Cisco Acs 5.2 Intresting Configuration Examples

 

 

Table of Contents


 

1.1.       How to configure RDBMS synchronization in Cisco secure  ACS V 3.3
1.2.       Rdbms Core issue
1.3.       Resolution
1.4.       Create a CSV file for accounts
1.5.       Change the Registry Settings on the ACS:
1.6.       Save the changes to the  registry.
1.7.       How to Retrieve and Decrypt Support Bundle in ACS 5.X for troubleshooting authentication, accounting and authorization issues.
1.8.       Backing up Cisco ACS 5.2 database using CLI

 

How to configure RDBMS synchronization in Cisco secure  ACS V 3.3


 

Rdbms Core issue


 

The Relational Database Management Systems (RDBMS) synchronization feature updates the  CiscoSecure user database with information from an Open Database Connectivity (ODBC)-compliant data source.  The ODBC-compliant data source can be the RDBMS database of a third-party  application. It can also be an intermediate file or database that a third-party  system updates. Regardless of where the file or database resides, Cisco Secure  ACS for Windows (ACS) reads the file or database through the ODBC connection. RDBMS synchronization can also be regarded as an Application Program Interface (API) of much of what can be configured for a user,  group, or device through the ACS HTML interface. Alternatively, it is possible to maintain the group through this feature. RDBMS synchronization supports addition, modification, and deletion for all data items it can access.
Synchronization can be configured to occur at regular intervals. Synchronizations can be performed manually, in which case the Cisco Secure user database is updated on demand.
Synchronization performed by a single ACS can  update the internal databases of other ACSes, so that the RDBMS Synchronization configuration only needs to take place on one ACS. ACSes listen on TCP port 2000 for synchronization data. RDBMS Synchronization  communication between ACSes is encrypted with a 128-bit encrypted, proprietary algorithm.

Resolution


 

To perform RDBMS synchronization, follow this procedure:

Create a CSV file for accounts


 

Create an accountactions.csv file and save it to C:\Program Files\CiscoSecure      ACSvx.x\CSDBSync\Databases\CSV(the      assumption is a default installation of ACS).

 

Note: The order of the fields is very important for the RDBMS synchronization. The basic format for the accountactions.csv file is SequenceId, Priority, UserName, GroupName, Action, ValueName, Value1, Value2, Value3, DateTime, Message No., ComputerNames, AppId, Status.

The sequence ID is any unique number because ACS usually starts to apply the codes with highest priority and then lowest ID. This is why the sequence ID must be unique for all the entries, as shown in this example:

1,0,user1,Group 1,100,,password1,,,10/07/2005 0:00,0,,,0
2,0,user2,Group 1,100,,password2,,,10/07/2005 0:00,0,,,0
3,0,user3,Group 1,100,,password3,,,10/07/2005 0:00,0,,,0
4,0,user4,Group 1,100,,password4,,,10/07/2005 0:00,0,,,0

This accountactions file, adds usernames user1,user2,user3,user4 to Group 1, with passwords password1, password2, password3 and password4 respectively.

Note: This file can be created in Microsoft (MS) Excel, as long as these columns are incorporated in the same order. This is an example of how this file is created in MS Excel:

SequenceID 
Priority 
UserName 
GroupName 
Action 
ValueName 
Value1 
Value2 
Value3 
DateTime 
MessageNo 
ComputerNames 
AppId 
Status 

 

Note: The accountactions.csv file must start with a blank line (or a line without actual import definitions), as the first line is skipped by the MS ODBC driver. Also, regardless of the action, fields 1, 2, 5, 10, 11, and 14 (SequenceID, Priority, Action, DateTime, MessageNo, Status) are mandatory. For a detailed description of the fields and action definitions, refer to theRDBMS Synchronization Import Definitions section of User Guide for Cisco Secure ACS for Windows Server Version 3.3.

Change the Registry Settings on the ACS:


 

    1. Access the HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAvx.x\CSDBSync key.
    2. Change the OdbcUpdateTable       value from AccountActions to accountactions.csv.

Save the changes to the  registry.


 

 

Note: Failure to perform this procedure results in the [Microsoft][ODBC Text Driver] Cannot update. Database or object is read-only error message.
Synchronization cannot be performed with a relational database table after the OdbcUpdateTable value has been changed to accountactions.csv. To do so, change the OdbcUpdateTable value back to AccountActions.

Configure a System Data Source Name for RDBMS      synchronization with these steps:
Go to Administrative Tools >       Data Sources (ODBC).
Choose the System DSN tab and click Add.
Choose Microsoft Text       Driver(*.txt,*.csv) and       click Finish.
Enter a name in the Data       Source Name field and a description in the Description field.
Uncheck Use Current Directory and click Select Directory.
Browse to the C:\Program Files\CiscoSecure       ACS vx.x\CSDBSync\Databases\CSV directory       and click OK.
Click on the Options button and then the Define Format button.
Click on accountactions.csv and then OK.
Click OK if the Failed to save table attributes of (null) into       (null) message is received.
Click OK, and then OK again.

