Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3092
Views
19
Helpful
4
Replies

Cisco ASC 4.2 + radius + HP procurve switches

Go to solution
azore2007
Level 1
Level 1

‎07-16-2008 06:16 AM - edited ‎03-10-2019 03:58 PM

Hello!

We have mixed network enviroment with cisco / HP equipment.

We are currently evaluating the Cisco ACS 4.2 to manage network access to the network equipment.

The cisco equipment works great but we are having problems the the procurve switches and radius (tacacs works great)

I've googled around and it seems that you need to create a new "vendor-specific attributes (VSAs)" for the procurve switches and edit the radius IETF settings to suit the right variables that needs to match the HP equipment.

Problem is that I cannot find this information anywhere online.

Has anyone else managed to solve this problem?

Would really appreciate the help!

Thanks

BR

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎07-16-2008 08:40 AM

Generally we need to upload VSA to acs. You need to get ini file from HP. Once you have you need to create vsa and upload it to acs.

As we require to add vendor specific attribute into ACS , then we first need to

create a file "accountActions.csv" using the format specified in "RDBMS Synchronization

Import Definition", once we are ready with the file, then we need to do a RDBMS

Synchorization of the file of ACS SE, and then go to :

Reports and Activity > RDBMS Synchronization, and make sure that synchronization was

successful without any error. Once this is done, we need to re-boot the ACS SE, and then

we can create a new AAA client and use then new RADIUS(xxxx) and the attributes that we

have added can be made visible from :

Interface Configuration > and selecting the newly added VSA Radius attribute.

::RDBMS Synchronization::

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csa

pp40/ugse40/sad.htm#wp756877

::RDBMS Synchronization Import Definition::

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csa

pp40/ugse40/ag.htm

Regards,

~JG

View solution in original post

4 Replies 4

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎07-16-2008 08:40 AM

Generally we need to upload VSA to acs. You need to get ini file from HP. Once you have you need to create vsa and upload it to acs.

As we require to add vendor specific attribute into ACS , then we first need to

create a file "accountActions.csv" using the format specified in "RDBMS Synchronization

Import Definition", once we are ready with the file, then we need to do a RDBMS

Synchorization of the file of ACS SE, and then go to :

Reports and Activity > RDBMS Synchronization, and make sure that synchronization was

successful without any error. Once this is done, we need to re-boot the ACS SE, and then

we can create a new AAA client and use then new RADIUS(xxxx) and the attributes that we

have added can be made visible from :

Interface Configuration > and selecting the newly added VSA Radius attribute.

::RDBMS Synchronization::

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csa

pp40/ugse40/sad.htm#wp756877

::RDBMS Synchronization Import Definition::

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csa

pp40/ugse40/ag.htm

Regards,

~JG

Go to solution
azore2007
Level 1
Level 1
In response to Jagdeep Gambhir

‎07-16-2008 09:20 AM

Thanks for the answer JG

I'll email HP's support and hopefully they can assist with this ini file

Thanks

0 Helpful

Go to solution
alfadi.albaridi
Level 1
Level 1
In response to azore2007

‎07-26-2008 12:55 AM

1. Create an ASCII file on the Cisco ACS

with a name e.g. “HP_VSA.txt“

with the following entries:

[User Defined Vendor]

Name=Hewlett-Packard

IETF Code=11

VSA 2=HP-Command-String

VSA 3=HP-Command-Exception

[HP-Command-String]

Type=STRING

Profile=IN OUT

[HP-Command-Exception]

Type=INTEGER

Profile=IN OUT

Enums=Permit-Deny

[Permit-Deny]

0=permit

1=deny

2. 2. Add the VSA to the Cisco ACS

by executing the following:

c:\....\CSUtil.exe -addUDV slot-number HP_VSA.txt

slot-number: try to put "5"

3. Go to IETF Radius Attributes:

Service-Type “Administrative“ => privilege (manager) mode

Service-Type “NAS prompt“ => login (operator) mode

Best of luck.

Alfadi Albaridi

Go to solution
pkaretnikov
Level 1
Level 1
In response to alfadi.albaridi

‎01-11-2011 03:01 AM

I know this post is old, but it was very useful in getting me pointed in the right direction. I wanted to give a cleaner example of step 2

C:\Program Files (x86)\CiscoSecure ACS v4.2\bin>CSUtil.exe -addUDV 5 HP_VSA.txt

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents