I wanted to write a document on how to import RADIUS VSAs (vendor-specific attributes) into Cisco's ACS SE (Solution Engine) appliance, because I couldn't find any good examples on the net and Cisco's documentation just wasn't clear enough.

My purpose was to use RADIUS authentication with a Nokia IPSO appliance so that users who access Voyager or SSH are authenticated centrally. For RADIUS authentication to work, your authentication server (in this case ACS) needs to supply the AAA client (in this case the IPSO box) with a "return list attribute". By default ACS doesn't have the Nokia attributes; to import attributes you need to get your hands on a dictionary file, which for Nokia IPSO is /etc/nokia.dictionary - I've a copy here.

In your dictionary file you need to pick out some key elements: firstly the IANA-assigned enterprise code for the vendor, and secondly the list of attributes to add. Using my Nokia example, the vendor code is on the top line:

VENDOR Nokia 94

Thus the code is 94, and everything below that line is an attribute.

So... getting started with ACS. Firstly, if you have AAA clients which you want to use the new attributes, you are going to need to delete them, and to be safe reboot ACS. The import is done via the RDBMS Sync process: since you do not have OS-level access to ACS, you upload a file called "accountActions.csv" (case sensitive). Uploading this file tells the internal database to perform some commands or actions; examples would be bulk importing users or bulk group changes. In our case we're going to insert a new "Vendor" into the RADIUS database and then insert some attributes.

I have created a file called createVendor_accountActions.csv. If you rename it to accountActions.csv and upload it to your ACS box via the RDBMS Sync tool (under System Configuration), it performs the following actions:

    • Command - 1
    • Priority - 8
    • Action - 350 (Create new Vendor)
    • Vendor Name - Nokia
    • ACS Vendor Number - Auto Assigned
    • Vendor ID - 94
    • Date of DB Transaction - 25/09/2007 13:00
    • Command - 2
    • Priority - 0
    • Action - 355 (Restart ACS Services)
    • Date of DB Transaction - 25/09/2007 13:00

The command numbers are just like primary key fields in a database or row numbers in a spreadsheet: they need to be unique and incremental within each CSV file, and the priority specifies the order in which to apply the commands. I guess you could set the priorities all to 0 and rely on the command number to process the file in order, but I set a priority just in case. After you apply the file ACS will be temporarily unavailable while the services restart.

Now we look at importAttributes_accountActions.csv, which again would need to be renamed to accountActions.csv before uploading. Let's take a look at one line:

    • Command - 1
    • Priority - 7
    • Action - 352 (Add VSA)
    • Attribute Name - Nokia-IMSI
    • The vendor to assign the attribute to - 94 (Nokia)
    • Attribute ID - 224
    • Attribute type - integer (can only be integer, string or ipaddr)
    • Date of DB Transaction - 25/09/2007 13:00

Hopefully this all starts to make sense when you look at your dictionary file; again, the final line of the file restarts the services. An important thing to note here is that if you create a new vendor you need to restart the services before you can apply an attribute to it, and you need to restart the services again to use the attributes... At this point it's probably worth mentioning that the version of ACS SE I'm using now (4.1) is a Windows appliance, so if at any point your box hasn't done what you think it should, a reboot won't hurt ;)
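As an added example (not part of the original post and not Cisco's own tooling), here is a small Python script that reads a dictionary in the VENDOR/ATTRIBUTE layout described above and generates the rows for the two accountActions.csv uploads: the create-vendor file with its restart, and the add-VSA file with its restart. The dictionary excerpt is constructed, and the column order is assumed to follow the field order listed above; check it against the RDBMS Sync import definitions before uploading.

```python
import csv
import io
# Constructed dictionary excerpt in the VENDOR/ATTRIBUTE layout the post describes,
# not a copy of /etc/nokia.dictionary: vendor code 94 and Nokia-IMSI/224 are the
# values quoted in the post; the second attribute is invented to show a string type.
DICTIONARY = """\
VENDOR Nokia 94
ATTRIBUTE Nokia-IMSI 224 integer Nokia
ATTRIBUTE Nokia-Example-Name 225 string Nokia
"""
CREATE_VENDOR, ADD_VSA, RESTART = 350, 352, 355  # action codes from the post
ALLOWED_TYPES = {"integer", "string", "ipaddr"}  # the only types ACS accepts
STAMP = "25/09/2007 13:00"                       # DB transaction time, as in the post
def parse_dictionary(text):
    """Return (vendor_name, vendor_code, [(attr_name, attr_id, attr_type), ...])."""
    vendor, attrs = None, []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if f[0].upper() == "VENDOR":
            vendor = (f[1], int(f[2]))
        elif f[0].upper() == "ATTRIBUTE":
            if f[3].lower() not in ALLOWED_TYPES:  # reject types ACS cannot import
                raise ValueError(f"{f[1]}: type {f[3]} is not integer/string/ipaddr")
            attrs.append((f[1], int(f[2]), f[3].lower()))
    if vendor is None:
        raise ValueError("dictionary has no VENDOR line")
    return vendor[0], vendor[1], attrs

def vendor_rows(name, code):
    # First file: create the vendor (ACS vendor number blank = auto assigned), then
    # restart services at priority 0 so the new vendor exists before any VSA is added.
    # Column order follows the field order in the post (assumed; check the import defs).
    return [[1, 8, CREATE_VENDOR, name, "", code, STAMP],
            [2, 0, RESTART, "", "", "", STAMP]]

def attribute_rows(code, attrs):
    # Second file: one Add-VSA row per attribute with unique, incrementing command
    # numbers, followed by a final restart row so the attributes become usable.
    rows = [[i, 7, ADD_VSA, n, code, a, t, STAMP]
            for i, (n, a, t) in enumerate(attrs, start=1)]
    rows.append([len(rows) + 1, 0, RESTART, "", "", "", "", STAMP])
    return rows

def to_csv(rows):
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()
```

Write `to_csv(vendor_rows(...))` and `to_csv(attribute_rows(...))` to two files, rename each to accountActions.csv in turn, and upload the vendor file first, since the vendor must exist (after a restart) before its attributes can be added.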

Now you can add your AAA client, and in my example you would set the vendor to RADIUS (Nokia). If you then go into Interface Configuration, RADIUS (Nokia) will appear; go in there and tick all the boxes for "group". Finally, if you go into your Group Setup, at the very bottom will be a list of the attributes you've imported and can use! :cool:

Just in case you need them, here are my references:

RDBMS Sync Import Definitions

Importing an accountActions.csv file into ACS SE

Universe CD version of RDBMS Sync Import Definitions

rgds,

Nick

Nick Bettison ©