Configure ACS to use an ODBC Data Source with      these steps:
Go to Interface Configuration >       Advanced Options.
Check the RDBMS Synchronization checkbox and click Submit.
Go to System Configuration >       RDBMS Synchronization.
Choose the newly created ODBC       Data Source from the dropdown list.
Keep the username and password       fields empty.
Synchronization scheduling       must be set to Manually.
Make sure the server is listed       in the Synchronize column of the Synchronization Partners section and       click Submit.
Go back into RDBMS Synchronization and click Synchronize Now. Ideally,       the updates now take place.

 

Note: Unlike other methods of RDBMS synchronization, the lines are not deleted from the .csv file as they are added to the CSDB. This is because the MS ODBC text driver has read-only access. If ACS version 3.0 is run, it may be necessary to change the [accountactions] line in the C:\Program Files\CiscoSecure ACS vx.x\CSDBSync\Databases\CSV\schema.ini file to [accountactions.csv].

Note: RDBMS synchronization attempts made using the text driver with ACS installed on the Win2k Advanced Server do not work. These attempts most likely result in the the ;[Microsoft][ODBC Text Driver] Text file specification field separator matches decimal separator or text delimiters error message.
For additional details, refer to the RDBMS Synchronization section of User Guide for Cisco ACS 3.3

 

How to Retrieve and Decrypt Support Bundle in ACS 5.X for troubleshooting authentication, accounting and authorization issues.


 

Introduction:  This document describes the process of retrieving the support bundle using GUI followed by decrypting the same bundle using CLI.
Requirement:  Support bundle is same as package.cab file of 4.X acs code, however in 5.x, we get support bundle in encrypted format and hence we need to decrypt the bundle to get the actual logs required for troubleshooting issues like, authentication, authorization and accounting.

Prerequisites

  1. ACS appliance running software versions 5.X
  2. Putty software

 

Procedure
Step 1 Login to ACS using GUI, to retrieve the support bundle for decryption using its Ip address https://ip-address-of -acs

Step 2 Enter the credentials to login and you will see the following GUI main page--

Step 3:   Now to retrieve the support bundle, select Monitoring and Reports > Troubleshooting > ACS Support Bundle.

 

acs 5.2 support bundle


Step 4   Ftp the support bundle to a local ftp, i-e, Copy paste the collected support bundle to a local ftp server (172.16.182.201 in our example).

Step 5:  Now SSH to the ACS 5.1 server –  


Step 6:  Now login into ACS using CLI to create a local repository name as FTP(where FTP is just a name of repository) , please refer the following commands once you logged in--

Configure terminal
repository FTP
url ftp://172.16.182.201 (where 172.16.182.201 is the ip address of ftp server)
user cisco password plain cisco123 (this username is the one you define on FTP server to authenticate)
exit
Please refer the screenshot for the same---

 

cli and repository creation

Step 6.5:

Now once the repository (FTP) is created, then we need to decrypt the bundle.

To decrypt the bundle, Enter acs-config mode by entering acs-config and entering the acs admin credentials

acs51/acsadmin(config-acs)# decrypt-support-bundle ftp acs.tar.gzDecrypting Support Bundle...
Repository: ftp
Support Bundle: acs.tar.gz
Decryption completed successfully - decrypted bundle: dec_38134.tar.gz is located on your repository.

Refer the following screenshot for the same----

Once the file is decrypted then please log back to FTP server to retrieve the decrypted file.

The decrypted file in our case is dec_38134.tar.gz (You will get the name of file in “Decryption completed successfully - decrypted bundle: <Name of decrypted bundle>”)

dec_38134.tar.gz is the decrypted support bundle .Just use winzip to open its contents.

You may use the decrypted support bundle for own troubleshooting, or provide the same to Support Community or TAC to get the speedy response on the issues.

Backing up Cisco ACS 5.2 database using CLI


 

 

Login to the Cisco ACS 5.2 applince using console cable to SSH connection
And issue the bellow
Make sure you have an ftp server installed with an ip address 172.16.1.1 and it can be reached via the Cisco ACS server.

conf t

 

repository ftp
url ftp://172.16.1.1/
user anonymous password plain anonymous

 backup backup-name repository ftp

 

Similar Documents For Configuring Different Parameters of the ACS 5.2 Appliance can be found bellow.


 

  1. Cisco ACS 5.2-Virtual-Machine-VMware-Workstation-Installation-Guide
  2. Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example
  3. Cisco-ACS-5.2-Intresting-Configurations
  4. Cisco-ACS-5.2-802.1.x-Authentication-And-Multi-Domain-Authentication-Configuration-Example
  5. Cisco TACACS+ switch template configuration example.
  6. Cisco TACACS + firewall template configuration example.

 

For a free assessment and recommendations on how to optimize your current Cisco ACS solution contact us here

 

 

 

Share The Link And Enjoy Thanks !