Cisco Prime Access Registrar 6.1 User Guide

Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide.
Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco Prime Access Registrar 6.1
User Guide
December 13, 2013
Text Part Number: OL-29756-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Prime Access Registrar 6.1 User Guide
© 2013 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface xxxiii
Document Organization xxxiii
Related Documentation xxxv
Obtaining Documentation and Submitting a Service Request xxxv
Notices xxxv
OpenSSL/Open SSL Project xxxv
License Issues xxxv
CHAPTER 1 Overview 1-1
Prime Access Registrar Hierarchy 1-2
UserLists and Groups 1-3
Profiles 1-3
Scripts 1-3
Services 1-3
Session Management Using Resource Managers 1-4
Prime Access Registrar Directory Structure 1-5
Program Flow 1-6
Scripting Points 1-6
Client Scripting 1-7
Client or NAS Scripting Points 1-7
Authentication and/or Authorization Scripting Points 1-8
Session Management 1-8
Failover by the NAS and Session Management 1-9
Cross Server Session and Resource Management 1-9
Script Processing Hierarchy 1-11
RADIUS Protocol 1-12
Steps to Connection 1-13
Types of RADIUS Messages 1-14
Packet Contents 1-14
The Attribute Dictionary 1-15
Proxy Servers 1-15
Service and Ports Used in Prime Access Registrar 1-16
Secure Shell Service 1-16
Ports 1-16
CHAPTER 2 Using the aregcmd Commands 2-1
General Command Syntax 2-1
View-Only Administrator Mode 2-2
ViewOnly Property 2-3
Configuration Objects 2-3
aregcmd Command Performance 2-3
RPC Bind Services 2-4
aregcmd Commands 2-4
add 2-5
cd 2-5
delete 2-6
exit 2-6
filter 2-6
find 2-6
help 2-7
insert 2-7
login 2-7
logout 2-7
ls 2-8
next 2-8
prev 2-8
pwd 2-9
query-sessions 2-9
quit 2-9
release-sessions 2-9
reload 2-10
reset-stats 2-10
save 2-10
set 2-11
start 2-12
stats 2-12
status 2-14
stop 2-14
tacacs-stats 2-14
tacacs-reset-stats 2-15
dia-stats 2-15
trace 2-16
trace-file-count 2-17
unset 2-18
validate 2-18
OpenSSL Commands 2-18
ecparam 2-18
req 2-19
ca 2-19
aregcmd Command Logging 2-19
aregcmd Command Line Editing 2-20
aregcmd Error Codes 2-20
CHAPTER 3 Using the Graphical User Interface 3-1
Launching the GUI 3-1
Disabling HTTP 3-2
Disabling HTTPS 3-2
Login Page 3-3
Logging In 3-3
Logging Out 3-4
Common Methodologies 3-4
Filtering Records 3-4
Editing Records 3-5
Deleting Records 3-5
Setting Record Limits per Page 3-6
Performing Common Navigations 3-6
Relocating Records 3-7
Dashboard 3-8
Sessions 3-8
Configuring Cisco Prime Access Registrar 3-9
RADIUS 3-10
Setting Up or Changing the Radius Properties 3-11
Profiles 3-11
Adding Profile Details 3-12
UserGroups 3-12
Adding UserGroup Details 3-14
UserList 3-14
Adding UserList Details 3-15
Users 3-15
Adding User Details 3-17
Scripts 3-17
Adding Script Details 3-21
Policies 3-21
Adding Policy Details 3-22
Services 3-22
Simple Services 3-23
ServiceWithRS 3-30
PEAP Service 3-34
EAP Service 3-37
Diameter Service 3-46
Adding Diameter Service Details 3-50
CommandSets 3-51
Adding a Command Set 3-51
DeviceAccessRules 3-52
Adding a Device Access Rule 3-52
FastRules 3-53
Adding a Fast Rule 3-53
Replication 3-54
Adding Replication Details 3-55
Adding the Replication Member Details 3-55
RADIUSDictionary 3-56
Adding RADIUS Dictionary Details 3-56
VendorDictionary 3-57
Adding Vendor Dictionary Details 3-58
Vendor Attributes 3-58
Adding Vendor Attributes 3-59
Vendors 3-59
Adding Vendor Details 3-60
Translations 3-61
Adding Translation Details 3-62
TranslationGroups 3-62
Adding Translation Group Details 3-63
Diameter 3-63
General 3-64
Session Management 3-65
Applications 3-67
Commands 3-68
DiameterAttributes 3-69
Advanced 3-70
Default 3-71
BackingStore/ServerParam 3-75
RemoteSessionServer 3-79
SNMP 3-81
DDNS 3-84
ODBC DataSources 3-85
Log 3-86
Ports 3-88
Interfaces 3-89
Attribute Groups 3-90
Rules 3-91
Setting Rules 3-92
SessionManagers 3-92
Adding Session Manager Details 3-95
ResourceManager 3-95
Adding Resource Manager Details 3-103
Network Resources 3-104
Clients 3-104
Adding Client Details 3-107
Remote Servers 3-107
LDAP 3-108
LDAP Accounting 3-112
Domain Authentication 3-115
ODBC/OCI 3-117
ODBC/OCI-Accounting 3-119
Diameter 3-121
Others 3-123
Administration 3-128
Administrators 3-128
Adding Administrator Details 3-129
Statistics 3-129
Resetting Server Statistics 3-132
DiameterStatistics 3-132
TACACSStatistics 3-136
Back Up and Restore 3-137
LicenseUpload 3-137
Read-Only GUI 3-138
CHAPTER 4 Cisco Prime Access Registrar Server Objects 4-1
Radius 4-2
UserLists 4-3
Users 4-4
HiddenAttributes Property 4-4
UserGroups 4-5
Policies 4-5
Clients 4-6
Vendors 4-10
Scripts 4-11
Services 4-12
Types of Services 4-13
Domain Authentication 4-13
EAP Services 4-14
File 4-14
Group 4-15
Java 4-17
LDAP 4-17
Local 4-18
ODBC 4-19
ODBC-Accounting 4-20
Prepaid Services 4-20
RADIUS 4-20
Radius Query 4-21
RADIUS-Session 4-25
Rex 4-25
WiMAX 4-26
Diameter 4-26
M3UA 4-32
Session Managers 4-33
Session Creation 4-37
Session Notes 4-37
Soft Group Session Limit 4-38
Session Correlation Based on User-Defined Attributes 4-39
Resource Managers 4-39
Types of Resource Managers 4-40
Gateway Subobject 4-41
Group-Session-Limit 4-41
Home-Agent 4-41
Home-Agent-IPv6 4-41
IP-Dynamic 4-42
IP-Per-NAS-Port 4-42
IPX-Dynamic 4-42
Session-Cache 4-43
Subnet-Dynamic 4-43
User-Session-Limit 4-44
USR-VPN 4-44
Dynamic-DNS 4-44
Remote-IP-Dynamic 4-45
Remote-User-Session-Limit 4-45
Remote-Group-Session-Limit 4-45
Remote-Session-Cache 4-45
Profiles 4-45
Attributes 4-46
Translations 4-46
TranslationGroups 4-47
Remote Servers 4-47
Types of Protocols 4-48
Domain Authentication 4-49
Dynamic DNS 4-50
LDAP 4-51
Map-Gateway 4-54
Sigtran 4-55
ODBC 4-56
ODBC-Accounting 4-58
OCI 4-58
OCI-Accounting 4-59
Prepaid-CRB 4-59
Prepaid-IS835C 4-59
RADIUS 4-59
SIGTRAN-M3UA 4-60
Rules 4-60
Advanced 4-60
RemoteODBCSessionServer 4-72
Using the RequireNASsBehindProxyBeInClientList Property 4-73
Advance Duplicate Detection Feature 4-74
Invalid EAP Packet Processing 4-74
Ports 4-75
Interfaces 4-75
Reply Messages 4-75
Attribute Dictionary 4-77
Types 4-77
Vendor Attributes 4-78
SNMP 4-78
Diameter 4-79
Configuring Diameter Transport Management Properties 4-80
Configuring Diameter Session Management 4-82
Configuring Diameter Application 4-83
Configuring Diameter Commands 4-84
Configuring Diameter Dictionary 4-90
CHAPTER 5 Using the radclient Command 5-1
radclient Command Syntax 5-1
Working with Packets 5-2
Creating Packets 5-2
Creating CHAP Access-Request Packets 5-3
Viewing Packets 5-3
Sending Packets 5-3
Creating Empty Packets 5-4
Setting Packet Fields 5-4
Reading Packet Fields 5-5
Deleting Packets 5-5
Attributes 5-5
Creating Attributes 5-5
Setting Multivalued Attributes 5-6
Viewing Attributes 5-6
Getting Attribute Information 5-7
Deleting Attributes 5-7
Using the radclient Command 5-7
Example 1 5-7
Example 2 5-8
Example 3 5-9
Using radclient Test Commands 5-10
radclient Variables 5-10
Using timetest 5-10
Using callsPerSecond 5-11
Additional radclient Variables 5-12
CHAPTER 6 Configuring Local Authentication and Authorization 6-1
Configuring a Local Service and UserList 6-1
Configuring a Local Service 6-2
Configuring a Userlist 6-3
Configuring Cisco Prime Access Registrar to Use the Local Service For AA 6-3
Activating the Configuration 6-4
Troubleshooting the Local Service and UserList Configuration 6-4
Verifying the Configuration 6-4
Configuring Return Attributes and Check-Items 6-6
Configuring Per User Return Attributes 6-6
Configuring Per User Check-Items 6-7
Verifying the Per User Return Attributes and Check-Items Configuration 6-7
Configuring Profiles to Group Attributes 6-8
Configuring Return Attributes and Check-Items Using UserGroup 6-9
Return Attribute Precedence 6-10
aregcmd Command Performance 6-10
UserDefined1 Property 6-11
Access-Request Logging 6-11
CHAPTER 7 RADIUS Accounting 7-1
Understanding RADIUS Accounting 7-1
Setting Up Accounting 7-2
Accounting Log File Rollover 7-2
FilenamePrefix 7-3
MaxFileSize 7-3
MaxFileAge 7-4
RolloverSchedule 7-4
UseLocalTimeZone 7-5
Oracle Accounting 7-5
Configuring Oracle Accounting 7-6
ODBC-Accounting Service 7-6
ODBC RemoteServers 7-6
Configuration Examples 7-8
Packet Buffering 7-9
When Using Packet Buffering 7-10
With Packet Buffering Disabled 7-10
Dynamic SQL Feature 7-10
LDAP Accounting 7-11
Configuring LDAP Accounting 7-11
LDAP-Accounting Service 7-11
LDAP RemoteServers 7-12
Configuration Examples 7-14
Configuring the LDAP Service for Accounting 7-15
Configuring an LDAP-Accounting RemoteServer 7-16
Setting LDAP-Accounting As Accounting Service 7-18
MySQL Support 7-19
Configuring MySQL 7-19
Example Configuration 7-20
Proxying Accounting Records 7-20
Configuring the Local Cisco Prime Access Registrar Server 7-21
Configuring the Local Accounting Service 7-21
Configuring the Remote Accounting Service 7-21
Configuring the Group Accounting Service 7-22
Configuring the RemoteServer Object 7-22
Accounting Log Examples 7-23
Accounting-Start Packet 7-23
Accounting Stop Packet 7-23
Trace of Successful Accounting 7-23
Sample Error Messages 7-24
CHAPTER 8 Diameter 8-1
Diameter with EAP Support 8-2
Advertising Application Support 8-2
Diameter EAP Conversation Flow 8-2
Diameter Server Startup Log 8-3
Diameter Stack Level Messages 8-4
Capabilities Exchange Message 8-5
Watchdog Message 8-6
Terminating Diameter User Session 8-6
Configuring Authentication and Authorization for Diameter 8-6
Configuring Local Authentication and Authorization 8-6
Configuring a Local Service and UserList 8-7
Configuring External Authentication Service 8-9
Configuring Diameter Accounting 8-9
Understanding Diameter Accounting 8-9
Setting Up Local Accounting 8-9
Setting Up Oracle Accounting 8-9
Diameter Accounting Log Examples 8-9
Accounting Event Packet 8-10
Accounting Start Packet 8-10
Account Interim Packet 8-10
Accounting Stop Packet 8-10
Trace of Successful Accounting 8-11
Configuring the Diameter Application in Prime Access Registrar 8-11
Configuring the Transport Management Properties 8-12
Registering Applications IDs 8-13
Configuring the Diameter Peers 8-14
Configure the Diameter Service 8-15
Writing Diameter Application in Prime Access Registrar 8-19
Configuring rex script/service for Diameter 8-19
Scripting in Diameter 8-20
Diameter Environment Variables 8-20
Sample rex script/service 8-21
Traces/Logs 8-22
Translation Framework for Diameter 8-23
Managing Diameter Sessions 8-24
Support for SCTP including Multihoming 8-25
CHAPTER 9 Extensible Authentication Protocols 9-1
EAP-AKA 9-2
Configuring EAP-AKA 9-2
Testing EAP-AKA with radclient 9-5
EAP-AKA-Prime (EAP-AKA’) 9-6
Configuring EAP-AKA’ 9-6
Testing EAP-AKA’ with radclient 9-7
EAP-FAST 9-7
Configuring EAP-FAST 9-8
EAP-FAST Keystores 9-12
Testing EAP-FAST with radclient 9-12
PAC Provisioning 9-13
Authentication 9-14
Parameters Used for Certificate-Based Authentication 9-14
radclient Command Reference 9-15
PAC—Credential Export Utility 9-17
PAC Export 9-17
PAC Display 9-18
Syntax Summary 9-18
EAP-GTC 9-18
Configuring EAP-GTC 9-18
Testing EAP-GTC with radclient 9-19
EAP-LEAP 9-20
Configuring EAP-LEAP 9-20
EAP-MD5 9-21
Configuring EAP-MD5 9-21
EAP-Negotiate 9-22
Configuring EAP-Negotiate 9-22
Negotiating PEAP Tunnel Services 9-23
Testing EAP-Negotiate with radclient 9-23
EAP-MSChapV2 9-23
Configuring EAP-MSChapV2 9-23
Testing EAP-MSChapV2 with radclient 9-24
EAP-SIM 9-25
Configuring EAP-SIM 9-25
Quintets to Triplets Conversion 9-29
EAP-Transport Level Security (TLS) 9-29
Configuring EAP-TLS 9-29
Testing EAP-TLS with RSA or ECC Certificate using radclient 9-32
Testing EAP-TLS with Client Certificates 9-32
EAP-TTLS 9-32
Configuring EAP-TTLS 9-33
Creating an EAP-TTLS Service 9-33
Configuring an EAP-TTLS Authentication Service 9-37
Testing EAP-TTLS with radclient 9-40
Testing EAP-TTLS Using Legacy Methods 9-41
Testing EAP-TTLS Using EAP Methods 9-41
rehash-ca-certs Utility 9-42
radclient Command Reference 9-42
eap-trace 9-43
tunnel 9-43
Protected EAP 9-44
PEAP Version 0 9-44
Configuring PEAP Version 0 9-44
Testing PEAP Version 0 with radclient 9-48
Testing PEAP Version 0 with Client Certificates 9-48
PEAP Version 1 9-49
Configuring PEAP Version 1 9-49
Testing PEAP Version 1 with radclient 9-51
Testing PEAP Version 1 with Client Certificates 9-52
How to Configure Oracle, MySQL Accounting with the Buffering Option Enabled 9-52
To Select the SQL Statement in Run Time Accounting 9-52
Query 9-52
Insert 9-53
Update 9-53
Delete 9-53
Configuring Oracle, MySQL Accounting 9-54
How Suffix and Prefix Rules Work with Prime Access Registrar 9-55
Configuring Prefix and Suffix Policies 9-55
CRL Support for Cisco Prime Access Registrar 9-56
Configuring Certificate Validation Using CRL 9-57
Using Intermediate Certificates in Prime Access Registrar 9-57
CHAPTER 10 Using WiMAX in Cisco Prime Access Registrar 10-1
WiMAX - An Overview 10-1
WiMAX in Cisco Prime Access Registrar 10-2
Direct Interaction Between the ASN GW and Cisco Prime Access Registrar 10-3
Interaction Between ASN GW and Cisco Prime Access Registrar Through HA 10-6
Prepaid and Hot-Lining 10-7
Configuring WiMAX in Cisco Prime Access Registrar 10-7
Configuring the Resource Manager for WiMAX 10-8
Configuring the Session Manager for WiMAX 10-9
Configuring the Query Service for WiMAX 10-9
Configuring WiMAX 10-10
WiMAX - OMA-DM Provisioning Support with BEK Key 10-11
WiMAX Lawful Interception (LI) Support in Prime Access Registrar 10-13
Configuring WiMAX Lawful Intercept 10-16
CHAPTER 11 Using Extension Points 11-1
Determining the Goal of the Script 11-1
Writing the Script 11-2
Choosing the Type of Script 11-3
Request Dictionary Script 11-3
Response Dictionary Script 11-4
Environment Dictionary Script 11-4
Adding the Script Definition 11-4
Adding the Example Script Definition 11-5
Choosing the Scripting Point 11-6
Testing the Script 11-6
About the Tcl/Tk 8.3 Engine 11-6
Cisco Prime Access Registrar Scripts 11-6
ACMEOutgoingScript 11-8
AltigaIncomingScript 11-8
AltigaOutgoingScript 11-8
ANAAAOutgoing 11-8
AscendIncomingScript 11-8
AscendOutgoingScript 11-8
AuthorizePPP 11-8
AuthorizeService 11-9
AuthorizeSLIP 11-9
AuthorizeTelnet 11-9
CabletronIncoming 11-9
CabletronOutgoing 11-9
CiscoIncoming 11-9
CiscoOutgoing 11-9
CiscoWithODAPIncomingScript 11-9
ExecCLIDRule 11-10
ExecDNISRule 11-10
ExecFilterRule 11-10
ExecNASIPRule 11-10
ExecRealmRule 11-10
ExecTimeRule 11-10
LDAPOutage 11-11
MapSourceIPAddress 11-11
ParseAAARealm 11-11
ParseAAASRealm 11-11
ParseAARealm 11-11
ParseAASRealm 11-12
ParseProxyHints 11-12
ParseServiceAndAAARealmHints 11-12
ParseServiceAndAAASRealmHints 11-12
ParseServiceAndAARealmHints 11-12
ParseServiceAndAASRealmHints 11-12
ParseServiceAndProxyHints 11-13
ParseServiceHints 11-13
ParseTranslationGroupsByCLID 11-13
ParseTranslationGroupsByDNIS 11-13
ParseTranslationGroupsByRealm 11-13
UseCLIDAsSessionKey 11-13
USRIncomingScript 11-14
USRIncomingScript-IgnoreAccountingSignature 11-14
USROutgoingScript 11-14
Internal Scripts 11-14
CHAPTER 12 Using Replication 12-1
Replication Overview 12-1
How Replication Works 12-2
Replication Data Flow 12-3
Master Server 12-3
Slave Server 12-3
Security 12-4
Replication Archive 12-4
Ensuring Data Integrity 12-4
Transaction Data Verification 12-4
Transaction Order 12-5
Automatic Resynchronization 12-5
Full Resynchronization 12-5
Understanding Hot-Configuration 12-6
Replication’s Impact on Request Processing 12-6
Replication Configuration Settings 12-6
RepType 12-7
RepTransactionSyncInterval 12-7
Master 12-7
Slave 12-7
RepTransactionArchiveLimit 12-8
RepIPAddress 12-8
RepPort 12-8
RepSecret 12-8
RepIsMaster 12-9
RepMasterIPAddress 12-9
RepMasterPort 12-9
Rep Members Subdirectory 12-9
Rep Members/Slave1 12-9
Name 12-9
IPAddress 12-9
Port 12-10
Setting Up Replication 12-10
Configuring The Master 12-10
Configuring The Member 12-11
Verifying the Configuration 12-12
Replication Example 12-13
Adding a User 12-13
Master Server’s Log 12-13
Member Server’s Log 12-13
Verifying Replication 12-14
Master Server’s Log 12-14
Member Server’s Log 12-14
Using aregcmd -pf Option 12-14
Master Server’s Log 12-15
Member Server’s Log 12-15
An Automatic Resynchronization Example 12-16
Master Server’s Log 12-16
Member Server’s Log 12-17
Full Resynchronization 12-17
Replication Setup with More Than One Slave 12-19
Frequently Asked Questions 12-19
Replication Log Messages 12-21
Information Log Messages 12-21
Warning Log Messages 12-22
Error Log Messages 12-23
Log Messages You Should Never See 12-25
CHAPTER 13 Using On-Demand Address Pools 13-1
Cisco-Incoming Script 13-3
How the Script Works 13-3
CiscoWithODAPIncomingScript 13-3
Vendor Type CiscoWithODAP 13-4
Configuring Cisco Prime Access Registrar to Work with ODAP 13-5
Configuring Prime Access Registrar to work with ODAP 13-5
Configuring the ODAP Detailed Instructions 13-5
Setting Up an ODAP UserList 13-5
Adding ODAP Users 13-6
Setting Up an ODAP-Users Service 13-7
Setting Up an ODAP Accounting Service 13-8
Adding Session Managers 13-8
Setting Up Resource Managers 13-9
Configuring Session Managers 13-14
Configure Clients 13-15
Save Your Configuration 13-16
CHAPTER 14 Using Identity Caching 14-1
Overview 14-1
Identity Caching Features 14-2
Configuring Cisco Prime Access Registrar for Identity Caching 14-3
Starting Identity Caching 14-6
XML Interface 14-8
CHAPTER 15 Using Trusted ID Authorization with SESM 15-1
Trusted ID Operational Overview 15-1
Configuration Overview 15-2
Request Processing 15-2
Session Cache Life Cycle 15-3
Configuration Restrictions 15-3
Software Requirements 15-4
Installing Cisco Prime Access Registrar 15-4
Running the TrustedIdInstall Program 15-4
Using the TrustedIdInstall.bin GUI 15-4
Using the TrustedIdInstall Command Line 15-8
Configuring Cisco Prime Access Registrar for Trusted Identity with SESM 15-12
Configuring the RADIUS Ports 15-12
Configuring NAS Clients 15-13
Configuring AAA and SPE Services 15-13
Configuration Imported by TrustedIdInstall Program 15-14
/Radius 15-14
/radius/services/spe 15-14
/radius/services/trusted-id 15-14
/Radius/SessionManagers/session-cache/ 15-14
/radius/ResourceManagers/session-cache 15-14
/radius/advanced/ 15-15
/Radius/Scripts/ChangeServiceType 15-15
Configuring EAP-MD5 Authentication 15-15
Creating the CheckEap.tcl Script 15-15
Adding the CheckEap.tcl Script 15-16
Using the CheckEap.tcl Script 15-16
Adding the EAP-MD5 Authentication Service 15-17
Adding an LDAP Remote Server 15-17
Adding an LDAP Service 15-18
Saving the Configuration and Reloading the Server 15-19
Cisco SSG VSAs in Cisco Prime Access Registrar Dictionary 15-20
CHAPTER 16 Using Prepaid Billing 16-1
Overview 16-2
IS835C Prepaid Billing 16-2
Configuring IS835C Prepaid Billing 16-3
Setting Up a Prepaid Billing RemoteServer 16-3
Setting Up an IS835C Prepaid Service 16-4
Setting Up Local Authentication 16-5
Setting Up an Authentication Group Service 16-5
CRB Prepaid Billing 16-7
Configuring CRB Prepaid Billing 16-8
Setting Up a Prepaid Billing RemoteServer 16-8
Setting Up a CRB Prepaid Service 16-9
Setting Up a Local Accounting Service 16-11
Setting Up a Local Authentication Service 16-12
Setting Up a Prepaid Accounting Group Service 16-13
Setting Up an Authentication Group Service 16-14
Configuring CRB Prepaid Billing for SSG 16-15
Generic Call Flow 16-18
Access-Request (Authentication) 16-19
Access-Accept (Authentication) 16-20
Access-Request (Authorization) 16-20
Access-Accept (Authorization) 16-21
Accounting-Start 16-22
Data Flow 16-22
Access-Request (Quota Depleted) 16-22
Access-Accept (Quota Depleted) 16-23
Accounting Stop (Session End) 16-23
Accounting Response (Final Status) 16-23
Vendor-Specific Attributes 16-25
Implementing the Prepaid Billing API 16-27
CHAPTER 17 Using Cisco Prime Access Registrar Server Features 17-1
Incoming Traffic Throttling 17-2
MaximumIncomingRequestRate 17-2
MaximumOutstandingRequests 17-2
Backing Store Parsing Tool 17-3
Configurable Worker Threads Enhancement 17-4
Session-Key Lookup 17-5
Query-Notify 17-6
Call Flow 17-7
Configuration Examples 17-8
Memory and Performance Impact 17-9
Support for Windows Provisioning Service 17-9
Call Flow 17-10
Example Configuration 17-10
Environment Variables 17-11
Master URL Fragments 17-11
Unsupported Features 17-12
Account Expiration and Renewal 17-12
Password Changing and Force Update 17-13
Command Completion 17-13
Service Grouping Feature 17-14
Configuration Example - AccountingGroupService 17-14
Summary of Events 17-17
Configuration Example 2 - AuthenticationGroupService 17-17
Summary of Events 17-20
SHA-1 Support for LDAP-Based Authentication 17-21
Remote LDAP Server Password Encryption 17-21
Dynamic Password Encryption 17-22
Logs 17-23
Dynamic Attributes 17-23
Object Properties with Dynamic Support 17-23
Dynamic Attribute Format 17-25
Tunneling Support Feature 17-25
Configuration 17-26
Example 17-26
Notes 17-26
Validation 17-26
xDSL VPI/VCI Support for Cisco 6400 17-27
Using User-Name/User-Password for Each Cisco 6400 Device 17-27
Format of the New User-Name Attribute 17-27
Apply Profile in Cisco Prime Access Registrar Database to Directory Users 17-28
User-Profile 17-28
User-Group 17-29
Example User-Profile and User-Group Attributes in Directory User Record 17-29
Directory Multi-Value Attributes Support 17-29
MultiLink-PPP (ML-PPP) 17-30
Dynamic Updates Feature 17-31
NAS Monitor 17-32
Automatic Information Collection (arbug) 17-33
Running arbug 17-33
Files Generated 17-33
Simultaneous Terminals for Remote Demonstration 17-34
Support for RADIUS Check Item Attributes 17-34
Configuring Check Items 17-34
User-Specific Attributes 17-35
Packet of Disconnect 17-36
Configuring Packet of Disconnect 17-36
Configuring the Client Object 17-36
Configuring a Resource Manager for POD 17-37
Proxying POD Requests from External Servers 17-38
CLI Options for POD 17-38
query-sessions 17-38
release-sessions 17-39
Configuring Change of Authorization Requests 17-39
Configuring the Client Object 17-40
Dynamic DNS 17-41
Configuring Dynamic DNS 17-42
Testing Dynamic DNS with radclient 17-43
Dynamic Service Authorization Feature 17-44
Configuring Dynamic Service Authorization Feature 17-44
Setting Up the Environment Variable 17-45
Remote Session Management 17-47
Wx Interface Support for SubscriberDB Lookup 17-48
Configuration Examples 17-48
Smart Grid Solution Management 17-50
TACACS+ Support for AAA 17-50
CHAPTER 18 Directing RADIUS Requests 18-1
Configuring Policies and Rules 18-1
Configuring Policies 18-1
Configuring Rules 18-2
Wildcard Support 18-2
Script and Attribute Requirements 18-3
Validation 18-4
Known Anomalies 18-4
Routing Requests 18-4
Routing Requests Based on Realm 18-4
Routing Requests Based on DNIS 18-5
Routing Requests Based on CLID 18-6
Routing Requests Based on NASIP 18-7
Routing Requests Based on User-Name Prefix 18-8
Attribute Translation 18-9
Translations 18-9
TranslationGroups 18-9
Parsing Translation Groups 18-10
Time of Day Access Restrictions 18-11
Setting Time Ranges in ExecTimeRule 18-12
ExecTimeRule Example Configuration 18-12
Reducing Overhead Using Policies to Group Rules 18-13
Standard Scripts Used with Rules 18-15
ExecRealmRule 18-15
ExecDNISRule 18-16
ExecCLIDRule 18-16
ExecNASIPRule 18-17
ExecPrefixRule 18-17
ExecSuffixRule 18-18
Configuring Suffix and Prefix Policies 18-19
ExecTimeRule 18-20
ParseTranslationGroupsByRealm 18-20
ParseTranslationGroupsByDNIS 18-20
ParseTranslationGroupsByCLID 18-21
ParseTranslationGroupsByDNIS 18-21
CHAPTER 19 Using FastRules to Process Packet Flow 19-1
Configuring FastRules 19-2
CHAPTER 20 Wireless Support 20-1
Mobile Node-Home Agent Shared Key 20-1
Use Case Example 20-1
Configuring User Attributes 20-2
3GPP2 Home Agent Support 20-3
Home-Agent Resource Manager 20-3
Load Balancing 20-3
Querying and Releasing Sessions 20-4
Access Request Requirements 20-5
New 3GPP2 VSAs in the Cisco Prime Access Registrar Dictionary 20-5
Session Correlation Based on User-Defined Attributes 20-5
Managing Multiple Accounting Start/Stop Messages 20-6
NULL Password Support 20-6
3GPP Compliance 20-7
SWa Access Authentication and Authorization 20-8
STa Access Authentication and Authorization 20-8
SWm Access Authentication and Authorization 20-9
SWd Access Authentication and Authorization 20-9
SWx Authentication Procedure 20-10
HSS Initiated Update of User Profile 20-10
S6b Authentication and Authorization Procedure 20-10
3GPP Call Flows 20-11
CLI for 3GPP Authorization 20-12
CLI for 3GPP Reverse Authorization 20-12
CHAPTER 21 Using LDAP 21-1
Configuring LDAP 21-1
Configuring the LDAP Service 21-2
MultipleServersPolicy 21-2
RemoteServers 21-3
Configuring an LDAP RemoteServer 21-3
DNS Look Up and LDAP Rebind Interval 21-6
LDAPToRadiusMappings 21-7
LDAPToEnvironmentMappings 21-7
LDAPToCheckItemMappings 21-7
Setting LDAP As Authentication and Authorization Service 21-7
Saving Your Configuration 21-7
CHAP Interoperability with LDAP 21-8
Allowing Special Characters in LDAP Usernames 21-8
Dynamic LDAP Search Base 21-8
Analyzing LDAP Trace Logs 21-9
Successful Bind Message 21-9
Bind Failure Messages 21-9
Login Failure Messages 21-10
Bind-Based Authentication for LDAP 21-11
CHAPTER 22 Using Open Database Connectivity 22-1
Oracle Software Requirements 22-2
Configuring ODBC/OCI 22-2
Configuring an ODBC/OCI Service 22-6
Configuring an ODBC/OCI RemoteServer 22-7
ODBC Data Source 22-9
SQL Definitions 22-9
SQL Syntax Restrictions 22-10
Specifying More Than One Search Key 22-10
ODBCToRadiusMappings/OCIToRadiusMappings 22-11
ODBCToEnvironmentMappings/OCIToEnvironmentMappings 22-11
ODBCToCheckItemMappings/OCIToCheckItemMappings 22-11
Configuring an ODBC DataSource 22-11
Setting ODBC/OCI As Authentication and Authorization Service 22-12
Setting ODBC/OCI As Accounting Service 22-13
Saving Your Configuration 22-13
Oracle Stored Procedures 22-13
MySQL Support 22-15
MySQL Driver 22-15
Configuring a MySQL Datasource 22-15
Example Configuration 22-17
CHAPTER 23 SIGTRAN-M3UA 23-1
Prerequisites to SIGTRAN-M3UA 23-2
Configuring EAP-AKA/EAP-SIM with SIGTRAN-M3UA 23-4
Blacklisting IMSI Values 23-11
Configuring M3UA Service 23-12
Configuring M3UA Service with Map Restore Data Authorization 23-13
Map Restore Data Authorization Flow 23-13
CS Insert Subscriber Data Structure 23-14
CLI Configuration for Map-Restore-Data 23-15
Support for SCTP Multihoming in SIGTRAN-M3UA 23-21
SIGTRAN-M3UA Logs 23-22
CHAPTER 24 Using SNMP 24-1
Overview 24-1
Supported MIBs 24-1
RADIUS-AUTH-CLIENT-MIB 24-2
RADIUS-AUTH-SERVER-MIB 24-2
RADIUS-ACC-CLIENT-MIB 24-2
RADIUS-ACC-SERVER-MIB 24-2
CISCO-DIAMETER-BASE-PROTOCOL-MIB 24-2
Diameter SNMP and Statistics Support 24-3
TACACS+ SNMP and Statistics Support 24-3
SNMP Traps 24-3
Supported Traps 24-4
carServerStart 24-4
carServerStop 24-4
carInputQueueFull 24-4
carInputQueueNotVeryFull 24-5
carOtherAuthServerNotResponding 24-5
carOtherAuthServerResponding 24-5
carOtherAccServerNotResponding 24-6
carOtherAccServerResponding 24-6
carAccountingLoggingFailure 24-6
carLicenseUsage 24-7
carDiameterPeerDown 24-7
carDiameterPeerUp 24-7
Configuring Traps 24-7
SNMP Configuration 24-7
Configuring Trap Recipient 24-7
Community String 24-8
CHAPTER 25 Enforcement of Licensing Models 25-1
TPS Licensing Features 25-1
Enforcement Rules 25-1
Notification Logs 25-2
Notification - SNMP Traps 25-2
TPS Logging Feature 25-3
Concurrent Session License Features 25-3
Sessions Enforcement Rules 25-4
Notification Logs 25-4
Notification - SNMP Traps 25-5
Session Logging Feature 25-5
CHAPTER 26 Backing Up the Database 26-1
Configuration 26-1
Command Line Utility 26-1
Recovery 26-2
mcdshadow Command Files 26-2
CHAPTER 27 Using the REX Accounting Script 27-1
Building and Installing the REX Accounting Script 27-1
Configuring the Rex Accounting Script 27-2
Specifying REX Accounting Script Options 27-4
Example Script Object 27-5
CHAPTER 28 Logging Syslog Messages 28-1
Syslog Messages 28-1
Example 1 28-2
Example 2 28-2
Configuring Message Logging (Solaris) 28-3
Configuring Message Logging (Linux) 28-4
Changing Log Directory 28-4
Configuring Syslog Daemon (syslogd) 28-5
Managing the Syslog File 28-5
Using a cron Program to Manage the Syslog Files 28-6
Server Up/Down Status Change Logging 28-6
Header Formats 28-6
Example Log Messages 28-7
Chapter 29 Troubleshooting Cisco Prime Access Registrar 29-1
Gathering Basic Information 29-1
Troubleshooting Quick Checks 29-2
Disk Space 29-2
Resource Conflicts 29-2
No Co-Existence With Cisco Network Registrar 29-2
Port Conflicts 29-3
Server Running Sun SNMP Agent 29-3
Cisco Prime Access Registrar Log Files 29-3
Modifying File Sizes for Agent Server and MCD Server Logs 29-4
Using xtail to Monitor Log File Activity 29-4
Modifying the Trace Level 29-4
Installation and Server Process Start-up 29-5
aregcmd and Cisco Prime Access Registrar Configuration 29-5
Running and Stopped States 29-5
RADIUS Request Processing 29-7
Other Troubleshooting Techniques and Resources 29-7
aregcmd Stats Command 29-7
Core Files 29-8
radclient 29-8
Cisco Prime Access Registrar Replication 29-8
Checking Prime Access Registrar Server Health Status 29-8
Appendix A Cisco Prime Access Registrar Tcl, REX and Java Dictionaries A-1
Tcl Attribute Dictionaries A-1
Attribute Dictionary Methods A-1
Tcl Environment Dictionary A-4
REX Attribute Dictionary A-5
Attribute Dictionary Methods A-5
REX Environment Dictionary A-11
REX Environment Dictionary Methods A-11
Java Attribute Dictionary A-13
Java Attribute Dictionary Methods A-13
Java Environment Dictionary A-16
Java Environment Dictionary Methods A-16
Interface Extension A-17
Interface Extension Methods A-18
Interface ExtensionforSession A-18
Interface Extensionforsession Methods A-19
Interface Extensionwithinitialization A-19
Interface Extensionwithinitialization Methods A-20
Interface ExtensionforSessionwithinitialization A-20
Interface Extensionforsessionwithinitialization Methods A-20
Interface MarkerExtension A-20
Variables in the Marker Extension Interface A-21
Class Sessionrecord A-24
Session Record Methods A-24
Appendix B Environment Dictionary B-1
Cisco Prime Access Registrar Environment Dictionary Variables B-1
Accepted-Profiles B-1
Accounting-Service B-2
Acquire-Dynamic-DNS B-2
Acquire-Group-Session-Limit B-2
Acquire-Home-Agent B-2
Acquire-IP-Dynamic B-2
Acquire-IPX-Dynamic B-2
Acquire-IP-Per-NAS-Port B-2
Acquire-Subnet-Dynamic B-3
Acquire-User-Session-Limit B-3
Acquire-USR-VPN B-3
Allow-Null-Password B-3
Authentication-Service B-3
Authorization-Service B-3
AuthorizationInfo B-3
BackingStore-Env-Vars B-4
Blacklisted-IMSI B-4
Broadcast-Accounting-Packet B-4
Cache-Attributes-In-Session B-4
Current-Group-Count B-4
Cache-Outer-Identity B-4
Destination-IP-Address B-4
Destination-Port B-4
Dest-Translation-Type B-5
Dest-Numbering-Plan B-5
Dest-Encoding-Scheme B-5
Dest-Nature-Of-Address B-6
Dest-GT-Format B-6
Diameter-Application-Id B-6
Diameter-Command-Code B-6
Disable-Accounting-On-Off-Broadcast B-7
DSA-Response-Cache B-7
Dynamic-DNS-HostName B-7
Dynamic-Search-Filter B-7
Dynamic-Search-Path B-7
Dynamic-Search-Scope B-7
Dynamic-Service-Loop-Limit B-7
Dynamic-User-Password-Attribute B-7
EAP-Actual-Identity B-8
EAP-Authentication-Mode B-8
Enforce-Traffic-Throttling B-8
FetchAuthorizationInfo B-8
Generate-BEK B-8
Group-Session-Limit B-8
HLR-GlobalTitle-Address B-8
HLR-GlobalTitle-Cached B-8
HLR-Translated-IMSI B-9
Ignore-Accounting-Signature B-9
IMSI B-9
Incoming-Translation-Groups B-9
Master-URL-Fragment B-9
Misc-Log-Message-Info B-10
MSISDN B-10
Outgoing-Translation-Groups B-10
Pager B-10
Query-Service B-10
Re-Accounting-Service B-10
Re-Authentication-Service B-10
Re-Authorization-Service B-11
Realm B-11
Reject-Reason B-11
Remote-Server B-11
Remove-Session-On-Acct-Stop B-11
Remote-Servers-Tried B-11
Request-Authenticator B-11
Request-Type B-12
Require-User-To-Be-In-Authorization-List B-12
Response-Type B-13
Retrace-Packet B-13
Send-PEAP-URI-TLV B-13
Session-Key B-13
Session-Manager B-13
Session-Notes B-13
Session-Service B-14
Set-Session-Mgr-And-Key-Upon-Lookup B-14
Skip-Session-Management B-14
Skip-Overriding-Username-With-LDAP-UID B-14
Skip-Overriding-UserName-With-PEAPIdentity B-14
Source-IP-Address B-14
Source-Port B-15
SQL-Sequence B-15
Subnet-Size-If-No-Match B-15
Trace-Level B-15
Unavailable-Resource B-15
Unavailable-Resource-Type B-15
UserDefined1 B-15
User-Authorization-Script B-16
User-Group B-16
User-Group-Session-Limit B-16
User-Name B-16
User-Profile B-16
User-Session-Limit B-16
Virtual-Server-Outgoing-Script B-16
Windows-Domain-Groups B-16
X509-Subject-Name B-17
Internal Variables B-17
Appendix C RADIUS Attributes C-1
RADIUS Attributes C-1
Cisco Prime Access Registrar Attributes C-1
RADIUS Attributes Numeric List C-4
Vendor-Specific Attributes C-13
3GPP VSAs C-13
3GPP2 VSAs C-15
ACC VSAs C-22
Altiga VSAs C-27
Ascend VSAs C-30
Bay Networks VSAs C-45
Cabletron VSAs C-46
Cisco Prime Access Registrar Internal VSAs C-46
Cisco VSAs C-48
Compatible VSAs C-51
Microsoft VSAs C-51
Nomadix VSAs C-53
RedBack VSAs C-53
RedCreek VSAs C-56
TACACS+ VSAs C-56
Telebit VSAs C-59
Unisphere VSAs C-59
USR VSAs C-60
WiMax C-85
WISPr C-85
XML C-86
Index xxxiii
Preface
The Cisco Prime Access Registrar 6.1 User Guide provides information about how to use
Cisco Prime Access Registrar (known as Prime Access Registrar hereafter) 6.1. This preface contains
the following sections:
Document Organization, page xxxiii
Related Documentation, page xxxv
Obtaining Documentation and Submitting a Service Request, page xxxv
Notices, page xxxv
Document Organization
The Prime Access Registrar User Guide is organized as follows:
Chapter 1, “Overview,” provides an overview of Prime Access Registrar.
Chapter 2, “Using the aregcmd Commands,” provides information about using aregcmd commands.
Chapter 3, “Using the Graphical User Interface,” provides information about using the Prime Access Registrar GUI.
Chapter 4, “Cisco Prime Access Registrar Server Objects,” provides information about Prime Access Registrar server objects.
Chapter 5, “Using the radclient Command,” provides information about using radclient commands to test Prime Access Registrar.
Chapter 6, “Configuring Local Authentication and Authorization,” provides information about how to configure local authentication and authorization and helpful examples.
Chapter 7, “RADIUS Accounting,” provides information about RADIUS accounting and how to configure Prime Access Registrar to perform accounting.
Chapter 8, “Diameter,” provides information about how to configure Prime Access Registrar to perform Diameter authentication and authorization, and also provides information about Diameter Accounting.
Chapter 9, “Extensible Authentication Protocols,” provides information about Prime Access Registrar support of EAP authentication methods.
Chapter 10, “Using WiMAX in Cisco Prime Access Registrar,” provides information about Prime Access Registrar support for the WiMAX feature.
Chapter 11, “Using Extension Points,” provides information about how to use Prime Access Registrar scripting to customize your RADIUS server.
Chapter 12, “Using Replication,” provides information about how to use the replication feature.
Chapter 13, “Using On-Demand Address Pools,” provides information about using On-Demand Address Pools.
Chapter 14, “Using Identity Caching,” provides information about using the Identity Caching feature.
Chapter 15, “Using Trusted ID Authorization with SESM,” describes how to use Prime Access Registrar with SESM, and how to configure Prime Access Registrar to use the Trusted ID feature.
Chapter 16, “Using Prepaid Billing,” provides information about how to use the Prime Access Registrar prepaid billing feature.
Chapter 17, “Using Cisco Prime Access Registrar Server Features,” provides information about using Prime Access Registrar features.
Chapter 18, “Directing RADIUS Requests,” provides information about using the Prime Access Registrar Policy Engine.
Chapter 19, “Using FastRules to Process Packet Flow,” provides information about using FastRules for processing packet flow.
Chapter 20, “Wireless Support,” provides information about Prime Access Registrar support for wireless features.
Chapter 21, “Using LDAP,” provides information about using an LDAP remote server with Prime Access Registrar.
Chapter 22, “Using Open Database Connectivity,” provides information about a new type of RemoteServer object and a new service to support ODBC.
Chapter 23, “SIGTRAN-M3UA,” provides information about the SIGTRAN-M3UA remote server and a service to support EAP-AKA/EAP-SIM authentication.
Chapter 24, “Using SNMP,” provides information about the SNMP MIB and Trap support offered by Prime Access Registrar.
Chapter 25, “Enforcement of Licensing Models,” provides information on the enforcement of Prime Access Registrar’s new license model—transactions per second (TPS) Licensing.
Chapter 26, “Backing Up the Database,” describes the Prime Access Registrar shadow backup facility, which ensures a consistent snapshot of Prime Access Registrar’s database for backup purposes.
Chapter 27, “Using the REX Accounting Script,” describes how to use the REX Accounting scripts.
Chapter 28, “Logging Syslog Messages,” provides information about logging messages via syslog and centralized error reporting for Prime Access Registrar.
Chapter 29, “Troubleshooting Cisco Prime Access Registrar,” provides information about techniques used when troubleshooting Prime Access Registrar and highlights common problems.
Appendix A, “Cisco Prime Access Registrar Tcl, REX and Java Dictionaries,” describes the Tcl and REX dictionaries that are used when writing Incoming or Outgoing scripts for use with Prime Access Registrar.
Appendix B, “Environment Dictionary,” describes the environment variables the scripts use to communicate with Prime Access Registrar or to communicate with other scripts.
Appendix C, “RADIUS Attributes,” lists the RFC 2865 RADIUS attributes with their names and values.
Glossary and index are also provided.
Related Documentation
For a complete list of Prime Access Registrar 6.1 documentation, see the Cisco Prime Access Registrar
6.1 Documentation Overview.
Note We sometimes update the documentation after original publication. Therefore, you should also review
the documentation on Cisco.com for any updates.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a
service request, and gathering additional information, see What’s New in Cisco Product Documentation
at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised
Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a
reader application. The RSS feeds are a free service.
Notices
The following notices pertain to this software license.
OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the
original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses
are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact
openssl-core@openssl.org.
OpenSSL License:
Copyright © 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgment: “This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit (http://www.openssl.org/)”.
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote
products derived from this software without prior written permission. For written permission, please
contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in
their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/)”.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product
includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License:
Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are
adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA,
lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is
covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed.
If this package is used in a product, Eric Young should be given attribution as the author of the parts of
the library used. This can be in the form of a textual message at program startup or in documentation
(online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.
The word ‘cryptographic’ can be left out if the routines from the library being used are not
cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory
(application code) you must include an acknowledgement: “This product includes software written
by Tim Hudson (tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be
changed. i.e. this code cannot simply be copied and put under another distribution license [including the
GNU Public License].
Chapter 1 Overview
This chapter provides an overview of the RADIUS server, including connection steps, RADIUS message
types, and using Cisco Prime Access Registrar (Prime Access Registrar) as a proxy server.
Prime Access Registrar is a 3GPP-compliant RADIUS (Remote Authentication Dial-In User
Service)/Diameter server that enables multiple dial-in Network Access Server (NAS) devices to share a
common authentication, authorization, and accounting database.
Prime Access Registrar handles the following tasks:
Authentication—determines the identity of users and whether they can be allowed to access the
network
Authorization—determines the level of network services available to authenticated users after they
are connected
Accounting—keeps track of each user’s network activity
Session and resource management—tracks user sessions and allocates dynamic resources
Using a RADIUS server allows you to better manage the access to your network, as it allows you to store
all security information in a single, centralized database instead of distributing the information around
the network in many different devices. You can make changes to that single database instead of making
changes to every network access server in your network.
Prime Access Registrar also allows you to manage the complex interconnections of the new network
elements in order to:
adequately manage the traffic
perform appropriate load balancing for desired load distribution
allow binding of different protocol interfaces corresponding to a subscriber/network element
Service providers transform their 3G and 4G wireless networks with complex services, tiered charging,
converged billing, and more by introducing increasing numbers and types of Diameter-based network
elements. LTE and IMS networks are the most likely to implement these new network
elements—including Policy and Charging Rules Functions (PCRF), Home Subscriber Servers (HSS),
Mobility Management Entities (MME), Online Charging Systems (OCS), and others. As a result, as the
traffic levels grow, these wireless networks are becoming more difficult to manage and scale without the
Prime Access Registrar infrastructure.
Note Solaris support is available for Prime Access Registrar Version 6.0. Solaris support for Version 6.1 will
be provided in a future maintenance release.
This chapter contains the following sections:
Prime Access Registrar Hierarchy
Prime Access Registrar Directory Structure
Program Flow
RADIUS Protocol
Service and Ports Used in Prime Access Registrar
Prime Access Registrar Hierarchy
Prime Access Registrar’s operation and configuration is based on a set of objects. These objects are
arranged in a hierarchical structure much like the Windows 95 Registry or the UNIX directory structure.
Prime Access Registrar’s objects can themselves contain subobjects, just as directories can contain
subdirectories. These objects include the following:
Radius—the root of the configuration hierarchy
UserLists—contains individual UserLists which in turn contain users
UserGroups—contains individual UserGroups
Users—contains individual authentication or authorization details of a user
Clients—contains individual Clients
Vendors—contains individual Vendors
Scripts—contains individual Scripts
Policies—contains a set of rules applied to an Access-Request
Services—contains individual Services
CommandSets—contains commands and the action to perform during Terminal Access Controller
Access-Control System Plus (TACACS+) command authorization
DeviceAccessRules—contains conditions or expressions and the applicable command sets for
TACACS+ command authorization
FastRules—provides a mechanism to easily choose the right authentication, authorization,
accounting, and query service(s), drop, reject, or break flows, choose session manager or other rules
required for processing a packet
SessionManagers—contains individual Session Managers
ResourceManagers—contains individual Resource Managers
Profiles—contains individual Profiles
RemoteServers—contains individual RemoteServers
Advanced—contains Ports, Interfaces, Reply Messages, and the Attribute dictionary
This section contains the following topics:
UserLists and Groups
Profiles
Scripts
Services
Session Management Using Resource Managers
UserLists and Groups
Prime Access Registrar lets you organize your user community through the configuration objects
UserLists, users, and UserGroups.
Use UserLists to group users by organization, such as Company A and Company B. Each list
contains the actual names of the users.
Use Users to store information about particular users, such as name, password, group membership,
base profile, and so on.
Use UserGroups to group users by function, such as PPP, Telnet, or multiprotocol users. Groups
allow you to maintain common authentication and authorization requirements in one place, and have
them referenced by many users.
For more information about UserLists and UserGroups, see UserLists and Groups in Chapter 4, “Cisco
Prime Access Registrar Server Objects.”
Profiles
Prime Access Registrar uses Profiles that allow you to group RADIUS attributes to be included in an
Access-Accept packet. These attributes include values that are appropriate for a particular user class,
such as PPP or Telnet user. The user’s base profile defines the user’s attributes, which are then added to
the response as part of the authorization process.
Although you can use Group or Profile objects in a similar manner, choosing whether to use one rather
than the other depends on your site. If you require some choice in determining how to authorize or
authenticate a user session, then creating specific profiles, and specifying a group that uses a script to
choose among the profiles is more flexible. In such a situation, you might create a default group and then
write a script that selects the appropriate profile based on the specific request. The benefit to this
technique is each user can have a single entry, and use the appropriate profile depending on the way they
log in.
For more information about Profiles, see Profiles in Chapter 4, “Cisco Prime Access Registrar Server
Objects.”
Scripts
Prime Access Registrar allows you to create scripts you can execute at various points within the
processing hierarchy.
Incoming scripts—enable you to read and set the attributes of the request packet, and set or change
the Environment dictionary variables. You can use the environment variables to control subsequent
processing, such as specifying the use of a particular authentication service.
Outgoing scripts—enable you to modify attributes returned in the response packet.
For more information about Scripts, see Scripts in Chapter 4, “Cisco Prime Access Registrar Server
Objects.”
Services
Prime Access Registrar uses Services to let you determine how authentication, authorization, and/or
accounting are performed.
For example, to use Services for authentication:
When you want the authentication to be performed by the Prime Access Registrar RADIUS server,
you can specify the local service. In this case, you must specify a specific UserList.
When you want the authentication performed by another server, which might run an independent
application on the same or different host than your RADIUS server, you can specify either a radius,
ldap, or tacacs-udp service. In this case, you must list these servers by name.
When you have specified more than one authentication service, Prime Access Registrar determines
which one to use for a particular Access-Request by checking the following:
When an incoming script has set the Environment dictionary variable Authentication-Service with
the name of a Service, Prime Access Registrar uses that service.
Otherwise, Prime Access Registrar uses the default authentication service. The default
authentication service is a property of the Radius object.
Prime Access Registrar chooses the authentication service based on the variable
Authentication-Service, or the default. The properties of that Service specify many of the details of
that authentication service, such as the specific user list to use or the specific application (possibly
remote) to use in the authentication process.
For more information about Services, see Services in Chapter 4, “Cisco Prime Access Registrar
Server Objects.”
Session Management Using Resource Managers
Prime Access Registrar lets you track user sessions, and/or allocate dynamic resources to users for the
lifetime of their session. You can define one or more Session Managers, and have each one manage the
sessions for a particular group or company.
Session Managers use Resource Managers, which in turn manage resources of a particular type as
described below.
IP-Dynamic—manages a pool of IP addresses and allows you to dynamically allocate IP addresses
from that pool
IP-Per-NAS-Port—allows you to associate ports to specific IP addresses, and thus ensure each NAS
port always gets the same IP address
IPX-Dynamic—manages a pool of IPX network addresses
Subnet-Dynamic—manages a pool of subnet addresses
Group-Session-Limit—manages concurrent sessions for a group of users; that is, it keeps track of
how many sessions are active and denies new sessions after the configured limit has been reached
User-Session-Limit—manages per-user concurrent sessions; that is, it keeps track of how many
sessions each user has and denies the user a new session after the configured limit has been reached
Home-Agent—manages a pool of on-demand IP addresses
USR-VPN—manages Virtual Private Networks (VPNs) that use USR NAS Clients
Home-Agent-IPv6—manages a pool of on-demand IPv6 addresses
Remote-IP-Dynamic—manages a pool of IP addresses that allows you to dynamically allocate IP
addresses from a pool of addresses. It internally works with a remote ODBC database.
Remote-User-Session-Limit—manages per-user concurrent sessions; that is, it keeps track of how
many sessions each user has and denies the user a new session after the configured limit has been
reached. It internally works with a remote ODBC database.
Remote-Group-Session-Limit—manages concurrent sessions for a group of users; that is, it keeps
track of how many sessions are active and denies new sessions after the configured limit has been
reached. It internally works with a remote ODBC database.
Session Cache—allows you to define the RADIUS attributes to store in cache.
Dynamic-DNS—manages the DNS server.
Remote-Session-Cache—allows you to define the RADIUS attributes to store in cache. It should be
used with session manager of type 'remote'.
3GPP—allows you to define the attribute for 3GPP authorization.
For more information about Session Managers, see Session Managers in Chapter 4, “Cisco Prime Access
Registrar Server Objects.”
If necessary, you can create a complex relationship between the Session Managers and the Resource
Managers.
When you need to share a resource among Session Managers, you can create multiple Session Managers
that refer to the same Resource Manager. For example, if one pool of IP addresses is shared by two
departments, but each department has a separate policy about how many users can be logged in
concurrently, you might create two Session Managers and three Resource Managers. One dynamic IP
Resource Manager that is referenced by both Session Managers, and two concurrent session Resource
Managers, one for each Session Manager.
In addition, Prime Access Registrar lets you pose queries about sessions. For example, you can query
Prime Access Registrar about which session (and thus which NAS-Identifier, NAS-Port and/or
User-Name) owns a particular resource, as well as query Prime Access Registrar about how many
resources are allocated or how many sessions are active.
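The service-selection rule above (Authentication-Service from the Environment dictionary, otherwise the Radius object's default), the two-department arrangement in which two Session Managers share one IP-Dynamic Resource Manager, and the session queries, modelled as an added Python example. It is not Prime Access Registrar code: the class and function names, the configuration keys, the sample client, users, passwords and addresses, and the rollback of earlier allocations when a later Resource Manager denies are all assumptions of the model.

```python
# Constructed model of the chapter's request flow; not Prime Access Registrar code.
class IPDynamic:
    """IP-Dynamic Resource Manager: allocates from a pool and records the owner."""
    def __init__(self, pool):
        self.free, self.owners = list(pool), {}
    def allocate(self, session):
        if not self.free:                        # pool exhausted: deny
            return False
        ip = session["Framed-IP-Address"] = self.free.pop(0)
        self.owners[ip] = session
        return True
    def release(self, session):
        self.free.append(session.pop("Framed-IP-Address"))
        del self.owners[self.free[-1]]

class GroupSessionLimit:
    """Group-Session-Limit Resource Manager: denies once the limit is reached."""
    def __init__(self, limit):
        self.limit, self.active = limit, 0
    def allocate(self, session):
        if self.active >= self.limit:
            return False
        self.active += 1
        return True
    def release(self, session):
        self.active -= 1

class SessionManager:
    """Runs its Resource Managers in order (rollback on denial is an assumption)."""
    def __init__(self, resource_managers):
        self.resource_managers, self.sessions = resource_managers, {}
    def allocate(self, session):
        held = []
        for rm in self.resource_managers:
            if not rm.allocate(session):
                for done in reversed(held):      # undo what earlier managers gave
                    done.release(session)
                return False
            held.append(rm)
        self.sessions[session["Session-Key"]] = session
        return True
    def release(self, key):
        session = self.sessions.pop(key)
        for rm in reversed(self.resource_managers):
            rm.release(session)

def process(radius, request, src_ip, incoming_script=lambda req, env: None):
    """One Access-Request through the Table 1-2 flow (policy step left out)."""
    if src_ip not in {c["IPAddress"] for c in radius["Clients"].values()}:
        return None         # not a configured client: RFC 2865 discards silently
    env = {}
    incoming_script(request, env)
    # Authentication-Service set by the incoming script wins, else the default
    svc_name = env.get("Authentication-Service", radius["DefaultAuthenticationService"])
    users = radius["UserLists"][radius["Services"][svc_name]["UserList"]]
    if users.get(request["User-Name"]) != request["User-Password"]:
        return {"Code": "Access-Reject"}
    sm = radius["SessionManagers"][env.get("Session-Manager", radius["DefaultSessionManager"])]
    session = {"User-Name": request["User-Name"],
               "Session-Key": (request["NAS-Identifier"], request["NAS-Port"])}
    if not sm.allocate(session):
        return {"Code": "Access-Reject"}
    return {"Code": "Access-Accept", "Framed-IP-Address": session["Framed-IP-Address"]}

def pick_department(request, env):
    """Incoming-script stand-in: users in realm 'b' get department b's objects."""
    if request["User-Name"].endswith("@b"):
        env["Authentication-Service"], env["Session-Manager"] = "local-b", "dept-b"

def build_radius():
    """Keys mirror the /Radius hierarchy; two Session Managers share one pool."""
    pool = IPDynamic(["192.0.2.10", "192.0.2.11"])
    return {"Clients": {"nas1": {"IPAddress": "198.51.100.1"}},
            "UserLists": {"ul-a": {"alice@a": "pw-a1", "dave@a": "pw-a2"},
                          "ul-b": {"bob@b": "pw-b1"}},
            "Services": {"local-a": {"Type": "local", "UserList": "ul-a"},
                         "local-b": {"Type": "local", "UserList": "ul-b"}},
            "SessionManagers": {"dept-a": SessionManager([GroupSessionLimit(2), pool]),
                                "dept-b": SessionManager([GroupSessionLimit(2), pool])},
            "DefaultAuthenticationService": "local-a", "DefaultSessionManager": "dept-a"}

def run_scenario():
    radius = build_radius()
    limit_a, pool = radius["SessionManagers"]["dept-a"].resource_managers
    def req(user, password, port, src="198.51.100.1"):
        request = {"User-Name": user, "User-Password": password,
                   "NAS-Identifier": "nas1", "NAS-Port": port}
        reply = process(radius, request, src, pick_department)
        return reply and reply["Code"]
    codes = [req("alice@a", "pw-a1", 1, src="203.0.113.9"),   # unknown NAS: None
             req("alice@a", "wrong", 1),                       # wrong password
             req("alice@a", "pw-a1", 1),                       # gets 192.0.2.10
             req("bob@b", "pw-b1", 2),                         # script picks local-b
             req("dave@a", "pw-a2", 3)]                        # pool empty: denied
    count_a = limit_a.active                                   # rolled back to 1
    before = pool.owners["192.0.2.11"]["User-Name"]            # query: who holds it
    radius["SessionManagers"]["dept-b"].release(("nas1", 2))  # bob's session ends
    codes.append(req("dave@a", "pw-a2", 3))                    # reuses 192.0.2.11
    return codes, count_a, before, pool.owners["192.0.2.11"]["User-Name"]
```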
Prime Access Registrar Directory Structure
The installation process populates the /opt/CSCOar directory with the subdirectories listed in Table 1-1.
Table 1-1 /opt/CSCOar Subdirectories
Subdirectory  Description
.system       Contains ELFs, or binary SPARC executables that should not be run directly.
bin           Contains shell scripts and programs frequently used by a network administrator; programs that can be run directly.
conf          Contains configuration files.
data          Contains the radius directory, which contains session backing files; and the db directory, which contains configuration database files.
examples      Contains documentation, sample configuration scripts, and shared library scripts.
lib           Contains Prime Access Registrar software library files.
logs          Contains system logs and is the default directory for RADIUS accounting.
odbc          Contains Prime Access Registrar ODBC files.
scripts       Contains sample scripts that you can modify to automate configuration, and to customize your RADIUS server.
temp          Used for temporary storage.
ucd-snmp      Contains the UCD-SNMP software Prime Access Registrar uses.
usrbin        Contains a symbolic link that points to bin.
Program Flow
When a NAS sends a request packet to Prime Access Registrar with a name and password,
Prime Access Registrar performs the following actions. Table 1-2 describes the flow without regard to
scripting points.
Table 1-2 From Access-Request to Access-Accept
Prime Access Registrar Server Action   Explanation
Receives an Access-Request   The Prime Access Registrar server receives an Access-Request packet from a NAS.
Determines whether to accept the request   The Prime Access Registrar server checks to see if the client’s IP address is listed in /Radius/Clients/<Name>/<IPAddress>.
Invokes the policy SelectPolicy if it exists   The Prime Access Registrar Policy Engine provides an interface to define and configure a policy and to apply the policy to the corresponding access-request packets.
Performs authentication and/or authorization   Directs the request to the appropriate service, which then performs authentication and/or authorization according to the type specified in /Radius/Services/<Name>/<Type>.
Performs session management   Directs the request to the appropriate Session Manager.
Performs resource management for each Resource Manager in the SessionManager   Directs the request to the appropriate resource manager listed in /Radius/SessionManagers/<Name>/<ResourceManagers>/<Name>, which then allocates or checks the resource according to the type listed in /Radius/<ResourceManagers>/<Name>/<Type>.
Sends an Access-Accept   Creates and formats the response, and sends it back to the client (NAS).
Prime Access Registrar supports Diameter with Extensible Authentication Protocol (EAP) functionality
to enable authentication between NAS and a backend NAS Diameter authentication server. For more
information, see Diameter with EAP Support, page 8-2.
Prime Access Registrar also supports 3GPP compliance by implementing a set of protocols. To
understand more about the 3GPP AAA server support and the call flow, see 3GPP Compliance,
page 20-7.
Scripting Points
Prime Access Registrar lets you invoke scripts you can use to affect the Request, Response, or
Environment dictionaries. This section contains the following topics:
1-7
Cisco Prime Access Registrar 6.1 User Guide
OL-29756-01
Chapter 1 Overview
Program Flow
Client Scripting
Client or NAS Scripting Points
Authentication and/or Authorization Scripting Points
Client Scripting
Though Prime Access Registrar allows external code (Tcl/C/C++/Java) to be used by means of a script, custom service, policy engine, and so forth, while processing requests or responses or while working with the environment dictionaries, it shall not be responsible for the scripts used and will not be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of the script.
Prime Access Registrar also allows you to define internal scripts, by which you can add, modify, or
delete attributes in the request, response, and environment dictionaries for RADIUS, Diameter, and
TACACS+.
Client or NAS Scripting Points

Table 1-3 shows the location of the scripting points within the section that determines whether to accept the request from the client or NAS. Scripting points are marked with an asterisk (*).

Table 1-3 Client or NAS Scripting Points

Action / Explanation

Receives an Access-Request.
    The Prime Access Registrar RADIUS server receives an Access-Request packet from a NAS.
Determines whether to accept the request.
    The client's IP address is listed in /Radius/Clients/<Name>/IPAddress.
*Executes the server's incoming script.
    A script referred to in /Radius/IncomingScript.
*Executes the vendor's incoming script.
    The vendor listed in /Radius/Clients/<Name>/Vendor, and the script referred to in /Radius/Vendors/<Name>/IncomingScript.
*Executes the client's incoming script.
    A script referred to in /Radius/Clients/<Name>/IncomingScript.
Determines whether to accept requests from this specific NAS.
    When /Radius/Advanced/RequireNASsBehindProxyBeInClientList is set to TRUE, the NAS's Identifier must be listed in /Radius/Clients/<Name>, or its NAS-IP-Address must be listed in /Radius/Clients/<Name>/IPAddress.

If the NAS's address is different from the client's IP address listed in /Radius/Clients/<Name>/IPAddress (that is, the immediate client is a proxy in front of the NAS), the following additional scripting points apply for the NAS's own client entry:

*Executes the vendor's incoming script.
    The vendor listed in /Radius/Clients/<Name>/Vendor for the NAS's client entry, and the script referred to in /Radius/Vendors/<Name>/IncomingScript.
*Executes the client's incoming script.
    The script referred to in /Radius/Clients/<Name>/IncomingScript for the NAS's client entry.
Authentication and/or Authorization Scripting Points

Table 1-4 shows the location of the scripting points within the section that determines whether to perform authentication and/or authorization. Scripting points are marked with an asterisk (*).

Table 1-4 Authentication and Authorization Scripting Points

Action / Explanation

Determines the Service to use for authentication and/or authorization.
    The Service name defined in the Environment dictionary variable Authentication-Service, which is the same as the Service defined in the Environment dictionary variable Authorization-Service; or, if those are not set, the Service name referred to by /Radius/DefaultAuthenticationService, which is the same as the Service defined in /Radius/DefaultAuthorizationService.
Performs authentication and/or authorization.
    If the Services are the same, performs authentication and authorization. If the Services are different, performs authentication only at this step.
*Executes the Service's incoming script.
    A script referred to in /Radius/Services/<Name>/IncomingScript.
Performs authentication and/or authorization.
    Based on the Service type defined in /Radius/Services/<Name>/Type.
*Executes the Service's outgoing script.
    A script referred to in /Radius/Services/<Name>/OutgoingScript.
Determines whether to perform authorization separately.
    The Service name defined in /Radius/DefaultAuthorizationService, if different from the authentication Service.
*Executes the Service's incoming script.
    A script referred to in /Radius/Services/<Name>/IncomingScript.
Performs authorization.
    Based on the Service type defined in /Radius/Services/<Name>/Type.
*Executes the Service's outgoing script.
    A script referred to in /Radius/Services/<Name>/OutgoingScript.

Session Management

The Session Management feature requires the client (NAS or proxy) to send all RADIUS accounting requests to the Prime Access Registrar server performing session management. (The only exception is if the clients are USR/3Com Network Access Servers configured to use the USR/3Com RADIUS resource management feature.) This information is used to keep track of user sessions and the resources allocated to those sessions.

When another RADIUS accounting server needs this accounting information, the Prime Access Registrar server performing session management might proxy it to this second server.

The count-sessions /radius all command counts the total sessions in Prime Access Registrar. Its options are similar to those of the query-session command. The query-session command displays cached attributes in addition to session details.

Table 1-5 describes how Prime Access Registrar handles session management.

Table 1-5 Session Management Processing

Action / Explanation

Determines whether to perform session management.
    The Session Manager defined in the Environment dictionary variable Session-Manager; or, if that is not set, the Session Manager name referred to in /Radius/DefaultSessionManager.
Performs session management.
    Selects the Session Manager as defined in /Radius/SessionManagers/<Name>.

This section contains the following topics:

Failover by the NAS and Session Management
Cross Server Session and Resource Management

Failover by the NAS and Session Management

When a Network Access Server's primary RADIUS server is performing session management, and the NAS determines the server is not responding and begins sending requests to its secondary RADIUS server, the following occurs:

The secondary server will not know about the current active sessions that are maintained on the primary server. Any resources managed by the secondary server must be distinct from those managed by the primary server; otherwise it is possible to have two sessions with the same resources (for example, two sessions with the same IP address).

The primary server will miss the accounting information that allows it to maintain a correct model of which sessions are currently active, because the authentication and accounting requests are being sent to the secondary server. When the primary server comes back online and the NAS begins using it again, its knowledge of which sessions are active will be out of date, and the resources for those sessions remain allocated even though they are free to allocate to someone else.

For example, the user-session-limit resource might reject new sessions because the primary server does not know that some of the users using the resource logged out while the primary server was offline. It might be necessary to release sessions manually using the aregcmd command release-session.

Note It might be possible to avoid this situation by having a disk drive shared between two systems, with the second RADIUS server started up once the primary server has been determined to be offline. For more information on this setup, contact Technical Support.

Cross Server Session and Resource Management

Prime Access Registrar can manage sessions and resources across AAA Server boundaries. A session can be created by an Access-Request sent to Prime AR1, and it can be removed by an Accounting-Stop request sent to Prime AR2, as shown in Figure 1-1. This enables accurate tracking of User and Group session limits across multiple AAA Servers, and IP addresses allocated to sessions are managed in one place.
Figure 1-1 Multiple Prime Access Registrar Servers (the figure shows front line servers Cisco Prime AR1, AR2, and AR3, each sending resource requests to a single Central Resource Cisco Prime AR)

All resources that must be shared across multiple front line Prime Access Registrars are configured in the Central Resource Prime Access Registrar. Resources that are not shared can still be configured at each front line Prime Access Registrar.

When the front line Prime Access Registrar receives the Access-Request, it does the regular AA processing. If the packet is not rejected and a Central Resource Prime Access Registrar is also configured, the front line Prime Access Registrar proxies the packet to the configured Central Resource Prime Access Registrar. (The proxy packet is actually a resource allocation request, not an Access-Request.) If the Central Resource Prime Access Registrar returns the requested resources, the process continues to the local session management (if a local session manager is configured) for allocating any local resources. If the Central Resource Prime Access Registrar cannot allocate the requested resource, the packet is rejected.

When the Accounting-Stop packet arrives at the front line Prime Access Registrar, Prime Access Registrar does the regular accounting processing. Then, if the front line Prime Access Registrar is configured to use a Central Resource Prime Access Registrar, a proxy packet is sent to the Central Resource Prime Access Registrar for it to release all the resources allocated for this session. After that, any locally allocated resources are released by the local session manager.

Session-Service Service Step and Radius-Session Service

A Service step has been added to the processing of Access-Request and Accounting packets. It is an additional step after the AA processing for an Access packet, or the accounting processing for an Accounting packet, but before the local session management processing. The Session-Service must have a service type of radius-session.

An environment variable, Session-Service, is provided to determine the Session-Service dynamically. You can use a script or the rule engine to set the Session-Service environment variable.

Configure Front Line Cisco Prime Access Registrar

To use a Central Resource server, either the DefaultSessionService property must be set or the Session-Service environment variable must be set through a script or the rule engine. The value in the Session-Service variable overrides DefaultSessionService.

The configuration parameters for a Session-Service service type are the same as those for configuring a radius service type for proxy, except that the service type is radius-session.

The configuration for a Session-Service Remote Server is the same as configuring a proxy server.

    [ //localhost/Radius ]
        Name = Radius
        Description =
        Version = 6.1
        IncomingScript =
        OutgoingScript =
        DefaultAuthenticationService = local-users
        DefaultAuthorizationService = local-users
        DefaultAccountingService = local-file
        DefaultSessionService = Remote-Session-Service
        DefaultSessionManager = session-mgr-1

    [ //localhost/Radius/Services ]
        Remote-Session-Service/
            Name = Remote-Session-Service
            Description =
            Type = radius-session
            IncomingScript =
            OutgoingScript =
            OutagePolicy = RejectAll
            OutageScript =
            MultipleServersPolicy = Failover
            RemoteServers/
                1. central-server

    [ //localhost/Radius/RemoteServers ]
        central-server/
            Name = central-server
            Description =
            Protocol = RADIUS
            IPAddress = 209.165.200.224
            Port = 1645
            ReactivateTimerInterval = 300000
            SharedSecret = secret
            Vendor =
            IncomingScript =
            OutgoingScript =
            MaxTries = 3
            InitialTimeout = 2000
            AccountingPort = 1646

The SharedSecret value shown is a placeholder for the example; in a deployment, use a long random secret that is unique to each remote server, because the RADIUS password hiding and response authentication between the front line and central servers rest entirely on it.
Configure Central Prime Access Registrar
Resources at the Central Resource server are configured the same way as local resources are configured.
These resources are local resources from the Central Resource server’s point of view.
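The following added example, which is not Prime Access Registrar code, models the two situations this section describes: a NAS failing over between two standalone session-managing servers (Failover by the NAS and Session Management), and the same sequence with the user-session-limit and the IP pool moved to a Central Resource server that front line servers allocate from and release to (Cross Server Session and Resource Management). Class and method names, pool addresses, user names and session identifiers are invented for the demonstration; the allocate and release calls stand in for the resource allocation proxy packet and the Accounting-Stop release, not for the real wire format.

```python
# Model of session and resource management across NAS failover, with and
# without a Central Resource server. Added example, not Prime Access Registrar
# code; class names, addresses and user names are invented for the demonstration.


class ResourceServer:
    """Allocates addresses from a pool and enforces a per-user session limit.
    Used as a standalone session manager and as the Central Resource server."""

    def __init__(self, name, pool, user_session_limit=1):
        self.name = name
        self.free = list(pool)            # addresses not currently allocated
        self.sessions = {}                # session id -> (user, address)
        self.user_session_limit = user_session_limit
        self.online = True

    def _require_online(self):
        if not self.online:
            raise ConnectionError(self.name + " is not responding")

    def allocate(self, session_id, user):
        """Resource allocation for an Access-Request: the address, or None to reject."""
        self._require_online()
        active = sum(1 for u, _ in self.sessions.values() if u == user)
        if active >= self.user_session_limit or not self.free:
            return None
        address = self.free.pop(0)
        self.sessions[session_id] = (user, address)
        return address

    def release(self, session_id):
        """Resource release for an Accounting-Stop. A session this server never saw
        is ignored, which is how a secondary server loses track after failover."""
        self._require_online()
        if session_id in self.sessions:
            self.free.append(self.sessions.pop(session_id)[1])

    release_session = release   # stands in for the manual aregcmd release-session


class FrontLine(ResourceServer):
    """Front line server: shared resources come from the Central Resource server
    (if configured), local resources from its own pool."""

    def __init__(self, name, pool, central=None):
        # user-session-limit is enforced centrally when a central server exists.
        super().__init__(name, pool, 1 if central is None else float("inf"))
        self.central = central

    def allocate(self, session_id, user):
        self._require_online()
        shared = None
        if self.central is not None:
            shared = self.central.allocate(session_id, user)
            if shared is None:
                return None                       # central cannot allocate: reject
        local = super().allocate(session_id, user)
        if local is None:                         # local resource exhausted
            if self.central is not None:
                self.central.release(session_id)  # give the shared resource back
            return None
        return shared if shared is not None else local

    def release(self, session_id):
        self._require_online()
        if self.central is not None:
            self.central.release(session_id)      # central releases first ...
        super().release(session_id)               # ... then the local session manager


def nas_send(servers, op, session_id, user=None):
    """NAS behaviour: use the primary, fail over to the secondary when it does not respond."""
    for server in servers:
        try:
            return server.allocate(session_id, user) if op == "access" else server.release(session_id)
        except ConnectionError:
            continue
    raise ConnectionError("no RADIUS server is responding")


def failover_scenario(with_central):
    """jane logs in via the primary; the primary dies; bob logs in and jane logs out
    via the secondary; the primary returns and jane logs in again."""
    central = ResourceServer("central", ["10.0.0.1", "10.0.0.2"]) if with_central else None
    ar1 = FrontLine("ar1", ["192.0.2.1", "192.0.2.2"], central)
    # Standalone servers sharing one pool: the overlap the text warns against.
    ar2_pool = ["192.0.2.3", "192.0.2.4"] if with_central else ["192.0.2.1", "192.0.2.2"]
    ar2 = FrontLine("ar2", ar2_pool, central)
    servers = [ar1, ar2]

    jane_ip = nas_send(servers, "access", "s1", "jane")
    ar1.online = False
    bob_ip = nas_send(servers, "access", "s2", "bob")    # served by ar2
    nas_send(servers, "stop", "s1")                      # Accounting-Stop reaches ar2 only
    ar1.online = True                                    # ar1 still believes s1 is active
    third = nas_send(servers, "access", "s3", "jane")
    after_release = None
    if third is None:
        ar1.release_session("s1")                        # operator clears the stale session
        after_release = nas_send(servers, "access", "s3", "jane")
    return {"duplicate_ip": bob_ip == jane_ip, "third_login": third, "after_release": after_release}
```

Calling failover_scenario(False) reproduces both hazards from the text: the secondary hands bob the address jane still holds on the primary, and once the primary is back jane is rejected by user-session-limit until the stale session is released by hand. With failover_scenario(True) neither happens, because the shared resources live in one place and the Accounting-Stop that reached ar2 released them there; any resource still kept locally at a front line server (the local pool in the model) remains subject to the stale-state problem.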
Script Processing Hierarchy

For request packets, the script processing order is from the most general to the most specific. For response packets, the processing order is from the most specific to the most general.

Table 1-6, Table 1-7, and Table 1-8 show the overall processing order and flow: (1-6) Incoming Scripts, (7-11) Authentication/Authorization Scripts, and (12-17) Outgoing Scripts.

Table 1-6 Prime Access Registrar Processing Hierarchy for Incoming Scripts

1) Radius.
2) Vendor of the immediate client.
3) Immediate client.
4) Vendor of the specific NAS.
5) Specific NAS.
6) Service.

Table 1-7 Prime Access Registrar Processing Hierarchy for Authentication/Authorization Scripts

7) Group Authentication.
8) User Authentication.
9) Group Authorization.
10) User Authorization.
11) Session Management.

Table 1-8 Prime Access Registrar Processing Hierarchy for Outgoing Scripts

12) Service.
13) Specific NAS.
14) Vendor of the specific NAS.
15) Immediate client.
16) Vendor of the immediate client.
17) Radius.

Note The client and the NAS can be the same entity, except when the immediate client is acting as a proxy for the actual NAS.

RADIUS Protocol

Prime Access Registrar is based on a client/server model that supports AAA (authentication, authorization, and accounting). The client is the Network Access Server (NAS) and the server is Prime Access Registrar. The client passes user information on to the RADIUS server and acts on the response it receives. The server is responsible for receiving user access requests, authenticating and authorizing users, and returning all of the configuration information the client then passes on to the user.

The protocol is a simple packet exchange in which the NAS sends a request packet to Prime Access Registrar with a name and a password. Prime Access Registrar looks up the name and password to verify that they are correct, determines which dynamic resources the user is authorized for, then returns an accept packet that contains configuration information for the user session (Figure 1-2).
Figure 1-2 Packet Exchange Between User, NAS, and RADIUS (the figure shows user Jane supplying Name=Jane and Password=xyz to the NAS, the NAS sending a request to the RADIUS server, and the server returning a response)

Prime Access Registrar can also reject the packet if it needs to deny network access to the user. Or, Prime Access Registrar can issue a challenge that the NAS sends to the user, who then creates the proper response and returns it to the NAS, which forwards the challenge response to Prime Access Registrar in a second request packet.

To protect the exchange, the client and server use a shared secret, which is a string they both know but which is never sent over the network. User passwords are not sent in the clear: the NAS hides the User-Password attribute by XORing it with an MD5 stream derived from the shared secret and the Request Authenticator, and the server reverses the operation. This hiding is only as strong as the shared secret, and the other attributes travel unprotected, so RADIUS traffic between the NAS and the server should also be confined to a trusted management network or protected with IPsec.
This section contains the following topics:
Steps to Connection
Types of RADIUS Messages
Proxy Servers
Steps to Connection
Three participants exist in this interaction: the user, the NAS, and the RADIUS server.
Setting Up the Connection
To describe the receipt of an access request through the sending of an access response:
Step 1 The user, at a remote location such as a branch office or at home, dials into the NAS, and supplies a name
and password.
Step 2 The NAS picks up the call and begins negotiating the session.
a. The NAS receives the name and password.
b. The NAS formats this information into an Access-Request packet.
c. The NAS sends the packet on to the Prime Access Registrar server.
Step 3 The Prime Access Registrar server determines what hardware sent the request (NAS) and parses the
packet.
a. It sets up the Request dictionary based on the packet information.
b. It runs any incoming scripts, which are user-written extensions to Prime Access Registrar. An
incoming script can examine and change the attributes of the request packet or the environment
variables, which can affect subsequent processing.
c. Based on the scripts or the defaults, it chooses a service to authenticate and/or authorize the user.
Step 4 Prime Access Registrar's authentication service verifies that the username and password are in its database. Or, Prime Access Registrar delegates the authentication (as a proxy) to another RADIUS server, an LDAP server, or a TACACS server.
Step 5 Prime Access Registrar’s authorization service creates the response with the appropriate attributes for
the user’s session and puts it in the Response dictionary.
Step 6 If you are using Prime Access Registrar session management at your site, the Session Manager calls the
appropriate Resource Managers that allocate dynamic resources for this session.
Step 7 Prime Access Registrar runs any outgoing scripts to change the attributes of the response packet.
Step 8 Prime Access Registrar formats the response based on the Response dictionary and sends it back to the
client (NAS).
Step 9 The NAS receives the response and communicates with the user, which might include sending the user
an IP address to indicate the connection has been successfully established.
Types of RADIUS Messages
The client/server packet exchange consists primarily of the following types of RADIUS messages:
Access-Request—sent by the client (NAS) requesting access
Access-Reject—sent by the RADIUS server rejecting access
Access-Accept—sent by the RADIUS server allowing access
Access-Challenge—sent by the RADIUS server requesting more information in order to allow
access. The NAS, after communicating with the user, responds with another Access-Request.
When you use RADIUS accounting, the client and server can also exchange the following two types of
messages:
Accounting-Request—sent by the client (NAS) requesting accounting
Accounting-Response—sent by the RADIUS server acknowledging accounting
This section contains the following topics:
Packet Contents
The Attribute Dictionary
Packet Contents
The information in each RADIUS message is encapsulated in a UDP (User Datagram Protocol) data
packet. A packet is a block of data in a standard format for transmission. It is accompanied by other
information, such as the origin and destination of the data.
Table 1-9 lists a description of the five fields in each message packet.
The Attribute Dictionary

The Attribute dictionary contains a list of preconfigured authentication, authorization, and accounting attributes that can be part of a client's or user's configuration. The dictionary entries translate an attribute name into the numeric type Prime Access Registrar uses to parse incoming requests and generate responses. Attributes have a human-readable name and a numeric type from 1 to 255.

Sixty-three standard attributes exist, defined in RFC 2138 and RFC 2139 (since superseded by RFC 2865 and RFC 2866). There are also vendor-specific attributes that depend on the particular NAS you are using.

Some sample attributes include:

User-Name—the name of the user
User-Password—the user's password
NAS-IP-Address—the IP address of the NAS
NAS-Port—the NAS port the user is dialed in to
Framed-Protocol—such as SLIP or PPP
Framed-IP-Address—the IP address the client uses for the session
Filter-Id—identifies a set of filters configured in the NAS; the filter names are NAS-specific
Callback-Number—the actual callback number
Table 1-9 RADIUS Packet Fields

Field / Description

Code
    Indicates the message type: Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, or Accounting-Response.
Identifier
    Contains a value that is copied into the server's response so the client can correctly associate its requests and the server's responses when multiple users are being authenticated simultaneously.
Length
    Provides a simple error-checking device. The server silently drops a packet if it is shorter than the value specified in the Length field, and ignores the octets beyond the value of the Length field.
Authenticator
    Contains a value for a Request Authenticator or a Response Authenticator. The Request Authenticator is included in a client's Access-Request. The value is unpredictable and unique; it is concatenated with the client/server shared secret and run through a one-way hash (MD5), and the NAS XORs the result with the user's password to hide it. The Response Authenticator in the server's reply is the MD5 hash of the response fields, the Request Authenticator, and the shared secret, which lets the client check that the reply came from a server holding the secret.
Attribute(s)
    Depends on the type of message being sent. The number of attribute/value pairs included in the packet's attribute field is variable, including those required or optional for the type of service requested.

Proxy Servers

Any one or all of the RADIUS server's three functions (authentication, authorization, or accounting) can be subcontracted to another RADIUS server. Prime Access Registrar then becomes a proxy server. Proxying to other servers enables you to delegate some of the RADIUS server's functions to other servers.
You could use Prime Access Registrar to "proxy" to an LDAP server for access to directory information about users in order to authenticate them. Figure 1-3 shows user joe initiating a request, the Prime Access Registrar server proxying the authentication to the LDAP server, and then performing the authorization and accounting processing in order to enable joe to log in.

Figure 1-3 Proxying to an LDAP Server for Authentication (the figure shows the NAS sending the request for user=joe, password=xyz to Prime Access Registrar, which proxies the authentication to the LDAP server and then performs authorization and accounting before returning the response to the NAS)

Service and Ports Used in Prime Access Registrar

Secure Shell Service

The SSH daemon (sshd) is the server program for ssh(1). It provides encrypted shell sessions between two hosts over the network.

In the case of Prime Access Registrar, SSH is used to connect to the Prime Access Registrar server and configure Prime Access Registrar using the CLI.

Ports

Table 1-10 lists the port numbers that are used for the various AAA services in Prime Access Registrar.
Table 1-10 Ports Used in Prime Access Registrar

Each entry gives: Name; Description; Port Numbers; Service of the Ports; Access from Network Node; Configuration Setting; Protocol Name and Reference.

AR AAA Service (RADIUS authentication and authorization)
    Description: The RADIUS packet listener uses these ports by default.
    Port numbers: Solaris 1645/udp; Linux 1812/udp
    Service: RADIUS AA
    Access from: Network Access Server
    Configuration: You can change the default or define new RADIUS port numbers under /Radius/Advanced/Ports in the CLI and Configuration > Advanced > Ports in the GUI.
    Protocol: RADIUS AA (Authentication and Authorization) service (RFC 2865).

AR AAA Service (RADIUS accounting)
    Description: The RADIUS accounting packet listener uses these ports by default.
    Port numbers: Solaris 1646/udp (radacct); Linux 1813/udp (radacct)
    Service: RADIUS Accounting
    Access from: Network Access Server
    Configuration: You can change the default or define new RADIUS port numbers under /Radius/Advanced/Ports in the CLI and Configuration > Advanced > Ports in the GUI.
    Protocol: RADIUS Accounting service. Refer to RFC 2866 for more information.

AR AAA Service (RADIUS dynamic authorization)
    Port numbers: 3799/udp
    Service: RADIUS Dynamic Authorization (CoA/PoD)
    Access from: Network Access Server
    Configuration: N/A
    Protocol: RADIUS Dynamic Authorization, used with the CoA/PoD packet types (RFC 5176).

AR AAA Service (TACACS+)
    Description: The TACACS+ packet listener uses this port by default.
    Port numbers: 49/tcp
    Service: TACACS+
    Access from: Network Access Server
    Configuration: You can change the default or define new port numbers under /Radius/Advanced/Ports in the CLI and Configuration > Advanced > Ports in the GUI.
    Protocol: TACACS+ based AAA service (Authentication, Authorization, and Accounting). RFC 1492 describes the original TACACS protocol from which TACACS+ is derived.

AR AAA Service (Diameter)
    Description: The Diameter packet listener uses these ports by default.
    Port numbers: 3868/tcp; 3868/sctp
    Service: Diameter
    Access from: Network Access Server
    Configuration: You can enable or disable this service in /Radius/Advanced/Diameter/IsDiameterEnabled.
    Protocol: Diameter AA service (Authentication and Authorization) over TCP or SCTP. Refer to RFC 6733 (Diameter base protocol) and RFC 4005 (Diameter NAS application) for more information.
    Note: If an error occurs while starting the Diameter SCTP interface, add install sctp /bin/true to /etc/modprobe.conf. Then configure port 3868 with Type Diameter-TCP using aregcmd in /Radius/Advanced/Ports.

AR MCD Server
    Description: MCD is used to store the Prime Access Registrar configuration.
    Port numbers: 2786/tcp
    Service: MCD database server
    Access from: The local host only, by the Prime Access Registrar radius and server agent processes.
    Configuration: N/A
    Protocol: Proprietary IPC mechanism.

AR Server Agent
    Description: The AR Server Agent is used to log all the activities of the Prime Access Registrar processes.
    Port numbers: 2785/tcp
    Service: Internal IPC mechanism
    Access from: The local host only, by the Prime Access Registrar radius and server agent processes.
    Configuration: N/A
    Protocol: Proprietary IPC mechanism.

AR GUI Service
    Description: The Prime Access Registrar GUI processes use these ports by default.
    Port numbers and services:
        8080/tcp: AR HTTP service. Accessible from any end user desktop browser using the http protocol (cleartext; prefer the HTTPS service on 8443 for administrative access).
        8443/tcp: AR HTTPS service. Accessible from any end user desktop browser using the https protocol.
        8005/tcp: Used internally by the Apache Tomcat container to shut down the Tomcat JVM service instance. Local host only.
        8009/tcp: Apache Tomcat container AJP 1.3 Connector (Apache JServ protocol). Local host only.
    Configuration: You can change the default port numbers by editing the server.xml file.
    Protocol: Standard HTTP and HTTPS protocols; Apache JServ protocol for the AJP 1.3 Connector.

SNMP Master Agent
    Description: The SNMP packet listener supports these ports by default.
    Port numbers and services:
        161/udp: Simple Network Management Protocol (SNMP MIB server). Accessible from any network management host. Refer to the net-snmp documentation for more information.
        162/udp: SNMP traps (SNMP trap server). Accessible to any SNMP trap client when you want to use snmptrapd, the net-snmp trap daemon, as the SNMP trap server. Refer to Configuring Traps for more information.

CPAR SIGTRAN Stack (radius)
    Description: Listens on these ports for internal configuration from stack manager events.
    Port numbers: 9041/tcp; 9041/udp
    Service: Stack Manager Configuration/Event Listener
    Access from: The local host only, by the Prime Access Registrar radius process.
    Configuration: N/A
    Protocol: CPAR-specific IPC protocol implementation.

CPAR SIGTRAN stack manager (m3ua-stackmgr)
    Description: Configures the stack and receives configuration from m3ua-cliclient.
    Port numbers: 9100/tcp; 9100/udp
    Service: SIGTRAN Stack Manager
    Access from: The local host only, by the Prime Access Registrar radius process and the m3ua-cliclient process.
    Configuration: N/A
    Protocol: CPAR-specific IPC protocol implementation.
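Several rows in Table 1-10 are reached only from the local host (the MCD and server agent IPC ports, the Tomcat shutdown and AJP ports, the SIGTRAN stack listeners), and one (8080) is a cleartext administrative interface. The following added example, not Cisco code, checks a Linux host's listening sockets against those expectations: it parses ss output, flags local-only ports bound to a non-loopback address, flags an exposed cleartext GUI, and reports default network listeners that are absent. SAMPLE_SS is a constructed ss listing, not output from a real server, and the sets of ports are taken from the table; on a live host feed it the output of ss -H -lntu instead.

```python
# Listener audit against the defaults in Table 1-10. Added example, not Cisco
# code. SAMPLE_SS is a constructed `ss -H -lntu` listing, not output from a real host.
import subprocess

SAMPLE_SS = """\
udp   UNCONN 0 0      0.0.0.0:1812     0.0.0.0:*
udp   UNCONN 0 0      0.0.0.0:1813     0.0.0.0:*
udp   UNCONN 0 0      0.0.0.0:3799     0.0.0.0:*
udp   UNCONN 0 0      0.0.0.0:161      0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:49       0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:3868     0.0.0.0:*
tcp   LISTEN 0 128    127.0.0.1:2785   0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:2786     0.0.0.0:*
tcp   LISTEN 0 100    0.0.0.0:8443     0.0.0.0:*
tcp   LISTEN 0 1      [::]:8005        [::]:*
tcp   LISTEN 0 100    127.0.0.1:8009   0.0.0.0:*
"""

# Ports Table 1-10 describes as reachable from the local host only: MCD, server
# agent, Tomcat shutdown and AJP connector, SIGTRAN stack listeners.
LOCAL_ONLY = {2785, 2786, 8005, 8009, 9041, 9100}
# Network-facing listeners a Linux deployment exposes by default.
EXPECTED = {("udp", 1812), ("udp", 1813), ("tcp", 8443)}
# Cleartext administrative access that should not be reachable from the network.
CLEARTEXT = {("tcp", 8080)}
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss(text):
    """Parse `ss -H -lntu` lines: Netid State Recv-Q Send-Q Local:Port Peer:Port.
    A header line (from ss run without -H) is skipped because its port is not numeric."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        host, _, port = parts[4].rpartition(":")
        if port.isdigit():
            listeners.append((parts[0], host, int(port)))
    return listeners


def audit(text):
    """Return local-only ports bound to a non-loopback address, exposed cleartext
    services, and expected listeners that are absent."""
    listeners = parse_ss(text)
    present = {(proto, port) for proto, _, port in listeners}
    return {
        "exposed_local_only": sorted((proto, host, port) for proto, host, port in listeners
                                     if port in LOCAL_ONLY and host not in LOOPBACK),
        "cleartext": sorted(present & CLEARTEXT),
        "missing": sorted(EXPECTED - present),
    }


def audit_live_host():
    """Run the same audit against this machine (requires iproute2's ss)."""
    out = subprocess.run(["ss", "-H", "-lntu"], capture_output=True, text=True, check=True).stdout
    return audit(out)


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SS).items():
        print(key, value)
```

On the constructed sample the audit reports 2786 (MCD) bound to 0.0.0.0 and 8005 (Tomcat shutdown) bound to all IPv6 addresses, which means a remote host could reach the configuration store and stop the GUI container; 2785 and 8009 are correctly on loopback, and no cleartext GUI or missing RADIUS listener is found. Treat EXPECTED as deployment-specific: a Solaris host uses 1645/1646, and a site that has disabled Diameter or TACACS+ should not see 3868 or 49 at all.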
CHAPTER 2

Using the aregcmd Commands
This chapter describes how to use each of the aregcmd commands. The Cisco Prime Access Registrar
aregcmd command is a command-line based configuration tool. It allows you to set any Cisco Prime
Access Registrar (Prime Access Registrar) configurable option, as well as, start and stop the server and
check statistics.
This chapter contains the following sections:
General Command Syntax
aregcmd Commands
aregcmd Command Logging
aregcmd Command Line Editing
aregcmd Error Codes
General Command Syntax
Prime Access Registrar stores its configuration information in a hierarchy. Using the aregcmd command
cd (change directory), you can move through this information in the same manner as you would through
any hierarchical file system. Or you can supply full pathnames to these commands to affect another part
of the hierarchy, and thus avoid explicitly using the cd command to change to that part of the tree.
aregcmd command parsing is case insensitive, which means you can use upper or lowercase letters
to designate elements. In addition, when you reference existing elements in the configuration, you
need only specify enough of the element’s name to distinguish it from the other elements at that
level. For example, instead of entering cd Administrators, you can enter cd ad when no other
element at the current level begins with ad.
aregcmd command parsing is command-line order dependent; that is, the arguments are interpreted
based on their position on the command line. To indicate an empty string as a place holder on the
command line, use either single (') or double quotes (""). In addition, when you use any arguments
that contain spaces, you must quote the arguments. For example, when you use the argument, “Local
Users,” you must enclose the phrase in quotes.
The aregcmd command can contain a maximum of 255 characters when specifying a parameter and 511
characters for the entire command.
The aregcmd command syntax is:
aregcmd [-C <clustername>] [-N <adminname>] [-P <adminpassword>] [-V]
[-f <scriptfile>] [-l <directoryname> ] [-n] [<command> [<args>]] [-p] [-q] [-v]
-C—Specifies the name of the cluster to log into by default
2-2
Cisco Prime Access Registrar 6.1 User Guide
OL-29756-01
Chapter 2 Using the aregcmd Commands
General Command Syntax
-N—Specifies the name of the administrator
-P—Specifies the password
-V—Specifies view-only mode
-f—Specifies a file that can contain a series of commands
-l—Specifies a directory where the Prime Access Registrar license file is stored and returns
information about licensed components
-n—Turns off prefix mode
-p—Specifies prefix mode
-q—Turns off verbose mode
-v—Specifies verbose mode
Note The verbose (-v) and prefix (-p) modes are on by default when you run aregcmd interactively (that
is, when the command is not given on the aregcmd command line and is not run from a script file).
Otherwise, verbose and prefix modes are off.
When you include a command (with the appropriate arguments) on the command line, aregcmd runs
only that one command and saves any changes.
This section contains the following topics:
View-Only Administrator Mode
Configuration Objects
aregcmd Command Performance
View-Only Administrator Mode
Previous releases of Prime Access Registrar provided only super-user administrative access. If you were
able to log into aregcmd, you could do anything to the system, including starting and stopping the
system and changing the configuration. Prime Access Registrar provides view-only administrative
access. View-only access restricts an administrator to only being able to observe the system and prevents
that user from making changes.
View-only access can be encountered in three ways:
Specific administrators can be restricted to view-only access whenever they log in.
Administrators not restricted to view-only access can choose to start aregcmd in a view-only mode.
This might be used when an administrator wants to ensure that he or she does not make any changes.
When an administrator who is not view-only logs in to a slave server, they will be unable to make
changes to any parts of the configuration other than /Radius/Replication,
/Radius/Advanced/Ports, /Radius/Advanced/Interfaces or the properties in /Radius/Advanced.
This is because the rest of the configuration is replicated from the master server and changes directly
to the slave will cause problems.
Note When a user logs in, the system determines whether a user’s session is view-only or not. If the
configuration is changed after a user has logged in, that change does not take effect until the affected
user logs out and logs back in.
ViewOnly Property
The ViewOnly property has been added to the Administrators configuration. The default setting for the
ViewOnly property is FALSE. The following shows the default setting for the admin user:
cd /Administrators/admin
[ //localhost/Administrators/admin ]
Name = admin
Description =
Password = <encrypted>
ViewOnly = FALSE
You can designate specific administrators to be view-only administrators by setting the new ViewOnly
property to TRUE.
If that property is set to TRUE, any time the administrator logs in to aregcmd the session will be in
view-only mode.
If set to FALSE, when the administrator logs in to a master server, the session will be full super-user
capability.
If the administrator logs in to a slave, the only part of the configuration they will be able to modify is
that part under /Radius/Replication, /Radius/Advanced/Ports, /Radius/Advanced/Interfaces or the
properties in /Radius/Advanced.
When in a view-only session, the following commands will cause an error: add, delete, set, unset,
insert, validate, save, start, stop, reload, reset-stats, release-sessions, and trace. The following error
message will be displayed:
316 Command failed: session is ViewOnly
When in a slave server session, the following commands will cause an error when the object or property
being operated on is not under /Radius/Replication, /Radius/Advanced/Ports,
/Radius/Advanced/Interfaces or the properties in /Radius/Advanced: add, delete, set, unset, and
insert. The following error message will be displayed:
317 Command failed: session is ViewOnly
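The following is an added example, not Cisco code and not part of this guide: a small Python linter for an aregcmd script file of the kind passed with -f, meant to be run before the script is executed. It applies the quoting and length limits from General Command Syntax (255 characters per parameter, 511 per command) and the session rules above (the commands rejected with error 316 in a ViewOnly session, and the commands rejected with error 317 on a slave when the target is outside /Radius/Replication, /Radius/Advanced/Ports, /Radius/Advanced/Interfaces or the properties in /Radius/Advanced). It assumes one command per line, tracks cd commands literally (abbreviated names such as cd ad are not expanded, and the ".." convention is honoured), and the sample script together with the property name SomeAdvancedProperty are constructed for illustration.

```python
"""Lint an aregcmd script (the kind run with "aregcmd -f <scriptfile>") before
it is executed, using the limits and session rules stated in this chapter.
Added example for this guide, not Cisco code; the sample script and the
property name SomeAdvancedProperty are constructed for illustration."""
import shlex

MAX_PARAM_LEN = 255      # maximum characters in one parameter
MAX_COMMAND_LEN = 511    # maximum characters in the entire command

# Commands that return "316 Command failed: session is ViewOnly".
VIEW_ONLY_DENIED = {
    "add", "delete", "set", "unset", "insert", "validate", "save",
    "start", "stop", "reload", "reset-stats", "release-sessions", "trace",
}
# Commands that return 317 on a slave unless the target lies in the
# part of the tree that is not replicated from the master.
SLAVE_RESTRICTED = {"add", "delete", "set", "unset", "insert"}
SLAVE_WRITABLE_SUBTREES = (
    "/radius/replication", "/radius/advanced/ports", "/radius/advanced/interfaces",
)


def resolve_path(cwd, path):
    """Resolve an absolute or relative aregcmd path against the current
    context, honouring the ".." convention described for cd."""
    parts = [] if path.startswith("/") else [p for p in cwd.split("/") if p]
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def slave_writable(target):
    """True when a slave session may modify target: anything under the three
    writable subtrees, or a property directly in /Radius/Advanced."""
    t = target.lower()                  # aregcmd names are case insensitive
    if any(t == s or t.startswith(s + "/") for s in SLAVE_WRITABLE_SUBTREES):
        return True
    parent = t.rpartition("/")[0]
    return parent == "/radius/advanced"


def lint_script(text, view_only=False, slave=False):
    """Return a list of (line number, code, message) for every line that
    would be rejected. Codes: QUOTE, LEN-CMD, LEN-PARAM, 316, 317.
    Context tracking follows cd commands literally; abbreviated element
    names (cd ad for cd Administrators) are not expanded."""
    problems = []
    cwd = "/"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if len(line) > MAX_COMMAND_LEN:
            problems.append((lineno, "LEN-CMD",
                             f"command is {len(line)} chars, limit {MAX_COMMAND_LEN}"))
        try:
            argv = shlex.split(line)    # accepts both '...' and "..." quoting
        except ValueError as exc:
            problems.append((lineno, "QUOTE", f"bad quoting: {exc}"))
            continue
        if not argv:
            continue
        cmd = argv[0].lower()           # command parsing is case insensitive
        for arg in argv[1:]:
            if len(arg) > MAX_PARAM_LEN:
                problems.append((lineno, "LEN-PARAM",
                                 f"parameter is {len(arg)} chars, limit {MAX_PARAM_LEN}"))
        if view_only and cmd in VIEW_ONLY_DENIED:
            problems.append((lineno, "316", f"'{cmd}' is rejected in a ViewOnly session"))
        if cmd == "cd":
            cwd = resolve_path(cwd, argv[1]) if len(argv) > 1 else "/"
        elif slave and cmd in SLAVE_RESTRICTED and len(argv) > 1:
            target = resolve_path(cwd, argv[1])
            if not slave_writable(target):
                problems.append((lineno, "317",
                                 f"'{cmd}' on {target} is rejected on a slave server"))
    return problems


# Constructed sample script: creates a view-only administrator, changes a
# (hypothetical) /Radius/Advanced property, then touches a replicated object.
SAMPLE_SCRIPT = """\
cd /Administrators
add auditor "Read-only operator"
set auditor/ViewOnly TRUE
cd /Radius/Advanced
set SomeAdvancedProperty 2000
cd ..
add Services/AuditService
save
"""

if __name__ == "__main__":
    for mode in ({"view_only": True}, {"slave": True}):
        print(mode)
        for lineno, code, msg in lint_script(SAMPLE_SCRIPT, **mode):
            print(f"  line {lineno}: [{code}] {msg}")
```

Running the linter on the sample with view_only=True flags every add, set and save line with code 316; with slave=True it flags only the Administrators and Services changes with 317, while the property set directly in /Radius/Advanced passes. The view-only check is useful as a pre-flight for scripts that an operator intends to run with -V, since a rejected line in the middle of a script leaves the rest of it unapplied.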
Configuration Objects
The Prime Access Registrar aregcmd command lets you manipulate configuration objects, which define
properties or the behavior of the RADIUS server, such as valid administrators and types of services. For
descriptions of those objects, see Chapter 4, “Cisco Prime Access Registrar Server Objects.”
aregcmd Command Performance
You can impact aregcmd command performance and server response time by having
Prime Access Registrar userlists that contain more than 10,000 users. Prime Access Registrar userlists
were not designed to contain 10,000 users in any one list.
If you must provide service for groups greater than 10,000 users, we recommend that you use an external
data store such as an LDAP directory or an Oracle database. If you are unable to use an external data
store, create multiple userlists instead, keeping each userlist under 10,000 users.
Multiple userlists require multiple services (one for each userlist), because a service cannot reference
more than one userlist. The multiple services can then be combined using the Service Grouping feature
with ResultRule, OR, as follows:
[ //localhost/Radius/Services/GroupService ]
Name = GroupService
Description =
Type = group
IncomingScript~ =
OutgoingScript~ =
ResultRule = OR
GroupServices/
1. UserService1
2. UserService2
3. UserService3
RPC Bind Services
The Prime Access Registrar server and the aregcmd CLI require RPC services to be running before the
server is started. If the RPC services are stopped, you must restart RPC services, then restart the
Prime Access Registrar server.
Use the following commands to restart RPC services:
arserver stop
/etc/init.d/rpc start
arserver start
If RPC services are not running when you attempt to start aregcmd, login fails with the message:
400 Login failed
aregcmd Commands
This section contains the complete list of aregcmd commands. You can use them on the command line
or insert them into scripts. The commands are listed alphabetically.
This section contains the following topics:
add
cd
delete
exit
filter
find
help
insert
login
logout
ls
next
prev
pwd
query-sessions
quit
release-sessions
reload
reset-stats
save
set
start
stats
status
stop
tacacs-stats
tacacs-reset-stats
dia-stats
trace
trace-file-count
unset
validate
add
Use the aregcmd command add to create new elements in the configuration. The add command is
context sensitive, which means the type of element added is determined by the current context, or the
path specified as the first parameter. The add command has one required argument; the name of the
element you wish to add. You can also provide other parameters, or you can supply this information after
aregcmd has added the new element. The optional second argument is a description of the element.
The syntax is:
add [<path>/]<name> [...]
cd
Use the aregcmd command cd to change the working context, or level in the configuration hierarchy.
When you use the cd command without any parameters, it returns you to the root of the tree. When you
use the optional path argument, you can specify a new context. To change to a higher level in the tree
hierarchy, use the “..” syntax (as you would in a UNIX file system). When you change to a new context,
aregcmd displays the contents of the new location, when you are using the command in interactive
mode, or if verbose mode is on.
The syntax is:
cd [<path>]
delete
Use the aregcmd command delete to remove an element from the configuration hierarchy. You cannot
remove properties on an element; you can only remove entire elements. The delete command is
recursive; that is, it will remove any subelements contained within an element being removed. When the
element is in the current context, you need only provide the name of the element to be deleted. You can
optionally provide a complete path to an element elsewhere in the configuration hierarchy.
The syntax is:
delete [<path>/]<name>
exit
Use the aregcmd command exit to terminate your aregcmd session. If you have any unsaved
modifications, Prime Access Registrar asks if you want to save them before exiting. Any modifications
you don’t choose to save are lost.
The syntax is:
exit
filter
Use the aregcmd command filter to display a selected view of a list. You can use the filter command to
present only the elements of a list that have properties equal to the value you specify. You can also use
the filter command to restore the view of the list after it has been filtered.
When using the filter command, you must provide a property name and a value, and you can optionally
provide the path to the list. Prime Access Registrar displays a list with only those elements that have a
value equal to the specified value. When you want to filter the current context, you can omit the path
argument.
The filter command is sticky, in that, after you have filtered a list, you must explicitly unfilter it before
you can view the complete list again. To restore the unrestricted view of the list, use the filter command
and specify the string all. To restore the list in current context, you can omit the pathname.
The syntax is:
filter [<path>] <property> <value>
or
filter [<path>] all
find
Use the aregcmd command find to locate a specific item in a list. The find command takes one required
argument, which is a full or partial pathname. After you use the command, Prime Access Registrar
displays a page beginning with the entry that most closely matches the pathname you provided.
The syntax is:
find <path>
help
Use the aregcmd command help (with no argument specified) to display a brief overview of the
command syntax. When you specify the name of a command, Prime Access Registrar displays help for
only that command.
The syntax is:
help [<command>]
insert
Use the aregcmd command insert to add an item anywhere in an ordered list. The required parameters are
the numeric index of the position in the list at which you want to insert the new item, and the item value.
When the list to which you are adding is not the current context, you can specify the complete path to
the position in the list by prepending the path for the list to the numeric index. After the new value has
been inserted into the list, Prime Access Registrar appropriately renumbers the list.
The syntax is:
insert [<path>/]<index> <value>
This command applies to lists of servers by index and the Resource Managers list in Session Managers.
login
Use the aregcmd command login to connect to a cluster, which contains the RADIUS server and
definition of the authorized administrators. When you do not specify the cluster, admin name, and
password, aregcmd prompts you for them.
When you are currently logged in to a cluster, the login command allows you to connect to another
cluster. When you have changes in the current cluster that you have not saved, aregcmd asks if you want
to save them before logging into another cluster. Any changes you do not save are lost.
After you successfully log in, and if the server is running, Prime Access Registrar displays the cluster
server’s health. Note, to log into a cluster, the Prime Access Registrar Server Agent for that cluster must
be running.
The syntax is:
login [<cluster> [<name> [<password>]]]
logout
Use the aregcmd command logout to log out of the current cluster. After you log out, you have to log
in to make any modifications to the configuration hierarchy, or to manage the server(s). When you have
any unsaved modifications, Prime Access Registrar asks if you want to save them before logging out.
Any modifications you do not choose to save are lost.
The syntax is:
logout
ls
Use the aregcmd command ls to list the contents of a level in the configuration hierarchy. This command
works much like the UNIX ls command. When you use it without any parameters, it lists the items in the
current context. When you specify a path, it lists the elements found in that context. When you use the
-R argument, it recursively lists all of the elements in and below the specified (or current) context.
For similar commands, refer to the next and prev commands.
The syntax is:
ls [-R] [<path>]
next
Use the aregcmd next command to review the remaining pages produced from the ls command. Every
time you use the cd command, it automatically invokes the ls command to display the contents of the
location. When the output from the ls command is more than one page (a page is about 24 lines) in
length, Prime Access Registrar displays only the first page.
Note The ls command retrieves only user-added objects such as Users, UserLists, and attributes.
The next command takes an optional path and count. The path specifies the context in which you wish
to see the next page and the count specifies the number of lines you wish to see. When you use the next
command without the path, Prime Access Registrar uses the current context. When you do not specify a
count, Prime Access Registrar uses the last count value you used with the next or prev command. If you
never specify a count, Prime Access Registrar uses the default value, which is 20.
Note, the current page for a context is sticky. This means, for example, when you use the next command
to view entries 20 through 30, until you use the next or prev command on the same context, you will
continue to see these entries even if you use the cd command to change to a different context, then return
to the original.
The syntax is:
next [<path>] [<count>]
prev
Use the aregcmd command prev to page backwards through the output of the ls command. It behaves
much like the next command, in that it takes an optional path identifying a context to display and a count
parameter indicating how many lines to display.
The syntax is:
prev [<path>] [<count>]
pwd
Use the aregcmd command pwd to display the absolute pathname of the current context (level in the
configuration hierarchy).
The syntax is:
pwd
query-sessions
Use the aregcmd command query-sessions to query the server about the currently active user sessions.
You can request information about all of the active sessions or just those sessions that match the type
you specify.
The syntax is:
query-sessions <path> [all]
or
query-sessions <path> with-<type> <value> [send-CoA [with-profile <profile name>] ]
or
query-sessions <path> with-Attribute <name> <value> [send-CoA [with-profile <profile
name>] ]
Where <path> is the path to the server, Session Manager, or Resource Manager to query and
with-<type> is one of the following: with-NAS, with-User, with-IP-Address, with-IPX-Network,
with-USR-VPN, with-Key, with-ID or with-Age. The optional [with-profile <profile name>]
parameter indicates a profile name as configured in /Radius/Profiles.
The query-sessions command with an optional [send-CoA] at the end causes the
Prime Access Registrar server to send a Change of Authorization (CoA) request to the client. The CoA
request includes the CoA attributes configured for the client. When the optional profile name is also
included in the command, the Prime Access Registrar server includes the attribute-value (AV) pairs from
the corresponding profile in /Radius/Profiles in the CoA request.
quit
Use the aregcmd command quit