
CiscoSecure ACS File Formats and Syntax

This appendix describes the configuration parameters and syntax for the CiscoSecure Access Control Server (ACS) control file and the message catalogs. It includes the following sections:

Server Control File

The server control file (CSU.cfg) is the main file required for setting up the CiscoSecure ACS software and is located in the /$BASEDIR/config directory. This file includes basic configuration parameters for each network access server (NAS) that is to be serviced, and specifies the following information:

The syntax of the server control file is similar to C syntax. Each statement or grouping is terminated by a semicolon. Comments begin with the characters "/*" and end with the characters "*/". A line may be continued on the next line by ending it with a backslash (\).

The following is an example CiscoSecure ACS control file. Administrators can customize this example for their own configuration file.

/*
 * CiscoSecure ACS Example Control File
 */
/* The license for this server. Multiple license keys may
 * be specified, each separated by a comma.
 */
LIST config_license_key = { "061db8afcf66db981f3c" };
STRING config_update_log_filename = "/$BASEDIR/logfiles/passwd_chg.log";
/* Syslog facility under which to log: 0x80 is LOG_LOCAL0 */
NUMBER config_system_logging_level = 0x80;
/* Default logging configuration - basic information is logged */
NUMBER config_logging_configuration = 0x7e;
/*
 * Per-NAS configuration records. The first record is the default and
 * applies to every NAS not listed explicitly; it uses the secret key
 * "SECRET12345". The NAS 'boggle' has its own record and uses "heliotrope".
 */
NAS config_nas_config = {
  {
    "NAS_NAME",		/* NAS name */
    "SECRET12345",		/* secret key */
    "cat_1",		/* message_catalogue_filename */
    1,		/* Authentication: username retries */
    3,		/* Authentication: password retries */
    1,		/* is the default NAS configuration */
    1,		/* trusted NAS for SENDPASS */
    30		/* Password expiry period in days */
  },
  {
    "boggle",		/* NAS name */
    "heliotrope",		/* secret key */
    "",		/* message_catalogue_filename */
    2,		/* Authentication: username retries */
    2,		/* Authentication: password retries */
    0,		/* is not the default NAS configuration */
    0,		/* not a trusted NAS for SENDPASS */
    10		/* Password expiry period in days */
  }
};

The variables shown in Table B-1 are valid in CiscoSecure ACS software control files.


Table B-1: Variables in Software Control Files

Each entry gives the variable's type and name, its default value, a description, and an example statement.

LIST config_license_key
  Default: none
  Description: A list of the license keys used to enable the product.
  Example: LIST config_license_key = {"061db8afcf66db981f3c",\
                                      "7f4f9db4d7ce8ed85b69" };

STRING config_update_log_filename
  Default: none
  Description: The name of the file that records the results of password changes and similar updates.
  Example: STRING config_update_log_filename = "./updates";

NUMBER config_expiry_period
  Default: 30 (days)
  Description: Number of days before a (new) password changed via CHPASS expires.
  Example: NUMBER config_expiry_period = 30;

NUMBER config_warning_period
  Default: 10 (days)
  Description: The period, in days, before a password expires during which the user is warned that the password will expire soon.
  Example: NUMBER config_warning_period = 10;

NUMBER config_get_names_from_dns
  Default: 1 (true)
  Description: Whether the server performs IP address-to-hostname lookups.
  Example: NUMBER config_get_names_from_dns = 0;

NUMBER config_limit_for_idle_connection
  Default: 300 (seconds)
  Description: Maximum time, in seconds, to hold an idle NAS connection open.
  Example: NUMBER config_limit_for_idle_connection = 300;

NUMBER config_nodelay_for_tcp
  Default: 1 (on)
  Description: Whether to set TCP_NODELAY on TCP sockets, which turns off the Nagle algorithm. Should be left on for performance reasons.
  Example: NUMBER config_nodelay_for_tcp = 1;

NUMBER config_priv_level_for_own_CHPASS
  Default: 1
  Description: Privilege level at which a user can change his or her own password.
  Example: NUMBER config_priv_level_for_own_CHPASS = 1;

NUMBER config_receive_buffer_size
  Default: 16384 (16 KB)
  Description: Receive buffer size to allocate for each TCP connection.
  Example: NUMBER config_receive_buffer_size = 8192;

NUMBER config_send_buffer_size
  Default: 16384 (16 KB)
  Description: Send buffer size to allocate for each TCP connection.
  Example: NUMBER config_send_buffer_size = 8192;

NUMBER config_system_logging_level
  Default: 0x80 (LOG_LOCAL0)
  Description: Syslog facility under which to log.
  Example: NUMBER config_system_logging_level = 0x80;

NUMBER config_system_priority_level
  Default: -4
  Description: System priority to assign to the CiscoSecure ACS daemon.
  Example: NUMBER config_system_priority_level = -4;

NUMBER config_use_keepalives
  Default: 1 (on)
  Description: Whether SO_KEEPALIVE is set on TCP sockets.
  Example: NUMBER config_use_keepalives = 1;

NUMBER config_logging_configuration
  Default: 0x7E
  Description: Configures logging parameters. The default (0x7E) turns on all the standard logging levels. Additional detail and protocol debugging information can be obtained by the logical OR of the values listed in Tables B-2 through B-6.
  Examples:
    NUMBER config_logging_configuration = 0x7E;
    NUMBER config_logging_configuration = 0xffffffff; /* allow RADIUS debug */
    NUMBER config_logging_configuration = 0xffffff7f; /* no RADIUS debug */

NAS config_nas_config
  Default: none
  Description: A list of NAS configuration records. Each record must contain the values in the order specified in the section "Order of Values in the NAS Configuration Records."

The CiscoSecure ACS uses the logging levels DEBUG, INFO, NOTICE, WARNING, ERROR, and ALERT. These levels relate to the operation of the CiscoSecure ACS software itself, not to its interaction with users; however, much of the output that helps you resolve user-interaction problems is found at the DEBUG level.

To examine that output, enable DEBUG logging and turn on the relevant bits in the control file using the values in Tables B-2 through B-6.

Table B-2: Available Logging Levels

Name           Value   Description
LOG_DEBUG      0x2     Debug messages
LOG_INFO       0x4     Informational messages
LOG_NOTICE     0x8     Notices
LOG_WARNING    0x10    Warnings
LOG_ERROR      0x20    Errors
LOG_ALERT      0x40    Alerts

Table B-3: Authentication Information

Name           Value   Description
AUTHEN_OK      0x100   Successful authentication operations
AUTHEN_FAIL    0x200   Failed authentication operations
AUTHEN_ERROR   0x400   Authentication operations that result in an error
AUTHEN_OUTPUT  0x800   All authentication information

Table B-4: Authorization Information

Name               Value    Description
AUTHOR_OK          0x1000   Successful authorization operations
AUTHOR_FAIL_CMD    0x2000   Authorization failed for command
AUTHOR_FAIL_ARG    0x4000   Authorization failed: bad arguments
AUTHOR_FAIL_OTHER  0x8000   Authorization failed for other reasons
AUTHOR_ERROR       0x10000  Authorization errors

Table B-5: Accounting Information

Name           Value     Description
ACCOUNT_OK     0x100000  Successful accounting operations
ACCOUNT_FAIL   0x200000  Failed accounting operations
ACCOUNT_ERROR  0x400000  Errors in accounting operations

Table B-6: Protocol Logging

Name            Value       Description
ERRNO_INFO      0x10000000  Many types of protocol and operational errors
SERVICE_INFO    0x20000000  Major protocol operations
PROTOCOL_ERROR  0x40000000  TACACS+ protocol errors
PACKET_INFO     0x80000000  Display TACACS+ protocol packets
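As an added example (not part of this appendix or of the CiscoSecure ACS software), the following Python code decodes and composes config_logging_configuration values using the bit names from Tables B-2 through B-6. It also reports set bits the tables do not name; for instance, the only bit that differs between the appendix's "allow RADIUS debug" (0xffffffff) and "no RADIUS debug" (0xffffff7f) examples is 0x80, which none of the tables lists.

```python
# Bit values from Tables B-2 through B-6 of the appendix.
LOGGING_BITS = {
    "LOG_DEBUG": 0x2, "LOG_INFO": 0x4, "LOG_NOTICE": 0x8,
    "LOG_WARNING": 0x10, "LOG_ERROR": 0x20, "LOG_ALERT": 0x40,
    "AUTHEN_OK": 0x100, "AUTHEN_FAIL": 0x200, "AUTHEN_ERROR": 0x400,
    "AUTHEN_OUTPUT": 0x800,
    "AUTHOR_OK": 0x1000, "AUTHOR_FAIL_CMD": 0x2000, "AUTHOR_FAIL_ARG": 0x4000,
    "AUTHOR_FAIL_OTHER": 0x8000, "AUTHOR_ERROR": 0x10000,
    "ACCOUNT_OK": 0x100000, "ACCOUNT_FAIL": 0x200000, "ACCOUNT_ERROR": 0x400000,
    "ERRNO_INFO": 0x10000000, "SERVICE_INFO": 0x20000000,
    "PROTOCOL_ERROR": 0x40000000, "PACKET_INFO": 0x80000000,
}
# Mask of every bit the tables name; anything outside it is "unnamed".
_NAMED_MASK = 0
for _bit in LOGGING_BITS.values():
    _NAMED_MASK |= _bit


def decode_logging_config(value):
    """Split a config_logging_configuration value into the table names it
    enables and a list of set bits (as bit values) the tables do not name."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"value out of 32-bit range: {value:#x}")
    named = [name for name, bit in LOGGING_BITS.items() if value & bit]
    unnamed = [1 << i for i in range(32)
               if value & (1 << i) and not _NAMED_MASK & (1 << i)]
    return named, unnamed


def compose_logging_config(*names):
    """Logical OR of the named bits; an unknown name raises KeyError."""
    value = 0
    for name in names:
        value |= LOGGING_BITS[name]
    return value


def control_file_statement(value):
    """Render the value as a CSU.cfg statement in the appendix's syntax."""
    return f"NUMBER config_logging_configuration = {value:#x};"


if __name__ == "__main__":
    # The three example values given for the variable in Table B-1.
    for sample in (0x7E, 0xFFFFFFFF, 0xFFFFFF7F):
        named, unnamed = decode_logging_config(sample)
        print(control_file_statement(sample))
        print("  named:", ", ".join(named))
        print("  unnamed bits:", ", ".join(f"{b:#x}" for b in unnamed) or "none")
```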

Order of Values in the NAS Configuration Records

Each value in a NAS configuration record must be listed in the following order:

  1. NAS name
  2. Encryption key
  3. Message catalog filename
  4. Number of username retries allowed
  5. Number of password retries allowed
  6. A nonzero value if this record is the default NAS description
  7. A nonzero value if the NAS is trusted to send replies to SENDPASS

An example configuration file follows:

NAS config_nas_config = {
  {
    "NAS_NAME", /* any NAS name */
    "SECRET12345", /* secret encryption key */
    "./cat_1", /* message_catalogue_filename */
    1, /* username retries */
    3, /* password retries */
    1, /* this record is the default for any NAS not specifically listed */
    1 /* trusted NAS for SENDPASS */
  }
};

Message Catalogs

A catalog of messages forms part of the configurable data of the CiscoSecure ACS. A message catalog contains all messages that should be returned to users during transactions with the NAS and the CiscoSecure ACS software, allowing multiple languages (such as French, German, and English) to be supported by the CiscoSecure ACS software without having to change any major configuration in the CiscoSecure ACS.

The CiscoSecure ACS sends these messages to the NAS in the native language of the users. CiscoSecure ACS software does this by referring to every user message by a message ID, which identifies the particular message to be sent to the NAS for display to the user. The software's logic depends only on the message ID, never on the text stored in the catalog, and that is what provides language independence. By configuring different message catalogs, the software can support multiple NASs, each with a different user community based on language. A message catalog is associated with a particular NAS by configuration statements in the server control file, so each NAS can have a different message catalog assigned to it if necessary.

Messages in the message catalog are returned to the NAS in response to specific transactions between users and the servers.

Message Catalog Format

Each entry in a message catalog has the format message_number message_string.

For example:

3 "Hello\040there"
2 "ok, what's your password\012"

The formatting and display of messages are determined by the NAS. By convention, however, the Return-Linefeed sequence in the message catalog is represented by a newline (\n) character. You enter special characters using escaped octal notation in which the first character is a backslash (\) and is followed by three octal digits representing the ASCII value of the character. For example, a Return is represented by the value \010 and a Linefeed is represented by the value \012. Extended character sets may contain null values, which are acceptable because each message is stored with an associated length field and is not null terminated.
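As an added example (not part of this appendix or of the CiscoSecure ACS software), the following Python parser reads catalog entries in the format described above, with an optional symbolic name as used in the default-message list that follows, and decodes the escaped octal notation and the \n convention into the length-counted bytes the text describes. The sample catalog is constructed for the example; the embedded NUL entry exercises the point that messages are not null terminated.

```python
import re

# One entry per line: message_number [SYMBOLIC_NAME[,]] "message_string".
_ENTRY = re.compile(r'^\s*(\d+)\s+(?:([A-Za-z_]\w*),?\s+)?"((?:[^"\\]|\\.)*)"\s*$')
# A backslash followed by one to three octal digits, or by any single character.
_ESCAPE = re.compile(r'\\([0-7]{1,3}|.)')

# Constructed sample (not a shipped catalog): the appendix's two example lines,
# one named default message, and an entry containing an embedded NUL byte.
SAMPLE_CATALOG = r'''
3 "Hello\040there"
2 "ok, what's your password\012"
0 AUTHEN_CLIENT_LOGIN_PROMPT    "\nUser Access Verification\n"
30 AUTHEN_ERROR_IN_EXTERNAL_FN,  "Authentication - Error in external function"
99 "nul\000inside"
'''


def decode_message(raw):
    """Decode the quoted body into the bytes the server stores (length-counted)."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(raw):
        out += raw[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        if esc[0] in "01234567":
            out.append(int(esc, 8))   # \000 is legal; bytearray rejects > 0xFF
        elif esc == "n":
            out.append(0x0A)          # the \n newline convention
        elif esc in ('\\', '"'):
            out += esc.encode("latin-1")
        else:
            raise ValueError(f"unknown escape: \\{esc}")
        pos = m.end()
    out += raw[pos:].encode("latin-1")
    return bytes(out)


def parse_catalog(text):
    """Map message number -> (symbolic name or None, decoded bytes)."""
    catalog = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: malformed catalog entry: {line!r}")
        msg_id = int(m.group(1))
        if msg_id in catalog:
            raise ValueError(f"line {lineno}: duplicate message number {msg_id}")
        catalog[msg_id] = (m.group(2), decode_message(m.group(3)))
    return catalog
```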

Message catalogs allow system administrators to redefine the set of messages sent by the CiscoSecure ACS to the users connecting to a particular NAS. The following list identifies the default message IDs, message names, and message strings used by the CiscoSecure ACS software:

0 AUTHEN_CLIENT_LOGIN_PROMPT    "\nUser Access Verification\n"
1 AUTHEN_CLIENT_USERNAME_PROMPT       "Username: "
2 AUTHEN_CLIENT_PASSWORD_PROMPT       "Password: "
3 AUTHEN_CLIENT_SIGN_ON_MESSAGE       ""
4 AUTHEN_CLIENT_CHANGEPASS_INTRO  "Change password sequence"
5 AUTHEN_CLIENT_PASSWORDS_IDENTICAL  "Error - passwords the same"
6 AUTHEN_CLIENT_PASSWORD_EXPIRED  "Your password has expired"
7 AUTHEN_CLIENT_TOO_MANY_TRIES_FOR_USERNAME  "Too many tries for username"
8 AUTHEN_CLIENT_TOO_MANY_TRIES_FOR_PASSWORD  "Too many tries for password"
9 AUTHEN_CLIENT_NEW_PASSWORD1   "New password: "
10 AUTHEN_CLIENT_NEW_PASSWORD2   "New password again: "
11 AUTHEN_CLIENT_PASSWORDS_DIFFERENT  "The passwords are different"
12 AUTHEN_CLIENT_BAD_PASSWORD   "Bad password"
13 AUTHEN_CLIENT_CANT_CHANGE_PASSWORD  "You cannot change your password"
14 AUTHEN_CLIENT_ACCOUNT_EXPIRY_WARNING  "Your account will expire in %d days"
15 AUTHEN_CLIENT_PASSWORD_EXPIRY_WARNING   "Your password will expire in %d days"
16 AUTHEN_CLIENT_NEW_PASSWORD_CRITERIA "A password must be between six and thirteen characters, containing at least one alphabetic and numeric character."
18 AUTHEN_USER_NOT_FOUND        "Authentication - User not found"
19 AUTHEN_BAD_METHOD_FOR_USER   "Authentication - Bad method for user"
20 AUTHEN_BAD_TYPE              "Authentication - Bad type"
21 AUTHEN_NO_USERNAME           "Authentication - No username specified"
22 AUTHEN_INSUFFICIENT_PRIVILEGE  "Authentication - Insufficient privilege"
23 AUTHEN_UNEXPECTED_DATA       "Authentication - Unexpected data"
24 AUTHEN_UNEXPECTED_RESERVED_DATA  "Authentication - Unexpected reserved data"
25 AUTHEN_INCORRECT_PASSWORD    "Authentication - Incorrect password"
26 AUTHEN_ABORTED_SEQUENCE      "Authentication - Aborted sequence"
27 AUTHEN_FILEHANDLING_ERROR    "Authentication - File handling error"
28 AUTHEN_UNKNOWN_PASSWORD_TYPE "Authen - Unknown password type"
29 AUTHEN_USER_NOT_IN_FILE      "Authentication - User not in file"
30 AUTHEN_ERROR_IN_EXTERNAL_FN   "Authentication - Error in external function"
31 AUTHEN_BAD_SERVICE           "Authentication - Bad Service"
32 AUTHEN_BAD_ACTION            "Authentication - Bad Action"
33 AUTHEN_SENDPASS_OK           "Authentication - SENDPASS (ok)"
34 AUTHEN_SENDPASS_FAIL         "Authentication - SENDPASS (fail)"
35 PROTOCOL_USERNAME_TOO_LONG   "Protocol - Username too long"
36 PROTOCOL_NASNAME_TOO_LONG    "Protocol - NAS name too long"
37 PROTOCOL_NASPORT_TOO_LONG    "Protocol - NAS port name too long"
38 PROTOCOL_NACADDR_TOO_LONG    "Protocol - NAC address too long"
39 PROTOCOL_BAD_PRIVILEGE       "Protocol - Invalid privilege field"
40 PROTOCOL_ACTIVE_SESSION      "Protocol - Session id in use"
41 PROTOCOL_NO_SESSION          "Protocol - No session found"
42 PROTOCOL_INCORRECT_TYPE      "Protocol - Incorrect type"
43 PROTOCOL_INCORRECT_SESSION   "Protocol - Incorrect session"
44 PROTOCOL_INCORRECT_SEQUENCE  "Protocol - Incorrect sequence"
45 PROTOCOL_INCORRECT_VERSION   "Protocol - Incorrect version"
46 PROTOCOL_GARBLED             "Protocol - Garbled message"
47 PROTOCOL_READ_TIMEOUT        "Protocol - Read timeout"
48 PROTOCOL_CONNECTION_CLOSED   "Protocol - Connection closed"
49 PROTOCOL_BAD_TYPE            "Protocol - Bad type"
50 PROTOCOL_MAX_USERS_EXCEEDED  "Maximum number of users exceeded"
51 PROTOCOL_ENCRYPTION_MISMATCH "Mismatched encryption"
52 AUTHOR_NO_SERVICE            "Authorization - No service specified"
53 AUTHOR_FAILED_MANDATORY_ARG  "Authorization - Failed mandatory argument" 
54 AUTHOR_FAILED_COMMAND_LINE   "Authorization - Failed command line"
55 AUTHOR_FAILED_SERVICE        "Authorization - Failed service"
56 AUTHOR_FAILED_TIME           "Authorization - Failed time qualification"
57 AUTHOR_BAD_ARGUMENT          "Authorization - Bad argument"
58 AUTHOR_NO_COMMAND            "Authorization - No command specified"
59 AUTHOR_FAILED_CMD            "Authorization - Failed command"
60 AUTHOR_NO_PROTOCOL           "Authorization - No protocol"
61 AUTHOR_UNKNOWN_USER          "Authorization - Unknown user"
62 AUTHOR_INVALID_NAS_OR_PORT     "Authorization - Unauthorized NAS or PORT" 
63 AUTHOR_COMMAND_AUTHORIZED    "Authorization - Command authorized"

Copyright 1989-1997 © Cisco Systems Inc.