User/NAS Import Options
This feature updates the CS ACS database from a colon-delimited file, and the changes can be made either online or offline. The following actions are available for users and NAS entries:
- Users: add, change, and delete
- NAS: add and delete
You must restart CSRadius and CSTacacs for changes to take effect.
The following are some of the important points about importing:
- The first line must contain ONLINE or OFFLINE. This determines if the CSAuth service needs to be stopped during this process.
- CSUtil cannot distinguish between multiple instances of an external database. CSUtil will use the first instance of an external database.
Import User Information
You can add users to the existing database with the entry shown in Example 13-17. This entry adds the user Joe to group 2 in the CS ACS database. It also points authentication for this user to the internal CS ACS database with a password of my1Password.
Example 13-17 Adding a User to CS ACS
ADD:Joe:PROFILE:2:CSDB:my1Password
To change the CS ACS profile for Joe, use the command shown in Example 13-18. This entry updates Joe to group 3 and points the password to the NT domain database.
Example 13-18 Updating a User to CS ACS
UPDATE:Joe:PROFILE:3:EXT_NT
The DELETE entry can be used to delete users as shown in Example 13-19.
Example 13-19 Deleting a User from CS ACS
DELETE:Joe
Import NAS Information
Use the entry shown in Example 13-20 to add an NAS to the CS ACS database. This entry adds the router named router1, using the shared secret of my1NAS. This NAS will use RADIUS.
Example 13-20 Adding NAS
ADD_NAS:router1:IP:10.10.10.10:KEY:my1NAS:VENDOR:"RADIUS (Cisco IOS/PIX)"
If you need to delete a specific NAS, use the command shown in Example 13-21, which deletes NAS router1.
Example 13-21 How to Delete a Specific NAS
DEL_NAS:router1
You can also choose to run all the previously shown procedures using a single text file. Example 13-22 shows a sample text file that contains multiple actions for different users.
Example 13-22 import.txt File Whose Content Can Be Imported Once
OFFLINE
ADD:user01:CSDB:userpassword:PROFILE:1
ADD:user02:EXT_NT:PROFILE:2
ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3
ADD:mary:EXT_NT:CHAP:achappassword
ADD:joe:EXT_SDI
ADD:user4:CSDB:user4password
ADD:user5:CSDB_UNIX:unixpassword
UPDATE:user9:PROFILE:10
DELETE:user10
ADD_NAS:router1:IP:10.10.10.10:KEY:my1NAS:VENDOR:"TACACS+ (Cisco IOS)":NDG:"California"
DEL_NAS:router2
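A pre-import check for the file format described above, as an added example that is not from the original text or from Cisco: it verifies the first line and the action names, validates NAS IP addresses, and returns a copy of each action line with passwords and shared secrets masked, suitable for change records. The token lists come only from the examples on this page, and treating the field after CSDB, CSDB_UNIX, CHAP, or KEY as a secret is an assumption inferred from them.

```python
import ipaddress
import re

ACTIONS = {"ADD", "UPDATE", "DELETE", "ADD_NAS", "DEL_NAS"}
SECRET_TOKENS = {"CSDB", "CSDB_UNIX", "CHAP", "KEY"}  # assumed: next field is a secret
FIELD = re.compile(r'"[^"]*"|[^:]+')  # a quoted value, or a run without colons

# Constructed sample: two lines in the page's format plus two deliberately broken lines.
SAMPLE = """OFFLINE
ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3
ADD_NAS:router1:IP:10.10.10.10:KEY:my1NAS:VENDOR:"TACACS+ (Cisco IOS)":NDG:"California"
REMOVE:user10
ADD:user4:CSDB
"""


def lint_import(text):
    """Return (errors, redacted_action_lines) for the text of an import file."""
    lines = text.splitlines()
    errors, redacted = [], []
    if not lines or lines[0].strip() not in ("ONLINE", "OFFLINE"):
        errors.append("line 1: first line must be ONLINE or OFFLINE")
    for num, line in enumerate(lines[1:], start=2):
        fields = FIELD.findall(line.strip())
        if not fields:
            continue  # blank line
        if fields[0] not in ACTIONS:
            errors.append(f"line {num}: unknown action {fields[0]!r}")
        elif len(fields) < 2:
            errors.append(f"line {num}: {fields[0]} needs a name")
        elif fields[0] in ("DELETE", "DEL_NAS") and len(fields) != 2:
            errors.append(f"line {num}: {fields[0]} takes only a name")
        i = 2  # fields[1] is the user or NAS name, never a token
        while i < len(fields):
            token = fields[i]
            if token in SECRET_TOKENS or token == "IP":
                if i + 1 >= len(fields):
                    errors.append(f"line {num}: {token} has no value")
                elif token == "IP":
                    try:
                        ipaddress.ip_address(fields[i + 1])
                    except ValueError:
                        errors.append(f"line {num}: bad IP {fields[i + 1]!r}")
                else:
                    fields[i + 1] = "****"  # keep secrets out of logs
                i += 1  # skip the value so it is never read as a token
            i += 1
        redacted.append(":".join(fields))
    return errors, redacted
```

The import file itself still holds the passwords and shared secrets in cleartext, so only the masked lines belong in tickets or logs.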
Compact User Database
When you delete a user from the CS ACS database, the record is only marked as deleted. To actually remove these "deleted records", you might need to compact the database. The compact operation first dumps the data, then creates a new database, and finally imports all the data that was dumped earlier. The following is the syntax for compacting a database:
csutil.exe -q -d -n -l
Example 13-23 shows a sample database compact run.
Example 13-23 Sample Database Compact Command
C:\Program Files\CiscoSecure ACS v3.3\Utils>net stop CSAuth
The CSAuth service is stopping.
The CSAuth service was stopped successfully.
C:\Program Files\CiscoSecure ACS v3.3\Utils>csutil -q -d -n -l
CSUtil v3.3(2.2), Copyright 1997-2004, Cisco Systems Inc
Done
Initializing database....
Done
Initializing database...
Loading database from dump.txt...
Done
C:\Program Files\CiscoSecure ACS v3.3\Utils>
Export User and Group Information
Exported user and group information can be useful to Cisco support when troubleshooting a configuration issue. You will need to stop CSAuth before exporting this information.
To export user information to users.txt, enter the following command:
csutil.exe -u
To export group information to groups.txt, enter the following command:
csutil.exe -g
Other features of CSUtil.exe include the following:
- Export Registry information to setup.txt.
- Decode CS ACS internal error codes.
- Recalculate Cyclic Redundancy Check (CRC) values for manually copied files.
- Import user-defined RADIUS vendors and VSA sets.