Cisco Prime Access Registrar 6.1 User Guide 4.2

User Manual: Cisco Access Registrar 4.2

Open the PDF directly: View PDF .
Page Count: 922 [warning: Documents this large are best viewed by clicking the View PDF Link!]

Cisco Prime Access Registrar 6.1 User Guide

Cisco Systems, Inc.

www.cisco.com

Cisco has more than 200 offices worldwide.

Addresses, phone numbers, and fax numbers

are listed on the Cisco website at

www.cisco.com/go/offices.

Cisco Prime Access Registrar 6.1

User Guide

December 13, 2013

Text Part Number: OL-29756-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL

STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT

WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT

SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE

OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH

ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF

DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,

WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO

OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this

URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership

relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the

document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco Prime Access Registrar 6.1 User Guide

iii

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

CONTENTS

Preface xxxiii

Document Organization xxxiii

Related Documentation

For a complete list of Prime Access Registrar 6.1 documentation, see the Cisco Prime Access Registrar

6.1 Documentation Overview.

Note We sometimes update the documentation after original publication. Therefore, you should also review

the documentation on Cisco.com for any updates.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a

service request, and gathering additional information, see What’s New in Cisco Product Documentation

at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.

Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised

Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a

reader application. The RSS feeds are a free service.

Notices

The following notices pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit

(http://www.openssl.org/).

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This product includes software written by Tim Hudson (tjh@cryptsoft.com).

License Issues

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the

original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses

are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact

openssl-core@openssl.org.

OpenSSL License:

Redistribution and use in source and binary forms, with or without modification, are permitted provided

that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the

following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and

the following disclaimer in the documentation and/or other materials provided with the distribution.

xxxvi

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Obtaining Documentation and Submitting a Service Request

3. All advertising materials mentioning features or use of this software must display the following

acknowledgment: “This product includes software developed by the OpenSSL Project for use in the

OpenSSL Toolkit (http://www.openssl.org/)”.

4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote

products derived from this software without prior written permission. For written permission, please

contact openssl-core@openssl.org.

5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in

their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit

(http://www.openssl.org/)”.

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS”' AND ANY EXPRESSED OR

IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN

NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY

DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER

CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH

DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product

includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License:

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are

adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA,

lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is

covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

If this package is used in a product, Eric Young should be given attribution as the author of the parts of

the library used. This can be in the form of a textual message at program startup or in documentation

(online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided

that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the

following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and

the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following

acknowledgement:

“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.

xxxvii

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Obtaining Documentation and Submitting a Service Request

The word ‘cryptographic’ can be left out if the routines from the library being used are not

cryptography-related.

4. If you include any Windows specific code (or a derivative thereof) from the apps directory

(application code) you must include an acknowledgement: “This product includes software written

by Tim Hudson (tjh@cryptsoft.com)”.

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED

WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF

MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO

EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,

INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publicly available version or derivative of this code cannot be

changed. i.e. this code cannot simply be copied and put under another distribution license [including the

GNU Public License].

xxxviii

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Obtaining Documentation and Submitting a Service Request

CHAPTER

1-1

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Overview

The chapter provides an overview of the RADIUS server, including connection steps, RADIUS message

types, and using Cisco Prime Access Registrar (Prime Access Registrar) as a proxy server.

Prime Access Registrar is a 3GPP-compliant RADIUS (Remote Authentication Dial-In User

Service)/Diameter server that enables multiple dial-in Network Access Server (NAS) devices to share a

common authentication, authorization, and accounting database.

Prime Access Registrar handles the following tasks:

•Authentication—determines the identity of users and whether they can be allowed to access the

network

•Authorization—determines the level of network services available to authenticated users after they

are connected

•Accounting—keeps track of each user’s network activity

•Session and resource management—tracks user sessions and allocates dynamic resources

Using a RADIUS server allows you to better manage the access to your network, as it allows you to store

all security information in a single, centralized database instead of distributing the information around

the network in many different devices. You can make changes to that single database instead of making

changes to every network access server in your network.

Prime Access Registrar also allows you to manage the complex interconnections of the new network

elements in order to:

•adequately manage the traffic

•perform appropriate load balancing for desired load distribution

•allow binding of different protocol interfaces corresponding to a subscriber/network element

Service providers transform their 3G and 4G wireless networks with complex services, tiered charging,

converged billing, and more by introducing increasing numbers and types of Diameter-based network

elements. LTE and IMS networks are the most likely to implement these new network

elements—including Policy and Charging Rules Functions (PCRF), Home Subscriber Servers (HSS),

Mobility Management Entities (MME), Online Charging Systems (OCS), and others. As a result, as the

traffic levels grow, these wireless networks are becoming more difficult to manage and scale without the

Prime Access Registrar infrastructure.

Note Solaris support is available for Prime Access Registrar Version 6.0. Solaris support for Version 6.1 will

be provided in a future maintenance release.

1-2

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Prime Access Registrar Hierarchy

This chapter contains the following sections:

•Prime Access Registrar Hierarchy

•Prime Access Registrar Directory Structure

•Program Flow

•RADIUS Protocol

•Service and Ports Used in Prime Access Registrar

Prime Access Registrar Hierarchy

Prime Access Registrar’s operation and configuration is based on a set of objects. These objects are

arranged in a hierarchical structure much like the Windows 95 Registry or the UNIX directory structure.

Prime Access Registrar’s objects can themselves contain subobjects, just as directories can contain

subdirectories. These objects include the following:

•Radius— the root of the configuration hierarchy

•UserLists—contains individual UserLists which in turn contain users

•UserGroups—contains individual UserGroups

•Users—contains individual authentication or authorization details of a user

•Clients—contains individual Clients

•Vendors—contains individual Vendors

•Scripts—contains individual Scripts

•Policies—contains a set of rules applied to an Access-Request

•Services—contains individual Services

•CommandSets—contains commands and the action to perform during Terminal Access Controller

Access-Control System Plus (TACACS+) command authorization

•DeviceAccessRules—contains conditions or expressions and the applicable command sets for

TACACS+ command authorization

•FastRules—provides a mechanism to easily choose the right authentication, authorization,

accounting, and query service(s), drop, reject, or break flows, choose session manager or other rules

required for processing a packet

•SessionManagers—contains individual Session Managers

•ResourceManagers—contains individual Resource Managers

•Profiles—contains individual Profiles

•RemoteServers—contains individual RemoteServers

•Advanced—contains Ports, Interfaces, Reply Messages, and the Attribute dictionary

This section contains the following topics:

•UserLists and Groups

•Profiles

•Scripts

•Services

•Session Management Using Resource Managers

1-3

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Prime Access Registrar Hierarchy

UserLists and Groups

Prime Access Registrar lets you organize your user community through the configuration objects

UserLists, users, and UserGroups.

•Use UserLists to group users by organization, such as Company A and Company B. Each list

contains the actual names of the users.

•Use Users to store information about particular users, such as name, password, group membership,

base profile, and so on.

•Use UserGroups to group users by function, such as PPP, Telnet, or multiprotocol users. Groups

allow you to maintain common authentication and authorization requirements in one place, and have

them referenced by many users.

For more information about UserLists and UserGroups, see UserLists and Groups in Chapter 4, “Cisco

Prime Access Registrar Server Objects.”

Profiles

Prime Access Registrar uses Profiles that allow you to group RADIUS attributes to be included in an

Access-Accept packet. These attributes include values that are appropriate for a particular user class,

such as PPP or Telnet user. The user’s base profile defines the user’s attributes, which are then added to

the response as part of the authorization process.

Although you can use Group or Profile objects in a similar manner, choosing whether to use one rather

than the other depends on your site. If you require some choice in determining how to authorize or

authenticate a user session, then creating specific profiles, and specifying a group that uses a script to

choose among the profiles is more flexible. In such a situation, you might create a default group and then

write a script that selects the appropriate profile based on the specific request. The benefit to this

technique is each user can have a single entry, and use the appropriate profile depending on the way they

For more information about Profiles, see Profiles in Chapter 4, “Cisco Prime Access Registrar Server

Objects.”

Scripts

Prime Access Registrar allows you to create scripts you can execute at various points within the

processing hierarchy.

•Incoming scripts—enable you to read and set the attributes of the request packet, and set or change

the Environment dictionary variables. You can use the environment variables to control subsequent

processing, such as specifying the use of a particular authentication service.

•Outgoing scripts—enable you to modify attributes returned in the response packet.

For more information about Scripts, see Scripts in the Chapter 4, “Cisco Prime Access Registrar Server

Objects.”

Services

Prime Access Registrar uses Services to let you determine how authentication, authorization, and/or

accounting are performed.

1-4

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Prime Access Registrar Hierarchy

For example, to use Services for authentication:

•When you want the authentication to be performed by the Prime Access Registrar RADIUS server,

you can specify the local service. In this, case you must specify a specific UserList.

•When you want the authentication performed by another server, which might run an independent

application on the same or different host than your RADIUS server, you can specify either a radius,

ldap, or tacacs-udp service. In this case, you must list these servers by name.

When you have specified more than one authentication service, Prime Access Registrar determines

which one to use for a particular Access-Request by checking the following:

•When an incoming script has set the Environment dictionary variable Authentication-Service with

the name of a Service, Prime Access Registrar uses that service.

•Otherwise, Prime Access Registrar uses the default authentication service. The default

authentication service is a property of the Radius object.

Prime Access Registrar chooses the authentication service based on the variable

Authentication-Service, or the default. The properties of that Service, specify many of the details of

that authentication service, such as, the specific user list to use or the specific application (possibly

remote) to use in the authentication process.

For more information about Services, see Services in the Chapter 4, “Cisco Prime Access Registrar

Server Objects.”

Session Management Using Resource Managers

Prime Access Registrar lets you track user sessions, and/or allocate dynamic resources to users for the

lifetime of their session. You can define one or more Session Managers, and have each one manage the

sessions for a particular group or company.

Session Managers use Resource Managers, which in turn manage resources of a particular type as

described below.

•IP-Dynamic—manages a pool of IP addresses and allows you to dynamically allocate IP addresses

from that pool

•IP-Per-NAS-Port—allows you to associate ports to specific IP addresses, and thus ensure each NAS

port always gets the same IP address

•IPX-Dynamic—manages a pool of IPX network addresses

•Subnet-Dynamic—manages a pool of subnet addresses

•Group-Session-Limit—manages concurrent sessions for a group of users; that is, it keeps track of

how many sessions are active and denies new sessions after the configured limit has been reached

•User-Session-Limit—manages per-user concurrent sessions; that is, it keeps track of how many

sessions each user has and denies the user a new session after the configured limit has been reached

•Home-Agent—manages a pool of on-demand IP addresses

•USR-VPN—manages Virtual Private Networks (VPNs) that use USR NAS Clients

•Home-Agent-IPv6—manages a pool of on-demand IPv6 addresses

•Remote-IP-Dynamic—manages a pool of IP addresses that allows you to dynamically allocate IP

addresses from a pool of addresses. It internally works with a remote ODBC database.

•Remote-User-Session-Limit—manages per-user concurrent sessions; that is, it keeps track of how

many sessions each user has and denies the user a new session after the configured limit has been

reached. It internally works with a remote ODBC database.

1-5

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Prime Access Registrar Directory Structure

•Remote-Group-Session-Limit—manages concurrent sessions for a group of users; that is, it keeps

track of how many sessions are active and denies new sessions after the configured limit has been

reached. It internally works with a remote ODBC database.

•Session Cache—allows you to define the RADIUS attributes to store in cache.

•Dynamic-DNS—manages the DNS server.

•Remote-Session-Cache—allows you to define the RADIUS attributes to store in cache. It should be

used with session manager of type 'remote'.

•3GPP—allows you to define the attribute for 3GPP authorization.

For more information about Session Managers, see Session Managers in Chapter 4, “Cisco Prime Access

Registrar Server Objects.”

If necessary, you can create a complex relationship between the Session Managers and the Resource

Managers.

When you need to share a resource among Session Managers, you can create multiple Session Managers

that refer to the same Resource Manager. For example, if one pool of IP addresses is shared by two

departments, but each department has a separate policy about how many users can be logged in

concurrently, you might create two Session Managers and three Resource Managers. One dynamic IP

Resource Manager that is referenced by both Session Managers, and two concurrent session Resource

Managers, one for each Session Manager.

In addition, Prime Access Registrar lets you pose queries about sessions. For example, you can query

Prime Access Registrar about which session (and thus which NAS-Identifier, NAS-Port and/or

User-Name) owns a particular resource, as well as query Prime Access Registrar about how many

resources are allocated or how many sessions are active.

Prime Access Registrar Directory Structure

The installation process populates the /opt/CSCOar directory with the subdirectories listed in Table 1-1.

Table 1-1 /opt/CSCOar Subdirectories

Subdirectory Description

.system Contains ELFs, or binary SPARC executables that should not be run directly.

bin Contains shell scripts and programs frequently used by a network

administrator; programs that can be run directly.

conf Contains configuration files.

data Contains the radius directory, which contains session backing files; and the

db directory, which contains configuration database files.

examples Contains documentation, sample configuration scripts, and shared library

scripts.

lib Contains Prime Access Registrar software library files.

logs Contains system logs and is the default directory for RADIUS accounting.

odbc Contains Prime Access Registrar ODBC files.

scripts Contains sample scripts that you can modify to automate configuration, and

to customize your RADIUS server.

temp Used for temporary storage.

1-6

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Program Flow

When a NAS sends a request packet to Prime Access Registrar with a name and password,

Prime Access Registrar performs the following actions. Table 1-2 describes the flow without regard to

scripting points.

Prime Access Registrar supports Diameter with Extensible Authentication Protocol (EAP) functionality

to enable authentication between NAS and a backend NAS Diameter authentication server. For more

information, see Diameter with EAP Support, page 8-2.

Prime Access Registrar also support 3GPP compliance by implementing a set of protocols. To

understand more about the 3GPP AAA server support and the call flow, see 3GPP Compliance,

page 20-7.

Scripting Points

Prime Access Registrar lets you invoke scripts you can use to affect the Request, Response, or

Environment dictionaries. This section contains the following topics:

ucd-snmp Contains the UCD-SNMP software Prime Access Registrar uses.

usrbin Contains a symbolic link that points to bin.

Table 1-1 /opt/CSCOar Subdirectories (continued)

Subdirectory Description

Table 1-2 From Access-Request to Access-Accept

Prime Access Registrar Server

Action Explanation

Receives an Access-Request The Prime Access Registrar server receives an Access-Request

packet from a NAS.

Determines whether to accept

the request

The Prime Access Registrar server checks to see if the client’s IP

address is listed in /Radius/Clients/<Name>/<IPAddress>.

Invokes the policy SelectPolicy

if it exists

The Prime Access Registrar Policy Engine provides an interface to

define and configure a policy and to apply the policy to the

corresponding access-request packets.

Performs authentication and/or

authorization

Directs the request to the appropriate service, which then performs

authentication and/or authorization according to the type specified

in /Radius/Services/<Name>/<Type>.

Performs session management Directs the request to the appropriate Session Manager.

Performs resource management

for each Resource Manager in

the SessionManager

Directs the request to the appropriate resource manager listed in

/Radius/SessionManagers/<Name>/<ResourceManagers>/<Na

me>, which then allocates or checks the resource according to the

type listed in /Radius/<ResourceManagers>/<Name>/<Type>.

Sends an Access-Accept Creates and formats the response, and sends it back to the client

(NAS).

1-7

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Program Flow

•Client Scripting

•Client or NAS Scripting Points

•Authentication and/or Authorization Scripting Points

Client Scripting

Though Prime Access Registrar allows external code (Tcl/C/C++/Java) to be used by means of a script,

custom service, policy engine, and so forth, while processing request, response, or while working with

the environment dictionaries, it shall not be responsible for the scripts used and will not be liable for any

direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to,

procurement of substitute goods or services; loss of use, data, or profits; or business interruption)

however caused and on any theory of liability, whether in contract, strict liability, or tort (including

negligence or otherwise) arising in any way out of the use of the script.

Prime Access Registrar also allows you to define internal scripts, by which you can add, modify, or

delete attributes in the request, response, and environment dictionaries for RADIUS, Diameter, and

TACACS+.

Client or NAS Scripting Points

Table 1-3 shows the location of the scripting points within the section that determines whether to accept

the request from the client or NAS. Note, the scripting points are indicated with the asterisk (*) symbol.

Table 1-3 Client or NAS Scripting Points

Action Explanation

Receives an Access-Request. The Prime Access Registrar RADIUS server receives an

Access-Request packet from a NAS.

Determines whether to accept the

request.

The client’s IP address listed in

/Radius/Clients/<Name>/IPAddress.

*Executes the server’s incoming

script.

A script referred to in /Radius/IncomingScript.

*Executes the vendor’s incoming

script.

The vendor listed in /Radius/Clients/Name/Vendor, and is a script

referred to in /Radius/Vendors/<Name>/IncomingScript.

*Executes the client’s incoming

script.

A script referred to in

/Radius/Clients/<Name>/IncomingScript.

Determines whether to accept requests from this specific NAS.

/Radius/Advanced/RequireNASsBehindProxyBeInClientList

set to TRUE.

The NAS’s Identifier listed in /Radius/Clients/<Name>, or its

NAS-IP-Address listed in /Radius/Clients/<Name>/IPAddress.

If the client’s IP address listed in /Radius/Clients/<Name>/IPAddress is different:

*Executes the vendor’s incoming

script.

The vendor listed in /Radius/Clients/Name/Vendor, and is a

script referred to in /Radius/Vendors/<Name>/IncomingScript.

*Executes the client’s incoming

script.

The client listed in the previous /Radius/Clients/Name, and is a

script referred to in /Radius/Clients/Name/IncomingScript.

1-8

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Program Flow

Authentication and/or Authorization Scripting Points

Table 1-4 shows the location of the scripting points within the section that determines whether to

perform authentication and/or authorization.

Session Management

The Session Management feature requires the client (NAS or proxy) to send all RADIUS accounting

requests to the Prime Access Registrar server performing session management. (The only exception is if

the clients are USR/3Com Network Access Servers configured to use the USR/3Com RADIUS resource

management feature.) This information is used to keep track of user sessions, and the resources allocated

to those sessions.

When another accounting RADIUS server needs this accounting information, the

Prime Access Registrar server performing session management might proxy it to this second server.

The count-sessions /radius all command helps to count the total sessions in Prime Access Registrar.

The options are similar to the query-session command options. The query-session command displays

cached attributes in addition to session details.

Table 1-5 describes how Prime Access Registrar handles session management.

Table 1-4 Authentication and Authorization Scripting Points

Action Explanation

Determines Service to use for

authentication and/or

authorization.

The Service name defined in the Environment dictionary variable

Authentication-Service, and is the same as the Service defined

in the Environment dictionary variable Authorization-Service.

The Service name referred to by

/Radius/DefaultAuthenticationService, and is the same as the

Service defined in /Radius/DefaultAuthorizationService.

Performs authentication and/or

authorization.

If the Services are the same, perform authentication and

authorization.

If the Services are different, just perform authentication.

*Executes the Service’s incoming

script.

A script referred to in

/Radius/Services/<Name>/IncomingScript.

Performs authentication and/or

authorization.

Based on the Service type defined in

/Radius/Services/<Name>/<Type>.

*Executes the Service’s outgoing

script.

A script referred to in

/Radius/Services/<Name>/OutgoingScript.

Determines whether to perform

authorization.

The Service name defined in

/Radius/DefaultAuthorizationService, if different than the

Authentication Service.

*Executes the Service’s incoming

script.

A script referred to in

/Radius/Services/<Name>/IncomingScript.

Performs authorization. Checks that the Service type is defined in

/Radius/Services/<Name>/<Type>.

*Executes the Service’s outgoing

script.

A script referred to in

/Radius/Services/<Name>/OutgoingScript.

1-9

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Program Flow

This section contains the following topics:

•Failover by the NAS and Session Management

•Cross Server Session and Resource Management

Failover by the NAS and Session Management

When a Network Access Server’s primary RADIUS server is performing session management, and the

NAS determines the server is not responding and begins sending requests to its secondary RADIUS

server, the following occurs:

•The secondary server will not know about the current active sessions that are maintained on the

primary server. Any resources managed by the secondary server must be distinct from those

managed by the primary server, otherwise it will be possible to have two sessions with the same

resources (for example, two sessions with the same IP address).

•The primary server will miss important information that allows it to maintain a correct model of

what sessions are currently active (because the authentication and accounting requests are being sent

to the secondary server). This means when the primary server comes back online and the NAS begins

using it, its knowledge of what sessions are active will be out-of-date and the resources for those

sessions are allocated even if they are free to allocate to someone else.

For example, the user-session-limit resource might reject new sessions because the primary server

does not know some of the users using the resource logged out while the primary server was offline.

It might be necessary to release sessions manually using the aregcmd command release-session.

Note It might be possible to avoid this situation by having a disk drive shared between two

systems with the second RADIUS server started up once the primary server has been

determined to be offline. For more information on this setup, contact Technical Support.

Cross Server Session and Resource Management

Prime Access Registrar can manage sessions and resources across AAA Server boundaries. A session

can be created by an Access-Request sent to Prime AR1, and it can be removed by an Accounting-Stop

request sent to Prime AR2, as shown in Figure 1-1. This enables accurate tracking of User and Group

session limits across multiple AAA Servers, and IP addresses allocated to sessions are managed in one

place.

Table 1-5 Session Management Processing

Action Explanation

Determines whether to perform

session management.

The session management defined in the Environment dictionary

variable Session-Manager.

The session management name referred to in

/Radius/DefaultSessionManager.

Performs session management. Selects Session Manager as defined in

/Radius/SessionManagers/<Name>.

1-10

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Program Flow

Figure 1-1 Multiple Prime Access Registrar Servers

All resources that must be shared cross multiple front line Prime Access Registrars are configured in the

Central Resource Prime Access Registrar. Resources that are not shared can still be configured at each

front line Prime Access Registrar.

When the front line Prime Access Registrar receives the access-request, it does the regular AA

processing. If the packet is not rejected and a Central Resource Prime Access Registrar is also

configured, the front line Prime Access Registrar will proxy the packet1 to the configured Central

Resource Prime Access Registrar. If the Central Resource Prime Access Registrar returns the requested

resources, the process continues to the local session management (if local session manager is configured)

for allocating any local resources. If the Central Resource Prime Access Registrar cannot allocate the

requested resource, the packet is rejected.

When the Accounting-Stop packet arrives at the frontline Prime Access Registrar,

Prime Access Registrar does the regular accounting processing. Then, if the front line

Prime Access Registrar is configured to use Central Resource Prime Access Registrar, a proxy packet

will be sent to Central Resource Prime Access Registrar for it to release all the allocated resources for

this session. After that, any locally allocated resources are released by the local session manager.

Session-Service Service Step and Radius-Session Service

A new Service step has been added in the processing of Access-Request and Accounting packets. This

is an additional step after the AA processing for Access packet or Accounting processing for Accounting

packet, but before the local session management processing. The Session-Service should have a service

type of radius-session.

An environment variable Session-Service is introduced to determine the Session-Service dynamically.

You can use a script or the rule engine to set the Session-Service environment variable.

Configure Front Line Cisco Prime Access Registrar

To use a Central Resource server, the DefaultSessionService property must be set or the Session-Service

environment variable must be set through a script or the rule engine. The value in the Session-Service

variable overrides the DefaultSessionService.

The configuration parameters for a Session-Service service type are the same as those for configuring a

radius service type for proxy, except the service type is radius-session.

The configuration for a Session-Service Remote Server is the same as configuring a proxy server.

[ //localhost/Radius ]

Name = Radius

Description =

Version = 6.1

IncomingScript =

OutgoingScript =

DefaultAuthenticationService = local-users

1. The proxy packet is actually a resource allocation request, not an Access Request.

Cisco Prime AR1

Cisco Prime AR2

Cisco Prime AR3

Central Resource

Cisco Prime AR

320370

1-11

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Program Flow

DefaultAuthorizationService = local-users

DefaultAccountingService = local-file

DefaultSessionService = Remote-Session-Service

DefaultSessionManager = session-mgr-1

[ //localhost/Radius/Services ]

Remote-Session-Service/

Name = Remote-Session-Service

Description =

Type = radius-session

IncomingScript =

OutgoingScript =

OutagePolicy = RejectAll

OutageScript =

MultipleServersPolicy = Failover

RemoteServers/

1. central-server

[ //localhost/Radius/RemoteServers ]

central-server/

Name = central-server

Description =

Protocol = RADIUS

IPAddress = 209.165.200.224

Port = 1645

ReactivateTimerInterval = 300000

SharedSecret = secret

Vendor =

IncomingScript =

OutgoingScript =

MaxTries = 3

InitialTimeout = 2000

AccountingPort = 1646

Configure Central Prime Access Registrar

Resources at the Central Resource server are configured the same way as local resources are configured.

These resources are local resources from the Central Resource server’s point of view.

Script Processing Hierarchy

For request packets, the script processing order is from the most general to the most specific. For

response packets, the processing order is from the most specific to the most general.

Table 1-6, Table 1-7, and Table 1-8 show the overall processing order and flow:

(1-6) Incoming Scripts, (7-11) Authentication/Authorization Scripts, and (12-17) Outgoing Scripts.

Note The client and the NAS can be the same entity, except when the immediate client is acting

as a proxy for the actual NAS.

1-12

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

RADIUS Protocol

Prime Access Registrar is based on a client/server model, which supports AAA (authentication,

authorization, and accounting). The client is the Network Access Server (NAS) and the server is

Prime Access Registrar. The client passes user information on to the RADIUS server and acts on the

response it receives. The server, on the other hand, is responsible for receiving user access requests,

authenticating and authorizing users, and returning all of the necessary configuration information the

client can then pass on to the user.

The protocol is a simple packet exchange in which the NAS sends a request packet to the

Prime Access Registrar with a name and a password. Prime Access Registrar looks up the name and

password to verify it is correct, determines for which dynamic resources the user is authorized, then

returns an accept packet that contains configuration information for the user session (Figure 1-2).

Table 1-6 Prime Access Registrar Processing Hierarchy for Incoming Scripts

Overall Flow Sequence Incoming Scripts

1) Radius.

2) Vendor of the immediate client.

3) Immediate client.

4) Vendor of the specific NAS.

5) Specific NAS.

6) Service.

Table 1-7 Prime Access Registrar Processing Hierarchy for Authentication/Authorization

Scripts

Overall Flow Sequence Authentication/Authorization Scripts

7) Group Authentication.

8) User Authentication.

9) Group Authorization.

10) User Authorization.

11) Session Management.

Table 1-8 Prime Access Registrar Processing Hierarchy for Outgoing Script

Overall Flow Sequence Outgoing Scripts

12) Service.

13) Specific NAS.

14) Vendor of the specific NAS.

15) Immediate client.

16) Vendor of the immediate client.

17) Radius.

1-13

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

RADIUS Protocol

Figure 1-2 Packet Exchange Between User, NAS, and RADIUS

Prime Access Registrar can also reject the packet if it needs to deny network access to the user. Or,

Prime Access Registrar can issue a challenge that the NAS sends to the user, who then creates the proper

response and returns it to the NAS, which forwards the challenge response to Prime Access Registrar in

a second request packet.

In order to ensure network security, the client and server use a shared secret, which is a string they both

know, but which is never sent over the network. User passwords are also encrypted between the client

and the server to protect the network from unauthorized access.

This section contains the following topics:

•Steps to Connection

•Types of RADIUS Messages

•Proxy Servers

Steps to Connection

Three participants exist in this interaction: the user, the NAS, and the RADIUS server.

Setting Up the Connection

To describe the receipt of an access request through the sending of an access response:

Step 1 The user, at a remote location such as a branch office or at home, dials into the NAS, and supplies a name

and password.

Step 2 The NAS picks up the call and begins negotiating the session.

a. The NAS receives the name and password.

b. The NAS formats this information into an Access-Request packet.

c. The NAS sends the packet on to the Prime Access Registrar server.

Step 3 The Prime Access Registrar server determines what hardware sent the request (NAS) and parses the

packet.

a. It sets up the Request dictionary based on the packet information.

b. It runs any incoming scripts, which are user-written extensions to Prime Access Registrar. An

incoming script can examine and change the attributes of the request packet or the environment

variables, which can affect subsequent processing.

Radius

22036

Jane

xyz

request

response

Name=Jane

Password=xyz

1-14

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

RADIUS Protocol

c. Based on the scripts or the defaults, it chooses a service to authenticate and/or authorize the user.

Step 4 Prime Access Registrar’s authentication service verifies the username and password is in its database.

Or, Prime Access Registrar delegates the authentication (as a proxy) to another RADIUS server, an

LDAP, or TACACS server.

Step 5 Prime Access Registrar’s authorization service creates the response with the appropriate attributes for

the user’s session and puts it in the Response dictionary.

Step 6 If you are using Prime Access Registrar session management at your site, the Session Manager calls the

appropriate Resource Managers that allocate dynamic resources for this session.

Step 7 Prime Access Registrar runs any outgoing scripts to change the attributes of the response packet.

Step 8 Prime Access Registrar formats the response based on the Response dictionary and sends it back to the

client (NAS).

Step 9 The NAS receives the response and communicates with the user, which might include sending the user

an IP address to indicate the connection has been successfully established.

Types of RADIUS Messages

The client/server packet exchange consists primarily of the following types of RADIUS messages:

•Access-Request—sent by the client (NAS) requesting access

•Access-Reject—sent by the RADIUS server rejecting access

•Access-Accept—sent by the RADIUS server allowing access

•Access-Challenge—sent by the RADIUS server requesting more information in order to allow

access. The NAS, after communicating with the user, responds with another Access-Request.

When you use RADIUS accounting, the client and server can also exchange the following two types of

messages:

•Accounting-Request—sent by the client (NAS) requesting accounting

•Accounting-Response—sent by the RADIUS server acknowledging accounting

This section contains the following topics:

•Packet Contents

•The Attribute Dictionary

Packet Contents

The information in each RADIUS message is encapsulated in a UDP (User Datagram Protocol) data

packet. A packet is a block of data in a standard format for transmission. It is accompanied by other

information, such as the origin and destination of the data.

Table 1-9 lists a description of the five fields in each message packet.

1-15

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

RADIUS Protocol

The Attribute Dictionary

The Attribute dictionary contains a list of preconfigured authentication, authorization, and accounting

attributes that can be part of a client’s or user’s configuration. The dictionary entries translate an attribute

into a value Prime Access Registrar uses to parse incoming requests and generate responses. Attributes

have a human-readable name and an enumerated equivalent from 1-255.

Sixty three standard attributes exist, which are defined in RFC 2138 and 2139. There also are additional

vendor-specific attributes that depend on the particular NAS you are using.

Some sample attributes include:

•User-Name—the name of the user

•User-Password—the user’s password

•NAS-IP-Address—the IP address of the NAS

•NAS-Port—the NAS port the user is dialed in to

•Framed Protocol—such as SLIP or PPP

•Framed-IP-Address—the IP address the client uses for the session

•Filter-ID—vendor-specific; identifies a set of filters configured in the NAS

•Callback-Number—the actual callback number.

Proxy Servers

Any one or all of the RADIUS server’s three functions: authentication, authorization, or accounting can

be subcontracted to another RADIUS server. Prime Access Registrar then becomes a proxy server.

Proxying to other servers enables you to delegate some of the RADIUS server’s functions to other

servers.

Table 1-9 RADIUS Packet Fields

Fields Description

Code Indicates message type: Access-Request, Access-Accept, Access-Reject,

Access-Challenge, Accounting-Request, or Accounting-Response.

Identifier Contains a value that is copied into the server’s response so the client can

correctly associate its requests and the server’s responses when multiple

users are being authenticated simultaneously.

Length Provides a simple error-checking device. The server silently drops a packet

if it is shorter than the value specified in the length field, and ignores the

octets beyond the value of the length field.

Authenticator Contains a value for a Request Authenticator or a Response Authenticator.

The Request Authenticator is included in a client’s Access-Request. The

value is unpredictable and unique, and is added to the client/server shared

secret so the combination can be run through a one-way algorithm. The NAS

then uses the result in conjunction with the shared secret to encrypt the

user’s password.

Attribute(s) Depends on the type of message being sent. The number of attribute/value

pairs included in the packet’s attribute field is variable, including those

required or optional for the type of service requested.

1-16

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Service and Ports Used in Prime Access Registrar

You could use Prime Access Registrar to “proxy” to an LDAP server for access to directory information

about users in order to authenticate them. Figure 1-3 shows user joe initiating a request, the

Prime Access Registrar server proxying the authentication to the LDAP server, and then performing the

authorization and accounting processing in order to enable joe to log in.

Figure 1-3 Proxying to an LDAP Server for Authentication

Service and Ports Used in Prime Access Registrar

Secure Shell Service

SSH Daemon(SSHD) is the daemon program which is used for ssh(1). It provides secure shell encrypted

communications between two hosts over network.

In case of Prime Access Registrar, SSH is used to connect to Prime Access Registrar server and

configure Prime Access Registrar using CLI.

Ports

The following table lists the port numbers that are used for various services in Prime Access Registrar

for AAA.

NAS

Access

registrar

LDAP

22035

user=joe

password=xyz request

response

Authorization

accounting

Authentication

1-17

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Service and Ports Used in Prime Access Registrar

Table 1-10 Ports Used in Prime Access Registrar

Names Description

Port

Numbers

Service of the

Ports

Access from

Network Node

Configuration

Setting

Protocol

Name and

Reference

AR AAA Service The RADIUS

packet listener uses

these ports by

default.

Solaris:

1645-udp

Linux:

1812-udp

RADIUS AA Network Access

Server

You can change the

default or define

new RADIUS port

numbers under

/Radius/Advanced/

Ports in the CLI

and Configuration

> Advanced >

Ports in the GUI.

RADIUS AA

(Authenticati

on, and

Authorizatio

n) service.

Solaris:

1646-udp

radacct

Linux:

1813-udp

radacct

RADIUS

Accounting

Network Access

Server

You can change the

default or define

new RADIUS port

numbers under

/Radius/Advanced/

Ports in the CLI

and Configuration

> Advanced >

Ports in the GUI.

RADIUS

Accounting

service.

Refer to RFC

6733 for

information.

3799/udp RADIUS

Dynamic

Authorizatio

n (CoA/PoD)

Network Access

Server

N/A RADIUS

Dynamic

authorization

which is used

with

(CoA/PoD)

packet types.

AR AAA Service The TACACS+

packet listener uses

this port by default.

49/tcp TACACS+ Network Access

Server

You can change the

default or define

new RADIUS port

numbers under

/Radius/Advanced/

Ports in the CLI

and Configuration

> Advanced >

Ports in the GUI.

TACACS+

based on

AAA service

(Authenticati

on,

Authorizatio

n, and

Accounting).

Refer to RFC

1491 for

information.

1-18

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Service and Ports Used in Prime Access Registrar

AR AAA Service The DIAMETER

packet listener uses

these ports by

default.

3868/tcp DIAMETER Network Access

Server

You can enable or

disable this service

Radius/Advanced/

Diameter/IsDiamet

erEnabled.

DIAMETER

AA Service

(Authenticati

on, and

Authorizatio

n) by tcp

protocol.

Refer to RFC

4005 for

information.

3868/sctp DIAMETER Network Access

Server

You can enable or

disable this service

Radius/Advanced/

Diameter/IsDiamet

erEnabled.1

DIAMETER

AA Service

(Authenticati

on, and

Authorizatio

n) by SCTP

protocol.

AR MCD Server MCD is used to

store Prime Access

Registrar

configuration.

2786/tcp MCD

database

Server

This service can

be accessed

from local host

by Prime Access

Registrar radius

and server agent

process.

N/A Proprietary

IPC

mechanism.

AR Server Agent AR Server Agent is

used to log all the

activities of

Prime Access Regi

strar processes.

2785/tcp Internal IPC

mechanism

This service can

be accessed

from local host

by Prime Access

Registrar radius

and server agent

process.

N/A Proprietary

IPC

mechanism.

Table 1-10 Ports Used in Prime Access Registrar (continued)

Names Description

Port

Numbers

Service of the

Ports

Access from

Network Node

Configuration

Setting

Protocol

Name and

Reference

1-19

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Service and Ports Used in Prime Access Registrar

AR GUI Service Prime Access

Registrar GUI

processes use these

ports by default.

8080/tcp AR HTTP

service

This service is

accessible from

any end user

desktop browser

using http

protocol.

You can change the

default port

numbers in editing

the server.xml file.

Standard

HTTP

protocol

8443/tcp AR HTTPS

service

This service is

accessible from

any end user

desktop browser

using https

protocol.

You can change the

default port

numbers in editing

the server.xml file.

Standard

HTTPS

protocol

8005/tcp Internally

used by

Apache

Tomcat

container

Local host You can change the

default port

numbers in editing

the server.xml file..

To shutdown

Tomcat JVM

service

instance.

8009/tcp Apache

Tomcat

container

AJP 1.3

Connector

Local host You can change the

default port

numbers in editing

the server.xml file.

Apache JServ

protocol.

AJP 1.3

Connector.

SNMP Master

Agent

SNMP Packet

listener supports

these ports by

default.

161/udp Simple Net

Management

Protocol

This service is

accessible from

any network

management

host.

Refer to net-snmp

documentation for

more information.

SNMP MIBs

server

162/udp Traps for

SNMP

This service is

accessible to

any SNMP trap

client when you

want to use

net-snmp

snmptrap

daemon as a

SNMP trap

server.

Refer to

Configuring Traps

for more

information.

SNMP trap

server

Table 1-10 Ports Used in Prime Access Registrar (continued)

Names Description

Port

Numbers

Service of the

Ports

Access from

Network Node

Configuration

Setting

Protocol

Name and

Reference

1-20

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 1 Overview

Service and Ports Used in Prime Access Registrar

CPAR SIGTRAN

Stack (radius)

Listen on these

ports for internal

configuration from

stack manager

events

9041/TCP Stack

Manager

Configuratio

n/Event

Listener

This service can

be accessed

from local host

by Prime Access

Registrar –

Radius Process.

N/A CPAR

Specific IPC

Protocol

implementati

9041/UDP Stack

Manager

Configuratio

n/Event

Listener

This service can

be accessed

from local host

by Prime Access

Registrar –

Radius Process.

N/A CPAR

Specific IPC

Protocol

implementati

CPAR SIGTRAN

stack

manager(m3ua-sta

ckmgr)

Configure stack

and receive

configuration from

m3ua-cliclient

9100/TCP SIGTRAN

Stack

Manager

This service can

be accessed

from local host

by Prime Access

Registrar –

Radius Process

and

m3ua-cliclient

Process.

N/A CPAR

Specific IPC

Protocol

implementati

9100/UDP SIGTRAN

Stack

Manager

This service can

be accessed

from local host

by Prime Access

Registrar –

Radius Process

and

m3ua-cliclient

Process.

N/A CPAR

Specific IPC

Protocol

implementati

1. If an error occurs while starting the Diameter SCTP interface, add install sctp /bin/true to /etc/modprobe.conf. Then, configure port 3868 with Type

Diameter-TCP using aregcmd in /Radius/Advanced/Ports.

Table 1-10 Ports Used in Prime Access Registrar (continued)

Names Description

Port

Numbers

Service of the

Ports

Access from

Network Node

Configuration

Setting

Protocol

Name and

Reference

CHAPTER

2-1

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Using the aregcmd Commands

This chapter describes how to use each of the aregcmd commands. The Cisco Prime Access Registrar

aregcmd command is a command-line based configuration tool. It allows you to set any Cisco Prime

Access Registrar (Prime Access Registrar) configurable option, as well as, start and stop the server and

check statistics.

This chapter contains the following sections:

•General Command Syntax

•aregcmd Commands

•aregcmd Command Logging

•aregcmd Command Line Editing

•aregcmd Error Codes

General Command Syntax

Prime Access Registrar stores its configuration information in a hierarchy. Using the aregcmd command

cd (change directory), you can move through this information in the same manner as you would through

any hierarchical file system. Or you can supply full pathnames to these commands to affect another part

of the hierarchy, and thus avoid explicitly using the cd command to change to that part of the tree.

•aregcmd command parsing is case insensitive, which means you can use upper or lowercase letters

to designate elements. In addition, when you reference existing elements in the configuration, you

need only specify enough of the element’s name to distinguish it from the other elements at that

level. For example, instead of entering cd Administrators, you can enter cd ad when no other

element at the current level begins with ad.

•aregcmd command parsing is command-line order dependent; that is, the arguments are interpreted

based on their position on the command line. To indicate an empty string as a place holder on the

command line, use either single (') or double quotes (""). In addition, when you use any arguments

that contain spaces, you must quote the arguments. For example, when you use the argument, “Local

Users,” you must enclose the phrase in quotes.

The aregcmd command can contain a maximum of 255 characters when specifying a parameter and 511

characters for the entire command.

The aregcmd command syntax is:

aregcmd [-C <clustername>] [-N <adminname>] [-P <adminpassword>] [-V]

[-f <scriptfile>] [-l <directoryname> ] [-n] [<command> [<args>]] [-p] [-q] [-v]

•-C—Specifies the name of the cluster to log into by default

2-2

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

General Command Syntax

•-N—Specifies the name of the administrator

•-P—Specifies the password

•-V—Specifies view-only mode

•-f—Specifies a file that can contain a series of commands

•-l—Specifies a directory where the Prime Access Registrar license file is stored and returns

information about licensed components

•-n—Turns off prefix mode

•-p—Specifies prefix mode

•-q—Turns off verbose mode

•-v—Specifies verbose mode

Note The verbose (-v) and prefix (-p) modes are on by default when you run aregcmd interactively (for

example, not entered on the command line or not running commands from a script file). Otherwise,

verbose and prefix modes are off.

When you include a command (with the appropriate arguments) on the command line, aregcmd runs

only that one command and saves any changes.

This section contains the following topics:

•View-Only Administrator Mode

•Configuration Objects

•aregcmd Command Performance

View-Only Administrator Mode

Previous releases of Prime Access Registrar provided only super-user administrative access. If you were

able to log into aregcmd, you could do anything to the system, including starting and stopping the

system and changing the configuration. Prime Access Registrar provides view-only administrative

access. View-only access restricts an administrator to only being able to observe the system and prevents

that user from making changes.

View-only access can be encountered in three ways:

•Specific administrators can be restricted to view-only access whenever they log in.

•Administrators not restricted to view-only access can choose to start aregcmd in a view-only mode.

This might be used when an administrator wants to ensure that he or she does not make any changes.

•When an administrator who is not view-only logs in to a slave server, they will be unable to make

changes to any parts of the configuration other than /Radius/Replication,

/Radius/Advanced/Ports, /Radius/Advanced/Interfaces or the properties in /Radius/Advanced.

This is because the rest of the configuration is replicated from the master server and changes directly

to the slave will cause problems.

Note When a user logs in, the system determines whether a user’s session is view-only or not. If the

configuration is changed after a user has logged in, that change does not take effect until the affected

user logs out and logs back in.

2-3

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

General Command Syntax

ViewOnly Property

The ViewOnly property has been added to the Administrators configuration. The default setting for the

ViewOnly property is FALSE. The following shows the default setting for the admin user:

cd /Administrators/admin

[ //localhost/Administrators/admin ]

Name = admin

Description =

Password = <encrypted>

ViewOnly = FALSE

You can designate specific administrators to be view-only administrators by setting the new ViewOnly

property to TRUE.

