Radius User Defined Vendor (VSA) issue

heckenl
Level 1

Hi,

Software Version:

CiscoSecure ACS for Windows 2000/NT

Release 3.0(3) Build 6

I've created the ini file below and added it using csutil -addUDV 8 laurel-vsa.ini (tried other slots too).

[User Defined Vendor]
Name=Laurel
IETF Code=5395
VSA 1=Laurel-Login-Local-User-Name
VSA 2=Laurel-Login-Allowed-Commands
VSA 3=Laurel-Login-Denied-Commands
VSA 4=Laurel-Login-Allow-Config
VSA 5=Laurel-Login-Deny-Config

[Laurel-Login-Local-User-Name]
Type=STRING
Profile=OUT

[Laurel-Login-Allowed-Commands]
Type=STRING
Profile=OUT

[Laurel-Login-Denied-Commands]
Type=STRING
Profile=OUT

[Laurel-Login-Allow-Config]
Type=STRING
Profile=OUT

[Laurel-Login-Deny-Config]
Type=STRING
Profile=OUT

C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addUDV 8 laurel-vsa.ini
CSUtil v3.0(3.6), Copyright 1997-2002, Cisco Systems Inc
Adding or removing vendors requires ACS services to be re-started.
Please make sure regedit is not running as it can prevent registry
backup/restore operations
Are you sure you want to proceed? (y/n)y
Parsing [.\laurel-vsa.ini] for addition at UDV slot [8]
Stopping any running services
Creating backup of current config
Adding Vendor [Laurel] added as [RADIUS (Laurel)]
Adding VSA [Laurel-Login-Local-User-Name]
Adding VSA [Laurel-Login-Allowed-Commands]
Adding VSA [Laurel-Login-Denied-Commands]
Adding VSA [Laurel-Login-Allow-Config]
Adding VSA [Laurel-Login-Deny-Config]
Done
Checking new configuration...
New configuration OK
Re-starting stopped services

C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listUDV
CSUtil v3.0(3.6), Copyright 1997-2002, Cisco Systems Inc
UDV 0 - Unassigned
UDV 1 - Unassigned
UDV 2 - Unassigned
UDV 3 - Unassigned
UDV 4 - Unassigned
UDV 5 - Unassigned
UDV 6 - Unassigned
UDV 7 - Unassigned
UDV 8 - RADIUS (Laurel)
UDV 9 - Unassigned

All this shows that it has worked ok. However, when I look in the Interface Configuration section on the GUI, it's not there, so I can't use it. Is there something I'm missing, or is it a bug with this version of ACS?

I can't upgrade at this time as we're planning to migrate to the Cisco Secure Access Control Server Solution Engine 4.0.

Thanks in advance for your help,

Lee Hecken
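
An added example, not part of the original post and not Cisco code: a pre-flight check for a UDV file like the one above, plus the bytes a STRING VSA from it would occupy in a RADIUS packet (Vendor-Specific attribute, type 26, per RFC 2865). It assumes, from the file in the post, that every "VSA n=" entry needs a same-named section with Type and Profile keys; load_udv and encode_string_vsa are hypothetical helper names.

```python
import configparser
import re
import struct

# Constructed sample: a shortened copy of the UDV file from the post, with the
# section for VSA 3 left out and Profile dropped from VSA 2 on purpose.
SAMPLE_INI = """\
[User Defined Vendor]
Name=Laurel
IETF Code=5395
VSA 1=Laurel-Login-Local-User-Name
VSA 2=Laurel-Login-Allowed-Commands
VSA 3=Laurel-Login-Denied-Commands

[Laurel-Login-Local-User-Name]
Type=STRING
Profile=OUT

[Laurel-Login-Allowed-Commands]
Type=STRING
"""

def load_udv(text):
    """Return (vendor_id, {vsa_number: name}, problems) for a UDV ini file."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case ("IETF Code", "VSA 1")
    cp.read_string(text)
    vendor = cp["User Defined Vendor"]
    vsas, problems = {}, []
    for key, name in vendor.items():
        m = re.fullmatch(r"VSA (\d+)", key)
        if not m:
            continue  # Name, IETF Code
        vsas[int(m.group(1))] = name
        if not cp.has_section(name):
            problems.append(f"VSA {m.group(1)}: no [{name}] section")
            continue
        for required in ("Type", "Profile"):  # assumed mandatory, as in the post
            if required not in cp[name]:
                problems.append(f"[{name}]: missing {required}")
    return int(vendor["IETF Code"]), vsas, problems

def encode_string_vsa(vendor_id, vsa_number, value):
    """RFC 2865 Vendor-Specific (type 26) attribute with one STRING sub-attribute."""
    data = value.encode()
    if len(data) > 247:  # 255 minus 6-byte outer header minus 2-byte sub-header
        raise ValueError("value too long for a single VSA")
    sub = struct.pack("!BB", vsa_number, 2 + len(data)) + data
    return struct.pack("!BBI", 26, 6 + len(sub), vendor_id) + sub
```

Running load_udv on the file before csutil -addUDV catches a VSA entry whose section is missing or incomplete; encode_string_vsa shows what to look for in a packet capture when checking that the AAA client actually receives the attribute.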

4 Replies 4

darpotter
Level 5

Hi

All you need do is physically re-start the CSAdmin service:

net stop csadmin

net start csadmin

You'll see the new VSAs. ACS isn't very good at reflecting changes to its "meta config" without csadmin re-starts. This might be documented somewhere in the depths of the user guide :(

Darran

Thanks for your reply Darran,

The ACS server has been reloaded since adding the VSAs; however, I tried the above just to make sure. Same issue, still not showing under Interface Configuration, just the standard entries.

Any further suggestions? Do you have an ini file I can try that you've used that does show up?

Thanks,

Lee

Fixed it.

The new VSA doesn't show up in the Interface Configuration section until after you've set it as the 'authenticate using' method for a AAA client! Then you can select which properties you want to use in the user or group sections.

Rgds,

Lee

Hi All,

Ok, I can add UDVs with new vendors. But how can I add new Cisco VSAs? I tried the csutil.exe -addUDV, but I receive a message that "Vendor with IETF code 9 already defined".

I'd like to have the ACS recognize and report the accounting info sent by a voice gw.

Any idea?

Thanks,

Attila
