Summary of Contents for Cisco Cisco Access Registrar 3.5
Page 1
Cisco Access Registrar 3.5 Concepts and Reference Guide, July 2004. Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, http://www.cisco.com, Tel: 408 526-4000, 800 553-NETS (6387), Fax: 408 526-4100. Customer Order Number: Text Part Number: OL-2683-02...
Contents: Program Flow; Scripting Points; Client or NAS Scripting Points; Authentication and/or Authorization Scripting Points; Session Management; Failover by the NAS and Session Management...
Page 5
Contents: Transaction Data Verification; Transaction Order; Automatic Resynchronization; Full Resynchronization; Understanding Hot-Configuration; Replication's Impact on Request Processing; Replication Configuration Settings; RepType; RepTransactionSyncInterval; Master; Slave; RepTransactionArchiveLimit; RepIPAddress; RepPort; RepSecret; RepIPMaster; RepMasterIPAddress; RepMasterPort...
Page 6
Contents: Switching Configuration Files in Mid-File; Community String; Prepaid Billing Solution (chapter); Overview; Configuring Prepaid Billing; Generic Call Flow; Call Flow Details; Access-Request (Authentication); Access-Accept (Authentication); Access-Request (Authorization); Access-Accept (Authorization)...
Page 7
Contents: Accounting Start; Data Flow; Access-Request (Quota Depleted); Access-Accept (Quota Depleted); Accounting Stop (Session End); Accounting Response (Final Status); Vendor-Specific Attributes; Glossary...
This guide also contains a Glossary and an Index.
Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following sites: http://www.cisco.com...
In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Page 11
• P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.
• P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.
• Session and resource management—tracks user sessions and allocates dynamic resources
Using a RADIUS server allows you to better manage access to your network, because it lets you store all security information in a single, centralized database instead of distributing it across many different devices on the network.
In order to ensure network security, the client and server use a shared secret, which is a string they both know, but which is never sent over the network. User passwords are also encrypted between the client and the server to protect the network from unauthorized access.
• Access-Challenge—sent by the RADIUS server requesting more information in order to allow access. The NAS, after communicating with the user, responds with another Access-Request.
When you use RADIUS accounting, the client and server can also exchange the following two types of messages:
• Accounting-Request—sent by the client (NAS) requesting accounting...
Proxying to other servers enables you to delegate some of the RADIUS server’s functions to other servers. You can use Cisco Access Registrar to “proxy” to an LDAP server for access to directory information about users in order to authenticate them.
Access-Request containing attributes such as the user's name, the user's password, the ID of the client, and the Port ID the user is accessing. The Cisco AR server determines which hardware (client NAS) sent the request, parses the packet, and determines whether to accept the request.
Page 18
/Radius/<ResourceManagers>/<Name>/<Type>. The Cisco AR server finally creates and formats an Access-Accept, Access-Reject, or Access-Challenge response, then sends it to the client (NAS).
Registrar references each of these objects during the processing of client requests. Cisco Access Registrar lets you manipulate configuration objects, which define the properties or behavior of the RADIUS server. Cisco Access Registrar also lets you invoke custom scripts to affect the behavior of the RADIUS server.
For more information about UserLists and UserGroups, refer to Access Registrar Server Objects in the Cisco Access Registrar User's Guide.
Profiles
Cisco Access Registrar uses Profiles that allow you to group RADIUS attributes to be included in an Access-Accept packet.
• When you want authentication performed by another server, which may run as an independent application on the same host as your RADIUS server or on a different one, you can specify a radius, ldap, or tacacs-udp service. In this case, you must list these servers by name.
When a NAS sends a request packet to Cisco Access Registrar with a name and password, Cisco Access Registrar performs the following actions.
Description: Contains ELFs, or binary SPARC executables, that should not be run directly. Contains shell scripts and programs frequently used by a network administrator;...
Receives an Access-Request: The Cisco Access Registrar server receives an Access-Request packet from a NAS.
Determines whether to accept the request: The Cisco Access Registrar server checks to see if the client's IP address is listed in /Radius/Clients/<Name>/<IPAddress>.
Invokes the policy SelectPolicy...
Performs authentication and/or authorization. *Executes the Service's outgoing script.
Explanation: /Radius/Advanced/RequireNASsBehindProxyBeInClientList set to TRUE. The NAS's Identifier listed in /Radius/Clients/<Name>, or its NAS-IP-Address listed in /Radius/Clients/<Name>/IPAddress. The vendor listed in /Radius/Clients/<Name>/Vendor, and a script referred to in /Radius/Vendors/<Name>/IncomingScript.
The Session Management feature requires the client (NAS or proxy) to send all RADIUS accounting requests to the Cisco Access Registrar server performing session management. (The only exception is if the clients are USR/3Com Network Access Servers configured to use the USR/3Com RADIUS resource management feature.) This information is used to keep track of user sessions, and the resources allocated...
For example, the user-session-limit resource may reject new sessions because the primary server does not know that some users of the resource logged out while the primary server was offline. It may be necessary to release those sessions manually using the aregcmd command release-session.
All resources that must be shared across multiple front-line Cisco AR servers are configured in the Central Resource Cisco AR server. Resources that are not shared can still be configured at each front-line Cisco AR server, as was done prior to the Cisco AR 1.6 release.
When the front-line Cisco AR server receives the Access-Request, it does the regular AA processing. If the packet is not rejected and a Central Resource Cisco AR server is also configured, the front-line Cisco AR server proxies the packet to it. When the Central Resource Cisco AR server returns the requested resources, processing continues to local session management (if a local session manager is configured) for allocating any local resources.
1. central-server
InitialTimeout = 2000
AccountingPort = 1646
Configure Central AR
Resources at the Central Resource server are configured the same way as local resources are configured. These resources are local resources from the Central Resource server's point of view.
ACMEOutgoingScript
ACMEOutgoingScript is referenced from Vendor ACME for the outgoing script. If the Cisco AR server accepts this Access-Request and the response does not yet contain a Session-Timeout, set it to 3600 seconds.
AltigaIncomingScript
AltigaIncomingScript maps Altiga-proprietary attributes to Cisco Access Registrar's global attribute space.
ANAAAOutgoing can be referenced from either the client or vendor outgoing scripting point to be used in HRPD/EV-DO networks where Cisco Access Registrar is the Access Network (AN) AAA server. ANAAAOutgoing checks to see if the response contains the Callback-Id attribute. If the response contains the Callback-Id attribute and the value is less than 253 characters, ANAAAOutgoing prefixes a zero (0) to the value.
Authorization-Service to odap-users and sets the Accounting-Service to odap-accounting.
ExecCLIDRule
ExecCLIDRule is referenced from the policy engine to determine the authentication and authorization service and policy based on the CLID set in the policy engine.
Allows access from the first of the month until the thirteenth of the month from 10 AM until 5 PM and all day on the fifteenth of the month.
The Accounting service will be the DefaultAccountingService (as specified in the configuration by the administrator). The Tcl version of this script is named tParseAASRealm.
AAA services should be used for this request. If @radius is found, a set of AAA services is selected which will proxy the request to a remote radius server. If @tacacs is found, the AuthenticationService is selected that will proxy the request to a tacacs server for authentication.
Registrar's global attribute space and sets a flag to ignore the signature on Accounting-Request packets. Earlier versions of the USR RADIUS client did not correctly sign Accounting-Request packets.
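The shared-secret mechanics described earlier on this page (the secret itself is never sent, and the user password is hidden with it) and the Accounting-Request signature that this script tells the server to ignore, as an added Python example that is not code from the guide or from Cisco Access Registrar: the RFC 2865 User-Password hiding and the RFC 2866 Request Authenticator, with the verification a server performs unless told to skip it. The secret and attribute values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed sample secret for the demonstration only; a real deployment
# uses its own secret, configured on both sides and never sent on the wire.
SHARED_SECRET = b"example-shared-secret"


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, then XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block  # chaining: the next mask depends on this ciphertext block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password: the server needs the same secret plus the
    Request Authenticator from the packet header. Trailing NULs are padding."""
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute in Type-Length-Value form (Length counts the header)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def accounting_request_authenticator(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", 4, ident, 20 + len(attrs))  # Code 4 = Accounting-Request
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Accounting-Request as a correctly signing client emits it."""
    auth = accounting_request_authenticator(ident, attrs, secret)
    return struct.pack("!BBH", 4, ident, 20 + len(attrs)) + auth + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check of the Request Authenticator. Skipping this check means
    accounting data is accepted from anyone who can reach the accounting port."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or length != len(packet):
        return False
    expected = accounting_request_authenticator(ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])
```

With the ignore-signature flag set, a packet that fails verify_accounting_request is still processed, so usage records become forgeable for that client; the flag belongs only with the USR clients the script covers.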
USROutgoingScript
USROutgoingScript maps USR attributes from Cisco Access Registrar's global attribute space to the appropriate USR-proprietary attributes.
(see Hot Configuration Detailed below for more information) Changes should be made only on the master server. Making changes on a slave server will not be replicated and may result in an unstable configuration on the slave. Any changes made using replication will not be reflected in existing aregcmd sessions.
How Replication Works
When there is a configuration change, the master server propagates the change set to all member servers over the network. All member servers have to update their configuration after receiving the change-set notifications from the master server. Propagating the change set to a member server involves multiple packet transfers from the master server to the member, because the master server has to convey all the configuration changes to the member.
########## is the unique transaction number assigned by the master server. The replication archive size, that is, the number of transaction files it may contain, is configured in the Replication configuration setting TransactionArchiveLimit. When the TransactionArchiveLimit is exceeded, the oldest transaction file is deleted.
In this case, the slave must be resynchronized with a full resynchronization.
(when changes are not being made) is virtually unmeasurable.
Replication Configuration Settings
This section describes each replication configuration setting. In aregcmd, replication settings are found in //localhost/Radius/Replication.
Large values are best. The size of each transaction depends upon how many configuration changes were included in the transaction, so hard disk space usage is difficult to estimate.
RepMasterPort is the port to use to send replication messages to the master. In most cases, the default value (1645) is sufficient; however, if another is to be used, the interfaces must exist in the machine.
This is the name of the slave. The name must be unique.
IPAddress
This is the IP Address of the slave.
Port
This is the port upon which the master will send replication messages to the slave.
RADIUS-AUTH-CLIENT-MIB
The RADIUS-AUTH-CLIENT-MIB describes the client side of the RADIUS authentication protocol. The information contained in this MIB is useful when a Cisco AR server is used as a proxy server.
The list of trap recipients is shared by all events and is determined at server initialization time along with other trap configuration information. The list of trap recipients dictates where Cisco AR traps are directed.
The index of these three objects identifies the entry in radiusAuthServerTable and arAccServerExtTable which maintains the characteristics of the concerned server. One should not solely rely on this for server state. Several conditions, including the restart of the Cisco AR server, could result in either multiple carOtherAccServerNotResponding notifications being sent or in a carOtherAccServerResponding notification not being sent.
carOtherAccServerResponding
carOtherAccServerResponding signifies that an accounting server that had previously sent a not-responding message is now responding to requests from the Cisco AR server. This trap has three objects:
• radiusAccServerAddress—indicates the identity of the concerned server
•...
A community string is used to authenticate the trap message sender (SNMP agent) to the trap recipient (SNMP management station). A community string is required in the list of trap receivers.
Prepaid Billing Solution
This chapter describes the generic call flow between the three components required to support a prepaid billing solution using the RADIUS protocol: the AAA client, the Cisco Access Registrar 3.5 server, and a prepaid billing server.
Overview
When a subscriber uses a prepaid billing service, each call requires a set of data about the subscriber.
Page 56
This requires network nodes to measure all parameters all the time, but to report values only after receiving a reauthorization request.
Under RemoteServers, you must list the RemoteServer object previously configured to support either prepaid-crb or prepaid-is835c. Detailed information about configuring prepaid billing is located in the Cisco Access Registrar Installation and Configuration Guide.
This section describes the generic call flow for the Cisco AR 3.5 prepaid billing solution. The call flow is controlled by the AAA client. The Cisco AR 3.5 server converts VSAs into calls to the billing server. The packet flows presented in
The headlines in the packet flows are general and do not represent all data transferred.
26, 9 CRB_SESSION_ID
In Flow 1s, the Cisco AR 3.5 server sends a call to the billing server to authenticate the prepaid user and possibly determine more information about the subscriber's account. The Cisco AR 3.5 server can be configured to generate this packet flow, using a subscriber profile parameter, if the request is from a prepaid subscriber.
CRB_SERVICE_ID 26, 9 CRB_SESSION_ID
In Flow 3s, the Cisco AR 3.5 server sends a call to the prepaid billing server to obtain a quota. The quota might contain several values depending on the number of measurement parameters chosen.
Access-Accept (Authorization)
Flow 4b shows the billing server returning the quota array for the subscriber.
26, 9 CRB_TERMINATE_CAUSE Identifies why a...
Accounting Start
In Flow 5c, the AAA client sends the Accounting Start. In Flow 6s, the Cisco AR 3.5 server replies with the Accounting-Response.
Data Flow
At this point, the data transfer begins. The AAA client monitors the subscriber's allocated quotas for metering parameters.
The billing server sends an updated quota array for the next period to the Cisco AR 3.5 server. In Flow 8s, the Cisco AR 3.5 server converts the quota array into VSAs and sends them to the AAA client.
CRB_DOWNLINK_PACKETS
Accounting Stop (Session End)
In Flow 9c, the client sends an Accounting-Stop to the Cisco AR 3.5 server to end the session. The Accounting-Stop message includes an updated quota array, in VSA form, with the usage adjustments since the previous authorization.
Vendor-specific attributes are included in specific RADIUS packets to communicate prepaid user balance information from the Cisco AR 3.5 server to the AAA client, and actual usage, either interim or total, between the NAS and the Cisco AR 3.5 Server.
Page 65
ID. If this VSA is not present, then RADIUS attribute 44 is used instead. If this is a string AV Pair-type attribute, the name is the string attribute name.
Page 66
Table 6-10 Vendor-Specific Attributes for the Cisco Prepaid Billing Solution (columns: VSA, Name, Source (Call Flow), Type, Description)
CRB_TERMINATE_CAUSE; crb-terminate-cause; Type Int8; Identifies why a subscriber failed authentication: 1....
CRB_PRIVATE; crb-private...
Page 67
Cable Systems Group is a billing systems company. Customer Service Representative—the person you call to activate or obtain service for your account.
Page 68
DHCP Client: The IOS DHCP client used to generate requests for host addresses and subnets for non-PPP clients.
DHCP Proxy Client: The IOS DHCP client used to request an address for a PPP user from a DHCP server.
Dial User: An end-system or router attached to an on-demand PSTN or ISDN, which is either the initiator or recipient of a call.
Page 69
(for example, IP) and the networks they ride upon (for example, Ethernet, Token Ring, and others).
L2TP Network Server (LNS): An LNS operates on any platform capable of PPP termination. The LNS handles the server side of the L2TP protocol. Since L2TP relies only on the single media over which L2TP tunnels arrive, the LNS...
Page 70
Network Access Identifier (NAI), may contain structure. This structure provides a means by which the RADIUS proxy locates the RADIUS server that is to receive the request. This same structure may also be used to locate the tunnel end point when domain-based tunneling is used.
Page 71
RADIUS: ...multiple dial-in Network Access Server (NAS) devices to share a common authentication database.
RADIUS Client: A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned. A RADIUS server can act as a proxy client to other RADIUS servers.
Page 72
Remote Server: A server that has been registered with the user interface, which can later be referenced as a proxy client or as the method to perform a service; for example, a remote RADIUS server can be specified to act as a proxy client.
Page 73
SHA: Secure Hash Algorithm; a hashing algorithm that produces a 160-bit digest based upon the input. The SHA-1 algorithm produces passwords that are irreversible or prohibitively expensive to reverse.
Shared Secret: Used to authenticate transactions between the client and the RADIUS server. The shared secret is never sent over the network.
Page 74
LNS; many sessions can be multiplexed over a single tunnel. A control connection operating in band over the same tunnel controls the establishment, release, and maintenance of sessions and of the tunnel itself.
Tunnel Network Server: A server that terminates a tunnel. In PPTP terminology, this is known as the PPTP Network Server (PNS).
Page 75
X.500: Defines the Directory Access Protocol (DAP) for clients to use when contacting directory servers. DAP is a heavyweight protocol that runs over a full OSI stack and requires a significant amount of computing resources to run.