•If that property is set to TRUE, any time the administrator logs in to aregcmd the session will be in

view-only mode.

•If set to FALSE, when the administrator logs in to a master server, the session will be full super-user

capability.

If the administrator logs in to a slave, they only part of the configuration they will be able to modify is

that part under /Radius/Replication, /Radius/Advanced/Ports, /Radius/Advanced/Interfaces or the

properties in /Radius/Advanced.

When in a view-only session, the following commands will cause an error: add, delete, set, unset,

insert, validate, save, start, stop, reload, reset-stats, release-sessions, and trace. The following error

message will be displayed:

316 Command failed: session is ViewOnly

When in a slave server session, the following commands will cause an error when the object or property

being operated on is not under /Radius/Replication, /Radius/Advanced/Ports,

/Radius/Advanced/Interfaces or the properties in /Radius/Advanced: add, delete, set, unset, and

insert. The following error message will be displayed:

317 Command failed: session is ViewOnly

Configuration Objects

The Prime Access Registrar aregcmd command lets you manipulate configuration objects, that define

properties or the behavior of the RADIUS server, such as valid administrators and types of services. For

descriptions of those objects, see Chapter 4, “Cisco Prime Access Registrar Server Objects.”

aregcmd Command Performance

You can impact aregcmd command performance and server response time by having

Prime Access Registrar userlists that contain more than 10,000 users. Prime Access Registrar userlists

were not designed to contain 10,000 users in any one list.

If you must provide service for groups greater than 10000 users, we recommend that you use an external

data store such as an LDAP directory or an Oracle database. If you are unable to use an external data

store, create multiple userlists instead, keeping each userlist under 10,000 users.

2-4

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Commands

Multiple userlists require multiple services (one for each userlist), because a service cannot reference

more than one userlist. The multiple services can then be combined using the Service Grouping feature

with ResultRule, OR, as follows:

[ //localhost/Radius/Services/GroupService ]

Name = GroupService

Description =

Type = group

IncomingScript~ =

OutgoingScript~ =

ResultRule = OR

GroupServices/

1. UserService1

2. UserService2

3. UserService3

RPC Bind Services

The Prime Access Registrar server and the aregcmd CLI requires RPC services to be running before the

server is started. If the RPC services are stopped, you must restart RPC services, then restart the

Prime Access Registrar server.

Use the following commands to restart RPC services:

arserver stop

/etc/init.d/rpc start

arserver start

If RPC services are not running, the following message is displayed when you attempt to start aregcmd:

400 Login failed

aregcmd Commands

This section contains the complete list of aregcmd commands. You can use them on the command line

or insert them into scripts. The commands are listed alphabetically.

This section contains the following topics:

•add

•cd

•delete

•exit

•filter

•find

•help

•insert

•login

•logout

2-5

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Commands

•ls

•next

•prev

•pwd

•query-sessions

•quit

•release-sessions

•reload

•reset-stats

•save

•set

•start

•stats

•status

•stop

•tacacs-stats

•tacacs-reset-stats

•dia-stats

•trace

•trace-file-count

•unset

•validate

add

Use the aregcmd command add to create new elements in the configuration. The add command is

context sensitive, which means the type of element added is determined by the current context, or the

path specified as the first parameter. The add command has one required argument; the name of the

element you wish to add. You can also provide other parameters, or you can supply this information after

aregcmd has added the new element. The optional second argument is a description of the element.

The syntax is:

add [<path>/]<name> [...]

Use the aregcmd command cd to change the working context, or level in the configuration hierarchy.

When you use the cd command without any parameters, it returns you to the root of the tree. When you

use the optional path argument, you can specify a new context. To change to a higher level in the tree

hierarchy, use the “..” syntax (as you would in a UNIX file system). When you change to a new context,

aregcmd displays the contents of the new location, when you are using the command in interactive

mode, or if verbose mode is on.

2-6

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Commands

The syntax is:

cd [<path>]

delete

Use the aregcmd command delete to remove an element from the configuration hierarchy. You cannot

remove properties on an element; you can only remove entire elements. The delete command is

recursive; that is, it will remove any subelements contained within an element being removed. When the

element is in the current context, you need only provide the name of the element to be deleted. You can

optionally provide a complete path to an element elsewhere in the configuration hierarchy.

The syntax is:

delete [<path>/]<name>

exit

Use the aregcmd command exit to terminate your aregcmd session. If you have any unsaved

modifications, Prime Access Registrar asks if you want to save them before exiting. Any modifications

you don’t choose to save are lost.

The syntax is:

exit

filter

Use the aregcmd command filter to display a selected view of a list. You can use the filter command to

present only the elements of a list that have properties equal to the value you specify. You can also use

the filter command to restore the view of the list after it has been filtered.

When using the filter command, you must provide a property name and a value, and you can optionally

provide the path to the list. Prime Access Registrar displays a list with only those elements that have a

value equal to the specified value. When you want to filter the current context, you can omit the path

argument.

The filter command is sticky, in that, after you have filtered a list, you must explicitly unfilter it before

you can view the complete list again. To restore the unrestricted view of the list, use the filter command

and specify the string all. To restore the list in current context, you can omit the pathname.

The syntax is:

filter [<path>] <property> <value>

filter [<path>] all

find

Use the aregcmd command find to locate a specific item in a list. The find command takes one required

argument, which is a full or partial pathname. After you use the command, Prime Access Registrar

displays a page beginning with the entry that most closely matches the pathname you provided.

2-7

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Commands

The syntax is:

find <path>

help

Use the aregcmd command help (with no argument specified) to display a brief overview of the

command syntax. When you specify the name of a command, Prime Access Registrar displays help for

only that command.

The syntax is:

help [<command>]

insert

Use the aregcmd command insert to add an item anywhere in ordered list. The required parameters are

the numeric index of the position in the list in which you want to insert the new item, and the item value.

When the list to which you are adding is not the current context, you can specify the complete path to

the position in the list by prepending the path for the list to the numeric index. After the new value has

been inserted into the list, Prime Access Registrar appropriately renumbers the list.

The syntax is:

insert [<path>/]<index> <value>

This command applies to lists of servers by index and the Resource Managers list in Session Managers.

Use the aregcmd command login to connect to a cluster, which contains the RADIUS server and

definition of the authorized administrators. When you do not specify the cluster, admin name, and

password, aregcmd prompts you for them.

When you are currently logged in to a cluster, the login command allows you to connect to another

cluster. When you have changes in the current cluster that you have not saved, aregcmd asks if you want

to save them before logging into another cluster. Any changes you do not save are lost.

After you successfully log in, and if the server is running, Prime Access Registrar displays the cluster

server’s health. Note, to log into a cluster, the Prime Access Registrar Server Agent for that cluster must

be running.

The syntax is:

logout

Use the aregcmd command logout to log out of the current cluster. After you log out, you have to log

into make any modifications to the configuration hierarchy, or to manage the server(s). When you have

any unsaved modifications, Prime Access Registrar asks if you want to save them before logging out.

Any modifications you do not choose to save are lost.

2-8

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Commands

The syntax is:

logout

Use the aregcmd command ls to list the contents of a level in the configuration hierarchy. This command

works much like the UNIX ls command. When you use it without any parameters, it lists the items in the

current context. When you specify a path, it lists the elements found in that context. When you use the

-R argument, it recursively lists all of the elements in and below the specified (or current) context.

For similar commands, refer to the next and prev commands.

The syntax is:

ls [-R] [<path>]

Use the aregcmd next command to review the remaining pages produced from the ls command. Every

time you use the cd command, it automatically invokes the ls command to display the contents of the

location. When the output from the ls command is more than one page (a page is about 24 lines) in

length, Prime Access Registrar displays only the first page.

Note ls command retrieves only user-added objects such as Users, UserLists, and attributes.

The next command takes an optional path and count. The path specifies the context in which you wish

to see the next page and the count specifies the number of lines you wish to see. When you use the next

command without the path, Prime Access Registrar uses the current context. When you do not specify a

count, Prime Access Registrar uses the last count value you used with the next or prev command. If you

never specify a count, Prime Access Registrar uses the default value, which is 20.

Note, the current page for a context is sticky. This means, for example, when you use the next command

to view entries 20 through 30, until you use the next or prev command on the same context, you will

continue to see these entries even if you use the cd command to change to a different context, then return

to the original.

The syntax is:

next [<path>] [<count>]

Use the aregcmd command prev to page backwards through the output of the ls command. It behaves

much like the next command, in that it takes an optional path identifying a context to display and a count

parameter indicating how many lines to display.

The syntax is:

prev [<path>] [<count>]

2-9

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Commands

pwd

Use the aregcmd command pwd to display the absolute pathname of the current context (level in the

configuration hierarchy).

The syntax is:

pwd

query-sessions

Use the aregcmd command query-sessions to query the server about the currently active user sessions.

You can request information about all of the active sessions or just those sessions that match the type

you specify.

The syntax is:

query-sessions <path> [all]

query-sessions <path> with-<type> <value> [send-CoA [with-profile <profile name>] ]

query-sessions <path> with-Attribute <name> <value> [send-CoA [with-profile <profile

name>] ]

Where <path> is the path to the server, Session Manager, or Resource Manager to query and

with-<type> is one of the following: with-NAS, with-User, with-IP-Address, with-IPX-Network,

with-USR-VPN, with-Key, with-ID or with-Age. The optional [with-profile <profile name>]

parameter indicates a profile name as configured in /Radius/Profiles.

The query-sessions command with an optional [send-CoA] at the end causes the

Prime Access Registrar server to send a Change of Authorization (CoA) request to the client. The CoA

request includes the CoA attributes configured for the client. When the optional profile name is also

included in the command, the Prime Access Registrar server includes the attribute-value (AV) pairs from

the corresponding profile in /Radius/Profiles in the CoA request.

quit

Use the aregcmd command quit to terminate your aregcmd session. You can use it interchangeably with

the exit command.

The syntax is:

quit

When you quit the aregcmd command, if you have made changes, the Prime Access Registrar server

asks if you want to save the changes. Any unsaved changes are lost.

release-sessions

Use the aregcmd command release-sessions to request the server to release one or more currently active

user sessions. This command might be useful, for example, in the case where you have taken a NAS

offline, however, the server believes user sessions for that NAS are still active.

2-10

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Commands

The syntax is one of:

release-sessions <path> all

release-sessions <path> with- <type> <value> [send-pod] [send-notification]

release-sessions <path> with-Attribute <name> <value> [send-pod] [send-notification]

Where <path> is the path to the server, Session Manager, or Resource Manager to query and

with-<type> is one of the following: with-NAS, with-User, with-IP-Address, with-IPX-Network,

with-USR-VPN, with-Key, or with-ID.

The optional [send-pod <send notification>] parameter sends the disconnect packet to the NAS to clear

sessions and an Accounting-Stop notification to the client listed in the session record.

The optional with-Attribute parameter enables release a session based on a specific attribute and value.

reload

Use the aregcmd command reload to stop the server (when it is running), and then immediately start

the server, forcing it to reread its configuration information. When you have modified the configuration

hierarchy, Prime Access Registrar asks you if you want to save your changes before restarting the server.

You must save your changes in order for the reloaded server to be able to use them.

The syntax is:

reload

reset-stats

Use the aregcmd command reset-stats to reset all server statistics displayed with the stats command.

The reset-stats command also resets SNMP counters.

The reset-stats command provides a way of resetting the server statistics without having to reload or

restart the server.

The syntax is:

reset-stats

save

Use the aregcmd command save to validate the changes you made and commit them to the configuration

database, if no errors are found.

Note Using the save command does not automatically update the running server. To update the server, you

must use the reload command.

The syntax is:

save

Table 2-1 lists the RADIUS server objects and the effect of Dynamic Updates upon them.

2-11

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Commands

set

Use the aregcmd command set to provide values for properties on existing configuration elements. You

only need to provide the set command with the name of the property you wish to set (or just enough of

the name to distinguish it from other properties) and the new value for that property. It also applies to

the Profiles attribute list, the Rules attributes list, the enumeration list in the Attribute dictionary, and

the LDAPtoRadiusMappings and LDAPtoEnvironmentMappings mappings.

The set command can also be used to order servers in a list. To specify a new position in a list for a server,

use the set command and provide the numeric position of the server and the server’s name.

The syntax is:

set [<path>/]<property> <value>

When the list is a list of servers by index, the syntax is:

set [<path>/]<index> <server name>

Note If the index is already in use, the old server name will be replaced by the new server name.

Table 2-1 Dynamic Updates Effect on RADIUS Server Objects

Object Add

Modify or

Delete

Radius Yes Yes

UserLists Yes Yes

UserGroups Yes Yes

Policies Yes Yes

Clients Yes Yes

Vendors Yes Yes

Scripts Yes Yes

Services Yes Yes

SessionManagers Yes No

ResourceManagers Yes No

Profiles Yes Yes

Rules Yes Yes

Translations Yes Yes

TranslationGroups Yes Yes

RemoteServers Yes No

Replication Yes Yes

Advanced Yes Yes

SNMP No No

Ports No No

Interfaces No No

2-12

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Commands

To remove a value from a property (make a property equal to NULL), use a pair of single or double

quotes as the value, as shown below:

set <property> ""

When you need to set an attribute to a value that includes a space, you must double-quote the value, as

in the following:

set Framed-Route "192.168.1.0/24 192.168.1.1"

start

Use the aregcmd command start to enable the server to handle requests. When the configuration

hierarchy has been modified, Prime Access Registrar asks you if you want to save the changes before

starting the server.

The syntax is:

start

stats

Use the aregcmd command stats to provide statistical information on the specified server. You can only

issue this command when the server is running.

Note that aregcmd supports the PAGER environment variable. When the aregcmd stats command is

used and the PAGER environment variable is set, the stats command output is displayed using the

program specified by the PAGER environment variable.

The syntax is:

stats

The following is an example of the statistical information provided after you issue the stats command:

RemoteServer statistics for:ServerA, 209.165.201.1, port 1645

active = TRUE

maxTries = 3

RTTAverage = 438ms

RTTDeviation = 585ms

TimeoutPenalty = 0ms

totalRequestsPending = 0

totalRequestsSent = 14

totalRequestsOutstanding = 0

totalRequestsTimedOut = 0

totalRequestsAcknowledged = 14

totalResponsesDroppedForNotInCache = 0

totalResponsesDroppedForSignatureMismatch = 0

totalRequestsDroppedAfterMaxTries = 0

lastRequestTime = Mon Feb 18 17:19:46 2013

lastAcceptTime = Mon Feb 18 17:18:11 2013

2-13

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Commands

Table 2-2 lists the statistics displayed by the stats command and the meaning of the values.

Table 2-2 aregcmd stats Information

Stats Value Meaning

RemoteServer statistics for: Provides server’s type, name, IP address, and

port used

active Indicates whether the server was active (not in

a down state)

maxTries Number of retry attempts to be made by the

RemoteServer Object based on the

RemoteServer’s maxTries property setting

RTTAverage Average round trip time since the last server

restart

RTTDeviation Indicates a standard deviation of the

RTTAverage

TimeoutPenalty Indicates any change made to the initial

timeout default value

totalRequestsPending Number of requests currently queued

totalRequestsSent Number of requests sent since the last server

restart

Note totalRequestsSent should equal the

sum of totalRequestsOutstanding and

totalRequestsAcknowledged.

totalRequestsOutstanding Number of requests currently proxied that

have not yet returned

totalRequestsTimedOut Number of requests that have timed out since

last server restart or number requests not

returned from proxy server within the

[configured] initial timeout interval

totalRequestsAcknowledged Number of responses received since last

server restart

totalResponsesDroppedForNotInCache Number of responses dropped because their

ID did not match the ID of any Pending

requests

totalResponsesDroppedForSignatureMismatch Number of responses dropped because their

response authenticator did not decode to the

correct shared secret

totalRequestsDroppedAfterMaxTries Number of requests dropped because no

response was received after retrying the

configured number of times. This value is

different from totalRequestsTimedOut

because using the default configuration

values, no response within 2000 ms bumps the

TimedOut counter, but it waits 14000 ms

(2000 + 4000 + 8000) to bump this counter.

2-14

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Commands

status

Use the aregcmd command status to learn whether or not the specified server has been started. When

the server is running, Prime Access Registrar displays its health.

The syntax is:

status

stop

Use the aregcmd command stop to cause the server to no longer accept requests.

The syntax is:

stop

tacacs-stats

Use the aregcmd command tacacs-stats to provide statistical information of TACACS+.

The syntax is:

tacacs-stats

The following is an example of the statistical information provided after you issue the tacacs-stats

command:

Global Tacacs+ Statistics

serverStartTime = Mon Apr 15 01:17:34 2013

serverResetTime = Mon Apr 15 01:17:34 2013

serverState = Running

totalPacketsReceived = 60

totalPacketsSent = 60

totalRequests = 60

totalResponses = 60

totalAuthenticationRequests = 2

totalAuthenticationAccepts = 2

totalAuthenticationRejects = 0

totalAuthenticationChallengeRequests = 0

totalAuthenticationResponses = 2

totalAuthorizationRequests = 56

totalAuthorizationAccepts = 38

totalAuthorizationRejects = 18

totalAuthorizationResponses = 56

totalAccountingRequests = 2

totalAccountingAccepts = 2

totalAccountingRejects = 0

totalAccountingResponses = 2

totalPacketsInUse = 0

lastRequestTime Date and time of last proxy request

lastAcceptTime Date and time of last ACCEPT response to a

client

Table 2-2 aregcmd stats Information (continued)

Stats Value Meaning

2-15

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Commands

totalPacketsDropped = 0

See TACACSStatistics for more information.

tacacs-reset-stats

Use the aregcmd command tacacs-reset-stats to reset TACACS+ statistics displayed with the stats

command. The tacacs-reset-stats command also resets SNMP counters.

The tacacs-reset-stats command provides a way of resetting the TACACS+ statistics without having to

reload or restart the server.

The syntax is:

tacacs-reset-stats

dia-stats

Use the aregcmd command dia-stats to provide statistical information of Diameter.

The syntax is:

dia-stats

The following is an example of the statistical information provided after you issue the following

command:

dia-stats /Radius/RemoteServers/dia

Diameter Remote server statistics for: dia, 10.81.79.76, port 3868

active = TRUE

cDiaRemSvrRTTAverage = 25ms

cDiaRemSvrRTTDeviation = 0ms

cDiaRemSvrServerType = Diameter

cDiaRemSvrTotalRequestsPending = 0

cDiaRemSvrTotalRequestsOutstanding = 0

cDiaRemSvrStatsState = Closed

cDiaRemSvrStatsASRsIn= 0

cDiaRemSvrStatsASRsOut= 0

cDiaRemSvrStatsASAsIn = 0

cDiaRemSvrStatsASAsOut = 0

cDiaRemSvrStatsACRsIn = 0

cDiaRemSvrStatsACRsOut = 0

cDiaRemSvrStatsACAsIn = 0

cDiaRemSvrStatsACAsOut = 0

cDiaRemSvrStatsCERsIn = 0

cDiaRemSvrStatsCERsOut = 0

cDiaRemSvrStatsCEAsIn = 0

cDiaRemSvrStatsCEAsOut = 0

cDiaRemSvrStatsDWRsIn = 0

cDiaRemSvrStatsDWRsOut = 0

cDiaRemSvrStatsDWAsIn = 0

cDiaRemSvrStatsDWAsOut = 0

cDiaRemSvrStatsDPRsIn = 0

cDiaRemSvrStatsDPRsOut = 0

cDiaRemSvrStatsDPAsIn = 0

cDiaRemSvrStatsDPAsOut = 0

cDiaRemSvrStatsRARsIn = 0

cDiaRemSvrStatsRARsOut = 0

cDiaRemSvrStatsRAAsIn = 0

cDiaRemSvrStatsRAAsOut = 0

2-16

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Commands

cDiaRemSvrStatsSTRsIn= 0

cDiaRemSvrStatsSTRsOut = 0

cDiaRemSvrStatsSTAsIn = 0

cDiaRemSvrStatsSTAsOut = 0

cDiaRemSvrStatsRedirectEvents = 0

cDiaRemSvrStatsAccDupRequests = 0

cDiaRemSvrStatsMalformedRequests = 0

cDiaRemSvrStatsAccsNotRecorded = 0

cDiaRemSvrStatsWhoInitDisconnect = 0

cDiaRemSvrStatsAccRetrans = 0

cDiaRemSvrStatsTotalRetrans= 0

cDiaRemSvrStatsAccPendRequestsOut = 0

cDiaRemSvrStatsAccReqstsDropped = 0

cDiaRemSvrStatsHByHDropMessages = 0

cDiaRemSvrStatsEToEDupMessages= 0

cDiaRemSvrStatsUnknownTypes= 0

cDiaRemSvrStatsProtocolErrors = 0

cDiaRemSvrStatsTransientFailures = 0

cDiaRemSvrStatsPermanentFailures = 0

cDiaRemSvrStatsDWCurrentStatus= 0

cDiaRemSvrStatsTransportDown = 0

cDiaRemSvrStatsTimeoutConnAtmpts = 5

trace

Use the aregcmd command trace to set the trace level in the specified server to a new value. The trace

level governs how much information is displayed about the contents of a packet. When the trace level is

zero, no tracing is performed. The higher the trace level, the more information displayed. The highest

trace level currently used by the Prime Access Registrar server is trace level 5.

Note Although the highest trace level supported by the Prime Access Registrar server is trace level 5, an

extension point script might use a higher level. There is no harm in setting the trace to a level higher

than 5. However, increasing the trace level impacts the system performance.

The trace levels are inclusive, meaning that if you set trace to level 3, you will also get the information

reported for trace levels 1 and 2. If you set trace level 4, you also get information reported for trace

levels 1, 2, and 3.

When you do not specify a server, Prime Access Registrar sets the trace level for all of the servers in the

current cluster. When you do not specify a value for the trace level, Prime Access Registrar displays the

current value of the trace level. The default is 0.

The syntax for setting the trace level is:

trace [<server>] [<level>]

Table 2-3 lists the different trace levels and the information returned.

Table 2-3 Trace Levels and Information Returned

Trace Level Information Returned by Trace Command

0 No trace performed.

1 Reports when a packet is sent or received or when there is a change in a

remote server’s status.

2-17

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Commands

trace-file-count

Use the aregcmd command trace-file-count to change the trace log file count dynamically without

requiring a server reload. The syntax is:

trace-file-count n

Where n is a number that specifies the number of trace log files. This function is helpful for debugging

situations when you do not want to perform a reload.

2 Indicates the following:

•Which services and session managers are used to process a packet

•Which client and vendor objects are used to process a packet

•Detailed remote server information for LDAP and RADIUS, such as

sending a packet and timing out

•Details about poorly formed packets

•Details included in trace level 1

3 Indicates the following:

•Error traces in TCL scripts when referencing invalid RADIUS attributes.

•Which scripts have been executed

•Details about local UserList processing

•Details included in trace levels 1 and 2

4 Indicates the following:

•Information about advanced duplication detection processing

•Details about creating, updating, and deleting sessions

•Trace details about all scripting APIs called

•Details included in trace levels 1, 2, and 3

5 Indicates the following:

•Details about use of the policy engine including:

–

Which rules were run

–

What the rules did

–

If the rule passed or failed

–

Detailed information about which policies were called

•Details included in trace levels 1, 2, 3, and 4

Table 2-3 Trace Levels and Information Returned (continued)

Trace Level Information Returned by Trace Command

2-18

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

OpenSSL Commands

unset

Use the aregcmd command unset to remove items from an ordered list. Specify the numeric index of

the element to remove. When the ordered list is not the current context, specify the path to the list before

specifying the numeric index.

When you remove an item from the list, Prime Access Registrar renumbers the list.

The syntax is:

unset [<path>/]<index>

This command applies to lists of servers by index, the Profiles attribute list, the Rules Attributes list, the

enumeration list in the Attribute dictionary, and the LDAPtoRadiusMappings and

LDAPtoEnvironmentMappings mappings.

validate

Use the aregcmd command validate to check the consistency and validity of the specified server’s

configuration. If Prime Access Registrar discovers any errors, it displays them.

The syntax is:

validate

OpenSSL Commands

This section contains a list of OpenSSL commands. You can use them on the command line or insert

them into scripts.

This section contains the following topics:

•ecparam

•req

•ca

ecparam

Use the OpenSSL command ecparam to manipulate or generate ellipitical curve (EC) parameter files.

The syntax is:

ecparam

2-19

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Command Logging

req

Use the OpenSSL command req to create and process certificate requests.

The syntax is:

req

Use the OpenSSL command ca used to sign certificate requests and generate CRLs it also maintains a

text database of issued certificates and their status.

The syntax is:

aregcmd Command Logging

aregcmd now records the commands that are either entered interactively, on the command line, or

executed in batch mode. The recorded commands are saved in the aregcmd_log file, which resides in

the logs directory within the Prime Access Registrar installation directory.

For security reasons, aregcmd blocks out the actual password that is entered as part of the command and

replaces it with <passwd>.

In interactive mode, aregcmd logs the actions that are taking place in the exit/logout dialog box. The

action can be save or not save if the configuration database has been modified after the last execution

of the save command.

In non-interactive (batch or command-line) mode, aregcmd replaces the empty field with a NULL

string.

aregcmd is now installed as a setgid program where the group is set to staff. This allows a non-root user

to run aregcmd while still being able to write to the aregcmd_log log file. During the installation of the

Prime Access Registrar software, you are prompted whether you want to install aregcmd with

setuid/setgid permissions. You must reply “yes” unless you only run aregcmd as user root.

The following is the format of an entry in the exit/logout dialog box when not save has been specified:

mm/dd/yyyy HH:MM:SS aregcmd Info Configuration 0 [<clustername> <username>] ( exit )

mm/dd/yyyy HH:MM:SS aregcmd Info Configuration 0 [<clustername> <username>] ( *** New

config is not saved! ...proceed to logout.)

The following is sample output of an entry in the exit/logout dialog box when not save has been

specified:

10/12/2013 16:18:56 aregcmd Info Configuration 0 [localhost admin] --> quit

10/12/2013 16:19:02 aregcmd Info Configuration 0 [localhost admin] --> *** New config is

not saved! ...proceed to logout.

The following is the format of an entry in the exit/logout dialog box when save has been specified:

mm/dd/yyyy HH:MM:SS aregcmd Info Configuration 0 [<clustername> <username>] ( exit )

mm/dd/yyyy HH:MM:SS aregcmd Info Configuration 0 [<clustername> <username>] ( *** New

config saved!...proceed to logout.)

2-20

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Command Line Editing

Commands entered at the aregcmd prompt can be edited with a subset of the standard EMACS-style

keystrokes. In addition, the command history can be accessed using the arrow keys on the keyboard. Use

the Up arrow to retrieve the previous command and the Down arrow to retrieve the next command. A

description of the supported key strokes are shown in Table 2-4.

aregcmd Error Codes

Table 2-5 lists the error codes used in aregcmd.

Table 2-4 aregcmd Command Line Editing Keystrokes

Key Stroke Description

Ctrl A Go to the beginning of the line.

Ctrl B Move back one character.

Ctrl D Delete the character at the cursor.

Ctrl E Go to the end of the line.

Ctrl F Move forward one character.

Ctrl N Retrieve the next line.

Ctrl P Retrieve the previous line.

Table 2-5 aregcmd Error Codes

Error

Code Meaning

200 OK

300 Command failed to parse; usually an unbalanced quotation

301 Unknown command; usually caused by a misspelled command

302 Ambiguous command; characters you have entered select more than one command

303 Not logged in; you have logged out of aregcmd and attempted another aregcmd

command

304 Too few arguments

305 Too many arguments

306 Invalid argument

307 Object not found or path ambiguous; you have tried to set an unknown object or

provided a partial name that matches multiple objects

308 Object already exists

309 Confirmation password did not match; when setting a user password, the re-entered

password did not match the initial entry

310 Command failed; a generic response for a command that failed for a reason other than

those listed here

311 Command is interactive; possibly due to attempting to batch mode with an interactive

command

312 Validation failed; a new or modified object is not valid

2-21

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Error Codes

313 Failed to reread; an error occurred while synchronizing changes from another

aregcmd session; occurs only when using multiple aregcmd instances

314 Failed to open the pager; the PAGER environment variable is set to something that

does not exist and the stats command is entered

315 Property is not modifiable; an administrator has attempted to modify a read-only

property

316 Command failed: session is ViewOnly; an view-only administrator has attempted to

modify a property

317 Command failed: server is a Replication Slave; an administrator has attempted to

modify a replicated property on a slave of an SMDBR network

400 Login failed; an incorrect username or password was given during aregcmd log in

401 Unable to access server; aregcmd was unable to communicate with the radius

process usually because the process is not running or is otherwise unresponsive

402 Login failed: version of aregcmd is incompatible with server; a new version of

aregcmd has tried to connect with an older version of Prime Access Registrar

500 Internal error; a generic aregcmd error

Table 2-5 aregcmd Error Codes (continued)

Error

Code Meaning

2-22

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 2 Using the aregcmd Commands

aregcmd Error Codes

CHAPTER

3-1

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Using the Graphical User Interface

Cisco Prime Access Registrar (Prime Access Registrar) is a Remote Authentication Dial-In User Service

(RADIUS) / Diameter server that enables multiple dial-in Network Access Server (NAS) devices to

share a common authentication, authorization, and accounting database.

This chapter describes how to use the standalone graphical user interface (GUI) of

Prime Access Registrar to:

•Configure Cisco Prime Access Registrar

•Manage Network Resources managed by Prime Access Registrar

•Administer Prime Access Registrar related activities

The following topics help you to work with and understand the Prime Access Registrar GUI:

•Launching the GUI

•Common Methodologies

•Dashboard

•Configuring Cisco Prime Access Registrar

•Network Resources

•Administration

•Read-Only GUI

Launching the GUI

Prime Access Registrar requires you to use Microsoft Internet Explorer 8.0 SP1 (Windows 2000 and

Windows XP). You start the GUI by pointing your browser to the Prime Access Registrar server and port

8080, as in the following:

http://ar_server_name:8080

Note You can also use Mozilla Firefox 16.0 and Google Chrome 23.0 browsers to launch the

Prime Access Registrar GUI. It can be launched using IPv6 address also.

To start a secure socket layer (SSL) connection, use https to connect to the Prime Access Registrar

server and port 8443, as in the following:

https://ar_servr_name:8443

3-2

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Launching the GUI

By default, both HTTP and HTTPS are enabled. The following sections describe how to disable HTTP

and HTTPS:

•Disabling HTTP

•Disabling HTTPS

Note For proper function of Prime Access Registrar GUI, the DNS name resolution for the server's hostname

should be defined precisely.

Disabling HTTP

To disable HTTP access, you must edit the server.xml file in the /cisco-ar/apache-tomcat-7.0.42/conf

directory. You must have root privileges to edit this file.

Use a text editor such as vi to open the server.xml file, and comment out lines 96-99. Use the <!--

character sequence to begin a comment. Use the --> character sequence to end a comment.

The following are lines 93-99 of the server.xml file:

<Connector port="8080" maxHttpHeaderSize="8192"

maxThreads=”150 minSpare/Threads=”25” maxSpareThreads=”75”

enableLookups="false" redirectPort="8443" acceptCount="100"

connectionTimeout="20000" disableUploadTimeout="true" />

The following example shows these lines with beginning and ending comment sequences to disable

HTTP:

<!--

<Connector className="org.apache.catalina.connector.http.HttpConnector"

port="8080" minProcessors="5" maxProcessors="75"

enableLookups="true" redirectPort="8443"

acceptCount="10" debug="0" connectionTimeout="60000"/>

-->

After you modify the server.xml file, you must restart the Prime Access Registrar server for the changes

to take effect. Use the following command line to restart the server:

/opt/CSCOar/bin/arserver restart

Disabling HTTPS

To disable HTTPS access, you must edit the server.xml file in the /cisco-ar/apache-tomcat-7.0.42/conf

directory. You must have root privileges to edit this file.

Use a text editor such as vi to open the server.xml file, and comment out lines 116-121. Use the <!--

character sequence to begin a comment. Use the --> character sequence to end a comment.

The following are lines 111-121 of the server.xml file:

<!-- CHANGE MADE: enabled HTTPS.

3-3

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Launching the GUI

Note: to disable HTTPS, comment out this Connector -->

<Connector port="8443" maxHttpHeaderSize="8192"

maxThreads="150" minSpareThreads="25" maxSpareThreads=”75”

enableLookups="true" disableUploadTimeout="true"

acceptCount="100" scheme="https" secure="true"

clientAuth="false"

keystoreFile="/cisco-ar/certs/tomcat/server-cert.p12"

keystorePass="cisco" keystoreType="PKCS12" sslProtocol="TLS" />

</Connector>

The following example shows these lines with beginning and ending comment sequences to disable

HTTPS.

<!-- CHANGE MADE: enabled HTTPS.

Note: to disable HTTPS, comment out this Connector -->

<!--

<Connector className="org.apache.catalina.connector.http.HttpConnector"

port="8443" minProcessors="5" maxProcessors="75"

enableLookups="true"

acceptCount="10" debug="0" scheme="https" secure="true">

<Factory className="org.apache.catalina.net.SSLServerSocketFactory"

keystoreFile="/cisco-ar/certs/tomcat/server-cert.p12"

keystorePass="cisco" keystoreType="PKCS12"

clientAuth="false" protocol="TLS"/>

</Connector>

-->

After you modify the server.xml file, you must restart the Prime Access Registrar server for the changes

to take effect. Use the following command line to restart the server:

/opt/CSCOar/bin/arserver restart

The login page has fields for a username and password. This page displays when you first attempt to log

into the system, if a session times out, or after you log out of the system.

Logging In

Users who are configured as Administrators can log into the Prime Access Registrar server.

Logging in

To log into the Prime Access Registrar GUI:

Step 1 Enter the relevant url in the browser. The Prime Access Registrar Login page is displayed.

Step 2 Enter the credentials in the provided fields.

Step 3 Click Login. The Prime Access Registrar main page is displayed.

3-4

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Common Methodologies

Note After installation of Prime Access Registrar server, when you log into the application for the first time,

the application redirects to the change password page.

Refreshing the pages using the GUI

To stop the server (when it is running), and then immediately start the server, click the Reload link.

Restarting the GUI

To restart the Prime Access Registrar server, click the Restart link.

Note If aregcmd interface is active, then it needs to be closed for restarting the Prime Access Registrar

server.

Logging Out

To log out of the Prime Access Registrar GUI, click Logout in the upper right portion of the

Prime Access Registrar GUI window.

Common Methodologies

This section explains the operations that are common across the GUI interface of

Prime Access Registrar. The functions explained in this section are referred throughout to this help

system.

This section describes the following:

•Filtering Records

•Deleting Records

•Setting Record Limits per Page

•Performing Common Navigations

•Relocating Records

Filtering Records

To filter a record:

Step 1 Navigate to the required page. For example, choose Configuration > Profiles. The Profile page is

displayed.

Step 2 Enter the known details of the record in the Filter text box.

Step 3 Click Go. The matching records are displayed in the search criteria below.

3-5

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Common Methodologies

Step 4 Click Clear Filter to clear the performed filter.

You can also perform the following:

•Deleting Records

•Editing Records

•Setting Record Limits per Page

•Performing Common Navigations

•Relocating Records

Editing Records

To edit the required records:

Step 1 Navigate to the required page.

Step 2 Search for a record using the filter option, if required.

Step 3 Choose the required record that you want to edit.

Step 4 Click Edit. The selected record details are displayed in the appropriate page.

Step 5 Make the necessary changes.

Step 6 Click Submit or Update to save the details. The page is displayed with the updated details and a message

is prompted. Otherwise click Cancel to return to the page without saving the details.

You can also perform the following:

•Filtering Records

•Deleting Records

•Setting Record Limits per Page

•Performing Common Navigations

•Relocating Records

Deleting Records

To delete a record:

Step 1 Navigate to the required page. For example, choose Configuration > Profiles. The Profile page is

displayed.

Step 2 Search for a record using the filter option, if required.

Step 3 Check the check box against the record that you want to delete.

3-6

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Common Methodologies

Step 4 Click Delete. A message is displayed on successful deletion of the record.

You can also perform the following:

•Filtering Records

•Editing Records

•Setting Record Limits per Page

•Performing Common Navigations

•Relocating Records

Setting Record Limits per Page

To set the numbers of records to be displayed per page, select the record limit from the list available and

click the Go button. The available denominations are 10, 25, 50, 100, and All.

You can also perform the following:

•Filtering Records

•Editing Records

•Deleting Records

•Performing Common Navigations

•Relocating Records

Performing Common Navigations

On existence of more records that cannot be accommodated in a page, the records are displayed in

multiple pages. Table 3-1 describes the icons used for page navigation.

You can also perform the following:

Table 3-1 Page Navigation Icons

Icons Description

To view the next page

To return back to previous page

To view the last page

To return to the first page

3-7

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Common Methodologies

•Filtering Records

•Editing Records

•Deleting Records

•Setting Record Limits per Page

•Relocating Records

Relocating Records

Table 3-2 describes the icons used for relocating records.

You can also perform the following:

•Filtering Records

•Editing Records

•Deleting Records

•Setting Record Limits per Page

•Performing Common Navigations

Table 3-2 Icons for Relocating Records

Icons Description

To move a record from the Available List to the Selected List

To move a record from the Selected List to the Available List

To move all the records from the Available List to the Selected List

To move all the records from the Selected List to the Available List

To move the selected record one step above

To move the selected record one step below

To move the selected record to the first position

To move the selected record to the last position

3-8

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Dashboard

The dashboard of the Prime Access Registrar GUI shows you the overview on the status on the server

and user session details. It consists of the three tabs: Server Status, User Sessions, and System

Information.

The Server Status provides the following details:

•AAA Server status— includes the AAA Process, Process ID, and Status.

•Health status of the AAA Server— the status of the AAA Server with respect to the performance

condition is displayed.

The User Sessions consists of two graphs.

•Number of Sessions versus Duration in Days

•Number of Sessions versus Duration in Weeks

The Number of Sessions vs Duration in Weeks report provides the session details with respect to the

number of weeks for which it is queried. The Number of Sessions vs Duration in Days report provides

the session details with respect to the number of days for which it is queried. The Time(mins) vs

Username report provides the accumulated time with respect to the selected username. This report can

also be viewed in the form of chart and grid. Click the relevant icons below the graph to view the details

in the respective formats.

The System Information section consists of two graphs:

•Disk Availability for Prime Access Registrar Directory

•CPU Utilization

The Disk Availability for Prime Access Registrar Directory report provides the details of the available

disk space and used disk space in the Prime Access Registrar directory. When you hover the mouse on

the pie chart, the details of the disk space are displayed. The CPU Utilization report provides the

utilization of the CPU for a specific time. The CPU usage is represented in kilobits per seconds.

Sessions

The Sessions feature of the dashboard helps you in viewing the records based on session id. Table 3-3

lists and describes the various session views in the page.

Table 3-3 Different Session Views

Fields Description

Release Click to release the selected session details.

Release All Click to release all the records from the list.

Send CoA Click to send the CoA packet to the client device.

SendPoD Click to send the disconnect packet to the NAS to clear sessions and

an Accounting-Stop notification to the client listed in the session

record.

Query All Sessions Click to query all the sessions in the server.

3-9

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

To view sessions details:

Step 1 Choose Dashboard > Sessions. The Sessions page appears.

Step 2 Choose the required session id to view Release, Release All, Send CoA, Send PoD, and Query All

Session details. The session details are displayed as described in the above table.

Note You can locate the session id using the filter option. See Filtering Records for more details.

Configuring Cisco Prime Access Registrar

Prime Access Registrar’s operation and configuration are based on a set of objects. On configuring the

Prime Access Registrar major components, the server objects can be created. These objects include the

following:

•RADIUS— the root of the configuration hierarchy

•Profiles—contains individual Profiles

•UserGroups—contains individual UserGroups

•UserList—contains individual UserLists which in turn contain users

•Users—contains individual authentication or authorization details of a user

•Scripts—contains individual Scripts

•Policies—contains a set of rules applied to an Access-Request

•Services—contains individual Services

•CommandSets—contains commands and the action to perform during Terminal Access Controller

Access-Control System Plus (TACACS+) command authorization

•DeviceAccessRules—contains conditions or expressions and the applicable command sets for

TACACS+ command authorization

•FastRules—provides a mechanism to easily choose the right authentication, authorization,

accounting, and query service(s), drop, reject, or break flows, choose session manager or other rules

required for processing a packet

•Replication—maintains identical configurations on multiple machines simultaneously

•RADIUSDictionary—passes information between a script and the RADIUS server, or between

scripts running on a single packet

•VendorDictionary—allows to maintain the attributes of the vendor with respect to vendor id, vendor

type and the attributes required to support the major NAS

•Vendor Attributes—communicates prepaid user balance information from the

Prime Access Registrar server to the AAA client, and actual usage, either interim or total, between

the NAS and the Prime Access Registrar server

•Vendors—contains individual Vendors

3-10

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

•Translations—adds new attributes to a packet or change an existing attribute from one value to

another.

•TranslationGroups—add translation groups for different user groups

•SessionManagers—contains individual Session Managers

•ResourceManager—contains individual Resource Managers

•Remote Servers—contains individual Remote Servers

•Diameter—contains Session Management, Applications, Commands, Diameter Attributes

•Rules—allows to set rules for service selection

RADIUS

The Radius object is the root of the hierarchy. For each installation of the Cisco Prime Access Registrar

server, there is one instance of the Radius object. You reach all other objects in the hierarchy from the

Radius.

Table 3-4 lists and describes the fields in the Radius Properties page.

Note Fields which are represented with the term “required” in the windows of the Prime Access Registrar

GUI, denote mandatory input.

Table 3-4 Radius Properties

Fields Description

Name Required; must be unique in the list of servers in the cluster.

Version Required; the currently installed version of Prime Access Registrar.

Description Optional; description of the server.

DefaultSessionManager Optional; Cisco Prime Access Registrar uses this property if none

of the incoming scripts sets the environment dictionary variable

Session-Manager.

IncomingScript Optional; if there is a script, it is the first script

Cisco Prime Access Registrar runs when it receives a request from

any client and/or for any service.

OutgoingScript Optional; if there is a script, it is the last script

Cisco Prime Access Registrar runs before it sends a response to any

client.

DefaultAuthenticationService Optional; Cisco Prime Access Registrar uses this property when

none of the incoming scripts sets the environment dictionary

variable Authentication-Service.

DefaultAuthorizationService Optional; Cisco Prime Access Registrar uses this property when

none of the incoming scripts sets the environment dictionary

variable Authorization-Service.

3-11

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Setting Up or Changing the Radius Properties

To set or change the Radius properties:

Step 1 Choose Configuration > Radius. The Radius Properties page appears.

Step 2 Specify the relevant details.

Step 3 Click Save to save the changes made to the Radius properties page.

On successful setting up of the RADIUS, a message is displayed.

Profiles

You use Profiles to group RADIUS attributes that belong together, such as attributes that are appropriate

for a particular class of PPP or Telnet user. You can reference profiles by name from either the

UserGroup or the User properties. Thus, if the specifications of a particular profile change, you can

make the change in a single place and have it propagated throughout your user community.

