This chapter provides instructions on how to transfer your existing database to the runtime database included in your CiscoSecure Access Control Server (ACS) 2.3 package. It includes the following sections:
Cisco provides two conversion utilities:
Each utility requires the name and path of the original AA database file in addition to the name of the log file for error messages. Make sure you have this information before you try to run the utility.
By default, the upgrade utility for the Terminal Access Controller Access Control System (TACACS+) commits all data from your CiscoSecure ACS 1.x database to the CiscoSecure ACS 2.3 database. The default path of the AA file is /bin/CiscoSecure/samples. The default name of the AA file is aa.database. The default name of the log file is upgrade.log.
Complete the following steps to upgrade from the TACACS+ supported database of CiscoSecure ACS 1.x to the database of CiscoSecure ACS 2.3, which supports both the TACACS+ and Remote Authentication Dial-In User Service (RADIUS) protocols:
Step 1 Confirm that the AA database file and the upgrade utility reside in the same file system as the database server.
Step 2 To transfer your CiscoSecure 1.x database to CiscoSecure ACS 2.3, use the CSimport command:
CSimport {-c|-t} -p path -s aa_filename -l log_filename
where:
-c | Commit mode. Sends the content of the old database to the CiscoSecure ACS 2.3 database. |
-t | Test mode. Verifies that the old database contains the correct format of each user profile and that no duplicate users exist. |
-p path | Path of the old AA database where the default is /bin/CiscoSecure/samples. |
-s aa filename | Name of the AA database where the default is aa.database. |
-l log filename | Name of the log file where the default is upgrade.log. |
For example:
CSimport -c -p /bin/CiscoSecure/samples -s aa.database -l debug.log
moves the 1.x database from /bin/CiscoSecure/samples/aa.database to the CiscoSecure ACS 2.3 database.
This section provides instructions on how to convert/import an existing RADIUS ACS database to the TACACS+ and RADIUS database of the CiscoSecure ACS 2.3.
The following are examples of files (users, dictionary, and clients) that the import utility recognizes:
steve Password = "testing", Expiration = "Dec 24 1992"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-Address = 172.16.3.33
#
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE User-Service-Type 6 integer
# Integer Translations
#
# User Types
VALUE User-Service-Type Login-User 1
VALUE User-Service-Type Framed-User 2
VALUE User-Service-Type Dialback-Login-User 3
VALUE User-Service-Type Dialback-Framed-User 4
VALUE User-Service-Type Outbound-User 5
VALUE User-Service-Type Shell-User 6
#
#Client Name Key
CiscoRouter testing123
123.45.67.89 secret
To convert/import an existing RADIUS ACS database:
Step 1 Identify the location of the users, clients, and (optionally) dictionary files. If the location of these files is not the default, /etc/raddb, you will need to explicitly define it.
Step 2 Identify the dictionary name. It must be unique within the database. The dictionary name might also already exist in the database, creating a convenient way to add users to the database.
Step 3 Identify the RADIUS-vendor value to register with this dictionary. Choices are Cisco, IETF, and Ascend. This value identifies a set of extensions typically found in a vendor's RADIUS server implementation.
Step 4 When you first run the import utility, specify test mode as follows:
-t -p path -l log filename -v radius_vendor -d dictionary_name -g group_name {-u|r|mu|mr} where:
-t | Test mode. Verifies that the old database contains the correct format of each user profile and that no duplicate users exist. |
-p path | Path of the source files. The default directory is /etc/raddb. For example: -p /usr/local/bin |
-l log filename | Name of the log file found in the source path. The default name is import.log. For example: -l migrate.log |
-v radius_vendor | Name of the RADIUS vendor. Valid options are Ascend, IETF, and Cisco. The default vendor name is IETF. For example: -v Cisco |
-d dictionary_name | Name of the RADIUS dictionary. The database contains three dictionaries: IETF, Ascend, and Cisco. The default dictionary name is IETF. For example: -d Cisco100 |
-g group_name | Name of the group to which the imported users belong. The import tool creates the specified group if it does not already exist in the CiscoSecure ACS 2.3 database. If you do not enter -g, the imported user records will not belong to any group. For example: -g staff |
-u | Unchange, meaning if a duplicate user's profile exists, a new profile will not be imported. |
-r | Replace, meaning if a duplicate user's profile exists, the old profile will be replaced with the new one. |
-mu | Merge and unchange, meaning that if a duplicate user's profile exists, the new profile will be appended to the end of the existing profile, as long as the existing profile does not already contain a RADIUS profile with the same dictionary name. |
-mr | Merge and replace, meaning that if a duplicate user's profile exists, append the new profile to the bottom of the existing profile; and if the existing profile contains a RADIUS profile with the same dictionary name as the new profile, replace the existing RADIUS profile with the new RADIUS profile. |
In test mode, all the validation is performed but the data is not yet written to the database. Review the results found in the log file. You can use vi or any text editor to view the log file.
Step 5 When you are satisfied with the results of the test mode, rerun the import utility, this time specifying commit mode:
-c -p path -l log filename -v radius_vendor -d dictionary_name -g group_name {-u|r|mu|mr} where:
-c specifies commit mode. Sends the content of the old database to the new CiscoSecure ACS 2.3 database.
For example:
CSmigrate -c -p /etc/raddb -l import.log -v Cisco -d Cisco100 -g staff -mr
imports the database from an existing RADIUS access control server to the CiscoSecure ACS 2.3 database.
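As an added illustration (not part of the Cisco documentation or its utilities), the following Python code parses the users and dictionary file formats shown earlier and performs checks of the kind test mode (-t) reports, duplicate users and malformed attributes, so that problems are visible before CSmigrate commits anything. The sample users and the dictionary entries beyond the page's fragment are constructed for the demo.

```python
import re
# Constructed samples modelled on the users and dictionary files shown above; the
# extra attribute definitions and users are assumed for the demo, not taken from any site.
USERS = '''steve Password = "testing", Expiration = "Dec 24 1992"
\tUser-Service-Type = Framed-User
msmart DESPASSWORD = "agent86"
\tFramed-Protocol = PPP,
\tLogin-Host = 172.16.3.1
steve Password = "dup"
\tUser-Service-Type = Shell-User
'''
DICTIONARY = '''ATTRIBUTE User-Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
VALUE User-Service-Type Framed-User 2
VALUE Framed-Protocol PPP 1
'''
PAIR = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')  # Key = "quoted" or bare token

def parse_users(text):
    """Non-indented line: user name + check items; indented lines: reply attributes."""
    users = []
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace():
            users[-1]["reply"].update({k: q or b for k, q, b in PAIR.findall(line)})
        else:
            name, _, rest = line.partition(" ")
            users.append({"name": name, "reply": {},
                          "check": {k: q or b for k, q, b in PAIR.findall(rest)}})
    return users

def parse_dictionary(text):
    """ATTRIBUTE <name> <number> <type> and VALUE <attr> <name> <number> lines."""
    attrs, values = {}, {}
    for f in (ln.split() for ln in text.splitlines()):
        if f[:1] == ["ATTRIBUTE"]:
            attrs[f[1]] = f[3]
        elif f[:1] == ["VALUE"]:
            values.setdefault(f[1], set()).add(f[2])
    return attrs, values

def validate(users, attrs, values):
    """Checks of the kind -t test mode reports: duplicate users and malformed attributes."""
    names = [u["name"] for u in users]
    problems = [f"duplicate user {n}" for n in dict.fromkeys(n for n in names if names.count(n) > 1)]
    for u in users:
        for k, v in u["reply"].items():
            if k not in attrs:
                problems.append(f"{u['name']}: unknown attribute {k}")
            elif attrs[k] == "integer" and not v.isdigit() and v not in values.get(k, ()):
                problems.append(f"{u['name']}: bad value {v} for {k}")
    return problems
```

Run it against the real /etc/raddb files by reading them into USERS and DICTIONARY; an empty problem list is the point at which rerunning in commit mode (-c) is reasonable.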
The migration tool has been enhanced to import DES encrypted passwords. When the migration tool encounters this password type in the RADIUS user's file, it DES encrypts the password and sets the password type for that user to DES. For example:
msmart DESPASSWORD = "agent86" Framed-Protocol = PPP, ...
gets converted to and is represented within the CiscoSecure ACS 2.3 database as follows:
user = msmart {
password = DES "*&^@#*!&%" # encrypted "agent86"
radius = IETF {
reply_attributes {
Framed-Protocol = PPP
}
}
}
It is possible that a user's profile contains many password types. The RADIUS server applies the following rules when it comes to passwords:
1. If the RADIUS subprofile contains a password (the part of the user's profile that starts with radius = ), the AAA server uses that password.
2. If the RADIUS subprofile does not contain a password, it applies the user-level password according to the following table:
NAS Sends Attribute | AAA Server Utilizes User's Profile Password |
User-Password(2) | OTP, file, PAP |
CHAP-Password(3) | CHAP |
ARAP | Ascend-ARA-Password (181) |
There is no way to force the AAA server to apply the DES-assigned password established by the migration/import utility. As a result, the AAA server has been augmented with a command-line argument, -D, that forces the server to apply the DES password to authenticate users. When the -D option is applied, the RADIUS/AAA server authenticates users according to the following table (again, assuming no password in a RADIUS subprofile).
NAS Sends Attribute | AAA Server Utilizes User's Profile Password |
User-Password(2) | DES |
CHAP-Password(3) | CHAP |
ARAP | Ascend-ARA-Password (181) |
The conversion utility, cnv, allows you to import a public domain TACACS+ freeware database into a CiscoSecure ACS 2.x for UNIX database. With cnv, the user can create an intermediate file (import file) that can then be imported into the CiscoSecure 2.x RDBMS using CSImport.
However, before the import file can be used, it must be broken into two files. The first section of the import file contains the AAA server control file; the second part contains all the user profiles to import. The import file contains a separator bar, which separates these two sections. Command-line syntax for cnv is as follows:
cnv <old_Config >new_Config
where
old_Config is the TACACS+ freeware configuration file.
new_Config is the new configuration file that contains the user profiles and AAA server configuration information.
To create an import file from a TACACS+ freeware configuration file named "myoldconfigfile," the system administrator would follow these steps:
Step 1 Enter:
cnv <myoldconfigfile >mynewimportfile
Step 2 Break mynewimportfile into AAA.cnf and newuser.dat. AAA.cnf contains the AAA server configuration information, and newuser.dat contains the user profiles to add to the RDBMS.
Step 3 Run CSimport to import the user profiles:
CSimport -c -p /dir -s newuser.dat
Step 4 Update CSU.cfg with the appropriate AAA server information contained in AAA.cnf.
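As an added illustration (not part of the Cisco documentation or of cnv/CSimport), the following Python code performs Step 2 above, splitting the cnv import file at the separator bar into the AAA.cnf and newuser.dat contents, and then sanity-checks the user-profile half before CSimport: brace balance, duplicate profile names, and the password type of each user in the ACS 2.3 profile syntax shown in the DES password section. The exact separator line cnv writes and the "clear" password keyword are assumptions; the import file is constructed.

```python
import re
# Constructed import file in the shape the text describes: AAA server control section,
# separator bar, then user profiles in the ACS 2.3 syntax shown above. The separator
# form and the "clear" password keyword are assumptions for this demo.
IMPORT_FILE = '''# AAA server configuration (constructed placeholder line)
server_setting_one
----------------------------------------
user = msmart {
\tpassword = DES "*&^@#*!&%" # encrypted "agent86"
\tradius = IETF {
\t\treply_attributes {
\t\t\tFramed-Protocol = PPP
\t\t}
\t}
}
user = steve {
\tpassword = clear "testing"
}
user = steve {
\tpassword = clear "again"
}
'''
SEPARATOR = re.compile(r'^-{5,}\s*$')
USER_HEAD = re.compile(r'^\s*user\s*=\s*(\S+)\s*\{')
PASSWORD = re.compile(r'^\s*password\s*=\s*(\w+)')

def split_import_file(text):
    """Step 2: split at the separator bar into (AAA.cnf text, newuser.dat text)."""
    lines = text.splitlines(keepends=True)
    for i, ln in enumerate(lines):
        if SEPARATOR.match(ln):
            return "".join(lines[:i]), "".join(lines[i + 1:])
    raise ValueError("no separator bar found in import file")

def check_profiles(newuser_dat):
    """Pre-CSimport checks: brace balance, duplicate user names, password type per user."""
    depth, current, users, problems = 0, None, {}, []
    for ln in newuser_dat.splitlines():
        bare = re.sub(r'"[^"]*"', '', ln).split("#")[0]  # drop quoted values and comments
        if depth == 0 and (m := USER_HEAD.match(bare)):
            current = m.group(1)
            if current in users:
                problems.append(f"duplicate profile {current}")
            users[current] = None
        elif depth == 1 and current and (m := PASSWORD.match(bare)):
            users[current] = m.group(1)  # DES for entries the migration tool encrypted
        depth += bare.count("{") - bare.count("}")
    if depth != 0:
        problems.append(f"unbalanced braces: final depth {depth}")
    return users, problems
```

Write the two returned strings to AAA.cnf and newuser.dat only when check_profiles reports no problems; a duplicate profile here will otherwise be resolved by CSimport's duplicate handling rather than by you.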