I wanted to write a document on how to import RADIUS VSA’s (vendor specific attributes) into cisco’s ACS SE (Solution Engine) appliance, the reason being that I couldn’t find any good examples on the net and cisco’s documentation just wasn’t clear enough.
My purpose was to use RADIUS authentication between a Nokia IPSO appliance such that users who access voyager or ssh get authenticated centrally; for RADIUS authentication to work your authentication server (in this case ACS) needs to supply the AAA client (in this can the ipso box) with a “return list attribute”. By default ACS doesn’t have the nokia attributes; to import attributes you need to get your hands on a dictionary file, for nokia ipso it’s /etc/nokia.dictionary – I’ve a copy here.
In you dictionary file you need to pick out some key elements, firstly the IANA-assigned enterprise code for the vendor and secondly a list of attributes to add. Using my nokia example the vendor code is the top line:
VENDOR Nokia 94
Thus the code is 94 , and everything below that are attributes.
So… Getting started with ACS, firstly if you have AAA clients which you want to use the new attributes you are going to need to delete them, and to be save reboot ACS. Now the import is done via the RDBMS sync process, since you do not have OS level access to ACS you need to upload a file called “accountActions.csv” (case sensitive), uploading this file tells the internal database to perform some commands or actions, examples would be to bulk import some users or bulk group changes, in our case we’re going to insert a new “Vendor” into the RADIUS database, and then insert some attributes.
I have created a file called createVendor_accountActions.csv if you renamed it to accountActions.csv and uploaded it to your ACS box via the RDBMS Sync tool (under system configuration) it’d perform the following actions:
-
- Command -1
- Priority – 8
- Action – 350 (Create new Vendor)
- Vendor Name – Nokia
- ACS Vendor Number – Auto Assigned
- Vendor ID – 94
- Date of DB Transaction – 25/09/2007 13:00
-
- Command – 2
- Priotity – 0
- Action – 355 (Restart ACS Services)
- Date of DB Transaction – 25/09/2007 13:00
The command numbers are just like primary key fields in a database or row numbers in a spreadsheet, they need to be unique and incremental for each csv file, and the priority specify and order to apply the commands, you I guess you could set the priorities all to 0 and rely on the command number to process the file in order, but I set a priority just in case. After you apply the file ACS will be temporarily unavailable as the services restart.
Now, we look at one line of importAttributes_accountActions.csv, again it would need to be renamed to accountActions.csv, before uploaded, and lets take a look at one line.
- Command -1
- Priority – 7
- Action – 352 (Add VSA)
- Attribute Name – Nokia-IMSI
- The vendor to assign the attribute to – 94 (Nokia)
- Attribute ID – 224
- Attribue type – integer ( can only be integer, string or ipaddr)
- Date of DB Transaction – 25/09/2007 13:00
Hopefully this all starts to make sense when looking at your dictionary file, again the final line of the file restarts the services. An important thing to not here is that if you create a new vendor you need to re-start the services before you can apply an attribute to it, and you need to restart the services again to use the attributes… at this point here it’s probably worth mentioning that the version of ACS SE I’m using now (4.1) is a windows appliance, so if at any point your box hasn’t done what you think a reboot won’t hurt 
Now you can add your AAA client and in my example you could set the vendor to RADIUS (Nokia) , if you then go into interface configuration RADIUS (Nokia) will appear, go in there and tick all the boxes for “group”, finally if you go into your group setup at the very bottom will be a list of attributes you’ve imported and can use ! 
Just in can you need them here are my references:
Hi,
I have been following the info you provided along with the Cisco docs but have not been successful. The VSA’s import and are configurable, however the RADIUS client either does not receive them, or is refusing them.
We are using ACS Solution Engine 4.2 and also ACS 4.2 for Windows. If I import using RDBMS on ACS for Windows the VSA’s also do not work. If I use Csutil to import they work fine.
I have included samples of my .csv’s below
Have you come across anything like this before?
James
SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
1,0,,,350,APC,AUTO_ASSIGN_SLOT,318,,,,,,0
2,0,,,352,APC-Service-Type,318,1,integer,,,,,0
3,0,,,354,Admin,318,1,1,,,,,0
4,0,,,354,Device,318,1,2,,,,,0
5,0,,,354,Read Only,318,1,3,,,,,0
6,0,,,355,,,,,,,,,0
SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
1,0,,,350,Netscreen,AUTO_ASSIGN_SLOT,3224,,,,,,0
2,0,,,352,NS-Admin-Privilege,3224,1,integer,,,,,0
3,0,,,352,NS-Admin-Vsys-Name,3224,2,string,,,,,0
4,0,,,352,NS-User-Group,3224,3,string,,,,,0
5,0,,,352,NS-Primary-DNS-Server,3224,4,ipaddr,,,,,0
6,0,,,352,NS-Secondary-DNS-Server,3224,5,ipaddr,,,,,0
7,0,,,352,NS-Primary-WINS-Server,3224,6,ipaddr,,,,,0
8,0,,,352,NS-Secondary-WINS-Server,3224,7,ipaddr,,,,,0
9,0,,,352,NS-Version,3224,8,string,,,,,0
10,0,,,354,READ_WRITE,3224,1,2,,,,,0
11,0,,,354,VSYS_ADMIN,3224,1,3,,,,,0
12,0,,,354,READ_ONLY,3224,1,4,,,,,0
13,0,,,354,VSYS_READ_ONLY,3224,1,5,,,,,0
14,0,,,355,,,,,,,,,0
Hi James,
The only suggestion I have is to try breaking your .csv’s into two files.