Although you can use UserGroups or Profiles in a similar manner, choosing whether to use one rather

than the other depends on your site. When you require some choice in determining how to authorize or

authenticate a user session, then creating specific profiles, and creating a group that uses a script to

choose among them is more flexible.

In such a situation, you might create a default group, and then write a script that selects the appropriate

profile based on the specific request. The benefit to this technique is each user can have a single entry,

and use the appropriate profile depending on the way they log in.

Table 3-5 lists and describes the fields in the Add Profiles page.

DefaultAccountingService Optional; Cisco Prime Access Registrar uses this property when

none of the incoming scripts sets the environment dictionary

variable Accounting-Service.

DefaultSessionService Optional; Cisco Prime Access Registrar uses this property when

none of the incoming scripts sets the environment dictionary

variable Session-Service.

Table 3-4 Radius Properties (continued)

Fields Description

Table 3-5 Profile Properties

Fields Description

Name Required; must be unique in the Profiles list.

Description Optional; description of the profile.

RADIUS Optional; set Radius, if the attribute and value needs to be defined

for RADIUS.

VENDOR Optional; set Vendor, if the attribute and value needs to be defined

for Vendor.

3-12

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the Profiles page for the following:

•Filtering Records

•Adding Profile Details

•Editing Records

•Deleting Records

Adding Profile Details

To add new profile details:

Step 1 Choose Configuration > Profiles. The Profiles page is displayed.

Step 2 Click Add. The Add Profile page is displayed.

Step 3 Specify the required details.

Step 4 Click Submit to save the specified details in the Profiles page. Otherwise click Cancel to return to the

Profiles page without saving the details. On successful creation of the profiles, the Profiles page is

displayed else a respective error message is displayed.

UserGroups

The UserGroups objects allow you to maintain common authentication and authorization attributes in

one location, and then have many users reference them. By having a central location for attributes, you

can make modifications in one place instead of having to make individual changes throughout your user

community.

For example, you can use several UserGroups to separate users by the services they use, such as a group

specifying PPP and another for Telnet.

Table 3-6 lists and describes the fields in the Add User Groups page.

Attribute Name Optional; based on the Attribute Type selected, the attribute name is

automated. Set the relevant name for the attribute type selected.

Value Attribute Optional; set the value for the selected attribute. Click the Add

button to save the details and list it in Radius and Value list. To

navigate between the listed attributes, use the navigation option

available adjacent to the list. See Relocating Records for more

details. To delete the available attributes, select the relevant

attribute and click the Delete button below.

Table 3-5 Profile Properties (continued)

Fields Description

3-13

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the User Groups page for the following:

•Filtering Records

•Adding UserGroup Details

Table 3-6 UserGroups Properties

Fields Description

General Properties tab

UserGroup Name Required; must be unique in the UserGroup list.

Description Optional; description of the group.

BaseProfile Optional; when you set this to the name of a profile,

Cisco Prime Access Registrar adds the properties in the Profile to the

response dictionary as part of the authorization.

AuthenticationScript Optional; when you set this property to the name of a script, you can use

the Script to perform additional authentication checks to determine

whether to accept or reject the user.

AuthorizationScript Optional; when you set this property to the name of a script, you can use

the script to add, delete, or modify the attributes of the Response

dictionary.

Attribute List tab

RADIUS Optional; set Radius, if the attribute and value needs to be defined for

RADIUS.

VENDOR Optional; set Vendor, if the attribute and value needs to be defined for

Vendor.

Attribute Name Optional; based on the Attribute Type selected, the attribute name is

automated. Set the relevant name for the attribute type selected.

Attribute Value Optional; set the value for the selected attribute. Click the Add button to

save the details and list it in Name and Value list. To navigate between

the listed attributes, use the navigation option available adjacent to the

list. See Relocating Records for more details. To delete the available

attributes, select the relevant attribute and click the Delete button below.

CheckItems List tab

RADIUS Optional; set Radius, if the attribute and value needs to be defined for

RADIUS.

VENDOR Optional; set Vendor, if the attribute and value needs to be defined for

Vendor.

Attribute Name Optional; based on the Attribute Type selected, the attribute name is

automated. Set the relevant name for the attribute type selected.

Attribute Value Optional; set the value for the selected attribute. Click the Add button to

save the details and list it in Check Name and Check Value list. To

navigate between the listed attributes, use the navigation option available

adjacent to the list. See Relocating Records for more details. To delete

the available attributes, select the relevant attribute and click the Delete

button below.

3-14

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

•Editing Records

•Deleting Records

Adding UserGroup Details

To add new user groups details:

Step 1 Choose Configuration > UserGroups. The User Groups page is displayed.

Step 2 Click Add to add new user group details. The Add UserGroup page is displayed.

Step 3 Specify the required details.

Step 4 Click Submit to save the specified details in the User Groups page. Otherwise click Cancel to return to

the User Groups page without saving the details.

On successful creation of the user groups, the User Groups page is displayed else a respective error

message is displayed.

UserList

The UserLists object contains all of the individual UserLists, which in turn, contain the specific users

stored within Prime Access Registrar. Prime Access Registrar references each specific UserList by

name from a Service whose type is set to local. When Prime Access Registrar receives a request, it

directs it to a Service. When the Service has its type property set to local, the Service looks up the user’s

entry in the specific UserList and authenticates and/or authorizes the user against that entry.

You can have more than one UserList in the UserLists object. Therefore, use the UserLists object to

divide your user community by organization. For example, you might have separate UserLists objects

for Company A and B, or you might have separate UserLists objects for different departments within a

company.

Using separate UserLists objects allows you to have the same name in different lists. For example, if

your company has three people named Bob and they work in different departments, you could create a

UserList for each department, and each Bob could use his own name. Using UserLists lets you avoid the

problem of Bob1, Bob2, and so on.

If you have more than one UserList, Prime Access Registrar can run a script in response to requests. The

script chooses the Service, and the Service specifies the actual UserList which contains the user. The

alternative is dynamic properties.

Note The attributes defined for a user list must match the protocol of the incoming packet. For example, if the

incoming packet is a Diameter packet, the attributes defined must be specific to Diameter or common to

both RADIUS and Diameter. Similarly, if the incoming packet is a RADIUS packet, the attributes

defined must be specific to RADIUS or common to both RADIUS and Diameter. Otherwise, the

incoming packet will not be processed.

Table 3-7 lists and describes the fields in the Add User List page.

3-15

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the User List page for the following:

•Filtering Records

•Adding UserList Details

•Editing Records

•Deleting Records

Adding UserList Details

To add new user list details:

Step 1 Choose Configuration > UserList. The User List page is displayed.

Step 2 Click Add to add new user list details. The Add UserList page is displayed.

Step 3 Enter the required details.

Step 4 Click Submit to save the specified details in the User List page. Otherwise click Cancel to return to the

User List page without saving the details.

On successful creation of the user list, the User List page is displayed else a respective error message is

displayed.

Note After adding a new user list, you can add users to the user list. See Adding User Details for more

information.

Users

The user objects are created to hold the necessary details to authenticate or authorize a user. These users

form the component of User Lists, where their details are stored within Prime Access Registrar. The

users in local Userlist can have multiple profiles.

Note Usernames might not include the forward slash (/) character. If the Prime Access Registrar server

receives an access request packet with a Username attribute containing a forward slash character and the

Prime Access Registrar server uses an internal UserList to look up users, the server produces an error

(AX_EINVAL) and might fail. If usernames require a forward slash, use a script to translate the slash to

an acceptable, unused character.

Table 3-7 User List Properties

Fields Description

UserList Name Required; must be unique.

Description Optional; description of the user.

3-16

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Table 3-8 lists and describes the fields in the Add Users page.

Table 3-8 Users Properties

Fields Description

General Properties tab

Name Required; must be unique.

Enabled Required; must be checked to allow user access. If Enabled is not checked,

user is denied access.

Allow Null Pwd During authentication, if the Allow NULL Password environment variable is

set to TRUE, user authentication is bypassed. By default, the Allow NULL

Password environment variable is not set.

UserGroup Use the drop-down list to select a UserGroup and use the properties specified

in the UserGroup to authenticate and/or authorize the user. The default is none.

Password Required; length must be between 0-253 characters.

Base Profile Optional; use the drop-down list to select a Profile. If the service-type is not

equal to Authenticate Only, Prime Access Registrar adds the properties in the

Profile to the Response dictionary as part of the authorization. This field is

optional for the CLI, but required for the GUI. Use the menu to select a profile

other than the default None.

Confirm Password Required; must match password.

User Defined Optional; you can use this property to store notational information which you

can then use to filter the UserList. This property also sets the environment

variable for UserDefined.

Authentication Script Optional; use the drop-down list to select the name of a script to perform

additional authentication checks to determine whether to accept or reject the

user. This field is optional for the CLI, but required for the GUI. Use the menu

to select an Authentication Script other than the default None.

Authorization Script Optional; use the drop-down list to select the name of a script to add, delete,

or modify the attributes of the Response dictionary. This field is optional for

the CLI, but required for the GUI. Use the menu to select an Authorization

Script other than the default None.

Description Optional; description of the user.

Attribute List tab

RADIUS Optional; set Radius, if the attribute and value needs to be defined for

RADIUS.

VENDOR Optional; set Vendor, if the attribute and value needs to be defined for Vendor.

Attribute Name Optional; based on the Attribute Type selected, the attribute name is

automated. Set the relevant name for the attribute type selected.

Attribute Value Optional; set the value for the selected attribute. Click the Add button to save

the details and list it in Name and Value list. To navigate between the listed

attributes, use the navigation option available adjacent to the list. See

Relocating Records for more details. To delete the available attributes, select

the relevant attribute and click the Delete button below.

3-17

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the Users page for the following:

•Filtering Records

•Adding User Details

•Editing Records

•Deleting Records

Adding User Details

To add new user details:

Step 1 Choose Configuration > UserList. The User List page is displayed.

Step 2 Click the user list name link. The Users page is displayed.

Step 3 Click Add to add new user details. The Add Users page is displayed.

Step 4 Specify the required details.

Step 5 Click Submit to save the specified details in the Users page. Otherwise click Cancel to return to the

Users page without saving the details.

On successful creation of the user details, the Users page is displayed else a respective error message is

displayed.

Scripts

The Script objects define the function Cisco Prime Access Registrar invokes whenever the Script is

referenced by name from other objects in the configuration.

There are four types of scripts:

CheckItems List tab

RADIUS Optional; set Radius, if the attribute and value needs to be defined for

RADIUS.

VENDOR Optional; set Vendor, if the attribute and value needs to be defined for Vendor.

Attribute Name Optional; based on the Attribute Type selected, the attribute name is

automated. Set the relevant name for the attribute type selected.

Attribute Value Optional; set the value for the selected attribute. Click the Add button to save

the details and list it in Check Name and Check Value list. To navigate between

the listed attributes, use the navigation option available adjacent to the list. See

Relocating Records for more details. To delete the available attributes, select

the relevant attribute and click the Delete button below.

Table 3-8 Users Properties (continued)

Fields Description

3-18

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

•REX (RADIUS EXtension) scripts are written in C or C++, and thus are compiled functions that

reside in shared libraries

•TCL scripts are written in TCL, and are interpreted functions defined in source files.

•Java scripts

•Internal scripts, which allow you to add, modify, or delete attributes in the request, response, and

environment dictionaries for RADIUS, Diameter, and TACACS+. For more information about

internal scripts, see Internal Scripts, page 11-14.

When you use a Prime Access Registrar file service, Prime Access Registrar automatically closes any

opened files. However, if you write scripts that manipulate files, you are responsible for closing them.

If you have more than one extension point script (defined under /Radius/Scripts) using the same Java

class, only one instance of the class is created and used for all the extension point scripts.

For more information about scripts, see Chapter 11, “Using Extension Points.”

Table 3-9 lists and describes the fields in the Add Scripts page.

Table 3-9 Script Object Properties

Fields Description

Script Name Required; must be unique in the Scripts list.

Language Required; specify either REX, Tcl, Java, or Internal.

Description Optional; description of the script.

File/Class Name Required; specifies either a relative or absolute path. When you specify

a relative path, the path must be relative to the

$INSTALL/scripts/radius/$Language directory. When you specify an

absolute path, the server must be able to reach it.

For Java language scripts, the name of the class that implements the

extension interface; the .class file should be placed in

/cisco-ar/scripts/radius/java

Entry Point Required; when not set, Prime Access Registrar uses the value specified

in the Name property.

Init Entry Point Optional; if set, it must be the name of the global symbol

Prime Access Registrar should call when it initializes the shared library

at system start up, and just before it unloads the shared library.

Init Entry Point

Arg

Optional; when set, it provides the arguments to be passed to the

InitEntryPoint in the environmental variable Arguments.

Note The InitEntryPoint properties allow you to perform

initialization before processing and then cleanup before stopping

the server. For example, when Prime Access Registrar unloads

the script (when it stops the RADIUS server) it calls the

InitEntryPoint again to allow it to perform any clean-up

operations as a result of its initialization. One use of the function

might be to allow the script to close an open Accounting log file

before stopping the RADIUS server.

The following fields appear if the language is set as Internal

Protocol Required; select RADIUS or Diameter to indicate the protocol for which

the attributes are to be modified.

3-19

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

ActionStatements Select one of following the options:

•Simple Attribute Operation—allows you to add, modify, or delete an

attribute value to the request, response, or environment dictionary

•Copy an Attribute—allows you to copy an attribute value from one

dictionary to another

•Concatenate Operation—allows you to concatenate an attribute

value from one dictionary to another

•Replace Operation—allows you to replace an attribute value from

one dictionary to another

•Value Based Manipulations—allows you to manipulate attribute

values in a dictionary based on a given text

•Log or Trace Messages—allows you to create different levels of log

or trace messages

•I can do it myself—allows you to create your own script for the

selected protocol

Left Side of Statement

Operation Choose the operation to perform as Add, Modify, or Delete.

Dictionary Choose Request, Response, or Environment to specify the RADIUS

dictionary to apply the action to.

Attr Type Applicable for RADIUS protocol; select RADIUS or VENDOR to

indicate the attribute type.

Group AVP Applicable for Diameter protocol; select the group AVP and its level to

apply the action to.

Attribute Based on the attribute type/group AVP selected, choose the appropriate

attribute to apply the action to.

Env Attribute Enter the environment attribute to apply the action to.

This field is available only if the Dictionary chosen is Environment.

Right Side of Statement

Text Enter the text that needs to be added, modified, or deleted to/from the

given attribute in the selected dictionary.

Only this field is available if the action statement is Simple Attribute

Operation or Replacement Operation.

This field is also available under the following circumstances:

•If the action statement is Copy an Attribute, Concatenate

Operation, or Value Based Manipulations, and if the type is

chosen as Custom Text

Type Select Radius, Diameter, or Custom Text.

Dictionary If the type is set as Radius or Diameter, choose Request, Response, or

Environment to specify the dictionary to apply the action to.

Attr Type Applicable for RADIUS protocol; select RADIUS or VENDOR to

indicate the attribute type.

Table 3-9 Script Object Properties (continued)

Fields Description

3-20

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Group AVP Applicable for Diameter protocol; select the group AVP and its level to

apply the action to.

Attribute Based on the attribute type/group AVP selected, choose the appropriate

attribute to apply the action to.

Env Attribute Enter the environment attribute to apply the action to.

This field is available only if the Dictionary chosen is Environment.

Concatenate / Replace Options

This section is available if the Action Statements field is set to Concatenate Operation or

Replace Operation.

Type Select Radius, Diameter, or Custom Text.

Text Enter the text to concatenate to or replace the given attribute value in the

selected dictionary.

Only this field is available if the action statement is Replace Operation.

This field is also available if the action statement is Concatenate

Operation and if the type is chosen as Custom Text

Dictionary If the type is Radius, choose Request, Response, or Environment to

specify the RADIUS dictionary to apply the action to.

Attr Type Applicable for RADIUS protocol; select RADIUS or VENDOR to

indicate the attribute type.

Group AVP Applicable for Diameter protocol; select the group AVP and its level to

apply the action to.

Attribute Based on the attribute type/group AVP selected, choose the appropriate

attribute to apply the action to.

Env Attribute Enter the environment attribute to apply the action to.

This field is available only if the Dictionary chosen is Environment.

Text Manipulations

This section is available if the Action Statements field is set to Value Based Manipulations.

Operation Select one of the following options:

•Begins With—to manipulate the attribute value beginning with the

given text

•Contains—to manipulate the attribute value that contains the given

text

•Ends With—to manipulate the attribute value that ends with the

given text

•Strip Text—to strip the given text from the attribute value

Text The text you need to manipulate the attribute value with.

This following fields are available if the Action Statements field is set to Log or Trace

Messages.

Table 3-9 Script Object Properties (continued)

Fields Description

3-21

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the Scripts page for the following:

•Filtering Records

•Adding Script Details

•Editing Records

•Deleting Records

Adding Script Details

To add new script details:

Step 1 Choose Configuration > Scripts. The Scripts page is displayed.

Step 2 Click Add to add new scripts details. The Script Details page is displayed.

Step 3 Enter the required details.

Step 4 Click Save to save the specified details in the Scripts page. Otherwise click Cancel to return to the

Scripts page without saving the details.

On successful creation of the scripts, the Scripts page is displayed else a respective error message is

displayed.

Policies

A Policy is a set of rules applied to an Access-Request.

Table 3-10 lists and describes the fields in the Add Policies page.

Log Type Select one of the following options:

•log—to add a log message

•trace—to add a trace message

Level Applicable only for logs; level of the log message to add.

Message The log or trace message to add.

This following field is available if the Action Statements field is set to I can do it myself.

Statement Enter the action statement as a free text.

Table 3-9 Script Object Properties (continued)

Fields Description

Table 3-10 Policies Properties

Fields Description

Name Required; must be unique in the Policies list

Description Optional; description of the Policy

3-22

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the Policies page for the following:

•Filtering Records

•Adding Policy Details

•Editing Records

•Deleting Records

Adding Policy Details

To add new policy details:

Step 1 Choose Configuration > Policies. The Policies page is displayed.

Step 2 Click Add to add new policy details. The Policy Details page is displayed.

Step 3 Specify the required details.

Step 4 Click Submit to save the specified details in the Policies page. Otherwise click Cancel to return to the

Policies page without saving the details.

On successful creation of the policies, the Policies page is displayed else a respective error message is

displayed.

Services

Cisco Prime Access Registrar supports authentication, authorization, and accounting (AAA) services. In

addition to the variety of built-in AAA services (specified in the Type property),

Cisco Prime Access Registrar also enables you to add new AAA services through custom shared

libraries.

This section lists the types of services available in Prime Access Registrar with their required and

optional properties. The service you specify determines what additional information you must provide.

The various types of services are:

•Simple Services

•ServiceWithRS

•PEAP Service

•EAP Service

Rules/Policies Required; set the rules/polices to be grouped.

Operators Required; set the operators to be grouped along with selected rules/policies. The

selected rules and operators will be grouped and listed in the Grouping Box. To

delete the available groups, select the relevant group from the Grouping list and

click the Delete button below.

Table 3-10 Policies Properties (continued)

Fields Description

3-23

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

•Diameter Service

Simple Services

Prime Access Registrar provides the following simple services:

•Rex

•File

•Trusted-ID

•Group

•Local

•Java

•WiMAX

•RADIUS-Query

•Dyn-Authz

•Diameter-RADIUS

•RADIUS-Diameter

•Diameter-Query

•3GPPAuthorization

•3GPP-Reverse-Authorization

Rex

Select rex service when a custom service needs to be created and a script for authentication,

authorization, or accounting has to be used.

File

Select File type when local accounting is to be performed using a specific file. The files under the

configuration will be saved in the configured name when the server is invoked even if the service is not

being invoked by any request packets.

Prime Access Registrar flushes the accounting record to disk before it acknowledges the request packets.

Based on the specified maximum file size and age, it closes the accounting file, moves it to a new name,

and reopens the file as a new file. The file names are based on its creation and modification dates.

Trusted-ID

Select the trusted-id service type to authorize and authenticate a user based on a Trusted ID. Using SSG's

Transparent Auto-Login (TAL) feature, a TAL access-request packet contains a Trusted ID, such as a

MAC address, that identifies the user without the user's real username and password. If

Prime Access Registrar knows the user associated with the Trusted ID, it uses the Trusted ID to

authenticate and authorize the user. For more information, see Chapter 15, “Using Trusted ID

Authorization with SESM.”

3-24

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Group

A group service contains a list of references to other services and specifies whether the responses from

each of the services should be handled as a logical AND or OR function, which is specified in the

Result-Rule attribute of Group Services. The default value is AND.

When the Result-Rule attribute is set to AND or OR, each referenced service is accessed sequentially,

and the Group Service waits for a response from the first referenced service before moving on to the next

service (if necessary).

The ResultRule settings parallel-and and parallel-or are similar to the AND and OR settings except that

they ask each referenced service to process the request simultaneously instead of asking each referenced

server sequentially, thereby saving processing time.

Local

Select local services when authentication and authorization needs to be performed by

Prime Access Registrar server using a specific UserList.

Java

Select Java service type when a custom service needs to be created and to use an extension point script

to provide the service’s functionality and handle both RADIUS and TACACS requests for

authentication, authorization, or accounting.

WiMAX

Prime Access Registrar uses the Extensible Authentication Protocol (EAP) to enable the WiMAX

feature. It captures the IP attributes and Mobility Keys that are generated during network access

authentication.

RADIUS-Query

Select this service type to query cached data through RADIUS Packets. It contains the list of session

managers to be queried from and a list of (cached) attributes to be returned in the Access-Accept packet

in response to a RADIUS Query request. It is initiated through an extension point script or through the

Rule and Policy Engine by setting it to a new environment variable named Query-Service.

Dyn-Authz

Select this service type to process dynamic authorization requests. This involves Change of

Authorization (COA) and Packet of Disconnect (POD) features. For more information about these

features, see Chapter 17, “Using Cisco Prime Access Registrar Server Features.”

Diameter-RADIUS

Select this service for Diameter to RADIUS translation to translate incoming RADIUS request to a

Diameter request. Prime Access Registrar provides scripting points, which operate on the original

packet and on the newly translated packet based on request and response mapping. For more information,

see Chapter 8, “Diameter.”

3-25

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

RADIUS-Diameter

Select this service for RADIUS to Diameter translation to translate incoming Diameter request to a

RADIUS request. Prime Access Registrar provides scripting points, which operate on the original packet

and on the newly translated packet based on request and response mapping. For more information, see

Chapter 8, “Diameter.”

Diameter-Query

Select this service type to query cached data through Diameter Packets. It contains the list of session

managers to be queried from and a list of (cached) attributes to be returned in the Access-Accept packet

in response to a Diameter Query request. It is initiated through an extension point script or through the

Rule and Policy Engine by setting it to a new environment variable named Query-Service.

3GPPAuthorization

Select this service to enable 3GPP authorization of subscribers. For more information about 3GPP

authorization, see Chapter 20, “Wireless Support.”

3GPP-Reverse-Authorization

Select this service to enable 3GPP reverse authorization of subscribers. For more information about

3GPP reverse authorization, see Chapter 20, “Wireless Support.”

Table 3-11 lists and describes the fields in the Services Details page. The fields listed below are the entire

list of all the available types. The fields are displayed based on the type selected.

Table 3-11 Simple Service Properties

Fields Description

Service Name Required; must be unique in the Services list.

Incoming Script Optional; name of script to run when the service starts.

Type Required; must set it to a valid Prime Access Registrar service.

Outgoing Script Name of script to run when the service ends.

Description Optional; description of the service.

Outage Script Optional; if you set this property to the name of a script,

Cisco Prime Access Registrar runs it when an outage occurs. This property

allows you to create a script that notifies you when the RADIUS server

detects a failure.

Outage Policy Required; the default is DropPacket. This property defines how

Cisco Prime Access Registrar handles requests if all servers listed in the

RemoteServers properties are unavailable (that is, all remote RADIUS

servers are not available). You must set it to one of the following:

AcceptAll, DropPacket, or RejectAll.

The following properties appear for the job type rex.

Filename Required; must be either a relative or an absolute path to the shared library

containing the Service. When the pathname is relative, it must be relative to

$INSTALL/Scripts/Radius/rex.

3-26

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

EntryPoint Required; must be set to the function’s global symbol.

InitEntryPoint Required; must be the name of the global symbol

Cisco Prime Access Registrar should call when it initializes the shared

library and just before it unloads the shared library.

A rex service must have an InitEntryPoint even if the service only returns

REX_OK.

InitEntryPointArgs Optional; when set, it provides the arguments to be passed to the

InitEntryPoint in the environmental variable Arguments.

The following properties appear for the job type file.

FilenamePrefix Required; a string that specifies where Cisco Prime Access Registrar writes

the account records. It must be either a relative or absolute path. When you

specify a relative path, it must be relative to the $INSTALL/logs directory.

When you specify an absolute path, the server must be able to reach it. The

default is Accounting.

MaxFileAge Optional; stored as a string, but is composed of two parts, a number and a

units indicator (<n> <units>) in which the unit is one of: H, Hour, Hours,

D, Day, Days, W, Week, Weeks. The default is one day.

RolloverSchedule Indicates the exact time including the day of the month or day of the week,

hour and minute to roll over the accounting log file.

MaxFileSize Optional; stored as a string, but is composed of two parts, a number and a

units indicator (<n> <units>) in which the unit is one of: K, kilobyte, or

kilobytes, M, megabyte, or megabytes, or G, gigabyte, or gigabytes. The

default is ten megabytes.

UseLocalTimeZone When set to TRUE, indicates the accounting records' TimeStamp is in local

time. When set to FALSE, the default, accounting records' TimeStamp is in

GMT.

The following properties appear for the job type trusted-id.

UserService Required; name of service that can be used to authenticate.

SessionManager Required; select the required session manager from the available list.

The following properties appear for the job type group.

Result Rule When set to AND (the default), the response from the GroupService is

positive if each of the services referenced return a positive result. The

response is negative if any of the services reference return a negative result.

When set to OR, the response from the GroupService is positive if any of

the services referenced return a positive result. The response is negative if

all the referenced services return a negative result.

The settings parallel-AND or parallel-OR are similar to AND and OR

settings, except that each referenced service processes requests

simultaneously instead of asking each reference service sequentially to save

processing time.

Table 3-11 Simple Service Properties (continued)

Fields Description

3-27

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

GroupServices Optional; use the GroupServices subdirectory to specify the subservices in

an indexed list to provide specific ordering control of which services to

apply first. Each subservice listed must be defined in the Services section

of the RADIUS configuration and cannot be a of type group, eap-leap, or

eap-md5.

To navigate between the listed attributes, use the navigation option

available adjacent to the list. See Relocating Records for more details.

The following properties appear for the job type local.

UserList Required; this object contains all of the individual UserLists, which in turn,

contain the specific users stored within Prime Access Registrar.

Cisco Prime Access Registrar references each specific UserList by name

from a Service whose type is set to local.

When Cisco Prime Access Registrar receives a request, it directs it to a

Service. When the Service has its type property set to local, the Service

looks up the user’s entry in the specific UserList and authenticates and/or

authorizes the user against that entry.

Enable Device Access Check the box to enable TACACS+ command authorization.

Note Device Access Rules are applicable for TACACS+ command

authorization. For more information on TACACS+ command

authorization, see TACACS+ Support for AAA.

Device Access Rule Select a device access rule and click Add. The selected access rule is

displayed in the Device Access Rules list box.

Default Device Access

Action

Select the default action to perform on the commands for all the access rules

in the authorization service. Options are PermitAll and DenyAll.

The following properties appear for the job type java.

Class name Optional; set to the name of a class that implements the Extension interface.

InitializeArg Optional; set to a string to be passed to the Initialize method if the class

implements the optional ExtensionWithInitialization interface.

The following properties appear for the job type wimax.

HARKKey Required; used as the base key to generate random HARKKey for all the

HAs that are configured in Prime Access Registrar.

By default, the value is cisco112.You can change this value.

WimaxAuthenticationS

ervice

Required; a valid EAP service which can be used for WiMAX

authentication. By default, this value is none.

HARKLifeTime Required; used as time (in minutes) to regenerate the HARKKeys based on

its lifetime.

WimaxSessionManager Required; set a valid session manager which has HA and HA Cache as

resource managers. By default, this value is none.

WimaxQueryService Required; set a valid RADIUS query service which is configured with

WiMAX session manager. By default, this value is none.

WimaxPrepaidService Optional; set a valid prepaid service to carry out the prepaid functionality

of WiMAX. Otherwise this value is set to none.

Table 3-11 Simple Service Properties (continued)

Fields Description

3-28

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

AllowAAAToIncludeKe

Optional; If this is set, the HAAA will include the hHA-RK-Key,

hHA-RK-SPI and hHA-RK-Lifetime in the Access-Accept.

Otherwise, those attributes will not be in the Access-Accept. By default this

value is True.

RequiredMSK Optional; If this is set, the MSK will be provided by the AAA server as a

result of successful EAP-Authentication. By default, this value is False.

The following properties appear for the job type radius-query.

Attribute List tab

Attribute type Select either RADIUS or VENDOR. If Vendor is selected, specify the

vendor type from the drop-down list. Select the attributes from the available

list. To navigate between the listed attributes, use the navigation option

available adjacent to the list. See Relocating Records for more details.

Session Manager tab

Session Manager Select the required session manager from the available list. To navigate

between the listed attributes, use the navigation option available adjacent to

the list. See Relocating Records for more details.

The following property appears for the job type dyn-auth.

Session Cache Query

Service

Select the session cache query service to use for dynamic authorization.

The following properties appear for the job type diameter-radius or radius-diameter.

ProxyServiceName Select the Diameter proxy service name.

DiameterApplicationID Select the Diameter service application ID. This field appears only for

radius-diameter service type.

UseFor3GPPReverseAu

thorizationService

Check the box to enable 3GPP authorization service in the translation

framework. This field appears only for radius-diameter service type.

PreRequestTranslationS

cript

Select the scripting point to be called on the original request packet.

PostRequestTranslation

Script

Select the scripting point to be called on the translated request packet.

PreResponseTranslation

Script

Select the scripting point to be called on the response packet.

PostResponseTranslatio

nScript

Select the scripting point to be called on the translated response packet.

ResultCodeMappings This tab allows you to map result codes.

RequestAVPMappings This tab allows you to map request AVPs.

RequestAVPsToBeAdde

This tab allows you to map request AVPs to be added.

RequestEnvironmentMa

ppings

This tab allows you to map request environment variables.

ResponseAVPMappings This tab allows you to map response AVPs.

Table 3-11 Simple Service Properties (continued)

Fields Description

3-29

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the Simple Services List page for the following:

•Filtering Records

•Adding Simple Service Details

•Editing Records

•Deleting Records

Adding Simple Service Details

To add new simple service details:

Step 1 Choose Configuration > Services > Simple. The Services List(REX, FILE, LOCAL, GROUP, JAVA...)

page is displayed.

Step 2 Click Add to add new simple service details. The Services Details page is displayed.

Step 3 Enter the required details.

Step 4 Click Submit to save the specified details in the Services List(REX, FILE, LOCAL, GROUP, JAVA...)

page. Otherwise click Cancel to return to the Services List(REX, FILE, LOCAL, GROUP, JAVA...) page

without saving the details.

ResponseAVPsToBeAd

ded

This tab allows you to map response AVPs to be added.

ResponseEnvironment

Mappings

This tab allows you to map response environment variables.

The following properties appear for the job type diameter-query.

Attribute List tab

Attribute type Select either RADIUS or VENDOR. If Vendor is selected, specify the

vendor type from the drop-down list. Select the attributes from the available

list. To navigate between the listed attributes, use the navigation option

available adjacent to the list. See Relocating Records for more details.

Session Manager tab

Session Manager Select the required session manager from the available list. To navigate

between the listed attributes, use the navigation option available adjacent to

the list. See Relocating Records for more details.

The following property appears for the job type 3gpp-authorization.

Protocol Required; select RADIUS or Diameter to indicate the protocol to use for

3GPP authorization.

TranslationService Required if the protocol selected is RADIUS; translation service to use

during 3GPP authorization.

DiameterProxyService Required if the protocol selected in Diameter; diameter proxy service to use

during 3GPP authorization.

The following properties appear for the job type 3gpp-reverse-authorization.

TranslationService Required; the translation service to use for 3GPP reverse authorization.

Table 3-11 Simple Service Properties (continued)

Fields Description

3-30

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

On successful creation of the simple service properties, the Services List(REX, FILE, LOCAL, GROUP,

JAVA...) page is displayed else a respective error message is displayed.

ServiceWithRS

The RemoteServers directory lists one or more remote servers to process access requests. The servers

must also be listed in order under /Radius/RemoteServers. The order of the RemoteServers list

determines the sequence for directing access requests when MultipleServersPolicy is set to RoundRobin

mode. The first server in the list receives all access requests when MultipleServersPolicy is set to

Failover mode.

The RemoteServers object can be used to specify the properties of the remote servers to which Services

proxy requests. RemoteServers are referenced by name from the RemoteServers list in either the

RADIUS, LDAP or TACACS-UDP Services.

Table 3-12 lists and describes the fields in the Services Details page.

Table 3-12 Remote Server Service Properties

Fields Description

Service Name Required; name of the remote server service

Incoming Script Optional; name of script to run when the service starts

Type Required; Remote service Type must be set to one of the following: domain-auth,

ldap, ldap-accounting, odbc-accounting, odbc, oci-accounting, oci, prepaid,

radius, radius-session, or m3ua.

Outgoing Script Optional; name of script to run when the service ends.

Outage Script Optional; if you set this property to the name of a script, Prime Access Registrar

runs it when an outage occurs. This property allows you to create a script that

notifies you when the RADIUS server detects a failure.

Outage Policy The default is DropPacket. This property defines how Prime Access Registrar

handles requests if all servers listed in the RemoteServers properties are

unavailable (that is, all remote RADIUS servers are not available). You must set it

to one of the following: AcceptAll, DropPacket, or RejectAll.

Description

(optional)

Optional; description of the remote server service

MultipleServersPo

licy

Required; must be set to either Failover or RoundRobin.

When you set it to Failover, Prime Access Registrar directs requests to the first

server in the list until it determines the server is offline. At which time,

Prime Access Registrar redirects all requests to the next server in the list until it

finds a server that is online.

When you set it to RoundRobin, Prime Access Registrar directs each request to

the next server in the RemoteServers list to share the resource load across all of

the servers listed in the RemoteServers list.

RemoteServers Select the required remote server from the available list. To navigate between the

listed attributes, use the navigation option available adjacent to the list. See

Relocating Records for more details.

3-31

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

AuthorizationInfo

LookUp

Applicable only for the m3ua service type. Choose one of the following from the

drop-down list:

•MSISDN-IMSI—To fetch MSISDN in the request and send IMSI in the

response to the HLR.

•IMSI-MSISDN—To fetch IMSI in the request and send MSISDN in the

response to the HLR.

•MAP-RESTORE—To fetch the profile information of a subscriber from the

HLR. For more information on configuring the M3UA service with Map

Restore Data authorization, see Configuring M3UA Service with Map Restore

Data Authorization, page 23-13.

MapVersion Applicable only for the m3ua service type; select the map version that HLR

supports.

Device Access Rules

This section is applicable for TACACS+ command authorization and is available only for service types

local-user, oci, odbc, and ldap. For more information on TACACS+ command authorization, see

TACACS+ Support for AAA.

Enable Device

Access

Check the box to enable TACACS+ command authorization.

Device Access

Rule

Select a device access rule and click Add. The selected access rule is displayed in

the Device Access Rules list box.

Default Device

Access Action

Select the default action to perform on the commands for all the access rules in the

authorization service. Options are PermitAll and DenyAll.

Restore Data Mappings Section

IMSI IMSI received in the response from HLR.

Naea-Preferred CI North American Equal Access preferred Carrier ID List. A list of the preferred

carrier identity codes that are subscribed to.

Roaming

Restricted In Sgsn

Due To

Unsupported

Feature

Indicates that a subscriber is not allowed to roam in the current Service GPRS

Support Node (SGSN) or Cisco Mobility Management Entity (MME) area.

Network Access

Mode

The Network Access Mode (NAM) defines if the subscriber is registered to get

access to the CS (non-GPRS/EPS network), to the PS (GPRS/EPS) network, or to

both networks. NAM describes the first level of the subscriber data pseudo-tree

below the IMSIroot. It is permanent subscriber data stored in the HSS / HLR and

the SGSN with the Gs interface option, and the MME with the SGs interface

option.

LMU Indicator Indicates the presence of an LMU.

IST Alert Timer Indicates the IST alert timer value that must be used in the Mobile Switching

Center (MSC) to inform the HLR about the call activities that the subscriber

performs.

Super Charger

Supported In HLR

Indicates whether super charger concept is supported in HLR.

Table 3-12 Remote Server Service Properties (continued)

Fields Description

3-32

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

CS Allocation

Retention Priority

Allocation-retention priority for Circuit Switched (CS). This parameter specifies

relative importance to compare with other bearers about allocation and retention

of bearer.

ChargingCharacte

ristics

Subscribed charging characteristics.

Access Restriction

Data

Allowed Recipient Access Table (RAT) according to subscription data.

UE Reachability

Request Indicator

Indicates that the Home Subscriber Server (HSS) is awaiting a notification of user

equipment (UE) reachability.

Category Calling party category

LSA Information These parameters refer to one or more localized service areas (LSAs) a subscriber

may be a member of, together with the priority, the preferential access indicator,

the active mode support indicator and active mode indication of each localized

service area. The access right outside these localized service areas is also

indicated.

Subscriber Data

MSISDN MSISDN value in the subscriber data.

Subscriber Status Barring status of the subscriber, which could be Service Granted or Operator

Determined Barring.

Roaming

Restriction Due To

Unsupported

Feature

Indicates that the subscriber is not allowed to roam in the current MSC area.

Bearer Service

List

List of extensible bearer services subscribed.

Configure the index value to fetch only the required bearer services.

TeleService List List of extensible teleservices subscribed.

Configure the index value to fetch only the required teleservices.

Provisioned SS List of supplementary services provisioned.

Configure the index value to fetch only the required supplementary services.

ODB-Data Operator Determined Barring (ODB) general data and ODB Home Public Land

Mobile Network (HPLMN) specific data.

Regional

Subscription Data

List of regional subscription areas (zones) in which the subscriber is allowed to

roam.

Configure the index value to fetch only the required zones.

VBS Subscription

Data

List of Voice Broadcast Services (VBS) subscribed.

Configure the index value to fetch only the required VBS.

VGCS

Subscription Data

List of Voice Group Call Services (VGCS) subscribed.

Configure the index value to fetch only the required VGCS.

LCS Information

Live Communication Server (LCS) related information for the subscriber.

Table 3-12 Remote Server Service Properties (continued)

Fields Description

3-33

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the ServiceWithRS List page for the following:

•Filtering Records

•Adding Remote Server Service Details

•Editing Records

•Deleting Records

Adding Remote Server Service Details

To add new remote server service details:

Step 1 Choose Configuration > Services > ServiceWithRS. The Services List (..with Remote Servers) page

is displayed.

GMLC-List List of Gateway Mobile Location Centers (GMLCs) that are permitted to issue a

call/session unrelated or call/session related MT-LR request.

Configure the index value to fetch only the required GMLCs.

LCS-Privacy

Exception List

Classes of LCS client that are allowed to locate any target Mobile Station (MS).

Configure the index value to fetch only the required classes.

MOLR-List Code and status of Mobile Originating Location Request (MO-LR) subscribed.

Configure the index value to fetch only the required requests.

MC-SS-Info

Parameters identifying Multicall (MC) supplementary services (SS) that are subscribed.

MC-SS-Code Code of the MC SS.

MC-SS-Status Status of the MC SS.

NbrSB Maximum number of parallel bearers that may be used as defined by the user’s

subscription.

NbrUser Maximum number of parallel bearers that may be used as defined by the user at

registration of the MC SS.

SGSN-CAMEL-Subscription Info

Parameters identifying the subscribers as having Customized Application for Mobile Enhanced Logic

(CAMEL) services that are invoked in the SGSN.

GPRS-CSI Identifies the subscriber as having GPRS originating SMS CAMEL services.

MO-SMS-CSI Identifies the subscriber as having mobile originating SMS CAMEL services.

MT-SMS-CSI Identifies the subscriber as having mobile terminating SMS CAMEL services.

ProfileMappings

Attribute Select an RADIUS attribute to map the fetched profile data.

Value:Profile Enter a value for the attribute.

ProfileList Select one of the profile lists and click Add. The entered profile details are

displayed in the list box in the ProfileMappings section. You can delete a profile

attribute from the list as required.

Table 3-12 Remote Server Service Properties (continued)

Fields Description

3-34

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Step 2 Click Add to add new remote server service details. The Services Details page is displayed.

Step 3 Enter the required details.

Step 4 Click Submit to save the specified details in the Services List (..with Remote Servers) page. Otherwise,

click Cancel to return to the Services List (..with Remote Servers) List page without saving the details.

On successful creation of the properties, the Services List (..with Remote Servers) page is displayed else

a respective error message is displayed.

PEAP Service

Protected EAP (PEAP) is an authentication method designed to mitigate several weaknesses of EAP.

PEAP leverages Industry standard authentication of the server using certificates TLS (RFC 2246) and

creation of a secure session that can then be used to authenticate the client.

The PEAP protocol consists of two phases, an authentication handshake phase and a tunnel phase where

another complete EAP authentication exchange takes place protected by the session keys negotiated by

phase one. Prime Access Registrar supports the tunneling of other EAP methods within the PEAP phase

two exchange.

Prime Access Registrar supports the two major existing variants of PEAP:

•PEAP Version 0 (Microsoft PEAP)

•PEAP Version 1 (Cisco Prime PEAP)

PEAP Version 0

PEAP Version 0 also called as Microsoft PEAP is described in IETF drafts

(draft-kamath-pppext-peapv0-00.txt and draft-josefsson-pppext-eap-tls-eap-02.txt). This version of

PEAP uses either EAP-MSChapV2 or EAP-SIM as an authentication method. The testing method used

for this version of PEAP is radclient.

PEAP Version 1

PEAP Version 1 also called as Cisco Prime PEAP is described by IETF draft

(draft-zhou-pppext-peapv1-00.txt). This version can use either EAP-GTC or EAP-SIM as an

authentication method. The testing method used for this version of PEAP is radclient.

Table 3-13 lists and describes the fields in the PEAP Services Details page. The fields listed below are

the entire list of all the available types. The fields are displayed based on the type selected.

Table 3-13 PEAP Service Properties

Fields Description

Service Name Required; service name

Incoming Script Optional; script Prime Access Registrar server runs when it receives a request

from a client.

Type Required; must set it to a valid Prime Access Registrar service.

Outgoing Script Optional; script Prime Access Registrar server runs before it sends a response to

a client.

3-35

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Maximum

Message Size

Indicates the maximum length in bytes that a PEAP or EAP-TLS message can

have before it is fragmented.

Server

Certificate File

Required; the full pathname of the file containing the server’s certificate or

certificate chain used during the TLS exchange. The pathname can be optionally

prefixed with a special string that indicates the type of encoding used for the

certificate. The two valid encoding prefixes are PEM and DER. If an encoding

prefix is not present, the file is assumed to be in PEM format.

