ACS RDBMS Synchronization

I have been reviewing the ACS 4.0 documentation and want to know if there are any options available for synchronizing the DB using ODBC on the Solution Engine. Looking for something other than FTP, if available.

Like Jeff said - not supported.
The reason is because ODBC can require a 3rd party driver and the appliance is "hard".
Although common ones could be loaded, there tend to be regular security vulnerabilities (esp. in Jet) that would require constant patching/updating.
Of course you can still manage DBSync in your own DB, you just need to export to csv to get it actioned.

Similar Messages

  • RDBMS Synchronization problem in ACS Appliance 3.3

    Hi,
    I was adding multiple AAA Clients on the ACS Appliance using the RDBMS Synchronization option. I followed the complete steps but failed to synchronize the accountActions.csv file on ACS. My FTP server is working fine and returned logs saying "accountActions.csv file read recieved file successfully size 0 bytes 0.00 kbps", and the RDBMS synchronization logs on ACS reported "No import CSV file on ftp server - nothing to process". I have attached related screenshots. Any help on this issue will be highly appreciated.
    Thanks in advance
    Best Regards,
    Ahmed

    The format of the accountsaction.csv file is incorrect as a result of which the RDBMS Synchronization is not executed correctly.
    I have attached a sample accountsAction.csv file for you.
    (i) The AAA Client C7609-X with the IP address 10.10.10.10 has been added with the shared secret key as mikey and is registered with TACACS+
    (ii) The NDG michasisX has been added.
    (iii) The device C7609-X has been added to the NDG michasisX
    Place the file in the FTP and try performing an RDBMS synchronization. Restart the ACS services.
    Then you can add the devices as per the sample file attached.
    Also check if the file name is exactly the same in the RDBMS Synchronization page in the ACS.
    Hope this helps,
    Soumya

  • RDBMS Synchronization Options

    I use Cisco ACS version 3.3. When I want to configure RDBMS Synchronization I can't see the table "FTP Setup Options". I needed this table to configure FTP with the purpose of adding some user options.
    Does somebody know the solution for this problem?

    Although not strictly supported you can make the software image run like the appliance
    csutil -setPlatform appliance
    This will then enable the appliance features

  • RDBMS Synchronization

    The user guide for ACS for Windows ver4.0 states that Cisco ACS can use RDBMS to synchronize its database with a third party RDBMS system and only one primary ACS server needs to interact with the third party system and the other ACSs in the network can be updated by this primary ACS using RDBMS synchronization.
    However, like many other features that are supposed to work (e.g. domain stripping for MS AD), this too does not seem to work and there is no detailed documentation on how it actually does it.
    The procedure stated in user guide fails and there are gaps in the documentation.
    Can someone refer to any documentation other than the User Guide for instructions/details of this functionality?
    Thanks in advance.

    I think the easiest solution is to have a single ACS that is populated via RDBMS Sync. This ACS becomes the replication "master" that then pushes its config down to a set of "slaves".
    That is the easiest method but replication is a destructive write onto the slave - so you may choose not to do this.
    An alternative is to use the Sync Partners config (part of RDBMS Sync) which attempts to process actions in the sync table on multiple ACSs. For this to work you need the "other" ACSs to have the RDBMS Sync'ing ACS server in their network config db.
    You need to make sure that ACS can write to the transaction table too (note CSV datasources no good) in case one of the other ACSs is down.
    If you're having problems check the rdbms sync CSV & service log on the "master" ACS and the csauth service log on the "slave" for errors.

  • RDBMS Synchronization with a .CSV file

    Good morning. I am trying to create a testable .csv file that I can import into our ACS on a prescheduled basis.
    Here are my questions about this process:
    1. Do I need to use the PASS_Expire action or is there a STOP_DATE? I have looked at the codes and didn't really see one.
    2. Is there a way that I can extract a copy of the dump.txt or get my actual database exported to a different system?
    3. What are the group's recommendations on synchronization? Are there some lessons learned I should look out for?
    Thanks
    Dwane

    Can you help me add a vendor UDV and attributes to ACS?
    I tried it; it is showing me the UDV, but I am getting an error in the RDBMS report for one attribute.
    when v3 is integer
    Error: ACS 'ACS_A1' Action failed [SI=6 A=352 UN="" GN="" AI="" VN="Login-Service" V1="2011" V2="10" V3="integer"] Reason: UDV VSA error - User Defined Vendor/VSA operation failed (VSA name not unique)
    when v3 is string
    Error: ACS 'rdevid-4eafe3cf' Action failed [SI=6 A=352 UN="" GN="" AI="" VN="Login-Service" V1="2011" V2="7" V3="string"] Reason: UDV VSA error - User Defined Vendor/VSA operation failed (VSA name not unique)
    Actually I am doing it for H3c.dct; it is for 3com.
    Below is the file which i used.
    SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
    1,0,,,350,3COM-H3C,AUTO_ASSIGN_SLOT,2011,,,,,,0
    2,0,,,352,h3c-User-Access-Level,2011,26,integer,,,,,0
    3,0,,,352,Administrator,2011,3,string,,,,,0
    4,0,,,352,Manager-(write),2011,2,string,,,,,0
    5,0,,,352,Monitor-(read),2011,1,string,,,,,0
    6,0,,,352,Login-Service,2011,5,string,,,,,0
    7,0,,,352,SSH,2011,50,string,,,,,0
    8,0,,,352,Terminal,2011,52,string,,,,,0
    9,0,,,353,,2011,221,IN OUT,,,,,0
    10,0,,,355,,,,,,,,,0
    Also please let me know how I can delete the UDV if I want to. I tried the procedure mentioned in the user guide but failed.

  • RDBMS Synchronization Import Definitions

    Hi,
    We want to automatically synchronize our ACS server with an external database including users, groups, network devices and command authorization sets.
    As read in the RDBMS synchronization import definitions there is no possibility to import "command authorization sets".
    Is this correct or does anybody know if there is a way to do this with ".csv-files"?
    Thanks for your answers.
    Torsten Waibel

    If the guide has the actions to import command authorization sets then it is possible; otherwise it is not possible:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_RDBMS.html

  • Cisco secure ACS - RDBMS Rename a Group-

    Hi,
    I'm currently working with Cisco Secure ACS 3.1 and I'm trying to use RDBMS synchronisation with a csv file. I create an accountactions.csv file where I create a new user.
    1,0,TESTuser,,100,,,,,,0,,,0
    2,0,TESTuser,,102,,test,,,,0,,,0
    Until here, all is working fine. But now, I would like to put this user into a Group. This should be done with :
    3,0,TESTuser,Group 30,106,,,,,,0,,,0
    But I would like to know if it's possible to rename or create one Group (e.g. rename Group 30 with Group TEST) directly in my csv file?
    Thank you
    Regards
    Pascal TOURNIER

    Here is what I found works for renaming a default group, as you cannot create more groups beyond what is there.
    SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
    1,1,,Group 100,210,,BPM,,,,0,,,0
    2,2,,Group 101,210,,CHANNEL SECURE OPS,,,,0,,,0
    3,3,,Group 102,210,,CISCO CNC,,,,0,,,0
    4,4,,Group 103,210,,CISCO NOS,,,,0,,,0
    5,5,,Group 104,210,,CTS,,,,0,,,0
    6,6,,Group 105,210,,DCI,,,,0,,,0
    line 1
    Rename "Group 100" to named group "BPM" using code 210 to perform the Action
    Gerald
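
An added example, not part of the original thread and not Cisco code: a pre-flight check for an accountActions.csv file before it is placed on the FTP server, using the 14-column header quoted in the posts above and catching the empty-file case reported in the first thread. The integer-field and unique-SequenceId rules are assumptions of this check, and the sample files are constructed from rows shown on this page.

```python
import csv
import io

# Column names as quoted in the accountActions.csv samples on this page.
EXPECTED_HEADER = [
    "SequenceId", "Priority", "UserName", "GroupName", "Action",
    "ValueName", "Value1", "Value2", "Value3", "DateTime",
    "MessageNo", "ComputerNames", "AppId", "Status",
]
# Assumption of this example: these columns must hold non-negative integers.
INT_FIELDS = ("SequenceId", "Priority", "Action")


def lint_account_actions(text):
    """Return (line_number, message) problems; an empty list means clean."""
    if not text.strip():
        # Matches the "size 0 bytes" / "nothing to process" symptom.
        return [(0, "file is empty, nothing to process")]
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    first = [c.strip() for c in rows[0]]
    skip_first = False
    if first == EXPECTED_HEADER:
        skip_first = True
    elif first and not first[0].isdigit():
        problems.append((1, "header does not match the expected 14 columns"))
        skip_first = True
    seen = {}  # SequenceId -> line number where it first appeared
    for lineno, row in enumerate(rows, start=1):
        if (lineno == 1 and skip_first) or not any(c.strip() for c in row):
            continue
        if len(row) != len(EXPECTED_HEADER):
            problems.append(
                (lineno, f"{len(row)} fields, expected {len(EXPECTED_HEADER)}"))
            continue
        rec = dict(zip(EXPECTED_HEADER, (c.strip() for c in row)))
        for name in INT_FIELDS:
            if not rec[name].isdigit():
                problems.append(
                    (lineno, f"{name} is not an integer: {rec[name]!r}"))
        seq = rec["SequenceId"]
        if seq in seen:  # assumption: each action needs its own SequenceId
            problems.append(
                (lineno, f"SequenceId {seq} already used on line {seen[seq]}"))
        else:
            seen[seq] = lineno
    return problems


HEADER = ",".join(EXPECTED_HEADER)
# Constructed sample: two group-rename rows in the format shown above.
GOOD = "\n".join([HEADER,
                  "1,1,,Group 100,210,,BPM,,,,0,,,0",
                  "2,2,,Group 101,210,,CHANNEL SECURE OPS,,,,0,,,0"])
# Constructed sample with a non-numeric Action, a reused SequenceId
# and a row that is two fields short.
BAD = "\n".join([HEADER,
                 "1,0,TESTuser,,100,,,,,,0,,,0",
                 "1,0,TESTuser,Group 30,ADD,,,,,,0,,,0",
                 "3,0,TESTuser,Group 30,106,,,,0,,,0"])

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD), ("empty", "")):
        print(label, lint_account_actions(sample))
```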

  • ACS RDBMS adding NDG with Shared Secret

    I have an ACS 4.2 on a SE 1113 and I am using RDBMS to add Network Device Groups. I am able to create the group, but I would like to set the Shared Secret for the group. I am using the action code 250 to add the group but I can not see a way to set the Secret. I can modify the Secret after creating the group using the GUI but it would be better to do it all with RDBMS. Are there any other action codes that can be used on NDGs?
    Thank you.

    Per-NDG shared secrets came after NDG addition via dbsync. It looks like this has not been retro-fitted to dbsync.
    This is quite typical as dbsync is the poor unloved child of ACS.

  • ACS RDBMS issue

    Hello guys,
    Actually I was happy to find the RDBMS function in AAA to get my hundreds of AAA clients into the database, but now I am stuck with a problem.
    I would like to summarize some AAA devices in one AAA entry, which means it will have several IP addresses inside.
    According to the RDBMS function I can only add 1 IP address per csv-line. Is there no workaround to push more into the AAA entry without adding them manually?
    If I try by using several csv-lines with the same name, but different IPs, I just get an error.
    Thanks for your help!

    You cannot use several IPs in one AAA client entry, but you have the following options:
    1. You can define an NDG "network device group" and put the same type of AAA client into the group.
    Or
    2. You can use a "wildcard asterisk" or IP range to include multiple IP addresses with one AAA client, like 10.1.1.* or 10.1.1.1-10.1.1.100.

  • Deleting or Renaming the AccountAction.csv in RDBMS synchronization

    Good morning all,
    I am trying to finalize a process using the RDBMS Sync on Cisco ACS 4.1 SE. The process will get my AccountActions.csv file, but does not seem to want to rename it. I have the sync occurring every morning at 0300. I guess one question would be, if the file does not change, what will occur? I get an error like this:
    Could not delete CSV file on FTP Server - may process same actions again. (The file may be in use).
    I have set up the FTP server to allow deletion and renaming from this login.
    Any help or direction would be appreciated.
    Thanks
    Dwane

    I would schedule something to rename the account actions csv on the FTP server; have it run at 04:00.
    That way you know it's done. Otherwise ACS will simply process all the same actions again.
    This is because RDBMS sync was designed to work with proper databases. There is a field to indicate a row has been processed, but csv files are read only thanks to the retarded Microsoft csv driver.

  • ACS 4.2 RDBMS Action 105/108 - How to set to something other than default "RADIUS Token Server"

    I'm trying to create an import script for RDBMS to import users, but cannot figure out how to set the "PASS_TYPE_RADIUS_TOKEN" to something other than the default of "RADIUS Token Server".  We have multiple RADIUS Token Server definitions.
    I can create a user with what I need, except external db password is set to "RADIUS Token Server".  How do I set it to (for example) something like "RADIUS Token Server - xxxx"
    We have more than 1 RADIUS Token Server definition called "RADIUS Token Server - xxxx", "RADIUS Token Server - yyyy". 
    Thanks!

    As per my knowledge you have to update the 4.2 ACS to 5.1, because when you go for RDBMS synchronization it won't allow you. I have faced this problem in the past while the primary ACS was 4.1 and the secondary was 4.2; I updated the primary ACS to 4.2 and everything is working fine.

  • We are unable to manage our ACS

    Accidentally the power to the ACS server was switched off and then on again. But after the power on though the device came up successfully; we are not able to manage it.
    We are unable to manage our ACS. We have a configuration back-up.
    1) By HTTPS. The cert can not be added manually on the browser in any way. Looks like an application error. Tried several different browsers.
    ACS details:
    CSACSE-1113-K9    Cisco secure ACS 4.x solution engine 1113 Appliance    CSACSE-1113-K9v01
    When I try https:abc001:2002/
    I get the following pop-up error message:
    Secure connection failed.
    an error occurred during connection to abc001:2002. certificate type not approved for application.(Error code:sec_error_inadequate_cert_type)
    .the page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    .please contact the web site owners to inform this problem. Alternatively, use the command found in the help menu to report this broken site.
    2) by SSH. xxxxx is the administrator account.
    We can login but there are no commands available
    abc001>help
    command                             Description
    ?                                List commands
    exit                             Log off
    help                             List commands
    csdbsync -syncnow                RDBMS synchronization
    abc001>?
    command                             Description
    ?                                List commands
    exit                             Log off
    help                             List commands
    csdbsync -syncnow                RDBMS synchronization
    3) Tried with a serial cable, but we only get some rubbish on the screen. We tried different serial cables. These cables work on other appliances (WLC controller and Cisco switches) but not on the ACS.

    Hi,
    The issue which you are facing comes when the certificate installed on the ACS is either not correct or has gone corrupt. You would not be able to install a fresh certificate on the ACS Appliance through console or SSH.
    You can open a TAC case and send a backup of the ACS database, they might be able to correct the database. Otherwise the only other option is to reimage the ACS Appliance.
    To access an ACS Appliance from the console, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/instalap.html#wp1065399
    To administer the ACS Appliance, take a backup etc., you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/admap.html
    Regards,
    Kush

  • Adding RADIUS VSAs on ACS 3.2 SE

    I have tried to add a VSA to enable a Packeteer to authenticate using RADIUS on the ACS.
    Using RDBMS synchronization to import the csv file below.
    SequenceId,Priority,GroupName,Action,ValueName ,Value1,Value2,Value3
    1,1,External,163,26,access=look,2334,1
    The group name is 'External', Action is 163 which corresponds to ADD_RADIUS_ATTR.
    From RDBMS Synchronization Import Definitions (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/ag.htm#wp35130)
    To add a vendor-specific attribute (VSA), set VN = "26" and use V2 and V3 as follows:
    •V2 = IETF vendor ID (which in this case is 2334)
    •V3 = VSA attribute ID (1)
    •V1 = In this case 'access=look'
    After a couple of attempts I got the format correct but when I try and import the file I don't get an "INFO" message in the "Reports" section of the ACS indicating that the process was successful. I don't get any message at all, WARNING, ERROR or INFO.
    From the FTP server I can confirm that the file was transferred.
    What I should get is an INFO message similar to:
    08/30/2004 16:27:50 INFO Sync complete: 1 transaction(s) 0 parse error(s) 0 process error(s)
    Any ideas as to what is wrong would be much appreciated.
    Cheers,
    Aylmer.

    Hi, you need to import the RADIUS VSA for Packeteer from their site.
    The link to the steps as shown below is (might require you to subscribe and log in)
    https://packeteer.custhelp.com/cgi-bin/packeteer.cfg/php/enduser/std_adp.php?p_faqid=399&p_created=1046793530&p_sid=gszcDFBh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PWRmbHQmcF9ncmlkc29ydD0mcF9yb3dfY250PTImcF9wcm9kcz0wJnBfY2F0cz0wJnBfcHY9JnBfY3Y9JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfZm5sJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9YWNz&p_li=&p_topview=1
    In any case the same content is copied below:
    Also the steps on how to do them are listed here
    Create a User Defined Vendor
    First, you need to create a User Defined Vendor.
    1. Create a text file (packet.ini) and enter the following:
    [User Defined Vendor]
    Name=Packeteer
    IETF Code=2334
    VSA 1=Packeteer-AVPair
    [Packeteer-AVPair]
    Type=STRING
    Profile=OUT
    2. Name the file packet.ini.
    Add the Vendor to the Database
    Next, you need to add the above vendor to the database.
    1. Go to the command prompt, and change the directory to the Cisco Secure utils directory (typically C:\Program Files\CiscoSecure ACS v3.0\Utils).
    2. The instructions below install the vendor into User Defined slot 0. If you have other vendors, you need to change this number to a free slot. To see a list of slots and their assignments, use the csutil -listudv command. For example:
    C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
    CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
    UDV 0 - Unassigned
    UDV 1 - Unassigned
    UDV 2 - Unassigned
    UDV 3 - Unassigned
    UDV 4 - Unassigned
    UDV 5 - Unassigned
    UDV 6 - Unassigned
    UDV 7 - Unassigned
    UDV 8 - Unassigned
    UDV 9 - Unassigned
    3. Run csutil -addudv to add Packeteer to UDV (User Defined Vendor) slot 0 or the next open slot.
    C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addudv 0 c:\temp\packet.ini
    CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
    Adding or removing vendors requires ACS services to be re-started.
    Please make sure regedit is not running as it can prevent registry
    backup/restore operations
    Are you sure you want to proceed? (y/n)y
    Parsing [c:\temp\packet.ini] for addition at UDV slot [0]
    Stopping any running services
    Creating backup of current config
    Adding Vendor [Packeteer] added as [RADIUS (Packeteer)]
    Adding VSA [Packeteer-AVPair]
    Done
    Checking new configuration...
    New configuration OK
    Re-starting stopped services
    Verify that Packeteer was added.
    C:\Program Files\CiscoSecure ACS v3.0\Utils>
    C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
    CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
    UDV 0 - RADIUS (Packeteer)
    UDV 1 - Unassigned
    UDV 2 - Unassigned
    UDV 3 - Unassigned
    UDV 4 - Unassigned
    UDV 5 - Unassigned
    UDV 6 - Unassigned
    UDV 7 - Unassigned
    UDV 8 - Unassigned
    UDV 9 - Unassigned
    4. Return to ACS Admin and select Network Configuration.
    From the main screen select Network Configuration and add the PacketShaper by supplying the AAA client Hostname, IP address, Key. Scroll through the Authenticate Using choices and select RADIUS (Packeteer).
    5. From the main screen select User Setup and enter a user name for a Touch or Look access user to the Packet Shaper. Supply the PAP/CHAP password. Leave other fields at defaults and scroll to the bottom of the form. Be sure the Packeteer-AVPair box is selected and supply either "access=touch" or "access=look" in the available entry space.

  • Add new OPNET VSA in ACS 4.2

    I need to add OPNET Radius attributes in ACS 4.2. How should I add a new VSA in ACS?  The google search is pointing me to CSUtil.exe, and I cannot find this utility in the ACS install files. 
    These are the values that I need added for OPNET.
    When configuring the RADIUS server to support the ACE Live Appliance, use the following Vendor Code and Vendor Specific Attribute (VSA):
    Vendor Code: 7119
    VSA: 33
    Thanks for your help.
    Fasih

    Well Well Well, you can use the RDBMS synchronization feature to add the new custom vendor to ACS with its custom attributes that complement the standard list of IETF.
    What you need to do is to define the accountactions.csv file with the actions needed to add the new custom vendor as well as its attributes.
    As a reference to the way how to implement the accountactions.csv file please check the following link:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RDBMS.html#wp148322
    Walk through the whole chapter described above.
    One more thing: you need to find the dictionary file for OPNET with their custom attributes.
    If you need the fish, just provide the dictionary file and I will make the file for you.
    Please make sure to rate correct answers

  • ACS external database issue

    Hi
    I have the following issue: a user exists on both the ACS and the token server, and authentication is set to external database with no unknown user policy, as the user is known to the ACS! This fails authentication; the error message is CS user unknown... Now if the unknown user policy is set to the external database, the authentication works fine. This is on 3.3. I have checked for bugs to no avail.
    Any assistance would be good...
    Thanks MJ

    Hi JG
    Many thanks for your response, it is configured this way due the documentation below:
    Known Users - Users explicitly added, either manually or automatically, into the Cisco Secure ACS database.
    These are users added through User Setup in the HTML interface, by the RDBMS Synchronization feature, by the Database Replication feature, or by the CSUtil.exe utility. For more information about CSUtil.exe, see "CSUtil Database Utility".
    Cisco Secure ACS attempts to authenticate a known user with the single database that the user is associated with. If the user database is the CiscoSecure user database and the user does not represent a Voice-over-IP (VoIP) user account, a password is required for the user. If the user database is an external user database or if the user represents a VoIP user account, Cisco Secure ACS does not have to store a user password in the CiscoSecure user database.
    This is from the following link....
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/qu.htm
    Many thanks MJ
