Radius User Defined Vendor (VSA) issue

Unanswered Question
Aug 1st, 2006

Hi,


Software Version:

CiscoSecure ACS for Windows 2000/NT

Release 3.0(3) Build 6


I've created the ini file below and added it using csutil -addUDV 8 laurel-vsa.ini (tried other slots too).


[User Defined Vendor]
Name=Laurel
IETF Code=5395
VSA 1=Laurel-Login-Local-User-Name
VSA 2=Laurel-Login-Allowed-Commands
VSA 3=Laurel-Login-Denied-Commands
VSA 4=Laurel-Login-Allow-Config
VSA 5=Laurel-Login-Deny-Config

[Laurel-Login-Local-User-Name]
Type=STRING
Profile=OUT

[Laurel-Login-Allowed-Commands]
Type=STRING
Profile=OUT

[Laurel-Login-Denied-Commands]
Type=STRING
Profile=OUT

[Laurel-Login-Allow-Config]
Type=STRING
Profile=OUT

[Laurel-Login-Deny-Config]
Type=STRING
Profile=OUT


C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addUDV 8 laurel-vsa.ini
CSUtil v3.0(3.6), Copyright 1997-2002, Cisco Systems Inc

Adding or removing vendors requires ACS services to be re-started.
Please make sure regedit is not running as it can prevent registry
backup/restore operations

Are you sure you want to proceed? (y/n)y
Parsing [.\laurel-vsa.ini] for addition at UDV slot [8]
Stopping any running services
Creating backup of current config
Adding Vendor [Laurel] added as [RADIUS (Laurel)]
Adding VSA [Laurel-Login-Local-User-Name]
Adding VSA [Laurel-Login-Allowed-Commands]
Adding VSA [Laurel-Login-Denied-Commands]
Adding VSA [Laurel-Login-Allow-Config]
Adding VSA [Laurel-Login-Deny-Config]
Done
Checking new configuration...
New configuration OK
Re-starting stopped services


C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listUDV
CSUtil v3.0(3.6), Copyright 1997-2002, Cisco Systems Inc
UDV 0 - Unassigned
UDV 1 - Unassigned
UDV 2 - Unassigned
UDV 3 - Unassigned
UDV 4 - Unassigned
UDV 5 - Unassigned
UDV 6 - Unassigned
UDV 7 - Unassigned
UDV 8 - RADIUS (Laurel)
UDV 9 - Unassigned


All this shows that it has worked OK. However, when I look in the Interface Configuration section on the GUI, it's not there, so I can't use it. Is there something I'm missing, or is it a bug with this version of ACS?


I can't upgrade at this time as we're planning to migrate to the Cisco Secure Access Control Server Solution Engine 4.0.


Thanks in advance for your help,


Lee Hecken

darpotter Wed, 08/02/2006 - 06:25

Hi


All you need do is physically re-start the CSAdmin service:


net stop csadmin

net start csadmin


You'll see the new VSAs. ACS isn't very good at reflecting changes to its "meta config" without csadmin re-starts. This might be documented somewhere in the depths of the user guide :(


Darran

heckenl Wed, 08/02/2006 - 06:56

Thanks for your reply Darran,


The ACS server has been reloaded since adding the VSAs, however I tried the above just to make sure. Same issue, still not showing under Interface Configuration, just the standard entries.


Any further suggestions? Do you have an ini file I can try that you've used that does show up?


Thanks,

Lee

heckenl Wed, 08/02/2006 - 07:12

Fixed it.


The new VSA doesn't show up in the Interface Configuration section until after you've set it as the 'authenticate using' method for a AAA client! Then you can select which properties you want to use in the user or group sections.


Rgds,

Lee


gaattila Wed, 07/23/2008 - 01:39

Hi All,


Ok, I can add UDVs with new vendors. But how can I add new Cisco VSAs? I tried the csutil.exe -addUDV, but I receive a message that "Vendor with IETF code 9 already defined".


I'd like to have the ACS recognize and report the accounting info sent by a voice gw.


Any idea?


Thanks,

Attila
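
A pre-flight check for a UDV definition file like the one posted at the top of this thread, written as an added example (it is not from any poster and not part of ACS or csutil). The function name `check_udv` and its rules are assumptions limited to what the thread shows: slots 0 to 9, one section with Type and Profile per `VSA n` line, and vendor code 9 being rejected as already defined.

```python
import configparser
import re

# Constructed sample: the thread's vendor section cut down to two attributes.
SAMPLE_INI = """\
[User Defined Vendor]
Name=Laurel
IETF Code=5395
VSA 1=Laurel-Login-Local-User-Name
VSA 2=Laurel-Login-Allowed-Commands
[Laurel-Login-Local-User-Name]
Type=STRING
Profile=OUT
[Laurel-Login-Allowed-Commands]
Type=STRING
Profile=OUT
"""
VENDOR = "User Defined Vendor"
TAKEN_VENDOR_CODES = {9}  # assumption: only the code the thread saw rejected
UDV_SLOTS = range(10)     # -listUDV in the thread lists slots 0 through 9


def check_udv(ini_text, slot):
    """Return the problems found in a UDV definition; an empty list means none."""
    problems = []
    if slot not in UDV_SLOTS:
        problems.append(f"slot {slot} is outside 0-9")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section(VENDOR):
        return problems + [f"missing [{VENDOR}] section"]
    vendor = cp[VENDOR]
    code = vendor.get("ietf code", "")
    if not code.isdecimal():
        problems.append(f"IETF Code {code!r} is not a number")
    elif int(code) in TAKEN_VENDOR_CODES:
        problems.append(f"IETF code {code} is already defined in ACS")
    # configparser lower-cases keys, so "VSA 1" arrives as "vsa 1"
    declared = [v for k, v in vendor.items() if re.fullmatch(r"vsa \d+", k)]
    for attr in declared:
        if not cp.has_section(attr):
            problems.append(f"{attr} has no [{attr}] section")
            continue
        for field in ("Type", "Profile"):
            if not cp[attr].get(field):
                problems.append(f"[{attr}] is missing {field}")
    orphans = set(cp.sections()) - {VENDOR} - set(declared)
    problems += [f"[{s}] is not referenced by any VSA line" for s in sorted(orphans)]
    return problems
```

A clean result only means the file is internally consistent; as the thread found, the vendor still stays hidden in Interface Configuration until a AAA client is set to authenticate using it.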
