User Guide for Cisco Access Registrar, 5.1
Release 5.1
December 12, 2011
Text Part Number: OL-25652-01

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

User Guide for Cisco Access Registrar, 5.1
© 2011 Cisco Systems, Inc. All rights reserved.

CONTENTS

About This Guide xxxi
How This Book Is Organized xxxi
Obtaining Documentation and Submitting a Service Request xxxii
Notices xxxiii
OpenSSL/Open SSL Project xxxiii
License Issues xxxiii

CHAPTER 1 Overview 1-1
Cisco Access Registrar Hierarchy 1-2
UserLists and Groups 1-2
Profiles 1-3
Scripts 1-3
Services 1-3
Session Management Using Resource Managers 1-4
Cisco Access Registrar Directory Structure 1-5
Program Flow 1-5
Scripting Points 1-6
Client Scripting 1-6
Client or NAS Scripting Points 1-6
Authentication and/or Authorization Scripting Points 1-7
Session Management 1-8
Failover by the NAS and Session Management 1-8
Cross Server Session and Resource Management 1-9
Script Processing Hierarchy 1-11
RADIUS Protocol 1-12
Steps to Connection 1-12
Types of RADIUS Messages 1-13
Packet Contents 1-13
The Attribute Dictionary 1-14
Proxy Servers 1-15

CHAPTER 2 Using the aregcmd Commands 2-1
General Command Syntax 2-1
View-Only Administrator Mode 2-2

ViewOnly Property 2-3
Configuration Objects 2-3
aregcmd Command Performance 2-3
RPC Bind Services 2-4
aregcmd Commands 2-4
add 2-4
cd 2-5
delete 2-5
exit 2-5
filter 2-5
find 2-6
help 2-6
insert 2-6
login 2-6
logout 2-7
ls 2-7
next 2-7
prev 2-8
pwd 2-8
query-sessions 2-8
quit 2-9
release-sessions 2-9
reload 2-9
reset-stats 2-10
save 2-10
set 2-11
start 2-11
stats 2-12
status 2-13
stop 2-14
trace 2-14
trace-file-count 2-15
unset 2-15
validate 2-16
aregcmd Command Logging 2-16
aregcmd Command Line Editing 2-17
aregcmd Error Codes 2-17

CHAPTER 3 Using the Graphical User Interface 3-1
Launching the GUI 3-1
Disabling HTTP 3-2
Disabling HTTPS 3-2
Login Page 3-3
Logging In 3-3
Logging Out 3-4
Common Methodologies 3-4
Filtering Records 3-4
Deleting Records 3-4
Setting Record Limits per Page 3-4
Common Navigations 3-5
Relocating Records 3-5
Dashboard 3-6
Sessions 3-6
Configuring Cisco Access Registrar 3-6
RADIUS 3-7
Profiles 3-8
Adding Profile Details 3-9
Editing Profile Details 3-9
UserGroups 3-9
Adding UserGroup Details 3-10
Editing UserGroup Details 3-11
UserList 3-11
Adding UserList Details 3-12
Editing UserList Details 3-12
Users 3-12
Adding User Details 3-13
Editing User Details 3-14
Scripts 3-14
Adding Script Details 3-15
Editing Script Details 3-16
Policies 3-16
Adding Policy Details 3-16
Editing Policy Details 3-16
Services 3-17
Simple Services 3-17
ServiceWithRS 3-21
PEAP Service 3-23

EAP Service 3-26
Diameter Service 3-34
Adding Diameter Service Details 3-34
Editing Diameter Service Details 3-38
Replication 3-38
Adding Replication Details 3-39
Editing Replication Member Details 3-40
RADIUS Dictionary 3-40
Adding Radius Dictionary Details 3-40
Editing Radius Dictionary Details 3-41
Vendor Dictionary 3-41
Adding Vendor Dictionary Details 3-41
Editing Vendor Dictionary Details 3-42
Vendor Attributes 3-42
Adding Vendor Attributes 3-43
Editing Vendor Attributes 3-43
Vendors 3-44
Adding Vendor Details 3-44
Editing Vendor Details 3-45
Translations 3-45
Adding Translation Details 3-46
Editing Translation Details 3-46
Translation Groups 3-46
Adding Translation Group Details 3-47
Editing Translation Group Details 3-47
DIAMETER 3-48
General 3-48
SessionManagement 3-49
Applications 3-50
Commands 3-52
Advanced 3-53
Default 3-54
BackingStore/ServerParam 3-58
RemoteSessionServer 3-62
SNMP 3-64
DDNS 3-65
ODBCDataSources 3-66
Log 3-67
Ports 3-69
Interfaces 3-70

Attribute Groups 3-70
Rules 3-71
Setting Rules 3-71
Editing Rules 3-72
Session Managers 3-73
Adding Session Manager Details 3-73
Editing Session Manager Details 3-76
Resource Manager 3-76
Adding Resource Manager Details 3-77
Editing Resource Manager Details 3-84
Network Resources 3-84
Clients 3-84
Adding Client Details 3-85
Editing Client Details 3-88
Remote Servers 3-88
LDAP 3-88
LDAP Accounting 3-92
Domain Authentication 3-95
ODBC/OCI 3-96
ODBC/OCI-Accounting 3-99
Others 3-101
Administration 3-104
Administrators 3-104
Adding Administrator Details 3-104
Editing Administrator Details 3-105
Statistics 3-106
Diameter Statistics 3-108
Backup and Restore 3-112
License Upload 3-112
Read-Only GUI 3-112

CHAPTER 4 Cisco Access Registrar Server Objects 4-1
Radius 4-2
UserLists 4-3
Users 4-4
HiddenAttributes Property 4-4
UserGroups 4-5
Policies 4-5
Clients 4-6

Vendors 4-9
Scripts 4-10
Services 4-11
Types of Services 4-12
Domain Authentication 4-13
EAP Services 4-13
File 4-13
Group 4-14
Java 4-16
LDAP 4-16
Local 4-17
ODBC 4-18
ODBC-Accounting 4-19
Prepaid Services 4-19
RADIUS 4-19
Radius Query 4-19
RADIUS-Session 4-24
Rex 4-24
WiMAX 4-25
Diameter 4-25
Session Managers 4-30
Session Creation 4-32
Session Notes 4-33
Soft Group Session Limit 4-34
Session Correlation Based on User-Defined Attributes 4-34
Resource Managers 4-35
Types of Resource Managers 4-36
Gateway Subobject 4-36
Group-Session-Limit 4-37
Home-Agent 4-37
Home-Agent-IPv6 4-37
IP-Dynamic 4-37
IP-Per-NAS-Port 4-38
IPX-Dynamic 4-38
Session-Cache 4-38
Subnet-Dynamic 4-39
User-Session-Limit 4-40
USR-VPN 4-40
Dynamic-DNS 4-40

Remote-IP-Dynamic 4-41
Remote-User-Session-Limit 4-41
Remote-Group-Session-Limit 4-41
Remote-Session-Cache 4-41
Profiles 4-41
Attributes 4-42
Translations 4-42
TranslationGroups 4-43
Remote Servers 4-43
Types of Protocols 4-44
Domain Authentication 4-45
Dynamic DNS 4-46
LDAP 4-47
Map-Gateway 4-50
Sigtran 4-51
ODBC 4-52
ODBC-Accounting 4-53
Prepaid-CRB 4-54
Prepaid-IS835C 4-55
RADIUS 4-55
Rules 4-56
Advanced 4-56
RemoteODBCSessionServer 4-68
Using the RequireNASsBehindProxyBeInClientList Property 4-69
Advance Duplicate Detection Feature 4-69
Invalid EAP Packet Processing 4-70
Ports 4-70
Interfaces 4-70
Reply Messages 4-71
Attribute Dictionary 4-72
Types 4-73
Vendor Attributes 4-74
SNMP 4-74
Diameter 4-74
Configuring Diameter TransportManagement Properties 4-75
Configuring Diameter SessionManagement 4-77
Configuring Diameter Application 4-78
Configuring Diameter Commands 4-79
Configuring Diameter Dictionary 4-85

CHAPTER 5 Using the radclient Command 5-1
radclient Command Syntax 5-1
Working with Packets 5-2
Creating Packets 5-2
Creating CHAP Access-Request Packets 5-2
Viewing Packets 5-3
Sending Packets 5-3
Creating Empty Packets 5-3
Setting Packet Fields 5-4
Reading Packet Fields 5-4
Deleting Packets 5-5
Attributes 5-5
Creating Attributes 5-5
Setting Multivalued Attributes 5-5
Viewing Attributes 5-6
Getting Attribute Information 5-6
Deleting Attributes 5-7
Using the radclient Command 5-7
Example 1 5-7
Example 2 5-8
Example 3 5-9
Using radclient Test Commands 5-9
radclient Variables 5-9
Using timetest 5-10
Using callsPerSecond 5-11
Additional radclient Variables 5-11

CHAPTER 6 Configuring Local Authentication and Authorization 6-1
Configuring a Local Service and UserList 6-1
Configuring a Local Service 6-2
Configuring a Userlist 6-3
Configuring Cisco Access Registrar to Use the Local Service For AA 6-3
Activating the Configuration 6-4
Troubleshooting the Local Service and UserList Configuration 6-4
Verifying the Configuration 6-5
Configuring Return Attributes and Check-Items 6-6
Configuring Per User Return Attributes 6-6
Configuring Per User Check-Items 6-7
Verifying the Per User Return Attributes and Check-Items Configuration 6-7

Configuring Profiles to Group Attributes 6-8
Configuring Return Attributes and Check-Items Using UserGroup 6-9
Return Attribute Precedence 6-10
aregcmd Command Performance 6-10
UserDefined1 Property 6-11
Access-Request Logging 6-11

CHAPTER 7 RADIUS Accounting 7-1
Understanding RADIUS Accounting 7-1
Setting Up Accounting 7-2
Accounting Log File Rollover 7-2
FilenamePrefix 7-3
MaxFileSize 7-3
MaxFileAge 7-4
RolloverSchedule 7-4
UseLocalTimeZone 7-5
Oracle Accounting 7-5
Configuring Oracle Accounting 7-5
ODBC-Accounting Service 7-5
ODBC RemoteServers 7-6
Configuration Examples 7-8
Packet Buffering 7-9
When Using Packet Buffering 7-9
With Packet Buffering Disabled 7-9
Dynamic SQL Feature 7-9
LDAP Accounting 7-10
Configuring LDAP Accounting 7-10
LDAP-Accounting Service 7-10
LDAP RemoteServers 7-10
Configuration Examples 7-13
Configuring the LDAP Service for Accounting 7-14
Configuring an LDAP-Accounting RemoteServer 7-15
Setting LDAP-Accounting As Accounting Service 7-17
MySQL Support 7-18
Configuring MySQL 7-18
Example Configuration 7-19
Proxying Accounting Records 7-19
Configuring the Local Cisco Access Registrar Server 7-19
Configuring the Local Accounting Service 7-20

Configuring the Remote Accounting Service 7-20
Configuring the Group Accounting Service 7-20
Configuring the RemoteServer Object 7-21
Accounting Log Examples 7-21
Accounting-Start Packet 7-21
Accounting Stop Packet 7-22
Trace of Successful Accounting 7-22
Sample Error Messages 7-22

CHAPTER 8 Diameter 8-1
Prerequisites for Diameter 8-2
Diameter Server Startup Log 8-2
Diameter Stack Level Messages 8-3
Capabilities Exchange Message 8-3
Watchdog Message 8-4
Terminating Diameter User Session 8-4
Configuring Authentication and Authorization for Diameter 8-4
Configuring Local Authentication and Authorization 8-4
Configuring a Local Service and UserList 8-5
Configuring External Authentication Service 8-6
Configuring Diameter Accounting 8-6
Understanding Diameter Accounting 8-6
Setting Up Local Accounting 8-7
Setting up Oracle Accounting 8-7
Diameter Accounting Log Examples 8-7
Accounting Event Packet 8-7
Accounting Start Packet 8-7
Account Interim Packet 8-7
Accounting Stop Packet 8-8
Trace of Successful Accounting 8-8
Configuring the Diameter Application in Cisco AR 8-9
Importing Application Specific Cisco AVPs to Cisco AR Internal Database 8-9
Configuring the Transport Management Properties 8-10
Registering Applications IDs 8-11
Configuring the Diameter Peers 8-11
Configure the Diameter Service 8-12
Writing Diameter Application in Cisco AR 8-17
Configuring rex script/service for Diameter 8-17
Scripting in Diameter 8-18

Diameter Environment Variables 8-18
Sample rex script/service 8-19
Traces/Logs 8-20
Diameter Routing Agent 8-21
Diameter Relay Agent 8-21
Diameter Proxy Agent 8-22
RoundRobin 8-22
FailOver 8-23
IMSI Range Based 8-23
Configuring Diameter Proxy 8-23
Configuring Cisco AR to Demultiplex the Diameter CCR-T 8-26
Traces/Logs 8-28
Writing Diameter Proxy Extension Scripts 8-30
Sample Diameter Proxy Extension Script 8-30
Traces/Logs 8-31
Diameter Redirect Agent 8-32
Configuring Diameter Redirect Agent 8-33
Importing Diameter Command Codes 8-34
Support for SCTP including Multihoming 8-34

CHAPTER 9 Extensible Authentication Protocols 9-1
EAP-AKA 9-2
Configuring EAP-AKA 9-2
Testing EAP-AKA with radclient 9-6
EAP-FAST 9-6
Configuring EAP-FAST 9-7
EAP-FAST Keystores 9-10
Testing EAP-FAST with radclient 9-11
PAC Provisioning 9-12
Authentication 9-13
Parameters Used for Certificate-Based Authentication 9-13
radclient Command Reference 9-14
PACCredential Export Utility 9-16
PAC Export 9-16
PAC Display 9-16
Syntax Summary 9-17
EAP-GTC 9-17
Configuring EAP-GTC 9-17
Testing EAP-GTC with radclient 9-18

EAP-LEAP 9-19
Configuring EAP-LEAP 9-19
EAP-MD5 9-20
Configuring EAP-MD5 9-20
EAP-Negotiate 9-20
Configuring EAP-Negotiate 9-21
Negotiating PEAP Tunnel Services 9-22
Testing EAP-Negotiate with radclient 9-22
EAP-MSChapV2 9-22
Configuring EAP-MSChapV2 9-22
Testing EAP-MSChapV2 with radclient 9-23
EAP-SIM 9-24
Configuring EAP-SIM 9-24
EAP-Transport Level Security (TLS) 9-28
Configuring EAP-TLS 9-28
Testing EAP-TLS with radclient 9-31
Testing EAP-TLS with Client Certificates 9-31
EAP-TTLS 9-32
Configuring EAP-TTLS 9-32
Creating an EAP-TTLS Service 9-33
Configuring an EAP-TTLS Authentication Service 9-36
Testing EAP-TTLS with radclient 9-38
Testing EAP-TTLS Using Legacy Methods 9-39
Testing EAP-TTLS Using EAP Methods 9-39
rehash-ca-certs Utility 9-40
radclient Command Reference 9-40
eap-trace 9-40
tunnel 9-41
Protected EAP 9-41
PEAP Version 0 9-42
Configuring PEAP Version 0 9-42
Testing PEAP Version 0 with radclient 9-45
Testing PEAP Version 0 with Client Certificates 9-46
PEAP Version 1 9-46
Configuring PEAP Version 1 9-46
Testing PEAP Version 1 with radclient 9-49
Testing PEAP Version 1 with Client Certificates 9-49
CRL Support for Cisco Access Registrar 9-50
Configuring Certificate Validation Using CRL 9-50

Using Intermediate Certificates in Cisco AR 9-51

CHAPTER 10 Using WiMAX in Cisco Access Registrar 10-1
WiMAX - An Overview 10-1
WiMAX in Cisco Access Registrar 10-2
Direct Interaction Between the ASN GW and Cisco Access Registrar 10-3
Interaction Between ASN GW and Cisco Access Registrar Through HA 10-5
Prepaid and Hot-Lining 10-6
Configuring WiMAX in Cisco Access Registrar 10-6
Configuring the Resource Manager for WiMAX 10-7
Configuring the Session Manager for WiMAX 10-8
Configuring the Query Service for WiMAX 10-8
Configuring WiMAX 10-9
WiMAX - OMA-DM Provisioning Support with BEK key 10-11
Configuring WiMax-Provisioning 10-11
WiMax Lawful Interception (LI) Support in Cisco AR 10-12
Configuring WiMax-Lawful Intercept 10-15

CHAPTER 11 Using Extension Points 11-1
Determining the Goal of the Script 11-2
Writing the Script 11-3
Choosing the Type of Script 11-3
Request Dictionary Script 11-3
Response Dictionary Script 11-4
Environment Dictionary Script 11-4
Adding the Script Definition 11-5
Adding the Example Script Definition 11-5
Choosing the Scripting Point 11-6
Testing the Script 11-6
About the Tcl/Tk 8.3 Engine 11-6
Cisco Access Registrar Scripts 11-6
ACMEOutgoingScript 11-7
AltigaIncomingScript 11-7
AltigaOutgoingScript 11-7
ANAAAOutgoing 11-7
AscendIncomingScript 11-7
AscendOutgoingScript 11-7
AuthorizePPP 11-7
AuthorizeService 11-7

AuthorizeSLIP 11-8
AuthorizeTelnet 11-8
CabletronIncoming 11-8
CabletronOutgoing 11-8
CiscoIncoming 11-8
CiscoOutgoing 11-8
CiscoWithODAPIncomingScript 11-8
ExecCLIDRule 11-9
ExecDNISRule 11-9
ExecFilterRule 11-9
ExecNASIPRule 11-9
ExecRealmRule 11-9
ExecTimeRule 11-9
LDAPOutage 11-10
MapSourceIPAddress 11-10
ParseAAARealm 11-10
ParseAAASRealm 11-10
ParseAARealm 11-10
ParseAASRealm 11-11
ParseProxyHints 11-11
ParseServiceAndAAARealmHints 11-11
ParseServiceAndAAASRealmHints 11-11
ParseServiceAndAARealmHints 11-11
ParseServiceAndAASRealmHints 11-11
ParseServiceAndProxyHints 11-12
ParseServiceHints 11-12
ParseTranslationGroupsByCLID 11-12
ParseTranslationGroupsByDNIS 11-12
ParseTranslationGroupsByRealm 11-12
UseCLIDAsSessionKey 11-12
USRIncomingScript 11-12
USRIncomingScript-IgnoreAccountingSignature 11-13
USROutgoingScript 11-13

CHAPTER 12 Using Replication 12-1
Replication Overview 12-1
How Replication Works 12-2
Replication Data Flow 12-2
Master Server 12-3

Slave Server 12-3
Security 12-3
Replication Archive 12-3
Ensuring Data Integrity 12-4
Transaction Data Verification 12-4
Transaction Order 12-4
Automatic Resynchronization 12-4
Full Resynchronization 12-5
Understanding Hot-Configuration 12-5
Replication's Impact on Request Processing 12-5
Replication Configuration Settings 12-6
RepType 12-6
RepTransactionSyncInterval 12-6
Master 12-6
Slave 12-6
RepTransactionArchiveLimit 12-7
RepIPAddress 12-7
RepPort 12-7
RepSecret 12-7
RepIsMaster 12-8
RepMasterIPAddress 12-8
RepMasterPort 12-8
Rep Members Subdirectory 12-8
Rep Members/Slave1 12-8
Name 12-8
IPAddress 12-9
Port 12-9
Setting Up Replication 12-9
Configuring the Master 12-9
Configuring The Member 12-10
Verifying the Configuration 12-11
Replication Example 12-11
Adding a User 12-11
Master Server's Log 12-12
Member Server's Log 12-12
Verifying Replication 12-12
Master Server's Log 12-12
Member Server's Log 12-13
Using aregcmd -pf Option 12-13

Master Server's Log 12-14
Member Server's Log 12-14
An Automatic Resynchronization Example 12-14
Master Server's Log 12-15
Member Server's Log 12-15
Full Resynchronization 12-15
Replication Setup with More Than One Slave 12-17
Frequently Asked Questions 12-18
Replication Log Messages 12-19
Information Log Messages 12-19
Warning Log Messages 12-21
Error Log Messages 12-22
Log Messages You Should Never See 12-23

CHAPTER 13 Using On-Demand Address Pools 13-1
Cisco-Incoming Script 13-3
How the Script Works 13-3
CiscoWithODAPIncomingScript 13-3
Vendor Type CiscoWithODAP 13-4
Configuring Cisco Access Registrar to Work with ODAP 13-4
Configuration Summary 13-4
Detailed Configuration 13-5
Setting Up an ODAP UserList 13-5
Adding ODAP Users 13-5
Setting Up an ODAP-Users Service 13-6
Setting Up an ODAP Accounting Service 13-7
Adding Session Managers 13-8
Setting Up Resource Managers 13-9
Configuring Session Managers 13-13
Configure Clients 13-15
Save Your Configuration 13-16

CHAPTER 14 Using Identity Caching 14-1
Overview 14-1
Identity Caching Features 14-2
Configuring Cisco Access Registrar for Identity Caching 14-3
Starting Identity Caching 14-6
XML Interface 14-8

CHAPTER 15 Using Trusted ID Authorization with SESM 15-1
Trusted ID Operational Overview 15-1
Configuration Overview 15-2
Request Processing 15-2
Session Cache Life Cycle 15-3
Configuration Restrictions 15-3
Software Requirements 15-3
Installing Cisco Access Registrar 15-4
Running the TrustedIdInstall Program 15-4
Using the TrustedIdInstall.bin GUI 15-4
Using the TrustedIdInstall Command Line 15-8
Configuring Cisco Access Registrar for Trusted Identity with SESM 15-12
Configuring the RADIUS Ports 15-12
Configuring NAS Clients 15-13
Configuring AAA and SPE Services 15-13
Configuration Imported by TrustedIdInstall Program 15-13
/Radius 15-13
/radius/services/spe 15-14
/radius/services/trusted-id 15-14
/Radius/SessionManagers/session-cache/ 15-14
/radius/ResourceManagers/session-cache 15-14
/radius/advanced/ 15-14
/Radius/Scripts/ChangeServiceType 15-14
Configuring EAP-MD5 Authentication 15-15
Creating the CheckEap.tcl Script 15-15
Adding the CheckEap.tcl Script 15-15
Using the CheckEap.tcl Script 15-16
Adding the EAP-MD5 Authentication Service 15-16
Adding an LDAP Remote Server 15-17
Adding an LDAP Service 15-18
Saving the Configuration and Reloading the Server 15-19
Cisco SSG VSAs in Cisco Access Registrar Dictionary 15-19

CHAPTER 16 Using Prepaid Billing 16-1
Overview 16-2
IS835C Prepaid Billing 16-2
Configuring IS835C Prepaid Billing 16-3
Setting Up a Prepaid Billing RemoteServer 16-3
Setting Up an IS835C Prepaid Service 16-4

Setting Up Local Authentication 16-4
Setting Up an Authentication Group Service 16-5
CRB Prepaid Billing 16-7
Configuring CRB Prepaid Billing 16-8
Setting Up a Prepaid Billing RemoteServer 16-8
Setting Up a CRB Prepaid Service 16-9
Setting Up a Local Accounting Service 16-10
Setting Up a Local Authentication Service 16-11
Setting Up a Prepaid Accounting Group Service 16-12
Setting Up an Authentication Group Service 16-14
Configuring CRB Prepaid Billing for SSG 16-15
Setting Up an Outgoing Script 16-15
Setting Up an Incoming Script 16-16
Setting Up a Prepaid Outgoing Script 16-16
Add Prepaid Clients 16-17
Generic Call Flow 16-18
Access-Request (Authentication) 16-19
Access-Accept (Authentication) 16-20
Access-Request (Authorization) 16-21
Access-Accept (Authorization) 16-21
Accounting-Start 16-22
Data Flow 16-22
Access-Request (Quota Depleted) 16-22
Access-Accept (Quota Depleted) 16-23
Accounting Stop (Session End) 16-24
Accounting Response (Final Status) 16-24
Vendor-Specific Attributes 16-25
Implementing the Prepaid Billing API 16-27

CHAPTER 17 Using Cisco Access Registrar Server Features 17-1
Incoming Traffic Throttling 17-2
MaximumIncomingRequestRate 17-2
MaximumOutstandingRequests 17-2
Backing Store Parsing Tool 17-3
Configurable Worker Threads Enhancement 17-4
Session-Key Lookup 17-5
Query-Notify 17-6
Call Flow 17-7
Configuration Examples 17-8

Memory and Performance Impact 17-9
Support for Windows Provisioning Service 17-9
Call Flow 17-9
Example Configuration 17-10
Environment Variables 17-10
Master URL Fragments 17-11
Unsupported Features 17-11
Account Expiration and Renewal 17-11
Password Changing and Force Update 17-12
Command Completion 17-12
Service Grouping Feature 17-13
Configuration Example - AccountingGroupService 17-14
Summary of Events 17-16
Configuration Example 2 - AuthenticationGroupService 17-17
Summary of Events 17-20
SHA-1 Support for LDAP-Based Authentication 17-20
Remote LDAP Server Password Encryption 17-21
Dynamic Password Encryption 17-21
Logs 17-22
Dynamic Attributes 17-22
Object Properties with Dynamic Support 17-22
Dynamic Attribute Format 17-24
Tunneling Support Feature 17-25
Configuration 17-25
Example 17-25
Notes 17-26
Validation 17-26
xDSL VPI/VCI Support for Cisco 6400 17-26
Using User-Name/User-Password for Each Cisco 6400 Device 17-26
Format of the New User-Name Attribute 17-27
Apply Profile in Cisco Access Registrar Database to Directory Users 17-27
User-Profile 17-27
User-Group 17-28
Example User-Profile and User-Group Attributes in Directory User Record 17-28
Directory Multi-Value Attributes Support 17-29
MultiLink-PPP (ML-PPP) 17-29
Dynamic Updates Feature 17-30
NAS Monitor 17-31

Automatic Information Collection (arbug) 17-32
Running arbug 17-32
Files Generated 17-32
Simultaneous Terminals for Remote Demonstration 17-33
Support for RADIUS Check Item Attributes 17-33
Configuring Check Items 17-33
Configuring User Check Items 17-33
Configuring Usergroup Check Items 17-34
User-Specific Attributes 17-35
Packet of Disconnect 17-35
Configuring Packet of Disconnect 17-35
Configuring the Client Object 17-35
Configuring a Resource Manager for POD 17-36
Proxying POD Requests from External Servers 17-37
CLI Options for POD 17-37
query-sessions 17-37
release-sessions 17-38
Configuring Change of Authorization Requests 17-38
Configuring the Client Object 17-39
Dynamic DNS 17-40
Configuring Dynamic DNS 17-40
Testing Dynamic DNS with radclient 17-42
Dynamic Service Authorization Feature 17-43
Configuring Dynamic Service Authorization Feature 17-43
Setting up the Environment Variable 17-43
Configuring the Script 17-44
Remote Session Management 17-45
Wx Interface Support for SubscriberDB Lookup 17-46
Configuration Examples 17-47

CHAPTER 18 Directing RADIUS Requests 18-1
Configuring Policies and Rules 18-1
Configuring Policies 18-1
Configuring Rules 18-2
Wildcard Support 18-2
Script and Attribute Requirements 18-3
Validation 18-3
Known Anomalies 18-4

Routing Requests 18-4
Routing Requests Based on Realm 18-4
Routing Requests Based on DNIS 18-5
Routing Requests Based on CLID 18-6
Routing Requests Based on NASIP 18-7
Routing Requests Based on User-Name Prefix 18-7
Attribute Translation 18-8
Parsing Translation Groups 18-9
Time of Day Access Restrictions 18-10
Setting Time Ranges in ExecTimeRule 18-11
ExecTimeRule Example Configuration 18-11
Reducing Overhead Using Policies to Group Rules 18-12
Standard Scripts Used with Rules 18-14
ExecRealmRule 18-14
ExecDNISRule 18-15
ExecCLIDRule 18-15
ExecNASIPRule 18-15
ExecPrefixRule 18-16
ExecSuffixRule 18-17
ExecTimeRule 18-18
ParseTranslationGroupsByRealm 18-19
ParseTranslationGroupsByDNIS 18-19
ParseTranslationGroupsByCLID 18-19

CHAPTER 19 Wireless Support 19-1
Mobile Node-Home Agent Shared Key 19-1
Use Case Example 19-1
Configuring User Attributes 19-2
3GPP2 Home Agent Support 19-3
Home-Agent Resource Manager 19-3
Load Balancing 19-3
Configuring the Home Agent Resource Manager 19-3
Querying and Releasing Sessions 19-4
Access Request Requirements 19-4
New 3GPP2 VSAs in the Cisco Access Registrar Dictionary 19-5
Session Correlation Based on User-Defined Attributes 19-5
Managing Multiple Accounting Start/Stop Messages 19-5
NULL Password Support 19-6

CHAPTER 20 Using LDAP 20-1
Configuring LDAP 20-1
Configuring the LDAP Service 20-2
MultipleServersPolicy 20-2
RemoteServers 20-2
Configuring an LDAP RemoteServer 20-3
DNS Look Up and LDAP Rebind Interval 20-6
LDAPToRadiusMappings 20-7
LDAPToEnvironmentMappings 20-7
LDAPToCheckItemMappings 20-7
Setting LDAP As Authentication and Authorization Service 20-7
Saving Your Configuration 20-8
CHAP Interoperability with LDAP 20-8
Allowing Special Characters in LDAP Usernames 20-8
Dynamic LDAP Search Base 20-8
Analyzing LDAP Trace Logs 20-9
Successful Bind Message 20-9
Bind Failure Messages 20-9
Login Failure Messages 20-10
Bind-Based Authentication for LDAP 20-11
Configuring Bind-Based Authentication for LDAP 20-11

CHAPTER 21 Using Open Database Connectivity 21-1
Oracle Software Requirements 21-2
Configuring ODBC/OCI 21-2
Configuring an ODBC/OCI Service 21-5
Configuring an ODBC/OCI RemoteServer 21-6
ODBC Data Source 21-8
SQL Definitions 21-9
SQL Syntax Restrictions 21-9
Specifying More Than One Search Key 21-10
ODBCToRadiusMappings/OCIToRadiusMappings 21-10
ODBCToEnvironmentMappings/OCIToEnvironmentMappings 21-11
ODBCToCheckItemMappings/OCIToCheckItemMappings 21-11
Configuring an ODBC DataSource 21-11
Setting ODBC/OCI As Authentication and Authorization Service 21-12
Setting ODBC/OCI As Accounting Service 21-13
Saving Your Configuration 21-13
Oracle Stored Procedures 21-13

MySQL Support 21-15
MySQL Driver 21-15
Configuring a MySQL Datasource 21-15
Example Configuration 21-17

CHAPTER 22 Using SNMP 22-1
Overview 22-1
Supported MIBs 22-1
RADIUS-AUTH-CLIENT-MIB 22-1
RADIUS-AUTH-SERVER-MIB 22-2
RADIUS-ACC-CLIENT-MIB 22-2
RADIUS-ACC-SERVER-MIB 22-2
CISCO-DIAMETER-BASE-PROTOCOL-MIB 22-2
Diameter SNMP and Statistics Support 22-2
TACACS+ SNMP and Statistics Support 22-2
SNMP Traps 22-3
Supported Traps 22-3
carServerStart 22-4
carServerStop 22-4
carInputQueueFull 22-4
carInputQueueNotVeryFull 22-4
carOtherAuthServerNotResponding 22-4
carOtherAuthServerResponding 22-5
carOtherAccServerNotResponding 22-5
carOtherAccServerResponding 22-5
carAccountingLoggingFailure 22-6
carLicenseUsage 22-6
carDiameterPeerDown 22-6
carDiameterPeerUp 22-6
Configuring Traps 22-6
Directories Searched 22-6
Configuration File Types 22-7
Switching Configuration Files in Mid-File 22-7
Community String 22-8

CHAPTER 23 Enforcement of TPS License 23-1
TPS Licensing Features 23-1
Enforcement Rules 23-2
Notification Logs 23-2

Notification - SNMP Traps 23-2
TPS Logging Feature 23-3

CHAPTER 24 Backing Up the Database 24-1
Configuration 24-1
Command Line Utility 24-1
Recovery 24-2
mcdshadow Command Files 24-2

CHAPTER 25 Using the REX Accounting Script 25-1
Building and Installing the REX Accounting Script 25-1
Configuring the Rex Accounting Script 25-2
Specifying REX Accounting Script Options 25-3
Example Script Object 25-4

CHAPTER 26 Logging Syslog Messages 26-1
syslog Messages 26-1
Example 1 26-2
Example 2 26-2
Configuring Message Logging (Solaris) 26-3
Configuring Message Logging (Linux) 26-4
Changing Log Directory 26-4
Configuring syslog Daemon (syslogd) 26-5
Managing the Syslog File 26-5
Using a cron Program to Manage the syslog Files 26-6
Server Up/Down Status Change Logging 26-6
Header Formats 26-6
Example Log Messages 26-7

CHAPTER 27 Troubleshooting Cisco Access Registrar 27-1
Gathering Basic Information 27-1
Troubleshooting Quick Checks 27-2
Disk Space 27-2
Resource Conflicts 27-2
No Co-Existence With Cisco Network Registrar 27-2
Port Conflicts 27-3
Server Running Sun SNMP Agent 27-3

  • ContentsCisco Access Registrar Log Files 27-3Modifying File Sizes for Agent Server and MCD Server Logs 27-3Using xtail to Monitor Log File Activity 27-4

    Modifying the Trace Level 27-4Installation and Server Process Start-up 27-5

    aregcmd and Cisco Access Registrar Configuration 27-5Running and Stopped States 27-5

    RADIUS Request Processing 27-7

    Other Troubleshooting Techniques and Resources 27-7aregcmd Stats Command 27-7Core Files 27-8radclient 27-8Cisco Access Registrar Replication 27-8

    Checking AR Server Health Status 27-8

    A P P E N D I X A Cisco Access Registrar Tcl, REX and Java Dictionaries A-1

    Tcl Attribute Dictionaries A-1Attribute Dictionary Methods A-1Tcl Environment Dictionary A-4

    REX Attribute Dictionary A-5Attribute Dictionary Methods A-5REX Environment Dictionary A-11

    REX Environment Dictionary Methods A-11

    Java Attribute Dictionary A-13Java Attribute Dictionary Methods A-13Java Environment Dictionary A-16

    Java Environment Dictionary Methods A-16Interface Extension A-17

    Interface Extension Methods A-18Interface ExtensionforSession A-18

    Interface Extensionforsession Methods A-19Interface Extensionwithinitialization A-19

    Interface Extensionwithinitialization Methods A-20Interface ExtensionforSessionwithinitialization A-20

    Interface Extensionforsessionwithinitialization Methods A-20Interface MarkerExtension A-20

    Variables in the Marker Extension Interface A-21Class Sessionrecord A-24xxviiCisco Access Registrar User Guide, 5.1

    OL-25652-01

    Session Record Methods A-24

  • ContentsA P P E N D I X B Environment Dictionary B-1

    Cisco Access Registrar Environment Dictionary Variables B-1Accepted-Profiles B-2Accounting-Service B-2Acquire-Dynamic-DNS B-2Acquire-Group-Session-Limit B-2Acquire-Home-Agent B-2Acquire-IP-Dynamic B-2Acquire-IPX-Dynamic B-2Acquire-IP-Per-NAS-Port B-3Acquire-Subnet-Dynamic B-3Acquire-User-Session-Limit B-3Acquire-USR-VPN B-3Allow-Null-Password B-3Authentication-Service B-3Authorization-Service B-3BackingStore-Env-Vars B-4Broadcast-Accounting-Packet B-4Cache-Attributes-In-Session B-4Current-Group-Count B-4Cache-Outer-Identity B-4Destination-IP-Address B-4Destination-Port B-4Disable-Accounting-On-Off-Broadcast B-4DSA-Response-Cache B-5Dynamic-DNS-HostName B-5Dynamic-Search-Filter B-5Dynamic-Search-Path B-5Dynamic-Search-Scope B-5Dynamic-Service-Loop-Limit B-5Dynamic-User-Password-Attribute B-5EAP-Actual-Identity B-6EAP-Authentication-Mode B-6Enforce-Traffic-Throttling B-6Generate-BEK B-6Group-Session-Limit B-6Ignore-Accounting-Signature B-6Incoming-Translation-Groups B-6Master-URL-Fragment B-7xxviiiCisco Access Registrar User Guide, 5.1

    OL-25652-01

  • ContentsMisc-Log-Message-Info B-7Outgoing-Translation-Groups B-7Pager B-7Query-Service B-7Re-Accounting-Service B-7Re-Authentication-Service B-7Re-Authorization-Service B-8Realm B-8Reject-Reason B-8Remote-Server B-8Remove-Session-On-Acct-Stop B-8Remote-Servers-Tried B-8Request-Authenticator B-8Request-Type B-9Require-User-To-Be-In-Authorization-List B-9Response-Type B-10Retrace-Packet B-10Send-PEAP-URI-TLV B-10Session-Key B-10Session-Manager B-10Session-Notes B-10Session-Service B-11Set-Session-Mgr-And-Key-Upon-Lookup B-11Skip-Session-Management B-11Skip-Overriding-Username-With-LDAP-UID B-11Skip-Overriding-UserName-With-PEAPIdentity B-11Source-IP-Address B-11Source-Port B-12Subnet-Size-If-No-Match B-12Trace-Level B-12Unavailable-Resource B-12Unavailable-Resource-Type B-12UserDefined1 B-12User-Authorization-Script B-12User-Group B-13User-Group-Session-Limit B-13User-Name B-13User-Profile B-13User-Session-Limit B-13xxixCisco Access Registrar User Guide, 5.1

    OL-25652-01

    Virtual-Server-Outgoing-Script B-13

  • ContentsWindows-Domain-Groups B-13X509- Subject-Name B-13

    Internal Variables B-14

    A P P E N D I X C RADIUS Attributes C-1

    RADIUS Attributes C-1Cisco Access Registrar 5.1 Attributes C-1RADIUS Attributes Numeric List C-4

    Vendor-Specific Attributes C-133GPP VSAs C-133GPP2 VSAs C-15ACC VSAs C-22Altiga VSAs C-27Ascend VSAs C-30Bay Networks VSAs C-45Cabletron VSAs C-46Cisco Access Registrar Internal VSAs C-46Cisco VSAs C-48Compatible VSAs C-51Microsoft VSAs C-51Nomadix VSAs C-53RedBack VSAs C-53RedCreek VSAs C-56TACACS+ VSAs C-56Telebit VSAs C-59Unisphere VSAs C-59USR VSAs C-60WiMax C-86WISPr C-86XML C-87

    G L O S S A R Y

    I N D E XxxxCisco Access Registrar User Guide, 5.1

    OL-25652-01

    About This Guide

    Revised: August 29, 2011, OL-25652-01

    The User Guide for Cisco Access Registrar, 5.1 provides information about how to use Cisco Access Registrar (Cisco AR) 5.1. This preface contains the following sections:

    How This Book Is Organized, page xxxi
    Obtaining Documentation and Submitting a Service Request, page xxxii
    Notices, page xxxiii

    How This Book Is Organized

    The Cisco AR User Guide is organized as follows:

    Chapter 1, Overview, provides an overview of Cisco AR.
    Chapter 2, Using the aregcmd Commands, provides information about using aregcmd commands.
    Chapter 3, Using the Graphical User Interface, provides information about using the Cisco AR GUI.
    Chapter 4, Cisco Access Registrar Server Objects, provides information about Cisco AR server objects.
    Chapter 5, Using the radclient Command, provides information about using radclient commands to test Cisco AR.
    Chapter 6, Configuring Local Authentication and Authorization, provides information about how to configure local authentication and authorization and helpful examples.
    Chapter 7, RADIUS Accounting, provides information about RADIUS accounting and how to configure Cisco AR 4.2 to perform accounting.
    Chapter 8, Diameter, provides information about how to configure Cisco AR to perform Diameter authentication and authorization, and also provides information about Diameter accounting.
    Chapter 9, Extensible Authentication Protocols, provides information about Cisco AR 4.2 support of EAP authentication methods.
    Chapter 10, Using WiMAX in Cisco Access Registrar, provides information about Cisco AR 4.2 support for the WiMAX feature.
    Chapter 11, Using Extension Points, provides information about how to use Cisco AR scripting to customize your RADIUS server.
    Chapter 12, Using Replication, provides information about how to use the replication feature.
    Chapter 13, Using On-Demand Address Pools, provides information about using On-Demand Address Pools.
    Chapter 14, Using Identity Caching, provides information about using the Identity Caching feature.
    Chapter 15, Using Trusted ID Authorization with SESM, describes how to use Cisco AR with SESM, and how to configure Cisco AR to use the Trusted ID feature.
    Chapter 16, Using Prepaid Billing, provides information about how to use the Cisco AR prepaid billing feature.
    Chapter 17, Using Cisco Access Registrar Server Features, provides information about using Cisco AR features.
    Chapter 18, Directing RADIUS Requests, provides information about using the Cisco AR Policy Engine.
    Chapter 19, Wireless Support, provides information about Cisco AR support for wireless features.
    Chapter 20, Using LDAP, provides information about using an LDAP remote server with Cisco AR.
    Chapter 21, Using Open Database Connectivity, provides information about a new type of RemoteServer object and a new service to support ODBC.
    Chapter 22, Using SNMP, provides information about the SNMP MIB and Trap support offered by Cisco AR.
    Chapter 23, Enforcement of TPS License, provides information on the enforcement of Cisco AR's new license model, transactions per second (TPS) Licensing.
    Chapter 24, Backing Up the Database, describes the Cisco AR shadow backup facility, which ensures a consistent snapshot of Cisco AR's database for backup purposes.
    Chapter 25, Using the REX Accounting Script, describes how to use the REX Accounting scripts.
    Chapter 26, Logging Syslog Messages, provides information about logging messages via syslog and centralized error reporting for Cisco AR.
    Chapter 27, Troubleshooting Cisco Access Registrar, provides information about techniques used when troubleshooting Cisco AR and highlights common problems.
    Appendix A, Cisco Access Registrar Tcl, REX and Java Dictionaries, describes the Tcl and REX dictionaries that are used when writing Incoming or Outgoing scripts for use with Cisco AR.
    Appendix B, Environment Dictionary, describes the environment variables the scripts use to communicate with Cisco AR or to communicate with other scripts.
    Appendix C, RADIUS Attributes, lists the RFC 2865 RADIUS attributes with their names and values.

    An index is also provided.

    Obtaining Documentation and Submitting a Service Request

    For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

    Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

    Notices

    The following notices pertain to this software license.

    OpenSSL/Open SSL Project

    This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).

    License Issues

    The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected].

    OpenSSL License:

    Copyright 1998-2007 The OpenSSL Project. All rights reserved.

    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

    3. All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

    4. The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

    5. Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project.

    6. Redistributions of any form whatsoever must retain the following acknowledgment: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

    THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).

    Original SSLeay License:

    Copyright 1995-1998 Eric Young ([email protected]). All rights reserved.

    This package is an SSL implementation written by Eric Young ([email protected]). The implementation was written so as to conform with Netscape's SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]).

    Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

    3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes cryptographic software written by Eric Young ([email protected]). The word cryptographic can be left out if the routines from the library being used are not cryptography-related.

    4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: This product includes software written by Tim Hudson ([email protected]).

    THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].


    CHAPTER 1 Overview

    Revised: September 17, 2011, OL-25652-01

    This chapter provides an overview of the RADIUS server, including connection steps, RADIUS message types, and using Cisco Access Registrar (Cisco AR) as a proxy server. Cisco AR is a RADIUS (Remote Authentication Dial-In User Service) server that enables multiple dial-in Network Access Server (NAS) devices to share a common authentication, authorization, and accounting database. Cisco AR handles the following tasks:

    Authentication: determines the identity of users and whether they can be allowed to access the network
    Authorization: determines the level of network services available to authenticated users after they are connected
    Accounting: keeps track of each user's network activity
    Session and resource management: tracks user sessions and allocates dynamic resources

    Using a RADIUS server allows you to better manage the access to your network, as it allows you to store all security information in a single, centralized database instead of distributing the information around the network in many different devices. You can make changes to that single database instead of making changes to every network access server in your network.

    Service providers transform their 3G and 4G wireless networks with complex services, tiered charging, converged billing, and more by introducing increasing numbers and types of Diameter-based network elements. LTE and IMS networks are the most likely to implement these new network elements, including Policy and Charging Rules Functions (PCRF), Home Subscriber Servers (HSS), Mobility Management Entities (MME), Online Charging Systems (OCS), and others. As a result, as the traffic levels grow, these wireless networks are becoming more difficult to manage and scale without an intelligent Diameter signaling traffic control infrastructure.

    Cisco Access Registrar Diameter Routing Agent (DRA) provides such signaling infrastructure, allowing complex mesh interconnections of these new network elements in order to:

    adequately manage the traffic
    perform appropriate load balancing for desired load distribution and congestion control
    provide intelligent message routing (routing to the appropriate elements) that can be customized to easily adapt to unique requirements
    allow binding of different protocol interfaces corresponding to a subscriber/network element.

    This chapter contains the following sections:

    Cisco Access Registrar Hierarchy, page 1-2
    Cisco Access Registrar Directory Structure, page 1-5
    Program Flow, page 1-5
    RADIUS Protocol, page 1-12

    Cisco Access Registrar Hierarchy

    Cisco AR's operation and configuration is based on a set of objects. These objects are arranged in a hierarchical structure much like the Windows 95 Registry or the UNIX directory structure. Cisco AR's objects can themselves contain subobjects, just as directories can contain subdirectories. These objects include the following:

    Radius: the root of the configuration hierarchy
    UserLists: contains individual UserLists, which in turn contain users
    UserGroups: contains individual UserGroups
    Clients: contains individual Clients
    Vendors: contains individual Vendors
    Scripts: contains individual Scripts
    Services: contains individual Services
    SessionManagers: contains individual Session Managers
    ResourceManagers: contains individual Resource Managers
    Profiles: contains individual Profiles
    RemoteServers: contains individual RemoteServers
    Advanced: contains Ports, Interfaces, Reply Messages, and the Attribute dictionary

    UserLists and Groups

    Cisco AR lets you organize your user community through the configuration objects UserLists, users, and UserGroups.

    Use UserLists to group users by organization, such as Company A and Company B. Each list contains the actual names of the users.

    Use users to store information about particular users, such as name, password, group membership, base profile, and so on.

    Use UserGroups to group users by function, such as PPP, Telnet, or multiprotocol users. Groups allow you to maintain common authentication and authorization requirements in one place, and have them referenced by many users.

    For more information about UserLists and UserGroups, see UserLists and Groups in Chapter 4, Cisco Access Registrar Server Objects.

    Profiles

    Cisco AR uses Profiles that allow you to group RADIUS attributes to be included in an Access-Accept packet. These attributes include values that are appropriate for a particular user class, such as PPP or Telnet user. The user's base profile defines the user's attributes, which are then added to the response as part of the authorization process.

    Although you can use Group or Profile objects in a similar manner, choosing whether to use one rather than the other depends on your site. If you require some choice in determining how to authorize or authenticate a user session, then creating specific profiles, and specifying a group that uses a script to choose among the profiles is more flexible. In such a situation, you might create a default group and then write a script that selects the appropriate profile based on the specific request. The benefit to this technique is each user can have a single entry, and use the appropriate profile depending on the way they log in. For more information about Profiles, see Profiles in Chapter 4, Cisco Access Registrar Server Objects.

    Scripts

    Cisco AR allows you to create scripts you can execute at various points within the processing hierarchy.

    Incoming scripts: enable you to read and set the attributes of the request packet, and set or change the Environment dictionary variables. You can use the environment variables to control subsequent processing, such as specifying the use of a particular authentication service.

    Outgoing scripts: enable you to modify attributes returned in the response packet.

    For more information about Scripts, see Scripts in Chapter 4, Cisco Access Registrar Server Objects.

    Services

    Cisco AR uses Services to let you determine how authentication, authorization, and/or accounting are performed. For example, to use Services for authentication:

    When you want the authentication to be performed by the Cisco AR RADIUS server, you can specify the local service. In this case, you must specify a specific UserList.

    When you want the authentication performed by another server, which might run an independent application on the same or different host than your RADIUS server, you can specify either a radius, ldap, or tacacs-udp service. In this case, you must list these servers by name.

    When you have specified more than one authentication service, Cisco AR determines which one to use for a particular Access-Request by checking the following:

    When an incoming script has set the Environment dictionary variable Authentication-Service with the name of a Service, Cisco AR uses that service.

    Otherwise, Cisco AR uses the default authentication service. The default authentication service is a property of the Radius object.

    Cisco AR chooses the authentication service based on the variable Authentication-Service, or the default. The properties of that Service specify many of the details of that authentication service, such as the specific user list to use or the specific application (possibly remote) to use in the authentication process.

    For more information about Services, see Services in the Chapter 4, Cisco Access Registrar Server Objects.

    Session Management Using Resource Managers

    Cisco AR lets you track user sessions, and/or allocate dynamic resources to users for the lifetime of their session. You can define one or more Session Managers, and have each one manage the sessions for a particular group or company.

    Session Managers use Resource Managers, which in turn manage resources of a particular type as described below.

    IP-Dynamic: manages a pool of IP addresses and allows you to dynamically allocate IP addresses from that pool
    IP-Per-NAS-Port: allows you to associate ports to specific IP addresses, and thus ensure each NAS port always gets the same IP address
    IPX-Dynamic: manages a pool of IPX network addresses
    Group-Session-Limit: manages concurrent sessions for a group of users; that is, it keeps track of how many sessions are active and denies new sessions after the configured limit has been reached
    User-Session-Limit: manages per-user concurrent sessions; that is, it keeps track of how many sessions each user has and denies the user a new session after the configured limit has been reached
    USR-VPN: manages Virtual Private Networks (VPNs) that use USR NAS Clients.

    For more information about Session Managers, see Session Managers in Chapter 4, Cisco Access Registrar Server Objects.

    If necessary, you can create a complex relationship between the Session Managers and the Resource Managers.

    When you need to share a resource among Session Managers, you can create multiple Session Managers that refer to the same Resource Manager. For example, if one pool of IP addresses is shared by two departments, but each department has a separate policy about how many users can be logged in concurrently, you might create two Session Managers and three Resource Managers: one dynamic IP Resource Manager that is referenced by both Session Managers, and two concurrent session Resource Managers, one for each Session Manager.

    In addition, Cisco AR lets you pose queries about sessions. For example, you can query Cisco AR about which session (and thus which NAS-Identifier, NAS-Port and/or User-Name) owns a particular resource, as well as query Cisco AR about how many resources are allocated or how many sessions are active.
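The two-department arrangement described above (two Session Managers with their own concurrent-session limits sharing one pool of addresses), together with the client check and the Authentication-Service selection described in the Services section, as an added illustrative model in Python. This is example code, not Cisco AR code: the classes Server, SessionManager, IPDynamic and GroupSessionLimit, the NAS addresses, the user list and the service names are all constructed assumptions. The model shows the two ways a session can be refused (the department's own limit, or the shared pool running dry), and that a refusal has to roll back any resource a previous Resource Manager already granted so a denied request leaks nothing.

```python
# Constructed model of the request flow and session management in this
# chapter; not Cisco AR code. All names and sample values are assumptions.
from dataclasses import dataclass, field


@dataclass(eq=False)          # eq=False: sessions are distinct objects, hashable by identity
class Session:
    user: str
    nas_ip: str
    attrs: dict = field(default_factory=dict)   # attributes destined for the Access-Accept


class IPDynamic:
    """IP-Dynamic: hands out one address per session from a shared pool."""
    def __init__(self, pool):
        self.free, self.held = list(pool), {}

    def allocate(self, s):
        if not self.free:
            return False
        self.held[s] = s.attrs["Framed-IP-Address"] = self.free.pop(0)
        return True

    def release(self, s):
        ip = self.held.pop(s, None)
        if ip:
            self.free.append(ip)


class GroupSessionLimit:
    """Group-Session-Limit: at most `limit` concurrent sessions in this group."""
    def __init__(self, limit):
        self.limit, self.active = limit, set()

    def allocate(self, s):
        if len(self.active) >= self.limit:
            return False
        self.active.add(s)
        return True

    def release(self, s):
        self.active.discard(s)


class SessionManager:
    """Asks each Resource Manager in order; a refusal releases what was granted."""
    def __init__(self, name, resource_managers):
        self.name, self.rms = name, resource_managers

    def start(self, s):
        granted = []
        for rm in self.rms:
            if not rm.allocate(s):
                for g in granted:
                    g.release(s)
                return False
            granted.append(rm)
        return True

    def stop(self, s):
        for rm in self.rms:
            rm.release(s)


class Server:
    """Client check -> incoming script -> service selection -> session management."""
    def __init__(self, clients, services, default_service, incoming_script):
        self.clients = clients              # NAS IP -> SessionManager for that client
        self.services = services            # service name -> callable(user, password) -> bool
        self.default_service = default_service
        self.incoming_script = incoming_script

    def handle(self, nas_ip, user, password):
        if nas_ip not in self.clients:
            return None                     # unknown client: the request is discarded, no reply
        env = {}                            # the Environment dictionary for this request
        self.incoming_script(user, env)     # may set Authentication-Service
        svc = self.services[env.get("Authentication-Service", self.default_service)]
        if not svc(user, password):
            return "Access-Reject"
        s = Session(user, nas_ip)
        if not self.clients[nas_ip].start(s):
            return "Access-Reject"          # session limit or resource pool refused
        return "Access-Accept", s


def run_scenario():
    """Two Session Managers, two Group-Session-Limits, one shared IP pool (constructed)."""
    shared_pool = IPDynamic(["10.0.0.1", "10.0.0.2", "10.0.0.3"])
    dept_a = SessionManager("dept-a", [GroupSessionLimit(2), shared_pool])
    dept_b = SessionManager("dept-b", [GroupSessionLimit(2), shared_pool])
    users = {"alice": "pw-a", "bob": "pw-b", "carol": "pw-c", "dave": "pw-d", "erin": "pw-e"}
    # "local" checks the constructed user list; "remote-ldap" stands in for a remote server
    services = {"local": lambda u, p: users.get(u) == p, "remote-ldap": lambda u, p: False}

    def incoming(user, env):                # incoming script: route partner users elsewhere
        if user.endswith("@partner"):
            env["Authentication-Service"] = "remote-ldap"

    srv = Server({"192.0.2.10": dept_a, "192.0.2.20": dept_b}, services, "local", incoming)
    r = {}
    r["unknown-nas"] = srv.handle("198.51.100.9", "alice", "pw-a")
    r["partner-user"] = srv.handle("192.0.2.10", "zed@partner", "x")
    r["a1"] = srv.handle("192.0.2.10", "alice", "pw-a")
    r["a2"] = srv.handle("192.0.2.10", "bob", "pw-b")
    r["a3"] = srv.handle("192.0.2.10", "carol", "pw-c")   # dept-a limit (2) reached
    r["b1"] = srv.handle("192.0.2.20", "dave", "pw-d")
    r["b2"] = srv.handle("192.0.2.20", "erin", "pw-e")    # dept-b under its limit, pool empty
    dept_a.stop(r["a1"][1])                               # alice logs off, address returns to pool
    r["b2-retry"] = srv.handle("192.0.2.20", "erin", "pw-e")
    return r, shared_pool
```

run_scenario() returns the outcome of each labelled request. The unknown NAS gets no response at all rather than an Access-Reject, matching the first row of the program flow where the client's address must be found in the client list before anything else happens; the partner user is rejected by the remote service the incoming script selected; carol is refused by dept-a's own limit while an address is still free; erin is refused only because the shared pool is empty, and succeeds once alice's session is stopped.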

    Cisco Access Registrar Directory Structure

    The installation process populates the /opt/CSCOar directory with the subdirectories listed in Table 1-1.

    Table 1-1 /opt/CSCOar Subdirectories

    Subdirectory   Description
    .system        Contains ELFs, or binary SPARC executables that should not be run directly.
    bin            Contains shell scripts and programs frequently used by a network administrator; programs that can be run directly.
    conf           Contains configuration files.
    data           Contains the radius directory, which contains session backing files; and the db directory, which contains configuration database files.
    examples       Contains documentation, sample configuration scripts, and shared library scripts.
    lib            Contains Cisco AR software library files.
    logs           Contains system logs and is the default directory for RADIUS accounting.
    odbc           Contains Cisco AR ODBC files.
    scripts        Contains sample scripts that you can modify to automate configuration, and to customize your RADIUS server.
    temp           Used for temporary storage.
    ucd-snmp       Contains the UCD-SNMP software Cisco AR uses.
    usrbin         Contains a symbolic link that points to bin.

    Program Flow

    When a NAS sends a request packet to Cisco AR with a name and password, Cisco AR performs the following actions. Table 1-2 describes the flow without regard to scripting points.

    Table 1-2 From Access-Request to Access-Accept

    Cisco AR Server Action, followed by Explanation:

    Receives an Access-Request
        The Cisco AR server receives an Access-Request packet from a NAS.
    Determines whether to accept the request
        The Cisco AR server checks to see if the client's IP address is listed in /Radius/Clients/<Name>/.
    Invokes the policy SelectPolicy if it exists
        The Cisco AR Policy Engine provides an interface to define and configure a policy and to apply the policy to the corresponding Access-Request packets.
    Performs authentication and/or authorization
        Directs the request to the appropriate service, which then performs authentication and/or authorization according to the type specified in /Radius/Services/<Name>/.
    Performs session management
        Directs the request to the appropriate Session Manager.

    Table 1-2 From Access-Request to Access-Accept (continued)

    Cisco AR Server Action, followed by Explanation:

    Performs resource management for each Resource Manager in the SessionManager
        Directs the request to the appropriate resource manager listed in /Radius/SessionManagers///, which then allocates or checks the resource according to the type listed in /Radius///.
    Sends an Access-Accept
        Creates and formats the response, and sends it back to the client (NAS).

    Scripting Points

    Cisco AR lets you invoke scripts you can use to affect the Request, Response, or Environment dictionaries.

    Client Scripting

    Though Cisco AR allows external code (Tcl/C/C++/Java) to be used by means of a script, custom service, policy engine, and so forth, while processing request, response, or while working with the environment dictionaries, it shall not be responsible for the scripts used and will not be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of the script.

    Client or NAS Scripting Points

    Table 1-3 shows the location of the scripting points within the section that determines whether to accept the request from the client or NAS. Note that the scripting points are indicated with an asterisk (*).

    Table 1-3 Client or NAS Scripting Points

    Action, followed by Explanation:

    Receives an Access-Request.
        The Cisco AR RADIUS server receives an Access-Request packet from a NAS.
    Determines whether to accept the request.
        The client's IP address listed in /Radius/Clients/<Name>/IPAddress.
    *Executes the server's incoming script.
        A script referred to in /Radius/IncomingScript.
    *Executes the vendor's incoming script.
        The vendor listed in /Radius/Clients/Name/Vendor, and is a script referred to in /Radius/Vendors/<Name>/IncomingScript.
    *Executes the client's incoming script.
        A script referred to in /Radius/Clients/<Name>/IncomingScript.
    Determines whether to accept requests from this specific NAS.

    Table 1-3 Client or NAS Scripting Points (continued)

    Action, followed by Explanation:

    (Determines whether to accept requests from this specific NAS, continued.)
        /Radius/Advanced/RequireNASsBehindProxyBeInClientList set to TRUE. The NAS's Identifier listed in /Radius/Clients/<Name>, or its NAS-IP-Address listed in /Radius/Clients/<Name>/IPAddress.
    If the client's IP address listed in /Radius/Clients/<Name>/IPAddress is different: *Executes the vendor's incoming script.
        The vendor listed in /Radius/Clients/Name/Vendor, and is a script referred to in /Radius/Vendors/<Name>/IncomingScript.
    *Executes the client's incoming script.
        The client listed in the previous /Radius/Clients/Name, and is a script referred to in /Radius/Clients/Name/IncomingScript.

    Authentication and/or Authorization Scripting Points

    Table 1-4 shows the location of the scripting points within the section that determines whether to perform authentication and/or authorization.

    Table 1-4 Authentication and Authorization Scripting Points

    Action, followed by Explanation:

    Determines Service to use for authentication and/or authorization.
        The Service name defined in the Environment dictionary variable Authentication-Service, and is the same as the Service defined in the Environment dictionary variable Authorization-Service. The Service name referred to by /Radius/DefaultAuthenticationService, and is the same as the Service defined in /Radius/DefaultAuthorizationService.
    Performs authentication and/or authorization.
        If the Services are the same, perform authentication and authorization. If the Services are different, just perform authentication.
    *Executes the Service's incoming script.
        A script referred to in /Radius/Services/<Name>/IncomingScript.
    Performs authentication and/or authorization.
        Based on the Service type defined in /Radius/Services/<Name>/.
    *Executes the Service's outgoing script.
        A script referred to in /Radius/Services/<Name>/OutgoingScript.
    Determines whether to perform authorization.
        The Service name defined in /Radius/DefaultAuthorizationService, if different than the Authentication Service.

  • Chapter 1 Overview Program FlowSession ManagementThe Session Management feature requires the client (NAS or proxy) to send all RADIUS accounting requests to the Cisco AR server performing session management. (The only exception is if the clients are USR/3Com Network Access Servers configured to use the USR/3Com RADIUS resource management feature.) This information is used to keep track of user sessions, and the resources allocated to those sessions.When another accounting RADIUS server needs this accounting information, the Cisco AR server performing session management might proxy it to this second server. In Cisco AR 5.0, a major command is introducedcount-sessions. The count-session lr all command helps to count the total sessions in Cisco AR. The options are similar to the query-session command options. The query-session command displays cached attributes in addition to session details.Table 1-5 describes how Cisco AR handles session management.

    Failover by the NAS and Session Management

    When a Network Access Servers primary RADIUS server is performing session management, and the NAS determines the server is not responding and begins sending requests to its secondary RADIUS server, the following occurs:

    The secondary server will not know about the current active sessions that are maintained on the primary server. Any resources managed by the secondary server must be distinct from those managed by the primary server, otherwise it will be possible to have two sessions with the same resources (for example, two sessions with the same IP address).

    *Executes the Services incoming script. A script referred to in /Radius/Services//IncomingScript.

    Performs authorization. Checks that the Service type is defined in /Radius/Services//.

    *Executes the Services outgoing script. A script referred to in /Radius/Services//OutgoingScript.

    Table 1-4 Authentication and Authorization Scripting Points (continued)

    Action Explanation

    Table 1-5 Session Management Processing

    Action Explanation

    Determines whether to perform session management.

    The session management defined in the Environment dictionary variable Session-Manager.The session management name referred to in /Radius/DefaultSessionManager.

    Performs session management. Selects Session Manager as defined in/Radius/SessionManagers/.1-8Cisco Access Registrar User Guide, 5.1

    OL-25652-01

    The primary server will miss important information that allows it to maintain a correct model of what sessions are currently active (because the authentication and accounting requests are being sent to the secondary server). This means that when the primary server comes back online and the NAS begins using it, its knowledge of what sessions are active will be out of date, and the resources for those sessions remain allocated even though they are actually free to allocate to someone else. For example, the user-session-limit resource might reject new sessions because the primary server does not know that some of the users using the resource logged out while the primary server was offline. It might be necessary to release sessions manually using the aregcmd command release-session.

    Note It might be possible to avoid this situation by having a disk drive shared between two systems, with the second RADIUS server started up once the primary server has been determined to be offline. For more information on this setup, contact Technical Support.

    Cross Server Session and Resource Management

    Prior to Cisco AR 1.6, sessions and resources were managed locally, meaning that in a multi-Cisco AR server environment, resources such as IP addresses, user-based session limits, and group-based session limits were divided between all the Cisco AR servers. It also meant that, to ensure accurate session tracking, all packets relating to one user session were required to go to the same Cisco AR server.

    Cisco AR 1.6 and above can manage sessions and resources across AAA Server boundaries. A session can be created by an Access-Request sent to AR1, and it can be removed by an Accounting-Stop request sent to AR2, as shown in Figure 1-1. This enables accurate tracking of User and Group session limits across multiple AAA Servers, and IP addresses allocated to sessions are managed in one place.

    Figure 1-1 Multiple Cisco AR Servers

    All resources that must be shared across multiple front line Cisco ARs are configured in the Central Resource Cisco AR. Resources that are not shared can still be configured at each front line Cisco AR, as was done prior to the Cisco AR 1.6 release. When the front line Cisco AR receives the access-request, it does the regular AA processing. If the packet is not rejected and a Central Resource Cisco AR is also configured, the front line Cisco AR will proxy the packet [1] to the configured Central Resource Cisco AR. If the Central Resource Cisco AR returns the requested resources, the process continues to the local session management (if a local session manager is configured) for allocating any local resources. If the Central Resource Cisco AR cannot allocate the requested resource, the packet is rejected.

    When the Accounting-Stop packet arrives at the front line Cisco AR, Cisco AR does the regular accounting processing. Then, if the front line Cisco AR is configured to use a Central Resource Cisco AR, a proxy packet will be sent to the Central Resource Cisco AR for it to release all the allocated resources for this session. After that, any locally allocated resources are released by the local session manager.

    1. The proxy packet is actually a resource allocation request, not an Access-Request.

    Session-Service Service Step and Radius-Session Service

    A new Service step has been added in the processing of Access-Request and Accounting packets. This is an additional step after the AA processing for Access packets or the Accounting processing for Accounting packets, but before the local session management processing. The Session-Service should have a service type of radius-session.

    An environment variable Session-Service is introduced to determine the Session-Service dynamically. You can use a script or the rule engine to set the Session-Service environment variable.

    Configure Front Line Access Registrar

    To use a Central Resource server, the DefaultSessionService property must be set or the Session-Service environment variable must be set through a script or the rule engine. The value in the Session-Service variable overrides the DefaultSessionService.

    The configuration parameters for a Session-Service service type are the same as those for configuring a radius service type for proxy, except the service type is radius-session. The configuration for a Session-Service Remote Server is the same as configuring a proxy server:

        [ //localhost/Radius ]
            Name = Radius
            Description =
            Version = 1.6R0
            IncomingScript =
            OutgoingScript =
            DefaultAuthenticationService = local-users
            DefaultAuthorizationService = local-users
            DefaultAccountingService = local-file
            DefaultSessionService = Remote-Session-Service
            DefaultSessionManager = session-mgr-1

        [ //localhost/Radius/Services ]
            Remote-Session-Service/
                Name = Remote-Session-Service
                Description =
                Type = radius-session
                IncomingScript =
                OutgoingScript =
                OutagePolicy = RejectAll
                OutageScript =
                MultipleServersPolicy = Failover
                RemoteServers/
                    1. central-server

        [ //localhost/Radius/RemoteServers ]
            central-server/
                Name = central-server
                Description =
                Protocol = RADIUS
                IPAddress = 209.165.200.224
                Port = 1645
                ReactivateTimerInterval = 300000
                SharedSecret = secret
                Vendor =
                IncomingScript =
                OutgoingScript =
                MaxTries = 3
                InitialTimeout = 2000
                AccountingPort = 1646

    Configure Central Cisco AR

    Resources at the Central Resource server are configured the same way as local resources are configured. These resources are local resources from the Central Resource server's point of view.

    Script Processing Hierarchy

    For request packets, the script processing order is from the most general to the most specific. For response packets, the processing order is from the most specific to the most general. Table 1-6, Table 1-7, and Table 1-8 show the overall processing order and flow: (1-6) Incoming Scripts, (7-11) Authentication/Authorization Scripts, and (12-17) Outgoing Scripts.

    Note The client and the NAS can be the same entity, except when the immediate client is acting as a proxy for the actual NAS.

    Table 1-6 Cisco AR Processing Hierarchy for Incoming Scripts

    Overall Flow Sequence: Incoming Scripts
        1) Radius.
        2) Vendor of the immediate client.
        3) Immediate client.
        4) Vendor of the specific NAS.
        5) Specific NAS.
        6) Service.

    Table 1-7 Cisco AR Processing Hierarchy for Authentication/Authorization Scripts

    Overall Flow Sequence: Authentication/Authorization Scripts
        7) Group Authentication.
        8) User Authentication.
        9) Group Authorization.
        10) User Authorization.
        11) Session Management.

    Table 1-8 Cisco AR Processing Hierarchy for Outgoing Scripts

    Overall Flow Sequence: Outgoing Scripts
        12) Service.
        13) Specific NAS.
        14) Vendor of the specific NAS.
        15) Immediate client.
        16) Vendor of the immediate client.
        17) Radius.

    RADIUS Protocol

    Cisco AR is based on a client/server model, which supports AAA (authentication, authorization, and accounting). The client is the Network Access Server (NAS) and the server is Cisco AR. The client passes user information on to the RADIUS server and acts on the response it receives. The server, on the other hand, is responsible for receiving user access requests, authenticating and authorizing users, and returning all of the necessary configuration information the client can then pass on to the user.

    The protocol is a simple packet exchange in which the NAS sends a request packet to the Cisco AR with a name and a password. Cisco AR looks up the name and password to verify it is correct, determines for which dynamic resources the user is authorized, then returns an accept packet that contains configuration information for the user session (Figure 1-2).

    Figure 1-2 Packet Exchange Between User, NAS, and RADIUS (the user supplies Name=Jane, Password=xyz to the NAS; the NAS sends a request to the RADIUS server and receives a response)

    Cisco AR can also reject the packet if it needs to deny network access to the user. Or, Cisco AR can issue a challenge that the NAS sends to the user, who then creates the proper response and returns it to the NAS, which forwards the challenge response to Cisco AR in a second request packet.

    In order to ensure network security, the client and server use a shared secret, which is a string they both know, but which is never sent over the network. User passwords are also encrypted between the client and the server to protect the network from unauthorized access.

    Steps to Connection

    Three participants exist in this interaction: the user, the NAS, and the RADIUS server. The following steps describe the receipt of an access request through the sending of an access response.

    Step 1 The user, at a remote location such as a branch office or at home, dials into the NAS, and supplies a name and password.

    Step 2 The NAS picks up the call and begins negotiating the session.
        a. The NAS receives the name and password.

        b. The NAS formats this information into an Access-Request packet.
        c. The NAS sends the packet on to the Cisco AR server.

    Step 3 The Cisco AR server determines what hardware sent the request (NAS) and parses the packet.
        a. It sets up the Request dictionary based on the packet information.
        b. It runs any incoming scripts, which are user-written extensions to Cisco AR. An incoming script can examine and change the attributes of the request packet or the environment variables, which can affect subsequent processing.
        c. Based on the scripts or the defaults, it chooses a service to authenticate and/or authorize the user.

    Step 4 Cisco AR's authentication service verifies that the username and password are in its database. Or, Cisco AR delegates the authentication (as a proxy) to another RADIUS server, an LDAP server, or a TACACS server.

    Step 5 Cisco AR's authorization service creates the response with the appropriate attributes for the user's session and puts it in the Response dictionary.

    Step 6 If you are using Cisco AR session management at your site, the Session Manager calls the appropriate Resource Managers that allocate dynamic resources for this session.

    Step 7 Cisco AR runs any outgoing scripts to change the attributes of the response packet.

    Step 8 Cisco AR formats the response based on the Response dictionary and sends it back to the client (NAS).

    Step 9 The NAS receives the response and communicates with the user, which might include sending the user an IP address to indicate the connection has been successfully established.

    Types of RADIUS Messages

    The client/server packet exchange consists primarily of the following types of RADIUS messages:

        Access-Request: sent by the client (NAS) requesting access
        Access-Reject: sent by the RADIUS server rejecting access
        Access-Accept: sent by the RADIUS server allowing access
        Access-Challenge: sent by the RADIUS server requesting more information in order to allow access. The NAS, after communicating with the user, responds with another Access-Request.

    When you use RADIUS accounting, the client and server can also exchange the following two types of messages:

        Accounting-Request: sent by the client (NAS) requesting accounting
        Accounting-Response: sent by the RADIUS server acknowledging accounting

    Packet Contents

    The information in each RADIUS message is encapsulated in a UDP (User Datagram Protocol) data packet. A packet is a block of data in a standard format for transmission. It is accompanied by other information, such as the origin and destination of the data. Table 1-9 lists a description of the five fields in each message packet.

    The Attribute Dictionary

    The Attribute dictionary contains a list of preconfigured authentication, authorization, and accounting attributes that can be part of a client's or user's configuration. The dictionary entries translate an attribute into a value Cisco AR uses to parse incoming requests and generate responses. Attributes have a human-readable name and an enumerated equivalent from 1-255. Sixty-three standard attributes exist, which are defined in RFC 2138 and 2139. There also are additional vendor-specific attributes that depend on the particular NAS you are using. Some sample attributes include:

        User-Name: the name of the user
        User-Password: the user's password
        NAS-IP-Address: the IP address of the NAS
        NAS-Port: the NAS port the user is dialed in to
        Framed-Protocol: such as SLIP or PPP
        Framed-IP-Address: the IP address the client uses for the session
        Filter-ID: vendor-specific; identifies a set of filters configured in the NAS
        Callback-Number: the actual callback number

    Table 1-9 RADIUS Packet Fields

    Field / Description

    Code
        Indicates message type: Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, or Accounting-Response.

    Identifier
        Contains a value that is copied into the server's response so the client can correctly associate its requests and the server's responses when multiple users are being authenticated simultaneously.

    Length
        Provides a simple error-checking device. The server silently drops a packet if it is shorter than the value specified in the length field, and ignores the octets beyond the value of the length field.

    Authenticator
        Contains a value for a Request Authenticator or a Response Authenticator. The Request Authenticator is included in a client's Access-Request. The value is unpredictable and unique, and is added to the client/server shared secret so the combination can be run through a one-way algorithm. The NAS then uses the result in conjunction with the shared secret to encrypt the user's password.

    Attribute(s)
        Depends on the type of message being sent. The number of attribute/value pairs included in the packet's attribute field is variable, including those required or optional for the type of service requested.
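    As an added illustration of the packet layout in Table 1-9 and of the Authenticator and password protection described above (example code written for this page, not code from the guide or from Cisco AR), the following Python builds and parses RADIUS packets, applies the Length rule, hides and recovers a User-Password with the RFC 2865 MD5 scheme, and verifies a Response Authenticator on the client side. The shared secret, Request Authenticator, Identifier and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the guide). A real NAS generates a
# fresh, unpredictable 16-octet Request Authenticator for every request.
SECRET = b"secret"
REQUEST_AUTH = bytes(range(16))

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2           # Code field values
USER_NAME, USER_PASSWORD, FRAMED_IP = 1, 2, 8  # attribute types


def hide_password(password, secret, request_auth):
    """RFC 2865 User-Password hiding: pad to a 16-octet multiple, then XOR
    each block with MD5(secret + previous block), seeded with the Request
    Authenticator. Anyone holding the shared secret can reverse this."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def recover_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attribute field: Type(1) Length(1, includes this header) Value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(datagram):
    """Length rule of Table 1-9: return None (silently drop) when the datagram
    is shorter than its Length field; ignore octets beyond it; split attrs."""
    if len(datagram) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < 20 or len(datagram) < length:
        return None
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            return None
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            return None
        attrs.append((atype, datagram[pos + 2:pos + alen]))
        pos += alen
    return code, ident, datagram[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(datagram, ident, request_auth, secret):
    """Client check: Identifier matches the outstanding request and the
    Response Authenticator verifies under the shared secret."""
    parsed = parse_packet(datagram)
    if parsed is None or parsed[1] != ident:
        return False
    code, _, auth, attrs = parsed
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(auth, expected)
```

    The password hiding is only as strong as the shared secret, so a long random secret per client and a trusted path between NAS and server are what actually protect the credential on the wire.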

    Proxy Servers

    Any one or all of the RADIUS server's three functions (authentication, authorization, or accounting) can be subcontracted to another RADIUS server. Cisco AR then becomes a proxy server. Proxying to other servers enables you to delegate some of the RADIUS server's functions to other servers.

    You could use Cisco AR to proxy to an LDAP server for access to directory information about users in order to authenticate them. Figure 1-3 shows user joe initiating a request, the Cisco AR server proxying the authentication to the LDAP server, and then performing the authorization and accounting processing in order to enable joe to log in.

    Figure 1-3 Proxying to an LDAP Server for Authentication (the NAS sends a request with user=joe, password=xyz to Access Registrar, which proxies the authentication to LDAP, then performs authorization and accounting and returns the response)

    CHAPTER 2 Using the aregcmd Commands

    Revised: September 17, 2011, OL-25652-01

    This chapter describes how to use each of the aregcmd commands. The Cisco AR 4.2 aregcmd command is a command-line based configuration tool. It allows you to set any Cisco Access Registrar (Cisco AR) configurable option, as well as start and stop the server and check statistics. This chapter contains the following sections:

        General Command Syntax, page 2-1
        aregcmd Commands, page 2-4
        aregcmd Command Logging, page 2-16
        aregcmd Command Line Editing, page 2-17
        aregcmd Error Codes, page 2-17

    General Command Syntax

    Cisco AR stores its configuration information in a hierarchy. Using the aregcmd command cd (change directory) you can move through this information in the same manner as you would through any hierarchical file system. Or you can supply full pathnames to these commands to affect another part of the hierarchy, and thus avoid explicitly using the cd command to change to that part of the tree.

    aregcmd command parsing is case insensitive, which means you can use upper or lowercase letters to designate elements. In addition, when you reference existing elements in the configuration, you need only specify enough of the element's name to distinguish it from the other elements at that level. For example, instead of entering cd Administrators, you can enter cd ad when no other element at the current level begins with ad.

    aregcmd command parsing is command-line order dependent; that is, the arguments are interpreted based on their position on the command line. To indicate an empty string as a placeholder on the command line, use either single ('') or double quotes (""). In addition, when you use any arguments that contain spaces, you must quote the arguments. For example, when you use the argument Local Users, you must enclose the phrase in quotes. The aregcmd command can contain a maximum of 255 characters when specifying a parameter and 511 characters for the entire command.

    The aregcmd command syntax is:

        aregcmd [-C ] [-N ] [-P ] [-V] [-f ] [-l ] [-n] [ []] [-p] [-q] [-v]

        -C  Specifies the name of the cluster to log into by default
        -N  Specifies the name of the administrator
        -P  Specifies the password
        -V  Specifies view-only mode
        -f  Specifies a file that can contain a series of commands
        -l  Specifies a directory where the Cisco AR license file is stored and returns information about licensed components
        -n  Turns off prefix mode
        -p  Specifies prefix mode
        -q  Turns off verbose mode
        -v  Specifies verbose mode

    Note The verbose (-v) and prefix (-p) modes are on by default when you run aregcmd interactively (that is, when no command is entered on the command line and commands are not being run from a script file). Otherwise, verbose and prefix modes are off.

    When you include a command (with the appropriate arguments) on the command line, aregcmd runs only that one command and saves any changes.

    View-Only Administrator Mode

    Previous releases of Cisco AR provided only super-user administrative access. If you were able to log in to aregcmd, you could do anything to the system, including starting and stopping the system and changing the configuration. Cisco AR provides view-only administrative access. View-only access restricts an administrator to only being able to observe the system and prevents that user from making changes.

    View-only access can be encountered in three ways:

        Specific administrators can be restricted to view-only access whenever they log in.

        Administrators not restricted to view-only access can choose to start aregcmd in a view-only mode. This might be used when an administrator wants to ensure that he or she does not make any changes.

        When an administrator who is not view-only logs in to a slave server, they will be unable to make changes to any parts of the configuration other than /Radius/Replication, /Radius/Advanced/Ports, /Radius/Advanced/Interfaces or the properties in /Radius/Advanced. This is because the rest of the configuration is replicated from the master server, and changes made directly on the slave will cause problems.

    Note When a user logs in, the system determines whether the user's session is view-only or not. If the configuration is changed after a user has logged in, that change does not take effect until the affected user logs out and logs back in.

    ViewOnly Property

    The ViewOnly property has been added to the Administrators configuration. The default setting for the ViewOnly property is FALSE. The following shows the default setting for the admin user:

        cd /Administrators/admin

        [ //localhost/Administrators/admin ]
            Name = admin
            Description =
            Password =
            ViewOnly = FALSE

    You can designate specific administrators to be view-only administrators by setting the new ViewOnly property to TRUE. If that property is set to TRUE, any time the administrator logs in to aregcmd the session will be in view-only mode. If set to FALSE, when the administrator logs in to a master server, the session will have full super-user capability. If the administrator logs in to a slave, the only part of the configuration they will be able to modify is that part under /Radius/Replication, /Radius/Advanced/Ports, /Radius/Advanced/Interfaces or the properties in /Radius/Advanced. When in a view-only session, the following commands will cause an error: add, delete, set, unset,