
Troubleshooting Cisco Secure ACS on Windows

Chapter Description

Cisco Secure Access Control Server, which is known as CS ACS, fills the server-side requirement of the Authentication, Authorization, and Accounting (AAA) client server equation. For many security administrators, the robust and powerful AAA engine, along with CS ACS's ability to flexibly integrate with a number of external user databases, makes the CS ACS software the first and sometimes only choice for an AAA server-side solution. This chapter explores CS ACS in detail and walks you through troubleshooting steps. The chapter focuses on the approach required to troubleshoot any issue efficiently, either with the CS ACS software itself or with the whole AAA process.

User/NAS Import Options

This feature lets you update the CS ACS database from a colon-delimited text file, either online or offline. The following actions are available for users and NAS entries:

  • Users: add, change, and delete
  • NAS: add and delete

You must restart CSRadius and CSTacacs for changes to take effect.

The following are some of the important points about importing:

  • The first line must contain ONLINE or OFFLINE.

    This determines whether the CSAuth service must be stopped while the file is processed.

  • CSUtil cannot distinguish between multiple instances of an external database.

    CSUtil uses the first instance of an external database it finds.

Import User Information

You can add users to the existing database with the entry shown in Example 13-17. This entry adds the user Joe to group 2 in the CS ACS database. It also points authentication for this user to the internal CS ACS database with a password of my1Password.

Example 13-17 Adding a User to CS ACS

ADD:Joe:PROFILE:2:CSDB:my1Password

To change the CS ACS profile for Joe, use the command shown in Example 13-18. This entry updates Joe to group 3 and points the password to the NT domain database.

Example 13-18 Updating a User to CS ACS

UPDATE:Joe:PROFILE:3:EXT_NT

The DELETE entry can be used to delete users as shown in Example 13-19.

Example 13-19 Deleting a User from CS ACS

DELETE:Joe

Import NAS Information

Use the entry shown in Example 13-20 to add a NAS to the CS ACS database. This entry adds the router named router1 with the shared secret my1NAS. This NAS will use RADIUS.

Example 13-20 Adding NAS

ADD_NAS:router1:IP:10.10.10.10:KEY:my1NAS:VENDOR:"RADIUS (Cisco IOS/PIX)"

If you need to delete a specific NAS, use the command shown in Example 13-21, which deletes NAS router1.

Example 13-21 How to Delete a Specific NAS

DEL_NAS:router1

You can also run all the previously shown procedures from a single text file. Example 13-22 shows a sample text file that contains multiple actions for different users and NAS entries.

Example 13-22 import.txt File Whose Content Can Be Imported at Once

OFFLINE
ADD:user01:CSDB:userpassword:PROFILE:1
ADD:user02:EXT_NT:PROFILE:2
ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3
ADD:mary:EXT_NT:CHAP:achappassword
ADD:joe:EXT_SDI
ADD:user4:CSDB:user4password
ADD:user5:CSDB_UNIX:unixpassword
UPDATE:user9:PROFILE:10
DELETE:user10
ADD_NAS:router1:IP:10.10.10.10:KEY:my1NAS:VENDOR:"TACACS+ (Cisco IOS)":NDG:"California"
DEL_NAS:router2
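The import syntax in Examples 13-17 through 13-22 is applied by CSUtil directly to the AAA database, so a malformed line (a misspelled keyword, a missing ONLINE/OFFLINE header, an out-of-range NAS address) is worth catching before CSAuth is stopped and the file is loaded. The following Python script is an added example, not code from the chapter or from CSUtil: it parses an import file into records and reports such problems. Its keyword set is taken from the examples above; treating unrecognized keywords as errors, requiring a password source on every ADD, and assuming that double quotes protect spaces and colons inside a value are choices of this example, not documented CSUtil behavior. The BAD_IMPORT file is constructed for illustration.

```python
"""Validate a CSUtil colon-delimited user/NAS import file before it is applied.
Added example, not chapter or CSUtil code. Keywords are those in Examples 13-17 to 13-22;
rejecting anything else is this validator's own conservative rule, not documented behaviour."""
import csv
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACTIONS = {"ADD", "UPDATE", "DELETE", "ADD_NAS", "DEL_NAS"}
LOCAL_SOURCES = {"CSDB", "CSDB_UNIX"}       # followed by a password value
EXTERNAL_SOURCES = {"EXT_NT", "EXT_SDI"}    # stand alone, e.g. ADD:joe:EXT_SDI
USER_KEYS = {"PROFILE", "CHAP"} | LOCAL_SOURCES | EXTERNAL_SOURCES
NAS_KEYS, NAS_REQUIRED = {"IP", "KEY", "VENDOR", "NDG"}, ("IP", "KEY", "VENDOR")


@dataclass
class Record:
    action: str
    name: str
    attrs: Dict[str, str] = field(default_factory=dict)


def tokenize(line: str) -> List[str]:
    # Split on ':'; assumption: double quotes protect spaces and colons, as in CSV quoting.
    return next(csv.reader([line], delimiter=":", quotechar='"'))


def parse_record(tokens: List[str], lineno: int, errors: List[str]) -> Optional[Record]:
    action = tokens[0]
    if action not in ACTIONS or len(tokens) < 2 or not tokens[1]:
        errors.append(f"line {lineno}: bad action or missing name in {tokens[:2]}")
        return None
    rec, rest = Record(action, tokens[1]), tokens[2:]
    if action in ("DELETE", "DEL_NAS"):         # only the name follows
        return rec
    allowed, i = (NAS_KEYS if action == "ADD_NAS" else USER_KEYS), 0
    while i < len(rest):
        key = rest[i]
        if key not in allowed:                  # catches misspellings such as VENDER
            errors.append(f"line {lineno}: unknown keyword {key!r} for {action}")
            return None
        if key in EXTERNAL_SOURCES:             # flag keyword, no value follows
            rec.attrs["AUTH"] = key
            i += 1
            continue
        if i + 1 >= len(rest):
            errors.append(f"line {lineno}: keyword {key!r} has no value")
            return None
        if key in LOCAL_SOURCES:
            rec.attrs["AUTH"], rec.attrs["PASSWORD"] = key, rest[i + 1]
        else:
            rec.attrs[key] = rest[i + 1]
        i += 2
    if action == "ADD_NAS":
        errors.extend(f"line {lineno}: ADD_NAS missing {k}" for k in NAS_REQUIRED if k not in rec.attrs)
        try:
            ipaddress.IPv4Address(rec.attrs.get("IP", "0.0.0.0"))
        except ValueError:
            errors.append(f"line {lineno}: bad NAS IP {rec.attrs['IP']!r}")
    elif action == "ADD" and "AUTH" not in rec.attrs:   # every ADD in the chapter names one
        errors.append(f"line {lineno}: ADD without a password source")
    return rec


def parse_import(text: str) -> Tuple[str, List[Record], List[str]]:
    # Returns (mode, records, errors); mode is INVALID when the ONLINE/OFFLINE header is missing.
    errors: List[str] = []
    lines = [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1) if l.strip()]
    if lines and lines[0][1] in ("ONLINE", "OFFLINE"):
        mode, body = lines[0][1], lines[1:]
    else:
        errors.append("line 1: first line must be ONLINE or OFFLINE")
        mode, body = "INVALID", lines
    records = []
    for lineno, line in body:
        rec = parse_record(tokenize(line), lineno, errors)
        if rec is not None:
            records.append(rec)
    return mode, records, errors


# Example 13-22 from the chapter, verbatim.
SAMPLE_IMPORT = """OFFLINE
ADD:user01:CSDB:userpassword:PROFILE:1
ADD:user02:EXT_NT:PROFILE:2
ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3
ADD:mary:EXT_NT:CHAP:achappassword
ADD:joe:EXT_SDI
ADD:user4:CSDB:user4password
ADD:user5:CSDB_UNIX:unixpassword
UPDATE:user9:PROFILE:10
DELETE:user10
ADD_NAS:router1:IP:10.10.10.10:KEY:my1NAS:VENDOR:"TACACS+ (Cisco IOS)":NDG:"California"
DEL_NAS:router2
"""

# Constructed malformed file: header missing, VENDOR misspelled, IP out of range, ADD with no source.
BAD_IMPORT = """ADD_NAS:router3:IP:10.10.10.20:KEY:my1NAS:VENDER:"RADIUS (Cisco IOS/PIX)"
ADD_NAS:router4:IP:10.10.10.300:KEY:my1NAS:VENDOR:"RADIUS (Cisco IOS/PIX)"
ADD:user11:PROFILE:4
"""
```

Call parse_import() on the file contents before running CSUtil. For Example 13-22 it returns mode OFFLINE, eleven records and an empty error list; for the constructed BAD_IMPORT it reports four errors (the missing header, the VENDER misspelling, the out-of-range address, and the ADD line with no password source) and only parses the two lines whose keywords it recognizes.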

Compact User Database

When you delete a user from the CS ACS database, the record is only marked as deleted. To actually remove the marked records, you must compact the database. Compacting first dumps the data, then creates a new database, and finally imports the data that was dumped. The following is the syntax for compacting a database:

csutil.exe -q -d -n -l

Example 13-23 shows a sample database compaction run.

Example 13-23 Sample Database Compact Command

C:\Program Files\CiscoSecure ACS v3.3\Utils>net stop CSAuth
The CSAuth service is stopping.
The CSAuth service was stopped successfully.


C:\Program Files\CiscoSecure ACS v3.3\Utils>csutil -q -d -n -l
CSUtil v3.3(2.2), Copyright 1997-2004, Cisco Systems Inc
Done

Initializing database....
Done

Initializing database...
Loading database from dump.txt...
Done

C:\Program Files\CiscoSecure ACS v3.3\Utils> 

Export User and Group Information

Exporting user and group information can help Cisco support troubleshoot a configuration issue. You must stop CSAuth before exporting this information.

To export user information to users.txt, enter the following command:

csutil.exe -u

To export group information to groups.txt, enter the following command:

csutil.exe -g

Other features of CSUtil.exe include the following:

  • Export Registry information to setup.txt.
  • Decode CS ACS internal error codes.
  • Recalculate Cyclic Redundancy Check (CRC) values for manually copied files.
  • Import user-defined RADIUS vendors and VSA sets.