Synchronization of ACS Devices


ACS supports the use of an external ODBC database for the automation of your ACS configuration. Two components facilitate this process: CSDBSync, the service that actually performs the synchronization, and the accountActions table.

The synchronization with an external database allows you to configure the following based on values contained in the External Database table:

  • Users

  • User groups

  • Network configuration

  • Custom RADIUS vendors and VSAs

For users, you can configure the following attributes:

  • Adding a user

  • Deleting a user

  • Setting passwords

  • Setting user group membership

  • Setting max sessions parameters

  • Setting network usage quota parameters

  • Configuring command authorization

  • Configuring network access restrictions

  • Configuring time-of-day/day-of-week access restrictions

  • Assigning IP addresses

  • Specifying outbound RADIUS attribute values

  • Specifying outbound TACACS+ attribute values

For user groups, you can configure the following parameters:

  • Setting max sessions parameters

  • Setting network usage quota parameters

  • Configuring command authorization

  • Configuring network access restrictions

  • Configuring time-of-day/day-of-week access restrictions

  • Specifying outbound RADIUS attribute values

  • Specifying outbound TACACS+ attribute values

For network configuration, you can configure the following:

  • Adding an AAA client

  • Deleting an AAA client

  • Setting AAA client configuration details

  • Adding an AAA server

  • Deleting an AAA server

  • Setting AAA server configuration details

  • Adding and configuring Proxy Distribution Table entries

For custom RADIUS vendors and VSAs, ACS allows you to create up to 10 IETF-compliant RADIUS vendors, and all VSAs that you add for those vendors must be sub-attributes of IETF RADIUS attribute number 26.

Components of Synchronization

When you perform database synchronization, two components work together: the CSDBSync process and the accountActions table. This section explains each component's role in synchronization and how the two work hand in hand to carry it out.

CSDBSync

CSDBSync is a service that ACS runs to perform automated user and group account management. It works by connecting to the ODBC driver Data Source Name (DSN) and, through it, reading the accountActions table, which holds the information that CSDBSync needs.

accountActions Table

The accountActions table is a table on the external ODBC server that contains a set of rows that defines what actions CSDBSync performs in ACS.

CSDBSync and accountActions Table Working Together

CSDBSync and the accountActions table work together through the action recorded in each row of the table. The most common actions are SET_VALUE and DELETE_VALUE; SET_VALUE has an action code of 1 and DELETE_VALUE has an action code of 2. CSDBSync reads the configuration item in each row, such as a username, together with its action code to determine whether it is to add the item to or delete it from ACS. Each record is then deleted from the RDBMS database.

Cisco recommends that, for backup purposes, you create another table and mirror each transaction that CSDBSync processes to that table. Ensure that this table is backed up frequently. Also, ensure that you perform frequent backups of the ACS database.

NOTE

For a complete list of configurations and action codes, see the user guide that came with your ACS.
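The read, mirror and delete cycle described above, as an added illustration that is not ACS code: an in-memory SQLite database stands in for the ODBC RDBMS, the column names (SequenceId, UserName, Action, ValueName, Value1) and the sample rows are constructed assumptions for this example, and the real accountActions layout is the one in the ACS user guide.

```python
import sqlite3

# Action codes as stated in the text; every other code is rejected here.
SET_VALUE = 1
DELETE_VALUE = 2

# Assumed column layout for this example only (placeholder names), not the
# real accountActions definition from the ACS user guide.
SCHEMA = """
CREATE TABLE accountActions (
    SequenceId INTEGER PRIMARY KEY,
    UserName   TEXT NOT NULL,
    Action     INTEGER NOT NULL,
    ValueName  TEXT,
    Value1     TEXT
);
CREATE TABLE accountActionsMirror (
    SequenceId INTEGER, UserName TEXT, Action INTEGER,
    ValueName TEXT, Value1 TEXT, Result TEXT
);
"""

def open_db(rows):
    """Build the stand-in RDBMS and load constructed sample rows into it."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO accountActions VALUES (?,?,?,?,?)", rows)
    return db

def sync(db, acs_users):
    """One CSDBSync-style pass: apply each row to acs_users (a dict standing
    in for the ACS user database), copy it to the mirror table, delete it."""
    cur = db.execute("SELECT * FROM accountActions ORDER BY SequenceId")
    for seq, user, action, name, value in cur.fetchall():
        if action == SET_VALUE and name:
            acs_users.setdefault(user, {})[name] = value
            result = "ok"
        elif action == DELETE_VALUE:
            result = "ok" if acs_users.pop(user, None) is not None else "no such user"
        else:
            # Invalid rows are recorded in the mirror so they can be audited.
            result = "rejected: bad action"
        # Mirror first, so a copy of every transaction survives the delete.
        db.execute("INSERT INTO accountActionsMirror VALUES (?,?,?,?,?,?)",
                   (seq, user, action, name, value, result))
        # Each record is removed from the table once it has been read.
        db.execute("DELETE FROM accountActions WHERE SequenceId = ?", (seq,))
    db.commit()
    return acs_users
```

Because the mirror table keeps a copy of every row, including password values, it needs the same access controls and backup handling as the accountActions table itself.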


Preparing for Synchronization

Before you perform synchronization, you need to complete a few tasks. These tasks enable the ACS to use CSDBSync to communicate with the accountActions table:

Step 1.

First, determine where you will create the accountActions table and the format you will use.

Step 2.

Create the accountActions table on the third-party system.

Step 3.

Create any stored procedures that might be necessary to populate the accountActions table. Refer to the user guide for more detailed information on these stored procedures.

NOTE

The mechanism for maintaining your accountActions table is unique to your implementation. For information about the format and content of the accountActions table, see "RDBMS Synchronization Import Definitions" in the ACS user guide.

Step 4.

Validate your third-party system to ensure that it updates the accountActions table properly. Rows generated in the accountActions table must be valid.

Step 5.

Set up a system DSN on the ACS. This was discussed in the "External Database Configuration" section earlier in this chapter.

Step 6.

Schedule RDBMS synchronization in ACS. These steps are discussed in the next section.

Step 7.

Configure your external database to begin updating the accountActions table with the information that you want to be imported into the ACS user database.

Step 8.

For troubleshooting, use the RDBMS Synchronization report in the Reports and Activity section. Additionally, you can monitor the CSDBSync service log.

RDBMS Synchronization Options

To enable RDBMS synchronization, you must enable it in interface configuration, under the Advanced Options link. Once enabled, you will find an RDBMS Synchronization link in System Configuration. Begin by selecting the RDBMS Synchronization link in System Configuration. Under the RDBMS Setup heading, select a DSN from the drop-down menu. (This should already be configured.) Also, you need to enter the username and password for the ODBC connection.

Next, you select the synchronization options from the Synchronization Scheduling heading. Here, you can choose a manual synchronization or schedule synchronization based on a time interval or by choosing timeslots from the time grid provided.

Finally, select the AAA servers from the list on the left and use the right arrow to move them to the Partners column. This allows all partner device information to be synchronized.

Note that you can select the Submit button to schedule synchronization, or the Synchronize Now button to force a manual synchronization.

This completes the configuration of synchronization. For more detailed information on synchronization, refer to the user guide provided with your ACS as well as the vendor documentation for your ODBC RDBMS system.




Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173
