Release Notes for Cisco Access Registrar, 4.2
Cisco Access Registrar 4.2 provides RADIUS authentication, authorization, and accounting (AAA) services for service providers and enterprises. Cisco Access Registrar (CAR) supports service provider deployment of access services by centralizing AAA information and simplifying provisioning and management.
CAR is a standards-based Remote Authentication Dial-in User Service (RADIUS) and proxy RADIUS server designed for high-performance, extensibility, and integration with external data stores and systems.
CAR supports a range of access technologies from traditional dial and broadband to wireless LANs and mobile wireless. CAR supports the latest wireless authentication protocols such as Extensible Authentication Protocol and Protected EAP used in wireless LAN deployments. CAR also is able to make real-time AAA requests to billing systems to support prepaid applications.
These release notes provide information about this release of CAR 4.2.
Note
CAR 4.2 can be used with Solaris 9, Solaris 10, or 32-bit Red Hat Enterprise Linux 4.0 running kernel 2.6.9-22.0.2.EL or later and glibc version glibc-2.3.4-2.13 or later.
Releases of CAR from the 4.1.4 version onwards do not support the Solaris 8 operating system.
Contents
This release note contains the following sections:
• Cisco Access Registrar 4.2 Licensing
• Obtaining Documentation, Obtaining Support, and Security Guidelines
New Features
The following sections describe new features in each release:
• New Features In Cisco Access Registrar 4.2
New Features In Cisco Access Registrar 4.2
Note
The first version of CAR 4.2 is released as CAR 4.2.1.
CAR 4.2 introduces these features:
• Dynamic Service Authorization
• Oracle 10g Client, 11g Server Support
• LDAP Bind-Based Authentication
• Server Virtualization Support
WiMAX Support
WiMAX support is based on the WiMAX Forum NWG_R1.1.0_Stage-3 specifications. So that CAR can interact with the ASN-GW (also known as the BroadBand Wireless Gateway, BWG) and the Home Agent, CAR 4.2 adds a new WiMAX service whose type is "wimax". The WiMAX service contains a Session Manager (with a session-cache resource manager and an HA resource manager), a Query Service connected to the session manager configured for this service, and a Prepaid Service; these are required to connect all the flows that appear in CAR for WiMAX. The service is used as a container for the new key generation modules and for existing modules such as the EAP services.
TPS-Based Licensing
CAR 4.2 follows a new licensing model based on transactions per second, as opposed to the feature-based licensing model of earlier releases. CAR 4.2 supports the new licensing part numbers, which are count based.
While upgrading to CAR 4.2, the licenses of previous versions cannot be used. Backward compatibility support in terms of license will not be available in this version.
Session Scalability
In CAR 4.2, the session scalability feature refactors the current session data structures, because the effort required to build a session manager from the bottom up would be huge. In this release, the memory capacity for stored sessions is increased from one million to four million sessions. The actual capacity depends on the number of attributes captured for each session.
CAR creates sessions in memory as long as memory is available on the system. When the system runs out of memory, the radius process crashes. To avoid this crash, CAR 4.2 adds the MemoryLimitForRadiusProcess property.
The default value of MemoryLimitForRadiusProcess is 3500 megabytes. The property is located under /radius/advanced. When the radius process uses more memory than the configured limit, no further sessions are created and CAR rejects further incoming requests.
Dynamic Service Authorization
This feature allows CAR to consult external databases such as LDAP and Oracle first, to learn which remote servers the authenticated services should be relayed to. This is achieved by introducing the following three new environment variables:
• Re-Authentication-Service
• Re-Authorization-Service
• Re-Accounting-Service
The service selected through scripts now has the option of setting these variables (as appropriate to the phase the packet is in) to reauthenticate, reauthorize, or reaccount using another service; services can therefore be chained through these environment variables.
To limit the number of services that can be chained, a static value of 10 has been chosen. This limit can be set dynamically (if required in the field, though this is unlikely) using the Dynamic-Service-Loop-Limit environment variable, which overrides the static value of 10.
As part of this feature, the existing LDAP and ODBC services are opened up for lookups during accounting. This means that an LDAP or ODBC (authentication) service can be configured as an accounting service. It looks up the database using the attributes in the accounting packet and maps the necessary information onto the environment dictionary (as per the LDAPToEnvironment or ODBCToEnvironment mapping). The other two mappings are not supported.
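The chaining rules just described, modelled in Python as an added example (this is not Cisco Access Registrar code): each service may set the phase's Re-*-Service variable to name the next service, and the loop limit of 10, or the value of Dynamic-Service-Loop-Limit, stops a chain that never terminates. The service names, the realm-based routing table and the callables are constructed for the demonstration, and the model assumes the limit counts every service that runs, the first one included.

```python
"""Model of dynamic service chaining with a loop limit (added example, not CAR code)."""

PHASE_VARIABLE = {
    "authentication": "Re-Authentication-Service",
    "authorization": "Re-Authorization-Service",
    "accounting": "Re-Accounting-Service",
}
STATIC_LOOP_LIMIT = 10


class ChainLimitExceeded(Exception):
    """Raised when a chain would run more services than the loop limit allows."""

    def __init__(self, executed):
        super().__init__(f"service chain exceeded the loop limit after {executed}")
        self.executed = executed


def run_chain(phase, first_service, services, request, environment):
    """Run services for one phase, following the phase's Re-*-Service variable.

    services: dict of service name -> callable(request, environment); a callable
    sets the phase variable when it wants another service to run next.
    Returns the ordered list of service names that ran.
    Assumption: the limit counts every executed service, the first included.
    """
    variable = PHASE_VARIABLE[phase]
    limit = int(environment.get("Dynamic-Service-Loop-Limit", STATIC_LOOP_LIMIT))
    executed = []
    current = first_service
    while current is not None:
        if len(executed) >= limit:
            raise ChainLimitExceeded(executed)
        if current not in services:
            raise KeyError(f"{variable} names unknown service {current!r}")
        environment.pop(variable, None)       # a stale value must not re-dispatch
        services[current](request, environment)
        executed.append(current)
        current = environment.get(variable)   # None ends the chain
    return executed


# Constructed services standing in for the real LDAP lookup and remote servers.

def ldap_lookup(request, environment):
    """Simulates an LDAP lookup that maps the user's realm to a target service."""
    realm = request.get("User-Name", "").partition("@")[2]
    routing = {"corp.example": "radius-corp", "partner.example": "radius-partner"}
    environment["Re-Authentication-Service"] = routing.get(realm, "local-users")


def terminal_service(request, environment):
    """Authenticates locally and sets no variable, so the chain ends here."""


def loop_a(request, environment):
    environment["Re-Authentication-Service"] = "loop-b"   # misconfigured cycle


def loop_b(request, environment):
    environment["Re-Authentication-Service"] = "loop-a"


SERVICES = {
    "ldap-lookup": ldap_lookup,
    "radius-corp": terminal_service,
    "radius-partner": terminal_service,
    "local-users": terminal_service,
    "loop-a": loop_a,
    "loop-b": loop_b,
}


def route_user(user_name):
    """Returns the chain executed for an Access-Request from user_name."""
    request = {"User-Name": user_name}
    return run_chain("authentication", "ldap-lookup", SERVICES, request, {})


def misconfigured_chain(loop_limit=None):
    """Returns how many services ran before the loop limit stopped a cycle."""
    environment = {}
    if loop_limit is not None:
        environment["Dynamic-Service-Loop-Limit"] = str(loop_limit)
    try:
        run_chain("authentication", "loop-a", SERVICES, {}, environment)
    except ChainLimitExceeded as exc:
        return len(exc.executed)
    return None   # not reached for a genuine cycle


if __name__ == "__main__":
    print(route_user("alice@corp.example"))   # ['ldap-lookup', 'radius-corp']
    print(misconfigured_chain())              # 10
```

The cycle case is the one worth watching in production: a lookup that routes back to the service that called it is stopped only by the loop limit, so a burst of limit-exceeded rejections in the logs usually points at a routing table error rather than at the clients.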
Oracle 10g Client, 11g Server Support
In this release, CAR has been enhanced to support Oracle 10g Client and 11g Server. CAR 4.2 has been tested and certified with Oracle 9i/10g/11g servers via Oracle 9i/10g clients. CAR 4.2 support for Oracle 8i client/server has been discontinued (Oracle has withdrawn support for 8i client library).
LDAP Bind-Based Authentication
The LDAP client library is enhanced to support LDAPv3. However, no extended features in LDAPv3 are supported. The existing LDAP remote server is enhanced to support bind-based authentication in addition to the existing password-fetch based authentication. A new property, UseBindBasedAuthentication, is added to the existing LDAP remote server to enable or disable bind-based authentication. This is a Boolean value and can be set to TRUE or FALSE.
CRL Support
CAR 4.2 supports CRLs as defined by RFC 3280 and provides for CRL fetching and enforcement. The protocols supported for fetching CRLs are LDAP and HTTP.
A new property, CRLDistributionURL, is added to the existing TLS-based EAP authentication services. When this property is configured, CAR fetches the CRL from the specified URL at startup. A background thread keeps the state of these CRLs and, when any of them expires, fetches a new version of the CRL from the URL again; the expiry information is encoded within the CRL itself. CAR 4.2 verifies the certificate during TLS-based authentication, and CRL validation is done before a client certificate is accepted during the TLS authentication.
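The fetch, expiry-driven refresh and enforcement behaviour described above, modelled in Python as an added example (not Cisco Access Registrar code). A real CRL is DER-encoded per RFC 3280; here it is a small dataclass carrying the revoked serials and the nextUpdate time, and the HTTP or LDAP fetch is replaced by an in-memory distribution point. The issuer name, serial numbers, times and URL are constructed, and the model assumes a fail-closed policy when a refresh fails, which the release note does not specify.

```python
"""Model of CRL fetching, refresh on expiry and enforcement (added example, not CAR code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Crl:
    issuer: str
    revoked_serials: frozenset   # serial numbers listed in the CRL
    next_update: datetime        # nextUpdate field: when a fresh CRL is due


class FetchError(Exception):
    """The distribution point could not be reached or returned no CRL."""


class DistributionPoint:
    """Stand-in for the HTTP or LDAP server behind CRLDistributionURL."""

    def __init__(self):
        self._published = {}
        self.available = True

    def publish(self, url, crl):
        self._published[url] = crl

    def fetch(self, url):
        if not self.available or url not in self._published:
            raise FetchError(url)
        return self._published[url]


class CrlCache:
    """Holds the current CRL for one URL and refreshes it once it has expired."""

    def __init__(self, url, fetch):
        self.url = url
        self._fetch = fetch
        self.fetch_count = 0
        self.crl = None
        self._refresh()                  # startup fetch
        if self.crl is None:
            raise FetchError(url)        # surface a startup failure to the operator

    def _refresh(self):
        try:
            self.crl = self._fetch(self.url)
            self.fetch_count += 1
        except FetchError:
            self.crl = None              # assumption: fail closed, do not keep a stale CRL

    def current(self, now):
        """Returns the CRL valid at `now`, refreshing when nextUpdate has passed."""
        if self.crl is None or now >= self.crl.next_update:
            self._refresh()
        return self.crl

    def accept_client_certificate(self, issuer, serial, now):
        """The decision taken before the TLS handshake completes: (accepted, reason)."""
        crl = self.current(now)
        if crl is None:
            return False, "crl-unavailable"
        if crl.issuer != issuer:
            return False, "crl-issuer-mismatch"
        if serial in crl.revoked_serials:
            return False, "certificate-revoked"
        return True, "ok"


def scenario():
    """Walks two days of operation; returns the decision reasons and fetch count."""
    t0 = datetime(2008, 9, 3, 0, 0)
    url = "http://crl.example.invalid/ca.crl"       # constructed URL
    ca = "CN=Example CA"                              # constructed issuer
    dp = DistributionPoint()
    dp.publish(url, Crl(ca, frozenset({0x1001}), t0 + timedelta(hours=24)))
    cache = CrlCache(url, dp.fetch)
    reasons = [
        cache.accept_client_certificate(ca, 0x1001, t0)[1],
        cache.accept_client_certificate(ca, 0x1002, t0)[1],
    ]
    # The CA revokes 0x1002; the new CRL is only picked up after nextUpdate passes.
    dp.publish(url, Crl(ca, frozenset({0x1001, 0x1002}), t0 + timedelta(hours=48)))
    reasons.append(cache.accept_client_certificate(ca, 0x1002, t0 + timedelta(hours=23))[1])
    reasons.append(cache.accept_client_certificate(ca, 0x1002, t0 + timedelta(hours=25))[1])
    # The distribution point goes down and the cached CRL expires: fail closed.
    dp.available = False
    reasons.append(cache.accept_client_certificate(ca, 0x1003, t0 + timedelta(hours=49))[1])
    return reasons, cache.fetch_count


if __name__ == "__main__":
    print(scenario())
```

The third decision is the operational caveat: a certificate revoked after the current CRL was issued is still accepted until that CRL's nextUpdate passes, so the CA's CRL issuance interval bounds how long a compromised client certificate keeps working against the EAP-TLS service.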
Shared Secret Hiding
A new property, HideSharedSecretAndPrivateKeys, is added to the /Radius/Advanced configuration section in aregcmd.
The HideSharedSecretAndPrivateKeys property hides:
• The secret that is shared between a RADIUS client and a RADIUS server, or between two RADIUS servers in a RADIUS proxy scenario.
• The PrivateKeyPassword under the certificate-based EAP services.
When this property is set to TRUE, the following properties are displayed as <encrypted>:
• PrivateKeyPassword in:
  – peap-v0 service
  – peap-v1 service
  – eap-tls service
  – eap-ttls service
  – eap-fast service
• SharedSecret in:
  – RemoteServers of type radius
  – RemoteServers of type map-gateway
  – Clients object
  – Resource Manager of type usr-vpn, under the Gateway subobject
• PseudonymSecret in the eap-sim service
• DynamicAuthSecret under the DynamicAuthorizationServer subobject in the Clients object
• RepSecret under Replication
• Secret in /radius/advanced/DDNS/TSIGKeys
When this property is set to FALSE, all the above properties are displayed in clear text.
Server Virtualization Support
Server virtualization creates virtual machines (VMs) that run separate operating systems. The result is that each VM operates as if it were a separate server with its own operating system. One advantage of server virtualization is its flexibility: it allows multiple operating systems to be present on one physical machine.
A logical domain (LDom) is a discrete logical grouping with its own operating system, resources, and identity within a single computer system. Each logical domain can be created, destroyed, reconfigured, and rebooted independently, without requiring a power cycle of the server. A variety of application software can run in different LDoms and can be kept independent for performance and security purposes.
CAR 4.2 supports deployment on virtual servers over LDoms. A setup involving a Sun T 5220 was created, and CAR 4.2 was tested by running regressions and other tests, ensuring that CAR 4.2 works correctly in LDoms.
Enhancements in Cisco Access Registrar 4.2
Table 1 gives details on the enhancements made in CAR 4.2 over the earlier versions.
Table 1 Enhancements in CAR 4.2
Bug: CSCsu49676
Description: CAR bypasses the incoming traffic throttling.
A new property under each Client configuration, called EnforceTrafficThrottling, is introduced. This property is enabled by default, and you can turn off enforcement for a particular client. Additionally, you have more flexibility in choosing whether to enforce throttling by means of scripting: a new environment variable, Enforce-Traffic-Throttling, has been introduced that can be set to TRUE or FALSE using an extension point script. When both are used, this environment variable takes precedence over the Client configuration setting.
Bug: CSCsq53135
Description: CAR supports the newer ACS Remote Agent.
CAR 4.2 supports the Windows Domain Controller/Active Directory (WDC/AD) and enables you to authenticate users present in a WDC/AD using the CiscoSecure Remote Agent (CSRA).
Note
You can download the CiscoSecure Remote Agent from http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des. The file to download is Remote-Agent-ACSse-win-v4.2.0.124-K9.zip, described as Remote Agent for Windows for Solution Engine, 4.2.0.124, dated 12-MAR-2008.
Note
CAR 4.2 supports only Remote Agent 4.2. It does not support older versions.
Bug: CSCee44981
Description: CAR sets the sessionkey value for the Session Manager.
A new property under each SessionManager configuration, called SessionKey, is introduced. The SessionManager checks whether the environment variable Session-Key is set. If it is set, the server uses it as the sessionkey. If Session-Key is not set, the SessionManager uses the value configured in the SessionKey property under SessionManager.
SessionKey can be a combination of attributes separated by colons. The values for those attributes are obtained from the RequestDictionary. If any one of the attributes configured for the sessionkey is not present in the RequestDictionary, CAR drops the request.
If the Session-Key environment variable is not set and no SessionKey property is configured, the SessionManager uses NAS-Identifier and NAS-Port to create the sessionkey.
Bug: CSCeh50897
Description: Request to have query-sessions list cached Resource Manager contents.
In CAR 4.2, query-sessions is modified to list the contents of the Resource Manager cached attributes in addition to the session attributes.
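The SessionKey rules from the CSCee44981 entry in Table 1, modelled in Python as an added example (not Cisco Access Registrar code): a Session-Key environment variable set by a script is used as-is; otherwise the SessionKey property, a colon-separated list of attribute names, is resolved against the request dictionary and a request missing any listed attribute is dropped; with neither set, NAS-Identifier and NAS-Port form the key. The sample request attributes are constructed, and the model assumes that a missing NAS-Identifier or NAS-Port in the default case also drops the request, which the note does not state.

```python
"""Model of the SessionKey selection rules (added example, not CAR code)."""


class DropRequest(Exception):
    """The request lacks an attribute that the configured key requires."""


DEFAULT_KEY_ATTRIBUTES = ("NAS-Identifier", "NAS-Port")


def _join_attributes(request, names):
    """Joins the named attribute values with ':'; any missing name drops the request."""
    values = []
    for name in names:
        if name not in request:
            raise DropRequest(f"attribute {name} needed for the session key is missing")
        values.append(str(request[name]))
    return ":".join(values)


def build_session_key(request, environment, session_key_property=None):
    """Returns the session key for one request.

    request: the RequestDictionary, attribute name -> value
    environment: environment variables set by extension-point scripts
    session_key_property: the SessionManager's SessionKey property, or None
    """
    # Rule 1: an explicit Session-Key set by a script is used verbatim.
    script_key = environment.get("Session-Key")
    if script_key:
        return script_key
    # Rule 2: resolve the configured attribute list; a missing attribute drops the request.
    if session_key_property:
        names = [n.strip() for n in session_key_property.split(":") if n.strip()]
        return _join_attributes(request, names)
    # Rule 3: default key (assumption: a missing default attribute also drops the request).
    return _join_attributes(request, DEFAULT_KEY_ATTRIBUTES)


# Constructed Access-Request, as the RequestDictionary would present it.
SAMPLE_REQUEST = {
    "User-Name": "alice@corp.example",
    "NAS-Identifier": "nas-west-01",
    "NAS-Port": 17,
    "Framed-IP-Address": "192.0.2.25",
}


def demo_keys():
    """Returns the key that each configuration yields for SAMPLE_REQUEST."""
    return {
        "property": build_session_key(SAMPLE_REQUEST, {}, "User-Name:NAS-Identifier"),
        "script": build_session_key(SAMPLE_REQUEST, {"Session-Key": "acct-4711"}, "User-Name"),
        "default": build_session_key(SAMPLE_REQUEST, {}),
    }


def demo_drop():
    """Returns True when a key requiring Calling-Station-Id drops the sample request."""
    try:
        build_session_key(SAMPLE_REQUEST, {}, "User-Name:Calling-Station-Id")
    except DropRequest:
        return True
    return False


if __name__ == "__main__":
    print(demo_keys())   # {'property': 'alice@corp.example:nas-west-01', 'script': 'acct-4711', 'default': 'nas-west-01:17'}
    print(demo_drop())   # True
```

The drop rule is the part to check before enabling a custom SessionKey: every NAS in the deployment must send every attribute named in the property, or its requests are silently dropped rather than rejected.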
System Requirements
Note
Before you begin the software installation, ensure that your server has the most recent OS software including all relevant or recommended patches.
This section describes the system requirements to install and use the CAR software.
Full Installation
Table 2 lists the system requirements for a full installation of CAR.
Client-Only Installation
Table 3 lists the system requirements for installing the client-only component of CAR.
Table 3 Client-Only Requirements
Component               Requirements
CPU Architecture        SPARC
OS Version              Solaris 9 or Solaris 10
Minimum RAM             32 MB
Recommended RAM         64 MB
Recommended Disk Space  120 MB
Note
The client-only installation is available only when using the Solaris operating system.
The recommended disk space does not include the amount of space needed for accounting records which can grow rapidly depending on how frequently you process and remove them from the CAR disk. If CAR runs out of disk space, it could cause the loss of accounting information and the corruption of session management information.
Co-Existence With Other Network Management Applications
To achieve optimal performance, CAR should be the only application running on a single machine.
Note
Cisco Network Registrar and CAR cannot co-exist on the same machine.
You can choose to run collaborative servers such as an Oracle or SQL database system, an LDAP server, or another Solaris application. There are no known conflicts with any other Solaris applications.
You can configure CAR to avoid UDP port conflicts with other network management applications. The most common conflicts occur when other applications also use ports 2785 and 2786. Another possible conflict could be SNMP. If you configure and use SNMP on your CAR server, no other application can be configured to use SNMP on the CAR machine.
Related Documentation
The following is a list of the documentation for CAR 4.2. You can access the URLs listed for each document at www.cisco.com on the World Wide Web. We recommend that you refer to the documentation in the following order:
Cisco Access Registrar 4.2 Documentation Guide (78-18785-01)
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.2/roadmap/guide/ardocgd.html
Cisco Access Registrar 4.2 Installation and Configuration Guide (OL-17221-01)
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.2/installation/guide/incfg.html
Cisco Access Registrar 4.2 User Guide (OL-17222-01)
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.2/user/guide/users.html
Note
To know about the performance numbers of CAR 4.2, see CAR Collateral in http://wwwin-nmbu.cisco.com/fieldportal/products/car/summary.cfm?Prod=car&tsession.
Cisco Access Registrar 4.2 Licensing
CAR 4.2 uses a new licensing mechanism that enables you to activate all features in CAR. During system initialization, the CAR server sets up the licensing data model and activates all features.
In CAR 4.2, licensing is based on transactions per second (TPS). Every license will cover all features, but with restrictions enforced on the TPS. TPS is calculated based on the number of packets flowing into CAR irrespective of the feature.
License Slabs
The license slabs available in CAR 4.2 are listed in Table 4.
Getting Cisco Access Registrar 4.2 License
When you order the CAR 4.2 product, a text license file will be sent to you in e-mail. If you are evaluating the software, Cisco will provide you with an evaluation license.
If you decide to upgrade your CAR software, a new text license file will be sent to you in e-mail.
Note
While upgrading to CAR 4.2, the licenses of previous versions cannot be used. Backward compatibility support in terms of license will not be available in this version.
If you receive a Software License Claim Certificate, you can get your CAR license file at one of the following two URLs:
Use this site if you are a registered user of Cisco.com.
• www.cisco.com/go/license/public
Use this site if you are not a registered user of Cisco.com.
Within one hour of registration at either of the above web sites, you will receive your license key file and installation instructions in e-mail.
Installing Cisco Access Registrar 4.2 Licenses
You must have a license in a directory on the CAR machine before you attempt to install CAR software. If you have not installed the CAR license file before beginning the software installation, the installation process will fail.
You can store the CAR license file in any directory on the CAR machine. During the installation process, you will be asked the location of the license file, and the installation process will copy the license file to the /opt/CSCOar/license directory, or $INSTALL/license if you are not using the default installation location.
The license file might have the name ciscoar.lic, but it can be any filename with the suffix .lic. To install the CAR license file, you can copy and paste the text into a file, or you can simply save the file you receive in e-mail to an accessible directory.
Adding Additional Cisco Access Registrar 4.2 Licenses
If you add additional licenses, you can open the file in /opt/CSCOar/license and add additional lines to the license file, or you can create an additional license file to hold the new lines. If you add a new file, remember to give it a .lic suffix. You must restart the CAR server for the new license to take effect. To restart the CAR server, enter the following on the server command line:
/opt/CSCOar/bin/arserver restart
Sample License File
The following is an example of a CAR 4.2 license file.
INCREMENT AR-BASE-100TPS cisco 4.2 30-Nov-2008 uncounted HOSTID=ANY \
NOTICE="<LicFileID>2008090307</LicFileID><LicLineID>0</LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
INCREMENT AR-ADD-TPS cisco 4.2 30-Nov-2008 uncounted \
VENDOR_STRING=<count>100</count> HOSTID=ANY \
NOTICE="<LicFileID>2008090307</LicFileID><LicLineID>1</LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
Displaying License Information
CAR provides two ways of getting license information using aregcmd:
• aregcmd command-line option
• Launching aregcmd
aregcmd Command-Line Option
CAR provides a new -l command-line option to aregcmd. The syntax is:
aregcmd -l directory_name
where directory_name is the directory where the CAR license file is stored.
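A parser for the INCREMENT records of the license file format shown in the Sample License File section, added here as an example (not Cisco code). It joins backslash-continued lines, splits each record into its positional fields and key=value options, and derives the COUNT column that aregcmd -l prints: from the <count> element of VENDOR_STRING when present, otherwise from the NNNTPS suffix of the feature name, which is an assumption drawn from the sample output. SAMPLE_LICENSE is the sample file from these notes; the cut-off dates used for the expiry check are constructed.

```python
"""Parser for INCREMENT records in a CAR 4.2 license file (added example, not Cisco code)."""
import re
import shlex
from datetime import date, datetime

SAMPLE_LICENSE = """\
INCREMENT AR-BASE-100TPS cisco 4.2 30-Nov-2008 uncounted HOSTID=ANY \\
NOTICE="<LicFileID>2008090307</LicFileID><LicLineID>0</LicLineID> \\
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
INCREMENT AR-ADD-TPS cisco 4.2 30-Nov-2008 uncounted \\
VENDOR_STRING=<count>100</count> HOSTID=ANY \\
NOTICE="<LicFileID>2008090307</LicFileID><LicLineID>1</LicLineID> \\
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
"""

_COUNT_TAG = re.compile(r"<count>(\d+)</count>")
_TPS_SUFFIX = re.compile(r"(\d+)TPS$", re.IGNORECASE)


def logical_lines(text):
    """Joins lines that end in a backslash into one logical line each."""
    lines, pending = [], []
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            pending.append(stripped[:-1].rstrip())
            continue
        pending.append(stripped)
        joined = " ".join(pending).strip()
        if joined:
            lines.append(joined)
        pending = []
    if pending:
        raise ValueError("license file ends inside a continued line")
    return lines


def parse_license(text):
    """Returns one dict per INCREMENT record; other lines are ignored."""
    records = []
    for line in logical_lines(text):
        tokens = shlex.split(line)          # strips the quotes around NOTICE
        if not tokens or tokens[0] != "INCREMENT":
            continue
        if len(tokens) < 6:
            raise ValueError(f"malformed INCREMENT line: {line}")
        feature, vendor, version, expiry, count = tokens[1:6]
        options = {}
        for token in tokens[6:]:
            key, sep, value = token.partition("=")
            if not sep:
                raise ValueError(f"unexpected token {token!r} in {feature}")
            options[key] = value
        records.append({"feature": feature, "vendor": vendor, "version": version,
                        "expiry": expiry, "count": count, "options": options})
    return records


def expiry_date(record):
    """Parses the DD-Mon-YYYY expiry field; 'permanent' never expires."""
    if record["expiry"].lower() == "permanent":
        return date.max
    return datetime.strptime(record["expiry"], "%d-%b-%Y").date()


def licensed_tps(record):
    """TPS contributed by one record, matching the COUNT column of aregcmd -l."""
    match = _COUNT_TAG.search(record["options"].get("VENDOR_STRING", ""))
    if match:
        return int(match.group(1))
    match = _TPS_SUFFIX.search(record["feature"])   # assumption: AR-BASE-100TPS -> 100
    return int(match.group(1)) if match else 0


def total_tps(records, today_iso):
    """Sums the TPS of records that have not expired on the ISO date given."""
    today = date.fromisoformat(today_iso)
    return sum(licensed_tps(r) for r in records if expiry_date(r) >= today)


if __name__ == "__main__":
    recs = parse_license(SAMPLE_LICENSE)
    for r in recs:
        print(r["feature"], r["version"], r["expiry"], licensed_tps(r))
    print("total TPS on 2008-09-03:", total_tps(recs, "2008-09-03"))   # 200
```

Run against the sample file this reproduces the two COUNT values of 100 that aregcmd -l reports and a combined 200 TPS until the 30-Nov-2008 expiry; the SIGN field is carried through but not verified, since signature checking is the server's job and the algorithm is not documented here.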
The following is an example of the aregcmd -l command:
aregcmd -l /opt/CSCOar/license
Licensed Application: Cisco Access Registrar (Standard Version)
Following are the licensed components:
NAME            VERSION  EXPIRY_INFO  COUNT
====            =======  ===========  =====
AR-Base-100TPS  4.2      30-Nov-2008  100
AR-ADD-TPS      4.2      30-Nov-2008  100
Launching aregcmd
The CAR server displays license information when you launch aregcmd, as shown in the following:
aregcmd
Cisco Access Registrar 4.2.1 Configuration Utility
Copyright (C) 1995-2008 by Cisco Systems, Inc. All rights reserved.
Logging in to localhost
[ //localhost ]
LicenseInfo = AR-Base-100TPS 4.2 (expires on 30-Nov-2008)
AR-ADD-TPS 4.2 (expires on 30-Nov-2008)
Radius/
Administrators/
Server 'Radius' is Running, its health is 10 out of 10
Caveats
This section provides information about known anomalies in CAR 4.2 and about anomalies from previous versions of CAR that have been fixed.
• Known Anomalies in Cisco Access Registrar 4.2
• Anomalies Fixed in Cisco Access Registrar 4.2
Known Anomalies in Cisco Access Registrar 4.2
Table 5 lists the known anomalies in CAR 4.2.
Anomalies Fixed in Cisco Access Registrar 4.2
Table 6 lists the anomalies fixed in CAR 4.2.
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
© 2007-2008 Cisco Systems, Inc. All rights reserved.