Table Of Contents
Release Notes for Cisco Access Registrar, 4.1
New Features In Cisco AR 4.1.5
Enhanced Logs to Include Milliseconds Field
Support of Binary LDAP Passwords
Suppression of a Specific Log Message
Addressed the Server Freeze Problem
New Properties in Cisco AR 4.1.5
New Features In Cisco AR 4.1.4
Session Memory Consumption Enhancement
XML Query Identity Enhancement
Configurable Worker Threads Enhancement
Session Magic Number Enhancement
Policy Engine Enhancement To ExecRealmRule and ExecSuffixRule
New Properties In Cisco AR 4.1.4
New Features In Cisco AR 4.1.3
New Properties In Cisco AR 4.1.3
New Features In Cisco AR 4.1.2
Support for Red Hat Enterprise Linux, Version 4.0
New Features In Cisco AR 4.1.1
Co-Existence With Other Network Management Applications
Getting Cisco AR 4.1 Feature Licenses
Installing Cisco AR 4.1 Licenses
Upgrading Your Cisco AR 4.1 License File
Displaying License Information
Installing Cisco AR 4.1 Software on Solaris
Installing Cisco AR Software from CD-ROM
Installing Downloaded Software
Common Solaris Installation Steps
Installing Cisco AR 4.1 Software on Linux
Installing Cisco AR Software from CD-ROM
Common Linux Installation Steps
Performance of Proxy Server with Local Database with Pruning
Known Anomalies in Cisco AR 4.1.5
Anomalies Fixed in Cisco AR 4.1.5
Known Anomalies in Cisco AR 4.1.4
Anomalies Fixed in Cisco AR 4.1.4
Anomalies Fixed in Cisco AR 4.1.3
Anomalies Fixed in Cisco AR 4.1.2
Anomalies Fixed in Cisco AR 4.1.1
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for Cisco Access Registrar, 4.1
Revised: April 6, 2008, OL-8557-07
Cisco Access Registrar (AR) 4.1 provides RADIUS authentication, authorization, and accounting (AAA) services for service providers and enterprises. Cisco AR supports service provider deployment of access services by centralizing AAA information and simplifying provisioning and management.
Cisco AR is a standards-based Remote Authentication Dial-in User Service (RADIUS) and proxy RADIUS server designed for high-performance, extensibility, and integration with external data stores and systems.
Cisco AR supports a range of access technologies from traditional dial and broadband to wireless LANs and mobile wireless. Cisco AR supports the latest wireless authentication protocols such as Extensible Authentication Protocol and Protected EAP used in wireless LAN deployments. Cisco AR also is able to make real-time AAA requests to billing systems to support prepaid applications.
These release notes provide information about the 4.1.5 release of Cisco AR.
Note
Cisco AR 4.1.5 can be used with Solaris 9, Solaris 10, or Red Hat Enterprise Linux 4.0 32-bit operating system using kernel 2.6.9-22.0.2.EL or later, and Glibc version: glibc-2.3.4-2.13 or later.
Releases of Cisco AR from the 4.1.4 version onwards do not support the Solaris 8 operating system.
Contents
This release note contains the following sections:
• Installing Cisco AR 4.1 Software on Solaris
• Installing Cisco AR 4.1 Software on Linux
• Obtaining Documentation, Obtaining Support, and Security Guidelines
New Features
The following sections describe new features in each release:
• New Features In Cisco AR 4.1.5
• New Features In Cisco AR 4.1.4
• New Features In Cisco AR 4.1.3
• New Features In Cisco AR 4.1.2
• New Features In Cisco AR 4.1.1
New Features In Cisco AR 4.1.5
Cisco AR 4.1.5 introduces these features:
• Phantom Session Determination
• Reader Thread Priority Tuning
• Enhanced Logs to Include Milliseconds Field
• Support of Binary LDAP Passwords
• Suppression of a Specific Log Message
• Addressed the Server Freeze Problem
• New Properties in Cisco AR 4.1.5
Phantom Session Determination
The Phantom Session Determination feature improves Cisco AR performance by releasing all phantom sessions and the resources associated with them. A new property, PhantomSessionTimeOut, is included under the Session Manager configuration. You enable this feature by configuring the PhantomSessionTimeOut property.
Note
Sessions that do not receive an Accounting-Start packet are called phantom sessions.
Multiple Source Port Proxy
The Multiple Source Port Proxy feature in Cisco AR 4.1.5 provides a more reliable proxy mechanism that is free of congestion. Releases earlier than Cisco AR 4.1.5 used only one source port to communicate with all remote RADIUS servers. This feature allows remote servers to share and use multiple sockets and ports when making proxy requests. A new property, NumberOfRemoteUDPServerSockets, is included under /Radius/Advanced.
Reader Thread Priority Tuning
This Cisco AR release provides a more robust and reliable proxy mechanism by tuning the priority of the reader thread. Raising the reader thread's priority above that of the worker, remote server, and other daemon threads lets the reader thread read data immediately when a response arrives.
Enhanced Logs to Include Milliseconds Field
Cisco AR 4.1.5 logs now include a new millisecond field for greater accuracy. The log files that reflect this change are:
• Name_radius_1_log
• Name_radius_1_trace
• Agent_server_1_log
• Config_mcd_1_log
• Accounting logs
Support of Binary LDAP Passwords
This Cisco AR release supports binary password comparison for authentication using an LDAP server. A new property, UseBinaryPasswordComparison, is included under LDAP remoteserver configuration. This property, when set to TRUE, enables binary password comparison. By default, this property is set to FALSE (disabled).
Incoming Traffic Throttling
This release makes Cisco AR more resilient to traffic bursts by placing limits on the incoming traffic. Releases earlier than Cisco AR 4.1.5 had some performance issues caused by heavy incoming traffic. Two new properties, MaximumIncomingRequestRate and MaximumOutstandingRequests, are included under /Radius/Advanced. These properties can be configured to enable the Incoming Traffic Throttling feature and thus enhance performance.
Note
You can enable either of these properties independent of the other.
To configure the MaximumIncomingRequestRate or MaximumOutstandingRequests property:
Step 1
Log in to aregcmd.
Step 2
Change directory to /Radius/Advanced.
Step 3
Set the MaximumIncomingRequestRate or MaximumOutstandingRequests property to a nonzero value using these commands, respectively:
set MaximumIncomingRequestRate n
or
set MaximumOutstandingRequests n
where n is any nonzero value.
Step 4
Save the configuration; enter:
save
Step 5
Reload the server; enter:
reload
Backing Store Parsing Tool
Cisco AR 4.1.5 introduces a new tool, carbs.pl, to parse session backing store files. Using this tool, you can:
• Get information on active, stopped, and stale RADIUS sessions.
• Clear phantom sessions manually.
• Process the binary log files and get information in a user-readable format.
Suppression of a Specific Log Message
Cisco AR 4.1.5 now blocks a specific log message from being printed thousands of times, thereby reducing the number of I/O operations involved in logging this message. A log message similar to the one suppressed is given below:
01/30/2008 3:32:26 name/radius/1 Error Server 0 Packet being dropped because Remote Server WAP_Gateway (A.B.C.D) has not responded in 1 tries, but Remote Server seems to still be active
This log message is not considered significant; it has therefore been converted to a trace message that you can optionally enable.
Addressed the Server Freeze Problem
This release ensures that Cisco AR does not go into a frozen state when incoming traffic is heavy. Releases earlier than Cisco AR 4.1.5, when faced with heavy incoming traffic, went into a frozen state and took a long time to recover. This release also ensures that latency at higher transactions per second (tps) is the same as or better than in previous releases.
New Properties in Cisco AR 4.1.5
Five new properties have been introduced in Cisco AR 4.1.5:
• PhantomSessionTimeOut
• NumberOfRemoteUDPServerSockets
• MaximumIncomingRequestRate
• MaximumOutstandingRequests
• UseBinaryPasswordComparison
PhantomSessionTimeOut
The PhantomSessionTimeOut property is found under the Session Manager configuration and, when used in conjunction with /Radius/Advanced/SessionPurgeInterval, enables the phantom session timeout feature for that Session Manager. The default value for this property is zero (disabled).
You can configure the PhantomSessionTimeOut property under a Session Manager to release all phantom sessions, and the resources associated with them, when the timeout occurs.
For example, if the PhantomSessionTimeOut property is set to a value under a session manager, all sessions that belong to that session manager are checked for receipt of an Accounting-Start packet. A session that does not receive an Accounting-Start packet between its creation and the timeout is released.
The PhantomSessionTimeOut value consists of a number and a units indicator, as in n units, where a unit is one of minutes, hours, days, or weeks.
NumberOfRemoteUDPServerSockets
The NumberOfRemoteUDPServerSockets property is found under /Radius/Advanced. You can configure this property with the number of source ports to be used for making proxy requests to a remote server. The default value for this property is 4.
You can set a value n to the NumberOfRemoteUDPServerSockets property for all remote servers to share and use n sockets.
The value n should be less than or equal to the current process file descriptor limit divided by 2.
MaximumIncomingRequestRate
The MaximumIncomingRequestRate property is found under /Radius/Advanced and lets you limit incoming traffic in terms of "allowed requests per second". The default value for this property is zero (disabled).
For example, if you configure MaximumIncomingRequestRate to n, then at any given second, only n requests are accepted for processing. In the next second, another n requests are accepted for processing regardless of the status of the requests accepted earlier. This condition serves as a soft limit.
You can set the MaximumIncomingRequestRate property to any nonzero value.
MaximumOutstandingRequests
The MaximumOutstandingRequests property is found under /Radius/Advanced and lets you limit incoming traffic in terms of "requests processed". The default value for this property is zero (disabled).
For example, if you configure the MaximumOutstandingRequests to n, then n requests are accepted for processing. Further requests are accepted only after processing some of these requests and sending replies back. This condition serves as a hard limit.
You can set the MaximumOutstandingRequests property to any nonzero value.
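The difference between the soft per-second limit (MaximumIncomingRequestRate) and the hard in-flight limit (MaximumOutstandingRequests) is easiest to see on a workload. The following simulation is an added illustration, not Cisco AR code; it assumes that requests beyond a limit are simply counted as rejected, since the page does not say what the server does with the excess.

```python
# Added simulation of the two /Radius/Advanced throttling limits described above.
# Not Cisco AR code. Assumption: a request beyond a limit is counted as rejected here.


class ThrottleSimulator:
    """Models one server applying the two limits. A value of 0 disables a limit,
    as it does for the real properties."""

    def __init__(self, max_incoming_request_rate=0, max_outstanding_requests=0):
        self.max_incoming_request_rate = max_incoming_request_rate
        self.max_outstanding_requests = max_outstanding_requests
        self.current_second = None
        self.accepted_this_second = 0
        self.outstanding = 0
        self.stats = {"accepted": 0, "rejected_rate": 0, "rejected_outstanding": 0}

    def offer(self, arrival_time):
        """Offer one request arriving at arrival_time (seconds). Returns True if accepted."""
        second = int(arrival_time)
        if second != self.current_second:
            # Soft limit: the per-second allowance resets every second regardless of
            # whether the requests accepted earlier have been answered yet.
            self.current_second = second
            self.accepted_this_second = 0
        if (self.max_incoming_request_rate
                and self.accepted_this_second >= self.max_incoming_request_rate):
            self.stats["rejected_rate"] += 1
            return False
        # Hard limit: nothing new is accepted until replies have gone out for some
        # of the requests already in flight.
        if self.max_outstanding_requests and self.outstanding >= self.max_outstanding_requests:
            self.stats["rejected_outstanding"] += 1
            return False
        self.accepted_this_second += 1
        self.outstanding += 1
        self.stats["accepted"] += 1
        return True

    def reply(self, count=1):
        """Record that replies were sent for count of the accepted requests."""
        self.outstanding = max(0, self.outstanding - count)


def run_burst(max_incoming_request_rate, max_outstanding_requests,
              burst_per_second, seconds, replies_per_second):
    """Constructed workload: burst_per_second requests arrive spread over each second,
    and the server manages only replies_per_second replies per second. Returns counters."""
    sim = ThrottleSimulator(max_incoming_request_rate, max_outstanding_requests)
    for s in range(seconds):
        for i in range(burst_per_second):
            sim.offer(s + i / burst_per_second)
        sim.reply(replies_per_second)
    return dict(sim.stats)


if __name__ == "__main__":
    # A backend answering 50 requests/s while 300 requests/s arrive, for 3 seconds.
    # The soft limit keeps admitting 100/s even as the backlog grows; the hard limit
    # admits only as many as have been answered once the in-flight cap is reached.
    print("rate limit only:  ", run_burst(100, 0, 300, 3, 50))
    print("outstanding only: ", run_burst(0, 100, 300, 3, 50))
    print("both limits:      ", run_burst(100, 100, 300, 3, 50))
```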
UseBinaryPasswordComparison
The UseBinaryPasswordComparison property is found under the LDAP remoteserver configuration. When set to TRUE, it enables binary password comparison for authentication using an LDAP server. By default, this property is set to FALSE.
New Features In Cisco AR 4.1.4
Cisco AR 4.1.4 introduces these enhancements:
• Session Memory Consumption Enhancement
• XML Query Identity Enhancement
• Configurable Worker Threads Enhancement
• Session Magic Number Enhancement
• Policy Engine Enhancement To ExecRealmRule and ExecSuffixRule
• New Properties In Cisco AR 4.1.4
Query-Notify Enhancement
The Query-Notify feature has been enhanced in Cisco AR 4.1.4 to update the session cache with the attribute-value pairs of an interim Accounting-Update packet. This enhancement ensures that the most recent information is provided to the WAP gateway during the proxy of interim records or a query of the session cache.
Session Memory Consumption Enhancement
The session memory consumption enhancement significantly reduces the memory consumed per session record with session management including identity caching sessions. This enhancement has enabled the Cisco AR server to accommodate 50-60% more sessions without increasing server memory.
Note
If EnableNotifications is set to TRUE in the client, the sessions created from that client will occupy the same amount of memory as in previous versions of Cisco AR.
XML Query Identity Enhancement
When deployed as an Identity Cache Engine (ICE), the Cisco AR server supports User-Name lookup based on the Framed IP address of an existing session. The XML Query Identity enhancement enables Framed IP address lookup based on the User-Name in an existing session.
The XML Query Identity enhancement requires changes to the original ICE configuration. The following example shows how to enable the XML Query Identity enhancement.
Configuring Identity Caching
To configure identity caching:
Step 1
Launch aregcmd.
Step 2
Define a client object for each client that will send either RADIUS or XML packets to the Cisco AR server performing identity caching.
There should be one client object for each GGSN, one for each CSM and one for each packet simulator (if used in a test environment).
For example, if a packet simulator will be used on the same server where you perform identity caching, add a client object as in the following:
cd /Radius/Clients
add xml-client
cd xml-client
[ //localhost/Radius/Clients/xml-client ]
    Name = xml-client
    Description =
    IPAddress =
    SharedSecret =
    Type = NAS
    Vendor =
    IncomingScript~ =
    OutgoingScript~ =
    EnablePOD = FALSE
This client object is very similar to the localhost object defined in the example configuration. The SharedSecret property is ignored if the client is an XML client, but it must still be set to a non-null value. The Type property is also ignored for XML clients.
Step 3
Define a port object for each RADIUS port and each XML port to be used. Two RADIUS ports, the second immediately following the first in numeric value, must be defined even if only one is needed. A typical identity caching installation requires the following port configuration:
cd /Radius/Advanced/Ports
add 1645
add 1646
add 8080
Note
Although ports 1645 and 1646 are the default ports for Cisco AR, you must add them to /Radius/Advanced/Ports to also add port 8080.
Step 4
Change directory to the 1645 port and set its type to Radius-Access.
cd /Radius/Advanced/Ports/1645
set Type Radius-Access
Step 5
Change directory to the 1646 port and set its type to Radius-Accounting.
cd /Radius/Advanced/Ports/1646
set Type Radius-Accounting
Step 6
Change directory to the 8080 port and set its type to XML.
cd /Radius/Advanced/Ports/8080
set Type XML
Step 7
Define and configure an accounting service of type file and set it as the DefaultAccountingService.
An accounting service is required for Cisco AR to cache identity information, even if no accounting service is needed otherwise. If you added the example configuration during installation, a local-file accounting service is already configured.
If you did not add the example configuration during software installation, refer to the following section in the RADIUS Accounting chapter of the User Guide for Cisco Access Registrar, 4.1:
Step 8
Define and configure a ResourceManager for identity caching.
cd /Radius/ResourceManagers
add cache
Step 9
Set the ResourceManager to type session-cache for identity caching.
cd cache
set type session-cache
The following shows the default properties of a session-cache ResourceManager:
[ //localhost/Radius/ResourceManagers/cache ]
    Name = cache
    Description =
    Type = session-cache
    OverwriteAttributes = FALSE
    QueryKey =
    PendingRemovalDelay = 10
    AttributesToBeCached/
    QueryMappings/
Step 10
Set the QueryKey to a RADIUS attribute you want to key on.
For example, use the following command to set the QueryKey to User-Name:
set QueryKey User-Name
The QueryKey must match the string on the right-hand side of one of the pairs you list in QueryMappings. It is not necessary for the QueryKey to be configured under AttributesToBeCached because the QueryKey will always be cached by default.
Note
The QueryKey property must always be a RADIUS attribute. The Cisco AR server forces a NULL IP address (0.0.0.0) if it detects an incorrectly configured QueryKey.
Step 11
Change directory to AttributesToBeCached and use the set command to provide a list of RADIUS attributes you want to store in cache.
cd AttributesToBeCached
set 1 Calling-Station-ID
set 2 User-Name
set 3 Framed-IP-Address
The attributes a session-cache resource manager caches can be queried through both RADIUS Query and XML Query packets. When you cache attributes Framed-IP-Address or User-Name, or when you use XML-Address-format-IPv4 or XML-UserId-id_type-subscriber_id as the QueryKey, you must map the XML attributes to RADIUS attributes in the QueryMappings subdirectory.
Step 12
Change directory to QueryMappings and use the set command to list the attribute pairs, mapping the XML attributes on the left-hand side to the RADIUS attribute on the right-hand side.
set XML-Address-format-IPv4 Framed-IP-Address
set XML-UserId-id_type-subscriber_id User-Name
Step 13
Change directory to /Radius/SessionManagers and add a SessionManager for identity caching.
cd /Radius/SessionManagers
add IDcache
Step 14
Change directory to the new identity caching SessionManager, then change directory to the ResourceManager list.
cd IDcache/ResourceManagers
Step 15
Use the set command to associate the identity caching ResourceManager with this SessionManager.
set 1 cache
Step 16
Change directory to /Radius and set the DefaultSessionManager to the identity caching SessionManager.
cd /Radius
set DefaultSessionManager IDcache
Step 17
Run the save, reload, and exit commands:
save
reload
exit
Starting Identity Caching
To start identity caching, you must send an Accounting-Request to the specified accounting port (the default accounting port is 1646). A minimal Accounting-Request contains the following attributes:
• NAS-Identifier or NAS-IP-Address
• NAS-Port
• Framed-IP-Address
• User-Name
• Acct-Status-Type
• Acct-Session-Id
To start identity caching:
Step 1
Launch radclient:
cd /opt/CSCOar/bin
radclient -C localhost -N admin -P aicuser
Step 2
Enter the following radclient commands:
set p [ acct_request Start joeuser@cisco.com ]
$p set attrib [ attrib Framed-IP-Address 123.123.123.123 ]
$p send
This assumes that you are running radclient on the same server and using 1646 as the accounting port.
Step 3
Send XML requests to the specified XML port (Cisco suggests port 8080 as shown above). A typical XML packet will look like the following:
<?xml version="1.0"?>
<Request>
  <UserIdRequest>
    <UserId id_type="subscriber_id">bob</UserId>
  </UserIdRequest>
</Request>
To do this using xmlclient, put the XML text into a file, then enter the following command:
cd /opt/CSCOar/bin
./xmlclient -srd <file>
Note
This assumes that xmlclient is running on the same server as identity caching and that 8080 is the XML port. Use the command xmlclient -H for information about how to use a different port or how to run xmlclient from a different server.
Note
For a successful query, the XML response contains the IPAddress associated with the requested User-Name; for an unsuccessful query, it returns 0.0.0.0 as the IPAddress.
Backing Store Enhancement
In releases earlier than Cisco AR 4.1.3, a latency issue was detected that was caused by backend servers performing backing store log file pruning to reduce the number of log files while also performing regular persisting operations. Cisco AR 4.1.4 has been enhanced to separate these operations, and the pruning operation has been made more efficient.
Two properties have been added under /Radius/Advanced:
• SessionBackingStorePruneInterval
• PacketBackingStorePruneInterval
You can use these new properties under /Radius/Advanced to set the number of hours to wait before performing log file pruning and session packet pruning.
Configurable Worker Threads Enhancement
Cisco AR 4.1.4 provides a newly-configurable variable you can use to increase the number of worker threads to handle a greater number of RADIUS packets during peak operating periods. In releases earlier than Cisco AR 4.1.3, a latency issue was detected that was caused by the Cisco AR processing a greater number of RADIUS packets than expected during peak operating periods.
The variable, RADIUS_WORKER_THREAD_COUNT, is found in the arserver file under /cisco-ar/bin/arserver and controls the number of worker threads the Cisco AR server creates. You can increase the number of worker threads to help make more efficient use of the server's CPU.
Before you increase the setting for RADIUS_WORKER_THREAD_COUNT, you should be certain that you are running into a worker thread starvation issue. If you use scripts that consume a lot of processing and memory, you might run out of memory if you create too many worker threads. Increasing the number of worker threads also increases memory utilization.
The default value of RADIUS_WORKER_THREAD_COUNT for servers running a Solaris operating system is 256. The default value for servers running Red Hat Enterprise Linux is 64.
The purpose of this enhancement is to take advantage of spare CPU bandwidth, which was not being used in earlier releases of Cisco AR due to a lower number of worker threads. At times, the worker threads would be stuck doing work that took a long time to complete, like running a script. Having more threads will help mitigate these situations and will help improve on the latency created due to lack of free worker threads.
Note
Before modifying the RADIUS_WORKER_THREAD_COUNT variable, consult with a TAC representative to ensure that modifying the RADIUS_WORKER_THREAD_COUNT is warranted. You should be certain you are running into a worker thread starvation issue before increasing this parameter.
To modify the RADIUS_WORKER_THREAD_COUNT variable:
Step 1
Log in to the Cisco AR server as a root user and change directory to /cisco-ar/bin.
Step 2
Use a text editor and open the arserver file.
Step 3
Locate the line with the RADIUS_WORKER_THREAD_COUNT variable.
#change this to configure number of worker threads
RADIUS_WORKER_THREAD_COUNT=256
Step 4
Modify the number of RADIUS worker threads to the number you choose.
Note
There is no upper limit to the number of RADIUS worker threads you can enable in your Cisco AR server, but you should take care not to exceed your server's memory capacity.
Step 5
Save the file and restart the Cisco AR server.
Session Magic Number Enhancement
The session magic number is a unique number created for all sessions when the session is created or reused and the DetectOutOfOrderAccountingPacket property is set to TRUE in /Radius/Advanced. The DetectOutOfOrderAccountingPacket property is used to detect out-of-order Accounting-Stop packets in roaming scenarios by comparing the magic number value in the session with the magic number value contained in the Accounting packet.
The DetectOutOfOrderAccountingPacket property is the property used to turn on and turn off the session magic number feature.
When the DetectOutOfOrderAccountingPacket property is enabled, a new Class attribute is included in all outgoing Accept packets. The value for this Class attribute will contain the session magic number. The client will echo this value in the accounting packets, and this will be used for comparison.
The value of 0xffffffff is considered by the Cisco AR server to be a wild card magic number. If any accounting stop packets contain the value of 0xffffffff, it will pass the session magic validation even if the session's magic number is something else.
The format of the class attribute is as follows:
<4-byte Magic Prefix><4-byte server IP address><4-byte Magic value>
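The Class attribute layout above can be worked through in code. The following encoder, decoder and Accounting-Stop check are an added illustration, not Cisco AR code; the page gives neither the Magic Prefix value nor the byte order, so the prefix is a placeholder and big-endian packing is an assumption, as is skipping Class values that are not in this layout.

```python
import ipaddress
import secrets
import struct

# Added illustration of the session magic number Class attribute
# (<4-byte Magic Prefix><4-byte server IP address><4-byte Magic value>). Not Cisco AR code.
MAGIC_PREFIX = 0x4D414749      # placeholder: the real prefix value is not given on the page
WILDCARD_MAGIC = 0xFFFFFFFF    # from the page: passes validation against any session magic
CLASS_LEN = 12                 # three 4-byte fields


def new_session_magic():
    """Generate a fresh 32-bit magic for a new or reused session, never the wildcard."""
    while True:
        magic = secrets.randbits(32)
        if magic != WILDCARD_MAGIC:
            return magic


def encode_class(server_ip, magic, prefix=MAGIC_PREFIX):
    """Build the Class value that goes into the outgoing Accept packet (big-endian assumed)."""
    return struct.pack("!I4sI", prefix, ipaddress.IPv4Address(server_ip).packed, magic)


def decode_class(value, prefix=MAGIC_PREFIX):
    """Parse a Class value; raise ValueError if it is not in the magic-number layout."""
    if len(value) != CLASS_LEN:
        raise ValueError("unexpected Class length")
    got_prefix, ip_bytes, magic = struct.unpack("!I4sI", value)
    if got_prefix != prefix:
        raise ValueError("not a session magic Class attribute")
    return str(ipaddress.IPv4Address(ip_bytes)), magic


def validate_accounting_stop(class_values, session_magic, prefix=MAGIC_PREFIX):
    """Check the Class values echoed in an Accounting-Stop against the session's magic.

    Returns "match", "wildcard" or "mismatch". A wildcard passes validation just as a
    match does (as the page states for 0xffffffff), but it is reported separately so an
    operator can count or log how often clients rely on it. Class values in another
    layout are skipped; that is an assumption, not page-stated behaviour.
    """
    result = "mismatch"
    for value in class_values:
        try:
            _, magic = decode_class(value, prefix)
        except ValueError:
            continue
        if magic == session_magic:
            return "match"
        if magic == WILDCARD_MAGIC:
            result = "wildcard"
    return result


def is_out_of_order(class_values, session_magic):
    """True when the Accounting-Stop does not belong to the current session."""
    return validate_accounting_stop(class_values, session_magic) == "mismatch"


if __name__ == "__main__":
    magic = new_session_magic()
    sent = encode_class("10.1.2.3", magic)          # constructed server address
    print(decode_class(sent), validate_accounting_stop([sent], magic))
    stale = encode_class("10.1.2.3", new_session_magic())
    print("out of order:", is_out_of_order([stale], magic))
```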
Policy Engine Enhancement To ExecRealmRule and ExecSuffixRule
Prior to Cisco AR 4.1.4, ExecRealmRule and ExecSuffixRule were interpreted as regular expression patterns and were evaluated accordingly. As of Cisco AR 4.1.4, ExecRealmRule and ExecSuffixRule do a simple case-insensitive comparison by default and optionally perform regular expression matching.
ExecRealmRule
Beginning with the Cisco AR 4.1.4 release, the Cisco AR server does a case-insensitive comparison of the value specified for the realm attribute for the realm of a user name.
With the Cisco AR 4.1.4 release, you can also specify a pattern using the following notation:
~/pattern/
Where pattern is a string of alpha-numeric characters that might include wild card characters, as in "@*cisco.com" to match patterns (realms) that end in cisco.com.
Note
The question mark (?) should not be used without a character pattern preceding it. Specifying ? as the first character might have undesirable results. (For regexp terminology, the question mark should be preceded by an atom.)
The ExecRealmRule script checks the request packet for the Realm and applies the values set for the following attributes:
• Authentication-Service
• Authorization-Service
• Policy
ExecSuffixRule
Beginning with the Cisco AR 4.1.4 release, the Cisco AR server does a case-insensitive comparison of the value specified for the suffix attribute for the suffix of a user name.
With the Cisco AR 4.1.4 release, you can also specify a pattern using the following notation:
~/pattern/
Where pattern is a string of alpha-numeric characters that might include wild card characters, as in "@*cisco.com" to match patterns (realms) that end in cisco.com.
Note
The question mark (?) should not be used without a character pattern preceding it. Specifying ? as the first character might have undesirable results. (For regexp terminology, the question mark should be preceded by an atom.)
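The two comparison modes described for ExecRealmRule and ExecSuffixRule can be modelled as follows. This is an added example, not Cisco AR's rule engine: it assumes a ~/pattern/ value is applied as a case-insensitive regular expression search (the page does not fully specify the pattern dialect), and the rule table is constructed.

```python
import re

# Added illustration of the ExecRealmRule / ExecSuffixRule comparison modes. Not Cisco AR
# code. Assumption: ~/pattern/ is a regular expression searched case-insensitively.


def rule_value_matches(configured, actual):
    """Compare a configured realm or suffix value with the value taken from the request.

    Default (Cisco AR 4.1.4 onward): plain case-insensitive comparison.
    ~/pattern/ form: regular-expression match (assumed re.search semantics).
    """
    if configured.startswith("~/") and configured.endswith("/") and len(configured) > 3:
        pattern = configured[2:-1]
        return re.search(pattern, actual, re.IGNORECASE) is not None
    return configured.lower() == actual.lower()


# Constructed rule table standing in for the attributes ExecRealmRule applies. The second
# rule is anchored with $ so that it matches only realms that end in cisco.com; without the
# anchor a regex would also match a realm that merely contains "cisco.com".
REALM_RULES = [
    {"realm": "@partner.example", "Authentication-Service": "partner-ldap",
     "Authorization-Service": "partner-ldap", "Policy": "partner-policy"},
    {"realm": r"~/cisco\.com$/", "Authentication-Service": "corp-ldap",
     "Authorization-Service": "corp-ldap", "Policy": "corp-policy"},
]


def select_services(realm, rules=REALM_RULES):
    """Return (Authentication-Service, Authorization-Service, Policy) from the first rule
    whose configured realm matches, or None when no rule matches."""
    for rule in rules:
        if rule_value_matches(rule["realm"], realm):
            return (rule["Authentication-Service"], rule["Authorization-Service"], rule["Policy"])
    return None


if __name__ == "__main__":
    for realm in ("@PARTNER.example", "@mail.cisco.com", "@cisco.com.example", "@other.example"):
        print(realm, "->", select_services(realm))
```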
WiMax Attribute Support
Cisco AR 4.1.4 provides support for the WiMax vendor-specific attributes (VSAs) listed in Table 1. The vendor ID for WiMax VSAs is 24757.
Table 1 lists the WiMax vendor-specific attributes.
See the following location for information about all VSAs supported by Cisco AR 4.1.4:
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/user/guide/a_attrib.html
New Properties In Cisco AR 4.1.4
Two new properties have been added to Cisco AR 4.1.4:
• SessionBackingStorePruneInterval
• PacketBackingStorePruneInterval
SessionBackingStorePruneInterval
SessionBackingStorePruneInterval is found under /Radius/Advanced and specifies the sleep time interval of the session backing store pruning thread. The recommended and default value is 6 hours, but you can modify this based on the traffic patterns you experience.
With SessionBackingStorePruneInterval set to 6 hours, pruning will occur 6 hours after you restart or reload the Cisco AR server and recur every 6 hours.
You can set a very low value for this property to make pruning continuous, but there might not be enough data accumulated for the pruning to occur and pruning might be less effective compared to the default setting.
PacketBackingStorePruneInterval
PacketBackingStorePruneInterval is found under /Radius/Advanced and specifies the sleep time interval of the packet backing store pruning thread. The recommended value is 6 hours, but you can modify this based on the traffic patterns you experience.
When PacketBackingStorePruneInterval is set to 6 hours, pruning will occur 6 hours after you restart or reload the Cisco AR server and recur every 6 hours.
You can set a very low value for this property to make pruning continuous, but there might not be enough data accumulated for the pruning to occur and pruning might be less effective compared to the default setting.
New Features In Cisco AR 4.1.3
Cisco AR 4.1.3 introduces these enhancements:
• New Properties In Cisco AR 4.1.3
  – Set-Session-Mgr-And-Key-Upon-Lookup
  – Skip-Overriding-Username-With-LDAP-UID
Support for Solaris 10
Cisco AR 4.1.3 introduces support for the Solaris 10 operating system.
New Properties In Cisco AR 4.1.3
The following new properties have been added to Cisco AR 4.1.3:
• DetectOutOfOrderAccountingPackets
• ReuseIPForSameSessionKeyAndUser
DetectOutOfOrderAccountingPackets
DetectOutOfOrderAccountingPackets has been added to the /Radius/Advanced directory. DetectOutOfOrderAccountingPackets turns on and off detection of out of order accounting packets by generating unique valued class attributes.
ReuseIPForSameSessionKeyAndUser
ReuseIPForSameSessionKeyAndUser has been added to IP-Dynamic Resource Manager. The default value for this property is TRUE which enables Cisco AR to reuse the resources (IP addresses) of a session when user authentication is performed for an existing session.
SearchScope
SearchScope has been added to specify the LDAP SearchScope under remote LDAP server. Also, a new environment variable Dynamic-Search-Scope has been added to dynamically set SearchScope on a per packet basis. A search scope defines how deep to search within the search path.
BackingStoreDiscThreshold
BackingStoreDiscThreshold property has been added under /Radius/Advanced to ensure that the data log files generated exclusively by each of the backing store instances will not cross the configured BackingStoreDiscThreshold.
When the configured limit is reached for any of the backing stores, the Cisco AR server promotes the log file pruning task for that particular backing store to a greater extent and starts pruning continuously until the accumulated size of the log files falls below 80% (clears 20% of the log files) of BackingStoreDiscThreshold.
TraceFileSize
The TraceFileSize property under /Radius/Advanced specifies the size a trace file may reach before it is rolled over: a new trace file is created when the current trace file reaches TraceFileSize.
TraceFileCount
The TraceFileCount property under /Radius/Advanced specifies the number of trace files to maintain. The value must be from 1 to 100, and the default is 2. A value of 1 indicates that no file rolling occurs.
New Options in car.conf File
Two new parameters have been added to the car.conf file with Cisco AR 4.1.3:
• AGENT_SERVER_LOG_SIZE (10 MB by default)
• AGENT_SERVER_LOG_FILES (2 by default)
You will find these new parameters at the beginning of the file. When the log file size reaches the value set in AGENT_SERVER_LOG_SIZE, a rollover of the agent_server_log file occurs. The value set in AGENT_SERVER_LOG_FILES specifies the number of log files to be created.
New aregcmd Option
The trace-file-count command has been added to aregcmd. The syntax of this command is:
trace-file-count n
Where n is a number that specifies the number of trace log files. This command changes the trace log file count dynamically without requiring a server reload. This is helpful for debugging situations when you do not want to perform a reload.
New Environment Variables
Three new environment variables have been added to Cisco AR 4.1.3:
• Dynamic-Search-Scope
• Set-Session-Mgr-And-Key-Upon-Lookup
• Skip-Overriding-Username-With-LDAP-UID
Dynamic-Search-Scope
Dynamic-Search-Scope is used to dynamically set the SearchScope property of an LDAP remote server configuration on a per-packet basis.
Set-Session-Mgr-And-Key-Upon-Lookup
When Set-Session-Mgr-And-Key-Upon-Lookup is set to TRUE, a session-cache resource manager sets the session-manager and session-key environment variable during a query-lookup, and the Cisco AR server does not cache the response dictionary attributes. Set-Session-Mgr-And-Key-Upon-Lookup is set to TRUE by a query-service IncomingScript.
Skip-Overriding-Username-With-LDAP-UID
Skip-Overriding-Username-With-LDAP-UID is used to decide if the username should be replaced with the UID from the LDAP server. When Skip-Overriding-Username-With-LDAP-UID is set to TRUE, the username is not replaced with the UID from the LDAP server.
You can use Skip-Overriding-Username-With-LDAP-UID to retain case sensitivity in usernames when the username given for logging in to the network is in a different case than the UID in the LDAP server database, such as User1 and user1.
New Features In Cisco AR 4.1.2
Cisco AR 4.1.2 introduces these three enhancements:
• Support for Red Hat Enterprise Linux, Version 4.0
• Multiple LDAP Binds
• Enhancements to arbug
Support for Red Hat Enterprise Linux, Version 4.0
Cisco AR 4.1.2 supports Red Hat Enterprise Linux, Version 4.0 (RHEL 4.0) 32-bit operating system. However, support for Red Hat Linux 7.3 was discontinued with the release of Cisco AR 4.1.2. Cisco AR 4.1.1 supports Red Hat Linux 7.3, but not RHEL 4.0.
Multiple LDAP Binds
Cisco AR 4.1.2 introduces the multiple LDAP bind feature. The multiple LDAP bind feature enables the Cisco AR server to open multiple connections to the LDAP server and send multiple requests in parallel.
The multiple LDAP bind feature provides a significant increase in performance for sites that use an LDAP server, especially if session management is used. See the section Cisco AR Performance and Table 9, Performance of Cisco AR 4.1.2 with an LDAP Server for detailed performance information.
The LDAP Remote Server object in Cisco AR 4.1.2 has a new mandatory property called DataSourceConnections. The DataSourceConnections property specifies the number of concurrent connections to the LDAP server. The default value is 8.
The following is the default configuration for an LDAP remote server object. Default values are shown in bold font.
[ //localhost/Radius/RemoteServers/LDAPserver ]
    Name = LDAPserver
    Description =
    Protocol = LDAP
    Port = 389
    ReactivateTimerInterval = 300000
    Timeout = 15
    HostName =
    BindName =
    BindPassword =
    UseSSL = FALSE
    SearchPath~ =
    Filter~ = (uid=%s)
    UserPasswordAttribute = userpassword
    LimitOutstandingRequests = FALSE
    MaxOutstandingRequests = 0
    MaxReferrals = 0
    ReferralAttribute =
    ReferralFilter =
    PasswordEncryptionStyle = Dynamic
    EscapeSpecialCharInUserName = FALSE
    DNSLookupAndLDAPRebindInterval =
    DataSourceConnections = 8
    LDAPToRadiusMappings/
    LDAPToEnvironmentMappings/
    LDAPToCheckItemMappings/
See the "Using LDAP" chapter in the Cisco Access Registrar 4.1 User Guide for information about the LDAP Remote Server object properties.
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/user/guide/ldap.html
Enhancements to arbug
The arbug script has been enhanced in Cisco AR 4.1.2. You can use the script arbug to collect information about your Cisco AR server that can be sent through e-mail or ftp to Cisco when requested.
The arbug script collects all the relevant information needed to report a problem to Cisco AR support. The goal of the arbug script is to efficiently collect all the necessary information.
New Features In Cisco AR 4.1.1
Cisco AR 4.1.1 introduced these three enhancements:
• EAP-TTLS
• Wireless Provisioning Service
• Query-Notify
EAP-TTLS
Cisco AR supports the Extensible Authentication Protocol Tunneled TLS (EAP-TTLS). EAP-TTLS is an EAP protocol that extends EAP-TLS. In EAP-TLS, a TLS handshake is used to mutually authenticate a client and server. EAP-TTLS extends this authentication negotiation by using the secure connection established by the TLS handshake to exchange additional information between client and server.
EAP-TTLS leverages TLS (RFC 2246) to achieve certificate-based authentication of the server (and optionally the client) and creation of a secure session that can then be used to authenticate the client using a legacy mechanism. EAP-TTLS provides several benefits:
• Industry standard authentication of the server using certificates (TLS)
• Standardized method for session key generation using TLS PRF
• Strong mutual authentication
• Identity privacy
• Fast reconnect using TLS session caching
• EAP message fragmentation
• Secure support for legacy client authentication methods
EAP-TTLS is a two-phase protocol. Phase 1 conducts a complete TLS session and derives the session keys used in Phase 2 to securely tunnel attributes between the server and the client. The attributes tunneled during Phase 2 can be used to perform additional authentication(s) via a number of different mechanisms.
The authentication mechanisms that might be used during Phase 2 include PAP, CHAP, MS-CHAP, MS-CHAPv2, and EAP. If the mechanism is EAP, then several different EAP methods are possible.
The Phase 2 authentication can be performed by the local AAA server (the same server running EAP-TTLS) or it can be forwarded to another server (known as the home AAA server). In the latter case, the home server has no involvement in the EAP-TTLS protocol and can be any AAA service that understands the authentication mechanism in use and is able to authenticate the user. It is not necessary for the home server to understand EAP-TTLS.
See the EAP-TTLS section in the Extensible Authentication Protocols chapter of the User Guide for Cisco Access Registrar for more detailed information about EAP-TTLS, including configuration information.
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/user/guide/eap.html
Wireless Provisioning Service
Cisco AR 4.1 introduces support for Microsoft's Windows Provisioning Service (WPS). WPS provides hotspot users with seamless service to public WLAN hotspots by using Microsoft Windows-based clients.
WPS provides configuration and service information to a wireless client. The Cisco AR server sends the required information using different fragments within the Master URL. The following list summarizes the different fragments the RADIUS server might send to the AP in the Master URL.
• Sign up—This value is passed when the user authenticates as guest. The following is an example value for the URL PEAP-TLV:
  http://www.example.com/provisioning/master.xml#sign up
  where #sign up is the parameter for this action and a required element of the value.
• Renewal—This value is passed when the user's account is expired and needs renewal before network access can be granted. The following is an example value for the URL PEAP-TLV:
  http://www.example.com/provisioning/master.xml#renewal
  where #renewal is the parameter for this action and a required element of the value.
• Password change—This value is passed when the user is required to change the account password. An example value for the URL PEAP-TLV is:
  http://www.example.com/provisioning/master.xml#passwordchange
  where #passwordchange is the parameter for this action and a required element of the value.
• Force update—This value is passed when the WISP requires the Wireless Provisioning Services on the client to download an updated XML master file. This method of updating the XML master file on the client should be used only to correct errors; otherwise, the TTL expiry time in the XML master file is used to provide background updates. The following is an example value for the URL PEAP-TLV:
  http://www.example.com/provisioning/master.xml#forceupdate
  where #forceupdate is the parameter for this action and a required element of the value.
See the section "Support for Windows Provisioning Service" in the chapter "Using Cisco AR Server Features" of the Cisco AR User Guide for more detailed information about WPS, including configuration information:
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/user/guide/features.html
Query-Notify
The Query-Notify feature, introduced in Cisco AR 4.1, enables you to store information about Wireless Application Protocol (WAP) gateways that have queried for User Identity-IP Address mapping and send appropriate messages to the WAP gateway when the subscriber logs out of the network.
The Query-Notify feature also enables you to quarantine IP addresses for a configurable amount of time if a WAP gateway does not respond to Accounting-Stop sent by the Cisco AR server.
The Cisco AR server stores information about clients (usually the IP address) that queried for particular user information and sends RADIUS Accounting-Stop packets to those clients when the Cisco AR server receives the Accounting-Stop packet. There is no intermediate proxy server between the Cisco AR server and the WAP gateway.
To support the Query-Notify feature, the Cisco AR server's radius-query service has been modified to also store information like the IP address about the clients queried for cached information. The information is stored in the user session record along with the cached information so it is available after a server reload.
See the section "Query Notify" in the chapter "Using Cisco AR Server Features" of the Cisco AR User Guide for more detailed information about Query-Notify, including configuration information:
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/user/guide/features.html
System Requirements
Note
Before you begin the software installation, ensure that your server has the most recent OS software including all relevant or recommended patches.
This section describes the system requirements to install and use the Cisco AR software.
Full Installation
Table 2 lists the system requirements for a full installation of Cisco AR.
Client-Only Installation
Table 3 lists the system requirements for installing the client-only component of Cisco AR.
Table 3 Client-Only Requirements
Component                 Requirement
CPU Architecture          SPARC
OS Version                Solaris 9, or Solaris 10
Minimum RAM               32 MB
Recommended RAM           64 MB
Recommended Disk Space    120 MB
Note
The client-only installation is available only when using the Solaris operating system.
The recommended disk space does not include the amount of space needed for accounting records, which can grow rapidly depending on how frequently you process and remove them from the Cisco AR disk. If Cisco AR runs out of disk space, it could cause the loss of accounting information and the corruption of session management information.
Co-Existence With Other Network Management Applications
To achieve optimal performance, Cisco AR should be the only application running on a single machine.
Note
Cisco Network Registrar and Cisco AR cannot co-exist on the same machine.
You can choose to run collaborative servers such as an Oracle or SQL database system, an LDAP server, or another Solaris application. There are no known conflicts with any other Solaris applications.
You can configure Cisco AR to avoid UDP port conflicts with other network management applications. The most common conflicts occur when other applications also use ports 2785 and 2786. Another possible conflict could be SNMP. If you configure and use SNMP on your Cisco AR server, no other application can be configured to use SNMP on the Cisco AR machine.
Solaris 8 Patch Requirement
Cisco AR 4.1 uses OpenSSL software to generate certificates for 'https' communication. OpenSSL uses the Solaris devices /dev/urandom and /dev/random while generating certificates, but these devices are not present in Solaris 8.
You can add /dev/urandom and /dev/random devices to Solaris 8 by installing patch 112438 (sparc) available at the following URL:
Note
If you attempt to install the Cisco AR 4.1.x package in Solaris 8 without this patch, Cisco AR reports an error.
Note
The Solaris 8 operating system is supported up to and including the Cisco AR 4.1.3 release.
Related Documentation
The following is a list of the documentation for Cisco AR 4.1. You can access the URLs listed for each document at www.cisco.com on the World Wide Web. Cisco recommends that you refer to the documentation in the following order:
Cisco Access Registrar 4.1 Documentation Guide (78-17299-01)
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/roadmap/ardocgd.html
Cisco Access Registrar 4.1 Installation and Configuration Guide (OL-8559-03)
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/release/notes/41relnot.html
Cisco Access Registrar 4.1 User Guide (OL-8558-03)
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/user/guide/users.html
Cisco AR 4.1 Licensing
Cisco AR uses a licensing mechanism that enables you to activate different features in Cisco AR using a combination of different license keys. During system initialization, the Cisco AR server sets up the licensing data model and activates any features that are properly licensed.
Licensed Features
Table 4 lists the Cisco AR names of the features that require licenses. As new licensed features are added to Cisco AR, new license files will also be required.
Getting Cisco AR 4.1 Feature Licenses
When you order the Cisco AR 4.1 product, a text license file will be sent to you through e-mail. If you are evaluating the software, Cisco will provide you with an evaluation license.
If you decide to upgrade your Cisco AR software and add a feature, a new text license file will be sent to you through e-mail when you order the upgrade.
If you receive a Software License Claim Certificate, you can get your Cisco AR license file at one of the two following URLs:
Use this site if you are a registered user of Cisco Connection Online.
• www.cisco.com/go/license/public
Use this site if you are not a registered user of Cisco Connection Online.
Within one hour of registration at either of the above web sites, you will receive your license key file and installation instructions in e-mail.
Installing Cisco AR 4.1 Licenses
You must have a license in a directory on the Cisco AR machine before you attempt to install Cisco AR software. If you have not installed the Cisco AR license file before beginning the software installation, the installation process will fail.
You can store the Cisco AR license file in any directory on the Cisco AR machine. During the installation process, you will be asked the location of the license file, and the installation process will copy the license file to the /opt/CSCOar/license directory, or $INSTALL/license if you are not using the default installation location.
The license file might have the name ciscoar.lic, but it can be any filename with the suffix .lic. To install the Cisco AR license file, you can copy and paste the text into a file, or you can simply save the file you receive through e-mail to an accessible directory.
Upgrading Your Cisco AR 4.1 License File
If you add additional features that require licenses, you can open the file in /opt/CSCOar/license and add additional lines to the license file, or you can create an additional license file to hold the new lines. If you add a new file, remember to give it a .lic suffix.
If you upgrade your Cisco AR license for additional features, you must restart the Cisco AR server for the new license to take effect. To restart the Cisco AR server, enter the following on the server command line:
/opt/CSCOar/bin/arserver restart
Sample License File
The following is an example of a Cisco AR 4.1 license file.
INCREMENT AR-STANDARD cisco 4.1 27-apr-2007 uncounted HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID></LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
INCREMENT AR-CACHE cisco 4.1 27-apr-2007 uncounted HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID></LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
INCREMENT AR-PREPAID cisco 4.1 27-apr-2007 uncounted HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID></LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
INCREMENT AR-HLR cisco 4.1 27-apr-2007 uncounted HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID></LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
INCREMENT AR-CPU cisco 4.1 27-apr-2007 uncounted HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID></LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
Displaying License Information
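The sample license file above can also be inspected without a running server. The following is an added example, not Cisco's code: it parses the INCREMENT line format shown there (backslash continuations, the quoted NOTICE field, the expiry date) and reports whether each licensed feature is valid, expired, or permanent as of a given date, using a constructed copy of the sample as input.

```python
# Added example, not Cisco's code: parse the INCREMENT lines of a Cisco AR 4.1 license
# file (FLEXlm style) and report expiry; SAMPLE is constructed from the notes' sample.
import shlex
from datetime import date, datetime

SAMPLE = r"""INCREMENT AR-STANDARD cisco 4.1 27-apr-2007 uncounted HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID></LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
INCREMENT AR-CACHE cisco 4.1 27-apr-2007 uncounted HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID></LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
"""

def _logical_lines(text):
    """Join physical lines that end in a backslash into one logical line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):            # continuation: keep collecting
            buf += line[:-1] + " "
        elif (buf + line).strip():
            lines.append(buf + line)
            buf = ""
    return lines

def _expiry(token):
    """FLEXlm dates look like 27-apr-2007; 'permanent' or a year of 0 never expires."""
    if token.lower() == "permanent" or token.endswith("-0"):
        return None
    return datetime.strptime(token, "%d-%b-%Y").date()

def parse_license(text):
    """Return one dict per INCREMENT line: feature, version, expires, count, hostid, sign."""
    entries = []
    for line in _logical_lines(text):
        tokens = shlex.split(line)         # keeps the quoted NOTICE="..." field whole
        if len(tokens) < 6 or tokens[0] != "INCREMENT":
            continue                       # comments, blank lines or other keywords
        opts = dict(t.split("=", 1) for t in tokens[6:] if "=" in t)
        entries.append({"feature": tokens[1], "version": tokens[3], "expires": _expiry(tokens[4]),
                        "count": None if tokens[5] == "uncounted" else int(tokens[5]),
                        "hostid": opts.get("HOSTID"), "sign": opts.get("SIGN")})
    return entries

def license_status(text, today_iso):
    """Map feature -> 'valid' | 'expired' | 'permanent' as of an ISO date string."""
    today = date.fromisoformat(today_iso)
    return {e["feature"]: "permanent" if e["expires"] is None
            else "expired" if e["expires"] < today else "valid"
            for e in parse_license(text)}
```

Running license_status over the real file in /opt/CSCOar/license before an upgrade shows which feature lines will lapse, without relying on the server's own startup messages.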
Cisco AR provides two ways of getting license information using aregcmd:
• aregcmd command-line option
• Launching aregcmd
aregcmd Command-Line Option
Cisco AR provides a new -l command-line option to aregcmd. The syntax is:
aregcmd -l directory_name
where directory_name is the directory where the Cisco AR license file is stored. The following is an example of the aregcmd -l command:
aregcmd -l /opt/CSCOar/license
Licensed Application: Cisco Access Registrar (Standard Version)