The following example assumes that the subdirectory pki under /cisco-ar

contains the server’s certificate file. The file server-cert.pem is assumed to be in

PEM format; note that the file extension .pem is not significant.

set ServerCertificateFile PEM:/cisco-ar/pki/server-cert.pem

Private Key

Password

Required; the password used to protect the server’s private key.

Server RSA Key

File

Required; the full pathname of the file containing the server’s RSA private key.

CRL

Distribution

URL

Optional; The URL that Prime Access Registrar should use to retrieve the

CRL.You can specify a URL that uses HTTP or LDAP.

The following is an example for an HTTP URL:

<http://crl.verisign.com/pca1.1.1.crl>.

The following is an example for an LDAP URL:

ldap://209.165.200.225:388/CN=development-CA,CN=acs-westcoast2,CN=CD

P,CN=Public Key

Services,CN=Services,CN=Configuration,DC=cisco,DC=com

CA Certificate

File

Optional; the full pathname of the file containing trusted CA certificates used for

client verification. The file can contain more than one certificate, but all

certificates must be in PEM format. DER encoding is not allowed.

Certificate

Veri fica t i on

Mode

Optional; specifies the type of verification used for client certificates. Must be set

to one of RequireCertificate, None, or Optional.

•RequireCertificate causes the server to request a client certificate and

authentication fails if the client refuses to provide one.

•None will not request a client certificate.

Optional causes the server to request a client certificate but the client is allowed

to refuse to provide one.

Table 3-13 PEAP Service Properties (continued)

Fields Description

3-36

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

CA Certificate

Path

Optional; the name of a directory containing trusted CA certificates (in PEM

format) used for client verification. This parameter is optional, and if it is used

there are some special preparations required for the directory it references.

Each certificate file in this directory must contain exactly one certificate in PEM

format. The server looks up the certificate files using the MD5 hash value of the

certificate’s subject name as a key. The directory must therefore also contain a set

of symbolic links each of which points to an actual certificate file. The name of

each symbolic link is the hash of the subject name of the certificate.

For example, if a certificate file name ca-cert.pem is located in the

CACertificatePath directory, and the MD5 hash of the subject name contained in

ca-cert.path.pem is 1b96dd93, then a symbolic link named 1b96dd93 must point

to the ca-cert.pem file.

If there are subject name collisions such as multiple certificates with the same

subject name, each link name must be indexed with a numeric extension as in

1b96dd93.0 and 1b96dd93.1.

Veri fica t i on

Depth

Optional; specifies the maximum length of the certificate chain used for client

verification.

Enable Session

Cache

Optional; specifies whether TLS session caching (fast reconnect) is enabled or

not. Set to True to enable session caching; otherwise set to False.

Tunnel Service Required; must be the name of an existing EAP-MSCHAPv2 or EAP-SIM

service.

Authentication

Timeout

Required; specifies time (in seconds) to wait before an authentication request

times out; defaults to 120.

Description

(optional)

Optional; description of the PEAP service.

Session Timeout Optional; if TLS session caching (fast reconnect) is enabled, SessionTimeout

specifies the maximum lifetime of a TLS session. Expired sessions are removed

from the cache and will require a subsequent full authentication.

SessionTimeout is specified as a string consisting of pairs of numbers and units,

where units might be one of the following: M, Minute, Minutes, H, Hour, Hours,

D, Day, Days, W, Week, Weeks, as in the following:

Set SessionTimeout “1 Hour 45 Minutes”

Enable WPS Optional; When set to TRUE, enables Windows Provisioning Service (WPS) and

provides two other properties, MasterURL and WPSGuestUserProfile. The

default value is FALSE.

Master URL Optional; when using WPS, specifies the URL of the provisioning server which is

modified with the appropriate fragment and sent to the client.

WPS Guest User

Profile

Optional; when using WPS, specifies a profile to be used as a guest user profile;

must be a valid profile under /Radius/Profiles.

This profile is used for guests and users whose account has expired. This profile

normally contains attributes denoting the VLAN-id of the guest network (which

has the provisioning server alone) and might contain IP-Filters that would restrict

the access of the guest (to only the provisioning server).

Table 3-13 PEAP Service Properties (continued)

Fields Description

3-37

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the PEAP Services List page for the following:

•Filtering Records

•Adding PEAP Service Details

•Editing Records

•Deleting Records

Adding PEAP Service Details

To add new PEAP service details:

Step 1 Choose Configuration > Services > PEAP. The PEAP Services List page is displayed.

Step 2 Click Add to add new PEAP service details. The PEAP Services Details page is displayed.

Step 3 Specify the relevant PEAP service details.

Step 4 Click Submit to save the specified details in the PEAP Services List page. Otherwise click Cancel to

return to the PEAP Services List page without saving the details.

On successful creation of the PEAP service properties, the PEAP Services List page is displayed else a

respective error message is displayed.

EAP Service

Prime Access Registrar supports the Extensible Authentication Protocol (EAP) to provide a common

protocol for differing authentication mechanisms. It provides dynamic selection of the authentication

mechanism at the time of authentication based on information transmitted in the Access-Request.

Prime Access Registrar supports the following EAP authentication methods:

•EAP-AKA

•EAP-AKA-Prime

•EAP-FAST

•EAP-GTC

•EAP-LEAP

•EAP-MD5

•EAP-Negotiate

•EAP-MSChapV2

•EAP-SIM

•EAP-Transport Level Security (TLS)

•EAP-TTLS

EAP-AKA

Authentication and Key Agreement (AKA) is an EAP mechanism for authentication and session key

distribution. It is used in the 3rd generation mobile networks Universal Mobile Telecommunications

System (UMTS) and CDMA2000. AKA is based on symmetric keys, and typically runs in a UMTS

3-38

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Subscriber Identity Module (USIM), or a (Removable) User Identity Module ((R) UIM), similar to a

smart card. EAP-AKA (Extensible Authentication Protocol Method for UMTS Authentication and Key

Agreement) includes optional identity privacy support, optional result indications, and an optional fast

reauthentication procedure. The EAP-AKA authentication service is extended to generate a Diameter

message Multimedia-Authentication-Request (MAR), with the subscriber identity (IMSI), to the Home

Subscriber Server (HSS) when it requires the authentication vectors. The HSS sends a Diameter

Mutlimedia-Authentication-Answer (MAA) back containing the number of quintuplets.

EAP-AKA-Prime

EAP-AKA-Prime (EAP-AKA') is an EAP authentication method, with a small revision to the existing

EAP-AKA method. EAP- AKA' has a new key derivation function, which binds the keys derived within

the method to the name of the access network. This limits the effects of compromised access network

nodes and keys. EAP-AKA’ supports SHA-256 instead of SHA-1.

EAP-FAST

EAP-FAST is an authentication method which uses the EAP-MSChapV2 method for credential

provisioning and EAP-GTC for authentication. Credential provisioning typically occurs only during the

client’s initial EAP-FAST authentication. Subsequent authentications rely on the provisioned credential

and will usually omit the provisioning step.

This authentication protocol is designed to address the performance shortcomings of prior TLS-based

EAP methods while retaining features such as identity privacy and support for password-based

protocols. The EAP-FAST protocol is described by the IETF draft (draft-cam-winget-eap-fast-00.txt).

EAP-GTC

This method defined in RFC 2284, is used for transmitting a username and password to an authentication

server.

Note It should not be used except as an authentication method for PEAP Version 1 because the password is

not protected.

EAP-LEAP

The new AAA Cisco-proprietary protocol called Light Extensible Authentication Protocol (LEAP)

supported by Prime Access Registrar, is a proprietary Cisco authentication protocol designed for use in

IEEE 802.11 wireless local area network (WLAN) environments. Important features of LEAP include:

•Mutual authentication between the network infrastructure and the user

•Secure derivation of random, user-specific cryptographic session keys

•Compatibility with existing and widespread network authentication mechanisms (e.g., RADIUS)

Note Prime Access Registrar supports a subset of EAP to support LEAP. This is not a general implementation

of EAP for Prime Access Registrar.

The Cisco-Wireless or LEAP is an EAP authentication mechanism where the user password is hashed

based on an MD4 algorithm.

3-39

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

EAP-MD5

This is another EAP authentication exchange. In EAP-MD5 there is a CHAP-like exchange and the

password is hashed by a challenge from both client and server to verify the password. On successful

verification, the connection proceeds, although the connection is periodically rechallenged (per RFC

1994).

EAP-Negotiate

This is a special service used to select at runtime the EAP service to be used to authenticate the client.

It is configured with a list of candidate EAP services that represent the allowable authentication methods

in preference order.

EAP-Negotiate is useful when the client population has deployed a mix of different EAP methods that

must be simultaneously supported by Prime Access Registrar. EAP-Negotiate solves the problem of

distinguishing client requirement by using the method negotiation feature of the EAP protocol.

EAP-MSChapV2

EAP-MSChapv2 encapsulates the MSChapV2 protocol (specified by RFC 2759) and can be used either

as an independent authentication mechanism or as an inner method for PEAP Version 0 (recommended).

This is based on draft-kamath-pppext-eap-mschapv2-00.txt, an informational IETF draft document.

EAP-SIM

An access point uses the Prime Access Registrar RADIUS server to perform EAP-SIM authentication of

mobile clients. Prime Access Registrar must obtain authentication information from the HLR.

Prime Access Registrar contacts the MAP gateway that performs the MAP protocol over SS7 to the

HLR, or alternately it can contact the HLR (through STP in some cases) using the SIGTRAN-M3UA

interface. The EAP-SIM authentication service is extended to generate a Diameter message

Multimedia-Authentication-Request (MAR), with the subscriber identity(IMSI), to the HSS when it

requires the authentication vectors. The HSS sends a Diameter Mutlimedia-Authentication-Answer

(MAA) back containing the number of triplets.

EAP-Transport Level Security (EAP-TLS)

This is an authentication method (described in RFC 2716) which leverages TLS, described in RFC 2246,

to achieve certificate-based authentication of the server and the client (optionally). It provides many of

the same benefits as PEAP but differs in the lack of support for legacy authentication methods.

EAP-Transport Level Security (TLS)

This is an authentication method (described in RFC 2716) which leverages TLS, described in RFC 2246,

to achieve certificate-based authentication of the server and the client (optionally). It provides many of

the same benefits as PEAP but differs in the lack of support for legacy authentication methods.

EAP-TTLS

The Extensible Authentication Protocol Tunneled TLS (EAP-TTLS) is an EAP protocol that extends

EAP-TLS. EAP- TTLS extends the authentication negotiation EAP-TLS by using the secure connection

established by the TLS handshake to exchange additional information between client and server. It

leverages TLS (RFC 2246) to achieve certificate-based authentication of the server (and optionally the

client) and creation of a secure session that can then be used to authenticate the client using a legacy

mechanism.

EAP-TTLS is a two-phase protocol. Phase 1 conducts a complete TLS session and derives the session

keys used in Phase 2 to securely tunnel attributes between the server and the client. The attributes

tunneled during Phase 2 can be used to perform additional authentication(s) via a number of different

mechanisms.

3-40

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

The authentication mechanisms used during Phase 2 include PAP, CHAP, MS-CHAP, MS-CHAPv2, and

EAP. If the mechanism is EAP, then several different EAP methods are possible.

Table 3-14 lists and describes the fields in the EAP Services Details page. The fields listed below are the

entire list of all the available types. The fields are displayed based on the type selected.

Table 3-14 EAP Service Properties

Fields Description

Service Name Required; service name

Incoming Script Optional script Prime Access Registrar server runs when it receives

a request from a client.

Type Required; must set it to a valid Prime Access Registrar service

Outgoing Script Optional script Prime Access Registrar server runs before it sends

a response to a client

Description (optional) Optional; description of the PEAP service.

Authentication Timeout Mandatory; specifies time (in seconds) to wait before an

authentication request times out; defaults to 120.

UserService Required; name of service that can be used to authenticate using

cleartext passwords.

ServiceList List of preconfigured EAP authentication services. To navigate

between the listed attributes, use the navigation option available

adjacent to the list. See Relocating Records for more details.

Maximum Message Size Required; indicates the maximum length in bytes that a PEAP

message can have before it is fragmented.

Server Certificate File Required; the full pathname of the file containing the server’s

certificate or certificate chain used during the TLS exchange. The

pathname can be optionally prefixed with a special string that

indicates the type of encoding used for the certificate. The two valid

encoding prefixes are PEM and DER. If an encoding prefix is not

present, the file is assumed to be in PEM format.

Private Key Password Required; the password used to protect the server’s private key.

Server RSA Key File Required; the full pathname of the file containing the server’s RSA

private key. The pathname can be optionally prefixed with a special

string that indicates the type of encoding used for the certificate.

The two valid encoding prefixes are “PEM” and “DER”. If an

encoding prefix is not present, the file is assumed to be in PEM

format.

The following example assumes that the subdirectory pki under

/cisco-ar contains the server’s certificate file. The file

server-key.pem is assumed to be in PEM format. The file extension

.pem is not significant.

set ServerRSAKeyFile PEM:/cisco-ar/pki/server-key.pem

3-41

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

CRL Distribution URL Optional; enter the URL that Prime Access Registrar should use to

retrieve the CRL.You can specify a URL that uses HTTP or LDAP.

The following is an example for an HTTP URL:

<http://crl.verisign.com/pca1.1.1.crl>.

The following is an example for an LDAP URL:

ldap://209.165.200.225:388/CN=development-CA,CN=acs-west

coast2,CN=CDP,CN=Public Key

Services,CN=Services,CN=Configuration,DC=cisco,DC=com

CA Certificate File Optional; the full pathname of the file containing trusted CA

certificates used for client verification. The file can contain more

than one certificate, but all certificates must be in PEM format.

DER encoding is not allowed.

Certificate Verification Mode The value is set to optional by default. If set to RequireCertificate,

the client certificate will always be verified. If set to optional, client

certificate verification happens optionally.

CA Certificate Path The name of a directory containing trusted CA certificates (in PEM

format) used for client verification. This parameter is optional and

if it is used there are some special preparations required for the

directory it references.

Each certificate file in this directory must contain exactly one

certificate in PEM format. The server looks up the certificate files

using the MD5 hash value of the certificate’s subject name as a key.

The directory must therefore also contain a set of symbolic links

each of which points to an actual certificate file. The name of each

symbolic link is the hash of the subject name of the certificate.

For example, if a certificate file named ca-cert.pem is located in

the CACertificatePath directory, and the MD5 hash of the subject

name contained in ca-cert.path.pem is 1b96dd93, then a symbolic

link named 1b96dd93 must point to ca-cert.pem.

If there are subject name collisions such as multiple certificates

with the same subject name, each link name must be indexed with

a numeric extension as in 1b96dd93.0 and 1b96dd93.1.

Verification Depth Optional; specifies the maximum length of the certificate chain

used for client verification.

Enable Session Cache Optional; specifies whether TLS session caching (fast reconnect) is

enabled or not. Set to True to enable session caching; otherwise set

to False.

Table 3-14 EAP Service Properties (continued)

Fields Description

3-42

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Session Timeout Required; if TLS session caching (fast reconnect) is enabled,

SessionTimeout specifies the maximum lifetime of a TLS session.

Expired sessions are removed from the cache and will require a

subsequent full authentication.

SessionTimeout is specified as a string consisting of pairs of

numbers and units, where units might be one of the following: M,

Minute, Minutes, H, Hour, Hours, D, Day, Days, W, Week, Weeks,

as in the following:

Set SessionTimeout “1 Hour 45 Minutes”

UseECCCertificate Determines the applicability of the authentication mechanism in

SmartGrid Solutions.

When you check this check box, it can use the ECC, RSA, or

combination of both certificate for certificate based verification.

When you uncheck this check box, it can only use the RSA

certificate for certificate based verification. The default location to

fetch the certificate file is /cisco-ar/pki.

Authentication Service Specifies the name of the EAP-GTC service used for

authentication. The named service must have the UseLabels

parameter set to True.

User Prompt Optional string the client might display to the user; default is Enter

password:” Use the set command to change the prompt, as in the

following:

set UserPrompt “Admin Password:”

UseLabels Required; must be set to TRUE for EAP-FAST authentication and

set to FALSE for PEAP authentication. Set to FALSE by default.

SystemID Optional; string that identifies the sender of the MSChapV2

challenge message.

IsWindows7Client Optional; must be set to TRUE for EAP-MSChapV2

authentication. Set to FALSE by default.

Authority Identifier Required; a string that uniquely identifies the credential (PAC)

issuer. The client uses this value to select the correct PAC to use

with a particular server from the set of PACs it might have stored

locally.

Authority Information Required; a string that provides a descriptive text for this credential

issuer. The value can be displayed to the client for identification

purposes and might contain the enterprise or server names.

Credential Life Time Optional; specifies the maximum lifetime of a Protected Access

Credential (PAC). Clients that successfully authenticate with an

expired PAC will be reprovisioned with a new PAC.

CredentialLifetime is specified as a string consisting of pairs of

numbers and units, where units might be one of the following: M,

Minute, Minutes, H, Hour, Hours, D, Day, Days, W, Week, Weeks.

Credentials that never expire should be specified as Forever.

Table 3-14 EAP Service Properties (continued)

Fields Description

3-43

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Provision Service Required; specifies the name of the EAP-MSChapV2 service used

for provisioning.

Provision Mode Required; specifies the TLS mode used for provisioning. Clients

only support the default Anonymous mode.

Always Authenticate Optional; indicates whether provisioning should always

automatically rollover into authentication without relying on a

separate session. Most environments, particularly wireless, will

perform better when this parameter is set to True, the default value.

SubscriberDBLookup Specifies the type of communication with the HLR/HSS server.

Based on the type selected, the communication happens with the

HLR/HSS server using the diameter Wx interface, MAP protocol,

or SIGTRAN-M3UA protocol.

This field is displayed when you select the eap-sim option in the

Type field.

Subscriber_DBLookup Specifies the type of communication with the HLR/HSS server.

Based on the type selected, the communication happens with the

HLR/HSS server using the diameter Wx interface, SIGTRAN

protocol, or SIGTRAN-M3UA protocol.

This field is displayed when you select the eap-sim, eap-aka, or

eap-aka’ option in the Type field.

DestinationRealm Required. Need to configure the Diameter Remote Server for the

Realm. The role of the remote server should be Relay.

PreRequestTranslationScript Optional. Prime Access Registrar server runs before sending the

request to the Diameter remote server. The script can modify the

RADIUS packet dictionaries.

PostRequestTranslationScript Optional. Prime Access Registrar server runs before sending the

request to the Diameter remote server. The script can modify the

Diameter packet dictionaries.

PreResponseTranslationScript Optional. Prime Access Registrar server runs after receiving the

response from the Diameter remote server. The script can modify

the Diameter packet dictionaries.

PostResponseTranslationScript Optional. Prime Access Registrar server runs after receiving the

response from the Diameter remote server. The script can modify

the RADIUS packet dictionaries.

FetchAuthorizationInfo When you check this check box, it fetches MSISDN from HLR.

Table 3-14 EAP Service Properties (continued)

Fields Description

3-44

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

General tab

The details in the tab is displayed based on the eap-sim or eap-aka option you select in the Type field.

MultipleServersPolicy Required. Must be set to either Failover or RoundRobin.

When set to Failover, Prime Access Registrar directs requests to

the first server in the list until it determines the server is offline. At

that time, Prime Access Registrar redirects all requests to the next

server in the list until it finds a server that is online.

When set to RoundRobin, Prime Access Registrar directs each

request to the next server in the RemoteServers list to share the

resource load across all of the servers listed in the RemoteServers

list.

NumberOfTriplets Required; number of triplets (1, 2, or 3) to use for authentication;

default is 2.

PseudonymSecret Required; the secret string that is used as the basis for protecting

identities when identity privacy is enabled. This should be at least

16 characters long and have a value that is impossible for an

outsider to guess. The default value is secret.

Note It is very important to change PseudonymSecret from its

default value to a more secure value when identity privacy

is enabled for the first time.

PseudonymRenewtime Required; specifies the maximum age a pseudonym can have before

it is renewed. When the server receives a valid pseudonym that is

older than this, it generates a new pseudonym for that subscriber.

The value is specified as a string consisting of pairs of numbers and

units, where the units might be of the following: M, Minute,

Minutes, H, Hour, Hours, D, Day, Days, W, Week, Weeks. The

default value is “24 Hours”.

Examples are: “8 Hours”, “10 Hours 30 Minutes”, “5 D 6 H 10 M”

PseudonymLifetime Required; specifies the maximum age a pseudonym can have before

it is rejected by the server, forcing the subscriber to authenticate

using it’s permanent identity. The value is specified as a string

consisting of pairs of numbers and units, where the units might be

one of the following: M, Minute, Minutes, H, Hour, Hours, D, Day,

Days, W, Week, Weeks. It can also be Forever, in which case,

pseudonyms do not have a maximum age. The default value is

“Forever”.

Examples are: “Forever”, “3 Days 12 Hours 15 Minutes”, “52

Weeks”

ReauthenticationTimeout Required; specifies the time in seconds that reauthentication

identities are cached by the server. Subscribers that attempt to

reauthenticate using identities that are older than this value will be

forced to use full authentication instead. The default value is 3600

(one hour).

EnableReauthentication Optional; when True, the fast reauthentication option is enabled.

The default value is False.

Table 3-14 EAP Service Properties (continued)

Fields Description

3-45

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

UseProtectedResults Optional; enables or disables the use of protected results messages.

Results messages indicate the state of the authentication but are

cryptographically protected.

ReauthenticationRealm Optional; this information will be supplied later.

MaximumReauthentications Required; specifies the maximum number of times a

reauthentication identity might be reused before it must be

renewed. The default value is 16.

TripletCacheTimeout Required for eap-sim service; time in seconds an entry remains in

the triplet cache. A zero (0) indicates that triplets are not cached.

The maximum is 28 days; the default is 0 (no caching).

QuintetCacheTimeout Required for eap-aka or eap-aka’ service; time in seconds an entry

remains in the quintet cache. A zero (0) indicates that quintets are

not cached. The maximum is 28 days; the default is 0 (no caching).

QuintetGenerationScript Available for eap-aka or eap-aka’ service; script required for

quintet generation.

Authentication Timeout Required; time in seconds to wait for authentication to complete.

The default is 2 minutes; range is 10 seconds to 10 minutes.

UseSimDemoTriplets Optional; set to TRUE to enable the use of demo triplets. This must

be disabled for release builds.

AlwaysRequestIdentity Optional; when True, enables the server to obtain the subscriber’s

identity via EAP/SIM messages instead of relying on the EAP

messages alone. This might be useful in cases where intermediate

software layers can modify the identity field of the

EAP-Response/Identity message. The default value is False.

EnableIdentityPrivacy Optional; when True, the identity privacy feature is enabled. The

default value is False.

Generate3GPPCompliantPseudo

nym

Optional; the value is set to False by default. If set to TRUE then

Prime Access Registrar generates a 12 octet 3GPP compliant

pseudonym identity. The Pseudonym username identities are used

to protect the privacy of subscriber identities.

SendReAuthIDInAccept Optional; the value is set to False by default. When set to True,

Prime Access Registrar sends SN-Fast-ReAuth-UserName (Starent

VSA) in access-accept message.

Outage Script Optional; if you set this property to the name of a script,

Prime Access Registrar runs it when an outage occurs. This

property allows you to create a script that notifies you when the

RADIUS server detects a failure.

NetworkName Required for eap-aka-prime service type. Name of the access

network for which the authentication is performed. This attribute is

captured to ensure that the peer and the server know the name of the

access network for performing the EAP authentication.

MapVersion Required for SIGTRAN-M3UA remote server; select the map

version HLR supports.

Table 3-14 EAP Service Properties (continued)

Fields Description

3-46

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the EAP Services List page for the following:

•Filtering Records

•Adding EAP Service Details

•Editing Records

•Deleting Records

Adding EAP Service Details

To add new EAP service details:

Step 1 Choose Configuration > Services > EAP. The EAP Services List page is displayed.

Step 2 Click Add to add new EAP service details. The EAP Services Details page is displayed.

Step 3 Enter the relevant details.

Step 4 Click Submit to save the specified details in the EAP Services List page. Otherwise click Cancel to

return to the EAP Services List page without saving the details.

On successful creation of the EAP Service properties, the EAP Services List page is displayed else a

respective error message is displayed.

Diameter Service

Proxy agents assist in routing Diameter messages using the Diameter routing table. Diameter proxy

service works in tandem with the rule policy engine to perform the routing for multiple realms or

applications. The following are the multiple peer policies supported by the proxy service:

•RoundRobin

•FailOver

•IMSI Range Based.

Table 3-15 lists and describes the fields in the Diameter-Services page. The fields listed below are the

entire list of all the available roles. The fields are displayed based on the role selected.

DiameterInterface Select SWx or Wx to indicate the Diameter protocol to use for the

service.

ProxyService Select the diameter proxy service to use.

Remote Servers tab

Attribute Optional; list of remote RADIUS servers which are map gateways.

The remote server type must be set to map-gateway. To navigate

between the listed attributes, use the navigation option available

adjacent to the list. See Relocating Records for more details.

Table 3-14 EAP Service Properties (continued)

Fields Description

3-47

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Table 3-15 Diameter Service Properties

Fields Description

Name Required; name of the Diameter server.

Description Optional; description of the Diameter server.

Realm Required; realm of the route. Must be unique for a route table.

Role Required; specifies the role that the Diameter entity will play in

resolving messages matching the realm.

The role can be any one of the following:

Relay - Application acting as a Relay Agent.

Redirect - Application acting as a Redirect Agent.

Proxy - Application acting as a Proxy Agent. When the role is set

to Proxy, the IncomingScript and OutgoingScript points are

enabled.

Local - Application processes the requests locally. When the role is

set to Local, the AuthenticationService and AccountingService are

enabled.

By default, the Proxy option is selected. However, you can select

another option from the drop-down list.

Incoming Script Optional; enabled when role is set to Proxy or Local. When set,

must be the name of a known incoming script.

Prime Access Registrar runs the IncomingScript before proxying

the Diameter packet to the remote Diameter server.

Outgoing Script Optional; enabled when role is set to Proxy or Local. When set,

must be the name of a known outgoing script.

Prime Access Registrar runs the OutgoingScript after it receives

the response from the remote Diameter server.

Authentication Service Required; used when service is configured to process the Diameter

requests locally. Set to valid service of type (local/ldap/odbc) to

authenticate the user. This field is displayed when you select the

role type as ‘Local’ in the Role field.

AccountingService Required; used when service is configured to process the

accounting requests locally. Set to valid accounting service of

type(file/odbc-accounting) to write the accounting records. This

field is displayed when you select the role type as ‘Local’ in the

Role field.

Type Required; specifies the service type.The service type ‘Diameter’ is

automatically displayed in this field.

PEER Statements

This is displayed when you select the ‘Local’, ‘Relay’, or ‘Redirect’option in the Role field.

Name Required; name of the peer.

Host Name Required; the hostname or IP address of the peer. The hostname

must exist in the client list for the route to be active.

Metric Required; metric value for the peer entry. The higher the value the

lower the preference. The highest value of preference is 0.

3-48

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

VendorSpecific Required; the default is FALSE. If set to FALSE, the application is

ordinary application and user is prompted to enter the

ApplicationID. If set to TRUE, the application is a VendorSpecific

Application. User is prompted to enter

VendorSpecificApplicationID and VendorID.

VendorID Required; specifies the VendorID for the application.

Example:

DIAMETER 3GPP Cx APPLICATION

VendorSpecificApplicationID 16777216

VendorID 10415

VendorSpecificApplicationID Required; specifies the integer value for the vendor specific

application.

ApplicationID Required; application used in the route. The application Id should

be available in /Advanced/Diameter/Applications.

Applications

This is displayed when you select the ‘Proxy’ option in the Role field.

Name Required; name of the application.

Description The description of the application.

ApplicationID Required; specifies the unique integer value for the application. It

represents the application id of the Application used for load

balancing the Diameter messages.

EnableSticky Required; default is FALSE. If set to True, the sticky entries for

load balancing is enabled and the user is prompted to enter the

values for StickySessionKey, StickyCreationCmdList, and

StickyDeletionCmdList.

MultiplePeersPolicy Required; must be set to RoundRobin, FailOver, or

IMSIRangeBased. Policy used by the Prime Access Registrar

server to load balance the peers.

StickySessionKey Required; used as the sticky key for mapping the sticky sessions.

Set the value to a valid attribute-value pair (AVP) in order to use the

sticky key for maintaining Diameter sessions. This ensures that

Prime Access Registrar maps the request to the same server for all

the subsequent messages using the sticky key. For example, set

StickyAVP “Session-Id”.

When the Prime Access Registrar server receives the CCR-I

request, Prime Access Registrar extracts the Session-Id from the

request packet, maps the Session to the peer configured in the list,

and forwards the request to the chosen peer.

Prime Access Registrar chooses the same peer for all the

subsequent messages(CCR-Update/CCR-Terminate) with same

Session-Id.

Table 3-15 Diameter Service Properties (continued)

Fields Description

3-49

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

StickyCreationCmdList Required; specifies the command list to create the sticky entries.

Specify the list of ‘||’ separated command code, AVP name, and its

value to create the sticky sessions.

The following is the StickyCreationCmdList format:

<commandcode1>::<AVPName1=Value1> ||

<commandcode2<::<AVPName2=Value2>||<commandcode3>

For example, if the sticky session entries need to created based on

command code ‘265’or based on command code ‘271’ with

Accounting-Record-Type value as 2, use the format below:

Set StickyCreationCmdList “265||271::

Accounting-Record-Type=2”

StickyDeletionCmdList Required; specifies the command list to delete the sticky

entries.Specify the list of ‘||’ separated command code, AVP name,

and its value to delete the sticky sessions.

The following is the StickyDeletionCmdList format:

<commandcode1>::<AVPName1=Value1> ||

<commandcode2<::<AVPName2=Value2>||<commandcode3>

For example, if the sticky session entries need to deleted based on

command code ‘271’ with Accounting-Record-Type value as 4, use

the format below:

Set StickyDeletionCmdList “271::

Accounting-Record-Type=4”

PEER Definitions Proxy

Name Required; name of the peer.

Host Name Required; hostname or IP address of the peer. The HostName must

exist in the client list for the route to be active.

Metric Required; metric value for this peer entry. The higher the value the

lower the preference. The highest value of preference is 0.

Weight Required; default value is 0. Specifies the weight percentage for

which the service needs to load balance the peer.

Note When you set the weight to a value other than 0, the weight

should be in multiples of 10 and the sum of the weights

configured in the peer list should be equal to 100.

IMSIRanges Required; used for load balancing. The value is set to comma

separated values of IMSI Ranges.

For example, set IMSIRanges

“112156000000001-112156001000000,112156010000001-11215

6011000000”

Note Prime Access Registrar uses the AVP configured in

StickyAVP property to check whether the IMSI is in valid

range.

IsActive Optional; if this is set to true, the new sessions will not go to the

peer server. By default, this is set as false.

Table 3-15 Diameter Service Properties (continued)

Fields Description

3-50

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the Diameter Services List page for the following:

•Filtering Records

•Adding Diameter Service Details

•Editing Records

•Deleting Records

Adding Diameter Service Details

To add a new Diameter Service details:

Step 1 Choose Configuration > Services > Diameter. The Diameter Services page is displayed.

Step 2 Click Add to add new Diameter service details. The DIAMETER Services Details page is displayed.

Step 3 Specify the required details in the PEER Statements, Applications, and PEER Definitions Proxy

specific sections.

Step 4 Click Save DIAMETER Service to save the specified details in the Diameter Services page. Otherwise

click Cancel to return to the Diameter Services page without saving the details.

On successful creation of the Diameter Service properties, the Diameter Services page is displayed else

a respective error message is displayed.

Note You may need to enter PEER Statements, Applications, and PEER Definitions Proxy details based on

the Role that you select in the DIAMETER-Services page.

Adding the PEER Statements Details

To add new PEER Statement details:

Step 1 Click Add to add new PEER Statements details section. The fields specific to PEER Statements are

displayed.

Step 2 Specify the required details.

Step 3 Click Save to save the specified details in the PEER Statements section. Otherwise click Cancel to return

to the PEER Statements section without saving the details.

On successful creation of the Diameter Service properties, the Diameter Services page is displayed else

a respective error message is displayed.

Adding the Applications Details

To add new Application details:

Step 1 Click Add to add new Applications details in the Application List section. The fields specific to

Applications are displayed.

Step 2 Specify the required details.

3-51

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Step 3 Click Save Appln to save the specified details in the Application List section. Otherwise click Cancel

Appln to return to the Application List section without saving the details.

Adding the PEER Definitions Proxy Details

To add PEER Definitions Proxy details:

Step 1 Click Add to add new Proxy PEER Statements in the PEER Definitions Proxy section. The fields

specific to Proxy PEER Statements are displayed.

Step 2 Specify the required details.

Step 3 Click Save to save the specified details in the Proxy PEER Statements section. Otherwise click Cancel

to return to the Proxy PEER Statements section without saving the details.

CommandSets

A command set consists of commands and the action to perform during TACACS+ command

authorization. For more information on TACACS+ command authorization, see TACACS+ Support for

AAA, page 17-50.

Adding a Command Set

To add a new command set:

Step 1 Choose Configuration > Command Sets. Prime Access Registrar lists all the command sets available

in the system. You can edit or delete an existing command set.

Step 2 Click Add to add a new command set.

Step 3 Enter a name and description for the command set.

Step 4 Provide the Command Set parameters. Table 3-16 lists the parameters in the Add Command section.

Table 3-16 Command Set Parameters

Field Field Description

Action Select Permit or Deny to indicate the action to be performed on the command

during TACACS+ command authorization.

Command The command to add in the set. Example:

show

Arguments The arguments for the command. Example:

~/serial*/

Note Prime Access Registrar supports POSIX Extended Regular

Expression (ERE) for command arguments.

3-52

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Step 5 Click Add to add the new command to the set. The command details are displayed in the Commands

section. You can edit or delete a command from the list as required.

Step 6 Click Submit to save the command set details.

You can use the Command Sets page to perform the following as well:

•Filtering Records

•Editing Records

•Deleting Records

DeviceAccessRules

A device access rule consists of conditions or expressions and the applicable command sets for

TACACS+ command authorization. For more information on TACACS+ command authorization, see

TACACS+ Support for AAA, page 17-50.

Adding a Device Access Rule

To add a new device access rule:

Step 1 Choose Configuration > Device Access Rules. Prime Access Registrar lists all the device access rules

available in the system. You can edit or delete an existing device access rule.

Step 2 Click Add to add a new device access rule.

Step 3 Enter a name and description for the device access rule.

Step 4 Choose the default device access action to perform on all commands in the device access rule. Options

are Permit All or Deny All.

Step 5 In the Conditions field, include the expressions with AND or OR conditional operator.

Step 6 Select a command set from the drop-down list box and click Add. The selected command set is displayed

in the Command Set Names list box available. Click Delete to remove any command set from the list.

Step 7 Provide the expression details for the device access rule. Table 3-17 lists the parameters for adding

expressions.

Table 3-17 Expression Parameters

Field Field Description

Name Name of the expression to include in the device access rule.

Description Description of the expression.

Attribute Parameter to apply the condition on.

Value Value of the parameter.

Note Prime Access Registrar supports POSIX Extended Regular

Expression (ERE) for condition expression value property.

3-53

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Step 8 Click Add to add the expression to the list-box available in the Condition Expressions section. You can

edit or delete the expression from the list as required.

Step 9 Click Submit to save the device access rule details.

FastRules

FastRules provides a mechanism to easily choose the right authentication, authorization, accounting, and

query service(s), drop, reject, or break flows, run a script, choose a session manager and/or a chain of

fast rules required for processing a packet.

FastRules has the following capabilities:

•Provides maximum flexibility and ease in matching information in the incoming packets for

choosing the appropriate service to apply

•Provides an option to match values in AVPs based on value ranges, exact match, and simple string

comparisons using regex

•Provides easy and efficient alternative to rule/policy engine and scripting points for most common

use cases—reduces the use of external scripts to choose an appropriate service

For more information about FastRules and the workflow, see Chapter 19, “Using FastRules to Process

Packet Flow.”

Adding a Fast Rule

To add a new fast rule:

Step 1 Choose Configuration > FastRules. Prime Access Registrar lists fast rules available for RADIUS,

Diameter, and TACACS in the respective tabs. You can edit or delete an existing fast rule.

Step 2 Click Add to add a new fast rule. Table 3-18 provides the list of parameters in the FastRules Details

page.

Table 3-18 FastRules Details

Field Field Description

Name Required; name of the fast rule.

Description Optional; description of the fast rule.

Protocol Required; select the type of packet that the fast rule is applicable for from one

of the following options:

•Radius

•Diameter

•Tacacs

Condition Condition based on which the fast rule will be run on the incoming packet.

If the condition is success, enter the action to be performed in the Success

field. If the condition is failure, enter the action to be performed in the Failure

field.

3-54

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Step 3 Add Success and Failure attribute values to the Success Mapping and Failure Mapping fields in the

respective sections.

Step 4 Click Save to save the fast rules details.

Replication

The replication feature of Prime Access Registrar allows you to maintain identical configurations on

multiple machines simultaneously. It eliminates the need to have administrators with multiple Prime

Access Registrar installations, make the same configuration changes at each of their installations.

Instead, only the master's configuration must be changed and the slave is automatically configured

eliminating the need to make repetitive, error-prone configuration changes for each individual

installation. In addition to enhancing server configuration management, using replication eliminates the

need for a hot-standby machine.

Employing Prime Access Registrar's replication feature, both servers can perform RADIUS request

processing simultaneously, eliminating wasted resources. It focuses on configuration maintenance only,

not session information or installation-specific information.

Table 3-19 lists and describes the fields in the Replication Details page.

Attributes

Name Name of the attribute to include in the condition.

Description Description of the attribute.

Dictionary Select type of the dictionary variable as Environment, Request, or Response

to map the attribute to.

Table 3-18 FastRules Details

Field Field Description

Table 3-19 Replication Properties

Fields Description

General Properties tab

Replication Type Indicates the type of replication

Transaction Sync Interval (in

ms)

Duration between periodic transmission of the TransactionSync

message expressed in milliseconds. The default is 60000 or 1

minute.

Transaction Archive Limit The default setting is 100.

The value set for RepTransactionArchiveLimit should be the same

on the master and the slave.

Replication Secret The value of this setting must be identical on both the master and

the slave.

Is Master On the master, set RepIsMaster to TRUE. On the slave, set it to

FALSE.

Master IP Address Specifies the IP Address of the master.

Master Port Specifies the port to be used to send replication messages to the

master.

3-55

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the Replication Details page for the following:

•Filtering Records

•Adding Replication Details

•Adding the Replication Member Details

•Editing Records

•Deleting Records

Adding Replication Details

To add new replication details:

Step 1 Choose Configuration > Replication. The Replication Details page is displayed.

Step 2 Specify the replication details.

Step 3 Enter the Replication Member Details, if needed.

Step 4 Click Save to save the new replication details. Otherwise click Reset to restore the default values.

On successful creation of the replication details, a success message is displayed else a respective error

message is displayed.

Adding the Replication Member Details

To add new replication member details:

Step 1 Click the Replication Members tab. The List of Replication Members section is displayed.

Step 2 Enter the required details.

Step 3 Click Submit to save the new replication member details.

Replication IP Address The value is set to the IP Address of the machine containing the

Prime Access Registrar installation.

Replication Port Defaults to port1645.

Replication Members tab

Name Name of the slave. The name must be unique.

IP Address Indicates the IP Address of the slave.

Port Port upon which the master will send replication messages to the

slave.

Table 3-19 Replication Properties (continued)

Fields Description

3-56

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

RADIUSDictionary

The RADIUS dictionary passes information between a script and the RADIUS server, or between scripts

running on a single packet.

Table 3-20 lists and describes the fields in the Add Radius Attributes page. The fields listed below are

the entire list of all the available types. The fields are displayed based on the type selected.

You can use the Radius Attributes page for the following:

•Filtering Records

•Adding RADIUS Dictionary Details

•Editing Records

•Deleting Records

Adding RADIUS Dictionary Details

To add new RADIUS dictionary details:

Step 1 Choose Configuration > Radius Dictionary. The Radius Attributes page is displayed.

Step 2 Click Add to add new RADIUS dictionary details. The Add RADIUS Dictionary page is displayed.

Step 3 Enter the required details.

Table 3-20 RADIUS Dictionary Properties

Fields Description

Name Required; must be unique in the RADIUS dictionary list

Description Optional; description of the attribute

Attribute Required; must be a number between 1-255. It must be unique

within the Attribute dictionary list.

Type Required; type governs how the value is interpreted and printed.

Minimum Set to zero

Maximum Set to 253

Enum Number Enums allow you to specify the mapping between the value and the

strings. After you have established this mapping,

Prime Access Registrar then replaces the number with the

appropriate string. The min/max properties represent the lowest to

highest values of the enumeration.

Enum Equivalent The value can range from 1 through 255. Click the Add button to

save the details and list it in the Enums list. To navigate between the

listed attributes, use the navigation option available adjacent to the

list. See Relocating Records for more details. To delete the available

attributes, select the relevant attribute and click the Delete button

below.

Tag The tag number value can range from 0 through 31. The default

value is zero.

3-57

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Step 4 Click Submit to save the specified details in the Radius Attributes page. Otherwise click Cancel to

return to the Radius Attributes page without saving the details.

On successful creation of the Radius Attributes, the Radius Attributes page is displayed else a respective

error message is displayed.

VendorDictionary

The vendor dictionary allows the user to maintain the attributes of the vendor with respect to vendor id,

vendor type and the attributes required to support the major NAS.

Table 3-21 lists and describes the fields in the Add Vendor Dictionary page. The fields listed below are

the entire list of all the available types. The fields are displayed based on the type selected.

You can use the Vendor Dictionary page for the following:

•Filtering Records

•Adding Vendor Dictionary Details

Table 3-21 Vendor Dictionary Properties

Fields Description

Name Required; must be unique in the Vendor dictionary list

Description Optional; description of the attribute

Vendor ID Required; must be a valid number and unique within the entire

attribute dictionary

Type Required; type governs how the value is interpreted and printed.

Minimum Optional; set to zero

Maximum Optional; set to 253

Enum Number Optional; enums allow you to specify the mapping between the

value and the strings. After you have established this mapping,

Prime Access Registrar then replaces the number with the

appropriate string. The min/max properties represent the lowest to

highest values of the enumeration.

Enum Equivalent Optional; the value can range from 1 through 255. Click the Add

button to save the details and list it in the Enums list. To navigate

between the listed attributes, use the navigation option available

adjacent to the list. See Relocating Records for more details. To

delete the available attributes, select the relevant attribute and click

the Delete button below.

Tag Optional; the tag number value can range from 0 through 31. The

default value is zero.

Vendor Size Optional; set the vendor size to 8, 16, or 32 bit

HasSubAttributeLengthField Optional; indicates that the value field of the attribute has the length

field for the sub attribute.

3-58

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

•Editing Records

•Deleting Records

Adding Vendor Dictionary Details

To add new vendor dictionary details:

Step 1 Choose Configuration > Vendor Dictionary. The Vendor Attributes page is displayed.

Step 2 Click Add to add new Vendor dictionary details. The Add Vendor Dictionary page is displayed.

Step 3 Enter the required details.

