CiscoSecure ACS 2.1 for Windows NT User Guide
Database Import Utility

Table of Contents

CiscoSecure ACS Database Utilities
Database Import Utility
Database Backup and Restore Utility
Database Maintenance

CiscoSecure ACS Database Utilities


The CiscoSecure ACS provides a utility, CSUtil, that simplifies database management. You can use this utility to import username, password, and group information all at once from a standard text file, to back up your database, and to maintain your database. This appendix contains details on this utility.

Database Import Utility

This section describes how to import a text file into the CiscoSecure User Database. This allows you to add new users to the database and modify users' authentication information. CSUtil.exe lets you add or modify information for many users at once. When the default location is used during installation, the import utility, CSUtil, is located in the following directory:

C:\Program Files\CiscoSecure ACS v2.0\Utils

Note      You can also use the database replication feature to replicate user information from one CiscoSecure ACS to another CiscoSecure ACS. See the section "Database Replication" later in this appendix for more information.


Creating the Text File

You have two options for running the CSUtil program:

  • ONLINE—Database updates are performed while the CiscoSecure ACS continues to run. This slows down the performance of CSUtil.
  • OFFLINE—Database updates are written directly to the CiscoSecure User Database. CSAuth must be stopped to run in this mode. The import is much faster but services are down as long as CSAuth is stopped.

Each entry must have the following information on a single line using colons to delimit the fields:

  • Username
    • ADD—Keyword to add user information to the CiscoSecure User Database. If the username already exists, no information is changed.
    • UPDATE—Keyword to update the information associated with the existing username in the CiscoSecure User Database.

Note If the username does not exist, an error message is returned. Use the ADD keyword in this case.


    • DELETE—Keyword to remove the user information from the CiscoSecure User Database.
  • Authentication type
    • CSDB—Indicates that the name should be authenticated against the CiscoSecure User Database.
    • EXT_NT—Indicates that the name should be authenticated against the Windows NT user database.
    • EXT_NDS—Indicates that the name should be authenticated against the Novell NDS user database.
    • EXT_SDI—Indicates that the name should be authenticated against the SDI user database.
    • EXT_ANPI—Indicates that the name should be authenticated against the AXENT user database.
    • EXT_Enigma—Indicates that the name should be authenticated against the Safe Word user database.
    • CHAP—Indicates that a CHAP password is required for authentication.
  • User Group
    • PROFILE—Indicates the group number to which the user is assigned. This must be a group number from 0 to 99, not a name.

Note If you do not provide a profile number, the user is added to the default group 0.


Here are examples of the syntax for the import text file:

  • CiscoSecure authentication
ADD:user01:CSDB:userpassword:PROFILE:1
  • Windows NT Database authentication
ADD:user02:NT::PROFILE:2
  • CHAP and CiscoSecure authentication
ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3

Note      These entries are case-sensitive. The colons are mandatory delimiters.


Example import text file:

OFFLINE
ADD:user01:CSDB:userpassword:PROFILE:1
ADD:user02:NT::PROFILE:2
ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3
ADD:mary:EXT_NT:CHAP:achappassword
ADD:joe:EXT_SDI:
ADD:vanessa:CSDB:vanessaspassword
ADD:juan:CSDB_UNIX:unixpassword
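
A pre-import check for the file format described above, as an added example that is not part of the original guide. It reports entries that depart from the keywords listed on this page before CSUtil changes the database; treating the first field after the authentication type as the password is an assumption, and check_line, check_file and SAMPLE are names chosen here.

```python
ACTIONS = {"ADD", "UPDATE", "DELETE"}   # keywords and auth types as listed on this page
AUTH_TYPES = {"CSDB", "EXT_NT", "EXT_NDS", "EXT_SDI", "EXT_ANPI", "EXT_Enigma"}

def check_line(line):
    """Parse one colon-delimited entry; return (record, findings)."""
    f = line.strip().split(":")
    rec = dict(action=f[0], user=None, auth=None, password=None, chap=None, profile=None)
    if f[0] not in ACTIONS:                       # entries are case-sensitive
        return rec, ["unknown action keyword %r" % f[0]]
    if len(f) < 2 or not f[1]:
        return rec, ["missing username"]
    rec["user"], rest, findings = f[1], f[2:], []
    rec["auth"] = rest.pop(0) if rest else None
    if rec["auth"] is not None and rec["auth"] not in AUTH_TYPES:
        findings.append("auth type %r is not in the documented list" % rec["auth"])
    if rest and rest[0] not in ("CHAP", "PROFILE"):   # assumption: this is the password
        rec["password"] = rest.pop(0)
    has_profile = "PROFILE" in rest
    while rest:                                   # remaining KEYWORD:value pairs
        key = rest.pop(0)
        value = rest.pop(0) if rest else ""
        if key == "CHAP":
            rec["chap"] = value
        elif key == "PROFILE" and value.isascii() and value.isdigit() and int(value) <= 99:
            rec["profile"] = int(value)
        elif key == "PROFILE":
            findings.append("PROFILE must be a group number from 0 to 99")
        elif key:
            findings.append("unexpected field %r" % key)
    if rec["action"] == "ADD" and not has_profile:
        findings.append("no PROFILE given: user goes to default group 0")
    return rec, findings

def check_file(text):
    """Lint a whole import file; return (mode, [(lineno, user, finding), ...])."""
    mode, report = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if mode is None and line in ("ONLINE", "OFFLINE"):
            mode = line
        elif line:
            rec, findings = check_line(line)
            report.extend((lineno, rec["user"], msg) for msg in findings)
    return mode, report

SAMPLE = "\n".join([   # entries from the page's example; bob and carol are constructed
    "OFFLINE", "ADD:user01:CSDB:userpassword:PROFILE:1", "ADD:user02:NT::PROFILE:2",
    "ADD:mary:EXT_NT:CHAP:achappassword",
    "add:bob:CSDB:pw:PROFILE:4", "ADD:carol:CSDB:pw:PROFILE:100"])
```

Calling check_file(SAMPLE) reports the NT entry because only EXT_NT appears in the list of authentication types above, and reports mary because an entry without PROFILE is placed in default group 0.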

Importing User Information from a Text File

The following is a list of command arguments used with CSUtil:

CSUtil [-q] [-c] [-d] [-g] [-i file] [-l file] [-m error] [-n] [-x]

  • -q: Quiet mode. Does not prompt; use before other options.
  • -c: Recalculate database CRC values.
  • -d: Dump whole database to dump.txt.
  • -g: Dump group information only to group.txt.
  • -i: Import users from import.txt or named file.
  • -l: Load database from dump.txt or named file (use -n -l to initialize and load).
  • -m: Decode error number to ASCII message.
  • -n: Create new database and index.
  • -x: Help information (display this message).

CSUtil processes parameters left to right, guaranteeing the order in which they are executed.

Enter one of the following commands after you have created the import text file.

  • Merge the import text file with the current CiscoSecure User Database:

csutil -i filename.txt


Note The database is modified, not destroyed. You should see information scrolling down the screen indicating that the information is being modified or merged with the existing database.


  • Overwrite the current CiscoSecure User Database with the import text file:

csutil -n -i filename.txt


Note The existing database is reinitialized and the text file is imported.


  • Store the group configurations in the groups.txt file and remove all users, then reload the group configurations and add user information from the import.txt file:

csutil -g -n -l groups.txt -i import.txt


Caution   All user information is destroyed. Group information still exists in the groups.txt file and can be used with the import.txt file to add new users with existing group information. There is no warning when information is overwritten.

Database Backup and Restore Utility

To facilitate backup and restoration of the CiscoSecure ACS's configuration data and database, the CSUtil.exe utility is provided in the CiscoSecure ACS's Utils directory.

  • csutil -b—Creates a complete backup of all of the CiscoSecure ACS's data
  • csutil -r—Restores a CiscoSecure ACS server from the backup file

CSUtils Backup

To perform a backup of the CiscoSecure ACS user and group data, execute the following instructions from the Windows NT command prompt (DOS window):

Net stop csauth—Stop the CSAuth authentication service to allow backup to take place.

Csutil -d users_and_groups.txt—Back up the users and groups data to a text file called users_and_groups.txt. To back up only the group data, use the command with a -g instead of a -d command switch.

Net start csauth—Restart the CSAuth authentication service.

The users_and_groups.txt file can then be backed up to tape and stored somewhere safe.

To use csutil -b to create a backup file, enter:

csutil -b directoryname

This creates the following files in Utils\SysBackups\directory_name\:

  • registry.dat
  • user.dat
  • user.idx
  • varsdb.mdb
  • A compressed backup file named with the current date and time in the format yyyymmddhhmm.zip. This is written to the CiscoSecure ACS\utils\dbcheckpoint directory. Each backup creates a new file that does not overwrite existing files. The data is stored in compressed format and, therefore, takes up very little space, but the system administrator must still perform the necessary file management to maintain adequate disk capacity.

We strongly recommend that you use the CSUTIL.exe utility to construct an automated procedure to perform regular system backups as part of a comprehensive disaster recovery regime.
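
The stop, dump and restart sequence above as an automated procedure, written here as an added example and not taken from the guide. It restarts CSAuth on every path so that a failed dump does not leave authentication down; that csutil returns a non-zero exit code on failure is an assumption, and backup_users and its run parameter are names chosen here.

```python
import hashlib
import os
import subprocess

def backup_users(dump_path, run=subprocess.call):
    """Dump users and groups with CSAuth stopped; return the dump's SHA-256.

    `run` takes an argument list and returns an exit code. It is injectable so
    the sequence can be exercised on a machine without CiscoSecure ACS.
    """
    if run(["net", "stop", "csauth"]) != 0:
        raise RuntimeError("could not stop CSAuth; backup not attempted")
    try:
        # -q comes first so that csutil does not prompt in an unattended run.
        # Assumption: csutil signals failure with a non-zero exit code.
        if run(["csutil", "-q", "-d", dump_path]) != 0:
            raise RuntimeError("csutil -d failed")
        if not os.path.isfile(dump_path) or os.path.getsize(dump_path) == 0:
            raise RuntimeError("dump file is missing or empty")
    finally:
        # Authentication is unavailable while CSAuth is stopped: always restart.
        if run(["net", "start", "csauth"]) != 0:
            raise RuntimeError("CSAuth did not restart; authentication is down")
    # Record a digest so the copy sent to tape can be verified before a restore.
    with open(dump_path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()
```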

CSUtils Restore

To restore from the backup file, execute the following instructions:

Net stop csauth
CSUtil -l users_and_groups.txt
Net start csauth

We strongly recommend that the above procedure is carried out as a part of a general backup regime that includes backups of the Windows NT system Registry using the tools supplied with Windows NT for this purpose. Rapid recovery can then be achieved if a serious system failure occurs.

Database Maintenance

Unexpected database file size growth can cause problems with the database. To avoid these problems, the CiscoSecure ACS allows you to institute a database maintenance schedule that performs a database compaction on a periodic basis. To facilitate this maintenance, a Windows NT batch command file, DB_compact.cmd, is included in the Utils directory of the CiscoSecure ACS.

The VarsDB.MDB file used by the CiscoSecure ACS is based on Microsoft ODBC technology. In common with most RDBMS, ODBC uses a deletion scheme that does not actually remove records from the database when they are deleted—records are simply marked as deleted and do not show up in queries, and so forth. To actually purge the database of the deleted records, a separate process, called compaction, must be run. In small databases with low transaction rates, it is not particularly important to regularly compact the database, because the database will stay a relatively consistent size. In a large database environment with large numbers of deletions, the database file can grow significantly over time. If compaction is not carried out, this can have serious effects on the overall operation of the system.

In order to avoid unexpected and problematic database file size growth, it is prudent to institute a database maintenance regime that performs a database compaction on a periodic basis. In order to facilitate this, an NT batch command file, DB_compact.cmd, is included with the CiscoSecure ACS (in the Utils directory). This file executes the following commands:

  • net stop CSAuth—Stops the CiscoSecure ACS
  • csutil -d—Dumps the database to a temporary file (dump.txt)
  • csutil -n—Initializes the database
  • csutil -l—Reloads the database
  • net start CSAuth—Restarts the CiscoSecure ACS

Authentication service will be interrupted while these commands execute because the authentication service is stopped.


Note      Before you run DB_compact.cmd, back up the CiscoSecure ACS database.


Although DB_compact.cmd should not have any negative effect on the CiscoSecure ACS operation, there is always the possibility with compaction operations that something could go wrong. It is, therefore, always a good idea to perform a database backup prior to executing a database compaction. Then, if something does go wrong during the DB_compact.cmd run, a current backup will be available and service can be restored quickly. See the section "Database Backup and Restore Utility" earlier in this appendix for information on how to back up the CiscoSecure ACS database.