Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

User Guide for Cisco Access Registrar, 5.1
Release 5.1
December 12, 2011
Text Part Number: OL-25652-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN
THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE
ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION
OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING
PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU
ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an
adaptation of a program developed by the University of California,
Berkeley (UCB) as part of UCB's public domain version of the UNIX
operating system. All rights reserved. Copyright © 1981, Regents of
the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES
AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES,
EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR
TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY
INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING
OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR
ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks
of Cisco and/or its affiliates in the U.S. and other countries. To
view a list of Cisco trademarks, go to this URL:
www.cisco.com/go/trademarks. Third-party trademarks mentioned are
the property of their respective owners. The use of the word
partner does not imply a partnership relationship between Cisco and
any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are
not intended to be actual addresses. Any examples, command display
output, and figures included in the document are shown for
illustrative purposes only. Any use of actual IP addresses in
illustrative content is unintentional and coincidental.
User Guide for Cisco Access Registrar, 5.1
© 2011 Cisco Systems, Inc. All rights reserved.
-
OL-25652-01
Proxy Servers 1-15
C H A P T E R 2 Using the aregcmd Comma
General Command SyntaView-Only Administictionary 1-14C O N T E N
T S
About This Guide xxxi
How This Book Is Organized xxxi
Obtaining Documentation and Submitting a Service Request
xxxii
Notices xxxiiiOpenSSL/Open SSL Project xxxiii
License Issues xxxiii
C H A P T E R 1 Overview 1-1
Cisco Access Registrar Hierarchy 1-2UserLists and Groups
1-2Profiles 1-3Scripts 1-3Services 1-3Session Management Using
Resource Managers 1-4
Cisco Access Registrar Directory Structure 1-5
Program Flow 1-5Scripting Points 1-6
Client Scripting 1-6Client or NAS Scripting Points
1-6Authentication and/or Authorization Scripting Points 1-7
Session Management 1-8Failover by the NAS and Session Management
1-8Cross Server Session and Resource Management 1-9
Script Processing Hierarchy 1-11
RADIUS Protocol 1-12Steps to Connection 1-12Types of RADIUS
Messages 1-13
Packet Contents 1-13The Attribute DiiiCisco Access Registrar
User Guide, 5.1
nds 2-1
x 2-1rator Mode 2-2
-
ContentsViewOnly Property 2-3Configuration Objects 2-3aregcmd
Command Performance 2-3
RPC Bind Services 2-4
aregcmd Commands 2-4add 2-4cd 2-5delete 2-5exit 2-5filter
2-5find 2-6help 2-6insert 2-6login 2-6logout 2-7ls 2-7next 2-7prev
2-8pwd 2-8query-sessions 2-8quit 2-9release-sessions 2-9reload
2-9reset-stats 2-10save 2-10set 2-11start 2-11stats 2-12status
2-13stop 2-14trace 2-14trace-file-count 2-15unset 2-15validate
2-16
aregcmd Command Logging 2-16
aregcmd Command Line Editing 2-17
aregcmd Error Codes 2-17ivCisco Access Registrar User Guide,
5.1
OL-25652-01
-
ContentsC H A P T E R 3 Using the Graphical User Interface
3-1
Launching the GUI 3-1Disabling HTTP 3-2Disabling HTTPS 3-2Login
Page 3-3
Logging In 3-3Logging Out 3-4
Common Methodologies 3-4Filtering Records 3-4Deleting Records
3-4Setting Record Limits per Page 3-4Common Navigations
3-5Relocating Records 3-5
Dashboard 3-6Sessions 3-6
Configuring Cisco Access Registrar 3-6RADIUS 3-7Profiles 3-8
Adding Profile Details 3-9Editing Profile Details 3-9
UserGroups 3-9Adding UserGroup Details 3-10Editing UserGroup
Details 3-11
UserList 3-11Adding UserList Details 3-12Editing UserList
Details 3-12
Users 3-12Adding User Details 3-13Editing User Details 3-14
Scripts 3-14Adding Script Details 3-15Editing Script Details
3-16
Policies 3-16Adding Policy Details 3-16Editing Policy Details
3-16
Services 3-17Simple Services 3-17ServiceWithRS 3-21vCisco Access
Registrar User Guide, 5.1
OL-25652-01
PEAP Service 3-23
-
ContentsEAP Service 3-26Diameter Service 3-34
Adding Diameter Service Details 3-34Editing Diameter Service
Details 3-38
Replication 3-38Adding Replication Details 3-39Editing
Replication Member Details 3-40
RADIUS Dictionary 3-40Adding Radius Dictionary Details
3-40Editing Radius Dictionary Details 3-41
Vendor Dictionary 3-41Adding Vendor Dictionary Details
3-41Editing Vendor Dictionary Details 3-42
Vendor Attributes 3-42Adding Vendor Attributes 3-43Editing
Vendor Attributes 3-43
Vendors 3-44Adding Vendor Details 3-44Editing Vendor Details
3-45
Translations 3-45Adding Translation Details 3-46Editing
Translation Details 3-46
Translation Groups 3-46Adding Translation Group Details
3-47Editing Translation Group Details 3-47
DIAMETER 3-48General 3-48SessionManagement 3-49Applications
3-50Commands 3-52
Advanced 3-53Default 3-54BackingStore/ServerParam
3-58RemoteSessionServer 3-62SNMP 3-64DDNS 3-65ODBCDataSources
3-66Log 3-67Ports 3-69viCisco Access Registrar User Guide, 5.1
OL-25652-01
Interfaces 3-70
-
ContentsAttribute Groups 3-70Rules 3-71
Setting Rules 3-71Editing Rules 3-72
Session Managers 3-73Adding Session Manager Details 3-73Editing
Session Manager Details 3-76
Resource Manager 3-76Adding Resource Manager Details 3-77Editing
Resource Manager Details 3-84
Network Resources 3-84Clients 3-84
Adding Client Details 3-85Editing Client Details 3-88
Remote Servers 3-88LDAP 3-88LDAP Accounting 3-92Domain
Authentication 3-95ODBC/OCI 3-96ODBC/OCI-Accounting 3-99Others
3-101
Administration 3-104Administrators 3-104
Adding Administrator Details 3-104Editing Administrator Details
3-105
Statistics 3-106Diameter Statistics 3-108Backup and Restore
3-112License Upload 3-112
Read-Only GUI 3-112
C H A P T E R 4 Cisco Access Registrar Server Objects 4-1
Radius 4-2
UserLists 4-3Users 4-4
HiddenAttributes Property 4-4
UserGroups 4-5
Policies 4-5viiCisco Access Registrar User Guide, 5.1
OL-25652-01
Clients 4-6
-
ContentsVendors 4-9
Scripts 4-10
Services 4-11Types of Services 4-12
Domain Authentication 4-13EAP Services 4-13File 4-13Group
4-14Java 4-16LDAP 4-16Local 4-17ODBC 4-18ODBC-Accounting
4-19Prepaid Services 4-19RADIUS 4-19Radius Query 4-19RADIUS-Session
4-24Rex 4-24WiMAX 4-25Diameter 4-25
Session Managers 4-30Session Creation 4-32Session Notes 4-33Soft
Group Session Limit 4-34
Session Correlation Based on User-Defined Attributes 4-34
Resource Managers 4-35Types of Resource Managers 4-36
Gateway Subobject 4-36Group-Session-Limit 4-37Home-Agent
4-37Home-Agent-IPv6 4-37IP-Dynamic 4-37IP-Per-NAS-Port
4-38IPX-Dynamic 4-38Session-Cache 4-38Subnet-Dynamic
4-39User-Session-Limit 4-40USR-VPN 4-40viiiCisco Access Registrar
User Guide, 5.1
OL-25652-01
Dynamic-DNS 4-40
-
ContentsRemote-IP-Dynamic 4-41Remote-User-Session-Limit
4-41Remote-Group-Session-Limit 4-41Remote-Session-Cache 4-41
Profiles 4-41Attributes 4-42
Translations 4-42
TranslationGroups 4-43
Remote Servers 4-43Types of Protocols 4-44
Domain Authentication 4-45Dynamic DNS 4-46LDAP 4-47Map-Gateway
4-50Sigtran 4-51ODBC 4-52ODBC-Accounting 4-53Prepaid-CRB
4-54Prepaid-IS835C 4-55RADIUS 4-55
Rules 4-56
Advanced 4-56RemoteODBCSessionServer 4-68Using the
RequireNASsBehindProxyBeInClientList Property 4-69Advance Duplicate
Detection Feature 4-69Invalid EAP Packet Processing 4-70Ports
4-70Interfaces 4-70Reply Messages 4-71Attribute Dictionary 4-72
Types 4-73Vendor Attributes 4-74
SNMP 4-74Diameter 4-74
Configuring Diameter TransportManagement Properties
4-75Configuring Diameter SessionManagement 4-77Configuring Diameter
Application 4-78Configuring Diameter Commands 4-79ixCisco Access
Registrar User Guide, 5.1
OL-25652-01
Configuring Diameter Dictionary 4-85
-
ContentsC H A P T E R 5 Using the radclient Command 5-1
radclient Command Syntax 5-1
Working with Packets 5-2Creating Packets 5-2Creating CHAP
Access-Request Packets 5-2Viewing Packets 5-3Sending Packets
5-3Creating Empty Packets 5-3Setting Packet Fields 5-4Reading
Packet Fields 5-4Deleting Packets 5-5
Attributes 5-5Creating Attributes 5-5Setting Multivalued
Attributes 5-5Viewing Attributes 5-6Getting Attribute Information
5-6Deleting Attributes 5-7Using the radclient Command 5-7
Example 1 5-7Example 2 5-8Example 3 5-9
Using radclient Test Commands 5-9radclient Variables 5-9Using
timetest 5-10Using callsPerSecond 5-11Additional radclient
Variables 5-11
C H A P T E R 6 Configuring Local Authentication and
Authorization 6-1
Configuring a Local Service and UserList 6-1Configuring a Local
Service 6-2Configuring a Userlist 6-3Configuring Cisco Access
Registrar to Use the Local Service For AA 6-3Activating the
Configuration 6-4
Troubleshooting the Local Service and UserList Configuration
6-4Verifying the Configuration 6-5Configuring Return Attributes and
Check-Items 6-6
Configuring Per User Return Attributes 6-6Configuring Per User
Check-Items 6-7xCisco Access Registrar User Guide, 5.1
OL-25652-01
Verifying the Per User Return Attributes and Check-Items
Configuration 6-7
-
ContentsConfiguring Profiles to Group Attributes 6-8Configuring
Return Attributes and Check-Items Using UserGroup 6-9
Return Attribute Precedence 6-10
aregcmd Command Performance 6-10
UserDefined1 Property 6-11
Access-Request Logging 6-11
C H A P T E R 7 RADIUS Accounting 7-1
Understanding RADIUS Accounting 7-1
Setting Up Accounting 7-2Accounting Log File Rollover 7-2
FilenamePrefix 7-3MaxFileSize 7-3MaxFileAge 7-4RolloverSchedule
7-4UseLocalTimeZone 7-5
Oracle Accounting 7-5Configuring Oracle Accounting 7-5
ODBC-Accounting Service 7-5ODBC RemoteServers 7-6Configuration
Examples 7-8
Packet Buffering 7-9When Using Packet Buffering 7-9With Packet
Buffering Disabled 7-9
Dynamic SQL Feature 7-9
LDAP Accounting 7-10Configuring LDAP Accounting 7-10
LDAP-Accounting Service 7-10LDAP RemoteServers 7-10Configuration
Examples 7-13Configuring the LDAP Service for Accounting
7-14Configuring an LDAP-Accounting RemoteServer 7-15Setting
LDAP-Accounting As Accounting Service 7-17
MySQL Support 7-18Configuring MySQL 7-18Example Configuration
7-19
Proxying Accounting Records 7-19Configuring the Local Cisco
Access Registrar Server 7-19xiCisco Access Registrar User Guide,
5.1
OL-25652-01
Configuring the Local Accounting Service 7-20
-
ContentsConfiguring the Remote Accounting Service
7-20Configuring the Group Accounting Service 7-20
Configuring the RemoteServer Object 7-21
Accounting Log Examples 7-21Accounting-Start Packet
7-21Accounting Stop Packet 7-22Trace of Successful Accounting
7-22
Sample Error Messages 7-22
C H A P T E R 8 Diameter 8-1
Prerequisites for Diameter 8-2
Diameter Server Startup Log 8-2
Diameter Stack Level Messages 8-3Capabilities Exchange Message
8-3Watchdog Message 8-4Terminating Diameter User Session 8-4
Configuring Authentication and Authorization for Diameter
8-4Configuring Local Authentication and Authorization 8-4
Configuring a Local Service and UserList 8-5Configuring External
Authentication Service 8-6
Configuring Diameter Accounting 8-6Understanding Diameter
Accounting 8-6Setting Up Local Accounting 8-7Setting up Oracle
Accounting 8-7Diameter Accounting Log Examples 8-7
Accounting Event Packet 8-7Accounting Start Packet 8-7Account
Interim Packet 8-7Accounting Stop Packet 8-8
Trace of Successful Accounting 8-8
Configuring the Diameter Application in Cisco AR 8-9Importing
Application Specific Cisco AVPs to Cisco AR Internal Database
8-9Configuring the Transport Management Properties 8-10Registering
Applications IDs 8-11Configuring the Diameter Peers 8-11Configure
the Diameter Service 8-12
Writing Diameter Application in Cisco AR 8-17Configuring rex
script/service for Diameter 8-17xiiCisco Access Registrar User
Guide, 5.1
OL-25652-01
Scripting in Diameter 8-18
-
ContentsDiameter Environment Variables 8-18Sample rex
script/service 8-19Traces/Logs 8-20
Diameter Routing Agent 8-21Diameter Relay Agent 8-21Diameter
Proxy Agent 8-22
RoundRobin 8-22FailOver 8-23IMSI Range Based 8-23Configuring
Diameter Proxy 8-23Configuring Cisco AR to Demultiplex the Diameter
CCR-T 8-26Traces/Logs 8-28Writing Diameter Proxy Extension Scripts
8-30Sample Diameter Proxy Extension Script 8-30Traces/Logs 8-31
Diameter Redirect Agent 8-32Configuring Diameter Redirect Agent
8-33
Importing Diameter Command Codes 8-34
Support for SCTP including Multihoming 8-34
C H A P T E R 9 Extensible Authentication Protocols 9-1
EAP-AKA 9-2Configuring EAP-AKA 9-2Testing EAP-AKA with radclient
9-6
EAP-FAST 9-6Configuring EAP-FAST 9-7EAP-FAST Keystores
9-10Testing EAP-FAST with radclient 9-11
PAC Provisioning 9-12Authentication 9-13
Parameters Used for Certificate-Based Authentication
9-13radclient Command Reference 9-14
PACCredential Export Utility 9-16PAC Export 9-16PAC Display
9-16Syntax Summary 9-17
EAP-GTC 9-17Configuring EAP-GTC 9-17xiiiCisco Access Registrar
User Guide, 5.1
OL-25652-01
Testing EAP-GTC with radclient 9-18
-
ContentsEAP-LEAP 9-19Configuring EAP-LEAP 9-19
EAP-MD5 9-20Configuring EAP-MD5 9-20
EAP-Negotiate 9-20Configuring EAP-Negotiate 9-21Negotiating PEAP
Tunnel Services 9-22Testing EAP-Negotiate with radclient 9-22
EAP-MSChapV2 9-22Configuring EAP-MSChapV2 9-22Testing
EAP-MSChapV2 with radclient 9-23
EAP-SIM 9-24Configuring EAP-SIM 9-24
EAP-Transport Level Security (TLS) 9-28Configuring EAP-TLS
9-28Testing EAP-TLS with radclient 9-31Testing EAP-TLS with Client
Certificates 9-31
EAP-TTLS 9-32Configuring EAP-TTLS 9-32
Creating an EAP-TTLS Service 9-33Configuring an EAP-TTLS
Authentication Service 9-36
Testing EAP-TTLS with radclient 9-38Testing EAP-TTLS Using
Legacy Methods 9-39Testing EAP-TTLS Using EAP Methods 9-39
rehash-ca-certs Utility 9-40
radclient Command Reference 9-40eap-trace 9-40tunnel 9-41
Protected EAP 9-41PEAP Version 0 9-42
Configuring PEAP Version 0 9-42Testing PEAP Version 0 with
radclient 9-45Testing PEAP Version 0 with Client Certificates
9-46
PEAP Version 1 9-46Configuring PEAP Version 1 9-46Testing PEAP
Version 1 with radclient 9-49Testing PEAP Version 1 with Client
Certificates 9-49
CRL Support for Cisco Access Registrar 9-50xivCisco Access
Registrar User Guide, 5.1
OL-25652-01
Configuring Certificate Validation Using CRL 9-50
-
ContentsUsing Intermediate Certificates in Cisco AR 9-51
C H A P T E R 10 Using WiMAX in Cisco Access Registrar 10-1
WiMAX - An Overview 10-1
WiMAX in Cisco Access Registrar 10-2Direct Interaction Between
the ASN GW and Cisco Access Registrar 10-3Interaction Between ASN
GW and Cisco Access Registrar Through HA 10-5Prepaid and Hot-Lining
10-6
Configuring WiMAX in Cisco Access Registrar 10-6Configuring the
Resource Manager for WiMAX 10-7Configuring the Session Manager for
WiMAX 10-8Configuring the Query Service for WiMAX 10-8Configuring
WiMAX 10-9
WiMAX - OMA-DM Provisioning Support with BEK key
10-11Configuring WiMax-Provisioning 10-11
WiMax Lawful Interception (LI) Support in Cisco AR
10-12Configuring WiMax-Lawful Intercept 10-15
C H A P T E R 11 Using Extension Points 11-1
Determining the Goal of the Script 11-2
Writing the Script 11-3Choosing the Type of Script 11-3
Request Dictionary Script 11-3Response Dictionary Script
11-4Environment Dictionary Script 11-4
Adding the Script Definition 11-5Adding the Example Script
Definition 11-5Choosing the Scripting Point 11-6Testing the Script
11-6
About the Tcl/Tk 8.3 Engine 11-6
Cisco Access Registrar Scripts 11-6ACMEOutgoingScript
11-7AltigaIncomingScript 11-7AltigaOutgoingScript 11-7ANAAAOutgoing
11-7AscendIncomingScript 11-7AscendOutgoingScript 11-7AuthorizePPP
11-7xvCisco Access Registrar User Guide, 5.1
OL-25652-01
AuthorizeService 11-7
-
ContentsAuthorizeSLIP 11-8AuthorizeTelnet 11-8CabletronIncoming
11-8CabletronOutgoing 11-8CiscoIncoming 11-8CiscoOutgoing
11-8CiscoWithODAPIncomingScript 11-8ExecCLIDRule 11-9ExecDNISRule
11-9ExecFilterRule 11-9ExecNASIPRule 11-9ExecRealmRule
11-9ExecTimeRule 11-9LDAPOutage 11-10MapSourceIPAddress
11-10ParseAAARealm 11-10ParseAAASRealm 11-10ParseAARealm
11-10ParseAASRealm 11-11ParseProxyHints
11-11ParseServiceAndAAARealmHints
11-11ParseServiceAndAAASRealmHints 11-11ParseServiceAndAARealmHints
11-11ParseServiceAndAASRealmHints 11-11ParseServiceAndProxyHints
11-12ParseServiceHints 11-12ParseTranslationGroupsByCLID
11-12ParseTranslationGroupsByDNIS
11-12ParseTranslationGroupsByRealm 11-12UseCLIDAsSessionKey
11-12USRIncomingScript
11-12USRIncomingScript-IgnoreAccountingSignature
11-13USROutgoingScript 11-13
C H A P T E R 12 Using Replication 12-1
Replication Overview 12-1
How Replication Works 12-2Replication Data Flow 12-2
Master Server 12-3xviCisco Access Registrar User Guide, 5.1
OL-25652-01
-
ContentsSlave Server 12-3Security 12-3Replication Archive
12-3Ensuring Data Integrity 12-4
Transaction Data Verification 12-4Transaction Order
12-4Automatic Resynchronization 12-4
Full Resynchronization 12-5Understanding Hot-Configuration
12-5Replications Impact on Request Processing 12-5
Replication Configuration Settings 12-6RepType
12-6RepTransactionSyncInterval 12-6
Master 12-6Slave 12-6
RepTransactionArchiveLimit 12-7RepIPAddress 12-7RepPort
12-7RepSecret 12-7RepIsMaster 12-8RepMasterIPAddress
12-8RepMasterPort 12-8Rep Members Subdirectory 12-8Rep
Members/Slave1 12-8Name 12-8IPAddress 12-9Port 12-9
Setting Up Replication 12-9Configuring the Master
12-9Configuring The Member 12-10Verifying the Configuration
12-11
Replication Example 12-11Adding a User 12-11
Master Servers Log 12-12Member Servers Log 12-12
Verifying Replication 12-12Master Servers Log 12-12Member
Servers Log 12-13xviiCisco Access Registrar User Guide, 5.1
OL-25652-01
Using aregcmd -pf Option 12-13
-
ContentsMaster Servers Log 12-14Member Servers Log 12-14
An Automatic Resynchronization Example 12-14Master Servers Log
12-15Member Servers Log 12-15
Full Resynchronization 12-15
Replication Setup with More Than One Slave 12-17
Frequently Asked Questions 12-18
Replication Log Messages 12-19Information Log Messages
12-19Warning Log Messages 12-21Error Log Messages 12-22Log Messages
You Should Never See 12-23
C H A P T E R 13 Using On-Demand Address Pools 13-1
Cisco-Incoming Script 13-3How the Script Works
13-3CiscoWithODAPIncomingScript 13-3
Vendor Type CiscoWithODAP 13-4
Configuring Cisco Access Registrar to Work with ODAP
13-4Configuration Summary 13-4Detailed Configuration 13-5
Setting Up an ODAP UserList 13-5Adding ODAP Users 13-5Setting Up
an ODAP-Users Service 13-6Setting Up an ODAP Accounting Service
13-7Adding Session Managers 13-8Setting Up Resource Managers
13-9Configuring Session Managers 13-13Configure Clients 13-15Save
Your Configuration 13-16
C H A P T E R 14 Using Identity Caching 14-1
Overview 14-1
Identity Caching Features 14-2
Configuring Cisco Access Registrar for Identity Caching 14-3
Starting Identity Caching 14-6xviiiCisco Access Registrar User
Guide, 5.1
OL-25652-01
XML Interface 14-8
-
ContentsC H A P T E R 15 Using Trusted ID Authorization with
SESM 15-1
Trusted ID Operational Overview 15-1Configuration Overview
15-2Request Processing 15-2Session Cache Life Cycle
15-3Configuration Restrictions 15-3
Software Requirements 15-3Installing Cisco Access Registrar
15-4Running the TrustedIdInstall Program 15-4
Using the TrustedIdInstall.bin GUI 15-4Using the
TrustedIdInstall Command Line 15-8
Configuring Cisco Access Registrar for Trusted Identity with
SESM 15-12Configuring the RADIUS Ports 15-12Configuring NAS Clients
15-13Configuring AAA and SPE Services 15-13
Configuration Imported by TrustedIdInstall Program 15-13/Radius
15-13/radius/services/spe 15-14/radius/services/trusted-id
15-14/Radius/SessionManagers/session-cache/
15-14/radius/ResourceManagers/session-cache 15-14/radius/advanced/
15-14/Radius/Scripts/ChangeServiceType 15-14
Configuring EAP-MD5 Authentication 15-15Creating the
CheckEap.tcl Script 15-15Adding the CheckEap.tcl Script 15-15Using
the CheckEap.tcl Script 15-16Adding the EAP-MD5 Authentication
Service 15-16Adding an LDAP Remote Server 15-17Adding an LDAP
Service 15-18Saving the Configuration and Reloading the Server
15-19Cisco SSG VSAs in Cisco Access Registrar Dictionary 15-19
C H A P T E R 16 Using Prepaid Billing 16-1
Overview 16-2
IS835C Prepaid Billing 16-2Configuring IS835C Prepaid Billing
16-3
Setting Up a Prepaid Billing RemoteServer 16-3xixCisco Access
Registrar User Guide, 5.1
OL-25652-01
Setting Up an IS835C Prepaid Service 16-4
-
ContentsSetting Up Local Authentication 16-4Setting Up an
Authentication Group Service 16-5
CRB Prepaid Billing 16-7Configuring CRB Prepaid Billing 16-8
Setting Up a Prepaid Billing RemoteServer 16-8Setting Up a CRB
Prepaid Service 16-9Setting Up a Local Accounting Service
16-10Setting Up a Local Authentication Service 16-11Setting Up a
Prepaid Accounting Group Service 16-12Setting Up an Authentication
Group Service 16-14
Configuring CRB Prepaid Billing for SSG 16-15Setting Up an
Outgoing Script 16-15Setting Up an Incoming Script 16-16Setting Up
a Prepaid Outgoing Script 16-16Add Prepaid Clients 16-17
Generic Call Flow 16-18Access-Request (Authentication)
16-19Access-Accept (Authentication) 16-20Access-Request
(Authorization) 16-21Access-Accept (Authorization)
16-21Accounting-Start 16-22Data Flow 16-22Access-Request (Quota
Depleted) 16-22Accept-Accept (Quota Depleted) 16-23Accounting Stop
(Session End) 16-24Accounting Response (Final Status) 16-24
Vendor-Specific Attributes 16-25
Implementing the Prepaid Billing API 16-27
C H A P T E R 17 Using Cisco Access Registrar Server Features
17-1
Incoming Traffic Throttling 17-2MaximumIncomingRequestRate
17-2MaximumOutstandingRequests 17-2
Backing Store Parsing Tool 17-3
Configurable Worker Threads Enhancement 17-4
Session-Key Lookup 17-5
Query-Notify 17-6Call Flow 17-7xxCisco Access Registrar User
Guide, 5.1
OL-25652-01
Configuration Examples 17-8
-
ContentsMemory and Performance Impact 17-9
Support for Windows Provisioning Service 17-9Call Flow
17-9Example Configuration 17-10
Environment Variables 17-10Master URL Fragments 17-11
Unsupported Features 17-11Account Expiration and Renewal
17-11Password Changing and Force Update 17-12
Command Completion 17-12
Service Grouping Feature 17-13Configuration Example -
AccountingGroupService 17-14
Summary of Events 17-16Configuration Example 2 -
AuthenticationGroupService 17-17
Summary of Events 17-20
SHA-1 Support for LDAP-Based Authentication 17-20Remote LDAP
Server Password Encryption 17-21Dynamic Password Encryption
17-21Logs 17-22
Dynamic Attributes 17-22Object Properties with Dynamic Support
17-22Dynamic Attribute Format 17-24
Tunneling Support Feature 17-25Configuration 17-25Example
17-25Notes 17-26Validation 17-26
xDSL VPI/VCI Support for Cisco 6400 17-26Using
User-Name/User-Password for Each Cisco 6400 Device 17-26Format of
the New User-Name Attribute 17-27
Apply Profile in Cisco Access Registrar Database to Directory
Users 17-27User-Profile 17-27User-Group 17-28Example User-Profile
and User-Group Attributes in Directory User Record 17-28
Directory Multi-Value Attributes Support 17-29
MultiLink-PPP (ML-PPP) 17-29
Dynamic Updates Feature 17-30xxiCisco Access Registrar User
Guide, 5.1
OL-25652-01
NAS Monitor 17-31
-
ContentsAutomatic Information Collection (arbug) 17-32Running
arbug 17-32Files Generated 17-32
Simultaneous Terminals for Remote Demonstration 17-33
Support for RADIUS Check Item Attributes 17-33Configuring Check
Items 17-33
Configuring User Check Items 17-33Configuring Usergroup Check
Items 17-34
User-Specific Attributes 17-35
Packet of Disconnect 17-35Configuring Packet of Disconnect
17-35
Configuring the Client Object 17-35Configuring a Resource
Manager for POD 17-36
Proxying POD Requests from External Servers 17-37CLI Options for
POD 17-37
query-sessions 17-37release-sessions 17-38
Configuring Change of Authorization Requests 17-38Configuring
the Client Object 17-39
Dynamic DNS 17-40Configuring Dynamic DNS 17-40Testing Dynamic
DNS with radclient 17-42
Dynamic Service Authorization Feature 17-43Configuring Dynamic
Service Authorization Feature 17-43
Setting up the Environment Variable 17-43Configuring the Script
17-44
Remote Session Management 17-45
Wx Interface Support for SubscriberDB Lookup 17-46Configuration
Examples 17-47
C H A P T E R 18 Directing RADIUS Requests 18-1
Configuring Policies and Rules 18-1Configuring Policies
18-1Configuring Rules 18-2Wildcard Support 18-2Script and Attribute
Requirements 18-3Validation 18-3Known Anomalies 18-4xxiiCisco
Access Registrar User Guide, 5.1
OL-25652-01
-
ContentsRouting Requests 18-4Routing Requests Based on Realm
18-4Routing Requests Based on DNIS 18-5Routing Requests Based on
CLID 18-6Routing Requests Based on NASIP 18-7Routing Requests Based
on User-Name Prefix 18-7Attribute Translation 18-8
Parsing Translation Groups 18-9Time of Day Access Restrictions
18-10
Setting Time Ranges in ExecTimeRule 18-11ExecTimeRule Example
Configuration 18-11Reducing Overhead Using Policies to Group Rules
18-12
Standard Scripts Used with Rules 18-14ExecRealmRule
18-14ExecDNISRule 18-15ExecCLIDRule 18-15ExecNASIPRule
18-15ExecPrefixRule 18-16ExecSuffixRule 18-17ExecTimeRule
18-18ParseTranslationGroupsByRealm
18-19ParseTranslationGroupsByDNIS 18-19ParseTranslationGroupsByCLID
18-19
ParseTranslationGroupsByDNIS 18-19
C H A P T E R 19 Wireless Support 19-1
Mobile Node-Home Agent Shared Key 19-1Use Case Example
19-1Configuring User Attributes 19-2
3GPP2 Home Agent Support 19-3Home-Agent Resource Manager
19-3
Load Balancing 19-3Configuring the Home Agent Resource Manager
19-3
Querying and Releasing Sessions 19-4Access Request Requirements
19-4New 3GPP2 VSAs in the Cisco Access Registrar Dictionary
19-5
Session Correlation Based on User-Defined Attributes 19-5
Managing Multiple Accounting Start/Stop Messages 19-5xxiiiCisco
Access Registrar User Guide, 5.1
OL-25652-01
NULL Password Support 19-6
-
ContentsC H A P T E R 20 Using LDAP 20-1
Configuring LDAP 20-1Configuring the LDAP Service 20-2
MultipleServersPolicy 20-2RemoteServers 20-2
Configuring an LDAP RemoteServer 20-3DNS Look Up and LDAP Rebind
Interval 20-6LDAPToRadiusMappings 20-7LDAPToEnvironmentMappings
20-7LDAPToCheckItemMappings 20-7
Setting LDAP As Authentication and Authorization Service
20-7Saving Your Configuration 20-8
CHAP Interoperability with LDAP 20-8Allowing Special Characters
in LDAP Usernames 20-8Dynamic LDAP Search Base 20-8
Analyzing LDAP Trace Logs 20-9Successful Bind Message 20-9Bind
Failure Messages 20-9Login Failure Messages 20-10
Bind-Based Authentication for LDAP 20-11Configuring Bind-Based
Authentication for LDAP 20-11
C H A P T E R 21 Using Open Database Connectivity 21-1
Oracle Software Requirements 21-2
Configuring ODBC/OCI 21-2Configuring an ODBC/OCI Service
21-5Configuring an ODBC/OCI RemoteServer 21-6
ODBC Data Source 21-8SQL Definitions 21-9SQL Syntax Restrictions
21-9Specifying More Than One Search Key
21-10ODBCToRadiusMappings/OCIToRadiusMappings
21-10ODBCToEnvironmentMappings/OCIToEnvironmentMappings
21-11ODBCToCheckItemMappings/OCIToCheckItemMappings 21-11
Configuring an ODBC DataSource 21-11Setting ODBC/OCI As
Authentication and Authorization Service 21-12Setting ODBC/OCI As
Accounting Service 21-13Saving Your Configuration 21-13xxivCisco
Access Registrar User Guide, 5.1
OL-25652-01
Oracle Stored Procedures 21-13
-
ContentsMySQL Support 21-15MySQL Driver 21-15Configuring a MySQL
Datasource 21-15Example Configuration 21-17
C H A P T E R 22 Using SNMP 22-1
Overview 22-1
Supported MIBs 22-1RADIUS-AUTH-CLIENT-MIB
22-1RADIUS-AUTH-SERVER-MIB 22-2RADIUS-ACC-CLIENT-MIB
22-2RADIUS-ACC-SERVER-MIB 22-2CISCO-DIAMETER-BASE-PROTOCOL-MIB
22-2Diameter SNMP and Statistics Support 22-2TACACS+ SNMP and
Statistics Support 22-2
SNMP Traps 22-3Supported Traps 22-3
carServerStart 22-4carServerStop 22-4carInputQueueFull
22-4carInputQueueNotVeryFull 22-4carOtherAuthServerNotResponding
22-4carOtherAuthServerResponding 22-5carOtherAccServerNotResponding
22-5carOtherAccServerResponding 22-5carAccountingLoggingFailure
22-6carLicenseUsage 22-6carDiameterPeerDown 22-6carDiameterPeerUp
22-6
Configuring Traps 22-6Directories Searched 22-6Configuration
File Types 22-7Switching Configuration Files in Mid-File 22-7
Community String 22-8
C H A P T E R 23 Enforcement of TPS License 23-1
TPS Licensing Features 23-1
Enforcement Rules 23-2xxvCisco Access Registrar User Guide,
5.1
OL-25652-01
Notification Logs 23-2
-
ContentsNotification - SNMP Traps 23-2
TPS Logging Feature 23-3
C H A P T E R 24 Backing Up the Database 24-1
Configuration 24-1Command Line Utility 24-1
Recovery 24-2
mcdshadow Command Files 24-2
C H A P T E R 25 Using the REX Accounting Script 25-1
Building and Installing the REX Accounting Script 25-1
Configuring the Rex Accounting Script 25-2
Specifying REX Accounting Script Options 25-3Example Script
Object 25-4
C H A P T E R 26 Logging Syslog Messages 26-1
syslog Messages 26-1Example 1 26-2Example 2 26-2
Configuring Message Logging (Solaris) 26-3
Configuring Message Logging (Linux) 26-4
Changing Log Directory 26-4
Configuring syslog Daemon (syslogd) 26-5
Managing the Syslog File 26-5Using a cron Program to Manage the
syslog Files 26-6
Server Up/Down Status Change Logging 26-6Header Formats
26-6Example Log Messages 26-7
C H A P T E R 27 Troubleshooting Cisco Access Registrar 27-1
Gathering Basic Information 27-1
Troubleshooting Quick Checks 27-2Disk Space 27-2Resource
Conflicts 27-2
No Co-Existence With Cisco Network Registrar 27-2Port Conflicts
27-3xxviCisco Access Registrar User Guide, 5.1
OL-25652-01
Server Running Sun SNMP Agent 27-3
-
ContentsCisco Access Registrar Log Files 27-3Modifying File
Sizes for Agent Server and MCD Server Logs 27-3Using xtail to
Monitor Log File Activity 27-4
Modifying the Trace Level 27-4Installation and Server Process
Start-up 27-5
aregcmd and Cisco Access Registrar Configuration 27-5Running and
Stopped States 27-5
RADIUS Request Processing 27-7
Other Troubleshooting Techniques and Resources 27-7aregcmd Stats
Command 27-7Core Files 27-8radclient 27-8Cisco Access Registrar
Replication 27-8
Checking AR Server Health Status 27-8
A P P E N D I X A Cisco Access Registrar Tcl, REX and Java
Dictionaries A-1
Tcl Attribute Dictionaries A-1Attribute Dictionary Methods
A-1Tcl Environment Dictionary A-4
REX Attribute Dictionary A-5Attribute Dictionary Methods A-5REX
Environment Dictionary A-11
REX Environment Dictionary Methods A-11
Java Attribute Dictionary A-13Java Attribute Dictionary Methods
A-13Java Environment Dictionary A-16
Java Environment Dictionary Methods A-16Interface Extension
A-17
Interface Extension Methods A-18Interface ExtensionforSession
A-18
Interface Extensionforsession Methods A-19Interface
Extensionwithinitialization A-19
Interface Extensionwithinitialization Methods A-20Interface
ExtensionforSessionwithinitialization A-20
Interface Extensionforsessionwithinitialization Methods
A-20Interface MarkerExtension A-20
Variables in the Marker Extension Interface A-21Class
Sessionrecord A-24xxviiCisco Access Registrar User Guide, 5.1
OL-25652-01
Session Record Methods A-24
A P P E N D I X B Environment Dictionary B-1
Cisco Access Registrar Environment Dictionary Variables B-1
Accepted-Profiles B-2
Accounting-Service B-2
Acquire-Dynamic-DNS B-2
Acquire-Group-Session-Limit B-2
Acquire-Home-Agent B-2
Acquire-IP-Dynamic B-2
Acquire-IPX-Dynamic B-2
Acquire-IP-Per-NAS-Port B-3
Acquire-Subnet-Dynamic B-3
Acquire-User-Session-Limit B-3
Acquire-USR-VPN B-3
Allow-Null-Password B-3
Authentication-Service B-3
Authorization-Service B-3
BackingStore-Env-Vars B-4
Broadcast-Accounting-Packet B-4
Cache-Attributes-In-Session B-4
Current-Group-Count B-4
Cache-Outer-Identity B-4
Destination-IP-Address B-4
Destination-Port B-4
Disable-Accounting-On-Off-Broadcast B-4
DSA-Response-Cache B-5
Dynamic-DNS-HostName B-5
Dynamic-Search-Filter B-5
Dynamic-Search-Path B-5
Dynamic-Search-Scope B-5
Dynamic-Service-Loop-Limit B-5
Dynamic-User-Password-Attribute B-5
EAP-Actual-Identity B-6
EAP-Authentication-Mode B-6
Enforce-Traffic-Throttling B-6
Generate-BEK B-6
Group-Session-Limit B-6
Ignore-Accounting-Signature B-6
Incoming-Translation-Groups B-6
Master-URL-Fragment B-7
Misc-Log-Message-Info B-7
Outgoing-Translation-Groups B-7
Pager B-7
Query-Service B-7
Re-Accounting-Service B-7
Re-Authentication-Service B-7
Re-Authorization-Service B-8
Realm B-8
Reject-Reason B-8
Remote-Server B-8
Remove-Session-On-Acct-Stop B-8
Remote-Servers-Tried B-8
Request-Authenticator B-8
Request-Type B-9
Require-User-To-Be-In-Authorization-List B-9
Response-Type B-10
Retrace-Packet B-10
Send-PEAP-URI-TLV B-10
Session-Key B-10
Session-Manager B-10
Session-Notes B-10
Session-Service B-11
Set-Session-Mgr-And-Key-Upon-Lookup B-11
Skip-Session-Management B-11
Skip-Overriding-Username-With-LDAP-UID B-11
Skip-Overriding-UserName-With-PEAPIdentity B-11
Source-IP-Address B-11
Source-Port B-12
Subnet-Size-If-No-Match B-12
Trace-Level B-12
Unavailable-Resource B-12
Unavailable-Resource-Type B-12
UserDefined1 B-12
User-Authorization-Script B-12
User-Group B-13
User-Group-Session-Limit B-13
User-Name B-13
User-Profile B-13
User-Session-Limit B-13
Virtual-Server-Outgoing-Script B-13
Windows-Domain-Groups B-13
X509-Subject-Name B-13
Internal Variables B-14
A P P E N D I X C RADIUS Attributes C-1
RADIUS Attributes C-1
Cisco Access Registrar 5.1 Attributes C-1
RADIUS Attributes Numeric List C-4
Vendor-Specific Attributes C-13
3GPP VSAs C-13
3GPP2 VSAs C-15
ACC VSAs C-22
Altiga VSAs C-27
Ascend VSAs C-30
Bay Networks VSAs C-45
Cabletron VSAs C-46
Cisco Access Registrar Internal VSAs C-46
Cisco VSAs C-48
Compatible VSAs C-51
Microsoft VSAs C-51
Nomadix VSAs C-53
RedBack VSAs C-53
RedCreek VSAs C-56
TACACS+ VSAs C-56
Telebit VSAs C-59
Unisphere VSAs C-59
USR VSAs C-60
WiMax C-86
WISPr C-86
XML C-87
G L O S S A R Y
I N D E X
About This Guide

Revised: August 29, 2011, OL-25652-01

The User Guide for Cisco Access Registrar, 5.1 provides information about how to use Cisco Access Registrar (Cisco AR) 5.1. This preface contains the following sections:

How This Book Is Organized, page xxxi
Obtaining Documentation and Submitting a Service Request, page xxxii
Notices, page xxxiii

How This Book Is Organized

The Cisco AR User Guide is organized as follows:

Chapter 1, Overview, provides an overview of Cisco AR.
Chapter 2, Using the aregcmd Commands, provides information about using aregcmd commands.
Chapter 3, Using the Graphical User Interface, provides information about using the Cisco AR GUI.
Chapter 4, Cisco Access Registrar Server Objects, provides information about Cisco AR server objects.
Chapter 5, Using the radclient Command, provides information about using radclient commands to test Cisco AR.
Chapter 6, Configuring Local Authentication and Authorization, provides information about how to configure local authentication and authorization, with helpful examples.
Chapter 7, RADIUS Accounting, provides information about RADIUS accounting and how to configure Cisco AR to perform accounting.
Chapter 8, Diameter, provides information about how to configure Cisco AR to perform Diameter authentication and authorization, and also provides information about Diameter accounting.
Chapter 9, Extensible Authentication Protocols, provides information about Cisco AR support of EAP authentication methods.
Chapter 10, Using WiMAX in Cisco Access Registrar, provides information about Cisco AR support for the WiMAX feature.
Chapter 11, Using Extension Points, provides information about how to use Cisco AR scripting to customize your RADIUS server.
Chapter 12, Using Replication, provides information about how to use the replication feature.
Chapter 13, Using On-Demand Address Pools, provides information about using On-Demand Address Pools.
Chapter 14, Using Identity Caching, provides information about using the Identity Caching feature.
Chapter 15, Using Trusted ID Authorization with SESM, describes how to use Cisco AR with SESM, and how to configure Cisco AR to use the Trusted ID feature.
Chapter 16, Using Prepaid Billing, provides information about how to use the Cisco AR prepaid billing feature.
Chapter 17, Using Cisco Access Registrar Server Features, provides information about using Cisco AR features.
Chapter 18, Directing RADIUS Requests, provides information about using the Cisco AR Policy Engine.
Chapter 19, Wireless Support, provides information about Cisco AR support for wireless features.
Chapter 20, Using LDAP, provides information about using an LDAP remote server with Cisco AR.
Chapter 21, Using Open Database Connectivity, provides information about a new type of RemoteServer object and a new service to support ODBC.
Chapter 22, Using SNMP, provides information about the SNMP MIB and Trap support offered by Cisco AR.
Chapter 23, Enforcement of TPS License, provides information on the enforcement of Cisco AR's new license model, transactions-per-second (TPS) licensing.
Chapter 24, Backing Up the Database, describes the Cisco AR shadow backup facility, which ensures a consistent snapshot of Cisco AR's database for backup purposes.
Chapter 25, Using the REX Accounting Script, describes how to use the REX Accounting scripts.
Chapter 26, Logging Syslog Messages, provides information about logging messages via syslog and centralized error reporting for Cisco AR.
Chapter 27, Troubleshooting Cisco Access Registrar, provides information about techniques used when troubleshooting Cisco AR and highlights common problems.
Appendix A, Cisco Access Registrar Tcl, REX and Java Dictionaries, describes the Tcl and REX dictionaries that are used when writing Incoming or Outgoing scripts for use with Cisco AR.
Appendix B, Environment Dictionary, describes the environment variables the scripts use to communicate with Cisco AR or to communicate with other scripts.
Appendix C, RADIUS Attributes, lists the RFC 2865 RADIUS attributes with their names and values.
An index is also provided.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
Notices

The following notices pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).

License Issues

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected].

OpenSSL License:

Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)."
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)."

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).
Original SSLeay License:

Copyright (C) 1995-1998 Eric Young ([email protected]). All rights reserved.

This package is an SSL implementation written by Eric Young ([email protected]). The implementation was written so as to conform with Netscape's SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young ([email protected])." The word 'cryptographic' can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson ([email protected])."

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].
LTE and IMS networks are the most likely to implement these new network elements, including Policy and Charging Rules Functions (PCRF), Home Subscriber Servers (HSS), Mobility Management Entities (MME), Online Charging Systems (OCS), and others. As a result, as traffic levels grow, these wireless networks are becoming more difficult to manage and scale without an intelligent Diameter signaling traffic control infrastructure.

C H A P T E R 1 Overview
Revised: September 17, 2011, OL-25652-01
This chapter provides an overview of the RADIUS server, including connection steps, RADIUS message types, and using Cisco Access Registrar (Cisco AR) as a proxy server. Cisco AR is a RADIUS (Remote Authentication Dial-In User Service) server that enables multiple dial-in Network Access Server (NAS) devices to share a common authentication, authorization, and accounting database.

Cisco AR handles the following tasks:

Authentication: determines the identity of users and whether they can be allowed to access the network
Authorization: determines the level of network services available to authenticated users after they are connected
Accounting: keeps track of each user's network activity
Session and resource management: tracks user sessions and allocates dynamic resources

Using a RADIUS server allows you to better manage access to your network, because all security information is stored in a single, centralized database instead of being distributed across many different devices. You make changes to that single database instead of to every network access server in your network.

Service providers transform their 3G and 4G wireless networks with complex services, tiered charging, converged billing, and more by introducing increasing numbers and types of Diameter-based network elements.

Cisco Access Registrar Diameter Routing Agent (DRA) provides such signaling infrastructure, allowing complex mesh interconnections of these new network elements in order to:

adequately manage the traffic
perform appropriate load balancing for desired load distribution and congestion control
provide intelligent message routing (routing to the appropriate elements) that can be customized to easily adapt to unique requirements
allow binding of different protocol interfaces corresponding to a subscriber/network element
This chapter contains the following sections:

Cisco Access Registrar Hierarchy, page 1-2
Cisco Access Registrar Directory Structure, page 1-5
Program Flow, page 1-5
RADIUS Protocol, page 1-12

Cisco Access Registrar Hierarchy

Cisco AR's operation and configuration is based on a set of objects. These objects are arranged in a hierarchical structure much like the Windows 95 Registry or the UNIX directory structure. Cisco AR's objects can themselves contain subobjects, just as directories can contain subdirectories. These objects include the following:

Radius: the root of the configuration hierarchy
UserLists: contains individual UserLists, which in turn contain users
UserGroups: contains individual UserGroups
Clients: contains individual Clients
Vendors: contains individual Vendors
Scripts: contains individual Scripts
Services: contains individual Services
SessionManagers: contains individual Session Managers
ResourceManagers: contains individual Resource Managers
Profiles: contains individual Profiles
RemoteServers: contains individual RemoteServers
Advanced: contains Ports, Interfaces, Reply Messages, and the Attribute dictionary

UserLists and Groups

Cisco AR lets you organize your user community through the configuration objects UserLists, users, and UserGroups.

Use UserLists to group users by organization, such as Company A and Company B. Each list contains the actual names of the users.
Use users to store information about particular users, such as name, password, group membership, base profile, and so on.
Use UserGroups to group users by function, such as PPP, Telnet, or multiprotocol users. Groups allow you to maintain common authentication and authorization requirements in one place, and have them referenced by many users.

For more information about UserLists and UserGroups, see UserLists and Groups in Chapter 4, Cisco Access Registrar Server Objects.
Profiles

Cisco AR uses Profiles that allow you to group RADIUS attributes to be included in an Access-Accept packet. These attributes include values that are appropriate for a particular user class, such as PPP or Telnet users. The user's base profile defines the user's attributes, which are then added to the response as part of the authorization process.

Although you can use Group or Profile objects in a similar manner, choosing whether to use one rather than the other depends on your site. If you require some choice in determining how to authorize or authenticate a user session, creating specific profiles and specifying a group that uses a script to choose among the profiles is more flexible. In such a situation, you might create a default group and then write a script that selects the appropriate profile based on the specific request. The benefit of this technique is that each user can have a single entry and use the appropriate profile depending on the way they log in. For more information about Profiles, see Profiles in Chapter 4, Cisco Access Registrar Server Objects.

Scripts

Cisco AR allows you to create scripts you can execute at various points within the processing hierarchy.

Incoming scripts: enable you to read and set the attributes of the request packet, and set or change the Environment dictionary variables. You can use the environment variables to control subsequent processing, such as specifying the use of a particular authentication service.
Outgoing scripts: enable you to modify attributes returned in the response packet.

For more information about Scripts, see Scripts in Chapter 4, Cisco Access Registrar Server Objects.

Services

Cisco AR uses Services to let you determine how authentication, authorization, and/or accounting are performed. For example, to use Services for authentication:

When you want the authentication to be performed by the Cisco AR RADIUS server itself, you specify the local service. In this case, you must specify a specific UserList.
When you want the authentication performed by another server, which might run an independent application on the same or a different host than your RADIUS server, you specify a radius, ldap, or tacacs-udp service. In this case, you must list these servers by name.

When you have specified more than one authentication service, Cisco AR determines which one to use for a particular Access-Request by checking the following:

When an incoming script has set the Environment dictionary variable Authentication-Service to the name of a Service, Cisco AR uses that service.
Otherwise, Cisco AR uses the default authentication service. The default authentication service is a property of the Radius object.
Cisco AR chooses the authentication service based on the variable Authentication-Service, or the default. The properties of that Service specify many of the details of that authentication service, such as the specific user list to use or the specific application (possibly remote) to use in the authentication process.

For more information about Services, see Services in Chapter 4, Cisco Access Registrar Server Objects.
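To make the selection logic concrete, here is an added Python model (not Cisco AR code, and not its Tcl, REX or Java script API) of the processing order described in the Scripts and Services sections and in the scripting-point tables under Program Flow: the client check, the server, vendor and client incoming scripts in that order, Service selection from the Environment dictionary variable Authentication-Service with /Radius/DefaultAuthenticationService as the fallback, local authentication against a UserList, and an outgoing script that picks a Profile per request. The client, vendor, users, Services, Profiles and the corp.example realm are constructed for the example; the Response-Type and Reject-Reason variables are used the way an incoming script would set them; and User-Password is compared as cleartext, which is a simplification of what happens on the wire.

```python
"""Model of the Cisco AR Access-Request processing order: client check, incoming
scripting points, Service selection via the Environment dictionary, local
authentication, outgoing script. Added illustration; every name below is
constructed and the /Radius/... keys only mirror the object names in the text."""

from dataclasses import dataclass
from typing import Callable, Optional

# A scripting point receives the request, the response and the Environment dictionary.
Script = Callable[[dict, dict, dict], None]


@dataclass
class Service:
    type: str                        # only "local" (authenticate against a UserList) is modelled
    userlist: str = ""
    incoming: Optional[Script] = None
    outgoing: Optional[Script] = None


def server_incoming(request, response, environ):
    """/Radius/IncomingScript: route users of the (constructed) corp realm to their own Service."""
    environ.setdefault("Trace", []).append("server")
    if request.get("User-Name", "").endswith("@corp.example"):
        environ["Authentication-Service"] = "corp-users"
        environ["Authorization-Service"] = "corp-users"


def vendor_incoming(request, response, environ):
    """/Radius/Vendors/<Name>/IncomingScript: this vendor's NASs omit NAS-Port-Type (assumption)."""
    environ.setdefault("Trace", []).append("vendor")
    request.setdefault("NAS-Port-Type", "Async")


def client_incoming(request, response, environ):
    """/Radius/Clients/<Name>/IncomingScript: this NAS may not carry wireless users (assumption)."""
    environ.setdefault("Trace", []).append("client")
    if request.get("NAS-Port-Type") == "Wireless-802.11":
        environ["Response-Type"] = "Access-Reject"
        environ["Reject-Reason"] = "wireless not permitted on this client"


PROFILES = {                         # /Radius/Profiles/<Name>: attributes added to an Access-Accept
    "default-ppp": {"Service-Type": "Framed", "Framed-Protocol": "PPP"},
    "default-telnet": {"Service-Type": "Login", "Login-Service": "Telnet"},
}


def select_profile(request, response, environ):
    """/Radius/Services/<Name>/OutgoingScript: one user entry, Profile chosen per request."""
    environ.setdefault("Trace", []).append("service-out")
    name = "default-ppp" if request.get("Framed-Protocol") == "PPP" else "default-telnet"
    environ["User-Profile"] = name
    response.update(PROFILES[name])


RADIUS = {                           # constructed configuration keyed like the /Radius hierarchy
    "DefaultAuthenticationService": "local-users",
    "DefaultAuthorizationService": "local-users",
    "IncomingScript": server_incoming,
    "Clients": {"nas1": {"IPAddress": "10.0.0.5", "Vendor": "Cisco", "IncomingScript": client_incoming}},
    "Vendors": {"Cisco": {"IncomingScript": vendor_incoming}},
    "UserLists": {"Default": {"bob": "bob-secret"}, "Corp": {"alice@corp.example": "alice-secret"}},
    "Services": {
        "local-users": Service("local", "Default", outgoing=select_profile),
        "corp-users": Service("local", "Corp", outgoing=select_profile),
    },
}


def run(script, request, response, environ):
    """Run a scripting point unless an earlier script has already decided to reject."""
    if script is not None and environ.get("Response-Type") != "Access-Reject":
        script(request, response, environ)


def process(src_ip, request):
    """Return (Response-Type, response attributes, environ), or None when the packet is dropped."""
    request, response, environ = dict(request), {}, {}

    # Table 1-2: only a source address listed under /Radius/Clients is served; RFC 2865
    # has the server silently discard requests from unknown clients.
    client = next((c for c in RADIUS["Clients"].values() if c["IPAddress"] == src_ip), None)
    if client is None:
        return None

    # Table 1-3: server, vendor and client incoming scripts, in that order.
    run(RADIUS["IncomingScript"], request, response, environ)
    run(RADIUS["Vendors"][client["Vendor"]]["IncomingScript"], request, response, environ)
    run(client["IncomingScript"], request, response, environ)
    if environ.get("Response-Type") == "Access-Reject":
        return "Access-Reject", response, environ

    # Table 1-4: a script-set Authentication-Service wins; otherwise the Radius object's default.
    authn = environ.setdefault("Authentication-Service", RADIUS["DefaultAuthenticationService"])
    authz = environ.setdefault("Authorization-Service", RADIUS["DefaultAuthorizationService"])
    service = RADIUS["Services"][authn]

    run(service.incoming, request, response, environ)
    # "local" Service: the UserList named by the Service decides (cleartext compare, simplified).
    users = RADIUS["UserLists"][service.userlist]
    if users.get(request.get("User-Name")) != request.get("User-Password"):
        environ["Response-Type"] = "Access-Reject"
        return "Access-Reject", response, environ
    run(service.outgoing, request, response, environ)

    # A different authorization Service gets its own incoming/outgoing scripting points.
    if authz != authn:
        run(RADIUS["Services"][authz].incoming, request, response, environ)
        run(RADIUS["Services"][authz].outgoing, request, response, environ)

    environ["Response-Type"] = "Access-Accept"
    return "Access-Accept", response, environ
```

Two things the model makes visible: a script that sets Response-Type to Access-Reject stops the remaining scripting points from running, and the server incoming script runs before the vendor and client scripts, so a routing decision made there cannot rely on anything those later scripts add or normalise.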
Session Management Using Resource Managers

Cisco AR lets you track user sessions and/or allocate dynamic resources to users for the lifetime of their session. You can define one or more Session Managers, and have each one manage the sessions for a particular group or company.

Session Managers use Resource Managers, which in turn manage resources of a particular type as described below.

IP-Dynamic: manages a pool of IP addresses and allows you to dynamically allocate IP addresses from that pool
IP-Per-NAS-Port: allows you to associate ports with specific IP addresses, and thus ensure each NAS port always gets the same IP address
IPX-Dynamic: manages a pool of IPX network addresses
Group-Session-Limit: manages concurrent sessions for a group of users; that is, it keeps track of how many sessions are active and denies new sessions after the configured limit has been reached
User-Session-Limit: manages per-user concurrent sessions; that is, it keeps track of how many sessions each user has and denies the user a new session after the configured limit has been reached
USR-VPN: manages Virtual Private Networks (VPNs) that use USR NAS Clients

For more information about Session Managers, see Session Managers in Chapter 4, Cisco Access Registrar Server Objects.

If necessary, you can create a complex relationship between the Session Managers and the Resource Managers.

When you need to share a resource among Session Managers, you can create multiple Session Managers that refer to the same Resource Manager. For example, if one pool of IP addresses is shared by two departments, but each department has a separate policy about how many users can be logged in concurrently, you might create two Session Managers and three Resource Managers: one dynamic IP Resource Manager that is referenced by both Session Managers, and two concurrent-session Resource Managers, one for each Session Manager.

In addition, Cisco AR lets you pose queries about sessions. For example, you can query Cisco AR about which session (and thus which NAS-Identifier, NAS-Port and/or User-Name) owns a particular resource, as well as how many resources are allocated or how many sessions are active.
Cisco Access Registrar Directory Structure

The installation process populates the /opt/CSCOar directory with the subdirectories listed in Table 1-1.

Table 1-1 /opt/CSCOar Subdirectories

Subdirectory | Description
.system | Contains ELFs, or binary SPARC executables that should not be run directly.
bin | Contains shell scripts and programs frequently used by a network administrator; programs that can be run directly.
conf | Contains configuration files.
data | Contains the radius directory, which contains session backing files, and the db directory, which contains configuration database files.
examples | Contains documentation, sample configuration scripts, and shared library scripts.
lib | Contains Cisco AR software library files.
logs | Contains system logs and is the default directory for RADIUS accounting.
odbc | Contains Cisco AR ODBC files.
scripts | Contains sample scripts that you can modify to automate configuration and to customize your RADIUS server.
temp | Used for temporary storage.
ucd-snmp | Contains the UCD-SNMP software Cisco AR uses.
usrbin | Contains a symbolic link that points to bin.

Program Flow

When a NAS sends a request packet to Cisco AR with a name and password, Cisco AR performs the following actions. Table 1-2 describes the flow without regard to scripting points.

Table 1-2 From Access-Request to Access-Accept

Cisco AR Server Action | Explanation
Receives an Access-Request | The Cisco AR server receives an Access-Request packet from a NAS.
Determines whether to accept the request | The Cisco AR server checks to see if the client's IP address is listed in /Radius/Clients/<Name>/.
Invokes the policy SelectPolicy if it exists | The Cisco AR Policy Engine provides an interface to define and configure a policy and to apply the policy to the corresponding Access-Request packets.
Performs authentication and/or authorization | Directs the request to the appropriate Service, which then performs authentication and/or authorization according to the type specified in /Radius/Services/<Name>/Type.
Performs session management | Directs the request to the appropriate Session Manager.
Table 1-2 From Access-Request to Access-Accept (continued)

Cisco AR Server Action | Explanation
Performs resource management for each Resource Manager in the Session Manager | Directs the request to the appropriate Resource Manager listed in /Radius/SessionManagers/<Name>/ResourceManagers, which then allocates or checks the resource according to the type listed in /Radius/ResourceManagers/<Name>/Type.
Sends an Access-Accept | Creates and formats the response, and sends it back to the client (NAS).

Scripting Points

Cisco AR lets you invoke scripts you can use to affect the Request, Response, or Environment dictionaries.

Client Scripting

Though Cisco AR allows external code (Tcl/C/C++/Java) to be used by means of a script, custom service, policy engine, and so forth, while processing a request or response or while working with the environment dictionaries, it shall not be responsible for the scripts used and will not be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of the script.

Client or NAS Scripting Points

Table 1-3 shows the location of the scripting points within the section that determines whether to accept the request from the client or NAS. The scripting points are indicated with the asterisk (*) symbol.

Table 1-3 Client or NAS Scripting Points

Action | Explanation
Receives an Access-Request. | The Cisco AR RADIUS server receives an Access-Request packet from a NAS.
Determines whether to accept the request. | The client's IP address is listed in /Radius/Clients/<Name>/IPAddress.
*Executes the server's incoming script. | A script referred to in /Radius/IncomingScript.
*Executes the vendor's incoming script. | The vendor listed in /Radius/Clients/<Name>/Vendor, and is a script referred to in /Radius/Vendors/<Name>/IncomingScript.
*Executes the client's incoming script. | A script referred to in /Radius/Clients/<Name>/IncomingScript.
Determines whether to accept requests from this specific NAS. | /Radius/Advanced/RequireNASsBehindProxyBeInClientList set to TRUE. The NAS's Identifier listed in /Radius/Clients/<Name>, or its NAS-IP-Address listed in /Radius/Clients/<Name>/IPAddress.
Table 1-3 Client or NAS Scripting Points (continued)

Action | Explanation
If the client's IP address listed in /Radius/Clients/<Name>/IPAddress is different: *Executes the vendor's incoming script. | The vendor listed in /Radius/Clients/<Name>/Vendor, and is a script referred to in /Radius/Vendors/<Name>/IncomingScript.
*Executes the client's incoming script. | The client listed in the previous /Radius/Clients/<Name>, and is a script referred to in /Radius/Clients/<Name>/IncomingScript.

Authentication and/or Authorization Scripting Points

Table 1-4 shows the location of the scripting points within the section that determines whether to perform authentication and/or authorization.

Table 1-4 Authentication and Authorization Scripting Points

Action | Explanation
Determines Service to use for authentication and/or authorization. | The Service name defined in the Environment dictionary variable Authentication-Service, and is the same as the Service defined in the Environment dictionary variable Authorization-Service. Otherwise, the Service name referred to by /Radius/DefaultAuthenticationService, and is the same as the Service defined in /Radius/DefaultAuthorizationService.
Performs authentication and/or authorization. | If the Services are the same, perform authentication and authorization. If the Services are different, just perform authentication.
*Executes the Service's incoming script. | A script referred to in /Radius/Services/<Name>/IncomingScript.
Performs authentication and/or authorization. | Based on the Service type defined in /Radius/Services/<Name>/Type.
*Executes the Service's outgoing script. | A script referred to in /Radius/Services/<Name>/OutgoingScript.
Determines whether to perform authorization. | The Service name defined in /Radius/DefaultAuthorizationService, if different than the Authentication Service.
Table 1-4 Authentication and Authorization Scripting Points (continued)

Action | Explanation
*Executes the Service's incoming script. | A script referred to in /Radius/Services/<Name>/IncomingScript.
Performs authorization. | Checks that the Service type is defined in /Radius/Services/<Name>/Type.
*Executes the Service's outgoing script. | A script referred to in /Radius/Services/<Name>/OutgoingScript.

Session Management

The Session Management feature requires the client (NAS or proxy) to send all RADIUS accounting requests to the Cisco AR server performing session management. (The only exception is if the clients are USR/3Com Network Access Servers configured to use the USR/3Com RADIUS resource management feature.) This information is used to keep track of user sessions and the resources allocated to those sessions. When another accounting RADIUS server needs this accounting information, the Cisco AR server performing session management might proxy it to this second server.

Cisco AR 5.0 introduced the count-sessions command. The count-sessions /r all command counts the total sessions in Cisco AR. Its options are the same as those of the query-sessions command, which displays cached attributes in addition to session details.

Table 1-5 describes how Cisco AR handles session management.

Table 1-5 Session Management Processing

Action | Explanation
Determines whether to perform session management. | The Session Manager defined in the Environment dictionary variable Session-Manager, or otherwise the Session Manager name referred to in /Radius/DefaultSessionManager.
Performs session management. | Selects the Session Manager as defined in /Radius/SessionManagers/<Name>.

Failover by the NAS and Session Management

When a Network Access Server's primary RADIUS server is performing session management, and the NAS determines the server is not responding and begins sending requests to its secondary RADIUS server, the following occurs:

The secondary server will not know about the current active sessions that are maintained on the primary server. Any resources managed by the secondary server must be distinct from those managed by the primary server; otherwise it will be possible to have two sessions with the same resources (for example, two sessions with the same IP address).
The primary server will miss important information that allows it to maintain a correct model of what sessions are currently active (because the authentication and accounting requests are being sent to the secondary server). This means when the primary server comes back online and the NAS begins using it, its knowledge of what sessions are active will be out-of-date, and the resources for those sessions remain allocated even if they are free to allocate to someone else.

For example, the user-session-limit resource might reject new sessions because the primary server does not know that some of the users using the resource logged out while the primary server was offline. It might be necessary to release sessions manually using the aregcmd command release-session.

Note: It might be possible to avoid this situation by having a disk drive shared between two systems, with the second RADIUS server started up once the primary server has been determined to be offline. For more information on this setup, contact Technical Support.
Cross Server Session and Resource Management

Prior to Cisco AR 1.6, sessions and resources were managed locally, meaning that in a multi-Cisco AR server environment, resources such as IP addresses, user-based session limits, and group-based session limits were divided between all the Cisco AR servers. It also meant that, to ensure accurate session tracking, all packets relating to one user session were required to go to the same Cisco AR server.

Cisco AR 1.6 and above can manage sessions and resources across AAA Server boundaries. A session can be created by an Access-Request sent to AR1, and it can be removed by an Accounting-Stop request sent to AR2, as shown in Figure 1-1. This enables accurate tracking of User and Group session limits across multiple AAA Servers, and IP addresses allocated to sessions are managed in one place.
Figure 1-1 Multiple Cisco AR Servers

All resources that must be shared across multiple front line Cisco ARs are configured in the Central Resource Cisco AR. Resources that are not shared can still be configured at each front line Cisco AR as done prior to the Cisco AR 1.6 release. When the front line Cisco AR receives the Access-Request, it does the regular AA processing. If the packet is not rejected and a Central Resource Cisco AR is also configured, the front line Cisco AR will proxy the packet (1) to the configured Central Resource Cisco AR. If the Central Resource Cisco AR returns the requested resources, the process continues to the local session management (if a local session manager is configured) for allocating any local resources. If the Central Resource Cisco AR cannot allocate the requested resource, the packet is rejected.

When the Accounting-Stop packet arrives at the front line Cisco AR, Cisco AR does the regular accounting processing. Then, if the front line Cisco AR is configured to use the Central Resource Cisco AR, a proxy packet will be sent to the Central Resource Cisco AR for it to release all the allocated resources for this session. After that, any locally allocated resources are released by the local session manager.

1. The proxy packet is actually a resource allocation request, not an Access-Request.
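To make the difference between local and central session management concrete, the following is an added example (it is not Cisco AR code) that models a Session Manager holding an IP pool and a per-user session limit, two front line servers, and an optional shared Central Resource server. The server names, the 192.0.2.x pool addresses and the session ids are constructed. It plays through the cross-server case described above (session opened through AR1, closed through AR2) and also the two failure modes from "Failover by the NAS and Session Management": a stale session that keeps a user at the limit until it is released manually, and overlapping pools that hand one address to two sessions.

```python
"""Toy model of local versus central session and resource management.

Added example for the Cross Server Session and Resource Management section;
not Cisco AR code. Server names, IP pools and session ids are constructed.
"""
from typing import Dict, List, Optional, Tuple


class SessionManager:
    """Tracks active sessions and the resources (an IP pool plus a per-user
    session limit) allocated to them. A front line Cisco AR has a local one;
    a Central Resource Cisco AR is simply one that several front lines share."""

    def __init__(self, name: str, ip_pool: List[str], user_session_limit: int):
        self.name = name
        self.free_ips = list(ip_pool)
        self.user_session_limit = user_session_limit
        self.sessions: Dict[str, Tuple[str, str]] = {}  # session id -> (user, ip)

    def active_for(self, user: str) -> int:
        return sum(1 for u, _ in self.sessions.values() if u == user)

    def allocate(self, session_id: str, user: str) -> Optional[str]:
        """Returns the allocated IP, or None when a resource is unavailable."""
        if self.active_for(user) >= self.user_session_limit or not self.free_ips:
            return None
        ip = self.free_ips.pop(0)
        self.sessions[session_id] = (user, ip)
        return ip

    def release(self, session_id: str) -> bool:
        """Accounting-Stop (or a manual release-session): True if the session
        was known here and its resources were returned to the pool."""
        entry = self.sessions.pop(session_id, None)
        if entry is None:
            return False  # this manager never saw the session: nothing to free
        self.free_ips.append(entry[1])
        return True


class FrontLine:
    """Front line Cisco AR. If a Central Resource server is configured it is
    asked first; only when it grants the resources does local management run."""

    def __init__(self, name: str, local: Optional[SessionManager] = None,
                 central: Optional[SessionManager] = None):
        self.name, self.local, self.central = name, local, central

    def access_request(self, session_id: str, user: str) -> Optional[str]:
        ip = None
        if self.central is not None:
            ip = self.central.allocate(session_id, user)
            if ip is None:
                return None  # central cannot allocate: the packet is rejected
        if self.local is not None:
            local_ip = self.local.allocate(session_id, user)
            if local_ip is None:
                if self.central is not None:
                    self.central.release(session_id)  # undo the central grant
                return None
            ip = ip or local_ip
        return ip

    def accounting_stop(self, session_id: str) -> bool:
        """Central resources are released first, then local ones."""
        released = False
        if self.central is not None:
            released |= self.central.release(session_id)
        if self.local is not None:
            released |= self.local.release(session_id)
        return released


def local_only_scenario() -> dict:
    """Pre-1.6 behaviour: the Accounting-Stop lands on AR2, so AR1 keeps a
    stale session for joe until an operator releases it."""
    ar1 = FrontLine("AR1", local=SessionManager("AR1-local", ["192.0.2.1"], 1))
    ar2 = FrontLine("AR2", local=SessionManager("AR2-local", ["192.0.2.2"], 1))
    first = ar1.access_request("sess-1", "joe")      # 192.0.2.1
    stop_seen = ar2.accounting_stop("sess-1")        # False: AR2 never saw sess-1
    rejected = ar1.access_request("sess-2", "joe")   # None: stale session hits the limit
    ar1.local.release("sess-1")                      # the manual release-session step
    after_fix = ar1.access_request("sess-2", "joe")  # 192.0.2.1
    return {"first": first, "stop_seen": stop_seen, "rejected": rejected, "after_fix": after_fix}


def central_scenario() -> dict:
    """Shared resources live on the Central Resource server, so a session
    opened through AR1 can be closed through AR2."""
    central = SessionManager("central", ["192.0.2.1", "192.0.2.2"], 1)
    ar1, ar2 = FrontLine("AR1", central=central), FrontLine("AR2", central=central)
    first = ar1.access_request("sess-1", "joe")      # 192.0.2.1
    stop_seen = ar2.accounting_stop("sess-1")        # True
    second = ar1.access_request("sess-2", "joe")     # 192.0.2.2: joe is no longer at the limit
    return {"first": first, "stop_seen": stop_seen, "second": second,
            "active": central.active_for("joe")}


def overlapping_pools_scenario() -> list:
    """Failover warning: a secondary that manages the same addresses as the
    primary produces two sessions with one IP address."""
    primary = FrontLine("primary", local=SessionManager("p", ["192.0.2.1"], 5))
    secondary = FrontLine("secondary", local=SessionManager("s", ["192.0.2.1"], 5))
    return [primary.access_request("sess-1", "joe"), secondary.access_request("sess-2", "ann")]
```

The local-only run shows why the guide insists that all packets of one session reach the same server when resources are managed locally, and why release-session exists; the central run shows the same traffic succeeding once the shared pool has a single owner.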
Session-Service Service Step and Radius-Session Service

A new Service step has been added in the processing of Access-Request and Accounting packets. This is an additional step after the AA processing for an Access packet or the Accounting processing for an Accounting packet, but before the local session management processing. The Session-Service should have a service type of radius-session.

An environment variable Session-Service is introduced to determine the Session-Service dynamically. You can use a script or the rule engine to set the Session-Service environment variable.
Configure Front Line Access Registrar

To use a Central Resource server, the DefaultSessionService property must be set or the Session-Service environment variable must be set through a script or the rule engine. The value in the Session-Service variable overrides the DefaultSessionService.

The configuration parameters for a Session-Service service type are the same as those for configuring a radius service type for proxy, except the service type is radius-session. The configuration for a Session-Service Remote Server is the same as configuring a proxy server.

[ //localhost/Radius ]
    Name = Radius
    Description =
    Version = 1.6R0
    IncomingScript =
    OutgoingScript =
    DefaultAuthenticationService = local-users
    DefaultAuthorizationService = local-users
    DefaultAccountingService = local-file
    DefaultSessionService = Remote-Session-Service
    DefaultSessionManager = session-mgr-1

[ //localhost/Radius/Services ]
    Remote-Session-Service/
        Name = Remote-Session-Service
        Description =
        Type = radius-session
        IncomingScript =
        OutgoingScript =
        OutagePolicy = RejectAll
        OutageScript =
        MultipleServersPolicy = Failover
        RemoteServers/
            1. central-server

[ //localhost/Radius/RemoteServers ]
    central-server/
        Name = central-server
        Description =
        Protocol = RADIUS
        IPAddress = 209.165.200.224
        Port = 1645
        ReactivateTimerInterval = 300000
        SharedSecret = secret
        Vendor =
        IncomingScript =
        OutgoingScript =
        MaxTries = 3
        InitialTimeout = 2000
        AccountingPort = 1646
Configure Central Cisco AR

Resources at the Central Resource server are configured the same way as local resources are configured. These resources are local resources from the Central Resource server's point of view.

Script Processing Hierarchy

For request packets, the script processing order is from the most general to the most specific. For response packets, the processing order is from the most specific to the most general. Table 1-6, Table 1-7, and Table 1-8 show the overall processing order and flow: (1-6) Incoming Scripts, (7-11) Authentication/Authorization Scripts, and (12-17) Outgoing Scripts.
Note: The client and the NAS can be the same entity, except when the immediate client is acting as a proxy for the actual NAS.

Table 1-6 Cisco AR Processing Hierarchy for Incoming Scripts
1) Radius.
2) Vendor of the immediate client.
3) Immediate client.
4) Vendor of the specific NAS.
5) Specific NAS.
6) Service.

Table 1-7 Cisco AR Processing Hierarchy for Authentication/Authorization Scripts
7) Group Authentication.
8) User Authentication.
9) Group Authorization.
10) User Authorization.
11) Session Management.

Table 1-8 Cisco AR Processing Hierarchy for Outgoing Scripts
12) Service.
13) Specific NAS.
14) Vendor of the specific NAS.
15) Immediate client.
RADIUS Protocol

Cisco AR is based on a client/server model, which supports AAA (authentication, authorization, and accounting). The client is the Network Access Server (NAS) and the server is Cisco AR. The client passes user information on to the RADIUS server and acts on the response it receives. The server, on the other hand, is responsible for receiving user access requests, authenticating and authorizing users, and returning all of the necessary configuration information the client can then pass on to the user.

The protocol is a simple packet exchange in which the NAS sends a request packet to Cisco AR with a name and a password. Cisco AR looks up the name and password to verify they are correct, determines for which dynamic resources the user is authorized, then returns an accept packet that contains configuration information for the user session (Figure 1-2).

Figure 1-2 Packet Exchange Between User, NAS, and RADIUS

Cisco AR can also reject the packet if it needs to deny network access to the user. Or, Cisco AR can issue a challenge that the NAS sends to the user, who then creates the proper response and returns it to the NAS, which forwards the challenge response to Cisco AR in a second request packet.

In order to ensure network security, the client and server use a shared secret, which is a string they both know, but which is never sent over the network. User passwords are also encrypted between the client and the server to protect the network from unauthorized access.
Steps to Connection

Three participants exist in this interaction: the user, the NAS, and the RADIUS server. The following steps describe the receipt of an access request through the sending of an access response.

Step 1 The user, at a remote location such as a branch office or at home, dials into the NAS, and supplies a name and password.

Step 2 The NAS picks up the call and begins negotiating the session.
a. The NAS receives the name and password.
Table 1-8 Cisco AR Processing Hierarchy for Outgoing Scripts (continued)
16) Vendor of the immediate client.
17) Radius.

[Figure 1-2: the NAS sends a request (Name=Jane, Password=xyz) to the RADIUS server and receives a response.]
b. The NAS formats this information into an Access-Request packet.
c. The NAS sends the packet on to the Cisco AR server.

Step 3 The Cisco AR server determines what hardware sent the request (NAS) and parses the packet.
a. It sets up the Request dictionary based on the packet information.
b. It runs any incoming scripts, which are user-written extensions to Cisco AR. An incoming script can examine and change the attributes of the request packet or the environment variables, which can affect subsequent processing.
c. Based on the scripts or the defaults, it chooses a service to authenticate and/or authorize the user.

Step 4 Cisco AR's authentication service verifies that the username and password are in its database. Or, Cisco AR delegates the authentication (as a proxy) to another RADIUS server, an LDAP server, or a TACACS server.

Step 5 Cisco AR's authorization service creates the response with the appropriate attributes for the user's session and puts it in the Response dictionary.

Step 6 If you are using Cisco AR session management at your site, the Session Manager calls the appropriate Resource Managers that allocate dynamic resources for this session.

Step 7 Cisco AR runs any outgoing scripts to change the attributes of the response packet.

Step 8 Cisco AR formats the response based on the Response dictionary and sends it back to the client (NAS).

Step 9 The NAS receives the response and communicates with the user, which might include sending the user an IP address to indicate the connection has been successfully established.
Types of RADIUS Messages

The client/server packet exchange consists primarily of the following types of RADIUS messages:

Access-Request: sent by the client (NAS) requesting access
Access-Reject: sent by the RADIUS server rejecting access
Access-Accept: sent by the RADIUS server allowing access
Access-Challenge: sent by the RADIUS server requesting more information in order to allow access. The NAS, after communicating with the user, responds with another Access-Request.

When you use RADIUS accounting, the client and server can also exchange the following two types of messages:

Accounting-Request: sent by the client (NAS) requesting accounting
Accounting-Response: sent by the RADIUS server acknowledging accounting
Packet Contents

The information in each RADIUS message is encapsulated in a UDP (User Datagram Protocol) data packet. A packet is a block of data in a standard format for transmission. It is accompanied by other information, such as the origin and destination of the data. Table 1-9 lists a description of the five fields in each message packet.
The Attribute Dictionary

The Attribute dictionary contains a list of preconfigured authentication, authorization, and accounting attributes that can be part of a client's or user's configuration. The dictionary entries translate an attribute into a value Cisco AR uses to parse incoming requests and generate responses. Attributes have a human-readable name and an enumerated equivalent from 1-255.

Sixty-three standard attributes exist, which are defined in RFC 2138 and 2139. There also are additional vendor-specific attributes that depend on the particular NAS you are using. Some sample attributes include:

User-Name: the name of the user
User-Password: the user's password
NAS-IP-Address: the IP address of the NAS
NAS-Port: the NAS port the user is dialed in to
Framed-Protocol: such as SLIP or PPP
Framed-IP-Address: the IP address the client uses for the session
Filter-ID: vendor-specific; identifies a set of filters configured in the NAS
Table 1-9 RADIUS Packet Fields
Field | Description
Code | Indicates message type: Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, or Accounting-Response.
Identifier | Contains a value that is copied into the server's response so the client can correctly associate its requests and the server's responses when multiple users are being authenticated simultaneously.
Length | Provides a simple error-checking device. The server silently drops a packet if it is shorter than the value specified in the length field, and ignores the octets beyond the value of the length field.
Authenticator | Contains a value for a Request Authenticator or a Response Authenticator. The Request Authenticator is included in a client's Access-Request. The value is unpredictable and unique, and is added to the client/server shared secret so the combination can be run through a one-way algorithm. The NAS then uses the result in conjunction with the shared secret to encrypt the user's password.
Attribute(s) | Depends on the type of message being sent. The number of attribute/value pairs included in the packet's attribute field is variable, including those required or optional for the type of service requested.
Callback-Number: the actual callback number.
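As an added example (it is not Cisco AR code) of the five fields in Table 1-9 and of the shared-secret handling described under RADIUS Protocol, the following Python builds an Access-Request with a hidden User-Password, parses it on the server side applying the Length rule from the table, recovers the password with the shared secret, and answers with an Access-Accept whose Response Authenticator the NAS checks before trusting the reply. The shared secret, the Identifier value 42 and the Jane/xyz credentials from Figure 1-2 are sample values; the password hiding and Response Authenticator computations are the ones from RFC 2865, which this guide references only as a one-way algorithm.

```python
"""Encode, parse and verify RADIUS packets with the five fields of Table 1-9.

Added example, not Cisco AR code. The shared secret, Identifier and the
Jane/xyz credentials are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

# Code values from RFC 2865; the names match "Types of RADIUS Messages".
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2  # attribute type numbers
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2), the one-way step in Table 1-9.
    Each 16-byte chunk is XORed with MD5(secret + previous hidden chunk), seeded
    with the Request Authenticator, so the secret itself never crosses the wire."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password: same key stream, chained on the input.
    NUL padding is stripped, so a password ending in NUL is not representable."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Attribute field: a variable number of Type/Length/Value triples."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_packet(code: int, identifier: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_packet(data: bytes):
    """Length rules of Table 1-9: a datagram shorter than Length is silently
    dropped (None) and octets beyond Length are ignored. A malformed attribute
    also drops the packet rather than yielding a partial parse."""
    if len(data) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or len(data) < length:
        return None
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            return None
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "identifier": identifier,
            "authenticator": data[4:HEADER_LEN], "attrs": attrs}


def build_response(code: int, request: dict, attrs, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The reply echoes the client's Identifier so the client can match it to its request."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request["identifier"], HEADER_LEN + len(body))
    auth = hashlib.md5(head + request["authenticator"] + body + secret).digest()
    return head + auth + body


def verify_response(data: bytes, request: dict, secret: bytes) -> bool:
    """Client-side check: Identifier must match the outstanding request and the
    Response Authenticator must have been computed with the shared secret."""
    resp = parse_packet(data)
    if resp is None or resp["identifier"] != request["identifier"]:
        return False
    length = struct.unpack("!H", data[2:4])[0]
    expected = hashlib.md5(data[:4] + request["authenticator"]
                           + data[HEADER_LEN:length] + secret).digest()
    return hmac.compare_digest(expected, resp["authenticator"])


def exchange(secret: bytes, username: bytes, password: bytes, identifier: int = 42) -> dict:
    """One NAS <-> server round trip on constructed data."""
    request_auth = os.urandom(16)  # "unpredictable and unique" (Table 1-9)
    request = build_packet(ACCESS_REQUEST, identifier, request_auth, [
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
    ])
    parsed = parse_packet(request)  # server side
    attrs = dict(parsed["attrs"])
    recovered = reveal_password(attrs[ATTR_USER_PASSWORD], secret, parsed["authenticator"])
    code = ACCESS_ACCEPT if recovered == password else ACCESS_REJECT
    response = build_response(code, parsed, [], secret)
    return {"code": code, "recovered": recovered, "request": parsed,
            "response": response, "accepted": verify_response(response, parsed, secret)}


if __name__ == "__main__":
    print(exchange(b"constructed-secret", b"Jane", b"xyz"))
```

Two points the table states but the code makes visible: a server configured with a different secret recovers garbage rather than the password, and a reply whose Code or Identifier has been altered in transit fails verify_response even though every field parses cleanly.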
Proxy Servers

Any one or all of the RADIUS server's three functions (authentication, authorization, or accounting) can be subcontracted to another RADIUS server. Cisco AR then becomes a proxy server. Proxying to other servers enables you to delegate some of the RADIUS server's functions to other servers.

You could use Cisco AR to proxy to an LDAP server for access to directory information about users in order to authenticate them. Figure 1-3 shows user joe initiating a request, the Cisco AR server proxying the authentication to the LDAP server, and then performing the authorization and accounting processing in order to enable joe to log in.

Figure 1-3 Proxying to an LDAP Server for Authentication

[Figure 1-3: the NAS sends a request (user=joe, password=xyz) to Access Registrar, which proxies authentication to the LDAP server, then performs authorization and accounting and returns the response.]
CHAPTER 2 Using the aregcmd Commands

Revised: September 17, 2011, OL-25652-01

This chapter describes how to use each of the aregcmd commands. The Cisco AR 4.2 aregcmd command is a command-line based configuration tool. It allows you to set any Cisco Access Registrar (Cisco AR) configurable option, as well as start and stop the server and check statistics. This chapter contains the following sections:

General Command Syntax, page 2-1
aregcmd Commands, page 2-4
aregcmd Command Logging, page 2-16
aregcmd Command Line Editing, page 2-17
aregcmd Error Codes, page 2-17

General Command Syntax

Cisco AR stores its configuration information in a hierarchy. Using the aregcmd command cd (change directory) you can move through this information in the same manner as you would through any hierarchical file system. Or you can supply full pathnames to these commands to affect another part of the hierarchy, and thus avoid explicitly using the cd command to change to that part of the tree.

aregcmd command parsing is case insensitive, which means you can use upper or lowercase letters to designate elements. In addition, when you reference existing elements in the configuration, you need only specify enough of the element's name to distinguish it from the other elements at that level. For example, instead of entering cd Administrators, you can enter cd ad when no other element at the current level begins with ad.

aregcmd command parsing is command-line order dependent; that is, the arguments are interpreted based on their position on the command line. To indicate an empty string as a place holder on the command line, use either single (') or double quotes (""). In addition, when you use any arguments that contain spaces, you must quote the arguments. For example, when you use the argument Local Users, you must enclose the phrase in quotes. The aregcmd command can contain a maximum of 255 characters when specifying a parameter and 511 characters for the entire command.
The aregcmd command syntax is:

aregcmd [-C cluster] [-N administrator] [-P password] [-V] [-f file] [-l directory] [-n] [command [arguments]] [-p] [-q] [-v]

-C  Specifies the name of the cluster to log into by default
-N  Specifies the name of the administrator
-P  Specifies the password
-V  Specifies view-only mode
-f  Specifies a file that can contain a series of commands
-l  Specifies a directory where the Cisco AR license file is stored and returns information about licensed components
-n  Turns off prefix mode
-p  Specifies prefix mode
-q  Turns off verbose mode
-v  Specifies verbose mode

Note: The verbose (-v) and prefix (-p) modes are on by default when you run aregcmd interactively (that is, when the command is not entered on the command line and commands are not run from a script file). Otherwise, verbose and prefix modes are off.

When you include a command (with the appropriate arguments) on the command line, aregcmd runs only that one command and saves any changes.
View-Only Administrator Mode

Previous releases of Cisco AR provided only super-user administrative access. If you were able to log in to aregcmd, you could do anything to the system, including starting and stopping the system and changing the configuration. Cisco AR provides view-only administrative access. View-only access restricts an administrator to only being able to observe the system and prevents that user from making changes.

View-only access can be encountered in three ways:

Specific administrators can be restricted to view-only access whenever they log in.

Administrators not restricted to view-only access can choose to start aregcmd in a view-only mode. This might be used when an administrator wants to ensure that he or she does not make any changes.

When an administrator who is not view-only logs in to a slave server, they will be unable to make changes to any parts of the configuration other than /Radius/Replication, /Radius/Advanced/Ports, /Radius/Advanced/Interfaces or the properties in /Radius/Advanced. This is because the rest of the configuration is replicated from the master server and changes made directly to the slave will cause problems.

Note: When a user logs in, the system determines whether a user's session is view-only or not. If the configuration is changed after a user has logged in, that change does not take effect until the affected user logs out and logs back in.
ViewOnly Property

The ViewOnly property has been added to the Administrators configuration. The default setting for the ViewOnly property is FALSE. The following shows the default setting for the admin user:

cd /Administrators/admin
[ //localhost/Administrators/admin ]
    Name = admin
    Description =
    Password =
    ViewOnly = FALSE

You can designate specific administrators to be view-only administrators by setting the new ViewOnly property to TRUE. If that property is set to TRUE, any time the administrator logs in to aregcmd the session will be in view-only mode. If set to FALSE, when the administrator logs in to a master server, the session will have full super-user capability. If the administrator logs in to a slave, the only part of the configuration they will be able to modify is that part under /Radius/Replication, /Radius/Advanced/Ports, /Radius/Advanced/Interfaces or the properties in /Radius/Advanced. When in a view-only session, the following commands will cause an error: add, delete, set, unset,