Step 4 Click Submit to save the specified details in the Vendor Attributes page. Otherwise click Cancel to

return to the Vendor Attributes page without saving the details.

On successful creation of the vendor dictionary details, the Vendor Attributes page is displayed else a

respective error message is displayed.

Note After adding new vendor dictionary details, you can add vendor attributes details. Or you can

also add vendor attributes details by clicking the link in the vendor dictionary list, see Adding

Vendor Attributes for details.

Vendor Attributes

Vendor-specific attributes are included in specific RADIUS packets to communicate prepaid user

balance information from the Prime Access Registrar server to the AAA client, and actual usage, either

interim or total, between the NAS and the Prime Access Registrar server.

Table 3-22 lists and describes the fields in the Add Vendor Attributes page.

Table 3-22 Vendor Attribute Properties

Fields Description

Name Required; must be unique in the Vendor attribute list

Description Optional; description of the attribute

Attribute Required; must be a valid number and unique within the entire

attribute dictionary

Type Required; type governs how the value is interpreted and printed.

Minimum Optional; set to zero

Maximum Optional; set to 253

3-59

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the Vendor Attributes page for the following:

•Filtering Records

•Adding Vendor Attributes

•Editing Records

•Deleting Records

Adding Vendor Attributes

To add new Vendor attributes:

Step 1 Choose Configuration > Vendor Dictionary. The Vendor Attributes page is displayed.

Step 2 Click the Vendor name link. The Vendor Attributes page is displayed.

Step 3 Click Add to add new Vendor attributes. The Add Vendor Attributes page is displayed.

Step 4 Enter the required details.

Step 5 Click Submit to save the specified details in the Vendor Attributes page. Otherwise click Cancel to

return to the Vendor Attributes page without saving the details.

On successful creation of the vendor attributes, the Vendor Attributes page is displayed else a respective

error message is displayed.

Enum Number Optional; enums allow you to specify the mapping between the

value and the strings. After you have established this mapping,

Prime Access Registrar then replaces the number with the

appropriate string. The min/max properties represent the lowest to

highest values of the enumeration.

Enum Equivalent Optional; the value can range from 1 through 255. Click the Add

button to save the details and list it in the Enums list. To navigate

between the listed attributes, use the navigation option available

adjacent to the list. See Relocating Records for more details. To

delete the available attributes, select the relevant attribute and click

the Delete button below.

Tag Optional; the tag number value can range from 0 through 31. The

default value is zero.

Table 3-22 Vendor Attribute Properties (continued)

Fields Description

3-60

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Vendors

The Vendor object provides a central location for specifying all of the request and response processing

a particular NAS or Proxy vendor requires. Depending on the vendor, it might be necessary to map

attributes in the request from one set to another, or to filter out certain attributes before sending the

response to the client. For more information about standard RADIUS attributes, see Chapter C,

“RADIUS Attributes.”

Note When you have also set /Radius/IncomingScript, Cisco Prime Access Registrar runs that script before

the vendor’s script. Conversely, when you have set a /Radius/Outgoing script,

Cisco Prime Access Registrar runs the vendor’s script before that script.

Table 3-23 lists and describes the fields in the Add Vendor page.

You can use the Vendors page for the following:

•Filtering Records

•Adding Vendor Details

•Editing Records

•Deleting Records

Adding Vendor Details

To add new Vendor details:

Step 1 Choose Configuration > Vendors. The Vendors page is displayed.

Step 2 Click Add to add new Vendor details. The Add Vendor page is displayed.

Step 3 Enter the required details.

Step 4 Click Submit to save the specified details in the Vendors page. Otherwise click Cancel to return to the

Vendors page without saving the details.

On successful creation of the vendor details, the Vendors page is displayed else a respective error

message is displayed.

Table 3-23 Vendor Properties

Fields Description

Name Required; must be unique in the Vendors list.

IncomingScript Optional; when you specify an IncomingScript,

Cisco Prime Access Registrar runs the script on all requests from clients

that specify that vendor.

Description Optional; description of the vendor.

OutgoingScript Optional; when you specify an OutgoingScript,

Cisco Prime Access Registrar runs the script on all responses to the

Client.

3-61

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Translations

Translations add new attributes to a packet or change an existing attribute from one value to another.

The Translations subdirectory lists all definitions of Translations the RADIUS server can apply to

certain packets.

Under the /Radius/Translations directory, any translation to insert, substitute, or translate attributes can

be added. The following is a sample configuration under the /Radius/Translations directory:

cd /Radius/Translations

Add T1

cd T1

Set DeleAttrs Session-Timeout,Called-Station-Id

cd Attributes

Set Calling-Station-Id 18009998888

DeleAttrs is the set of attributes to be deleted from the packet. Each attribute is comma separated and

no spaces are allowed between attributes. All attribute value pairs under the attributes subdirectory are

the attributes and values that are going to be added or translated to the packet.

Under the /Radius/Translations/T1/Attributes directory, inserted or translated attribute value pairs can

be set. These attribute value pairs are either added to the packet or replaced with the new value.

If a translation applies to an Access-Request packet, by referencing the definition of that translation, the

Prime Access Registrar server modifies the Request dictionary and inserts, filters, and substitutes the

attributes accordingly. You can set many translations for one packet and the Prime Access Registrar

server applies these translations sequentially.

Note Later translations can overwrite previous translations.

Table 3-24 lists and describes the fields in the Add Translations page.

Table 3-24 Translations Properties

Fields Description

General Properties tab

Name Required; must be unique in the Translations list.

Description Optional; description of the Translation

Attribute Type Optional; select either RADIUS or VENDOR. If Vendor is selected, specify

the vendor type from the drop-down list. Select the attributes from the

available list. To navigate between the listed attributes, use the navigation

option available adjacent to the list. See Relocating Records for more details.

Attributes tab

Attribute Type Optional; select either RADIUS or VENDOR. If Vendor is selected, specify

the vendor type from the drop-down list.

3-62

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the Translations page for the following:

•Filtering Records

•Adding Translation Details

•Editing Records

•Deleting Records

Adding Translation Details

To add new translation details:

Step 1 Choose Configuration > Translations. The Translations page is displayed.

Step 2 Click Add to add new translations details. The Add Translations page is displayed.

Step 3 Enter the required details.

Step 4 Click Add Translation to save the specified details in the Translations page. Otherwise click Cancel to

return to the Translations page without saving the details.

On successful creation of the translation details, the Translations page is displayed else a respective error

message is displayed.

TranslationGroups

You can add translation groups for different user groups under TranslationGroups. All Translations

under the Translations subdirectory are applied to those packets that fall into the groups. The groups are

integrated with the Prime Access Registrar Rule engine.

The Prime Access Registrar Administrator can use any RADIUS attribute to determine the Translation

Group. The incoming and outgoing translation group can be different translation groups. For example,

you can set one translation group for incoming translations and one for outgoing translations.

Under the /Radius/TranslationGroups directory, translations can be grouped and applied to certain sets

of packets, which are referred to in a rule. The following is a sample configuration under the

/Radius/TranslationGroups directory:

Attribute Name Optional; based on the Attribute Type selected, the attribute name is

automated. Set the relevant name for the attribute type selected.

Attribute Value Optional; set the value for the selected attribute. Click the Add button to save

the details and list it in Radius and Value list. To navigate between the listed

attributes, use the navigation option available adjacent to the list. See

Relocating Records for more details. To delete the available attributes, select

the relevant attribute and click the Delete button below.

Table 3-24 Translations Properties (continued)

Fields Description

3-63

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

cd /Radius/TranslationGroups

Add CiscoIncoming

cd CiscoIncoming

cd Translations

Set 1 T1

The translation group is referenced through the Prime Access Registrar Policy Engine in the

/Radius/Rules/<RuleName>/Attributes directory. Incoming-Translation-Groups are set to a

translation group (for example CiscoIncoming) and Outgoing-Translation-Groups to another

translation group (for example CiscoOutgoing).

Table 3-25 lists and describes the fields in the Add Translation Groups page.

You can use the Translation Groups page for the following:

•Filtering Records

•Adding Translation Group Details

•Editing Records

•Deleting Records

Adding Translation Group Details

To add new translation group details:

Step 1 Choose Configuration > TranslationGroups. The Translation Groups page is displayed.

Step 2 Click Add to add new translation group details. The Add TranslationGroup page is displayed.

Step 3 Enter the required details.

Step 4 Click Add TranslationGroup to save the specified details in the Translation Groups page. Otherwise

click Cancel to return to the Translation Groups page without saving the details.

On successful creation of the translation group details, the Translation Groups page is displayed else a

respective error message is displayed.

Table 3-25 TranslationGroups Properties

Fields Description

Name Required; must be unique in the Translations list.

Description Optional; description of the Translation Group.

Translations Optional; lists of translation. To navigate between the listed attributes, use

the navigation option available adjacent to the list. See Relocating Records

for more details.

3-64

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Diameter

Diameter is a computer networking protocol for Authentication, Authorization and Accounting (AAA).

It is a successor to RADIUS or an enhanced version of the RADIUS protocol. It includes numerous

enhancements in all aspects, such as error handling and message delivery reliability. It extracts the

essence of the AAA protocol from RADIUS and defines a set of messages that are general enough to be

the core of the Diameter Base protocol. The various applications that require AAA functions can define

their own extensions on top of the Diameter base protocol, and can benefit from the general capabilities

provided by the Diameter base protocol.

The following sections can be used to configure Diameter transport management properties, session

management properties, add new application, commands associated with it and application specific

AV P s :

•General

•Session Management

•Applications

•Commands

•DiameterAttributes

General

This section explains how to set Diameter general configuration such as product name, version, and

transport management properties.

Setting General Diameter Parameters

Table 3-26 lists and describes the fields in the General Diameter Properties page.

Table 3-26 General Diameter Properties

Fields Description

General section

Product Optional; name of the product.

AuthApplicationIdList Specifies the list of AuthApplications that the

Prime Access Registrar server registers to Diameter Base

stack during start up. It is a combination of Auth Applica-

tionId's separated by a colon.

Version Optional; version number.

AcctApplicationIdList Specifies the list of AcctApplications that the

Prime Access Registrar server registers to Diameter Base

stack during start up. It is a combination of Acct Applica-

tionId's separated by a colon.

Transport Management section

Identity Required; identity of the system on which Diameter appli-

cation is running. Must be set to a valid resolvable string.

Realm Required; must be set to a valid Realm in the domain.

3-65

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Setting Up the General Diameter Parameters

To set up the general Diameter parameters:

Step 1 Choose Configuration > Diameter > General. The General Diameter page is displayed.

EnableIPV6 Required; if set to TRUE it enables IPV6 for the Diameter

application.

WatchdogTimeout Required; specifies the time interval between watch dog

messages.

TCPListenPort Required; port number on which the

Prime Access Registrar server listens for TCP peer con-

nections.

SCTPListenPort Required; port number on which the

Prime Access Registrar server listens for SCTP peer con-

nections.

ValidateIncomingMessages Check the box to validate incoming messages.

ValidateOutgoingMessages Check the box to validate outgoing messages.

MaximumNumberofDiameterPackets Required; the maximum number of Diameter packets that

can be processed.

DiameterPacketSize Required; the Diameter packet size that can be processed.

ReconnectInterval Required; specifies the time interval between which

Prime Access Registrar server attempts to connect to a dis-

connected peer. If set to 0, then no attempt will be made to

connect to a disconnected peer.

MaxReconnections Required; specifies the number of times

Prime Access Registrar server tries to make a reconnection

attempt. If set to 0, then no attempt will be made to recon-

nect.

RequestRetransmissionInterval Required; the time for which retransmission of pending

requests will be done. If set to 0, then no attempt will be

made to retransmit.

MaxRequestRetransmissionCount Required, maximum number of times

Prime Access Registrar server tries to retransmit a pending

request. If set to 0, then no attempt will be made to retrans-

mit.

Receive BufferSize Required; initial size of buffer that is preallocated for

message reception.

AdvertisedHostName Optional, specifies the local hostname address that will be

advertised by the Prime Access Registrar server to other

peers during CER/CEA exchange.

For example:

AdvertisedHostNames = toby-ar1.cisco.com

Table 3-26 General Diameter Properties (continued)

Fields Description

3-66

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Step 2 Specify the required details.

Step 3 Click Set to save the specified details.

On successful creation of the general Diameter parameters, a success message is displayed else a

respective error message is displayed.

Session Management

Diameter Base protocol stack provides the functionality of Session Management. Base Stack maintains

sessions separately for authentication and accounting messages. Session-Id AVP is used to identify the

user session.

Table 3-27 lists and describes the fields in the Session Management page.

Table 3-27 Session Management Properties

Fields Description

Session Management section

MaxNumberOfSessions Required; specifies the maximum number of concurrent

Diameter sessions the Prime Access Registrar server will

maintain. These sessions include both Auth and Acct

sessions.

AuthSessions section

EnableStatefulSessions If set to TRUE, the server will enforce stateful sessions and

the client will hint for stateful sessions. Default Value is

TRUE. Set the property to FALSE to disable stateful

sessions.

AuthSessionTimeout Required; specifies the timeout in seconds before a session

requires reauthentication.

LifeTimeTimeout Required; specifies the timeout in seconds before a session

is terminated regardless of whether the session has been re-

authenticated.

GracePeriodTimeout Required; specifies the grace period after the life timeout

and before the full termination of the session.

AbortRetryTimeout Required; specifies the timeout between the subsequent

Abort Session Request (ASR) messages if the initial

attempt fails.

AcctSessions section

AcctSessionTimeout Required; specifies the timeout in seconds before a session

requires reauthentication.

InterimInterval Required; specifies the interim interval dictated to the

client if the entity is a server or hint to the server if the

entity is a client.

RealTime Required; RealTime value dictated to the client.

3-67

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Setting Session Management Properties

To set up the session management properties:

Step 1 Choose Configuration > Diameter>SessionManagement. The Session Management page is displayed.

Step 2 Enter the required details and click Set.

On successful creation of the parameters, a success message is displayed else a respective error message

is displayed.

Applications

A Diameter application is not a software application, but a protocol based on the Diameter base protocol

(defined in RFC 6733). Each application is defined by an application identifier and can add new

command codes and/or new mandatory AVPs.

When you click the Add button in the Applications page, the Application Details page is displayed.

Table 3-28 lists and describes the fields in the Application Details page.

Table 3-28 Diameter Application Properties

Fields Description

Name Required; name of the application.

Description Optional; description of the application.

VendorSpecific Required; the default is FALSE. If set to FALSE, the application is

ordinary application and user is prompted to enter the ApplicationID.

If set to TRUE, the application is a VendorSpecific Application. User

is prompted to enter VendorSpecificApplicationID and VendorID.

AuthApplication Required; if set to TRUE the application represents AuthApplication

else it represents Accounting Application.

Application ID Required; specifies the unique integer value for the application.

The following are examples of Diameter application:

NASREQ 1

Mobile-IP 2

Diameter Base Accounting 3

Note ApplicationId property must be set to 0 for Base Protocol.

VendorSpecificApplicationID Required; specifies the integer value for the vendor specific applica-

tion.

VendorID Required; specifies the VendorID for the application.

Example:

DIAMETER 3GPP Cx APPLICATION

VendorSpecificApplicationID 16777216

VendorID 10415

3-68

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the Applications page for the following:

•Filtering Records

•Adding Diameter Application Details

•Commands

•Editing Records

•Deleting Records

Adding Diameter Application Details

To add new Diameter application details:

Step 1 Choose Configuration > Diameter > Applications. The Applications page is displayed.

Step 2 Click Add. The Application Details page is displayed.

Step 3 Enter the relevant details.

Step 4 Click Add Application to save the specified details in the Application Details page. Otherwise click

Cancel to return to the Applications page without saving the details.

On successful creation of the Applications details, a success message is displayed else a respective error

message is displayed.

Commands

Each command in Diameter is associated with a command code. The command can be a request

command or an answer command which is identified by the 'R' bit in the Command Flags field of the

Diameter header.

When you click the Add button in the commands page, the Command Details page is displayed.

Table 3-29 lists and describes the fields in the Command Details page.

ApplicationURI Optional; specifies the URI of the Application.

Eg: "ftp://ftp.ietf.org/internet-drafts/draft-ietf-aaa-diameter-nasreq-

12.txt"

Commands Required; an indexed list from 1 to <n>. Each entry in the list is the

name of the command. It specifies the list of commands associated

with the application.

To navigate between the listed attributes, use the navigation option

available adjacent to the list. See Relocating Records for more

details.

Table 3-28 Diameter Application Properties (continued)

Fields Description

3-69

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can click the Add button in the Command Details page to add the AVP details. Table 3-30 lists and

describes the fields displayed on clicking the Add button.

Adding Diameter Commands

To add the Diameter commands:

Step 1 Choose Configuration > Diameter > Commands. The Commands page is displayed.

Step 2 Click Add. The Add Commands page is displayed.

Step 3 Enter the relevant details.

Step 4 Click the required tab and click Add to enter the AVP details.

Table 3-29 Diameter Commands Properties

Fields Description

Name Required; name of the command.

Description Optional; description of the command.

Command Code Required; specifies the integer code of the command.

EnableProxyBit Required; default is TRUE. When enabled it represents the message

is proxiable.

RequestFixed tab Defines the fixed position of AVP in a request message.

RequestRequired tab The AVP must be present and can appear anywhere in the request

message.

RequestOptional tab The AVP name in optional cannot evaluate to any avp name which is

included in a fixed or required directory. The avp can appear

anywhere in the request message.

AnswerFixed tab Defines the fixed position of AVP in the answer message.

AnswerRequired tab The AVP must present and can appear anywhere in the answer

message.

AnswerOptional tab The AVP name in optional cannot evaluate to any avp name which is

included in a fixed or required directory. The avp can appear

anywhere in the answer message.

Table 3-30 Request/Answer Msg AVP Properties

Fields Description

Name Required; name of the AVP.

Description Optional; description of the AVP.

Min Specifies the minimum number of times AVP element may be present

in a request. The default value is 0.

Max Specifies the maximum number of times the element may present in

a request. A value of zero implies AVP is not present in the request.

3-70

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Step 5 Click Save to save the AVP details or click Cancel to exit the page without saving the details.

Step 6 Click Add Command to save the specified details in the Add Commands page. Otherwise click Cancel

to return to the Commands page without saving the details.

The Commands page is displayed with the newly added details or a respective error message is

displayed.

DiameterAttributes

You can define the attributes to use in the Diameter EAP application.

Table 3-31 lists and describes the fields in the DiameterAttributes page.

Adding Diameter Attributes

To add the Diameter attributes:

Step 1 Choose Configuration > Diameter > DiameterAttributes. The DiameterAttributes page is displayed.

Step 2 Click Add.

Step 3 Provide the relevant details as explained in Table 3-31.

Step 4 Click Add DiameterAttributes to save the specified details. Otherwise click Cancel to return to the

previous page without saving the details.

The DiameterAttributes page is displayed with the newly added details or a respective error message is

displayed.

Table 3-31 Diameter Attributes Properties

Fields Description

Name Required; name of the attribute.

Description Optional; description of the attribute.

Attribute Required; attribute value.

VendorID Required; Vendor ID of the Diameter application.

Mandatory Indicates whether the attribute is mandatory or not. Options are May,

Must, and MustNot.

May-Encrypt Choose Yes or No to indicate whether the attribute value can be

encrypted or not.

Protected Indicates whether the attribute value is protected or not. Options are

May, Must, and MustNot.

Type Choose the type of the attribute.

Minimum Minimum value for the attribute.

Maximum Maximum value for the attribute.

3-71

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Advanced

Advanced objects allow configuring system-level properties and the Attribute dictionary. Under normal

system operation, the system-level properties should not be changed.

The following list helps you in defining the system-level properties and attribute dictionary:

•Default

•BackingStore/ServerParam

•RemoteSessionServer

•SNMP

•DDNS

•ODBC DataSources

•Log

•Ports

•Interfaces

•Attribute Groups

Default

This feature of GUI allows you in configuring the default values for other functionalists of GUI. The

configurations set in this feature reflects on all the other features.

Table 3-32 lists and describes the fields in the Default Advanced Details page.

Table 3-32 Default Configuration Details

Fields Description

Default section

AAAFileServiceSyncInterval Required; specified in milliseconds, the default is 75. This property

governs how often the file AAA service processes accounting

requests and writes the accounting records to the file. You can lower

the number to reduce the delay in acknowledging the Account-Re-

quest at the expense of more frequent flushing of the accounting file

to disk. You can raise the number to reduce the cost of flushing to

disk, at the expense of increasing the delays in acknowledging the

Accounting-Requests. The default value was determined to provide

a reasonable compromise between the two alternatives.

RemoteRadiusServerInterface When set, specifies the local interface to bind to when creating the

RemoteRadiusServer socket. If not set, the Prime Access Registrar

binds to IPADDR_ANY.

MaximumNumberOfXML-

Packets

Required when using identity caching. Indicates the maximum

number of XML packets to be sent or received. The minimum value

is 1 and the maximum is a 32-bit unsigned integer. The default is

1024.

3-72

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

MaximumODBCResultSize Required; specifies maximum size in bytes for an ODBC mapping.

This parameter affects both ODBC result sizes and the trace log

buffer for tracing script calls that access any of the dictionaries.

(Default value is 256.)

XMLUDPPacketSize Required when using identity caching. Indicates the maximum size

of XML packets to be sent or received. The minimum value is 1 and

the maximum is a 32-bit unsigned integer. The default is 4096.

InitialBackgroundTim-

erSleepTime

Required; the default is 5. This property specifies the amount of time

the time queue should initially sleep before beginning processing.

This property is only used for initial synchronization and should not

be changed.

RemoteLDAPServerThread-

TimerInterval

Required; specified in milliseconds, the default is 10. This property

governs how often the ldap RemoteServer thread checks to see if any

results have arrived from the remote LDAP server. You can modify it

to improve the throughput of the server when it proxies requests to a

remote LDAP server.

AdvancedDuplicateDetec-

tionMemoryInterval

Required when the Advanced Duplicate Detection feature is enabled.

This property specifies how long (in milliseconds)

Cisco Prime Access Registrar should remember a request. You must

specify a number greater than zero. The default is 10,000.

RollingEncryptionKey-

ChangePeriod

Used in conjunction with the session-cache ResourceManager, this

property specifies the length of time a given EncryptionKey will be

used before a new one is created. When the session-cache Resource-

Manager caches User-Password attributes, Prime Access Registrar

encrypts the User-Password so it is not stored in memory or persisted

on disk in clear text. Prime Access Registrar uses up to 255 encryp-

tion keys, using a new one after each RollingEncryptionKeyChange-

Period expires. If RollingEncryptionKeyChangePeriod is set to 2

days, Prime Access Registrar will create and begin using a new En-

cryptionKey every two days. The oldest key will be retired, and

Prime Access Registrar will re-encrypt any User-Passwords that used

the old key with the new key. This way, if the RollingEncryptionKey-

ChangePeriod is set to 1 day, no key will be older than 255 days.

DefaultReturnedSubnetSi-

zeIfNoMatch

Optional; used with the ODAP feature and reflects the returned size

of the subnet if no matched subnet is found. There are three options

to select if an exactly matched subnet does not exist: Bigger, Smaller,

and Exact. The default is Bigger.

ODBCEnvironmentMultiVal-

ueDelimiter

Optional; allows you to specify a character that separates multivalued

attributes in the marker list when using Oracle (or ODBC) accounting

RemoteSigtranServerThread-

TimerInterval

Required; specified in milliseconds, the default is 10. This property

governs how often the sigtran RemoteServer thread checks to see if

any results have arrived from the remote HLR/AuC server. You can

modify it to improve the throughput of the server when it proxies

requests to a remote sigtran server.

AdditionalNativeOracleEr-

rors

Optional; 5 digit Oracle native error in order to disconnect the

ODBC/OCI remote servers.

Table 3-32 Default Configuration Details (continued)

Fields Description

3-73

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

AR Flags section

HideSharedSecretAndPri-

vateKeys

Optional; the default value is TRUE.

The HideSharedSecretAndPrivateKeys property hides:

•The secret that is shared between a RADIUS Client and a

RADIUS Server or between two RADIUS servers in a RADIUS

proxy scenario.

•The PrivateKeyPassword under the certificate-based EAP

services.

When this property is set to TRUE, the following properties are

displayed as <encrypted>:

•PrivateKeyPasswords in:

–

peap-v0 service

–

peap-v1 service

–

eap-tls service

–

eap-ttls service

–

eap-fast service

•SharedSecret in:

–

RemoteServers of type RADIUS

–

RemoteServers of type map-gateway

–

Clients object

–

Resource Manager of type usr-vpn under Gateway subobject

•PseudonymSecret in eap-sim service

•DynamicAuthSecret under DynamicAuthorizationServer subject

in Clients object

•RepSecret under Replication

•Secret in /radius/advanced/DDNS/TSIGKeys

When the value for this property is set to FALSE, all the above prop-

erties are displayed in clear text.

ListenForDynamicAuthoriza-

tionRequests

Must be set to TRUE when using the Change of Authorization (CoA)

feature or Packet of Disconnect (POD) feature. Default is FALSE.

RequireNASsBehindProxy-

BeInClientList

Optional; the default is FALSE. If you accept the default,

Cisco Prime Access Registrar only uses the source IP address to

identify the immediate client that sent the request. Leaving it FALSE

is useful when this RADIUS Server should only know about the

proxy server and should treat requests as if they came from the proxy

server. This might be the case with some environments that buy bulk

dial service from a third party and thus do not need to, or are unable

to, list all of the NASs behind the third party’s proxy server. When

you set it to TRUE, you must list all of the NASs behind the Proxy in

the Clients list.

Table 3-32 Default Configuration Details (continued)

Fields Description

3-74

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

UseAdvancedDuplicateDe-

tection

Required; the default is FALSE. Set this property to TRUE when you

want Cisco Prime Access Registrar to use a more robust duplicate

request filtering algorithm.

DetectOutOfOrderAccount-

ingPackets

Optional; used to detect accounting packets that arrive out of sequen-

tial order. The default is FALSE. This property is useful when using

accounting and session management in a RADIUS proxy service.

When the DetectOutOfOrderAccountingPacket property is enabled

(set to TRUE), a new Class attribute is included in all outgoing

Accept packets. The value for this Class attribute will contain the

session magic number. The client will echo this value in the account-

ing packets, and this will be used for comparison.

The session magic number is a unique number created for all sessions

when the session is created or reused and the DetectOutOfOrderAc-

countingPacket property is set to TRUE. The DetectOutOfOrderAc-

countingPacket property is used to detect out-of-order

Accounting-Stop packets in roaming scenarios by comparing the

session magic number value in the session with the session magic

number value contained in the Accounting packet.

The value of 0xffffffff is considered by the Prime Access Registrar

server to be a wild card magic number. If any accounting stop packets

contain the value of 0xffffffff, it will pass the session magic valida-

tion even if the session’s magic number is something else.

The format of the class attribute is as follows:

<4-byte Magic Prefix><4-byte server IP address><4-byte Magic

value>

Java and EAP Parameters section

ClasspathForJavaExtensions A string which is the classpath to be used to locate Java classes and

jar files containing the classes required for loading the Java exten-

sions, either Java extension points or services.

Note The classpath will always contain the directory $INSTALL-

DIR/scripts/radius/java and all of the jar files in that direc-

tory.

JavaVMOptions A string that can contain options to be passed to the JRE upon startup.

JavaVMOptions should be used only when requested by Cisco TAC.

Table 3-32 Default Configuration Details (continued)

Fields Description

3-75

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Setting Default Configuration

To set up the default configuration details:

Step 1 Choose Configuration > Advanced > Default. The Default Advanced Details page is displayed.

Step 2 Enter the relevant details.

Step 3 Click Set to save the specified details in the Default Advanced Details page. Otherwise, click Reset to

restore the default values. On successful creation of the default configurations, a success message is

displayed else a respective error message is displayed.

BackingStore/ServerParam

The Backing Store is a Parsing Tool which helps you in analyzing the session backing store files. It

retrieves the information on RADIUS sessions, clears phantom sessions details manually and processes

the binary log files information to user-readable format.

The Server parameters are set to configure objects to remote server using the relevant aregcmd

commands.

EapBadMessagePolicy Set to one of two values: SilentDiscard (the default) or RejectFailure.

When set to SilentDiscard, the Prime Access Registrar server silently

discards and ignores bad EAP messages unless the protocol specifi-

cation explicitly requires a failure message.

When set to RejectFailure, the Prime Access Registrar server sends

RADIUS Access-Rejects messages with embedded EAP-Failure in

response to bad EAP messages as described in Internet RFC 3579.

CertificateDBPath Required if you are using an LDAP RemoteServer and you want

Prime Access Registrar to use SSL when communicating with that

LDAP RemoteServer. This property specifies the path to the

directory containing the client certificates to be used when establish-

ing an SSL connection to an LDAP RemoteServer. This directory

must contain the cert7.db and cert5.db certificates and the key3.db

and key.db files database used by Netscape Navigator 3.x (and

above) or the ServerCert.db certificate database used by Netscape

2.x servers.

Table 3-32 Default Configuration Details (continued)

Fields Description

3-76

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Table 3-33 lists and describes the fields in the Backing/ServerParam Advanced Details page.

Table 3-33 BackingStore/ServerParameter Properties

Fields Description

Backing Store section

SessionBackingStoreSyncInterval Sessions will be written to the backing store at this interval

PacketBackingStoreSyncInterval The minimum value is 1 and the maximum is a 32-bit

unsigned integer. The default is 75.

SessionBackingStorePruneInterval Required; specifies the sleep time interval of the session

backing store pruning thread. The recommended and

default value is 6 hours, but you can modify this based on

the traffic patterns you experience.

With SessionBackingStorePruneInterval set to 6 hours,

pruning will occur 6 hours after you restart or reload the

Prime Access Registrar server and recur every 6 hours.

You can set a very low value for this property to make

pruning continuous, but there might not be enough data ac-

cumulated for the pruning to occur and pruning might be

less effective compared to the default setting.

PacketBackingStorePruneInterval Required; specifies the sleep time interval of the packet

backing store pruning thread. The recommended value is 6

hours, but you can modify this based on the traffic patterns

you experience.

When PacketBackingStorePruneInterval is set to 6 hours,

pruning will occur 6 hours after you restart or reload the

Prime Access Registrar server and recur every 6 hours.

You can set a very low value for this property to make

pruning continuous, but there might not be enough data ac-

cumulated for the pruning to occur and pruning might be

less effective compared to the default setting.

BackingStoreDiscThreshold Required; the default is 10 gigabytes. The value of Back-

ingStoreDisc-

Threshold is made up of a number of units which can be K,

kilobyte, or kilobytes, M, megabyte, or megabytes, or G,

gigabyte, or gigabytes.

BackingStoreDiscThreshold is used with session manage-

ment and ODBC accounting and ensures that any data log

files generated will not cross the BackingStoreDiscThresh-

old.

3-77

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

SessionPurgeInterval Optional; the SessionPurgeInterval property determines

the time interval at which to check for timed-out sessions.

If no value is set, the session timeout feature is disabled.

The checks are performed in the background when system

resources are available, so checks might not always occur

at the exact time set.

The minimum recommended value for SessionPurgeInter-

val is 60 minutes. The SessionPurgeInterval value is

comprised of a number and a units indicator, as in n units,

where a unit is one of minutes, hours, days, or weeks.

StaleSessionTimeout Required; the default value is “1 hour.” Specifies the time

interval to maintain a session when a client does not

respond to Accounting-Stop notification.

When the Prime Access Registrar server does not receive

an Accounting-Response from a client after sending an Ac-

counting-Stop packet, Prime Access Registrar maintains

the session for the time interval configured in this property

before releasing the session.

This property is stored as a string composed of two parts: a

number and a unit indicator (<n> <units>) similar to the

MaxFileAge property where the unit is one of: M, Minute,

Minutes, H, Hour, Hours, D, Day, Days, W, Week, or

Weeks.

NumberOfRadiusIdentifiersPerSocket This represents the number of RADIUS Identifiers that

Prime Access Registrar can use per source port, while

proxying requests to remote servers.

To use a different source port for every request that is

proxied, you need to set the value of this property to one.

EnableStickySessionCount Required; either True or False and the default value is True.

When set to True, Prime Access Registrar displays the peer

specific stats showing the number of sticky sessions asso-

ciated with a peer for Diameter proxy service in name_ra-

dius_log file.

StickySessionCountInterval Required; specified in milliseconds and the default is

60000. When the EnableStickySessionCount is set to True,

this field specifies how often the Diameter proxy service

will display the number of sticky sessions associated with

a peer.

StickySessionSyncInterval Required; specified in milliseconds and the default value is

500. Specifies how often the Diameter proxy service will

write the sticky sessions to a file located in /cis-

co-ar/temp/__sticky_sessions_store location.

Table 3-33 BackingStore/ServerParameter Properties (continued)

Fields Description

3-78

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Server Parameters section

MaximumNumberOfRadiusPackets Required; the default is 8192. This is a critical property

you should set high enough to allow for the maximum

number of simultaneous requests. When more requests

come in than there are packets allocated,

Cisco Prime Access Registrar will drop those additional

requests.

NumberOfRemoteUDPServerSocket Required; the default value for this property is 4.

The NumberOfRemoteUDPServerSockets property allows

you to configure the number of source ports used while

proxying requests to a remote RADIUS server. If the Num-

berOfRemoteUDPServerSockets property is set to a value

n, all remote servers share and use n sockets.

The NumberOfRemoteUDPServerSockets value comprises

a number, as in n, where n should be less than or equal to

the current process file descriptor limit divided by 4.

Note By default, the RADIUS process supports up to

1024 file descriptors. To increase the file descrip-

tors, stop the arserver; in the arserver script,

specify the required value to "NUMBER_OF_-

FILE_DESCRIPTORS" and restart the server. The

value for "NUMBER_OF_FILE_DESCRIPTORS"

should be in the range between 1024 to 65535.

MemoryLimitForRadiusProcess This property is used to avoid crashing of the RADIUS

process.

UDPPacketSize Required; the default is 4096. RFC 2138 specifies the

maximum packet length can be 4096 bytes. Do not change

this value.

PerPacketHeapSize Required; the default is 6500. This property sets the size of

the initial heap for each packet. The heap is the dynamic

memory a request can use during its lifetime. By preallo-

cating the heap size at the beginning of request processing,

we can minimize the cost of memory allocations. If Per-

PacketHeapSize is too low, Prime Access Registrar will

ask the system for memory more often. If PerPacketHeap-

Size is too high, Prime Access Registrar will allocate too

much memory for the request causing the system to use

more memory than required.

MinimumSocketBufferSize Required; the default is 65536 (64 K). This property

governs how deep the system’s buffer size is for queueing

UDP datagrams until Cisco Prime Access Registrar can

read and process them. The default is probably sufficient

for most sites. You can, however, raise or lower it as neces-

sary.

Table 3-33 BackingStore/ServerParameter Properties (continued)

Fields Description

3-79

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Setting Server Parameters

To set up new server parameters:

Step 1 Choose Configuration > Advanced > Backing/ServerParam. The Backing/ServerParam Advanced

Details page is displayed.

Step 2 Specify the relevant details.

Step 3 Click Set to save the specified details in the Backing/ServerParamAdvanced Details page.

On successful creation of the server parameters, a success message is displayed else a respective error

message is displayed.

RemoteSessionServer

Prime Access Registrar sessions can also be stored on a remote database. This improves the overall

scalability of the number of sessions that Prime Access Registrar can simultaneously handle.

MaximumOutstandingRequests Optional; the default value for this property is 0.

The MaximumOutstandingRequests property is used to

limit the incoming traffic in terms of “requests processed”.

Serves as a hard limit.

The MaximumOutstandingRequests property comprises a

number n, where n can be any nonzero value.

MaximumIncomingRequests Optional; the default value for this property is 0.

ARIsCaseInsensitive When set to FALSE, requires that you provide exact

pathnames with regard to upper and lower case for all

objects, subobjects, and properties. The default setting,

TRUE, allows you to enter paths such as /rad/serv instead

of /Rad/Serv.

Note Prime Access Registrar always authenticates the

RADIUS attribute User-Name with regard to upper

and lower case, regardless of the setting of this

flag.

EnableDiameter Optional; Either TRUE or FALSE; default is TRUE. Set to

True when you want to use the Diameter protocol in

Prime Access Registrar.

KeyStores -> EAP-FAST section

NumberOfKeys Number (from 1-1024) that specifies the maximum number

of keys stored for EAP-FAST.

RolloverPeriod Specifies the amount of time between key updates.

Table 3-33 BackingStore/ServerParameter Properties (continued)

Fields Description

3-80

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

The remote session manager internally uses the following two ODBC remote servers:

•Internal-ODBC-Read-Server

•Internal-ODBC-Write-Server.

Configurations pertaining to these internal remoteservers can be done under the RemoteSessionServer

section.

Note Ensure that the length of fields such as Username, Session/Resource Manager name Session-Key,

Query-Key and so on are limited to the value specified in the schema, while it is configured. Although

the field length of entire session record is 3KB it is limited to 2KB. This is practically sufficient to hold

all the session parameters as well as the cached attributes (if any). For more information about the

schema, see Remote Session Management, page 17-47.

Note Remote session manager will work only with Oracle database.

Table 3-34 lists and describes the fields in the RemoteSessionServer Advanced Details page.

Table 3-34 RemoteSessionServer Properties

Fields Description

RemoteSessionServer section

ReactivateTimerInterval Mandatory time interval (in milliseconds) to activate an inactive

server; defaults to 300000 ms.

Timeout Mandatory time interval (in seconds) to wait for SQL operation to

complete; defaults to 15 seconds

DataSourceConnections Mandatory number of connections to be established; defaults to 8

ODBCDataSource Name of the ODBCDataSource to use and must refer to one entry in

the list of ODBC datasources configured under /Radius/Ad-

vanced/ODBCDataSources. Mandatory; no default.

KeepAliveTimerInterval Mandatory time interval (in milliseconds) to send a keepalive to keep

the idle connection active; defaults to zero (0) meaning the option is

disabled

MaximumBufferFileSize Mandatory if BufferAccountingPackets is set to TRUE, determines

the maximum buffer file size, defaults to 10 Megabyte)

CacheLimit Default is 250000; This represents the overall limit on cache of all

'remote' session managers. This value is interpreted as the maximum

number of packets that can be present in cache. When the number of

sessions hits this limit, sessions will be 'cached out'. This cache out

operation will continue, until the cache is at least 20% free.

3-81

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Setting RemoteSessionServer Details

To set a new RemoteSessionServer details:

Step 1 Choose Configuration > Advanced > RemoteSessionServer. The RemoteSessionServer Advanced

Details page appears.

Step 2 Specify the relevant details.

Step 3 Click Set to save the specified details in the RemoteSessionServer Advanced Details page.

On successful creation of the RemoteSessionServer details, a success message is displayed else a

respective error message is displayed.

SNMP

Prime Access Registrar provides SNMP MIB for users of network management systems. The supported

MIBs enable the network management station to collect state and statistic information from a

Prime Access Registrar server. It enables a standard SNMP management station to check the current

state of the server as well as the statistics on each client or each proxy remote server. These messages

contain information indicating that either the server was brought up or down or that the proxy remote

server is down or has come back online.

Table 3-35 lists and describes the fields in the SNMP Advanced Details page.

BufferAccountingPackets Mandatory, TRUE or FALSE, determines whether to buffer the ac-

counting packets to local file, defaults to TRUE which means that

packet buffering is enabled.

Note When set to TRUE, a constant flow of incoming accounting

packets can fill the buffer backing store files in /cisco-ar/da-

ta/odbc beyond the size configured in MaximumBufferFile-

Size. Configure BackingStoreDiscThreshold in

/Radius/Advanced when using ODBC accounting.

UseCacheIndex Mandatory; If set to 1, it enables a fast cache based lookup index for

the items in the database. This optimizes the number of queries to the

database hence will improve performance, but limits the number of

sessions that can be scaled.

If set to 0, it disables fast cache based lookup index.

Table 3-34 RemoteSessionServer Properties (continued)

Fields Description

3-82

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Table 3-35 SNMP Properties

Fields Description

SNMP Info section

InputQueueHighThreshold Percentage that indicates the upper limit of the packet input queue

usage. Default is 90.

Prime Access Registrar supports traps to indicate input queue usage.

When the input buffer exceeds the given high threshold value,

Prime Access Registrar generates a carInputQueueFull trap.

InputQueueLowThreshold Percentage that indicates the lower limit of the packet input queue

usage. Default is 60.

After reaching the high threshold, if the buffer usage drops below a

low threshold value, Prime Access Registrar generates a carInput-

QueueNotVeryFull trap.

Enabled Check the box to enable SNMP settings.

TracingEnabled Check the box to enable all possible tracing in SNMP agent. Tracing

is used for debugging purposes.

MasterAgentEnabled To use SNMP, enable the master agent. Prime Access Registrar

responds to SNMP queries through the SNMP master agent.

RFC Compliance Info section

AllowRejectAttrs When AllowRejectAttrs is set to FALSE, Reply-Message attributes

will not be passed in an Access Reject packet. When AllowRejectAt-

trs is set to TRUE, attributes will be allowed to pass in an Access

Reject packet.

AllowEAPRejectAttrs When AllowEAPRejectAttrs is set to FALSE, Reply-Message attri-

butes will not be passed in an Access Reject packet if the packet

contains EAP-Message attribute. When AllowEAPRejectAttrs is set

to TRUE, attributes will be allowed to pass in an Access Reject

packet even if the packet contains EAP-Message attribute.

Reply Messages section

Default Optional; when you set this property, Cisco Prime Access Registrar

sends this value when the property corresponding to the reject reason

is not set.

UnknownUser Optional; when you set this property, Cisco Prime Access Registrar

sends back this value in the Reply-Message attribute whenever

Cisco Prime Access Registrar cannot find the user specified by Us-

er-Name.

UserNotEnabled Optional; when you set this property, Cisco Prime Access Registrar

sends back this value in the Reply-Message attribute whenever the

user account is disabled.

UserPasswordInvalid Optional; when you set this property, Cisco Prime Access Registrar

sends back this value in the Reply-Message attribute whenever the

password in the Access-Request packet did not match the password

in the database.

3-83

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Setting SNMP Details

To set up new SNMP details:

Step 1 Choose Configuration > Advanced > SNMP. The SNMP Advanced Details page is displayed.

Step 2 Specify the relevant details.

UnableToAcquireResource Optional; when you set this property, Cisco Prime Access Registrar

sends back this value in the Reply-Message attribute whenever one

of the Resource Managers was unable to allocate the resource for this

request.

ServiceUnavailable Optional; when you set this property, Cisco Prime Access Registrar

sends back this value in the Reply-Message attribute whenever a

service the request needs (such as a RemoteServer) is unavailable.

InternalError Optional; when you set this property, Cisco Prime Access Registrar

sends back this value in the Reply-Message attribute whenever an

internal error caused the request to be rejected.

MalformedRequest Optional; when you set this property, Cisco Prime Access Registrar

sends back this value in the Reply-Message attribute whenever a

required attribute (such as User-Name) is missing from the request.

ConfigurationError Optional; when you set this property, Cisco Prime Access Registrar

sends back this value in the Reply-Message attribute whenever the

request is rejected due to a configuration error. For example, if a

script sets an environment variable to the name of an object such as

Authentication-Service, and that object does not exist in the config-

uration, the reason reported is ConfigurationError.