Create the Vendor ID , then import the attributes… in your example, have one file to “create Vendor 3224, NetScreen” then import the NetScreen attributes…..
File1.csv
SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
1,0,,,350,Netscreen,AUTO_ASSIGN_SLOT,3224,,,,,,0
2,0,,,355,,,,,,,,,0
File2.csv
SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
1,0,,,352,NS-Admin-Privilege,3224,1,integer,,,,,0
2,0,,,352,NS-Admin-Vsys-Name,3224,2,string,,,,,0
3,0,,,352,NS-User-Group,3224,3,string,,,,,0
4,0,,,352,NS-Primary-DNS-Server,3224,4,ipaddr,,,,,0
5,0,,,352,NS-Secondary-DNS-Server,3224,5,ipaddr,,,,,0
6,0,,,352,NS-Primary-WINS-Server,3224,6,ipaddr,,,,,0
7,0,,,352,NS-Secondary-WINS-Server,3224,7,ipaddr,,,,,0
8,0,,,352,NS-Version,3224,8,string,,,,,0
9,0,,,354,READ_WRITE,3224,1,2,,,,,0
10,0,,,354,VSYS_ADMIN,3224,1,3,,,,,0
11,0,,,354,READ_ONLY,3224,1,4,,,,,0
12,0,,,354,VSYS_READ_ONLY,3224,1,5,,,,,0
13,0,,,355,,,,,,,,,0
I hope that helps,
Nick
I am having the exact same problem (even to trying to use a Netscreen appliance) I do not see the NS-Admin-Priv attribute returned. . . have you made any progress?
Hi Nick,
thanks for your perfekt guide. It works for me very well with ACS SE 4.2 and here are two more hints.
You have to create the vendor id first as you recommended and then restart the service. After that wait for about 2 minutes after the services restarted – else the next import failed in my enviroment.
Then import the new vendor attributes. You should see two info messages in the RDBMS log that the imports were successfull. After that a restart service only wouldn’t help. I didn’t see the new radius vendor when i tried to add a new AAA client. But after i restart the whole appliance the new vendor ist there and i can set the attributes without any problem.
Best regards
Steve
you need to add actions 356 and 357 before action 355 in your accountactions.csv file.
Cheers Mark – Adding action 356 & 357 also resolved my problem with no need to break the file down or restart the services.
Below is a dictinary file from a Motorola APEX 1000 headend device. I’m new to ACS and wondering how I can format the CSV for ACS. Thanks for any help.
##############################################################################
#
# Motorola DVS attributes.
#
# "$Id: dictionary.motorola,v 1.0.0.1 2009/09/03 12:15:00 sbattle Exp $"
#
##############################################################################
VENDOR Motorola 161
BEGIN-VENDOR Motorola
ATTRIBUTE Motorola-DVS-User-Access-Level 105 integer
VALUE Motorola-DVS-User-Access-Level Motorola-Administrator 15
VALUE Motorola-DVS-User-Access-Level Motorola-Operator 7
VALUE Motorola-DVS-User-Access-Level Motorola-Monitor 0
ATTRIBUTE Motorola-APEX1000-User-Access-Level 107 integer
VALUE Motorola-APEX1000-User-Access-Level Motorola-Administrator 15
VALUE Motorola-APEX1000-User-Access-Level Motorola-Operator 7
VALUE Motorola-APEX1000-User-Access-Level Motorola-Monitor 0
END-VENDOR Motorola
hi.
i have the same problem as you jeremy
do you have knews on How to convert it to ACS?
thanks
This is quite a challenge to get your head round, but I would recommend you read mine and James examples a few times… I found importing the CSV texts into excel to help visualise it makes it clearer … at a guess you need something like…
Create motorola with a 350 command…
SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
1,0,,,350, Motorola,AUTO_ASSIGN_SLOT,161,,,,,,0
2,0,,,355,,,,,,,,,0
Note action 355, saves it to the DB….Then another to add the attributes…
SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
1,0,,,352,Motorola-DVS-User-Access-Level,161,105,integer,,,,,0
2,0,,,352,Motorola-APEX1000-User-Access-Level,161,107, integer,,,,,0
3,0,,,355,,,,,,,,,0
You probably need some 354 actions to associate the integer value 15 with Motorola-Administrator etc.
HTH,
Nick