "Protocol - Incorrect session"
44 PROTOCOL_INCORRECT_SEQUENCE  "Protocol - Incorrect sequence"
45 PROTOCOL_INCORRECT_VERSION   "Protocol - Incorrect version"
46 PROTOCOL_GARBLED             "Protocol - Garbled message"
47 PROTOCOL_READ_TIMEOUT        "Protocol - Read timeout"
48 PROTOCOL_CONNECTION_CLOSED   "Protocol - Connection closed"
49 PROTOCOL_BAD_TYPE            "Protocol - Bad type"
50 PROTOCOL_MAX_USERS_EXCEEDED  "Maximum number of users exceeded"
51 PROTOCOL_ENCRYPTION_MISMATCH "Mismatched encryption"
52 AUTHOR_NO_SERVICE            "Authorization - No service specified"
53 AUTHOR_FAILED_MANDATORY_ARG  "Authorization - Failed mandatory argument" 
54 AUTHOR_FAILED_COMMAND_LINE   "Authorization - Failed command line"
55 AUTHOR_FAILED_SERVICE        "Authorization - Failed service"
56 AUTHOR_FAILED_TIME           "Authorization - Failed time qualification"
57 AUTHOR_BAD_ARGUMENT          "Authorization - Bad argument"
58 AUTHOR_NO_COMMAND            "Authorization - No command specified"
59 AUTHOR_FAILED_CMD            "Authorization - Failed command"
60 AUTHOR_NO_PROTOCOL           "Authorization - No protocol"
61 AUTHOR_UNKNOWN_USER          "Authorization - Unknown user"
62 AUTHOR_INVALID_NAS_OR_PORT     "Authorization - Unauthorized NAS or PORT" 
63 AUTHOR_COMMAND_AUTHORIZED    "Authorization - Command authorized"


Copyright 1989-1998 © Cisco Systems Inc.