IncomingScriptFailed Optional; when you set this property, Cisco Prime Access Registrar

sends back this value in the Reply-Message attribute whenever one

of the IncomingScripts fails to execute.

OutgoingScriptFailed Optional; when you set this property, Cisco Prime Access Registrar

sends back this value in the Reply-Message attribute whenever one

of the OutgoingScripts fails to execute.

IncomingScriptRejectedRe-

quest

Optional; when you set this property, Cisco Prime Access Registrar

sends back this value in the Reply-Message attribute whenever one

of the IncomingScripts rejects the Access-Request.

TerminationAction Optional; when you set this property, Cisco Prime Access Registrar

sends back this value in the Reply-Message attribute whenever

Cisco Prime Access Registrar processes the Access-Request as a

Termination-Action and is being rejected as a safety precaution.

OutgoingScriptRejectedRe-

quest

Optional; when you set this property, Cisco Prime Access Registrar

sends back this value in the Reply-Message attribute whenever one

of the OutgoingScripts rejects the Access-Request.

Table 3-35 SNMP Properties (continued)

Fields Description

3-84

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Step 3 Click Set to save the specified details in the SNMP Advanced Details page.

On successful creation of the SNMP details, a success message is displayed else a respective error

message is displayed.

DDNS

Prime Access Registrar supports Dynamic DNS Remote server. It is a method, protocol, or network that

notifies the server to change the active DNS configuration of its configured hostnames, addresses or

other information stored in DNS.

You can click the Add button in the DDNS Details page to enter the TSIGKeys details in the TSIGKeys

Details section.

Table 3-36 lists and describes the fields in the TSIGKeys Details section.

You can use the DDNS Details page for the following:

•Filtering Records

•Setting DDNS Details

•Adding the TSIGKeys for DDNS

•Editing Records

•Deleting Records

Setting DDNS Details

To set up new DDNS details:

Step 1 Choose Configuration > Advanced > DDNS. The DDNS Details page is displayed.

Step 2 Check the SynthesizeReverseZone check box, and click Set DDNS.

Adding the TSIGKeys for DDNS

To add TSIGKeys details for DDNS:

Step 1 Choose Configuration > Advanced > DDNS. The DDNS Details page is displayed.

Step 2 Click Add. The TSIGKeys details section is displayed.

Step 3 Enter the relevant details.

Step 4 Click Add to save the specified details in the TSIGKeys Details section.

Table 3-36 TSIGKeys Properties

Fields Description

Name Name of the TSIG Key.

Secret Set to the same base64-encoded string as defined in the DNS server.

Description Description of the TSIG Key

3-85

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

On successful creation of the TSIGKeys details, a success page is displayed else a respective error

message is displayed.

ODBC DataSources

Prime Access Registrar uses ODBC as the datasource name to be used by the remote server. Multiple

remote servers can use the same ODBCDataSource. Under the ODBCDataSource object definition, a list

defines ODBC.ini filename/value pairs for a connection. The list includes a Type field and a Driver field,

different for each Driver and Data Source, to indicate its Driver and Data Source. Prime Access Registrar

supports only the Easysoft Open Source Oracle Driver.

Table 3-37 lists and describes the fields in the Add ODBC DataSources page.

You can use the ODBC DataSources page for the following:

•Filtering Records

•Adding ODBC Data Source

•Log

•Editing Records

•Deleting Records

Adding ODBC Data Source

To add new ODBC dta source details:

Step 1 Choose Configuration > Advanced > ODBC DataSources. The ODBC DataSources page is displayed.

Step 2 Click Add to add new ODBC data source details. The ODBC DataSources Details page is displayed.

Step 3 Entre the relevant details.

Table 3-37 ODBCDataSource Properties

Fields Description

Name Name of the ODBCDataSource

Description Optional; Description of the ODBC Data Source

Type Required; must be Oracle_es

Driver Required; liboarodbc.so (default value)

Note This attribute is supported only for OBDC.

UserID Required; database username (no default value)

Password Optional; user password; shown encrypted

DataBase Required; Oracle Client configuration database name (no default

value)

Server Set the name of the server

Port Set the port details.

3-86

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Step 4 Click Submit to save the specified details. Otherwise click Cancel to return to the ODBC DataSources

page without saving the details.

The ODBC DataSources page is displayed with the newly added details and a success message is

displayed else a respective error message is displayed.

Log

The log files defined in Prime Access Registrar assist you in identifying the issues related to it.

Prime Access Registrar holds sets of log files to store information relevant to server agent processes,

monitoring arserver utility, execution of aregcme commands, mcd internal database details, RADIUS

server processes and debug details of RADIUS request process.

Table 3-38 lists and describes the fields in the Log Files page.

Table 3-38 Log Details

Fields Description

GUI Log Settings section

LOG LEVEL Select either debug level or Error.

MaxFileSize Set the maximum size of the log file.

Advance Details section

LogFileSize Required; the default is 1 megabyte. This property specifies the

maximum size of the RADIUS server log file. The value for the Log-

FileSize field is a string composed of two parts; a number, and a units

indicator (<n> <units>) in which the unit is one of: K, kilobyte, kilo-

bytes, M, megabyte, megabytes, G, gigabyte, or gigabytes.

The LogFileSize property does not apply to the config_mcd_1_log

or agent_server_1_log files.

Note This does not apply to the trace log.

LogFileCount Required; the default is 2. This property specifies the number of log

files to be kept on the system. A new log file is created when the log

file size reaches LogFileCount.

The LogFileCount property does not apply to the config_mc-

d_1_log or agent_server_1_log files.

TraceFileSize Required; the default is 1 GB. This property specifies the size of the

trace files to be kept on the system. A new trace file is created when

the trace file size reaches TraceFileSize. The value for the Trace-

FileSize field is a string composed of two parts; a number, and a units

indicator (<n> <units>) in which the unit is one of: K, kilobyte, kilo-

bytes, M, megabyte, megabytes, G, gigabyte, or gigabytes.

TraceFileCount Required; this value can be set from 1–100, and the default is 2. This

property specifies the number of trace files to maintain. A value of 1

indicates that no file rolling occurs.

3-87

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the Log Files page for the following:

•Filtering Records

•Viewing Log Details

LogServerActivity Required; the default is FALSE, which means

Cisco Prime Access Registrar logs all responses except Access-Ac-

cepts and Access-Challenges. Accepting the default reduces the load

on the server by reducing that amount of information it must log.

Note, the client is probably sending accounting requests to an ac-

counting server, so the Access-Accept requests are being indirectly

logged. When you set it to TRUE, Cisco Prime Access Registrar logs

all responses to the server log file.

TraceLevel Set the trace level.

LogTPSActivity When set to TRUE, this property enables to log the TPS usage in a

CSV file.The TPS is logged in the following format:

<mm-dd-yyyy>, <hh:mm:ss>, <tps-value>

For example,

04-01-2013, 12:00:01, 102

The default is False.

TPSLogFileCount Required only if you check the LogTPSActivity check box; the

number of TPS Sampling log files to maintain in the repository. The

default value is 2.

TPSLogFileNamePrefix Required only if you check the LogTPSActivity check box; this

represents the prefix of the CSV file which will be available in the

logs directory of Prime Access Registrar. The following represents

the CSV filename format:

<user-prefix>-<mm-dd-yyyy>.csv

tps-04-01-2013.csv

TPSSamplingPeriodInSecs Required only if you check the LogTPSActivity check box; this

represents the TPS sampling period in seconds. The minimum

sampling period is set to 5. The default is 30.

LogSessionActivity When set to TRUE, this property enables Prime Access Registrar to

log the session count in the server.

SessionLogFileCount Required only if you check the LogSessionActivity check box; the

number of session log files to maintain in the repository. The default

value is 2.

SessionLogFileNamePrefix Required only if you check the LogSessionActivity check box; this

represents the prefix of the session log file which will be available in

the logs directory of Prime Access Registrar.

SessionSamplingPeriodIn-

Secs

Required only if you check the LogSessionActivity check box; this

represents the session sampling period in seconds. The minimum

sampling period is set to 5. The default is 30.

Table 3-38 Log Details (continued)

Fields Description

3-88

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

•Downloading Log Details

•Setting Log Details

Viewing Log Details

To view the log files:

Step 1 Choose Configuration > Advanced > Log. The Log Files page is displayed.

Step 2 Choose the appropriate radio button and click View to view the file.

Downloading Log Details

To download the log files:

Step 1 Choose Configuration > Advanced > Log. The Log Files page is displayed.

Step 2 Choose the appropriate radio button and click Download to download the file.

Setting Log Details

To set the log details:

Step 1 Choose Configuration > Advanced > Log. The Log Files page is displayed.

Step 2 Enter the relevant details and click Set to save the specified details.

Ports

The Ports list specifies which ports to listen to for requests. When you specify a port,

Prime Access Registrar makes no distinction between the port used to receive Access-Requests and the

port used to receive Accounting-Requests. Either request can come in on either port.

Most NASs send Access-Requests to port 1645 and Accounting-Requests to 1646, however,

Prime Access Registrar does not check.

When you do not specify any ports, Prime Access Registrar reads the /etc/services file for the ports to

use for access and accounting requests. If none are defined, Prime Access Registrar uses the standard

ports (1645 and 1646).

Table 3-39 lists and describes the fields in the Ports page.

3-89

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the Ports page for the following:

•Filtering Records

•Adding Port Details

•Interfaces

•Editing Records

•Deleting Records

Adding Port Details

To add new port details:

Step 1 Choose Configuration > Advanced > Port. The Ports page is displayed.

Step 2 Enter the relevant details and click Add. The new port details will be listed in the Ports page.

Interfaces

The Interfaces list specifies the interfaces on which the RADIUS server receives and sends requests. You

specify an interface by its IP address.

•When you list an IP address, Prime Access Registrar uses that interface to send and receive

Access-Requests.

•When no interfaces are listed, the server performs an interface discover and uses all interfaces of the

server, physical and logical (virtual).

Note The IP address format is enhanced to support both IPv4 and IPv6.

You can use the interfaces page for the following:

•Filtering Records

•Adding IP Addressing Interface

•Deleting Records

Table 3-39 Port Properties

Fields Description

Port Required; allows you to use ports other than the default, 1645 and

1646. You can use this option to configure Prime Access Registrar to

use other ports,. If you add additional ports, however,

Prime Access Registrar will use the added ports and no longer use

ports 1645 and 1646. These ports can still be used by adding them to

the list of ports to use.

Type Set the port type.

Description Optional; description of the port.

3-90

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Adding IP Addressing Interface

To add a new IP address interface to define an interface:

Step 1 Choose Configuration > Advanced > Interfaces. The Interfaces page is displayed.

Step 2 Enter the IP Address and click Add.

The Interfaces page is displayed with the newly added details and a success message is displayed else a

respective error message is displayed.

Attribute Groups

The Attributes can be grouped using Prime Access Registrar Profile object. The attributes for a

particular user group can be grouped under a profile and the attributes contained in the profiles will be

returned in their access-accepts.

Table 3-40 lists and describes the fields in the Attribute Groups Details page.

You can use the Attribute Groups page for the following:

•Filtering Records

•Adding Attribute Group Details

•Rules

•Editing Records

•Deleting Records

Adding Attribute Group Details

To add new attribute groups details:

Step 1 Choose Configuration > Advanced > Attributes Groups. The Attribute Groups page is displayed.

Step 2 Click Add to add new attribute group details. The Attribute Group Details page is displayed.

Table 3-40 AttributeGroups Properties

Fields Description

Name Name of the attribute group.

Description Optional; description of the attribute group.

Attribute type Select either RADIUS or VENDOR. If Vendor is selected, specify

the vendor type from the drop-down list.

Attribute Name Optional; based on the Attribute Type selected, the attribute name is

automated. Set the relevant name for the attribute type selected. Click

the Add button to save the details and list it in Attribute list. To

navigate between the listed attributes, use the navigation option

available adjacent to the list. See Relocating Records for more

details. To delete the available attributes, select the relevant attribute

and click the Delete button below.

3-91

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Step 3 Enter the relevant details.

Step 4 Click Submit to save the specified details in the Attribute Groups Details page. Otherwise click Cancel

to return to the Attribute Groups page without saving the details.

The Attribute Groups page is displayed with the newly added details or a respective error message is

displayed.

Rules

A Rule is a function that selects services based on all input information used by the function.

Table 3-41 lists and describes the fields in the Add Rules List page.

You can use the Rules List page for the following:

•Filtering Records

•Setting Rules

•SessionManagers

•Editing Records

•Deleting Records

Table 3-41 Rule Properties

Fields Description

General Properties tab

Name Required; must be unique in the Rule list.

Description Optional; description of the rule.

Type Required; specifies the type of the rule which can be Radius or

Diameter.

Script Name Name of the script.

Attribute Details tab

These fields are displayed based on the type of the rule selected in the Type field.

RADIUS Optional; set Radius, if the attribute and value needs to be defined for

RADIUS.

VENDOR Optional; set Vendor, if the attribute and value needs to be defined for

Vendor.

AttributeName Optional; based on the Attribute Type selected, the attribute name is

automated. Set the relevant name for the attribute type selected.

AttributeValue Optional; set the value for the selected attribute. Click the Add button

to save the details and list it in Name and Value list. To navigate

between the listed attributes, use the navigation option available

adjacent to the list. See Relocating Records for more details. To

delete the available attributes, select the relevant attribute and click

the Delete button below.

3-92

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Setting Rules

To set new rules:

Step 1 Choose Configuration > Rules. The List of Rules page is displayed.

Step 2 Click Add. The Rules Details page is displayed.

Step 3 Enter the relevant details.

Step 4 Click Submit to save the specified details in the Rules Details page. Otherwise click Cancel to return to

the List of Rules page without saving the details.

The List of Rules page is displayed with the newly added details or a respective error message is

displayed.

SessionManagers

You can use Session Managers to track user sessions. The Session Managers monitor the flow of requests

from each NAS and detect the session state. When requests come through to the Session Manager, it

creates sessions, allocates resources from appropriate Resource Managers, and frees and deletes sessions

when users log out.

The Session Manager enables you to allocate dynamic resources to users for the lifetime of their session.

You can define one or more Session Managers and have each one manage the sessions for a particular

group or company.

Note Session record size is limited by the operating system (OS) paging size (8 KB in Solaris and 4 KB in

Linux). If a request triggers creation of a session that exceeds the OS paging size, the request will be

dropped and the session will not be created.

Note In this release of Prime Access Registrar, the memory capacity is enhanced to store more than 4 million

active session's by storing the active session records in database server instead of storing it in the main

memory. The capacity is dependent on the number of attributes that are being captured for each session.

Note If the disk partition where Prime Access Registrar stores session backing store data (usually the disk

partition where Prime Access Registrar is installed, such as /opt/CSCOar) is full, the subsequent

packets that try to create sessions will be dropped and no sessions will be created due to lack of disk

space.

Session Managers use Resource Managers, which in turn, manage a pool of resources of a particular

type.

Table 3-42 lists and describes the fields in the Session Manager Details page.

3-93

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Table 3-42 Session Manager Properties

Fields Description

Name Required; must be unique in the Session Managers list.

Description Optional description of the Session Manager.

Type Required; set to local or remote. Local is the traditional session manager

that maintains sessions in memory and has good performance. The remote

session manager operates on a remote ODBC database, and its perfor-

mance is highly dependent on the performance of the ODBC database.

EnableDiameter Optional; check the box if you want to use the session manager for

Diameter services.

SessionKey SessionKey property is used to set the sessionkey value for the Session

Manager.

The SessionManager checks whether the environmental variable Ses-

sion-Key is set or not. If the environmental variable is set, the server uses

it as the sessionkey. If environmental variable Session-Key is not set then

SessionManager gets the value configured in the SessionKey property

under SessionManager.

SessionKey can be a combination of attributes separated by a colon. The

values for those attributes are obtained from the RequestDictionary. If any

one of the attribute that is configured for the sessionkey is not present in

the RequestDictionary, Prime Access Registrar will drop the request.

However, if Session-Key is not set, SessionManager uses NAS-Identifier

and NAS-Port to create the sessionkey. An example configuration,

--> set SessionKey "User-Name:NAS-Port"

The following shows the sample configuration of sessionkey for Session

Manager:

[ //localhost/Radius/SessionManagers/session-mgr-1 ]

Name = session-mgr-1

Description =

Type = local

EnableDiameter = FALSE

IncomingScript =

OutgoingScript =

AllowAccountingStartToCreateSession = TRUE

SessionTimeOut =

PhantomSessionTimeOut =

SessionKey =

ResourceManagers/

AllowAccountingStartTo-

CreateSession

Set to TRUE by default; start the session when the

Prime Access Registrar server receives an Access Accept or an Account-

ing-Start.

When set to FALSE, start the session when the Prime Access Registrar

server receives an Access Accept.

IncomingScript Optional; name of script to run when the service starts. This script is run

as soon as the session is acquired in Prime Access Registrar.

OutgoingScript Optional; script to be run just before the session is written to backing

store.

3-94

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

SessionTimeOut The SessionTimeOut property is optional; no value for this property

means the session timeout feature is disabled.

Used in conjunction with /Radius/Advanced/SessionPurgeInterval for

the session timeout feature. Enables the session timeout feature for a

Session Manager. If the SessionTimeOut property is set to a value under

a session manager, all sessions that belong to that session manager will

be checked for timeouts at each SessionPurgeInterval. If any sessions

have timed out, they will be released, and all resources associated with

those sessions are also released.

The SessionTimeOut property determines the timeout for a session. If the

time difference between the current time and the last update time is

greater than this property’s value, the session is considered to be stale.

The last update time of the session is the time at which the session was

created or updated.

The SessionTimeOut value is comprised of a number and a units indica-

tor, as in n units, where a unit is one of minutes, hours, days, or weeks.

The default unit is ‘days’.

PhantomSessionTimeOut Optional; no value for this property means the phantom session timeout

feature is disabled.

The PhantomSessionTimeOut property is used in conjunction with /Ra-

dius/Advanced/SessionPurgeInterval to enable the phantom session

timeout feature for Session Manager.

If the PhantomSessionTimeOut property is set to a value under a session

manager, all sessions that belong to that session manager will be checked

for receipt of an Accounting-Start packet. Sessions that do not receive an

Accounting-Start packet from creation until its timeout will be released.

The PhantomSessionTimeOut value comprises a number and a units indi-

cator, as in n units, where a unit is one of minutes, hours, days, or weeks.

The default unit is ‘days’

SessionCreation Available only if you check the EnableDiameter check box; session

created for the configured application, command code, and AVP.

SessionDeletion Available only if you check the EnableDiameter check box; session

deleted for the configured application, command code, and AVP.

Resource Managers List Ordered list of Resource Managers. To navigate between the listed attri-

butes, use the navigation option available adjacent to the list. See Relo-

cating Records for more details.

Table 3-42 Session Manager Properties (continued)

Fields Description

3-95

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

You can use the Session Managers page for the following:

•Filtering Records

•Adding Session Manager Details

•Editing Records

•Deleting Records

Adding Session Manager Details

To add new session manager details:

Step 1 Choose Configuration > Session Managers. The Session Managers page is displayed.

Step 2 Click Add. The Session Manager Details page is displayed.

Step 3 Enter the required details.

Step 4 Click Add to save the specified details in the Session Manager Details page. Otherwise click Cancel to

return to the Session Managers page without saving the details.

The Session Managers page is displayed with the newly added details or a respective error message is

displayed.

ResourceManager

Resource Managers allow you to allocate dynamic resources to user sessions. The following lists the

different types of Resource Managers.

•IP-Dynamic—manages a pool of IP addresses that allows you to dynamically allocate IP addresses

from a pool of addresses

•IP-Per-NAS-Port—allows you to associate ports to specific IP addresses, and thus ensure each NAS

port always gets the same IP address

MemoryLimitForRadius-

Process

This property is used to avoid crashing of the RADIUS process. The

default value is 3500 Megabytes. This property is under /radius/ad-

vanced. When the RADIUS process uses memory more than the config-

ured limit, further sessions are not created and Prime Access Registrar

rejects further incoming requests.

MemorySizeCheckInter-

val

This property is used to avoid crashing of the RADIUS process. This is

used in conjunction with MemoryLimitForRadiusProcess. The default

value is 5 minutes. MemorySizeCheckInterval is a hidden parameter in

mcd database. To modify the default value, you need to export the mcd

database. Typically, a separate thread is created to monitor the RADIUS

process memory usage for every 5 minutes.

Table 3-42 Session Manager Properties (continued)

Fields Description

3-96

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

•IPX-Dynamic—manages a pool of IPX network addresses

•Subnet-Dynamic—manages a pool of subnet addresses

•Group-Session-Limit—manages concurrent sessions for a group of users; that is, it keeps track of

how many sessions are active and denies new sessions after the configured limit has been reached

•User-Session-Limit—manages per-user concurrent sessions; that is, it keeps track of how many

sessions each user has and denies the user a new session after the configured limit has been reached

•Home-Agent—manages a pool of on-demand IP addresses

•USR-VPN—manages Virtual Private Networks (VPNs) that use USR NAS Clients.

•Home-Agent-IPv6—manages a pool of on-demand IPv6 addresses

•Remote-IP-Dynamic—manages a pool of IP addresses that allows you to dynamically allocate IP

addresses from a pool of addresses. It internally works with a remote ODBC database.

•Remote-User-Session-Limit—manages per-user concurrent sessions; that is, it keeps track of how

many sessions each user has and denies the user a new session after the configured limit has been

reached. It internally works with a remote ODBC database.

•Remote-Group-Session-Limit—manages concurrent sessions for a group of users; that is, it keeps

track of how many sessions are active and denies new sessions after the configured limit has been

reached. It internally works with a remote ODBC database.

•Session Cache—allows you to define the RADIUS attributes to store in cache.

•Dynamic-DNS—manages the DNS server.

•Remote-Session-Cache—allows you to define the RADIUS attributes to store in cache. It should

be used with session manager of type 'remote'.

•3GPP—allows you to define the attribute for 3GPP authorization.

Each Resource Manager is responsible for examining the request and deciding whether to allocate a

resource for the user, do nothing, or cause Cisco Prime Access Registrar to reject the request.

Table 3-43 lists and describes the fields in the Resource Manager Details page.

The fields displayed in the Resource Manager Details page changes based on the option selected in the

Type field. The following tables describe the fields in the Resource Manager Details page.

DYNAMIC-DNS

Table 3-44 lists and describes the fields in the Resource Manager Details page.

Table 3-43 Resource Manager Properties

Fields Description

Resource Manager Name Required; must be unique in the Resource Managers list.

Description (optional) Optional; description of the Resource Manager.

Type Required; must be either Dynamic-DNS, IP-Dynamic,

IP-Per-NAS-Port, IPX-Dynamic, Session Cache, Subnet-Dynam-

ic, Group-Session-Limit, Home-Agent, User-Session-Limit,

USR-VPN, Home-Agent-IPv6, Remote-IP-Dynamic, Remote-Us-

er-Session-Limit, Remote-Group-Session-Limit, Remote-Ses-

sion-Cache, or 3GPP. Based on the option selected, the fields

displayed in the Resource Manager Details page varies.

3-97

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

GROUP-SESSION-LIMIT

Table 3-45 lists and describes the fields in the Resource Manager Details page.

REMOTE-GROUP-SESSION-LIMIT

Table 3-46 lists and describes the fields in the Resource Manager Details page.

HOME-AGENT

Table 3-47 lists and describes the fields in the Resource Manager Details page.

Table 3-44 DYNAMIC-DNS Properties

Fields Description

General tab

Max DNS TTLS Set the maximum TTL of the DNS record.

DNS Host bytes Set the number of bytes to be used to construct the reverse zone entry.

Forward Zone Name Set the name of the forward zone. For a given Resource Manager you

must decide which forward zone you will be updating for sessions the

resource manager will manage.

Reverse Zone Name Set the name of the reverse zone.

Forward Zone Server Set the Server IP of the forward zone

Reverse Zone Server Set the Server IP of the reverse zone

Forward Zone TSIG KeyS Server-wide security key to process all forward zone dynamic DNS

updates. This is used if a ForwardZoneTSIGKey was not specified on

the Resource Manager.

Reverse Zone TSIG Keys Server-wide security key to process all reverse zone dynamic DNS

updates. This is used if a ReverseZoneTSIGKey was not specified on

the Resource Manager

Table 3-45 GROUP-SESSION-LIMIT Properties

Fields Description

Group Session Limit Set the GroupSessionLimit property to the maximum number of con-

current sessions for all users.

Table 3-46 REMOTE-GROUP-SESSION-LIMIT Properties

Fields Description

Group Session Limit Set the GroupSessionLimit property to the maximum number of con-

current sessions for all users.

Table 3-47 HOME-AGENT Properties

Fields Description

HomeAgentIPAddresses tab

3-98

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Click the Add button to save the details and list it in Start and End IP list. To navigate between the listed

attributes, use the navigation option available adjacent to the list. See Relocating Records for more

details. To delete the available attributes, select the relevant attribute and click the Delete button below.

HOME-AGENT-IPv6

Table 3-48 lists and describes the fields in the Resource Manager Details page.

Click the Add button to save the details and list it in Start and End IPv6 list. To navigate between the

listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more

details. To delete the available attributes, select the relevant attribute and click the Delete button below.

IP-DYNAMIC

Table 3-49 lists and describes the fields in the Resource Manager Details page.

Click the Add button to save the details and list it in Start and End IP list. To navigate between the listed

attributes, use the navigation option available adjacent to the list. See Relocating Records for more

details. To delete the available attributes, select the relevant attribute and click the Delete button below.

REMOTE-IP-DYNAMIC

Table 3-50 lists and describes the fields in the Resource Manager Details page.

Start Required; must be an IP address.

End Required; must be an IP address.

Table 3-47 HOME-AGENT Properties (continued)

Fields Description

Table 3-48 HOME-AGENT-IPv6 Properties

Fields Description

HomeAgentIPv6Addresses tab

Start Required; must be an IPv6 address.

End Required; must be an IPv6 address.

Table 3-49 IP-DYNAMIC Properties

Fields Description

General tab

Reuse IP for same SessionKey

and User

When set to TRUE, this property supports overlapping IP addresses

between session managers for VPN users. Default value is FALSE.

Net Mask Required; must be set to a valid net mask.

Allow Overlapped IP

Addresses

When set to TRUE, this property supports overlapping IP addresses

between session managers for VPN users. Default value is FALSE.

IP Addresses tab

Start Required; must be an IP address.

End Required; must be an IP address.

3-99

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Click the Add button to save the details and list it in Start and End IP list. To navigate between the listed

attributes, use the navigation option available adjacent to the list. See Relocating Records for more

details. To delete the available attributes, select the relevant attribute and click the Delete button below.

IP-PER-NAS-PORT

Table 3-51 lists and describes the fields in the Resource Manager Details page.

Click the Add button to save the details and list it in Start and End IP list. To navigate between the listed

attributes, use the navigation option available adjacent to the list. See Relocating Records for more

details. To delete the available attributes, select the relevant attribute and click the Delete button below.

IPX-DYNAMIC

Table 3-52 lists and describes the fields in the Resource Manager Details page.

Table 3-50 REMOTE-IP-DYNAMIC Properties

Fields Description

General tab

Reuse IP for same SessionKey

and User

When set to TRUE, this property supports overlapping IP addresses

between session managers for VPN users. Default value is FALSE.

Net Mask Required; must be set to a valid net mask.

Allow Overlapped IP

Addresses

When set to TRUE, this property supports overlapping IP addresses

between session managers for VPN users. Default value is FALSE.

IP Addresses tab

Start Required; must be an IP address.

End Required; must be an IP address.

Table 3-51 IP-PER-NAS-PORT Properties

Fields Description

General tab

Net Mask Required; if used, must be set to a valid net mask.

Allow Overlapped IP

Addresses

When set to TRUE, this property supports overlapping IP addresses

between session managers for VPN users. Default value is FALSE.

NAS Required; must be the name of a known Client.This value must be the

same as the NAS-Identifier attribute in the Access-Request packet.

IP Config tab

Start Required; must be an IP address.

End Required; must be an IP address.

Port Config tab

Start Required; set the NAS port

End Required; set the NAS port

3-100

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Click the Add button to save the details and list it in Start and End IP list. To navigate between the listed

attributes, use the navigation option available adjacent to the list. See Relocating Records for more

details. To delete the available attributes, select the relevant attribute and click the Delete button below.

SESSION-CACHE

Table 3-53 lists and describes the fields in the Resource Manager Details page.

Table 3-52 IPX-DYNAMIC Properties

Fields Description

Networks tab

Start Required; must be an IP address.

End Required; must be an IP address.

Table 3-53 SESSION-CACHE Properties

Fields Description

General tab

Overwrite Attributes Specifies whether to overwrite the existing attributes if there are any

in the session record.

Query Key Required; set the QueryKey to the a RADIUS attribute you want to

key on, such as Framed-IP-Address.

A change made in Prime Access Registrar requires that this attribute

not be an XML attribute, even if this session-cache resource manager

is being used for an XML query.

Note Any existing session-cache resource managers using an XML

attribute for the Query Key must be changed to a RADIUS

attribute that this XML attribute is mapped to under Query-

Mappings.

Pending Removal Delay Required; length of time information remains in the cache after the

session ends (defaults to 10 seconds)

Query Mapping tab

XML Attribute Set the QueryKey property to the XML attribute you want to key on

such as XML-Address-format-IPv4 and list all attributes to be cached

in the AttributesToBeCached subdirectory.

Radius Attribute Required; list of attribute pairs, mapping the XML attributes on the

left-hand side to the RADIUS attribute on the right-hand side.

AttributeToBeCached tab

RADIUS Optional; set Radius, if the attribute needs to be defined for RADIUS.

VENDOR Optional; set Vendor, if the attribute needs to be defined for Vendor.

If Vendor is selected, specify the vendor type from the drop-down

list.

Attribute Name Required; use this subdirectory to provide a list of RADIUS attri-

butes you want to store in cache

3-101

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

Click the Add button to save the details and list it in Start and End IP list. To navigate between the listed

attributes, use the navigation option available adjacent to the list. See Relocating Records for more

details. To delete the available attributes, select the relevant attribute and click the Delete button below.

SUBNET-DYNAMIC

Table 3-54 lists and describes the fields in the Resource Manager Details page.

Click the Add button to save the details and list it in Start and End IP list. To navigate between the listed

attributes, use the navigation option available adjacent to the list. See Relocating Records for more

details. To delete the available attributes, select the relevant attribute and click the Delete button below.

USER-SESSION-LIMIT

Table 3-55 lists and describes the fields in the Resource Manager Details page.

REMOTE-USER-SESSION-LIMIT

Table 3-56 lists and describes the fields in the Resource Manager Details page.

USR-VPN

Table 3-57 lists and describes the fields in the Resource Manager Details page.

Table 3-54 SUBNET-DYNAMIC Properties

Fields Description

Subnet Dynamic tab

Net Mask Required; must be set to the size of the managed subnets

Start Required; must be an IP addresses

End Required; must be an IP addresses

Table 3-55 USER-SESSION-LIMIT Properties

Fields Description

User Session Limit Set the user session limit property to the maximum number of con-

current sessions for a particular user

Table 3-56 REMOTE-USER-SESSION-LIMIT Properties

Fields Description

User Session Limit Set the user session limit property to the maximum number of con-

current sessions for a particular user

Table 3-57 USR-VPN Properties

Fields Description

General tab

Identifier Required; must be set to the VPN ID the USR NAS will use to

identify a VPN.

3-102

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

To edit the gateway details, check the appropriate check box and click the Edit button. Enter new

information in the editable fields and click the Save button. You can also delete the record using Delete

button.

REMOTE-SESSION-CACHE

Table 3-58 lists and describes the fields in the Resource Manager Details page.

Neighbor Optional; if set, should be the IP address of the next hop router for

the VPN.

Framed Routing Optional; if set, should be RIP V2 Off or RIP V2 On if the USR

NAS is to run RIP Version 2 for the user.

Gateway tab

Name of Gateway Required; name of the gateway.

Description (optional) Optional; description of the gateway.

IP Address Required; IP address of the gateway

Shared Secret Required; must match the shared secret of the gateway.

Tunnel Refresh Optional; if specified it is the number of seconds the tunnel stays

active before a secure “keepalive” is exchanged between the tunnel

peers in order to maintain the tunnel open.

Location ID Optional; if specified it is a string indicating the physical location of

the gateway. Click the Save button, to save the details.

Table 3-57 USR-VPN Properties (continued)

Fields Description

Table 3-58 REMOTE-SESSION-CACHE Properties

Fields Description

General tab

Overwrite Attributes Specifies whether to overwrite the existing attributes if there are any

in the session record.

Query Key Required; set the QueryKey to the a RADIUS attribute you want to

key on, such as Framed-IP-Address.

A change made in Prime Access Registrar requires that this attribute

not be an XML attribute, even if this session-cache resource manager

is being used for an XML query.

Note Any existing session-cache resource managers using an XML

attribute for the Query Key must be changed to a RADIUS

attribute that this XML attribute is mapped to under Query-

Mappings.

Pending Removal Delay Required; length of time information remains in the cache after the

session ends (defaults to 10 seconds)

Remote Query Mapping tab

XML Attribute Set the QueryKey property to the XML attribute you want to key on

such as XML-Address-format-IPv4 and list all attributes to be cached

in the AttributesToBeCached subdirectory.

3-103

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Configuring Cisco Prime Access Registrar

3GPP

Table 3-59 lists and describes the 3GPP properties in the Resource Manager Details page.

You can use the Resource Manager List page for the following:

•Filtering Records

•Adding Resource Manager Details

•Network Resources

•Editing Records

•Deleting Records

Adding Resource Manager Details

To add new resource manager details:

Step 1 Choose Configuration > Resource Manager. The Resource Manager List page is displayed.

Step 2 Click Add. The Resource Manager Details page is displayed.

Step 3 Enter the required details.

Step 4 Click Submit to save the specified details in the Resource Manager Details page. Otherwise click

Cancel to return to the Resource Manager List page without saving the details.

Radius Attribute Required; list of attribute pairs, mapping the XML attributes on the

left-hand side to the RADIUS attribute on the right-hand side.

RemoteAttributeToBeCached tab

RADIUS Optional; set Radius, if the attribute needs to be defined for RADIUS.

VENDOR Optional; set Vendor, if the attribute needs to be defined for Vendor.

If Vendor is selected, specify the vendor type from the drop-down

list.

Attribute Name Required; use this subdirectory to provide a list of RADIUS attri-

butes you want to store in cache

Table 3-58 REMOTE-SESSION-CACHE Properties (continued)

Fields Description

Table 3-59 3GPP Properties

Fields Description

EnableRegistrationFlow Check the box to enable registration flow during 3GPP authorization.

EnableSessionTermination Check the box to enable session termination during 3GPP

authorization.

ReuseExistingSession Check the box to reuse existing session during 3GPP authorization.

HSSProxyService Required; the HSS proxy service to use in the 3GPP authorization

flow.

3-104

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

The Resource Manager List page is displayed with the newly added details or a respective error message

is displayed.

Note Resource Manager supports the following remote type session managers: remote-ip-dynamic,

remote-session-cache, home-agent, remote-user-session-limit, home-agent-ipv6 and

remote-group-session-limit.

Network Resources

Network Resources constitutes the maintenance and management of the details of the clients and remote

servers. The clients IP address and shared secret details are maintained under clients, The management

of server directory with use of remote server protocols details are maintained in remote server.

This section describes the following:

•Clients

•Remote Servers

Clients

All NASs and proxy clients that communicate directly with Prime Access Registrar must have an entry

in the Clients list. This is required because NAS and proxy clients share a secret with the RADIUS server

which is used to encrypt passwords and to sign responses.

Table 3-60 lists and describes the fields in the Client Details page.

Table 3-60 Client Properties

Fields Description

Name Required and should match the Client identifier specified in the standard RADIUS

attribute, NAS-Identifier. The name must be unique within the Clients list.

IncomingScript Optional; you can use this property to specify a Script you can use to determine the

services to use for authentication, authorization, and/or accounting.

OutgoingScript Optional; you can use this property to specify a Script you can use to make any Cli-

ent-specific modifications when responding to a particular Client.

Protocol Required; set it to Radius, Diameter, or Tacacs-and-Radius.

Description Optional description of the client.

Vendor Optional; displayed when the protocol is set to Diameter. When set, must be the

name of a known Vendor.

Server Identity Optional; displayed when the protocol is set to Diameter. While exchanging the

CER information in the client, Prime Access Registrar sends the configured server

identity value as the origin-host value. When set, it takes precedence over the /Ra-

dius/Advance/Diameter/TransportManagement configuration.

3-105

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

HostName Required; hostname or IP address of the Diameter client.

Port Required; port on which client connects with the Prime Access Registrar server.

SCTP-Enabled Required; displays when the protocol is set to Diameter and indicates whether the

connection will be an SCTP. If set to TRUE, SCTP will be used. If set to FALSE,

TCP will be used.

Server Realm Optional; displays when the protocol is set to Diameter. While exchanging the CER

information in the client, Prime Access Registrar sends the configured server realm

value as the origin-realms value. it takes precedence over the /Radius/Advance/Di-

ameter/TransportManagement configuration.

General Properties tab

The tabs are available if the protocol is set to Radius or Tacacs-and-Radius.

IPAddress Required; must be a valid IP address and unique in the Clients list.

Prime Access Registrar uses this property to identify the Client that sent the

request, either using the source IP address to identify the immediate sender or using

the NAS-IP-Address attribute in the Request dictionary to identify the NAS

sending the request through a proxy.

When a range is configured for a Client’s IPAddress property, any incoming

requests whose source address belongs to the range specified, will be allowed for

further processing by the server. Similarly when a wildcard (an asterisk ‘*’ in this

case) is specified, any incoming requests whose source address matches the

wildcard specification will be allowed. In both the cases, the configured client prop-

erties like SharedSecret, and Vendor are used to process the requests.

You can specify a range of IP addresses using a hyphen as in:

100.1.2.11-20

You can use an asterisk wildcard to match all numbers in an IP address octet as in:

100.1.2.*

You can specify an IPAddress and a subnet mask together using Classless Inter-Do-

main Routing (CIDR) notation as in:

100.1.2.0/24

You can use the IPAddress property to set a base address and use the NetMask

property to specify the number of clients in the subnet range.

Shared Secret Required; must match the secret configured in the Client.

Type Required; accept the default (NAS), or set it to ATM, Proxy, or NAS+Proxy.

Vendor Optional; you can use this property when you need special processing for a specific

vendor’s NAS. To use this property, you must configure a Vendor object and

include a script. Prime Access Registrar provides five Scripts you can use: one for

Ascend, Cisco, Cabletron, Altiga, and one for USR. You can also provide your own

Script.

Table 3-60 Client Properties (continued)

Fields Description

3-106

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

NetMask Specifies the subnet mask used with the network address setting configured for the

IPAdress property when configuring a range of IP addresses.

This property is not used for a single client with an IP address only. The NetMask

property is used to configure multiple clients when you configure a base IP address

in the IPAddress property. You can set the NetMask property for a range of 256

clients using the following example:

set NetMask 255.255.255.0

Note If you set the NetMask property, validation will fail if you attempt to specify

a subnet mask using CIDR notation with the IPAddress property (described

above).

Enforce Traffic

Throttling

By default, the value is set to FALSE. When set to TRUE, the traffic throttling check

for the packet will be executed.

Dynamic Authorization tab

Enable

Dynamic Au-

thorization

Optional; when set to TRUE, this property enables Change of Authorization (CoA)

and Packet of Disconnect (PoD) features.

Shared Secret Located under the DynamicAuthorizationServer subdirectory, this is the shared

secret used for communicating CoA and PoD packets with the client.

Port Located under the DynamicAuthorizationServer subdirectory, the default port is

3799.

InitialTimeout Located under the DynamicAuthorizationServer subdirectory, the default is 5000.

MaxTries Located under the DynamicAuthorizationServer subdirectory, the default is 3.

COA Attribute This property is found under the DynamicAuthorizationServer subdirectory and

points to a group of attributes to be included in a CoA request sent to this client.

These attribute groups are created and configured under the AttributeGroups subdi-

rectory in /Radius/Advanced.

POD Attribute This property is found under the DynamicAuthorizationServer subdirectory and

points to a group of attributes to be included in a POD request sent to this client.

These attribute groups are created and configured under the AttributeGroups subdi-

rectory in /Radius/Advanced.

Notification Properties tab

Enable Notifi-

cations

Required; the default value is FALSE and indicates the client is not capable of

receiving Accounting-Stop notifications from the Prime Access Registrar server.

When set to TRUE, the client can receive Accounting-Stop notifications from the

Prime Access Registrar server and additional properties must be configured under

a new sub-directory named NotificationProperties.

InitialTimeout Located under the NotificationProperties subdirectory, specifies the timeout value

in milliseconds the Prime Access Registrar server waits for an Accounting-Re-

sponse packet before attempting a retry (sending another Accounting-Stop packet

to the client).

Required when EnableNotifications is set to TRUE; the default value is 5000.

Table 3-60 Client Properties (continued)

Fields Description

3-107

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

You can use the Clients page for the following:

•Filtering Records

•Adding Client Details

•Editing Records

•Deleting Records

Adding Client Details

To add new Client details:

Step 1 Choose Network Resources > Clients. The Clients page is displayed.

Step 2 Click Add to add new client details. The Client Details page is displayed.

Step 3 Enter the required details in the General Properties, Dynamic Authorization, and Notification Properties

tabs.

Step 4 Click Save to save the specified details in the Client Details page. Otherwise click Cancel to return to

the Client page without saving the details.

The Client page is displayed with the newly added details or a respective error message is displayed.

Remote Servers

You can use the RemoteServers object to specify the properties of the remote servers to which Services

proxy requests.

Port Located under the NotificationProperties subdirectory, specifies the port used by

the Prime Access Registrar server to receive Accounting-Stop packets. Required

when EnableNotifications is set to TRUE; the default value is 1813.

MaxTries Located under the NotificationProperties subdirectory, specifies the number of

times the Prime Access Registrar server sends an Accounting-Stop packet to a

client.

Required when EnableNotifications is set to TRUE; the default value is 3.

Notification-

Properties

When the EnableNotifications property is set to TRUE, this subdirectory contains

additional properties required to support the Query-Notify feature.

NotificationAt-

tributeGroup

Located under the NotificationProperties subdirectory, specifies the name of an

attribute group under /Radius/Advanced/AttributeGroups that contains the attri-

butes to be included when sending an the Accounting-Stop packet to this client.

Required when EnableNotifications is set to TRUE; there is no default value. You

must provide the name of a valid AttributeGroup and the named AttributeGroup

must contain at least one valid attribute, or validation will fail.

Table 3-60 Client Properties (continued)

Fields Description

3-108

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

Prime Access Registrar provides the following RemoteServer protocol types:

•LDAP

•LDAP Accounting

•Domain Authentication

•ODBC/OCI

•ODBC/OCI-Accounting

•Diameter

•Others

Note You must not configure a remote server with an IP address, which is same as that of the client. This is

applicable for all types of remote servers.

LDAP

Specify the ldap service type when you want to use a particular LDAP remote server for authentication

and/or authorization.When using LDAP for authentication and a local database for authorization, ensure

that the usernames in both locations are identical with regard to case-sensitivity.

