This appendix provides instructions on how to transfer your existing database to the runtime database included in your CiscoSecure Access Control Server (ACS) 2.1 package, and includes the following sections:
Cisco provides two sorts of conversion utilities:
Each utility requires the name and the path of the original AA database file, and the name of the log file for error messages. Make sure you have this information before you try to run the utility.
By default, the upgrade utility for TACACS+ commits all data from your CiscoSecure ACS 1.x database to the CiscoSecure ACS 2.1 database. The default path of the AA file is /bin/CiscoSecure/samples. The default name of the AA file is aa.database. The default name of the log file is upgrade.log.
To upgrade from the TACACS+-only database of CiscoSecure ACS 1.x to the CiscoSecure ACS 2.1 database, which supports both TACACS+ and RADIUS, follow these steps:
Step 1 Confirm that the AA database file and the upgrade utility reside in the same file system as the database server.
Step 2 To transfer your CiscoSecure 1.x database to the SQLAnywhere database bundled with CiscoSecure ACS 2.1, use the CSimport command:

CSimport {-c | -t} -p path -s aa_filename -l log_filename
where:

| Option | Description |
|---|---|
| -c | Commit mode. Sends the content of the old database to the new ODBC-compliant SQLAnywhere database. |
| -t | Test mode. Verifies that the old database contains the correct format of each user profile and that no duplicate users exist. |
| -p path | Path of the old AA database. The default is /bin/CiscoSecure/samples. |
| -s aa_filename | Name of the AA database file. The default is aa.database. |
| -l log_filename | Name of the log file. The default is upgrade.log. |
For example:
CSimport -c -p /bin/CiscoSecure/samples -s aa.database -l debug.log
moves the 1.x database from /bin/CiscoSecure/samples/aa.database to the CiscoSecure ACS 2.1 database.
This section provides instructions on how to convert/import an existing RADIUS ACS database into the combined TACACS+ and RADIUS database of CiscoSecure ACS 2.1.
The following are examples of files (users, dictionary, and clients) that the import utility recognizes. If you are already familiar with this material.
Users file:

```
steve Password = "testing", Expiration = "Dec 24 1992"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-Address = 172.16.3.33
```

Dictionary file:

```
#
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE User-Service-Type 6 integer
#
# Integer Translations
#
# User Types
VALUE User-Service-Type Login-User 1
VALUE User-Service-Type Framed-User 2
VALUE User-Service-Type Dialback-Login-User 3
VALUE User-Service-Type Dialback-Framed-User 4
VALUE User-Service-Type Outbound-User 5
VALUE User-Service-Type Shell-User 6
```
Clients file:

```
#
#Client Name Key
CiscoRouter testing123
123.45.67.89 secret
```
To convert/import an existing RADIUS ACS database:
Step 1 Identify the location of the users, clients, and (optionally) dictionary files. If these files are not in the default directory, /etc/raddb, you must specify their location explicitly.
Step 2 Identify the dictionary name. Each dictionary name must be unique within the database. If you specify a dictionary name that already exists in the database, the imported users are added under that dictionary, which is a convenient way to add users to the database.
Step 3 Identify the RADIUS-vendor value to register with this dictionary. This value identifies a set of extensions typically found in a vendor's RADIUS server implementation. Choices are Cisco, IETF, and Ascend.
Step 4 When you first run the import utility, specify test mode as follows:

CSmigrate -t -p path -l log_filename -v radius_vendor -d dictionary_name -g group_name {-u | -r | -mu | -mr}
where:

| Option | Description |
|---|---|
| -c | Commit mode. Sends the content of the old database to the new ODBC-compliant SQLAnywhere database. |
| -t | Test mode. Verifies that the old database contains the correct format of each user profile and that no duplicate users exist. |
| -p path | Path of the source files. The default directory is /etc/raddb; for example: -p /usr/local/bin |
| -l log_filename | Name of the log file, written to the source path. The default name is import.log. For example: -l migrate.log |
| -v radius_vendor | Name of the RADIUS vendor. Valid options are Ascend, IETF, and Cisco. The default vendor name is IETF. For example: -v Cisco |
| -d dictionary_name | Name of the RADIUS dictionary. The database contains three dictionaries: IETF, Ascend, and Cisco. The default dictionary name is IETF. For example: -d Cisco100 |
| -g group_name | Name of the group to which the imported users belong. For example: -g staff. The import tool creates the specified group if it does not already exist in the CiscoSecure ACS 2.1 database. If you do not enter -g, the imported user records do not belong to any group. |
| -u | Unchange: if a duplicate user profile exists, the new profile is not imported. |
| -r | Replace: if a duplicate user profile exists, the old profile is replaced with the new one. |
| -mu | Merge and unchange: if a duplicate user profile exists, the new profile is appended to the end of the existing profile, as long as the existing profile does not already contain a RADIUS profile with the same dictionary name. |
| -mr | Merge and replace: if a duplicate user profile exists, the new profile is appended to the end of the existing profile; if the existing profile contains a RADIUS profile with the same dictionary name as the new profile, the existing RADIUS profile is replaced with the new one. |
In test mode, all of the validation is performed but no data is written to the database. Review the results in the log file; you can use vi or any text editor to view it.
Step 5 When you are satisfied with the results of the test mode, rerun the import utility, this time specifying commit mode:

CSmigrate -c -p path -l log_filename -v radius_vendor -d dictionary_name -g group_name {-u | -r | -mu | -mr}
For example:
CSmigrate -c -p /etc/raddb -l import.log -v Cisco -d Cisco100 -g staff -mr
moves the database from an existing RADIUS access control server to the CiscoSecure ACS 2.1 database.