User/NAS Import Options

This feature allows changes either online or offline, and allows updating of the CS ACS database with a colon-delimited file. The following are the actions available for user and NAS:

Users: add, change, and delete

NAS: add and delete

You must restart CSRadius and CSTacacs for changes to take effect.

The following are some of the important points about importing:

The first line must contain ONLINE or OFFLINE.

This determines if the CSAuth service needs to be stopped during this process.

CSUtil cannot distinguish between multiple instances of an external database.

CSUtil will use the first instance of an external database.

Import User Information
You can add users to the existing database with the entry shown in Example 13-17. This entry adds the user Joe to group 2 in the CS ACS database. It also points authentication for this user to the internal CS ACS database with a password of my1Password.

Example 13-17. Adding a User to CS ACS
ADD:Joe:PROFILE:2:CSDB:my1Password





To change the CS ACS profile for Joe, use the command shown in Example 13-18. This entry updates Joe to group 3 and points the password to the NT domain database.

Example 13-18. Updating a User to CS ACS
UPDATE:Joe:PROFILE:3:EXT_NT





The DELETE entry can be used to delete users as shown in Example 13-19.

Example 13-19. Deleting a User from CS ACS
DELETE:Joe





Import NAS Information
Use the entry shown in Example 13-20 to add an NAS to the CS ACS database. This entry adds the router named router1, using the shared secret of my1NAS. This NAS will use RADIUS.

Example 13-20. Adding NAS
ADD_NAS:router1:IP:10.10.10.10:KEY:my1NAS:VENDOR:"RADIUS (Cisco IOS/PIX)"





If you need to delete a specific NAS, use the command shown in Example 13-21, which deletes NAS router1.

Example 13-21. How to Delete a Specific NAS
DEL_NAS:router1





You can also choose to run all the previously shown procedures using a single text file. Example 13-22 shows a sample text file that contains multiple actions for different users.

Example 13-22. import.txt File Whose Content Can Be Imported Once
OFFLINE
ADD:user01:CSDB:userpassword:PROFILE:1
ADD:user02:EXT_NT:PROFILE:2
ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3
ADD:mary:EXT_NT:CHAP:achappassword
ADD:joe:EXT_SDI
ADD:user4:CSDB:user4password
ADD:user5:CSDB_UNIX:unixpassword
UPDATE:user9:PROFILE:10
DELETE:user10
ADD_NAS:router1:IP:10.10.10.10:KEY:my1NAS:VENDOR:"TACACS+ (Cisco IOS)":NDG:"California"
DEL_NAS:router2
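
The import file format above, as an added example (not from the original text or from Cisco): a Python linter that checks the ONLINE/OFFLINE header and the tokens on each entry before the file is handed to CSUtil, and masks the cleartext passwords and NAS shared secrets so the parsed result can be logged safely. The token table is an assumption built only from the examples on this page, and the router3 line is constructed to show a misspelled token being caught.

```python
import csv

# Token -> number of values that follow it. Assumption: this table is built
# only from the examples on this page, not from a full CSUtil reference.
USER = {"PROFILE": 1, "CSDB": 1, "CSDB_UNIX": 1, "CHAP": 1, "EXT_NT": 0, "EXT_SDI": 0}
NAS = {"IP": 1, "KEY": 1, "VENDOR": 1, "NDG": 1}
ACTIONS = {"ADD": USER, "UPDATE": USER, "DELETE": {}, "ADD_NAS": NAS, "DEL_NAS": {}}
SECRETS = {"CSDB", "CSDB_UNIX", "CHAP", "KEY"}  # values stored in cleartext

# First five lines are from Example 13-22; the router3 line is constructed.
SAMPLE = '''OFFLINE
ADD:user01:CSDB:userpassword:PROFILE:1
ADD:mary:EXT_NT:CHAP:achappassword
DELETE:user10
ADD_NAS:router1:IP:10.10.10.10:KEY:my1NAS:VENDOR:"TACACS+ (Cisco IOS)":NDG:"California"
ADD_NAS:router3:IP:10.10.10.11:KEY:my1NAS:VENDER:"RADIUS (Cisco IOS/PIX)"
'''


def split_fields(line):
    """Split on colons, keeping quoted values such as "TACACS+ (Cisco IOS)" whole."""
    return next(csv.reader([line], delimiter=":", quotechar='"'))


def lint_import(text):
    """Return (mode, records, errors); secret values are masked in records."""
    rows = [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1) if l.strip()]
    mode, records, errors = None, [], []
    if rows and rows[0][1] in ("ONLINE", "OFFLINE"):
        mode, rows = rows[0][1], rows[1:]
    else:
        errors.append("first line must be ONLINE or OFFLINE")
    for num, line in rows:
        action, *rest = split_fields(line)
        if action not in ACTIONS or not rest or not rest[0]:
            errors.append(f"line {num}: unknown action or missing name")
            continue
        name, rest, allowed, attrs = rest[0], rest[1:], ACTIONS[action], {}
        while rest:
            token = rest.pop(0)
            if token not in allowed or len(rest) < allowed[token]:
                errors.append(f"line {num}: bad or incomplete token {token!r}")
                break
            value = rest.pop(0) if allowed[token] else True
            attrs[token] = "********" if token in SECRETS else value
        else:  # no break: every token on the line was recognised
            records.append((action, name, attrs))
    return mode, records, errors
```

Calling lint_import(SAMPLE) returns the mode, the accepted entries with secrets masked, and one error for the misspelled token on line 6.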





Compact User Database
When you delete a user from the CS ACS database, the record is only marked as deleted. You might need to compact the database to actually remove these deleted records. When you compact a database, CSUtil first dumps the data, then creates a new database, and finally imports all the data that was dumped earlier. The following is the syntax for compacting a database:

csutil.exe -q -d -n -l



Example 13-23 shows a sample database compact run.

Example 13-23. Sample Database Compact Command
C:\Program Files\CiscoSecure ACS v3.3\Utils>net stop CSAuth
The CSAuth service is stopping.
The CSAuth service was stopped successfully.


C:\Program Files\CiscoSecure ACS v3.3\Utils>csutil -q -d -n -l
CSUtil v3.3(2.2), Copyright 1997-2004, Cisco Systems Inc
Done

Initializing database....
Done

Initializing database...
Loading database from dump.txt...
Done

C:\Program Files\CiscoSecure ACS v3.3\Utils>





Export User and Group Information
Exported user and group information may be useful to Cisco support when troubleshooting a configuration issue. You will need to stop CSAuth before exporting this information.

To export user information to users.txt, enter the following command:

csutil.exe -u



To export group information to groups.txt, enter the following command:

csutil.exe -g



Other features of CSUtil.exe include the following:

Export Registry information to setup.txt.

Decode CS ACS internal error codes.

Recalculate Cyclic Redundancy Check (CRC) values for manually copied files.

Import user-defined RADIUS vendors and VSA sets.