Radius User Defined Vendor (VSA) issue

Unanswered Question
Aug 1st, 2006
User Badges:


Software Version:

CiscoSecure ACS for Windows 2000/NT

Release 3.0(3) Build 6

I've created the ini file below and added it using csutil -addUDV 8 laurel-vsa.ini (tried other slots too).

[User Defined Vendor]


IETF Code=5395

VSA 1=Laurel-Login-Local-User-Name

VSA 2=Laurel-Login-Allowed-Commands

VSA 3=Laurel-Login-Denied-Commands

VSA 4=Laurel-Login-Allow-Config

VSA 5=Laurel-Login-Deny-Config
















C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addUDV 8 laurel-vsa.ini

CSUtil v3.0(3.6), Copyright 1997-2002, Cisco Systems Inc

Adding or removing vendors requires ACS services to be re-started.

Please make sure regedit is not running as it can prevent registry

backup/restore operations

Are you sure you want to proceed? (y/n)y

Parsing [.\laurel-vsa.ini] for addition at UDV slot [8]

Stopping any running services

Creating backup of current config

Adding Vendor [Laurel] added as [RADIUS (Laurel)]

Adding VSA [Laurel-Login-Local-User-Name]

Adding VSA [Laurel-Login-Allowed-Commands]

Adding VSA [Laurel-Login-Denied-Commands]

Adding VSA [Laurel-Login-Allow-Config]

Adding VSA [Laurel-Login-Deny-Config]


Checking new configuration...

New configuration OK

Re-starting stopped services

C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listUDV

CSUtil v3.0(3.6), Copyright 1997-2002, Cisco Systems Inc

UDV 0 - Unassigned

UDV 1 - Unassigned

UDV 2 - Unassigned

UDV 3 - Unassigned

UDV 4 - Unassigned

UDV 5 - Unassigned

UDV 6 - Unassigned

UDV 7 - Unassigned

UDV 8 - RADIUS (Laurel)

UDV 9 - Unassigned

All this shows that it has worked ok. However, when I look in the Interface Confirguration section on the GUI, its not there, so I can't use it. Is there something I'm missing, is it a bug with this version of ACS?

I cant upgrade at this time as we're planning to migrate to the Cisco Secure Access Control Server Solution Engine 4.0.

Thanks in advance for your help,

Lee Hecken

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
darpotter Wed, 08/02/2006 - 06:25
User Badges:
  • Silver, 250 points or more


All you need do is physically re-start the CSAdmin service:

net stop csadmin

net start csadmin

You'll see the new VSAs. ACS isnt very good at reflecting changes to its "meta config" without csadmin re-starts. This might be documented somewhere in the depths of the user guide :(


heckenl Wed, 08/02/2006 - 06:56
User Badges:

Thanks for your reply Darran,

The ACS server has beed reload since adding the VSAs, however I tried the above just to make sure. Same issue, still not showing under Interface Configuration, just the standard enteries.

Any further suggestions? Do you have an ini file I can try that you've used that does show up?



heckenl Wed, 08/02/2006 - 07:12
User Badges:

Fixed it.

The new VSA doesnt show up in the Interface Configuration section until after you've set it as the 'authenticate using' method for a AAA client! Then you can select which properties you want to use in the user or group sections.



gaattila Wed, 07/23/2008 - 01:39
User Badges:

Hi All,

Ok, I can add UDVs with new vendors. But how can I add new Cisco VSAs? I tried the csutil.exe -addUDV, but I receive a message that "Vendor with IETF code 9 already defined".

I'd like to have the ACS to recognize and report the accountig info sent by a vocie gw.

Any idea?




This Discussion