
CiscoSecure  ACS Command-Line Database Utility

This appendix contains details on the CiscoSecure ACS command-line utility, CSUtil.exe. You can use CSUtil to import username, password, and group information all at once from a standard text file, and to back up and maintain your database.


Note You can also perform these and similar tasks through the CiscoSecure  ACS hypertext markup language (HTML) interface using the ACS System Backup, ACS System Restore, Database Replication, and RDBMS Synchronization features. For more information on these features, see "Database Information Management."

Database Import Utility

This section describes how to import a text file into the CiscoSecure user database to add new users to the database or modify users' authentication information. When you install CiscoSecure  ACS in the default location, CSUtil is located in the following directory:

C:\Program Files\CiscoSecure ACS v2.3\Utils

Creating the Text File

You can run the CSUtil utility either online or offline. If you run CSUtil online, database updates are performed while the CiscoSecure  ACS continues to run. This slows down the performance of CSUtil.

If you run CSUtil offline, database updates are written directly to the CiscoSecure user database, but CSAuth is stopped. The import is much faster, but services are down as long as CSAuth is stopped.

Enter the following information on a single line with fields separated by colons:

The following examples show the syntax for the import text file:

ADD:user01:CSDB:userpassword:PROFILE:1
ADD:user02:NT::PROFILE:2
ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3

Note These entries are case-sensitive. The colons are mandatory delimiters.

The following is an example import text file:

OFFLINE
ADD:user01:CSDB:userpassword:PROFILE:1
ADD:user02:NT::PROFILE:2
ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3
ADD:mary:EXT_NT:CHAP:achappassword
ADD:joe:EXT_SDI:
ADD:vanessa:CSDB:vanessaspassword
ADD:juan:CSDB_UNIX:unixpassword

Importing User Information from a Text File

The following is a list of arguments used with CSUtil. CiscoSecure  ACS executes arguments in order from left to right.

CSUtil [-q] [-c] [-d] [-g] [-i filename] [-l filename] [-e errornumber] [-b filename] [-r filename] [-f] [-n] [-s] [-y] [-x]

After you finish creating the import text file, follow these steps:

Step 1 Merge the import text file with the current CiscoSecure user database:

csutil -i filename.txt

Step 2 Overwrite the current CiscoSecure user database with the import text file:

csutil -n -i filename.txt

Step 3 Store group configurations in the groups.txt file and remove all users, then reload the group configurations and add user information from the import.txt file:

csutil -g -n -l groups.txt -i import.txt

Caution
All user information is destroyed. Group information still exists in the groups.txt file and can be used with the import.txt file to add new users with existing group information. There is no warning when information is overwritten.
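Because an import with -n overwrites the user database without warning, it is worth checking the import file before running it. The following Python lint is an added example, not part of CSUtil or of Cisco's documentation; its grammar is an assumption inferred only from the sample lines on this page, and lint_import, DB_TYPES, KEYWORDS and SAMPLE are hypothetical names.

```python
# Added example (not Cisco code): pre-flight lint for a CSUtil import file.
# Assumption: the grammar is inferred only from the sample lines on this page.
DB_TYPES = {"CSDB", "NT", "EXT_NT", "EXT_SDI", "CSDB_UNIX"}  # types in the samples
KEYWORDS = {"CHAP", "PROFILE"}  # optional KEY:value pairs seen in the samples

SAMPLE = """OFFLINE
ADD:user01:CSDB:userpassword:PROFILE:1
ADD:user02:NT::PROFILE:2
ADD:mary:EXT_NT:CHAP:achappassword
ADD:joe:EXT_SDI:
add:bob:CSDB:lowercase-keyword
ADD:user01:CSDB:second-definition
ADD:eve:CSDB:pass:word
"""  # first five lines are from the page; the last three are constructed errors

def lint_import(text):
    """Return (entries, errors); errors holds (line_number, message) tuples."""
    entries, errors, seen, first = [], [], set(), True
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if first and line == "OFFLINE":  # mode line, as in the page's sample file
            first = False
            continue
        first = False
        fields = line.split(":")  # entries are case-sensitive, colons mandatory
        if fields[0] != "ADD" or len(fields) < 3 or not fields[1]:
            errors.append((n, "expected ADD:username:database[:...]"))
            continue
        user, db, rest = fields[1], fields[2], fields[3:]
        entry = {"user": user, "db": db, "password": None}
        if rest and rest[0] not in KEYWORDS:
            entry["password"] = rest.pop(0)  # may be empty, as in NT::PROFILE:2
        pairs = dict(zip(rest[0::2], rest[1::2]))
        if db not in DB_TYPES:
            errors.append((n, f"unknown database type {db!r}"))
        elif user in seen:
            errors.append((n, f"duplicate user {user!r}"))
        elif len(rest) % 2 or any(k not in KEYWORDS for k in rest[0::2]):
            errors.append((n, "stray field; a ':' inside a value splits it"))
        elif not pairs.get("PROFILE", "0").isdigit():
            errors.append((n, "PROFILE value is not a number"))
        else:
            seen.add(user)
            entry.update(pairs)
            entries.append(entry)
    return entries, errors

if __name__ == "__main__":
    for n, msg in lint_import(SAMPLE)[1]:
        print(f"line {n}: {msg}")
```

The import file holds passwords in clear text, so run the check on the ACS host itself and keep the file readable only by administrators.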

Database Backup and Restore Utility

To facilitate backup and restoration of the CiscoSecure  ACS's configuration data and database, the CSUtil.exe utility is provided in the CiscoSecure  ACS UTILS directory.

CSUtils Backup

To perform a backup of the CiscoSecure  ACS user and group data, execute the following instructions from the Windows  NT command prompt (DOS window):

Net stop csauth - Stop the CSAuth authentication service to allow backup to take place.

Csutil -d users_and_groups.txt - Back up the users and groups data to a text file called users_and_groups.txt. To back up only the group data, use the command with a -g instead of a -d command switch.

Net start csauth - Restart the CSAuth authentication service.

The users_and_groups.txt file can then be backed up to tape and stored somewhere safe.

To use CSUtil -b to create a backup file, enter:

csutil -b directoryname
 

This creates the following files in Utils\SysBackups\directory_name\:


Note Cisco strongly recommends that you perform regular system backups as part of a comprehensive disaster recovery regime.

CSUtils Restore

To restore from the backup file, execute the following instructions:

Net stop csauth
CSUtil -l users_and_groups.txt
Net start csauth
 

Cisco strongly recommends that the above procedure be carried out as a part of a general backup regime that includes backups of the Windows  NT Registry using the tools supplied with Windows  NT for this purpose. This will allow you to recover your system rapidly if a serious system failure occurs.

Database Maintenance

Unexpected database file size growth can cause problems with the database. To avoid these problems, CiscoSecure  ACS allows you to institute a database maintenance schedule that periodically compacts the database. For your convenience, a Windows  NT batch command file, DB_compact.cmd, is included in the CiscoSecure  ACS Utils directory.

The VarsDB.MDB file used by CiscoSecure ACS is based on Microsoft ODBC technology. Like most RDBMSes, ODBC uses a deletion scheme that does not actually remove records from the database when they are deleted; records are simply marked as deleted and do not show up in queries. To actually purge the database of the deleted records, a separate process called compaction must be run. In small databases with low transaction rates, it is not particularly important to regularly compact the database because the database will stay a relatively consistent size. In a large database environment with large numbers of deletions, the database file can grow significantly over time. If compaction is not carried out, this can have serious effects on the overall operation of the system.

To avoid unexpected and problematic database file size growth, institute a database maintenance regime that periodically compacts the database. For your convenience, a Windows  NT batch command file, DB_compact.cmd, is included in the CiscoSecure  ACS Utils directory. DB_compact.cmd executes the following commands:

Because the authentication service is stopped while these commands execute, authentication service is interrupted.


Note Back up the CiscoSecure  ACS database before you run DB_compact.cmd.

Although DB_compact.cmd should not negatively affect CiscoSecure  ACS operation, there is always the possibility of unexpected results with compaction operations. Therefore, it is best to back up the database before database compaction. Then, if something does go wrong when DB_compact.cmd runs, a current backup will be available and service can be restored quickly. See the "Database Backup and Restore Utility" section for information on how to back up the CiscoSecure  ACS database using the command-line utility.


Posted: Mon Feb 1 13:44:06 PST 1999
Copyright 1989-1999©Cisco Systems Inc.