Cisco Prime Access Registrar 7.0 User Guide
May 15, 2015

Cisco Systems, Inc.
www.cisco.com

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word "partner" does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco Prime Access Registrar 7.0 User Guide
© 2014 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1  Overview  1-1
  Prime Access Registrar Hierarchy  1-2
  UserLists and Groups  1-3
  Profiles  1-3
  Scripts  1-3
  Services  1-3
  Session Management Using Resource Managers  1-4
  Prime Access Registrar Directory Structure  1-5
  Program Flow  1-6
  Scripting Points  1-6
  Client Scripting  1-7
  Client or NAS Scripting Points  1-7
  Authentication and/or Authorization Scripting Points  1-8
  Session Management  1-8
  Failover by the NAS and Session Management  1-9
  Cross Server Session and Resource Management  1-9
  Script Processing Hierarchy  1-11
  RADIUS Protocol  1-12
  Steps to Connection  1-13
  Types of RADIUS Messages  1-14
  Packet Contents  1-14
  The Attribute Dictionary  1-15
  Proxy Servers  1-15
  Service and Ports Used in Prime Access Registrar  1-16
  Secure Shell Service  1-16
  Ports  1-16
  Related Documentation  1-21
  Obtaining Documentation and Submitting a Service Request  1-21

CHAPTER 2  Using the aregcmd Commands  2-1
  General Command Syntax  2-1
  View-Only Administrator Mode  2-2
  ViewOnly Property  2-3
  Configuration Objects  2-3
  aregcmd Command Performance  2-3
  RPC Bind Services  2-4
  aregcmd Commands  2-4
  add  2-5
  cd  2-5
  delete  2-6
  exit  2-6
  filter  2-6
  find  2-6
  help  2-7
  insert  2-7
  login  2-7
  logout  2-7
  ls  2-8
  next  2-8
  prev  2-8
  pwd  2-9
  query-sessions  2-9
  quit  2-9
  release-sessions  2-9
  reload  2-10
  reset-stats  2-10
  save  2-10
  set  2-11
  start  2-12
  stats  2-12
  status  2-15
  stop  2-15
  tacacs-stats  2-16
  tacacs-reset-stats  2-16
  dia-stats  2-16
  dia-stats-reset  2-18
  trace  2-18
  trace-file-count  2-19
  unset  2-19
  validate  2-20
  OpenSSL Commands  2-20
  ecparam  2-20
  req  2-21
  ca  2-21
  aregcmd Command Logging  2-21
  aregcmd Command Line Editing  2-22
  aregcmd Error Codes  2-22

CHAPTER 3  Using the Graphical User Interface  3-1
  Launching the GUI  3-1
  Disabling HTTP  3-2
  Disabling HTTPS  3-2
  Login Page  3-3
  Logging In  3-3
  Logging Out  3-4
  Common Methodologies  3-4
  Filtering Records  3-4
  Editing Records  3-5
  Deleting Records  3-5
  Setting Record Limits per Page  3-6
  Performing Common Navigations  3-6
  Relocating Records  3-7
  Dashboard  3-8
  Sessions  3-8
  Configuring Cisco Prime Access Registrar  3-9
  RADIUS  3-10
  Setting Up or Changing the Radius Properties  3-11
  Profiles  3-11
  Adding Profile Details  3-12
  UserGroups  3-12
  Adding UserGroup Details  3-14
  UserList  3-14
  Adding UserList Details  3-15
  Users  3-16
  Adding User Details  3-17
  Scripts  3-18
  Adding Script Details  3-21
  Policies  3-22
  Adding Policy Details  3-22
  Services  3-22
  Simple Services  3-23
  ServiceWithRS  3-30
  PEAP Service  3-34
  EAP Service  3-38
  Diameter Service  3-47
  CommandSets  3-52
  Adding a Command Set  3-52
  DeviceAccessRules  3-53
  Adding a Device Access Rule  3-53
  FastRules  3-54
  Adding a Fast Rule  3-54
  Replication  3-55
  Adding Replication Details  3-56
  Adding the Replication Member Details  3-57
  RADIUSDictionary  3-57
  Adding RADIUS Dictionary Details  3-58
  VendorDictionary  3-58
  Adding Vendor Dictionary Details  3-59
  Vendor Attributes  3-60
  Adding Vendor Attributes  3-60
  Vendors  3-61
  Adding Vendor Details  3-61
  Translations  3-62
  Adding Translation Details  3-63
  TranslationGroups  3-64
  Adding Translation Group Details  3-64
  Diameter  3-65
  General  3-65
  Session Management  3-67
  Applications  3-69
  Commands  3-70
  DiameterAttributes  3-71
  Advanced  3-72
  Default  3-73
  BackingStore/ServerParam  3-78
  RemoteSessionServer  3-83
  SNMP  3-85
  DDNS  3-88
  ODBC DataSources  3-89
  Log  3-90
  Ports  3-92
  Interfaces  3-93
  Attribute Groups  3-94
  Rules  3-95
  Setting Rules  3-96
  SessionManagers  3-96
  Adding Session Manager Details  3-99
  ResourceManager  3-99
  Adding Resource Manager Details  3-107
  Network Resources  3-108
  Clients  3-108
  Adding Client Details  3-113
  Remote Servers  3-113
  LDAP  3-114
  LDAP Accounting  3-118
  ODBC/OCI  3-121
  ODBC/OCI-Accounting  3-123
  Diameter  3-125
  Others  3-128
  Administration  3-134
  Administrators  3-134
  Adding Administrator Details  3-135
  Statistics  3-135
  Resetting Server Statistics  3-138
  DiameterStatistics  3-138
  TACACSStatistics  3-142
  Back Up and Restore  3-143
  LicenseUpload  3-143
  Read-Only GUI  3-144

CHAPTER 4  Cisco Prime Access Registrar Server Objects  4-1
  Radius  4-2
  UserLists  4-3
  Users  4-4
  HiddenAttributes Property  4-5
  UserGroups  4-5
  Policies  4-6
  Clients  4-6
  Vendors  4-10
  Scripts  4-11
  Services  4-12
  Types of Services  4-13
  EAP Services  4-13
  File  4-14
  Group  4-15
  Java  4-17
  LDAP  4-17
  Local  4-18
  ODBC  4-19
  ODBC-Accounting  4-19
  Prepaid Services  4-19
  RADIUS  4-20
  Radius Query  4-20
  RADIUS-Session  4-24
  Rex  4-24
  WiMAX  4-25
  Diameter  4-25
  M3UA  4-32
  Session Managers  4-33
  Session Creation  4-36
  Session Notes  4-36
  Soft Group Session Limit  4-37
  Session Correlation Based on User-Defined Attributes  4-38
  Resource Managers  4-38
  Types of Resource Managers  4-39
  Group-Session-Limit  4-40
  Home-Agent  4-40
  Home-Agent-IPv6  4-40
  IP-Dynamic  4-40
  IP-Per-NAS-Port  4-41
  IPX-Dynamic  4-41
  Session-Cache  4-41
  Subnet-Dynamic  4-42
  User-Session-Limit  4-43
  USR-VPN  4-43
  Dynamic-DNS  4-44
  Remote-IP-Dynamic  4-44
  Remote-User-Session-Limit  4-44
  Remote-Group-Session-Limit  4-44
  Remote-Session-Cache  4-44
  3GPP  4-44
  Profiles  4-45
  Attributes  4-45
  Translations  4-46
  TranslationGroups  4-47
  Remote Servers  4-47
  Types of Protocols  4-48
  Dynamic DNS  4-49
  LDAP  4-50
  Map-Gateway  4-52
  Sigtran  4-53
  ODBC  4-54
  ODBC-Accounting  4-56
  OCI  4-56
  OCI-Accounting  4-57
  Prepaid-CRB  4-57
  Prepaid-IS835C  4-57
  RADIUS  4-57
  SIGTRAN-M3UA  4-58
  Rules  4-58
  Advanced  4-58
  RemoteODBCSessionServer  4-73
  Using the RequireNASsBehindProxyBeInClientList Property  4-75
  Advance Duplicate Detection Feature  4-75
  Invalid EAP Packet Processing  4-75
  Ports  4-76
  Interfaces  4-76
  Reply Messages  4-76
  Attribute Dictionary  4-78
  Types  4-79
  Vendor Attributes  4-79
  SNMP  4-79
  Diameter  4-80
  Configuring Diameter Transport Management Properties  4-81
  Configuring Diameter Session Management  4-83
  Configuring Diameter Application  4-84
  Configuring Diameter Commands  4-85
  Configuring Diameter Dictionary  4-91


CHAPTER 5  Using the radclient Command  5-1
  radclient Command Syntax  5-1
  Working with Packets  5-2
  Creating Packets  5-2
  Creating CHAP Access-Request Packets  5-3
  Viewing Packets  5-3
  Sending Packets  5-3
  Creating Empty Packets  5-4
  Setting Packet Fields  5-4
  Reading Packet Fields  5-5
  Deleting Packets  5-5
  Attributes  5-5
  Creating Attributes  5-5
  Setting Multivalued Attributes  5-6
  Viewing Attributes  5-6
  Getting Attribute Information  5-7
  Deleting Attributes  5-7
  Using the radclient Command  5-7
  Example 1  5-7
  Example 2  5-8
  Example 3  5-9
  Using radclient Test Commands  5-10
  radclient Variables  5-10
  Using timetest  5-10
  Using callsPerSecond  5-11
  Additional radclient Variables  5-12

CHAPTER 6  Configuring Local Authentication and Authorization  6-1
  Configuring a Local Service and UserList  6-1
  Configuring a Local Service  6-2
  Configuring a Userlist  6-3
  Configuring Cisco Prime Access Registrar to Use the Local Service For AA  6-3
  Activating the Configuration  6-4
  Troubleshooting the Local Service and UserList Configuration  6-4
  Verifying the Configuration  6-4
  Configuring Return Attributes and Check-Items  6-6
  Configuring Per User Return Attributes  6-6
  Configuring Per User Check-Items  6-7
  Verifying the Per User Return Attributes and Check-Items Configuration  6-7
  Configuring Profiles to Group Attributes  6-8
  Configuring Return Attributes and Check-Items Using UserGroup  6-9
  Return Attribute Precedence  6-10
  aregcmd Command Performance  6-10
  UserDefined1 Property  6-11
  Access-Request Logging  6-11

CHAPTER 7  RADIUS Accounting  7-1
  Understanding RADIUS Accounting  7-1
  Setting Up Accounting  7-2
  Accounting Log File Rollover  7-2
  FilenamePrefix  7-3
  MaxFileSize  7-3
  MaxFileAge  7-4
  RolloverSchedule  7-4
  UseLocalTimeZone  7-5
  Oracle Accounting  7-5
  Configuring Oracle Accounting  7-6
  ODBC-Accounting Service  7-6
  ODBC RemoteServers  7-6
  Configuration Examples  7-8
  Packet Buffering  7-9
  When Using Packet Buffering  7-10
  With Packet Buffering Disabled  7-10
  Dynamic SQL Feature  7-10
  LDAP Accounting  7-11
  Configuring LDAP Accounting  7-11
  LDAP-Accounting Service  7-11
  LDAP RemoteServers  7-12
  Configuration Examples  7-14
  Configuring the LDAP Service for Accounting  7-15
  Configuring an LDAP-Accounting RemoteServer  7-16
  Setting LDAP-Accounting As Accounting Service  7-18
  MySQL Support  7-19
  Configuring MySQL  7-19
  Example Configuration  7-20
  Proxying Accounting Records  7-20
  Configuring the Local Cisco Prime Access Registrar Server  7-21
  Configuring the Local Accounting Service  7-21
  Configuring the Remote Accounting Service  7-21
  Configuring the Group Accounting Service  7-22
  Configuring the RemoteServer Object  7-22
  Accounting Log Examples  7-23
  Accounting-Start Packet  7-23
  Accounting Stop Packet  7-23
  Trace of Successful Accounting  7-23
  Sample Error Messages  7-24

CHAPTER 8  Diameter  8-1
  Diameter with EAP Support  8-2
  Advertising Application Support  8-2
  Diameter EAP Conversation Flow  8-2
  Diameter Server Startup Log  8-3
  Diameter Stack Level Messages  8-4
  Capabilities Exchange Message  8-5
  Watchdog Message  8-6
  Disconnect Message  8-6
  Configuring Authentication and Authorization for Diameter  8-6
  Configuring Local Authentication and Authorization  8-6
  Configuring a Local Service and UserList  8-7
  Configuring External Authentication Service  8-8
  Configuring the Diameter Application in Prime Access Registrar  8-8
  Configuring the Transport Management Properties  8-9
  Registering Applications IDs  8-10
  Configuring the Diameter Peers  8-11
  Configure the Diameter Service  8-12
  Writing Diameter Application in Prime Access Registrar  8-15
  Configuring rex script/service for Diameter  8-16
  Scripting in Diameter  8-16
  Diameter Environment Variables  8-17
  Sample rex script/service  8-17
  Traces/Logs  8-18
  Translation Framework for Diameter  8-19
  TLS Support for Diameter  8-20
  Managing Diameter Sessions  8-22


CHAPTER 9  Extensible Authentication Protocols  9-1
  EAP-AKA  9-2
  Configuring EAP-AKA  9-2
  Testing EAP-AKA with radclient  9-6
  EAP-AKA-Prime (EAP-AKA)  9-6
  Configuring EAP-AKA  9-7
  Testing EAP-AKA with radclient  9-8
  EAP-FAST  9-8
  Configuring EAP-FAST  9-9
  EAP-FAST Keystores  9-12
  Testing EAP-FAST with radclient  9-13
  PAC Provisioning  9-14
  Authentication  9-14
  Parameters Used for Certificate-Based Authentication  9-15
  radclient Command Reference  9-16
  PACCredential Export Utility  9-18
  PAC Export  9-18
  PAC Display  9-19
  Syntax Summary  9-19
  EAP-GTC  9-19
  Configuring EAP-GTC  9-19
  Testing EAP-GTC with radclient  9-20
  EAP-LEAP  9-21
  Configuring EAP-LEAP  9-21
  EAP-MD5  9-22
  Configuring EAP-MD5  9-22
  EAP-Negotiate  9-23
  Configuring EAP-Negotiate  9-23
  Negotiating PEAP Tunnel Services  9-24
  Testing EAP-Negotiate with radclient  9-24
  EAP-MSChapV2  9-24
  Configuring EAP-MSChapV2  9-24
  Testing EAP-MSChapV2 with radclient  9-25
  EAP-SIM  9-26
  Configuring EAP-SIM  9-26
  Quintets to Triplets Conversion  9-30
  EAP-Transport Level Security (TLS)  9-31
  Configuring EAP-TLS  9-31
  Testing EAP-TLS with RSA or ECC Certificate using radclient  9-34
  Testing EAP-TLS with Client Certificates  9-34
  EAP-TTLS  9-34
  Configuring EAP-TTLS  9-35
  Creating an EAP-TTLS Service  9-35
  Configuring an EAP-TTLS Authentication Service  9-38
  Testing EAP-TTLS with radclient  9-41
  Testing EAP-TTLS Using Legacy Methods  9-42
  Testing EAP-TTLS Using EAP Methods  9-42
  rehash-ca-certs Utility  9-43
  radclient Command Reference  9-43
  eap-trace  9-44
  tunnel  9-44
  Protected EAP  9-45
  PEAP Version 0  9-45
  Configuring PEAP Version 0  9-45
  Testing PEAP Version 0 with radclient  9-49
  Testing PEAP Version 0 with Client Certificates  9-49
  PEAP Version 1  9-50
  Configuring PEAP Version 1  9-50
  Testing PEAP Version 1 with radclient  9-52
  Testing PEAP Version 1 with Client Certificates  9-53
  How to Configure Oracle, Mysql Accounting with the Buffering Option Enabled  9-53
  To Select the SQL Statement in Run Time Accounting  9-53
  Query  9-53
  Insert  9-54
  Update  9-54
  Delete  9-54
  Configuring Oracle, Mysql Accounting  9-55
  How Suffix and Prefix Rules Work with Prime Access Registrar  9-56
  Configuring Prefix and Suffix Policies  9-56
  CRL Support for Cisco Prime Access Registrar  9-57
  Configuring Certificate Validation Using CRL  9-58
  Using Intermediate Certificates in Prime Access Registrar  9-58
  Rolling Encryption Support for Pseudonym Generation in EAP-SIM, EAP-AKA, and EAP-AKA Services  9-60

CHAPTER 10  Using WiMAX in Cisco Prime Access Registrar  10-1
  WiMAX - An Overview  10-1
  WiMAX in Cisco Prime Access Registrar  10-2
  Direct Interaction Between the ASN GW and Cisco Prime Access Registrar  10-3
  Interaction Between ASN GW and Cisco Prime Access Registrar Through HA  10-6
  Prepaid and Hot-Lining  10-7
  Configuring WiMAX in Cisco Prime Access Registrar  10-7
  Configuring the Resource Manager for WiMAX  10-8
  Configuring the Session Manager for WiMAX  10-9
  Configuring the Query Service for WiMAX  10-9
  Configuring WiMAX  10-10
  WiMAX - OMA-DM Provisioning Support with BEK Key  10-11

CHAPTER 11  Using Extension Points  11-1
  Determining the Goal of the Script  11-1
  Writing the Script  11-2
  Choosing the Type of Script  11-3
  Request Dictionary Script  11-3
  Response Dictionary Script  11-4
  Environment Dictionary Script  11-4
  Adding the Script Definition  11-5
  Adding the Example Script Definition  11-5
  Choosing the Scripting Point  11-6
  Testing the Script  11-6
  About the Tcl/Tk 8.3 Engine  11-6
  Cisco Prime Access Registrar Scripts  11-6
  ACMEOutgoingScript  11-8
  AltigaIncomingScript  11-8
  AltigaOutgoingScript  11-8
  ANAAAOutgoing  11-8
  AscendIncomingScript  11-8
  AscendOutgoingScript  11-9
  AuthorizePPP  11-9
  AuthorizeService  11-9
  AuthorizeSLIP  11-9
  AuthorizeTelnet  11-9
  CabletronIncoming  11-9
  CabletronOutgoing  11-9
  CiscoIncoming  11-9
  CiscoOutgoing  11-10
  CiscoWithODAPIncomingScript  11-10
  ExecCLIDRule  11-10
  ExecDNISRule  11-10
  ExecFilterRule  11-10
  ExecNASIPRule  11-10
  ExecRealmRule  11-10
  ExecTimeRule  11-11
  LDAPOutage  11-11
  MapSourceIPAddress  11-11
  ParseAAARealm  11-11
  ParseAAASRealm  11-12
  ParseAARealm  11-12
  ParseAASRealm  11-12
  ParseProxyHints  11-12
  ParseServiceAndAAARealmHints  11-12
  ParseServiceAndAAASRealmHints  11-12
  ParseServiceAndAARealmHints  11-13
  ParseServiceAndAASRealmHints  11-13
  ParseServiceAndProxyHints  11-13
  ParseServiceHints  11-13
  ParseTranslationGroupsByCLID  11-13
  ParseTranslationGroupsByDNIS  11-13
  ParseTranslationGroupsByRealm  11-14
  UseCLIDAsSessionKey  11-14
  USRIncomingScript  11-14
  USRIncomingScript-IgnoreAccountingSignature  11-14
  USROutgoingScript  11-14
  Internal Scripts  11-14
  Extension Points in Cisco Prime Access Registrar  11-16

CHAPTER 12  Using Replication  12-1
  Replication Overview  12-1
  How Replication Works  12-2
  Replication Data Flow  12-3
  Master Server  12-3
  Slave Server  12-3
  Security  12-4
  Replication Archive  12-4
  Ensuring Data Integrity  12-4
  Transaction Data Verification  12-4
  Transaction Order  12-5
  Automatic Resynchronization  12-5
  Full Resynchronization  12-5
  Understanding Hot-Configuration  12-6
  Replication's Impact on Request Processing  12-6
  Replication Configuration Settings  12-6
  RepType  12-7
  RepTransactionSyncInterval  12-7
  Master  12-7
  Slave  12-7
  RepTransactionArchiveLimit  12-8
  RepIPAddress  12-8
  RepPort  12-8
  RepSecret  12-8
  RepIsMaster  12-9
  RepMasterIPAddress  12-9
  RepMasterPort  12-9
  Rep Members Subdirectory  12-9
  Rep Members/Slave1  12-9
  Name  12-9
  IPAddress  12-9
  Port  12-10
  Setting Up Replication  12-10
  Configuring The Master  12-10
  Configuring The Member  12-11
  Verifying the Configuration  12-12
  Replication Example  12-13
  Adding a User  12-13
  Master Server's Log  12-13
  Member Server's Log  12-13
  Verifying Replication  12-14
  Master Server's Log  12-14
  Member Server's Log  12-14
  Using aregcmd -pf Option  12-14
  Master Server's Log  12-15
  Member Server's Log  12-15
  An Automatic Resynchronization Example  12-16
  Master Server's Log  12-16
  Member Server's Log  12-17
  Full Resynchronization  12-17
  Replication Setup with More Than One Slave  12-19
  Frequently Asked Questions  12-19
  Replication Log Messages  12-21
  Information Log Messages  12-21
  Warning Log Messages  12-22
  Error Log Messages  12-23
  Log Messages You Should Never See  12-25

CHAPTER 13  Using On-Demand Address Pools  13-1
  Cisco-Incoming Script  13-3
  How the Script Works  13-3
  CiscoWithODAPIncomingScript  13-3
  Vendor Type CiscoWithODAP  13-4
  Configuring Cisco Prime Access Registrar to Work with ODAP  13-5
  Configuring Prime Access Registrar to work with ODAP  13-5
  Configuring the ODAP Detailed Instructions  13-5
  Setting Up an ODAP UserList  13-5
  Adding ODAP Users  13-6
  Setting Up an ODAP-Users Service  13-7
  Setting Up an ODAP Accounting Service  13-8
  Adding Session Managers  13-8
  Setting Up Resource Managers  13-9
  Configuring Session Managers  13-14
  Configure Clients  13-15
  Save Your Configuration  13-16

CHAPTER 14  Using Identity Caching  14-1
  Overview  14-1
  Identity Caching Features  14-2
  Configuring Cisco Prime Access Registrar for Identity Caching  14-3
  Starting Identity Caching  14-6
  XML Interface  14-8

CHAPTER 15  Using Trusted ID Authorization with SESM  15-1
  Trusted ID Operational Overview  15-1
  Configuration Overview  15-2
  Request Processing  15-2
  Session Cache Life Cycle  15-3
  Configuration Restrictions  15-3
  Software Requirements  15-4
  Installing Cisco Prime Access Registrar  15-4
  Running the TrustedIdInstall Program  15-4
  Using the TrustedIdInstall.bin GUI  15-4
  Using the TrustedIdInstall Command Line  15-8
  Configuring Cisco Prime Access Registrar for Trusted Identity with SESM  15-12
  Configuring the RADIUS Ports  15-12
  Configuring NAS Clients  15-13
  Configuring AAA and SPE Services  15-13
  Configuration Imported by TrustedIdInstall Program  15-13
  /Radius  15-14
  /radius/services/spe  15-14
  /radius/services/trusted-id  15-14
  /Radius/SessionManagers/session-cache/  15-14
  /radius/ResourceManagers/session-cache  15-14
  /radius/advanced/  15-14
  /Radius/Scripts/ChangeServiceType  15-15
  Configuring EAP-MD5 Authentication  15-15
  Creating the CheckEap.tcl Script  15-15
  Adding the CheckEap.tcl Script  15-16
  Using the CheckEap.tcl Script  15-16
  Adding the EAP-MD5 Authentication Service  15-17
  Adding an LDAP Remote Server  15-17
  Adding an LDAP Service  15-18
  Saving the Configuration and Reloading the Server  15-19
  Cisco SSG VSAs in Cisco Prime Access Registrar Dictionary  15-20

CHAPTER 16  Using Prepaid Billing  16-1
  Overview  16-2
  IS835C Prepaid Billing  16-2
  Configuring IS835C Prepaid Billing  16-3
  Setting Up a Prepaid Billing RemoteServer  16-3
  Setting Up an IS835C Prepaid Service  16-4
  Setting Up Local Authentication  16-5
  Setting Up an Authentication Group Service  16-5
  CRB Prepaid Billing  16-7
  Configuring CRB Prepaid Billing  16-8
  Setting Up a Prepaid Billing RemoteServer  16-8
  Setting Up a CRB Prepaid Service  16-9
  Setting Up a Local Accounting Service  16-11
  Setting Up a Local Authentication Service  16-12
  Setting Up a Prepaid Accounting Group Service  16-13
  Setting Up an Authentication Group Service  16-14
  Configuring CRB Prepaid Billing for SSG  16-15
  Generic Call Flow  16-18
  Access-Request (Authentication)  16-19
  Access-Accept (Authentication)  16-20
  Access-Request (Authorization)  16-20
  Access-Accept (Authorization)  16-21
  Accounting-Start  16-22
  Data Flow  16-22
  Access-Request (Quota Depleted)  16-22
  Accept-Accept (Quota Depleted)  16-23
  Accounting Stop (Session End)  16-23
  Accounting Response (Final Status)  16-23
  Vendor-Specific Attributes  16-25
  Implementing the Prepaid Billing API  16-27

CHAPTER 17  Using Cisco Prime Access Registrar Server Features  17-1
  Incoming Traffic Throttling  17-2
  MaximumIncomingRequestRate  17-2
  MaximumOutstandingRequests  17-2
  Backing Store Parsing Tool  17-3
  Configurable Worker Threads Enhancement  17-4
  Session-Key Lookup  17-5
  Query-Notify  17-6
  Call Flow  17-7
  Configuration Examples  17-8
  Memory and Performance Impact  17-9
  Support for Windows Provisioning Service  17-9
  Call Flow  17-10
  Example Configuration  17-10
  Environment Variables  17-11
  Master URL Fragments  17-11
  Unsupported Features  17-12
  Account Expiration and Renewal  17-12
  Password Changing and Force Update  17-13
  Command Completion  17-13
  Service Grouping Feature  17-14
  Configuration Example - AccountingGroupService  17-14
  Summary of Events  17-17
  Configuration Example 2 - AuthenticationGroupService  17-17
  Summary of Events  17-20
  SHA-1 Support for LDAP-Based Authentication  17-21
  Remote LDAP Server Password Encryption  17-21
  Dynamic Password Encryption  17-22
  Logs  17-23
  Dynamic Attributes  17-23
  Object Properties with Dynamic Support  17-23
  Dynamic Attribute Format  17-25
  Tunneling Support Feature  17-25
  Configuration  17-26
  Example  17-26
  Notes  17-26
  Validation  17-26
  xDSL VPI/VCI Support for Cisco 6400  17-27
  Using User-Name/User-Password for Each Cisco 6400 Device  17-27
  Format of the New User-Name Attribute  17-27
  Apply Profile in Cisco Prime Access Registrar Database to Directory Users  17-28
  User-Profile  17-28
  User-Group  17-29
  Example User-Profile and User-Group Attributes in Directory User Record  17-29
  Directory Multi-Value Attributes Support  17-29
  MultiLink-PPP (ML-PPP)  17-30
  Dynamic Updates Feature  17-31
  NAS Monitor  17-32
  Automatic Information Collection (arbug)  17-33
  Running arbug  17-33
  Files Generated  17-33
  Simultaneous Terminals for Remote Demonstration  17-34
  Support for RADIUS Check Item Attributes  17-34
  Configuring Check Items  17-34
  User-Specific Attributes  17-35
  Packet of Disconnect  17-36
  Configuring Packet of Disconnect  17-36
  Configuring the Client Object  17-36
  Configuring a Resource Manager for POD  17-37
  Proxying POD Requests from External Servers  17-38
  CLI Options for POD  17-38
  query-sessions  17-38
  release-sessions  17-39
  Configuring Change of Authorization Requests  17-39
  Configuring the Client Object  17-40
  Dynamic DNS  17-41
  Configuring Dynamic DNS  17-42
  Testing Dynamic DNS with radclient  17-43
  Dynamic Service Authorization Feature  17-44
  Configuring Dynamic Service Authorization Feature  17-44
  Setting Up the Environment Variable  17-45
  Remote Session Management  17-47
  Wx Interface Support for SubscriberDB Lookup  17-48
  Configuration Examples  17-48
  Smart Grid Solution Management  17-50
  Lawful Interception (LI) Support in Prime Access Registrar  17-50
  Configuring Lawful Intercept  17-56
  TACACS+ Support for AAA  17-57

CHAPTER 18  Directing RADIUS Requests  18-1
  Configuring Policies and Rules  18-1
  Configuring Policies  18-1
  Configuring Rules  18-2
  Wildcard Support  18-2
  Script and Attribute Requirements  18-3
  Validation  18-4
  Known Anomalies  18-4
  Routing Requests  18-4
  Routing Requests Based on Realm  18-4
  Routing Requests Based on DNIS  18-5
  Routing Requests Based on CLID  18-6
  Routing Requests Based on NASIP  18-7
  Routing Requests Based on User-Name Prefix  18-8
  Attribute Translation  18-9
  Translations  18-9
  TranslationGroups  18-9
  Parsing Translation Groups  18-10
  Time of Day Access Restrictions  18-11
  Setting Time Ranges in ExecTimeRule  18-12
  ExecTimeRule Example Configuration  18-12
  Reducing Overhead Using Policies to Group Rules  18-13
  Standard Scripts Used with Rules  18-15
  ExecRealmRule  18-15
  ExecDNISRule  18-16
  ExecCLIDRule  18-16
  ExecNASIPRule  18-17
  ExecPrefixRule  18-17
  ExecSuffixRule  18-18
  Configuring Suffix and Prefix Policies  18-19
  ExecTimeRule  18-20
  ParseTranslationGroupsByRealm  18-20
  ParseTranslationGroupsByDNIS  18-20
  ParseTranslationGroupsByCLID  18-21
  ParseTranslationGroupsByDNIS  18-21

CHAPTER 19  Using FastRules to Process Packet Flow  19-1
  Configuring FastRules  19-2

CHAPTER 20  Wireless Support  20-1
  Mobile Node-Home Agent Shared Key  20-1
  Use Case Example  20-1
  Configuring User Attributes  20-2
  3GPP2 Home Agent Support  20-3
  Home-Agent Resource Manager  20-3
  Load Balancing  20-3
  Querying and Releasing Sessions  20-4
  Access Request Requirements  20-5
  New 3GPP2 VSAs in the Cisco Prime Access Registrar Dictionary  20-5
  Session Correlation Based on User-Defined Attributes  20-5
  Managing Multiple Accounting Start/Stop Messages  20-6
  NULL Password Support  20-6
  3GPP Compliance  20-7
  SWa Access Authentication and Authorization  20-8
  STa Access Authentication and Authorization  20-8
  SWm Access Authentication and Authorization  20-9
  SWd Access Authentication and Authorization  20-9
  SWx Authentication Procedure  20-10
  HSS Initiated Update of User Profile  20-10
  S6b Authentication and Authorization Procedure  20-10
  3GPP Call Flows  20-11
  CLI for 3GPP Authorization  20-12
  CLI for 3GPP Reverse Authorization  20-12

CHAPTER 21  Using LDAP  21-1
  Configuring LDAP  21-1
  Configuring the LDAP Service  21-2
  MultipleServersPolicy  21-2
  RemoteServers  21-3
  Configuring an LDAP RemoteServer  21-3
  DNS Look Up and LDAP Rebind Interval  21-6
  LDAPToRadiusMappings  21-7
  LDAPToEnvironmentMappings  21-7
  LDAPToCheckItemMappings  21-7
  Setting LDAP As Authentication and Authorization Service  21-7
  Saving Your Configuration  21-7
  CHAP Interoperability with LDAP  21-8
  Allowing Special Characters in LDAP Usernames  21-8
  Dynamic LDAP Search Base  21-8
  Analyzing LDAP Trace Logs  21-9
  Successful Bind Message  21-9
  Bind Failure Messages  21-9
  Login Failure Messages  21-10
  Bind-Based Authentication for LDAP  21-11

CHAPTER 22  Using Open Database Connectivity  22-1
  Oracle Software Requirements  22-2
  Configuring ODBC/OCI  22-2
  Configuring an ODBC/OCI Service  22-6
  Configuring an ODBC/OCI RemoteServer  22-7
  ODBC Data Source  22-9
  SQL Definitions  22-9
  SQL Syntax Restrictions  22-10
  Specifying More Than One Search Key  22-10
  ODBCToRadiusMappings/OCIToRadiusMappings  22-11
  ODBCToEnvironmentMappings/OCIToEnvironmentMappings  22-11
  ODBCToCheckItemMappings/OCIToCheckItemMappings  22-11
  Configuring an ODBC DataSource  22-11
  Setting ODBC/OCI As Authentication and Authorization Service  22-12
  Setting ODBC/OCI As Accounting Service  22-13
  Saving Your Configuration  22-13
  Oracle Stored Procedures  22-13
  MySQL Support  22-15
  MySQL Driver  22-15
  Configuring a MySQL Datasource  22-15
  Example Configuration  22-17

CHAPTER 23  SIGTRAN-M3UA  23-1
  Prerequisites to SIGTRAN-M3UA  23-2
  Configuring EAP-AKA/EAP-SIM with SIGTRAN-M3UA  23-4
  ANSI Support for SIGTRAN  23-7
  Blacklisting IMSI Values  23-13
  Configuring M3UA Service  23-14
  Configuring M3UA Service with Map Restore Data Authorization  23-15
  Map Restore Data Authorization Flow  23-15
  CS Insert Subscriber Data Structure  23-16
  CLI Configuration for Map-Restore-Data  23-17
  Support for SCTP Multihoming in SIGTRAN-M3UA  23-22
  Tuning Global SIGTRAN Parameters  23-23
  SIGTRAN-M3UA Logs  23-25

CHAPTER 24  Using SNMP  24-1
  Overview  24-1
  Supported MIBs  24-1
  RADIUS-AUTH-CLIENT-MIB  24-2
  RADIUS-AUTH-SERVER-MIB  24-2
  RADIUS-ACC-CLIENT-MIB  24-2
  RADIUS-ACC-SERVER-MIB  24-2
  CISCO-DIAMETER-BASE-PROTOCOL-MIB  24-2
  Diameter SNMP and Statistics Support  24-3
  TACACS+ SNMP and Statistics Support  24-3
  SNMP Traps  24-3
  Supported Traps  24-4
  carServerStart  24-4
  carServerStop  24-4
  carInputQueueFull  24-4
  carInputQueueNotVeryFull  24-5
  carOtherAuthServerNotResponding  24-5
  carOtherAuthServerResponding  24-5
  carOtherAccServerNotResponding  24-6
  carOtherAccServerResponding  24-6
  carAccountingLoggingFailure  24-6
  carLicenseUsage  24-7
  carSigtranLicenseUsage  24-7
  carDiameterPeerDown  24-7
  carDiameterPeerUp  24-7
  Configuring Traps  24-7
  SNMP Configuration  24-8
  Configuring Trap Recipient  24-8
  Community String  24-8

    C H A P T E R 25 Enforcement of Licensing Models 25-1

    TPS Licensing Features 25-1Enforcement Rules 25-1Notification Logs 25-2Notification - SNMP Traps 25-2TPS Logging Feature 25-3

    Concurrent Session License Features 25-3Sessions Enforcement Rules 25-4Notification Logs 25-4Notification - SNMP Traps 25-5Session Logging Feature 25-5

    C H A P T E R 26 Backing Up the Database 26-1

    Configuration 26-1Command Line Utility 26-1

    Recovery 26-2

    mcdshadow Command Files 26-2


    CHAPTER 27 Using the REX Accounting Script 27-1
    Building and Installing the REX Accounting Script 27-1
    Configuring the Rex Accounting Script 27-2
    Specifying REX Accounting Script Options 27-4
    Example Script Object 27-5

    CHAPTER 28 Logging Syslog Messages 28-1
    Syslog Messages 28-1
    Example 1 28-2
    Example 2 28-2
    Configuring Message Logging 28-3
    Changing Log Directory 28-3
    Configuring Syslog Daemon (syslogd) 28-4
    Managing the Syslog File 28-4
    Using a cron Program to Manage the Syslog Files 28-5
    Server Up/Down Status Change Logging 28-5
    Header Formats 28-5
    Example Log Messages 28-6

    CHAPTER 29 Troubleshooting Cisco Prime Access Registrar 29-1
    Gathering Basic Information 29-1
    Troubleshooting Quick Checks 29-2
    Disk Space 29-2
    Resource Conflicts 29-2
    No Co-Existence With Cisco Network Registrar 29-2
    Port Conflicts 29-3
    Cisco Prime Access Registrar Log Files 29-3
    Modifying File Sizes for Agent Server and MCD Server Logs 29-3
    Using xtail to Monitor Log File Activity 29-4
    Modifying the Trace Level 29-4
    Installation and Server Process Start-up 29-5
    aregcmd and Cisco Prime Access Registrar Configuration 29-5
    Running and Stopped States 29-5
    RADIUS Request Processing 29-7
    Other Troubleshooting Techniques and Resources 29-7
    aregcmd Stats Command 29-7
    Core Files 29-8
    radclient 29-8


    Cisco Prime Access Registrar Replication 29-8
    Checking Prime Access Registrar Server Health Status 29-8

    APPENDIX A Cisco Prime Access Registrar Tcl, REX, and Java Dictionaries A-1
    Tcl Attribute Dictionaries A-1
    Attribute Dictionary Methods A-1
    Tcl Environment Dictionary A-4
    REX Attribute Dictionary A-5
    Attribute Dictionary Methods A-5
    REX Environment Dictionary A-11
    REX Environment Dictionary Methods A-11
    Java Attribute Dictionary A-13
    Java Attribute Dictionary Methods A-13
    Java Environment Dictionary A-16
    Java Environment Dictionary Methods A-16
    Interface Extension A-17
    Interface Extension Methods A-18
    Interface ExtensionforSession A-18
    Interface Extensionforsession Methods A-19
    Interface Extensionwithinitialization A-19
    Interface Extensionwithinitialization Methods A-20
    Interface ExtensionforSessionwithinitialization A-20
    Interface Extensionforsessionwithinitialization Methods A-20
    Interface MarkerExtension A-20
    Variables in the Marker Extension Interface A-21
    Class Sessionrecord A-24
    Session Record Methods A-24

    APPENDIX B Environment Dictionary B-1
    Cisco Prime Access Registrar Environment Dictionary Variables B-1
    Accepted-Profiles B-1
    Accounting-Service B-2
    Acquire-Dynamic-DNS B-2
    Acquire-Group-Session-Limit B-2
    Acquire-Home-Agent B-2
    Acquire-IP-Dynamic B-2
    Acquire-IPX-Dynamic B-2
    Acquire-IP-Per-NAS-Port B-2
    Acquire-Subnet-Dynamic B-3


    Acquire-User-Session-Limit B-3
    Acquire-USR-VPN B-3
    Allow-Null-Password B-3
    Authentication-Service B-3
    Authorization-Service B-3
    AuthorizationInfo B-3
    BackingStore-Env-Vars B-4
    Blacklisted-IMSI B-4
    Broadcast-Accounting-Packet B-4
    Cache-Attributes-In-Session B-4
    Current-Group-Count B-4
    Cache-Outer-Identity B-4
    Destination-IP-Address B-4
    Destination-Port B-4
    Dest-Translation-Type B-5
    Dest-Numbering-Plan B-5
    Dest-Encoding-Scheme B-5
    Dest-Nature-Of-Address B-6
    Dest-GT-Format B-6
    Diameter-Application-Id B-6
    Diameter-Command-Code B-6
    Disable-Accounting-On-Off-Broadcast B-7
    DSA-Response-Cache B-7
    Dynamic-DNS-HostName B-7
    Dynamic-Search-Filter B-7
    Dynamic-Search-Path B-7
    Dynamic-Search-Scope B-7
    Dynamic-Service-Loop-Limit B-7
    Dynamic-User-Password-Attribute B-7
    EAP-Actual-Identity B-8
    EAP-Authentication-Mode B-8
    Enforce-Traffic-Throttling B-8
    FetchAuthorizationInfo B-8
    Generate-BEK B-8
    Group-Session-Limit B-8
    HLR-GlobalTitle-Address B-8
    HLR-GlobalTitle-Cached B-8
    HLR-Translated-IMSI B-9
    Ignore-Accounting-Signature B-9
    IMSI B-9


    Incoming-Translation-Groups B-9
    Master-URL-Fragment B-9
    Misc-Log-Message-Info B-10
    MSISDN B-10
    Notification-Code B-10
    Notification-Service B-10
    Outgoing-Translation-Groups B-10
    Pager B-10
    PoD/CoA B-11
    Query-Service B-11
    Re-Accounting-Service B-11
    Re-Authentication-Service B-11
    Re-Authorization-Service B-11
    Reject-Reason B-12
    Remote-Server B-12
    Remove-Session-On-Acct-Stop B-12
    Remote-Servers-Tried B-12
    Request-Authenticator B-12
    Request-Type B-12
    Require-User-To-Be-In-Authorization-List B-13
    Response-Type B-13
    Retrace-Packet B-14
    Send-PEAP-URI-TLV B-14
    Session-Key B-14
    Session-Manager B-14
    Session-Notes B-14
    Session-Service B-14
    Set-Session-Mgr-And-Key-Upon-Lookup B-15
    Skip-Session-Management B-15
    Skip-Overriding-Username-With-LDAP-UID B-15
    Skip-Overriding-UserName-With-PEAPIdentity B-15
    Source-IP-Address B-15
    Source-Port B-15
    SQL-Sequence B-16
    Subnet-Size-If-No-Match B-16
    Trace-Level B-16
    Unavailable-Resource B-16
    Unavailable-Resource-Type B-16
    UserDefined1 B-16
    User-Authorization-Script B-16


    User-Group B-16
    User-Group-Session-Limit B-17
    User-Name B-17
    User-Profile B-17
    User-Session-Limit B-17
    Virtual-Server-Outgoing-Script B-17
    X509-Subject-Name B-17
    Internal Variables B-17

    APPENDIX C RADIUS Attributes C-1
    RADIUS Attributes C-1
    Cisco Prime Access Registrar Attributes C-1
    RADIUS Attributes Numeric List C-4
    Vendor-Specific Attributes C-13
    3GPP VSAs C-13
    3GPP2 VSAs C-15
    ACC VSAs C-22
    Altiga VSAs C-27
    Ascend VSAs C-30
    Bay Networks VSAs C-45
    Cabletron VSAs C-46
    Cisco Prime Access Registrar Internal VSAs C-46
    Cisco VSAs C-48
    Compatible VSAs C-51
    Microsoft VSAs C-51
    Nomadix VSAs C-53
    RedBack VSAs C-53
    RedCreek VSAs C-56
    TACACS+ VSAs C-56
    Telebit VSAs C-59
    Unisphere VSAs C-59
    USR VSAs C-60
    WiMax C-85
    WISPr C-85
    XML C-86

    APPENDIX D Support for REST API in Cisco Prime Access Registrar D-1
    REST API Framework D-1
    REST API Services D-1


    CoA and PoD REST APIs D-5

    INDEX


  • CHAPTER 1

    Overview

    This chapter provides an overview of the RADIUS server, including connection steps, RADIUS message types, and using Cisco Prime Access Registrar (Prime Access Registrar) as a proxy server.

    Prime Access Registrar is a 3GPP-compliant, 64-bit carrier-class RADIUS (Remote Authentication Dial-In User Service)/Diameter server that enables multiple dial-in Network Access Server (NAS) devices to share a common authentication, authorization, and accounting database.

    Prime Access Registrar handles the following tasks:

    Authentication: determines the identity of users and whether they can be allowed to access the network

    Authorization: determines the level of network services available to authenticated users after they are connected

    Accounting: keeps track of each user's network activity

    Session and resource management: tracks user sessions and allocates dynamic resources

    Using a RADIUS server allows you to better manage the access to your network, as it allows you to store all security information in a single, centralized database instead of distributing the information around the network in many different devices. You can make changes to that single database instead of making changes to every network access server in your network.

    Prime Access Registrar also allows you to manage the complex interconnections of the new network elements in order to:

    adequately manage the traffic

    perform appropriate load balancing for desired load distribution

    allow binding of different protocol interfaces corresponding to a subscriber/network element

    Service providers transform their 3G and 4G wireless networks with complex services, tiered charging, converged billing, and more by introducing increasing numbers and types of Diameter-based network elements. LTE and IMS networks are the most likely to implement these new network elements, including Policy and Charging Rules Functions (PCRF), Home Subscriber Servers (HSS), Mobility Management Entities (MME), Online Charging Systems (OCS), and others. As a result, as traffic levels grow, these wireless networks become more difficult to manage and scale without the Prime Access Registrar infrastructure.


    This chapter contains the following sections:

    Prime Access Registrar Hierarchy

    Prime Access Registrar Directory Structure

    Program Flow

    RADIUS Protocol

    Service and Ports Used in Prime Access Registrar

    Prime Access Registrar Hierarchy

    Prime Access Registrar's operation and configuration are based on a set of objects. These objects are arranged in a hierarchical structure much like the Windows 95 Registry or the UNIX directory structure. Prime Access Registrar's objects can themselves contain subobjects, just as directories can contain subdirectories. These objects include the following:

    Radius: the root of the configuration hierarchy

    UserLists: contains individual UserLists, which in turn contain users

    UserGroups: contains individual UserGroups

    Users: contains the individual authentication or authorization details of a user

    Clients: contains individual Clients

    Vendors: contains individual Vendors

    Scripts: contains individual Scripts

    Policies: contains a set of rules applied to an Access-Request

    Services: contains individual Services

    CommandSets: contains commands and the action to perform during Terminal Access Controller Access-Control System Plus (TACACS+) command authorization

    DeviceAccessRules: contains conditions or expressions and the applicable command sets for TACACS+ command authorization

    FastRules: provides a mechanism to easily choose the right authentication, authorization, accounting, and query service(s); drop, reject, or break flows; and choose the session manager or other rules required for processing a packet

    SessionManagers: contains individual Session Managers

    ResourceManagers: contains individual Resource Managers

    Profiles: contains individual Profiles

    RemoteServers: contains individual RemoteServers

    Advanced: contains Ports, Interfaces, Reply Messages, and the Attribute dictionary

    This section contains the following topics:

    UserLists and Groups

    Profiles

    Scripts

    Services

    Session Management Using Resource Managers


    UserLists and Groups

    Prime Access Registrar lets you organize your user community through the configuration objects UserLists, Users, and UserGroups.

    Use UserLists to group users by organization, such as Company A and Company B. Each list contains the actual names of the users.

    Use Users to store information about particular users, such as name, password, group membership, base profile, and so on.

    Use UserGroups to group users by function, such as PPP, Telnet, or multiprotocol users. Groups allow you to maintain common authentication and authorization requirements in one place, and have them referenced by many users.

    For more information about UserLists and UserGroups, see UserLists and Groups in Chapter 4, Cisco Prime Access Registrar Server Objects.

    Profiles

    Prime Access Registrar uses Profiles that allow you to group RADIUS attributes to be included in an Access-Accept packet. These attributes include values that are appropriate for a particular user class, such as a PPP or Telnet user. The user's base profile defines the user's attributes, which are then added to the response as part of the authorization process.

    Although you can use Group or Profile objects in a similar manner, choosing whether to use one rather than the other depends on your site. If you require some choice in determining how to authorize or authenticate a user session, then creating specific profiles, and specifying a group that uses a script to choose among the profiles, is more flexible. In such a situation, you might create a default group and then write a script that selects the appropriate profile based on the specific request. The benefit of this technique is that each user can have a single entry and use the appropriate profile depending on the way they log in.

    For more information about Profiles, see Profiles in Chapter 4, Cisco Prime Access Registrar Server Objects.

    Scripts

    Prime Access Registrar allows you to create scripts that you can execute at various points within the processing hierarchy.

    Incoming scripts: enable you to read and set the attributes of the request packet, and set or change the Environment dictionary variables. You can use the environment variables to control subsequent processing, such as specifying the use of a particular authentication service.

    Outgoing scripts: enable you to modify attributes returned in the response packet.

    For more information about Scripts, see Scripts in Chapter 4, Cisco Prime Access Registrar Server Objects.

    Services

    Prime Access Registrar uses Services to let you determine how authentication, authorization, and/or accounting are performed.


    For example, to use Services for authentication:

    When you want the authentication to be performed by the Prime Access Registrar RADIUS server, you can specify the local service. In this case, you must specify a specific UserList.

    When you want the authentication performed by another server, which might run an independent application on the same or different host than your RADIUS server, you can specify either a radius, ldap, or tacacs-udp service. In this case, you must list these servers by name.

    When you have specified more than one authentication service, Prime Access Registrar determines which one to use for a particular Access-Request by checking the following:

    When an incoming script has set the Environment dictionary variable Authentication-Service with the name of a Service, Prime Access Registrar uses that service.

    Otherwise, Prime Access Registrar uses the default authentication service. The default authentication service is a property of the Radius object.

    Prime Access Registrar chooses the authentication service based on the variable Authentication-Service, or the default. The properties of that Service specify many of the details of the authentication process, such as the specific user list to use or the specific application (possibly remote) to use for authentication.

    For more information about Services, see Services in Chapter 4, Cisco Prime Access Registrar Server Objects.
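How the Scripts and Services described above fit together, as an added model written for this guide rather than code from Prime Access Registrar: a request is accepted only from a configured client; the server, vendor, and client incoming scripts run in that order; an Authentication-Service set in the Environment dictionary by a script takes precedence over DefaultAuthenticationService; and authorization uses the same Service when the two names match, or the second Service when they differ. The client address, the Service names, the users and passwords, and the realm_selector script are all constructed for the example. Real Services of type radius, ldap, or tacacs-udp would contact a remote server; this model replaces them with local UserLists so that it runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# A script receives the Request, Response and Environment dictionaries (plain dicts here).
Script = Callable[[dict, dict, dict], None]


@dataclass
class Service:
    """Model of a Service of type local: a UserList plus per-user profile attributes."""
    name: str
    userlist: Dict[str, str]              # User-Name -> password (constructed test data only)
    profiles: Dict[str, Dict[str, str]]   # User-Name -> attributes returned in the Access-Accept

    def authenticate(self, user: str, password: str) -> bool:
        return self.userlist.get(user) == password

    def authorize(self, user: str) -> Dict[str, str]:
        return dict(self.profiles.get(user, {}))


@dataclass
class RadiusConfig:
    """The parts of the Radius object this flow needs; names follow the /Radius hierarchy."""
    clients: Dict[str, dict]                  # source IP -> {Name, Vendor, IncomingScript}
    vendors: Dict[str, Optional[Script]]      # Vendor -> its IncomingScript
    services: Dict[str, Service]
    default_authentication_service: str       # /Radius/DefaultAuthenticationService
    default_authorization_service: str        # /Radius/DefaultAuthorizationService
    incoming_script: Optional[Script] = None  # /Radius/IncomingScript


def realm_selector(request: dict, response: dict, environ: dict) -> None:
    """Constructed incoming script: route the partner realm to its own Services."""
    if request.get("User-Name", "").endswith("@partner.example"):
        environ["Authentication-Service"] = "partner-users"
        environ["Authorization-Service"] = "partner-profiles"


def process_access_request(cfg: RadiusConfig, src_ip: str, request: dict) -> Tuple[str, dict, dict]:
    """Run one Access-Request through the flow; returns (result, response, environ)."""
    response: dict = {}
    environ: dict = {}
    client = cfg.clients.get(src_ip)
    if client is None:
        return "Dropped", response, environ   # source address not listed under /Radius/Clients

    # Scripting points in order: server, then vendor, then client incoming script.
    for script in (cfg.incoming_script,
                   cfg.vendors.get(client.get("Vendor", "")),
                   client.get("IncomingScript")):
        if script is not None:
            script(request, response, environ)

    # A script-set Authentication-Service overrides the Radius object's default.
    authn_name = environ.get("Authentication-Service", cfg.default_authentication_service)
    authz_name = environ.get("Authorization-Service", cfg.default_authorization_service)
    user = request.get("User-Name", "")
    if not cfg.services[authn_name].authenticate(user, request.get("User-Password", "")):
        return "Access-Reject", response, environ

    # Same Service: one step performs both; different Services: authorize with the second one.
    response.update(cfg.services[authz_name].authorize(user))
    return "Access-Accept", response, environ


def build_config() -> RadiusConfig:
    """Constructed configuration: one client, a default local Service, and a partner realm."""
    return RadiusConfig(
        clients={"192.0.2.1": {"Name": "nas1", "Vendor": "Cisco", "IncomingScript": None}},
        vendors={"Cisco": None},
        services={
            "local-users": Service("local-users", {"alice": "s3cret"},
                                   {"alice": {"Service-Type": "Framed-User"}}),
            "partner-users": Service("partner-users", {"bob@partner.example": "pa55"}, {}),
            "partner-profiles": Service("partner-profiles", {},
                                        {"bob@partner.example": {"Service-Type": "Login-User"}}),
        },
        default_authentication_service="local-users",
        default_authorization_service="local-users",
        incoming_script=realm_selector,
    )


if __name__ == "__main__":
    cfg = build_config()
    for req in ({"User-Name": "alice", "User-Password": "s3cret"},
                {"User-Name": "bob@partner.example", "User-Password": "pa55"}):
        print(req["User-Name"], process_access_request(cfg, "192.0.2.1", req)[0])
```

Because bob's realm is steered to partner-users for authentication and partner-profiles for authorization, the model takes the "Services are different" path from the scripting-point tables: the second Service contributes the reply attributes even though it holds no passwords at all.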

    Session Management Using Resource Managers

    Prime Access Registrar lets you track user sessions, and/or allocate dynamic resources to users for the lifetime of their session. You can define one or more Session Managers, and have each one manage the sessions for a particular group or company.

    Session Managers use Resource Managers, which in turn manage resources of a particular type as described below.

    IP-Dynamic: manages a pool of IP addresses and allows you to dynamically allocate IP addresses from that pool

    IP-Per-NAS-Port: allows you to associate ports to specific IP addresses, and thus ensure each NAS port always gets the same IP address

    IPX-Dynamic: manages a pool of IPX network addresses

    Subnet-Dynamic: manages a pool of subnet addresses

    Group-Session-Limit: manages concurrent sessions for a group of users; that is, it keeps track of how many sessions are active and denies new sessions after the configured limit has been reached

    User-Session-Limit: manages per-user concurrent sessions; that is, it keeps track of how many sessions each user has and denies the user a new session after the configured limit has been reached

    Home-Agent: manages a pool of on-demand IP addresses

    USR-VPN: manages Virtual Private Networks (VPNs) that use USR NAS Clients

    Home-Agent-IPv6: manages a pool of on-demand IPv6 addresses

    Remote-IP-Dynamic: manages a pool of IP addresses and allows you to dynamically allocate IP addresses from that pool. It internally works with a remote ODBC database.

    Remote-User-Session-Limit: manages per-user concurrent sessions; that is, it keeps track of how many sessions each user has and denies the user a new session after the configured limit has been reached. It internally works with a remote ODBC database.


    Remote-Group-Session-Limit: manages concurrent sessions for a group of users; that is, it keeps track of how many sessions are active and denies new sessions after the configured limit has been reached. It internally works with a remote ODBC database.

    Session Cache: allows you to define the RADIUS attributes to store in cache.

    Dynamic-DNS: manages the DNS server.

    Remote-Session-Cache: allows you to define the RADIUS attributes to store in cache. It should be used with a Session Manager of type 'remote'.

    3GPP: allows you to define the attribute for 3GPP authorization.

    For more information about Session Managers, see Session Managers in Chapter 4, Cisco Prime Access Registrar Server Objects.

    If necessary, you can create a complex relationship between the Session Managers and the Resource Managers.

    When you need to share a resource among Session Managers, you can create multiple Session Managers that refer to the same Resource Manager. For example, if one pool of IP addresses is shared by two departments, but each department has a separate policy about how many users can be logged in concurrently, you might create two Session Managers and three Resource Managers: one dynamic IP Resource Manager that is referenced by both Session Managers, and two concurrent session Resource Managers, one for each Session Manager.

    In addition, Prime Access Registrar lets you pose queries about sessions. For example, you can query Prime Access Registrar about which session (and thus which NAS-Identifier, NAS-Port and/or User-Name) owns a particular resource, as well as query Prime Access Registrar about how many resources are allocated or how many sessions are active.
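The shared-pool arrangement just described, as an added illustrative model rather than Prime Access Registrar's own code: a Session Manager asks each of its Resource Managers in turn to allocate, and if any of them refuses it gives back what was already granted (so a rejected Access-Request never leaks an IP address or leaves a session count inflated); an Accounting-Stop, or a manual release such as the aregcmd release-session command performs, returns everything. The pool addresses, Session Manager names, users, and the order of the Resource Managers are constructed for the example, and the rollback of partial allocations is an assumption of the model, not something the chapter states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SessionKey = Tuple[str, int, str]   # (NAS-Identifier, NAS-Port, User-Name) identifies a session


@dataclass
class Session:
    key: SessionKey
    resources: Dict[str, str] = field(default_factory=dict)   # e.g. Framed-IP-Address

    @property
    def user(self) -> str:
        return self.key[2]


class IPDynamic:
    """IP-Dynamic: allocates addresses from a pool and records which session owns each one."""

    def __init__(self, addresses: List[str]) -> None:
        self.free = list(addresses)
        self.owner: Dict[str, SessionKey] = {}   # answers "which session owns this address?"

    def allocate(self, session: Session) -> bool:
        if not self.free:
            return False
        ip = self.free.pop(0)
        self.owner[ip] = session.key
        session.resources["Framed-IP-Address"] = ip
        return True

    def release(self, session: Session) -> None:
        ip = session.resources.pop("Framed-IP-Address", None)
        if ip is not None:
            del self.owner[ip]
            self.free.append(ip)


class SessionLimit:
    """User-Session-Limit (per_user=True) or Group-Session-Limit (per_user=False)."""

    def __init__(self, limit: int, per_user: bool) -> None:
        self.limit = limit
        self.per_user = per_user
        self.counts: Dict[str, int] = {}

    def _bucket(self, session: Session) -> str:
        return session.user if self.per_user else "<group>"

    def allocate(self, session: Session) -> bool:
        bucket = self._bucket(session)
        if self.counts.get(bucket, 0) >= self.limit:
            return False            # limit reached: the new session is denied
        self.counts[bucket] = self.counts.get(bucket, 0) + 1
        return True

    def release(self, session: Session) -> None:
        self.counts[self._bucket(session)] -= 1


class SessionManager:
    """Walks its Resource Managers in order; every one must succeed or the session is refused."""

    def __init__(self, name: str, resource_managers: list) -> None:
        self.name = name
        self.rms = resource_managers
        self.sessions: Dict[SessionKey, Session] = {}

    def access_request(self, nas_id: str, nas_port: int, user: str) -> Optional[Session]:
        session = Session((nas_id, nas_port, user))
        granted = []
        for rm in self.rms:
            if rm.allocate(session):
                granted.append(rm)
                continue
            for done in reversed(granted):   # assumption: roll back partial allocations
                done.release(session)
            return None                      # the Access-Request is rejected
        self.sessions[session.key] = session
        return session

    def release_session(self, key: SessionKey) -> bool:
        """What an Accounting-Stop (or a manual release-session) does for one session."""
        session = self.sessions.pop(key, None)
        if session is None:
            return False
        for rm in reversed(self.rms):
            rm.release(session)
        return True


def demo() -> dict:
    """Two departments share one IP pool but keep separate concurrency limits (constructed)."""
    pool = IPDynamic(["192.0.2.10", "192.0.2.11", "192.0.2.12"])        # TEST-NET-1 addresses
    dept_a = SessionManager("session-mgr-a", [pool, SessionLimit(2, per_user=False)])
    dept_b = SessionManager("session-mgr-b", [SessionLimit(1, per_user=True), pool])
    out: dict = {}
    out["alice"] = dept_a.access_request("nas1", 1, "alice").resources["Framed-IP-Address"]
    out["bob"] = dept_a.access_request("nas1", 2, "bob").resources["Framed-IP-Address"]
    out["carol"] = dept_a.access_request("nas1", 3, "carol")       # group limit of 2 reached
    out["free_after_carol"] = list(pool.free)                      # her address went back
    out["dave"] = dept_b.access_request("nas2", 1, "dave").resources["Framed-IP-Address"]
    out["dave_again"] = dept_b.access_request("nas2", 2, "dave")   # user limit of 1 reached
    out["erin"] = dept_b.access_request("nas2", 3, "erin")         # pool is empty
    out["erin_count"] = dept_b.rms[0].counts.get("erin", 0)        # her count was rolled back
    out["stop_alice"] = dept_a.release_session(("nas1", 1, "alice"))   # Accounting-Stop
    out["erin_retry"] = dept_b.access_request("nas2", 3, "erin").resources["Framed-IP-Address"]
    out["owner_of_10"] = pool.owner["192.0.2.10"]                  # query: who owns this address?
    out["active"] = (len(dept_a.sessions), len(dept_b.sessions))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

The order of the Resource Managers inside a Session Manager is what makes the rollback visible: dept_a checks the pool first, so carol briefly holds 192.0.2.12 before the group limit denies her and the address is returned, while dept_b counts the user first, so erin's count is the thing that has to be undone when the pool turns out to be empty.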

    Prime Access Registrar Directory Structure

    The installation process populates the /opt/CSCOar directory with the subdirectories listed in Table 1-1.

    Table 1-1 /opt/CSCOar Subdirectories

    Subdirectory  Description
    .system       Contains ELFs, or binary SPARC executables that should not be run directly.
    bin           Contains shell scripts and programs frequently used by a network administrator; programs that can be run directly.
    conf          Contains configuration files.
    data          Contains the radius directory, which contains session backing files; and the db directory, which contains configuration database files.
    examples      Contains documentation, sample configuration scripts, and shared library scripts.
    lib           Contains Prime Access Registrar software library files.
    logs          Contains system logs and is the default directory for RADIUS accounting.
    odbc          Contains Prime Access Registrar ODBC files.
    scripts       Contains sample scripts that you can modify to automate configuration, and to customize your RADIUS server.
    temp          Used for temporary storage.
    ucd-snmp      Contains the UCD-SNMP software Prime Access Registrar uses.
    usrbin        Contains a symbolic link that points to bin.

    Program Flow

    When a NAS sends a request packet to Prime Access Registrar with a name and password, Prime Access Registrar performs the actions listed in Table 1-2, which describes the flow without regard to scripting points.

    Prime Access Registrar supports Diameter with Extensible Authentication Protocol (EAP) functionality to enable authentication between NAS and a backend NAS Diameter authentication server. For more information, see Diameter with EAP Support, page 8-2.

    Prime Access Registrar also supports 3GPP compliance by implementing a set of protocols. To understand more about the 3GPP AAA server support and the call flow, see 3GPP Compliance, page 20-7.

    Table 1-2 From Access-Request to Access-Accept

    Prime Access Registrar Server Action
        Explanation

    Receives an Access-Request
        The Prime Access Registrar server receives an Access-Request packet from a NAS.

    Determines whether to accept the request
        The Prime Access Registrar server checks to see if the client's IP address is listed in /Radius/Clients//.

    Invokes the policy SelectPolicy if it exists
        The Prime Access Registrar Policy Engine provides an interface to define and configure a policy and to apply the policy to the corresponding access-request packets.

    Performs authentication and/or authorization
        Directs the request to the appropriate service, which then performs authentication and/or authorization according to the type specified in /Radius/Services//.

    Performs session management
        Directs the request to the appropriate Session Manager.

    Performs resource management for each Resource Manager in the SessionManager
        Directs the request to the appropriate resource manager listed in /Radius/SessionManagers///, which then allocates or checks the resource according to the type listed in /Radius///.

    Sends an Access-Accept
        Creates and formats the response, and sends it back to the client (NAS).

    Scripting Points

    Prime Access Registrar lets you invoke scripts you can use to affect the Request, Response, or Environment dictionaries. This section contains the following topics:

    Client Scripting

    Client or NAS Scripting Points

    Authentication and/or Authorization Scripting Points

    Client Scripting

    Though Prime Access Registrar allows external code (Tcl/C/C++/Java) to be used by means of a script, custom service, policy engine, and so forth, while processing request, response, or while working with the environment dictionaries, it shall not be responsible for the scripts used and will not be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of the script.

    Prime Access Registrar also allows you to define internal scripts, by which you can add, modify, or delete attributes in the request, response, and environment dictionaries for RADIUS, Diameter, and TACACS+.

    Client or NAS Scripting Points

    Table 1-3 shows the location of the scripting points within the section that determines whether to accept the request from the client or NAS. The scripting points are marked with an asterisk (*).

    Table 1-3 Client or NAS Scripting Points

    Action
        Explanation

    Receives an Access-Request.
        The Prime Access Registrar RADIUS server receives an Access-Request packet from a NAS.

    Determines whether to accept the request.
        The client's IP address is listed in /Radius/Clients//IPAddress.

    *Executes the server's incoming script.
        A script referred to in /Radius/IncomingScript.

    *Executes the vendor's incoming script.
        The vendor is listed in /Radius/Clients/Name/Vendor, and the script is referred to in /Radius/Vendors//IncomingScript.

    *Executes the client's incoming script.
        A script referred to in /Radius/Clients//IncomingScript.

    Determines whether to accept requests from this specific NAS.
        /Radius/Advanced/RequireNASsBehindProxyBeInClientList is set to TRUE.
        The NAS's Identifier is listed in /Radius/Clients/, or its NAS-IP-Address is listed in /Radius/Clients//IPAddress.
        If the client's IP address listed in /Radius/Clients//IPAddress is different:

    *Executes the vendor's incoming script.
        The vendor is listed in /Radius/Clients/Name/Vendor, and the script is referred to in /Radius/Vendors//IncomingScript.

    *Executes the client's incoming script.
        The client is listed in the previous /Radius/Clients/Name, and the script is referred to in /Radius/Clients/Name/IncomingScript.


    Authentication and/or Authorization Scripting Points

    Table 1-4 shows the location of the scripting points within the section that determines whether to perform authentication and/or authorization.

    Table 1-4 Authentication and Authorization Scripting Points

    Action
        Explanation

    Determines the Service to use for authentication and/or authorization.
        The Service name defined in the Environment dictionary variable Authentication-Service, and whether it is the same as the Service defined in the Environment dictionary variable Authorization-Service.
        The Service name referred to by /Radius/DefaultAuthenticationService, and whether it is the same as the Service defined in /Radius/DefaultAuthorizationService.

    Performs authentication and/or authorization.
        If the Services are the same, perform authentication and authorization.
        If the Services are different, just perform authentication.

    *Executes the Service's incoming script.
        A script referred to in /Radius/Services//IncomingScript.

    Performs authentication and/or authorization.
        Based on the Service type defined in /Radius/Services//.

    *Executes the Service's outgoing script.
        A script referred to in /Radius/Services//OutgoingScript.

    Determines whether to perform authorization.
        The Service name defined in /Radius/DefaultAuthorizationService, if different from the Authentication Service.

    *Executes the Service's incoming script.
        A script referred to in /Radius/Services//IncomingScript.

    Performs authorization.
        Checks that the Service type is defined in /Radius/Services//.

    *Executes the Service's outgoing script.
        A script referred to in /Radius/Services//OutgoingScript.

    Session Management

    The Session Management feature requires the client (NAS or proxy) to send all RADIUS accounting requests to the Prime Access Registrar server performing session management. (The only exception is if the clients are USR/3Com Network Access Servers configured to use the USR/3Com RADIUS resource management feature.) This information is used to keep track of user sessions, and the resources allocated to those sessions.

    When another accounting RADIUS server needs this accounting information, the Prime Access Registrar server performing session management might proxy it to this second server.

    The count-sessions /radius all command helps to count the total sessions in Prime Access Registrar. The options are similar to the query-session command options. The query-session command displays cached attributes in addition to session details.

    Table 1-5 describes how Prime Access Registrar handles session management.

    Table 1-5 Session Management Processing

    Action
        Explanation

    Determines whether to perform session management.
        The Session Manager defined in the Environment dictionary variable Session-Manager.
        The Session Manager name referred to in /Radius/DefaultSessionManager.

    Performs session management.
        Selects the Session Manager as defined in /Radius/SessionManagers/.

    This section contains the following topics:

    Failover by the NAS and Session Management

    Cross Server Session and Resource Management

    Failover by the NAS and Session Management

    When a Network Access Server's primary RADIUS server is performing session management, and the NAS determines the server is not responding and begins sending requests to its secondary RADIUS server, the following occurs:

    The secondary server will not know about the current active sessions that are maintained on the primary server. Any resources managed by the secondary server must be distinct from those managed by the primary server; otherwise it will be possible to have two sessions with the same resources (for example, two sessions with the same IP address).

    The primary server will miss important information that allows it to maintain a correct model of what sessions are currently active (because the authentication and accounting requests are being sent to the secondary server). This means that when the primary server comes back online and the NAS begins using it, its knowledge of which sessions are active will be out of date, and the resources for those sessions remain allocated even if they are actually free to allocate to someone else.

    For example, the user-session-limit resource might reject new sessions because the primary server does not know that some of the users using the resource logged out while the primary server was offline. It might be necessary to release sessions manually using the aregcmd command release-session.

    Note It might be possible to avoid this situation by having a disk drive shared between two systems, with the second RADIUS server started up once the primary server has been determined to be offline. For more information on this setup, contact Technical Support.

    Cross Server Session and Resource Management

    Prime Access Registrar can manage sessions and resources across AAA Server boundaries. A session can be created by an Access-Request sent to Prime AR1, and it can be removed by an Accounting-Stop request sent to Prime AR2, as shown in Figure 1-1. This enables accurate tracking of User and Group session limits across multiple AAA Servers, and IP addresses allocated to sessions are managed in one place.


    Figure 1-1 Multiple Prime Access Registrar Servers

    All resources that must be shared cross multiple front line Prime Access Registrars are configured in the Central Resource Prime Access Registrar. Resources that are not shared can still be configured at each front line Prime Access Registrar.

    When the front line Prime Access Registrar receives the access-request, it does the regular AA processing. If the packet is not rejected and a Central Resource Prime Access Registrar is also configured, the front line Prime Access Registrar will proxy the packet1 to the configured Central Resource Prime Access Registrar. If the Central Resource Prime Access Registrar returns the requested resources, the process continues to the local session management (if local session manager is configured) for allocating any local resources. If the Central Resource Prime Access Registrar cannot allocate the requested resource, the packet is rejected.

    When the Accounting-Stop packet arrives at the frontline Prime Access Registrar, Prime Access Registrar does the regular accounting processing. Then, if the front line Prime Access Registrar is configured to use Central Resource Prime Access Registrar, a proxy packet will be sent to Central Resource Prime Access Registrar for it to release all the allocated resources for this session. After that, any locally allocated resources are released by the local session manager.

    Session-Service Service Step and Radius-Session Service

A new Service step has been added to the processing of Access-Request and Accounting packets. It is an additional step after the AA processing for Access packets, or after the accounting processing for Accounting packets, but before the local session management processing. The Session-Service should have a service type of radius-session.

    An environment variable Session-Service is introduced to determine the Session-Service dynamically. You can use a script or the rule engine to set the Session-Service environment variable.

    Configure Front Line Cisco Prime Access Registrar

    To use a Central Resource server, the DefaultSessionService property must be set or the Session-Service environment variable must be set through a script or the rule engine. The value in the Session-Service variable overrides the DefaultSessionService.

    The configuration parameters for a Session-Service service type are the same as those for configuring a radius service type for proxy, except the service type is radius-session.

    The configuration for a Session-Service Remote Server is the same as configuring a proxy server.

¹ The proxy packet is actually a resource allocation request, not an Access-Request.

[Figure 1-1 labels: Cisco Prime AR1, Cisco Prime AR2, Cisco Prime AR3, Central Resource Cisco Prime AR]

[ //localhost/Radius ]
    Name = Radius
    Description =
    Version = 7.0
    IncomingScript =
    OutgoingScript =
    DefaultAuthenticationService = local-users
    DefaultAuthorizationService = local-users
    DefaultAccountingService = local-file
    DefaultSessionService = Remote-Session-Service
    DefaultSessionManager = session-mgr-1

[ //localhost/Radius/Services ]
    Remote-Session-Service/
        Name = Remote-Session-Service
        Description =
        Type = radius-session
        IncomingScript =
        OutgoingScript =
        OutagePolicy = RejectAll
        OutageScript =
        MultipleServersPolicy = Failover
        RemoteServers/
            1. central-server

[ //localhost/Radius/RemoteServers ]
    central-server/
        Name = central-server
        Description =
        Protocol = RADIUS
        IPAddress = 209.165.200.224
        Port = 1812
        ReactivateTimerInterval = 300000
        SharedSecret = secret
        Vendor =
        IncomingScript =
        OutgoingScript =
        MaxTries = 3
        InitialTimeout = 2000
        AccountingPort = 1813

    Configure Central Prime Access Registrar

Resources at the Central Resource server are configured the same way as local resources are configured. These resources are local resources from the Central Resource server's point of view.

Script Processing Hierarchy

For request packets, the script processing order is from the most general to the most specific. For response packets, the processing order is from the most specific to the most general.

Table 1-6, Table 1-7, and Table 1-8 show the overall processing order and flow: (1-6) Incoming Scripts, (7-11) Authentication/Authorization Scripts, and (12-17) Outgoing Scripts.

    Note The client and the NAS can be the same entity, except when the immediate client is acting as a proxy for the actual NAS.


RADIUS Protocol

Prime Access Registrar is based on a client/server model, which supports AAA (authentication, authorization, and accounting). The client is the Network Access Server (NAS) and the server is Prime Access Registrar. The client passes user information on to the RADIUS server and acts on the response it receives. The server, on the other hand, is responsible for receiving user access requests, authenticating and authorizing users, and returning all of the necessary configuration information the client can then pass on to the user.

    The protocol is a simple packet exchange in which the NAS sends a request packet to the Prime Access Registrar with a name and a password. Prime Access Registrar looks up the name and password to verify it is correct, determines for which dynamic resources the user is authorized, then returns an accept packet that contains configuration information for the user session (Figure 1-2).

Table 1-6 Prime Access Registrar Processing Hierarchy for Incoming Scripts

Overall Flow Sequence: Incoming Scripts
    1) Radius.
    2) Vendor of the immediate client.
    3) Immediate client.
    4) Vendor of the specific NAS.
    5) Specific NAS.
    6) Service.

Table 1-7 Prime Access Registrar Processing Hierarchy for Authentication/Authorization Scripts

Overall Flow Sequence: Authentication/Authorization Scripts
    7) Group Authentication.
    8) User Authentication.
    9) Group Authorization.
    10) User Authorization.
    11) Session Management.

Table 1-8 Prime Access Registrar Processing Hierarchy for Outgoing Scripts

Overall Flow Sequence: Outgoing Scripts
    12) Service.
    13) Specific NAS.
    14) Vendor of the specific NAS.
    15) Immediate client.
    16) Vendor of the immediate client.
    17) Radius.


    Figure 1-2 Packet Exchange Between User, NAS, and RADIUS

    Prime Access Registrar can also reject the packet if it needs to deny network access to the user. Or, Prime Access Registrar can issue a challenge that the NAS sends to the user, who then creates the proper response and returns it to the NAS, which forwards the challenge response to Prime Access Registrar in a second request packet.

    In order to ensure network security, the client and server use a shared secret, which is a string they both know, but which is never sent over the network. User passwords are also encrypted between the client and the server to protect the network from unauthorized access.

    This section contains the following topics:

    Steps to Connection

    Types of RADIUS Messages

    Proxy Servers

Steps to Connection

Three participants exist in this interaction: the user, the NAS, and the RADIUS server.

    Setting Up the Connection

    To describe the receipt of an access request through the sending of an access response:

    Step 1 The user, at a remote location such as a branch office or at home, dials into the NAS, and supplies a name and password.

    Step 2 The NAS picks up the call and begins negotiating the session.

    a. The NAS receives the name and password.

    b. The NAS formats this information into an Access-Request packet.

    c. The NAS sends the packet on to the Prime Access Registrar server.

    Step 3 The Prime Access Registrar server determines what hardware sent the request (NAS) and parses the packet.

    a. It sets up the Request dictionary based on the packet information.

    b. It runs any incoming scripts, which are user-written extensions to Prime Access Registrar. An incoming script can examine and change the attributes of the request packet or the environment variables, which can affect subsequent processing.

[Figure 1-2 labels: NAS, Radius; request carrying Name=Jane, Password=xyz; response]


    c. Based on the scripts or the defaults, it chooses a service to authenticate and/or authorize the user.

Step 4 Prime Access Registrar's authentication service verifies that the username and password are in its database. Or, Prime Access Registrar delegates the authentication (as a proxy) to another RADIUS server, an LDAP server, or a TACACS server.

Step 5 Prime Access Registrar's authorization service creates the response with the appropriate attributes for the user's session and puts it in the Response dictionary.

    Step 6 If you are using Prime Access Registrar session management at your site, the Session Manager calls the appropriate Resource Managers that allocate dynamic resources for this session.

    Step 7 Prime Access Registrar runs any outgoing scripts to change the attributes of the response packet.

    Step 8 Prime Access Registrar formats the response based on the Response dictionary and sends it back to the client (NAS).

    Step 9 The NAS receives the response and communicates with the user, which might include sending the user an IP address to indicate the connection has been successfully established.

Types of RADIUS Messages

The client/server packet exchange consists primarily of the following types of RADIUS messages:

Access-Request: sent by the client (NAS) requesting access

Access-Reject: sent by the RADIUS server rejecting access

Access-Accept: sent by the RADIUS server allowing access

Access-Challenge: sent by the RADIUS server requesting more information in order to allow access. The NAS, after communicating with the user, responds with another Access-Request.

    When you use RADIUS accounting, the client and server can also exchange the following two types of messages:

Accounting-Request: sent by the client (NAS) requesting accounting

Accounting-Response: sent by the RADIUS server acknowledging accounting

    This section contains the following topics:

    Packet Contents

    The Attribute Dictionary

    Packet Contents

    The information in each RADIUS message is encapsulated in a UDP (User Datagram Protocol) data packet. A packet is a block of data in a standard format for transmission. It is accompanied by other information, such as the origin and destination of the data.

    Table 1-9 lists a description of the five fields in each message packet.


    The Attribute Dictionary

The Attribute dictionary contains a list of preconfigured authentication, authorization, and accounting attributes that can be part of a client's or user's configuration. The dictionary entries translate an attribute into a value Prime Access Registrar uses to parse incoming requests and generate responses. Attributes have a human-readable name and an enumerated equivalent from 1-255.

Sixty-three standard attributes exist, which are defined in RFC 2138 and 2139. There are also additional vendor-specific attributes that depend on the particular NAS you are using.

Some sample attributes include:

User-Name: the name of the user

User-Password: the user's password

NAS-IP-Address: the IP address of the NAS

NAS-Port: the NAS port the user is dialed in to

Framed-Protocol: such as SLIP or PPP

Framed-IP-Address: the IP address the client uses for the session

Filter-ID: vendor-specific; identifies a set of filters configured in the NAS

Callback-Number: the actual callback number.

Proxy Servers

Any one or all of the RADIUS server's three functions (authentication, authorization, or accounting) can be subcontracted to another RADIUS server. Prime Access Registrar then becomes a proxy server. Proxying to other servers enables you to delegate some of the RADIUS server's functions to other servers.

Table 1-9 RADIUS Packet Fields

Field: Description

Code: Indicates the message type: Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, or Accounting-Response.

Identifier: Contains a value that is copied into the server's response so the client can correctly associate its requests with the server's responses when multiple users are being authenticated simultaneously.

Length: Provides a simple error-checking device. The server silently drops a packet if it is shorter than the value specified in the Length field, and ignores the octets beyond the value of the Length field.

Authenticator: Contains a value for a Request Authenticator or a Response Authenticator. The Request Authenticator is included in a client's Access-Request. The value is unpredictable and unique, and is added to the client/server shared secret so the combination can be run through a one-way algorithm. The NAS then uses the result in conjunction with the shared secret to encrypt the user's password.

Attribute(s): Depends on the type of message being sent. The number of attribute/value pairs included in the packet's attribute field is variable, including those required or optional for the type of service requested.
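An added example, not code from the guide: a Python encoder and parser for the five fields in Table 1-9, applying the Length rule (drop if shorter, ignore octets beyond) and the RFC 2865 User-Password hiding that the Authenticator row describes. The Jane/xyz credentials come from Figure 1-2; the shared secret is constructed, the attribute type numbers 1 and 2 are the RFC 2865 values for User-Name and User-Password, and the function names are my own.

```python
import hashlib
import os
import struct
from typing import Dict, List, Optional, Tuple

# Packet codes from Table 1-9 (numeric values as assigned in RFC 2865/2866).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
HEADER_LEN = 20                  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
USER_NAME, USER_PASSWORD = 1, 2  # standard attribute type numbers (RFC 2865)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte chunks and XOR each chunk with
    MD5(secret + previous chunk); the chain is seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse: the keystream chains on the received (hidden) chunks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: Optional[bytes] = None) -> bytes:
    """NAS side: assemble the five fields of Table 1-9 for an Access-Request."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable and unique
    attrs = b""
    for atype, value in ((USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, request_auth))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value   # Type, Length, Value
    return struct.pack("!BBH", 1, identifier, HEADER_LEN + len(attrs)) + request_auth + attrs


def parse_packet(data: bytes) -> Optional[Tuple[str, int, bytes, Dict[int, List[bytes]]]]:
    """Server side: return (code name, identifier, authenticator, attributes), or
    None when the packet must be silently dropped (Length rule of Table 1-9)."""
    if len(data) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or len(data) < length:
        return None                  # shorter than the Length field: drop silently
    data = data[:length]             # octets beyond the Length field are ignored
    attrs: Dict[int, List[bytes]] = {}
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            return None              # truncated attribute header
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            return None              # malformed attribute length
        attrs.setdefault(atype, []).append(data[pos + 2:pos + alen])
        pos += alen
    return CODES.get(code, f"Unknown({code})"), identifier, data[4:HEADER_LEN], attrs


def recover_credentials(packet: bytes, secret: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Server side: parse an Access-Request and recover (User-Name, User-Password)."""
    parsed = parse_packet(packet)
    if parsed is None or parsed[0] != "Access-Request":
        return None
    _, _, request_auth, attrs = parsed
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return None
    return attrs[USER_NAME][0], reveal_password(attrs[USER_PASSWORD][0], secret, request_auth)
```

With the wrong shared secret the recovered password is garbage rather than an error, which is why the Response Authenticator, not the password itself, is what tells a NAS the server knew the secret.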


    You could use Prime Access Registrar to proxy to an LDAP server for access to directory information about users in order to authenticate them. Figure 1-3 shows user joe initiating a request, the Prime Access Registrar server proxying the authentication to the LDAP server, and then performing the authorization and accounting processing in order to enable joe to log in.

    Figure 1-3 Proxying to an LDAP Server for Authentication

    Service and Ports Used in Prime Access Registrar

Secure Shell Service

The SSH daemon (sshd) is the server program for ssh(1). It provides encrypted secure-shell communication between two hosts over a network.

In the case of Prime Access Registrar, SSH is used to connect to the Prime Access Registrar server and configure it using the CLI.

Ports

The following table lists the port numbers used by the various AAA services in Prime Access Registrar.

[Figure 1-3 labels: NAS, Access Registrar, LDAP; request carrying user=joe, password=xyz; response; numbered steps 1 to 6; Authentication; Authorization, accounting]


Table 1-10 Ports Used in Prime Access Registrar

Columns: Name | Description | Port Number | Service of the Port | Access from Network Node | Configuration Setting | Protocol Name and Reference

AR AAA Service: The RADIUS packet listener uses these ports by default.
    1812/udp, RADIUS AA
        Access from: Network Access Server
        Configuration: You can change the default or define new RADIUS port numbers under /Radius/Advanced/Ports in the CLI and Configuration > Advanced > Ports in the GUI.
        Protocol: RADIUS AA (Authentication and Authorization) service.
    1813/udp, radacct (RADIUS Accounting)
        Access from: Network Access Server
        Configuration: You can change the default or define new RADIUS port numbers under /Radius/Advanced/Ports in the CLI and Configuration > Advanced > Ports in the GUI.
        Protocol: RADIUS Accounting service. Refer to RFC 6733 for more information.
    3799/udp, RADIUS Dynamic Authorization (CoA/PoD)
        Access from: Network Access Server
        Configuration: N/A
        Protocol: RADIUS Dynamic Authorization, used with the CoA/PoD packet types.

AR AAA Service: The TACACS+ packet listener uses this port by default.
    49/tcp, TACACS+
        Access from: Network Access Server
        Configuration: You can change the default or define new RADIUS port numbers under /Radius/Advanced/Ports in the CLI and Configuration > Advanced > Ports in the GUI.
        Protocol: TACACS+ based AAA service (Authentication, Authorization, and Accounting). Refer to RFC 1491 for more information.

AR AAA Service: The DIAMETER packet listener uses these ports by default.
    3868/tcp, DIAMETER
        Access from: Network Access Server
        Configuration: You can enable or disable this service in Radius/Advanced/Diameter/IsDiameterEnabled.
        Protocol: DIAMETER AA service (Authentication and Authorization) over TCP. Refer to RFC 4005 for more information.
    3868/sctp, DIAMETER
        Access from: Network Access Server
        Configuration: You can enable or disable this service in Radius/Advanced/Diameter/IsDiameterEnabled.¹
        Protocol: DIAMETER AA service (Authentication and Authorization) over SCTP.

AR MCD Server: MCD is used to store the Prime Access Registrar configuration.
    2786/tcp, MCD database server
        Access from: This service can be accessed from the local host by the Prime Access Registrar radius and server agent processes.
        Configuration: N/A
        Protocol: Proprietary IPC mechanism.

AR Server Agent: The AR Server Agent is used to log all the activities of Prime Access Registrar processes.
    2785/tcp, Internal IPC mechanism
        Access from: This service can be accessed from the local host by the Prime Access Registrar radius and server agent processes.
        Configuration: N/A
        Protocol: Proprietary IPC mechanism.

AR GUI Service: Prime Access Registrar GUI processes use these ports by default.
    8080/tcp, AR HTTP service
        Access from: This service is accessible from any end user desktop browser using the http protocol.
        Configuration: You can change the default port numbers by editing the server.xml file.
        Protocol: Standard HTTP protocol.
    8443/tcp, AR HTTPS service
        Access from: This service is accessible from any end user desktop browser using the https protocol.
        Configuration: You can change the default port numbers by editing the server.xml file.
        Protocol: Standard HTTPS protocol.
    8005/tcp, Internally used by the Apache Tomcat container
        Access from: Local host
        Configuration: You can change the default port numbers by editing the server.xml file.
        Protocol: Used to shut down the Tomcat JVM service instance.
    8009/tcp, Apache Tomcat container AJP 1.3 Connector
        Access from: Local host
        Configuration: You can change the default port numbers by editing the server.xml file.
        Protocol: Apache JServ protocol, AJP 1.3 Connector.

SNMP Master Agent: The SNMP packet listener supports these ports by default.
    161/udp, Simple Network Management Protocol
        Access from: This service is accessible from any network management host.
        Configuration: Refer to the net-snmp documentation for more information (http://www.net-snmp.org/docs/man/snmpd.html).
        Protocol: SNMP MIBs server.
    162/udp, Traps for SNMP
        Access from: This service is accessible to any SNMP trap client when you want to use the net-snmp snmptrap daemon as an SNMP trap server.
        Configuration: Refer to Configuring Traps for more information.
        Protocol: SNMP trap server.

CPAR SIGTRAN Stack (radius): Listens on these ports for internal configuration from stack manager events.
    9041/tcp, Stack Manager Configuration/Event Listener
        Access from: This service can be accessed from the local host by the Prime Access Registrar radius process.
        Configuration: N/A
        Protocol: CPAR-specific IPC protocol implementation.
    9041/udp, Stack Manager Configuration/Event Listener
        Access from: This service can be accessed from the local host by the Prime Access Registrar radius process.
        Configuration: N/A
        Protocol: CPAR-specific IPC protocol implementation.

CPAR SIGTRAN stack manager (m3ua-stackmgr): Configures the stack and receives configuration from m3ua-cliclient.
    9100/tcp, SIGTRAN Stack Manager
        Access from: This service can be accessed from the local host by the Prime Access Registrar radius process and the m3ua-cliclient process.
        Configuration: N/A
        Protocol: CPAR-specific IPC protocol implementation.
    9100/udp, SIGTRAN Stack Manager
        Access from: This service can be accessed from the local host by the Prime Access Registrar radius process and the m3ua-cliclient process.
        Configuration: N/A
        Protocol: CPAR-specific IPC protocol implementation.

¹ If an error occurs while starting the Diameter SCTP interface, add "install sctp /bin/true" to /etc/modprobe.conf. Then, configure port 3868 with Type Diameter-TCP using aregcmd in /Radius/Advanced/Ports.


Related Documentation

The following documentation is available for Prime Access Registrar 7.0:

    Cisco Prime Access Registrar 7.0 User Guide (this guide)

    Cisco Prime Access Registrar 7.0 Release Notes

    Cisco Prime Access Registrar 7.0 Installation and Configuration Guide

    Open Source Used in Cisco Prime Access Registrar 7.0

    Note We sometimes update the documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation.

To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What's New in Cisco Product Documentation RSS feed. The RSS feeds are a free service.


http://www.cisco.com/c/en/us/support/cloud-systems-management/prime-access-registrar/products-installation-guides-list.html
http://www.cisco.com/c/en/us/support/cloud-systems-management/prime-access-registrar/products-licensing-information-listing.html
http://www.cisco.com/c/en/us/support/cloud-systems-management/prime-access-registrar/products-release-notes-list.html
http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html
http://www.cisco.com/assets/cdc_content_elements/rss/whats_new/whatsnew_rss_feed.xml


Chapter 2

Using the aregcmd Commands

This chapter describes how to use each of the aregcmd commands. The Cisco Prime Access Registrar aregcmd command is a command-line based configuration tool. It allows you to set any Cisco Prime Access Registrar (Prime Access Registrar) configurable option, as well as start and stop the server and check statistics.

    This chapter contains the following sections:

    General Command Syntax

    aregcmd Commands

    aregcmd Command Logging

    aregcmd Command Line Editing

    aregcmd Error Codes

General Command Syntax

Prime Access Registrar stores its configuration information in a hierarchy. Using the aregcmd command cd (change directory), you can move through this information in the same manner as you would through any hierarchical file system. Or you can supply full pathnames to these commands to affect another part of the hierarchy, and thus avoid explicitly using the cd command to change to that part of the tree.

aregcmd command parsing is case insensitive, which means you can use upper or lowercase letters to designate elements. In addition, when you reference existing elements in the configuration, you need only specify enough of the element's name to distinguish it from the other elements at that level. For example, instead of entering cd Administrators, you can enter cd ad when no other element at the current level begins with ad.

aregcmd command parsing is command-line order dependent; that is, the arguments are interpreted based on their position on the command line. To indicate an empty string as a placeholder on the command line, use either single ('') or double ("") quotes. In addition, when you use any arguments that contain spaces, you must quote the arguments. For example, when you use the argument Local Users, you must enclose the phrase in quotes.

    The aregcmd command can contain a maximum of 255 characters when specifying a parameter and 511 characters for the entire command.

    The aregcmd command syntax is:

aregcmd [-C ] [-N ] [-P ] [-V] [-f ] [-l ] [-n] [ []] [-p] [-q] [-v]

-C: Specifies the name of the cluster to log into by default


-N: Specifies the name of the administrator

-P: Specifies the password

-V: Specifies view-only mode