Table 3-61 lists and describes the fields in the Add LDAP-RemoteServers Details page.

Table 3-61 LDAP Server Properties

Fields Description

LDAP Properties tab

Name Required; name of the LDAP server.

Host Name Required; the LDAP server’s hostname or IP address.

Prime Access Registrar supports IPv4 and IPv6 addresses for the

hostname.

Note To use IPv6 addresses, you must have Next Generation (NG)

license of Prime Access Registrar. For LDAP, IPv6 addresses

must be enclosed in square brackets, as in

[2001:420:27c1:420:250:56ff:fe99:3dfd].

Port Required; defaults to port 389.

Description Description of the LDAP server.

Timeout Required; the default is 15. The timeout property indicates how many

seconds the RADIUS server will wait for a response from the LDAP

server.

Note Use InitialTimeout from above as a template, except this is

timeout is specified in seconds.

Reactivate Time Interval Required; the amount of time (in milliseconds) to wait before retrying a

remote server that was offline. You must specify a number greater than

zero. The default is 300,000 (5 minutes).

3-109

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

MaxReferrals Required; must be a number equal to or greater than zero. This property

indicates how many referrals are allowed when looking up user informa-

tion. When you set this property to zero, no referrals are allowed.

Cisco Prime Access Registrar manages referrals by allowing the

RADIUS server’s administrator to indicate an LDAP “referral attribute,”

which might or might not appear in the user information returned from

an LDAP query. When this information is returned from a query,

Cisco Prime Access Registrar assumes it is a referral and initiates

another query based on the referral. Referrals can also contain referrals.

Note This is an LDAP v2 referral property.

Referral Attribute Required when you have specified a MaxReferrals value. This property

specifies which LDAP attribute, returned from an LDAP search, to check

for referral information.

Note This is an LDAP v2 referral property.

Referral Filter Required when you have specified a MaxReferral value. This is the

filter Cisco Prime Access Registrar uses when processing referrals.

When checking referrals, the information Cisco Prime Access Registrar

finds in the referral itself is considered to be the search path and this

property provides the filter. The syntax is the same as that of the Filter

property.

Note This is an LDAP v2 referral property.

Bind Name Optional; the distinguished name (dn) to use when establishing a connec-

tion between the LDAP and RADIUS servers.

Bind Password Optional; the password associated with the BindName.

Search Path Required; the path that indicates where in the LDAP database to start the

search for user information.

Limit Outstanding

Requests

Required; the default is FALSE. Cisco Prime Access Registrar uses this

property in conjunction with the MaxOutstandingRequests property to

tune the RADIUS server’s use of the LDAP server.

When you set this property to TRUE, the number of outstanding requests

for this RemoteServer is limited to the value you specified in MaxOut-

standingRequests. When the number of requests exceeds this number,

Cisco Prime Access Registrar queues the remaining requests, and sends

them as soon as the number of outstanding requests drops to this number.

User Password Attribute Required; this specifies which LDAP field the RADIUS server should

check for the user’s password.

Escape Spl.Character in

UserName

FALSE by default

Datasource Connections Specifies the number of concurrent connections to the LDAP server. The

default value is 8.

Table 3-61 LDAP Server Properties (continued)

Fields Description

3-110

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

Use SSL A boolean field indicating whether you want

Cisco Prime Access Registrar to use SSL (Secure Socket Layer) when

communicating with this RemoteServer. When you set it to TRUE, be

sure to specify the CertificateDBPath field in the Advanced section,

and be sure the port you specified for this RemoteServer is the SSL port

used by the LDAP server.

EnableKeepAlive Default is FALSE. This is enabled to send a TCP keepalive to keep the

idle connection active.

Filter Required; this specifies the search filter Cisco Prime Access Registrar

uses when querying the LDAP server for user information. When you

configure this property, use the notation “%s” to indicate where the user

ID should be inserted. For example, a typical value for this property is

“(uid=%s),” which means that when querying for information about user

joe, use the filter uid=joe.

Max Outstanding Requests Required when you have set the LimitOutstandingRequests to TRUE.

The number you specify, which must be greater than zero, determines the

maximum number of outstanding requests allowed for this remote server.

Password Encryption Style The default is None. You can also specify crypt, dynamic, SHA-1, and

SSHA-1.

DNSLookup and LDAP

RebindInterval

Specifies the timeout period after which the Prime Access Registrar

server will attempt to resolve the LDAP hostname to IP address (DNS

resolution); 0 by default

Search Scope Specifies how deep to search within a search path; default is SubTree

which indicates a search of the base object and the entire subtree of

which the base object distinguished name is the highest object.

Base indicates a search of the base object only.

OneLevel indicates a search of objects immediately subordinate to the

base object, but does not include the base object.

Use Binary Password Com-

parison

A boolean field that enables binary password comparison for authentica-

tion. This property when set to TRUE, enables binary password compar-

ison. By default, this property is set to FALSE.

Use Bind Based Authenti-

cation

A boolean field that enables bind-based authentication with LDAP

server. By default, this property is set to FALSE. When set to FALSE, it

uses existing legacy authentication method.

On setting this property to TRUE, the mappings LDAPToRadius, LDAP-

ToEnvironment, and LDAPToCheckItem will not work.

LDAPToRadiusMappings tab

LDAPAttribute Set the value for the LDAP attribute

Table 3-61 LDAP Server Properties (continued)

Fields Description

3-111

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

RadiusAttribute A list of name/value pairs in which the name is the name of the ldap

attribute to retrieve from the user record, and the value is the name of the

RADIUS attribute to set to the value of the ldap attribute retrieved.

For example, when the LDAPToRadiusMappings has the entry: Fra-

medIPAddress = Framed-IP-Address, the RemoteServer retrieves the

FramedIPAddress attribute from the ldap user entry for the specified

user, uses the value returned, and sets the Response variable

Framed-IP-Address to that value.

Click the Add button to save the details and list it in the attribute list. To

navigate between the listed attributes, use the navigation option available

adjacent to the list. See Relocating Records for more details. To delete

the available attributes, select the relevant attribute and click the Delete

button below.

LDAPToCheckItems Mappings tab

Attribute Type Select either RADIUS or VENDOR. If Vendor is selected, specify the

vendor type from the drop-down list.

LDAPAttribute Set the value for the LDAP attribute

CheckedItems A list of LDAP attribute/value pairs which must be present in the

RADIUS access request and must match, both name and value, for the

check to pass.

For example, when the LDAPToCheckItemMappings has the entry:

group = User-Group, the Access Request must contain the attribute

group, and it must be set to User-Group.

Click the Add button to save the details and list it in the attribute list. To

navigate between the listed attributes, use the navigation option available

adjacent to the list. See Relocating Records for more details. To delete

the available attributes, select the relevant attribute and click the Delete

button below.

LDAPToEnvironmentalMappings tab

LDAPAttribute Set the value for the LDAP attribute

EnvironmentalAttribute A list of name/value pairs in which the name is the name of the ldap

attribute to retrieve from the user record, and the value is the name of the

Environment variable to set to the value of the ldap attribute retrieved.

For example, when the LDAPToEnvironmentMappings has the entry:

group = User-Group, the RemoteServer retrieves the group attribute

from the ldap user entry for the specified user, uses the value returned,

and sets the Environment variable User-Group to that value.

Click the Add button to save the details and list it in the attribute list. To

navigate between the listed attributes, use the navigation option available

adjacent to the list. See Relocating Records for more details. To delete

the available attributes, select the relevant attribute and click the Delete

button below.

Table 3-61 LDAP Server Properties (continued)

Fields Description

3-112

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

You can use the LDAP-RemoteServers page for the following:

•Filtering Records

•Adding LDAP Details

•LDAP Accounting

•Editing Records

•Deleting Records

Adding LDAP Details

To add new LDAP details:

Step 1 Choose Network Resources > RemoteServers > LDAP. The LDAP-RemoteServers page is displayed.

Step 2 Click Add to add LDAP details. The LDAP-RemoteServers Details page is displayed.

Step 3 Enter the required details in the tabs.

Step 4 Click Save LDAP Server to save the specified details in the LDAP-RemoteServers Details page. The

LDAP-RemoteServers page is displayed with the newly added details or a respective error message is

displayed. Otherwise click Cancel to return to the LDAP-RemoteServers page without saving the

details.

LDAP Accounting

Previous releases of Prime Access Registrar supported accessing user data from an LDAP server, but this

feature was limited to performing authentication and authorization (AA). You could only write the

accounting records to local file or oracle database or proxy to another RADIUS server.

Prime Access Registrar supports writing accounting records into LDAP server enabling integration

between billing systems and LDAP.

Table 3-62 lists and describes the fields in the LDAPAcct RemoteServer Details page.

Table 3-62 LDAP Accounting Server Properties

Fields Description

LDAP Acct Properties tab

Name Name of the remote server; this property is mandatory, and there is no

default.

Description Optional description of server.

HostName Required; the LDAP server's hostname or IP address.

Port Required; the default value is 389. Port the LDAP server is listening on.

Timeout Mandatory time interval (in seconds) to wait for LADP-write operation

to complete; defaults to 15 seconds.

ReactivateTimerInterval Mandatory time interval (in milliseconds) to activate an inactive server;

defaults to 300000 ms.

3-113

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

BindName Optional; the distinguished name (dn) to use when establishing a connec-

tion between the LDAP and RADIUS servers.

BindPassword Optional; the password associated with the BindName.

EnableKeepAlive Required; default is FALSE. This is enabled to send a TCP keepalive to

keep the idle connection active.

Delimiter Character used to separate the values of the attributes given in Attribute-

List property.

LDAPEnvironmentMul-

tiValueDelimiter

Optional; allows you to specify a character that separates multi-valued

attribute lists when using ldap-accounting.

DnPath Required; the path that indicates where in the LDAP database to start the

write for user information.

EntryName Required; this specifies the write entry name Prime Access Registrar

uses when insetting the LDAP server for user information. When you

configure this property, use the notation "%s" to indicate where the user

ID should be inserted. For example, a typical value for this property is

"(uid=%s)," which means that when insetting for information about user

joe, use the fentry name uid=joe.

LimitOutstandingRequests Required; the default is FALSE. Prime Access Registrar uses this

property in conjunction with the MaxOutstandingRequests property to

tune the RADIUS server's use of the LDAP server.

When you set this property to TRUE, the number of outstanding requests

for this RemoteServer is limited to the value you specified in MaxOut-

standingRequests. When the number of requests exceeds this number,

Prime Access Registrar queues the remaining requests, and sends them

as soon as the number of outstanding requests drops to this number.

MaxOutstandingRequests Required when you have set the LimitOutstandingRequests to TRUE.

The number you specify, which must be greater than zero, determines the

maximum number of outstanding requests allowed for this remote server.

ObjectClass Required; list of object classes which are all schemas defined in LDAP

server. These schemas define required attributes and allowed attributes

for an entry which is inserted from Prime Access Registrar.

DNSLookup and

LDAPAcct RebindInterval

Specifies the timeout period after which the Prime Access Registrar

server will attempt to resolve the LDAP hostname to IP address (DNS

resolution).

Escape Spl.Character in

UserName

FALSE by default.

AttributeList List of comma-separated attribute names.

Datasource Connections Mandatory number of connections to be established; defaults to 8.

UseLocalTimeZone Optional; the default is FALSE. It determines the timezone of accounting

records TimeStamp.

Table 3-62 LDAP Accounting Server Properties (continued)

Fields Description

3-114

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

You can use the LDAP Acct-RemoteServers page for the following:

•Filtering Records

•Adding LDAP Accounting Details

•Editing Records

•Deleting Records

Adding LDAP Accounting Details

To add new LDAP accounting details:

Step 1 Choose Network Resources > RemoteServers > LDAP Accounting. The LDAPAcct-RemoteServers

page is displayed.

Step 2 Click Add to add LDAP accounting details. The LDAPAcct RemoteServer Details page is displayed.

Step 3 Enter the required details in the tabs.

Step 4 Click Save LDAP Acct Server to save the specified details in the LDAPAcct RemoteServer Details

page. Otherwise click Cancel to return to the LDAPAcct-RemoteServers page without saving the details.

The LDAPAcct-RemoteServers page is displayed with the newly added details or a respective error

message is displayed.

UseSSL A boolean field indicating whether you want Prime Access Registrar to

use SSL (Secure Socket Layer) when communicating with this Remote-

Server. When you set it to TRUE, be sure to specify the CertificateDB-

Path field in the Advanced section, and be sure the port you specified

for this RemoteServer is the SSL port used by the LDAP server.

AttributestoWrite tab

LDAPAcctAttribute Set the LDAP Accounting attribute.

EnvironmentalAttribute A list of name and value pairs in which the name is the name of the data

store attribute to retrieve from the user record, and the value is the name

of the RADIUS attribute to set to the value of the data store attribute re-

trieved. The data store attributes must match those defined in the external

SQL file.

Click the Add button to save the details and list it in the Attributes list.

To navigate between the listed attributes, use the navigation option

available adjacent to the list. See Relocating Records for more details. To

delete the available attributes, select the relevant attribute and click the

Delete button below.

Table 3-62 LDAP Accounting Server Properties (continued)

Fields Description

3-115

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

Domain Authentication

The Domain Authentication service type, domain-auth, is used with a Remote Server of the same type

to provide support for authentication against Windows Domain Controller/Active Directory (WDC/AD).

You can click the Add button in the Domain Authentication-RemoteServers page to add new domain

authentication details in the Domain Authentication-RemoteServers Details page. Table 3-63 lists and

describes the fields in the Domain Authentication-RemoteServers Details page.

Table 3-63 Domain Authentication Server Properties

Fields Description

General Properties tab

Name Required; name of the domain authentication server.

Host Name Required; hostname or IP address of the remote server.

Port Required; port used for communication with WDC/AD; defaults to 2004.

Default Domain Species the default domain for authentication if the user does not include

a domain during log in. Otherwise, authentication is performed on the

local domain.

Agent Connections Required; default is 15. Represents the total number of connections

Prime Access Registrar can open with the CSRA.

Description Optional; description of the domain authentication server.

Timeout Required; defaults to 15.

Reactivate Time Interval Required; default is 300,000 milliseconds. Specifies the length of time to

wait before attempting to reconnect if a thread is not connected to a data

source.

Workstation Optional; if a user has this workstation property set to some value, in

Active Directory, then during authentication, AD will check with the CLI

workstation value of Prime Access Registrar. Only if they match authen-

tication will succeed.

If this workstation value is not set in AD, no comparison with CLI work-

station field happens.

Default Usergroup User group to be used when no mapping is found in the list of maps in

the GroupMap property or when there is no hit in the groups listed in

GroupMaps. The DefaultUserGroup is used to authorize users that are

authenticated by this domain-auth RemoteServer.

GroupMaps tab

3-116

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

You can use the Domain Authentication-RemoteServers page for the following:

•Filtering Records

•Adding Domain Authentication Details

•ODBC/OCI

•Editing Records

•Deleting Records

Adding Domain Authentication Details

To add new domain authentication details:

Step 1 Choose Network Resources > RemoteServers > Domain Authentication. The Domain

Authentication-RemoteServers page is displayed.

Step 2 Click Add to add domain authentication details. The Domain Authentication-RemoteServers Details

page is displayed.

Step 3 Enter the required details in the tabs.

Step 4 Click Add Domain-Auth Server to save the specified details in the Domain

Authentication-RemoteServers Details page. Otherwise click Cancel to return to the Domain

Authentication-RemoteServers page without saving the details.

The Domain Authentication-RemoteServers page is displayed with the newly added details or a

respective error message is displayed.

AR UserGroup Select a user group from the drop-down list.

AD UserGroups A list of groups to which the user belongs in the WDC/AD mapped to an

internal group in the Prime Access Registrar server. Entries are of the

form:

1. “InternalGroup1 = ExternalGroup1, ExternalGroup2, ...”

2. “InternalGroup2 = ExternalGroup3, ExternalGroup4, ...”

To configure group mappings, use the following syntax:

set 1 “Group1 = ExternalGroup1,ExternalGroup2, ExternalGroup3”

Click the Add button to save the details and list it in the attribute list. To

navigate between the listed attributes, use the navigation option available

adjacent to the list. See Relocating Records for more details. To delete

the available attributes, select the relevant attribute and click the Delete

button below.

Table 3-63 Domain Authentication Server Properties (continued)

Fields Description

3-117

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

ODBC/OCI

Specify odbc or oci when you want to use an ODBC or OCI service for authentication, authorization and

accounting through an ODBC or OCI data store respectively. Use an ODBC or OCI service to

authenticate and authorize an access requests by querying user information through ODBC or OCI and

to insert accounting records into a data store through ODBC or OCI.

Note The ODBC service supports MYSQL and Oracle database service and OCI supports Oracle with 10.2.0

to 11.2.0 Oracle client.

Table 3-64 lists and describes the fields in the ODBC/OCI-RemoteServers Details page.

Table 3-64 ODBC/OCI Server Properties

Fields Description

Name Required; name of the ODBC/OCI Server.

Protocol The type of remote server. You select the option ODBC or OCI

from the drop-down list.

Datasource Connections Required; default is 8. This represents the total number of connec-

tions Prime Access Registrar can open with the ODBC server;

total number of threads Prime Access Registrar can create for the

ODBC server.

ODBC Datasource Name Required; name of the ODBCDataSource to use and must refer to

one entry in the list of ODBC datasources configured under /Ra-

dius/Advanced/ODBCDataSources.

User Password Attribute Set the user password.

SNMPTrapIP The SNMP trap IP for the remote servers.

Prime Access Registrar supports IPv4 and IPv6 addresses for the

SNMP trap IP.

Note To use IPv6 addresses, you must have Next Generation

(NG) license of Prime Access Registrar.

Description Description of the ODBC Server

Timeout Required; the default is 15. The timeout property indicates how

many seconds the RADIUS server will wait for a response from the

ODBC server.

Note Use InitialTimeout from above as a template, except this is

timeout is specified in seconds.

Reactivate Time Interval Required; default is 300,000 milliseconds. Length of time to wait

before attempting to reconnect if a thread is not connected to a data

source.

Keep Alive Timer Interval Mandatory time interval (in milliseconds) to send a keepalive to

keep the idle connection active; defaults to zero (0) meaning the

option is disabled

SNMPTrapPort The SNMP trap port for the remote server; defaults to 1521.

SQL Definitions tab

Name SQLDefinition properties define the SQL you want to execute.

3-118

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

You can use the ODBC/OCI-RemoteServers page for the following:

Description Description of the SQL

Type Prime Access Registrar supports only type query.

SQL SQL query used to add, update or delete a record from a database

Execution SequenceNumber Sequence number for SQLStatement execution, must be greater

than zero (mandatory, no default)

Marker List Defines all markers for the query. MarkerList uses the format Us-

erName/SQL_DATA_TYPE.

RadiusMappings tab

ODBC/OCI Attribute Set the ODBC or OCI attribute

RADIUS Attribute A list of name and value pairs in which the name is the name of the

data store attribute to retrieve from the user record, and the value

is the name of the RADIUS attribute to set to the value of the data

store attribute retrieved. The data store attributes must match those

defined in the external SQL file.

Click the Add button to save the details and list it in the Attributes

list. To navigate between the listed attributes, use the navigation

option available adjacent to the list. See Relocating Records for

more details. To delete the available attributes, select the relevant

attribute and click the Delete button below.

CheckItemsMappings tab

Attribute Type Select either RADIUS or VENDOR. If Vendor is selected, specify

the vendor type from the drop-down list.

ODBC/OCI Attribute Set the ODBC or OCI attribute

CheckItem A list of ODBC attribute/value pairs.

Click the Add button to save the details and list it in the Attributes

list. To navigate between the listed attributes, use the navigation

option available adjacent to the list. See Relocating Records for

more details. To delete the available attributes, select the relevant

attribute and click the Delete button below.

EnvironmentalMappings tab

ODBC/OCI Attribute Set the ODBC or OCI attribute

Environmental Attribute A list of name/value pairs in which the name is the name of the data

store attribute to retrieve from the user record, and the value is the

name of the Environment variable to set to the value of the ODBC

attribute retrieved.

Click the Add button to save the details and list it in the Attributes

list. To navigate between the listed attributes, use the navigation

option available adjacent to the list. See Relocating Records for

more details. To delete the available attributes, select the relevant

attribute and click the Delete button below.

Table 3-64 ODBC/OCI Server Properties (continued)

Fields Description

3-119

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

•Filtering Records

•Adding ODBC/OCI Details

•ODBC/OCI-Accounting

•Editing Records

•Deleting Records

Adding ODBC/OCI Details

To add new ODBC or OCI details:

Step 1 Choose Network Resources > RemoteServers > ODBC/OCI. The ODBC/OCI-RemoteServers page is

displayed.

Step 2 Click Add to add ODBC or OCI details. The ODBC/OCI-RemoteServers Details page is displayed.

Step 3 Enter the required details.

Step 4 Click Add to enter the SQL details in the SQL Definitions tab.

Step 5 Click Save to save the specified details in the SQL Definitions tab or click Cancel to cancel the action.

Step 6 Enter the required details in the tabs.

Step 7 Click Add Server to save the specified details in the ODBC/OCI-RemoteServers Details page.

Otherwise click Cancel to return to the ODBC/OCI-RemoteServers page without saving the details.

The ODBC/OCI-RemoteServers page is displayed with the newly added details or a respective error

message is displayed.

ODBC/OCI-Accounting

If you use the Oracle Accounting feature, you must configure an ODBC/OCI-Accounting RemoteServer

object.

Table 3-65 lists and describes the fields in the Add ODBC/OCI Accounting-RemoteServers page.

Table 3-65 ODBC/OCI Accounting Server Properties

Fields Description

General Properties tab

Name Name of the remote server; this property is mandatory, and there is

no default.

Protocol The type of Accounting remote server. You can select the option

odbc-accounting or oci-accounting from the drop-down list.

Datasource Connections Mandatory number of connections to be established; defaults to 8

ODBC Datasource Name Name of the ODBCDataSource to use and must refer to one entry

in the list of ODBC datasources configured under /Radius/Ad-

vanced/ODBCDataSources. Mandatory; no default

3-120

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

Buffer Accounting Packets Mandatory, TRUE or FALSE, determines whether to buffer the ac-

counting packets to local file, defaults to TRUE which means that

packet buffering is enabled.

Note When set to TRUE, a constant flow of incoming account-

ing packets can fill the buffer backing store files in /cis-

co-ar/data/odbc beyond the size configured in

MaximumBufferFileSize. Configure BackingStoreDisc-

Threshold in /Radius/Advanced when using ODBC ac-

counting.

Max. Buffer Filesize Mandatory if BufferAccountingPackets is set to TRUE, determines

the maximum buffer file size, defaults to 10 Megabyte)

Backing Store Environment

Vari a b les

Optional; when BufferAccountingPackets is set to TRUE, contains

a comma-separated list of environment variable names to be stored

into a local file along with buffered packet. No default. BackingS-

toreEnvironmentVariables can also be specified in scripts using the

BackingStoreEnvironmentVariables environment variable.

Attribute List List of comma-separated attribute names.

SNMPTrapIP Optional; when set to a valid IP address, the traps (responding/not

responding traps) for the ODBC/OCI Accounting server will have

this IP address. This is used to identify the server. If the value is

not set, SNMP traps use 255.255.255.255 as the IP address.

Description Optional; description of server.

Timeout Mandatory time interval (in seconds) to wait for SQL operation to

complete; defaults to 15 seconds.

Reactivate Time Interval Mandatory time interval (in milliseconds) to activate an inactive

server; defaults to 300000 ms.

Keep Alive Timer Interval Mandatory time interval (in milliseconds) to send a keepalive to

keep the idle connection active; defaults to zero (0) meaning the

option is disabled.

No. of Retries for Buffered

Packet

Mandatory if BufferAccountingPackets is set to TRUE. A number

greater than zero determines the number of attempts to be made to

insert the buffered packet into Oracle. Defaults to 3.

Use Local Timezone Set to TRUE or FALSE, determines the timezone of accounting

records' TimeStamp (defaults to FALSE).

Delimiter Character used to separate the values of the attributes given in At-

tributeList property.

SNMPTrapPort Optional; when set to a valid port, the traps (responding/not re-

sponding traps) for the ODBC/OCI Accounting server will have

this port. If the value is not set, SNMP traps use 1521 as the IP port.

SQL Definitions tab

Name Required; SQLDefinition properties define the SQL you want to

execute.

Description Description of the SQL

Table 3-65 ODBC/OCI Accounting Server Properties (continued)

Fields Description

3-121

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

You can use the ODBC/OCI Accounting-RemoteServers page for the following:

•Filtering Records

•Adding ODBC/OCI Accounting Details

•Others

•Editing Records

•Deleting Records

Adding ODBC/OCI Accounting Details

To add new ODBC or OCI accounting details:

Step 1 Choose Network Resources > RemoteServers > ODBC/OCI Accounting. The ODBC/OCI

Accounting-RemoteServers page is displayed.

Step 2 Click Add to add ODBC or OCI accounting details. The ODBC/OCI Accounting-RemoteServers Details

page is displayed.

Step 3 Enter the required details in the tabs.

Step 4 Click Add Accounting Server to save the specified details in the ODBC/OCI

Accounting-RemoteServers Details page. The ODBC/OCI Accounting-RemoteServers page is displayed

with the newly added details or a respective error message is displayed. Otherwise click Cancel to return

to the ODBC/OCI Accounting-RemoteServers page without saving the details.

Diameter

Diameter is a networking protocol which is derived from RADIUS protocol.

You can click the Add button in the Diameter-RemoteServers page to add a new Diameter remote server.

Table 3-66 lists and describes the Diameter remote server properties.

Type Required; Prime Access Registrar supports insert, update and

delete options.

SQL Required; SQL query used to acquire the password

Execution SequenceNumber Required; sequence number for SQLStatement execution, must be

greater than zero (mandatory, no default)

Marker List Required; defines all markers for the query. MarkerList uses the

format UserName/SQL_DATA_TYPE.

Table 3-65 ODBC/OCI Accounting Server Properties (continued)

Fields Description

3-122

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

You can use the Domain Authentication-RemoteServers page for the following:

•Filtering Records

•Adding Domain Authentication Details

•ODBC/OCI

•Editing Records

•Deleting Records

Adding Diameter Remote Server Details

To add new Diameter remote server details:

Table 3-66 Diameter Remote Server Properties

Fields Description

Name Required; name of the Diameter server.

Description Optional; description of the Diameter server.

Protocol Required; protocol used by the Diameter server.

MaxTries Number of retry attempts to be made by the Diameter server for request

and response.

Host Name Host name of the server.

Initial Timeout Specifies the timeout value in milliseconds the Prime Access Registrar

server waits for an Accounting-Response packet before attempting a

retry.

This value must be less than the DWatchDogTimeout value.

Port Port used by the server.

DWatchDogTimeout Time interval between watch dog messages.

IncomingScript Optional; if there is a script, it is the first script Prime Access Registrar

runs when it receives a request from any client and/or for any service.

OutgoingScript Optional; if there is a script, it is the last script Prime Access Registrar

runs before it sends a response to any client.

SCTP-Enabled Indicates whether the connection will be an SCTP. If set to TRUE , SCTP

will be used. If set to FALSE, TCP will be used.

AdvHostName Optional; specifies the local hostname address that will be advertised by

the Prime Access Registrar server to other peers during CER/CEA

exchange.

AdvRealm Advertising realm.

ActivateTimerInterval Mandatory time interval, in milliseconds, to activate an inactive server.

Vendor Select a valid vendor.

SCTPAdvHostName Section

Local SCTP advertising host name of the local server.

Remote SCTP advertising host name of the remote server.

3-123

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

Step 1 Choose Network Resources > RemoteServers > Diameter. The Diameter-Remote Servers page is

displayed.

Step 2 Click Add to add Diameter remote server details.

Step 3 Enter the required details as described in Table 3-66.

Step 4 Click Add Diameter Server to save the details. Click Cancel to return to the previous page without

saving the details.

The Diameter-Remote Servers page is displayed with the newly added details or a respective error

message is displayed.

Others

This feature of GUI allows you to set other specifications. The various types of protocols are:

•Radius

•Dynamic DNS

•Map-Gateway

•Prepaid-CRB

•Prepaid IS 835C

•Sigtran

•Sigtran-m3ua

Table 3-67 lists and describes the fields in the Remote Server Details page. The fields listed below are

the entire list of all the available protocols. The fields are displayed based on the type of protocol

selected.

Table 3-67 Other Server Properties

Fields Description

Remote Server Details

Name Required; name of the server.

Description Optional; description of the server.

Protocol Required; type of the remote server. Choose from one of the

following options:

•Radius

•Dynamic DNS

•Map-Gateway

•Prepaid-CRB

•Prepa-IS835C

•Sigtran

•Sigtran-m3ua

3-124

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

IP Address Required; this property specifies where to send the proxy request.

It is the address of the remote server. You must set it to a valid IP

address.

Port By default, Prime Access Registrar listens on ports 1645.

ReactivateTimerInterval Mandatory time interval (in milliseconds) to activate an inactive

server; defaults to 300000 ms.

MaxTries Number of times the server tries to send dynamic updates to a

server.

Initial Timeout Time, in milliseconds, that the server waits for a response before

retrying a request.

SharedSecret Required; the secret shared between the remote server and the

RADIUS server.

Vendor Optional; when set, must be the name of a known Vendor.

IncomingScript Optional; when set, must be the name of a known incoming script.

Prime Access Registrar runs the IncomingScript after it receives

the response.

OutGoingScript Optional; when set, must be the name of a known outgoing script.

Prime Access Registrar runs the OutgoingScript just before it

sends the proxy request to the remote server.

AccountingPort Port where the RADIUS server sends accounting packets.

AcknowledgeAccounting When ACKAccounting is TRUE, the Prime Access Registrar

server waits for the Accounting-Response from the remote

RADIUS server before sending the corresponding Accounting-Re-

sponse to the client.

When ACKAccounting is FALSE, the Prime Access Registrar

server does not wait for the Accounting-Response and immediate-

ly returns an Accounting-Response to the client.

Accept Dynamic Authorization

Requests

The value is set to False, by default.

MaxRename Retries Number of times that the resource managers can try to add a host

even if it detects that the host's name is already present. This

controls the number of times Prime Access Registrar tries to

modify a host's name to resolve a conflict on each failed update.

Trim HostName Controls whether Prime Access Registrar trims the hostname

string to the first period character. If this attribute is enabled, the

hostname is truncated before the period. If disabled, the server

retains the period characters in the hostname.

FwdZoneTSIG Server-wide security key to process all forward zone dynamic

DNS updates. This is used if a ForwardZoneTSIGKey was not

specified on the Resource Manager.

ReverseZoneTSIG Server-wide security key to process all reverse zone dynamic DNS

updates. This is used if a ReverseZoneTSIGKey was not specified

on the Resource Manager.

Table 3-67 Other Server Properties (continued)

Fields Description

3-125

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

File Name Name of the shared library provided by the billing server vendor,

such as libprepaid.so

Connections Number of threads the prepaid service and billing server can each

use (default is 8).

HostName Required; hostname of the remote server.

Local Sub System Number Required; the default value for this property is 0. This represents

the subsystem number used by SUA user.

CgPA Global Title Address Required; represents the Global Title Address of CallingPartyAd-

dress.

Set OPC In CgPA Required; if it is set to TRUE, OPC will be used in CallingPar-

tyAddress.

CdPANumberingPlan Required; used to specify the numbering plan of the called party.

The default value is 7.

CgPANumberingPlan Required; used to specify the numbering plan of the calling party.

The default value is 7.

Global Title Translation Script This is used to specify the name of script which is responsible for

translating IMSI to GTA.

SUA Configuration Filename Required; used to specify the name of configuration file for SUA

stack initialization.

Max Outstanding Requests This represents the maximum outstanding request to HLR.

Timeout Required; represents the how long the remote server should wait

before marking the request as timedout.

Limit Outstanding Requests Limits the outstanding request to HLR when it is set to TRUE.

SourceIPAddress Required; name of the local IP address.

SourcePort Required; specify the port number in which

Prime Access Registrar is installed for M3UA transactions.

LocalSubSystemNumber Required; the local sub system number is set as 149 by default.

DestinationPort Required; specify the destination port number to which

Prime Access Registrar connects.

IMSITranslationScript Specify the scripting point that is used to modify the IMSI based

on the requirement before sending the request to STP/HLR.

Timeout Required; specify the time (in seconds) to wait before an authenti-

cation request times out; defaults to 120.

ReactivateTimerInterval Required; specify the time interval (in milliseconds) to activate an

inactive server; defaults to 300000 ms (which is 5 minutes).

Table 3-67 Other Server Properties (continued)

Fields Description

3-126

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

Limit Outstanding Requests Prime Access Registrar uses this property in conjunction with the

MaxOutstandingRequests property to tune the RADIUS server's

use of the HLR. The default is FALSE.

When you set this property to TRUE, the number of outstanding

requests for this RemoteServer is limited to the value you specified

in MaxOutstandingRequests. When the number of requests

exceeds this number, Prime Access Registrar queues the

remaining requests, and sends them as soon as the number of out-

standing requests drops to this number.

MaxOutstandingRequests Required; specify the maximum number of outstanding requests

allowed for this remote server.

MAP-Version Required; specify the MAP version as 2 or 3 that HLR supports.

NetworkVariant Required; select the network variant switch.

Note Prime Access Registrar supports only ITU value.

SubServiceField Required; specify the type of network to which this SAP belongs.

The possible options are INT and NAT which represents interna-

tional network and national network respectively.

TCAPVariant Required; specify the name of the tcap network variant switch. The

possible options are ITU88, ITU92, or ITU96.

NetworkAppearance Required; specify the network appearance code which ranges from

0-2147483647.

This field is optional for SIGTRAN-M3UA remote servers as per

the RFC 4666 (http://tools.ietf.org/html/rfc4666.) You can set the

value to 0 to remove network appearance from the data packet.

NetworkIndicator Required; specify the network indicator used in SCCP address.

The possible options are NAT and INT which represents interna-

tional network and national network respectively.

RoutingIndicator Required; specify the routing indicator. The possible options are

RTE_GT or RTE_SSN which is used to route the packets for HLR.

MLCNumber Required; specify the MLC number which is required for M3UA

service for fetching the MSISDN from the HLR. This is the map

layer network node number by which the HLR identifies the

Prime Access Registrar in the network. The MLC number is con-

figured in E.164 format.

Note MLC is a max-15 digit number.

TrafficMode Required; specify the traffic mode values for the HLR.

LoadShareMode Required; specify the load share mode for the HLR.

When there is more than one associations with HLR, then the load

sharing is set as Signaling Link Selection (SLS). SLS is done based

on a simple round-robin basis.

Table 3-67 Other Server Properties (continued)

Fields Description

3-127

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Network Resources

You can use the RemoteServers page allows for the following:

•Filtering Records

•Setting Other Specifications

•Editing Records

•Deleting Records

Setting Other Specifications

To set up other specifications:

Step 1 Select Network Resources > RemoteServers > Others. The RemoteServers page is displayed.

Step 2 Click Add to add other specifications. The Remote Server Details page is displayed.

Step 3 Enter the required details.

Step 4 Click Add Radius Server to save the specified details in the Remote Server Details page. Otherwise

click Cancel to return to the RemoteServers page without saving the details.

RoutingParameters

OriginPointCode Required; specify the originating point of a message in a signalling

network. The value ranges from 0 - 16777215.

DestinationPointCode Required; specify the destination address of a signalling point in a

SS7 network.

RemoteSubSystemNumber Required; specify the sub system number of the remote server. The

RemoteSubSystemNumber is set as 6 by default.

OPCMask Required; specify the wild card mask for the origin point code. The

value ranges from 0 - 16777215.

DPCMask Specify the wild card mask for the destination point code. The

value ranges from 0 - 16777215.

ServiceIndicatorOctet Specify the service identifier octet. The value ranges from 0 - 255.

RoutingContext Required; specify the routing context which ranges from 0 -

16777215.

Source & Destination IP Addresses

SourceIPAddresses Applicable only for Sigtran-m3ua protocol type. Enter the source

IP address to be configured on the remote server and then click

Add. The entered IP address is displayed in the SourceIPAddresses

list box. Click Delete to remote the IP address from the list.

DestinationIPAddresses Applicable only for Sigtran-m3ua protocol type. Enter the destina-

tion IP address to be configured on the remote server and then click

Add. The entered IP address is displayed in the DestinationIPAd-

dresses list box. Click Delete to remote the IP address from the list.

Table 3-67 Other Server Properties (continued)

Fields Description

3-128

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Administration

The RemoteServers page is displayed with the newly added details or a respective error message is

displayed.

Administration

Administration constitutes the maintenance and management of details specific administrator, various

statistical data respective to the administrators, backing up and restoring server details, and license

management of the server.

This section describes the following:

•Administrators

•Statistics

•DiameterStatistics

•TACACSStatistics

•Back Up and Restore

•LicenseUpload

Administrators

Prime Access Registrar provided super-user administrative access in which administrator can perform

all tasks including starting and stopping the system and changing the configuration.

Prime Access Registrar also provides view-only administrative access. View-only access restricts an

administrator to only being able to observe the system and prevents that user from making changes.

Table 3-68 lists and describes the fields in the Administrator Details page.

You can use the Administrators page for the following:

•Filtering Records

•Adding Administrator Details

Table 3-68 Administrator Properties

Fields Description

Name Required; administrator’s user ID.

Description Optional; description of the administrator.

New Password Required; encrypted password of the administrator.

Confirm New Password Required; encrypted password of the administrator and must

match Password.

View Only Default value (FALSE) indicates that the administrator is able to

modify the configuration. When set to TRUE, the administrator

can only view the server configuration and set the change the

server trace level.

3-129

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Administration

•Statistics

•Editing Records

•Deleting Records

Adding Administrator Details

To add new Administrator details:

Step 1 Choose Administration > Administrators. The Administrators page is displayed.

Step 2 Click Add to add administrator details. The Administrator Details page is displayed.

Step 3 Specify the required details.

Step 4 Click Submit to save the specified details in the Administrator Details page. Otherwise click Cancel to

return to the Administrators page without saving the details.

The Administrators page is displayed with the newly added details or a respective error message is

displayed.

Statistics

This feature provides statistical information on the specified server.

Table 3-69 lists the statistics information and the meaning of the values.

Table 3-69 aregcmd stats Information

Stats Value Meaning

serverStartTime Indicates the start time of the server.

serverResetTime Indicates the time when the server was

reloaded.

serverStat Indicates if the server is running or stopped.

totalPacketsInPool Number of packets that can be accommodated

in the pool.

totalPacketsReceived Number of packets that are received by

RADIUS server.

totalPacketsSent Number of packets that are sent by RADIUS

server.

totalRequests Number of requests received by RADIUS

server. This includes access requests and ac-

counting requests.

totalResponses Number of responses sent by RADIUS server.

This includes access accepts/rejects and ac-

counting responses.

3-130

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Administration

totalAccessRequests Number of access requests received/pro-

cessed by RADIUS server.

totalAccessAccepts Number of access accepts sent by RADIUS

server.

totalAccessChallenges Number of access challenges sent by

RADIUS server.

totalAccessRejects Number of access rejects sent by RADIUS

server.

totalAccessResponses Number of access responses sent by RADIUS

server.

totalAccountingRequests Number of accounting requests received by

RADIUS server.

totalAccountingResponses Number of accounting responses sent by

RADIUS server.

totalStatusServerRequests Number of status server request received by

RADIUS server.

totalAscendIPAAllocateRequests Number of requests received related to

Ascend IP address allocation.

totalAscendIPAAllocateResponses Number of responses sent related to Ascend

IP Address Allocation.

totalAscendIPAReleaseRequests Number of requests received related to

Ascend IP Address release.

totalAscendIPAReleaseResponses Number of responses sent related to Ascend

IP Address release.

totalUSRNASRebootRequests Number of user NAS reboot request received

by RADIUS server.

totalUSRNASRebootResponses Number of user NAS reboot response sent by

RADIUS server.

totalUSRResourceFreeRequests Number of user resource free request received

by RADIUS server.

totalUSRResourceFreeResponses Number of user resource free response sent by

RADIUS server.

totalUSRQueryResourceRequests Number of user query resource request

received by RADIUS server.

totalUSRQueryResourceResponses Number of user query resource response sent

by RADIUS server.

totalUSRQueryReclaimRequests Number of user query reclaim request

received by RADIUS server.

totalUSRQueryReclaimResponses Number of user query reclaim response sent

by RADIUS server.

totalPacketsInUse Number of packets that are being used.

totalPacketsDrained Number of packets that are drained.

Table 3-69 aregcmd stats Information (continued)

Stats Value Meaning

3-131

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Administration

totalPacketsDropped Number of packets that are dropped.

totalPayloadDecryptionFailures Number of failures due to payloads decryp-

tion.

RemoteServer statistics for: Provides server’s type, name, IP address, and

port used.

active Indicates whether the server was active (not in

a down state).

maxTries Number of retry attempts to be made by the

RemoteServer Object based on the Remote-

Server’s maxTries property setting.

RTTAverage Average round trip time since the last server

restart.

RTTDeviation Indicates a standard deviation of the RTTAv-

erage.

TimeoutPenalty Indicates any change made to the initial

timeout default value.

totalRequestsPending Number of requests currently queued.

totalRequestsSent Number of requests sent since the last server

restart.

Note totalRequestsSent should equal the

sum of totalRequestsOutstanding and

totalRequestsAcknowledged.

totalRequestsOutstanding Number of requests currently proxied that

have not yet returned

totalRequestsTimedOut Number of requests that have timed out since

last server restart or number requests not

returned from proxy server within the [config-

ured] initial timeout interval.

totalRequestsAcknowledged Number of responses received since last

server restart

totalResponsesDroppedForNotInCache Number of responses dropped because their

ID did not match the ID of any Pending

requests.

totalResponsesDroppedForSignatureMismatch Number of responses dropped because their

response authenticator did not decode to the

correct shared secret.

Table 3-69 aregcmd stats Information (continued)

Stats Value Meaning

3-132

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Administration

Resetting Server Statistics

To reset server statistics:

Step 1 Choose Administration > Statistics. The Radius Server Statistics page is displayed.

Step 2 Click Reset to reset all the RADIUS server statistics.

DiameterStatistics

Prime Access Registrar supports statistic of Diameter messages through the CLI/GUI and SNMP. The

existing ‘stats’ module has been extended to include additional counters related to Diameter. The

Diameter statistics includes peer statistics and global summary statistics details on the specified server.

Table 3-70 and Table 3-71 lists the statistics information and the meaning of the values. The statistical

information in Table 3-71 is displayed based on the peer selected.

totalRequestsDroppedAfterMaxTries Number of requests dropped because no

response was received after retrying the con-

figured number of times. This value is

different from totalRequestsTimedOut

because using the default configuration

values, no response within 2000 ms bumps the

TimedOut counter, but it waits 14000 ms

(2000 + 4000 + 8000) to bump this counter.

lastRequestTime Date and time of last proxy request.

lastAcceptTime Date and time of last ACCEPT response to a

client.

Table 3-69 aregcmd stats Information (continued)

Stats Value Meaning

Table 3-70 Diameter stats Information

Metric Value

Diameter Statistics

serverStartTime The start time of the server.

serverResetTime The reset time of the server.

serverState The state of the server.

cdbpLocalStatsTotalUpTime The total time for which the Diameter server

is up.

cdbpLocalResetTime The time elapsed since a server was reset.

cdbpLocalStatsTotalPacketsIn The total number of packets received by a

Diameter Base protocol.

3-133

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Administration

cdbpLocalStatsTotalPacketsOut The total number of packets transmitted by a

Diameter Base protocol.

Peer The name of the peer. You can select a peer

from the drop-down list.

Table 3-71 Diameter peer stats Information

Metric Value

Diameter Peers

Stats for the Remote Server The name of the selected peer.

ipaddress The IP address of the peer.

port The port of the peer.

cdbpPeerStatsState Indicates the connection state in the Peer State

Machine of the peer with which the Diameter

server is communicating.

cdbpPeerStatsASAsOut Number of Abort-Session-Answer messages

that are sent to the peer.

cdbpPeerStatsACRsIn Number of Accounting-Request messages

that are received from the peer

cdbpPeerStatsACRsOut Number of Accounting-Request messages

that are sent to the peer.

cdbpPeerStatsACAsIn Number of Accounting-Answer messages that

are received from the peer.

cdbpPeerStatsACAsOut Number of Accounting-Answer messages that

are sent to the peer.

cdbpPeerStatsCERsIn Number of Capabilities-Exchange-Request

messages received from the peer.

cdbpPeerStatsCERsOut Number of Capabilities-Exchange-Request

messages sent to the peer.

cdbpPeerStatsCEAsIn Number of Capabilities-Exchange-Answer

messages received from the peer.

cdbpPeerStatsCEAsOut Number of Capabilities-Exchange-Answer

messages sent to the peer.

cdbpPeerStatsDWRsIn Number of Device-Watchdog-Request

messages received from the peer.

cdbpPeerStatsStateDuration Represents the Peer state duration.

cdbpPeerStatsDWRsOut Number of Device-Watchdog-Request

messages sent to the peer.

cdbpPeerStatsDWAsIn Number of Device-Watchdog-Answer

messages received from the peer.

Table 3-70 Diameter stats Information (continued)

Metric Value

3-134

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Administration

cdbpPeerStatsDWAsOut Number of Device-Watchdog-Answer

messages sent to the peer.

cdbpPeerStatsDPRsIn Number of Disconnect-Peer-Request

messages received from the peer.

cdbpPeerStatsDPRsOut Number of Disconnect-Peer-Request

messages sent to the peer.

cdbpPeerStatsDPAsIn Number of Disconnect-Peer-Answer

messages received from the peer.

cdbpPeerStatsDPAsOut Number of Disconnect-Peer-Answer

messages sent to the peer.

cdbpPeerStatsRARsIn Number of Re-Auth-Request messages that

are received from the peer.

cdbpPeerStatsRARsOut Number of Re-Auth-Request messages that

are sent to the peer.

cdbpPeerStatsRAAsIn Number of Re-Auth-Answer messages that

are received from the peer.

cdbpPeerStatsRAAsOut Number of Re-Auth-Answer messages that

are sent to the peer.

cdbpPeerStatsSTRsIn Number of Session-Termination-Request

messages that are received from the peer.

cdbpPeerStatsSTRsOut Number of Session-Termination-Request

messages that are sent to the peer.

cdbpPeerStatsSTAsIn Number of Session-Termination-Answer

messages that are received from the peer.

cdbpPeerStatsSTAsOut Number of Session-Termination-Answer

messages that are sent to the peer.

cdbpPeerStatsDWReqTimer The interval between the packets that are sent

to the peers.

cdbpPeerstatsRedirectEvents Number of redirects that are sent from a peer.

cdbpPeerStatsAccDupRequests Number of duplicate Diameter Account-

ing-Request packets.

cdbpPeerStatsMalformedReqsts Number of malformed Diameter packets that

are received.

cdbpPeerStatsAccsNotRecorded Number of Diameter Accounting-Request

packets that are received and responded but

not recorded.

cdbpPeerStatsWhoInitDisconnect Indicates whether the host or peer initiated the

disconnect.

cdbpPeerStatsAccRetrans Number of Diameter Accounting-Request

packets that are retransmitted to the Diameter

server.

Table 3-71 Diameter peer stats Information (continued)

Metric Value

3-135

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Administration

Select the required peer from the Client drop-down list and click the Show Peer Stats button to view the

Diameter statistics of the peer. Click the Reset button, to reset all the Diameter statistics of the peer.

cdbpPeerStatsTotalRetrans Number of Diameter packets that are retrans-

mitted to the Diameter server. This does not

include the Diameter Accounting-Request

packets that are retransmitted.

cdbpPeerStatsAccPendReqstsOut Number of Diameter Accounting-Request

packets that are sent to the peer which have

not yet timed out or received a response. This

variable is incremented when an Account-

ing-Request is sent to the server and decre-

mented due to receipt of an

Accounting-Response, a timeout or a retrans-

mission.

cdbpPeerStatsAccReqstsDropped Number of Accounting-Requests to the server

that are dropped.

cdbpPeerStatsHByHDropMessages An answer message that is received with an

unknown hop-by-hop identifier. This does not

include the accounting requests that are

dropped.

cdbpPeerStatsEToEDupMessages The duplicate answer messages that are

locally consumed. This does not include

duplicate accounting requests that are

received.

cdbpPeerStatsUnknownTypes Number of Diameter packets of unknown type

that are received from the peer.

cdbpPeerStatsProtocolErrors Number of protocol errors that are returned to

peer, but not including the redirects.

cdbpPeerStatsTransientFailures Indicates the transient failure count.

cdbpPeerStatsDWCurrentStatus Indicates the connection status of the peer.

cdbpPeerStatsTransportDown Number of unexpected transport failures.

cdbpPeerStatsTimeoutConnAtmpts Number of times the server attempts to

connect to a peer when there is no transport

connection with the peer. This is reset on dis-

connection.

cdbpPeerStatsASRsIn Number of Abort-Session-Request messages

that are received from the peer.

cdbpPeerStatsASRsOut Number Abort-Session-Request messages

that are sent to the peer.

cdbpPeerStatsASAsIn Number of Abort-Session-Answer messages

that are received from the peer.

Table 3-71 Diameter peer stats Information (continued)

Metric Value

3-136

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Administration

TACACSStatistics

Prime Access Registrar supports CISCO-AAA-SERVER-MIB to describe the statistics of TACACS+

protocol. This is supported through CLI/GUI and SNMP.

Table 3-72 lists the statistics information and the meaning of the values.

Table 3-72 TACACS stats Information

Metric Value

TACACS Statistics

serverStartTime The start time of the server.

serverResetTime The reset time of the server.

serverState The state of the server.

totalPacketsReceived Number of packets that are received by a

TACACS+ protocol irrespective of the type of

Authentication and Accounting.

totalPacketsSent Number of packets that are sent by a

TACACS+ protocol irrespective of the type of

Authentication and Accounting.

totalRequests Number of packet requests that are received

by a TACACS+ protocol irrespective of the

type of Authentication and Accounting.

totalResponses Number of packet responses that are sent by a

TACACS+ protocol irrespective of the type of

Authentication and Accounting.

totalAuthenticationRequests Number of authentication requests that are

received by Prime Access Registrar.

totalAuthenticationAccepts Number of authentication requests that are

accepted by Prime Access Registrar.

totalAuthenticationRejects Number of authentication requests that are

rejected by Prime Access Registrar.

totalAuthenticationChallenges Number of authentication challenges that are

faced by Prime Access Registrar.

totalAuthenticationResponses Number of authentication responses that are

sent by Prime Access Registrar.

totalAuthorizationRequests Number of authorization requests that are

received by Prime Access Registrar.

totalAuthorizationAccepts Number of authorization requests that are

accepted by Prime Access Registrar.

totalAuthorizationRejects Number of authorization requests that are

rejected by Prime Access Registrar.

totalAuthorizationResponses Number of authorization responses that are

sent by Prime Access Registrar.

totalAccountingRequests Number of accounting requests that are

received by Prime Access Registrar.

3-137

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Administration

Back Up and Restore

To back up and restore the server details, Choose Administration > Backup&Restore. The Backup

page is displayed with the list of recently backed up details of the server with the date and time. This

option allows you to take a backup of the database, sessions, and scripts, and stores it in

/cisco-ar/backup directory.

Backup Server Details

To back up the server details:

Step 1 Choose Administration > Backup & Restore. The Backup page is displayed.

Step 2 Click Backup to take a backup of the database, sessions, and scripts, and stores it in /cisco-ar/backup

directory. The details will be backed up and appended to the backup list and displayed in the Backup

page.

Restoring Server Details

To restore the backed-up server details:

Step 1 Choose Administration > Backup & Restore. The Backup page is displayed.

Step 2 Choose the record from the backup list.

Step 3 Click Restore. The details of the selected back up file will be restored successfully.

LicenseUpload

Prime Access Registrar license information are uploaded using the Upload feature. To upload the license

file,

totalAccountingAccepts Number of accounting requests that are

accepted by Prime Access Registrar.

totalAccountingRejects Number of accounting requests that are

rejected by Prime Access Registrar.

totalAccountingResponses Number of accounting requests that are sent

by Prime Access Registrar.

totalPayloadDecryptionFailures Number of packets that are not decrypted by

Prime Access Registrar.

totalPacketsDropped Number of packets that are dropped by

Prime Access Registrar. The packets are

dropped, which are invalid and do not fulfill

the parsing conditions.

Table 3-72 TACACS stats Information (continued)

Metric Value

3-138

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 3 Using the Graphical User Interface

Read-Only GUI

Uploading License File

To upload the Prime Access Registrar license file:

Step 1 Choose Administration > LicenseUpload. The Prime Access Registrar License-Upload page is

displayed.

Step 2 Click Browse to locate the license file. The File Upload dialog box is displayed.

Step 3 Choose the required file.

Step 4 Click Upload. The selected file will be uploaded in /cisco-ar/license directory.

Note You need to ensure that the license file that you want to upload should be in .lic format.

Step 5 Click Reset to clear the text in the Select the File field, if you want to clear the selected path.

Read-Only GUI

Prime Access Registrar provides a read-only GUI that enables an administrator to observe the system

but prevents that administrator from making changes.

When you configure a user to be an administrator, check the View-Only check box to limit the

administrator to view-only operation. You can also use the CLI by setting the View-Only property to

TRUE under /Administrator/admin_name.

When using the Read-Only GUI, the Configuration, Network Resources and Administration sections are

displayed as same as a fully-enabled administrator. The details of these sections are displayed in text

format and cannot be edited.

CHAPTER

4-1

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Cisco Prime Access Registrar Server Objects

This chapter describes the objects you use to configure and operate your Cisco Prime Access Registrar

(Prime Access Registrar) RADIUS server.

Prime Access Registrar is configured and operated through a set of objects. These objects are arranged

in a hierarchy, with some of the objects containing subobjects; just as in a UNIX file system, in which

directories can contain subdirectories. All of the objects, except those that are merely lists, contain

properties that define the attributes or behavior of the object.

This chapter describes the following Prime Access Registrar objects:

•Radius— root of the configuration hierarchy

•UserLists—contains individual UserLists, which in turn contain users

•UserGroups—contains individual UserGroups

•Policies—contains individual Policies

•Clients—contains individual Clients

•Vendors—contains individual Vendors

•Scripts—contains individual Scripts

•Services—contains individual Services

•Session Managers—contains individual Session Managers

•Resource Managers—contains individual Resource Managers

•Profiles—contains individual Profiles

•Rules—contains individual Rules

•FastRules—contains attributes to add, modify, and delete in the request, response, and environment

dictionaries.

•Translations—contains individual Translations

•TranslationGroups—contains individual Translation Groups

•Remote Servers—contains individual RemoteServers

•Advanced—contains advanced properties, Ports, Interfaces, Reply Messages, and the Attribute

dictionary

4-2

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Radius

The Radius object is the root of the hierarchy. For each installation of the Cisco Prime Access Registrar

server, there is one instance of the Radius object. You reach all other objects in the hierarchy from the

Radius.

The following is a listing of the RADIUS server object:

[ //localhost/Radius ]

Name = Radius

Description =

Version = 6.1.0.0

IncomingScript~ = uery

OutgoingScript~ =

DefaultAuthenticationService~ = local-users

DefaultAuthorizationService~ = local-users

DefaultAccountingService~ = local-file

DefaultSessionService~ =

DefaultSessionManager~ = mgr-rad

UserLists/

UserGroups/

Policies/

Clients/

Vendors/

Scripts/

Services/

SessionManagers/

ResourceManagers/

Profiles/

Rules/

Translations/

TranslationGroups/

RemoteServers/

CommandSets/

DeviceAccessRules/

FastRules/

Advanced/

Replication/

Table 4-1 lists the Radius properties. You you can set or change Radius properties using the

Cisco Prime Access Registrar aregcmd commands.

Note When a field is listed as required, it means a value must be supplied; that is, the value must be set. You

can use the default (if it is supplied) or you can change it to something else, but you cannot unset it. You

must supply values for the required fields and for which no defaults exist.

.Table 4-1 Radius Properties

Property Description

Name Required; must be unique in the list of servers in the cluster

Description Optional description of the server

Version Required; the currently installed version of Prime Access Registrar

IncomingScript Optional; if there is a script, it is the first script

Cisco Prime Access Registrar runs when it receives a request from

any client and/or for any service

4-3

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

UserLists

The remaining Cisco Prime Access Registrar objects are sub-objects of the Radius object.

UserLists

The UserLists object contains all of the individual UserLists, which in turn, contain the specific users

stored within Cisco Prime Access Registrar. Cisco Prime Access Registrar references each specific

UserList by name from a Service whose type is set to local. When Cisco Prime Access Registrar

receives a request, it directs it to a Service. When the Service has its type property set to local, the

Service looks up the user’s entry in the specific UserList and authenticates and/or authorizes the user

against that entry.

Note Usernames might not include the forward slash (/) character. If the Cisco Prime Access Registrar server

receives an access request packet with a User-Name attribute containing a forward slash character and

the Prime Access Registrar server uses an internal UserList to look up users, the server produces an error

(AX_EINVAL) and might fail. If usernames require a forward slash, use a script to translate the slash to

an acceptable, unused character.

You can have more than one UserList in the UserLists object. Therefore, use the UserLists object to

divide your user community by organization. For example, you might have separate UserLists objects

for Company A and B, or you might have separate UserLists objects for different departments within a

company.

Using separate UserLists objects allows you to have the same name in different lists. For example, if

your company has three people named Bob and they work in different departments, you could create a

UserList for each department, and each Bob could use his own name. Using UserLists lets you avoid the

problem of Bob1, Bob2, and so on.

OutgoingScript Optional; if there is a script, it is the last script

Cisco Prime Access Registrar runs before it sends a response to any

client

DefaultAuthenticationService Optional; Cisco Prime Access Registrar uses this property when

none of the incoming scripts sets the environment dictionary

variable Authentication-Service

DefaultAuthorizationService Optional; Cisco Prime Access Registrar uses this property when

none of the incoming scripts sets the environment dictionary

variable Authorization-Service

DefaultAccountingService Optional; Cisco Prime Access Registrar uses this property when

none of the incoming scripts sets the environment dictionary

variable Accounting-Service

DefaultSessionService Optional; Cisco Prime Access Registrar uses this property when

none of the incoming scripts sets the environment dictionary

variable Session-Service.

DefaultSessionManager Optional; Cisco Prime Access Registrar uses this property if none

of the incoming scripts sets the environment dictionary variable

Session-Manager.

Table 4-1 Radius Properties (continued)

Property Description

4-4

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

UserLists

If you have more than one UserList, you can have a script Cisco Prime Access Registrar can run in

response to requests. The script chooses the Service, and the Service specifies the actual UserList which

contains the user. The alternative is dynamic properties.

The subobjects are the Users listed by name. Table 4-2 lists the UserLists object properties.

Users

The Users object contains all of the information necessary to authenticate a user or authorize a user.

Users in local UserLists can have multiple profiles. Table 4-3 lists the Users object properties.

HiddenAttributes Property

The HiddenAttributes property in the user object provides a concatenation of all user-level reply

attributes. The Prime Access Registrar server uses the HiddenAttributes property to construct and

populate a virtual attributes directory.

Table 4-2 UserLists Properties

Property Description

Name Required; must be unique in UserLists.

Description Optional description of the UserList.

Table 4-3 Users Properties

Property Description

Name Required; must be unique in the specific UserList.

Description Optional description of the user.

Password Required; length must be between 0-253 characters.

Enabled Required; default is TRUE, which means the user is allowed access. Set to

FALSE to cause Cisco Prime Access Registrar to deny the user access.

Group

(Overridden by

User-Group)

Optional; when you set this to the name of a UserGroup,

Cisco Prime Access Registrar uses the properties specified in that UserGroup

to authenticate and/or authorize the user.

BaseProfile

(Overridden by

User-Profile)

Optional; when you set this to the name of a Profile and the service-Type is

not equal to Authenticate Only, Cisco Prime Access Registrar adds the

properties in the Profile to the Response dictionary as part of the authorization.

AuthenticationScript Optional; when you set this property to the name of a script, you can use the

script to perform additional authentication checks to determine whether to

accept or reject the user.

AuthorizationScript Optional; when you set this property to the name of a script, you can use the

script to add, delete, or modify the attributes of the Response dictionary.

UserDefined1 Optional; you can use this property to store notational information which you

can then use to filter the UserList. This property also sets the environment

variable for UserDefined1.

4-5

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

UserGroups

The HiddenAttributes property is, in fact, hidden. It is not displayed and cannot be set or modified using

aregcmd, but when an administrator issues a save, all values from the user’s Attributes directory go into

the HiddenAttributes property and the persistent storage.

The attributes are added in a replace-if-present-add-if-not manner as used in the UserGroup-Base-Profile

and User-Base-Profile.

The order of application of the attributes is as follows:

•UserGroup Base Profile

•UserGroup Attributes

•User Base Profile

•User Attributes

UserGroups

The UserGroups objects allow you to maintain common authentication and authorization attributes in

one location, and then have many users reference them. By having a central location for attributes, you

can make modifications in one place instead of having to make individual changes throughout your user

community.

For example, you can use several UserGroups to separate users by the services they use, such as a group

specifying PPP and another for Telnet.

Table 4-4 lists the UserGroups properties.

Policies

A Policy is a set of rules applied to an Access-Request. If you are using Policies, the first one that must

be created is SelectPolicy.

Table 4-5 lists the properties required for a given Policy.

Table 4-4 UserGroups Properties

Property Description

Name Required; must be unique in the UserGroup list.

Description Optional description of the group.

BaseProfile Optional; when you set this to the name of a Profile,

Cisco Prime Access Registrar adds the properties in the Profile to the

response dictionary as part of the authorization.

AuthenticationScript Optional; when you set this property to the name of a Script, you can use

the Script to perform additional authentication checks to determine

whether to accept or reject the user.

AuthorizationScript Optional; when you set this property to the name of a Script, you can use

the Script to add, delete, or modify the attributes of the Response

dictionary.

4-6

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Clients

All NASs and proxy clients that communicate directly with Cisco Prime Access Registrar must have an

entry in the Clients list. This is required because NAS and proxy clients share a secret with the RADIUS

server which is used to encrypt passwords and to sign responses. Table 4-6 lists the Client object

properties.

Table 4-5 Policies Properties

Property Description

Name Required; must be unique in the Policies list

Description Optional description of the Policy

Grouping Optional grouping of rules

Table 4-6 RADIUS Client Properties

Property Description

Name Required and should match the Client identifier specified in the

standard RADIUS attribute, NAS-Identifier. The name must be

unique within the Clients list.

Description Optional description of the client.

Protocol Required; specifies the client protocol which can be Radius,

Diameter, or Tacacs-and-Radius.

4-7

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Clients

IPAddress Required; must be a valid IP address and unique in the Clients list.

Cisco Prime Access Registrar uses this property to identify the

Client that sent the request, either using the source IP address to

identify the immediate sender or using the NAS-IP-Address or

NAS-IPv6-Address attribute in the Request dictionary to identify the

NAS sending the request through a proxy.

When a range is configured for a Client’s IPAddress property, any

incoming requests whose source address belongs to the range

specified, will be allowed for further processing by the server.

Similarly when a wildcard (an asterisk ‘*’ in this case) is specified,

any incoming requests whose source address matches the wildcard

specification will be allowed. In both the cases, the configured client

properties like SharedSecret, and Vendor are used to process the

requests.

You can specify a range of IP addresses using a hyphen as in:

100.1.2.11-20

You can use an asterisk wildcard to match all numbers in an IP

address octet as in:

100.1.2.*

You can specify an IPAddress and a subnet mask together using

Classless Inter-Domain Routing (CIDR) notation as in:

100.1.2.0/24

You can use the IPAddress property to set a base address and use the

NetMask property to specify the number of clients in the subnet

range.

The IP address format is enhanced to support IPv6 apart from IPv4.

You can use an asterisk wildcard to match all numbers in an IP

address octet as in:

1124:1124:1124:1124:*:*:*:*

Note The IPv6 address must be in standard notation.

SharedSecret Required; must match the secret configured in the Client.

Type Required; accept the default (NAS), or set it to ATM, Proxy, or

NAS+Proxy.

Vendor Optional; you can use this property when you need special processing

for a specific vendor’s NAS. To use this property, you must configure

a Vendor object and include a Script. Cisco Prime Access Registrar

provides five Scripts you can use: one for Ascend, Cisco, Cabletron,

Altiga, and one for USR. You can also provide your own Script.

IncomingScript Optional; you can use this property to specify a Script you can use to

determine the services to use for authentication, authorization, and/or

accounting.

Table 4-6 RADIUS Client Properties (continued)

Property Description

4-8

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Clients

OutgoingScript Optional; you can use this property to specify a Script you can use to

make any Client-specific modifications when responding to a

particular Client.

EnableDynamicAuthorization Optional; when set to TRUE, this property enables Change of

Authorization and Packet of Disconnect features.

DynamicAuthorizationServer This subdirectory is only present in a client with

EnableDynamicAuthorization set to TRUE and contains properties

required for CoA and PoD requests.

Port Located under the DynamicAuthorizationServer subdirectory, the

default port is 3799.

InitialTimeout Located under the DynamicAuthorizationServer subdirectory, the

default is 5000.

MaxTries Located under the DynamicAuthorizationServer subdirectory, the

default is 3.

DynamicAuthSharedSecret Located under the DynamicAuthorizationServer subdirectory, this is

the shared secret used for communicating CoA and PoD packets with

the client.

PODAttributeGroup This property is found under the DynamicAuthorizationServer

subdirectory and points to a group of attributes to be included in a

POD request sent to this client. These attribute groups are created and

configured under the AttributeGroups subdirectory in

/Radius/Advanced.

COAAttributeGroup This property is found under the DynamicAuthorizationServer

subdirectory and points to a group of attributes to be included in a

CoA request sent to this client. These attribute groups are created and

configured under the AttributeGroups subdirectory in

/Radius/Advanced.

NetMask Specifies the subnet mask used with the network address setting

configured for the IPAdress property when configuring a range of IP

addresses.

This property is not used for a single client with an IP address only.

The NetMask property is used to configure multiple clients when you

configure a base IP address in the IPAddress property. You can set the

NetMask property for a range of 256 clients using the following

example:

set NetMask 255.255.255.0

When the NetMask property indicates a pool of 256 address

(255.255.255.0), the range of addresses reserved for clients is 0-255,

as in 100.1.1.0-100.1.1.255.

Note If you set the NetMask property, validation will fail if you

attempt to specify a subnet mask using CIDR notation with

the IPAddress property (described above).

Table 4-6 RADIUS Client Properties (continued)

Property Description

4-9

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Clients

Table 4-7 describes the Diameter client properties.

EnableNotifications Required; the default value is FALSE and indicates the client is not

capable of receiving Accounting-Stop notifications from the

Prime Access Registrar server.

When set to TRUE, the client can receive Accounting-Stop

notifications from the Prime Access Registrar server and additional

properties must be configured under a new sub-directory named

NotificationProperties.

NotificationProperties When the EnableNotifications property is set to TRUE, this

subdirectory contains additional properties required to support the

Query-Notify feature.

Port Located under the NotificationProperties subdirectory, specifies the

port used by the Prime Access Registrar server to receive

Accounting-Stop packets. Required when EnableNotifications is set

to TRUE; the default value is 1813.

InitialTimeout Located under the NotificationProperties subdirectory, specifies the

timeout value in milliseconds the Prime Access Registrar server

waits for an Accounting-Response packet before attempting a retry

(sending another Accounting-Stop packet to the client).

Required when EnableNotifications is set to TRUE; the default value

is 5000.

MaxTries Located under the NotificationProperties subdirectory, specifies the

number of times the Prime Access Registrar server sends an

Accounting-Stop packet to a client.

Required when EnableNotifications is set to TRUE; the default value

is 3.

NotificationAttributeGroup Located under the NotificationProperties subdirectory, specifies the

name of an attribute group under

/Radius/Advanced/AttributeGroups that contains the attributes to

be included when sending an the Accounting-Stop packet to this

client.

Required when EnableNotifications is set to TRUE; there is no

default value. You must provide the name of a valid AttributeGroup

and the named AttributeGroup must contain at least one valid

attribute, or validation will fail.

EnforceTrafficThrottling Required; the default value is TRUE and indicates enforce traffic

throttling for this client. This property is under /Radius/Advanced/

MaximumOutstanding/IncomingRequests.

When set to FALSE, the traffic throttling for the packet coming from

this client is bypassed.

Table 4-6 RADIUS Client Properties (continued)

Property Description

4-10

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Vendors

The Vendor object provides a central location for specifying all of the request and response processing

a particular NAS or Proxy vendor requires. Depending on the vendor, it might be necessary to map

attributes in the request from one set to another, or to filter out certain attributes before sending the

response to the client. For more information about standard RADIUS attributes, see Appendix C,

“RADIUS Attributes.”

Note When you have also set /Radius/IncomingScript, Cisco Prime Access Registrar runs that script before

the vendor’s script. Conversely, when you have set a /Radius/Outgoing script,

Cisco Prime Access Registrar runs the vendor’s script before that script.

Table 4-8 lists the Vendor object properties.

Table 4-7 Diameter Client Properties

Property Description

Name Required; must be unique in the client list.

Description Optional; description of the client.

Protocol Required; specifies the client protocol which can be Radius or Diameter.

HostName Required; hostname or IP address of the Diameter client.

Vendor Optional; you can use this property when you need special processing for

a specific vendor’s peer.

IncomingScript Optional; specifies a script that you can use to make client-specific

modifications when a request is received from a client.

OutgoingScript Optional; specifies a script that you can use to make any client-specific

modifications when responding to a particular client.

Port Required; port on which the client connects with Prime Access Registrar

server.

SCTP-Enabled Required, default value is False. If set to TRUE, SCTP will be used to

establish the connection with the peer else TCP will be used.

Table 4-8 Vendor Properties

Property Description

Name Required; must be unique in the Vendors list.

Description Optional description of the vendor.

IncomingScript Optional; when you specify an IncomingScript, Cisco Prime Access Registrar

runs the script on all requests from clients that specify that vendor.

OutgoingScript Optional; when you specify an OutgoingScript, Cisco Prime Access Registrar

runs the script on all responses to the Client.

4-11

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Scripts

The Script objects define the function Cisco Prime Access Registrar invokes whenever the Script is

referenced by name from other objects in the configuration.

You can write three types of scripts:

•REX (RADIUS EXtension) scripts are written in C or C++, and thus are compiled functions that

reside in shared libraries

•Tcl scripts are written in Tcl, and are interpreted functions defined in source files.

•Java scripts

Note For more information about how to write scripts and how to incorporate them into

Cisco Prime Access Registrar, see Chapter 11, “Using Extension Points.”

Note Cisco is not liable for scripts developed by clients. See Client Scripting in Chapter 1, “Overview.”

Table 4-9 lists the Script object properties.

The InitEntryPoint properties allow you to perform initialization before processing and then cleanup

before stopping the server. For example, when Prime Access Registrar unloads the script (when it stops

the RADIUS server) it calls the InitEntryPoint again to allow it to perform any clean-up operations as

a result of its initialization. One use of the function might be to allow the script to close an open

Accounting log file before stopping the RADIUS server.

Table 4-9 Script Object Properties

Property Description

Name Required; must be unique in the Scripts list.

Description Optional description of the script.

Language Required; specify either REX, Tcl, or Java.

Filename Required; specifies either a relative or absolute path. When you specify a relative

path, the path must be relative to the $INSTALL/scripts/radius/$Language

directory. When you specify an absolute path, the server must be able to reach it.

EntryPoint Optional; when not set, Prime Access Registrar uses the value specified in the

Name property.

InitEntryPoint Optional; if set, it must be the name of the global symbol Prime Access Registrar

should call when it initializes the shared library at system start up, and just before

it unloads the shared library.

InitEntryPointArg Optional; when set, it provides the arguments to be passed to the InitEntryPoint

in the environmental variable Arguments.

ClassName For Java language scripts, the name of the class that implements the extension

interface; the .class file should be placed in /cisco-ar/scripts/radius/java

InitializeArg Optional for Java language scripts; set to a string to be passed to the Initialize

method if the class implements the optional ExtensionWithInitialization

interface.

4-12

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Services

Note When you use a Prime Access Registrar file service, Prime Access Registrar automatically closes any

opened files. However, if you write scripts that manipulate files, you are responsible for closing them.

Note If you have more than one extension point script (defined under /Radius/Scripts) using the same Java

class, only one instance of the class is created and used for all the extension point scripts.

Services

Cisco Prime Access Registrar supports authentication, authorization, and accounting (AAA) services. In

addition to the variety of built-in AAA services (specified in the Type property),

Cisco Prime Access Registrar also enables you to add new AAA services through custom shared

libraries.

Table 4-10 lists the common Services properties. There are additional properties depending on the type

of service.

Note OutagePolicy also applies to Accounting-Requests. If an Accounting-Request is directed to an

unavailable Service, then the values in Table 4-11 apply.

Table 4-10 Common Service Properties

Property Description

Name Required; must be unique in the Services list.

Description Optional description of the service.

Type Required, must set it to a valid Prime Access Registrar service.

OutagePolicy Required; the default is DropPacket. This property defines how

Cisco Prime Access Registrar handles requests if all servers listed in the

RemoteServers properties are unavailable (that is, all remote RADIUS servers

are not available). You must set it to one of the following: AcceptAll,

DropPacket, or RejectAll.

OutageScript Optional; if you set this property to the name of a script,

Cisco Prime Access Registrar runs it when an outage occurs. This property allows

you to create a script that notifies you when the RADIUS server detects a failure.

4-13

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Services

Types of Services

This section lists the types of services available in Prime Access Registrar with their required and

optional properties. The service you specify determines what additional information you must provide.

This section contains the following topics:

•Domain Authentication

•EAP Services

•File

•Group

•Java

•LDAP

•Local

•ODBC

•ODBC-Accounting

•Prepaid Services

•RADIUS

•Radius Query

•RADIUS-Session

•Rex

•WiMAX

•Diameter

•M3UA

Table 4-11 OutagePolicy Request Packets

Property Description Accounting-Request Description

AcceptAll Continues processing the packet

as if the Service was successful.

The Accounting-Request will

continue through the server and a

response will be sent.

DropPacket Immediately drops the packet,

no further processing, and does

not send any response to the

client for this packet.

The packet will be discarded and

it will not be processed any

further.

RejectAll Rejects the packet, but continues

processing it and sends the client

a reject response.

The request will be dropped and

no more processing will be done.

4-14

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Services

Domain Authentication

The Domain Authentication service type, domain-auth, is used with a Remote Server of the same type

to provide support for authentication against Windows Domain Controller/Active Directory (WDC/AD).

The following example lists the default configuration for a domain-auth service which are all common

service properties described in Table 4-10:

[ //localhost/Radius/Services/wdc ]

Name = wdc

Description =

Type = domain-auth

IncomingScript~ =

OutgoingScript~ =

OutagePolicy~ = RejectAll

OutageScript~ =

MultipleServersPolicy = Failover

RemoteServers/

EAP Services

Prime Access Registrar supports Extensible Authentication Protocol (EAP) and Protected EAP (PEAP)

to provide a common protocol for differing authentication mechanisms. EAP enables the dynamic

selection of the authentication mechanism at authentication time based on information transmitted in the

Access-Request. Prime Access Registrar provides the following EAP services:

•EAP-FAST

•EAP-GTC

•EAP-LEAP

•EAP-MD5

•EAP-MSChapV2

•EAP-Negotiate

•EAP-SIM

•EAP-Transport Level Security (TLS)

•EAP-Tunneled TLS (TTLS)

•PEAP Version 0 (Microsoft PEAP)

•PEAP Version 1 (Cisco PEAP)

See Chapter 9, “Extensible Authentication Protocols,” for detailed information about properties used in

EAP-type services.

File

Specify the file service when you want Cisco Prime Access Registrar’s RADIUS Server to perform local

accounting using a specific file. Every file Service in your configuration will cause a file with the

configured name to be created when the server is started, even if the service is not being invoked by any

request packets. Table 4-12 lists the properties used for a file service.

4-15

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Services

Cisco Prime Access Registrar opens the file when it starts the RADIUS server and closes the file when

you stop the server. Prime Access Registrar flushes the accounting record to disk before it acknowledges

the request.

Based on the maximum file size and age you have specified, Prime Access Registrar closes the

accounting file, moves it to a new name, and reopens the file as a new file. The name

Prime Access Registrar gives this accounting file depends on its creation and modification dates.

•If the file was created and modified on the same date, the filename is

FileNamePrefix-<yyyymmdd>-<n>.log. The date is displayed as year, month, day, number.

•If the file was created on one day and modified on another, the filename is

FileNamePrefix-<yyyymmdd>-<yyyymmdd>-<n>.log. The dates are creation, modification, and

number.

Table 4-12 File Service Properties

Property Description

Type Required; must be set to group for a group service.

IncomingScript Name of script to run when the service starts.

OutgoingScript Name of script to run when the service ends.

OutagePolicy Required; the default is DropPacket. This property defines how

Cisco Prime Access Registrar handles requests if all servers listed in the

RemoteServers properties are unavailable (that is, all remote RADIUS

servers are not available). You must set it to one of the following: AcceptAll,

DropPacket, or RejectAll.

OutageScript Optional; if you set this property to the name of a script,

Cisco Prime Access Registrar runs it when an outage occurs. This property

allows you to create a script that notifies you when the RADIUS server

detects a failure.

FilenamePrefix Required; a string that specifies where Cisco Prime Access Registrar writes

the account records. It must be either a relative or absolute path. When you

specify a relative path, it must be relative to the $INSTALL/logs directory.

When you specify an absolute path, the server must be able to reach it. The

default is Accounting.

MaxFileSize Optional; stored as a string, but is composed of two parts, a number and a

units indicator (<n> <units>) in which the unit is one of: K, Kilobyte,

Kilobytes, M, Megabyte, Megabytes, G, Gigabyte, Gigabytes. The default is

ten megabytes.

MaxFileAge Optional; stored as a string, but is composed of two parts, a number and a

units indicator (<n> <units>) in which the unit is one of: H, Hour, Hours,

D, Day, Days, W, Week, Weeks. The default is one day.

RolloverSchedule Indicates the exact time including the day of the month or day of the week,

hour and minute to roll over the accounting log file.

UseLocalTimeZone When set to TRUE, indicates the accounting records' TimeStamp is in local

time. When set to FALSE, the default, accounting records' TimeStamp is in

GMT.

4-16

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Services

Group

A group service contains a list of references to other services and specifies whether the responses from

each of the services should be handled as a logical AND or a logical OR function. You specify AND or

OR in the Result-Rule attribute of Group Services. The default value is AND.

Table 4-13 lists the properties used to configure a group service.

If Result-Rule is set to AND, the response from the Group Service is positive if each of the services

referenced return a positive result. The response is negative if any of the services reference return a

negative result. If Result-Rule is set to OR, the response from the Group Service is positive if any of the

services referenced return a positive result. The response is negative if all the referenced services return

a negative result.

When the Result-Rule attribute is set to AND or OR, each referenced service is accessed sequentially,

and the Group Service waits for a response from the first referenced service before moving on to the next

service (if necessary). If a service takes a long time to respond, that causes a delay in sending the request

to the next referenced server.

The ResultRule settings parallel-and and parallel-or are similar to the AND and OR settings except that

they ask each referenced service to process the request simultaneously instead of asking each referenced

server sequentially, thereby saving processing time.

A parallel-and setting might respond with its own reply as soon as it receives a negative response, but

otherwise must wait for all responses before it can respond with a positive reply. Likewise, a parallel-or

might respond as soon as it receives a positive response, but otherwise must wait for all responses before

it can reply with a negative response.

If a service referenced from a Group Service is of type RADIUS and if Accounting-Requests are being

processed by the Group Service, setting the AckAccounting property in the remote server will affect the

behavior of the parallel-or Group Service. This is because if AckAccounting is set to FALSE, the

RADIUS Remote Server will not wait for the response from the remote server but returns a response

immediately. Since the Group Service is set to parallel-or, after it receives the response from the

Table 4-13 Group Service Properties

Property Description

Type Required; must set it to group.

IncomingScript Optional; name of script to run when the service starts.

OutgoingScript Optional; name of script to run when the service ends.

ResultRule When set to AND (the default), the response from the GroupService is positive

if each of the services referenced return a positive result. The response is

negative if any of the services reference return a negative result.

When set to OR, the response from the GroupService is positive if any of the

services referenced return a positive result. The response is negative if all the

referenced services return a negative result.

The settings parallel-AND or parallel-OR are similar to AND and OR settings,

except that each referenced service processes requests simultaneously instead

of asking each reference service sequentially to save processing time.

GroupServices Use the GroupServices subdirectory to specify the subservices in an indexed

list to provide specific ordering control of which services to apply first. Each

subservice listed must be defined in the Services section of the RADIUS

configuration and cannot be a of type group, eap-leap, or eap-md5.

4-17

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Services

RADIUS service, it is free to send a response itself. This will have the effect that a response is sent very

quickly from the Group Service acknowledging the Accounting-Request and responses from the other

referenced services are handled as the arrive.

Note that since AckAccounting was set to FALSE, there is no guarantee that the Remote Server

successfully processed the request. Since it is a RADIUS Remote Server, the Prime Access Registrar

server attempts for MaxTries to send the request to the server and to get back an acknowledgement, but

if that fails, there will be no indication to the client about that event. The acknowledgement to the client

has been sent long before.

Java

Specify the java service type when you want to create a custom service and use a script for

authentication, authorization, or accounting. Table 4-14 lists the properties required to configure a java

service.

A java service uses an extension point script to provide the service’s functionality and handles both

RADIUS and TACACS requests for authentication, authorization, and accounting.

LDAP

Specify the ldap service type when you want to use a particular LDAP remote server for authentication

and/or authorization. Table 4-15 lists the properties used to configure an LDAP service.

When using LDAP for authentication and a local database for authorization, ensure that the usernames

in both locations are identical with regard to case sensitivity.

Table 4-14 Java Service Properties

Property Description

Type Required; must set it to java.

IncomingScript Name of script to run when the service starts.

OutgoingScript Name of script to run when the service ends.

OutagePolicy Required; the default is DropPacket. This property defines how

Cisco Prime Access Registrar handles requests if all servers listed in the

RemoteServers properties are unavailable (that is, all remote RADIUS

servers are not available). You must set it to one of the following: AcceptAll,

DropPacket, or RejectAll.

OutageScript Optional; if you set this property to the name of a script,

Cisco Prime Access Registrar runs it when an outage occurs. This property

allows you to create a script that notifies you when the RADIUS server detects

a failure.

ClassName Set to the name of a class that implements the Extension interface.

InitializeArg Optional; set to a string to be passed to the Initialize method if the class

implements the optional ExtensionWithInitialization interface.

4-18

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Services

Local

Specify local when you want the Cisco Prime Access Registrar server to perform the authentication and

authorization using a specific UserList. For more information, see the “UserLists” section on page 4-3.

Table 4-16 lists the properties used to configure a local service.

Table 4-15 LDAP Service Properties

Property Description

Type Required, must set it to ldap

IncomingScript Name of script to run when the service starts.

OutgoingScript Name of script to run when the service ends.

OutagePolicy Required; the default is DropPacket. This property defines how

Cisco Prime Access Registrar handles requests if all servers listed in the

RemoteServers properties are unavailable (that is, all remote RADIUS

servers are not available). You must set it to one of the following:

AcceptAll, DropPacket, or RejectAll.

OutageScript Optional; if you set this property to the name of a script,

Cisco Prime Access Registrar runs it when an outage occurs. This

property allows you to create a script that notifies you when the RADIUS

server detects a failure.

MultipleServersPolicy Required; must be set to either Failover or RoundRobin.

When you set it to Failover, Cisco Prime Access Registrar directs

requests to the first server in the list until it determines the server is

offline. At which time, Cisco Prime Access Registrar redirects all

requests to the next server in the list until it finds a server that is online.

When you set it to RoundRobin, Cisco Prime Access Registrar directs

each request to the next server in the RemoteServers list to share the

resource load across all of the servers listed in the RemoteServers list.

RemoteServers Required; an indexed list from 1 to <n>. Each entry in the list is the name

of a RemoteServer.

Table 4-16 Local Service Properties

Property Description

Type Required, must set it to local.

IncomingScript Optional; name of script to run when the service starts.

OutgoingScript Optional; name of script to run when the service ends.

OutagePolicy Required; the default is DropPacket. This property defines how

Cisco Prime Access Registrar handles requests if all servers listed in the

RemoteServers properties are unavailable (that is, all remote RADIUS

servers are not available). You must set it to one of the following: AcceptAll,

DropPacket, or RejectAll.

4-19

Cisco Prime Access Registrar 6.1 User Guide

OL-29756-01

Chapter 4 Cisco Prime Access Registrar Server Objects

Services

ODBC

Specify odbc when you want to use an ODBC service for authentication, authorization and accounting

through an ODBC data store. Use an ODBC service to authenticate and authorize an access requests by

querying user information through ODBC and to insert accounting records into a data store through

ODBC. Table 4-17 lists the properties used to configure an ODBC service.

OutageScript Optional; if you set this property to the name of a script,

Cisco Prime Access Registrar runs it when an outage occurs. This property

allows you to create a script that notifies you when the RADIUS server

detects a failure.

UserLists Required; this object contains all of the individual UserLists, which in turn,

contain the specific users stored within Prime Access Registrar.

Cisco Prime Access Registrar references each specific UserList by name

from a Service whose type is set to local.

When Cisco Prime Access Registrar receives a request, it directs it to a

Service. When the Service has its type property set to local, the Service looks

up the user’s entry in the specific UserList and authenticates and/or authorizes

the user against that entry.

Table 4-16 Local Service Properties (continued)

Property Description

Table 4-17 ODBC Service Properties

Property Description

Type Required; must set it to odbc.

IncomingScript Optional; name of script to run when the service starts.

OutgoingScript Optional; name of script to run when the service ends.

OutagePolicy Required; the default is DropPacket. This property defines how

Cisco Prime Access Registrar handles requests if all servers listed in

the RemoteServers properties are unavailable (that is, all remote

RADIUS servers are not available). You must set it to one of the

following: AcceptAll, DropPacket, or RejectAll.