Cisco Access Registrar

Release Notes for Cisco CNS Access Registrar 3.0


Release Notes for Cisco Access Registrar 3.0R9


This document contains important information about the Cisco Access Registrar 3.0R9 software. All features in previous versions of Cisco Access Registrar are present in Cisco Access Registrar 3.0R9. Cisco AR 3.0R9 is available for Solaris 8 only.


Note Releases since Cisco Access Registrar 3.0R1 use a version of aregcmd that is incompatible with Cisco AR 3.0R0 and Cisco AR 1.7R6 (and earlier). You can find more details about aregcmd incompatibility with other versions of Cisco AR software in Changes in aregcmd.


CCO Date: May 23, 2002

Revised: October 25, 2004

Contents

This document contains the following sections:

Copyright Notice

Introduction

What's New in Cisco AR 3.0

Changes from Previous Versions of Cisco AR

Related Documentation

System Requirements

Upgrading Cisco Access Registrar Software

Installing Cisco Access Registrar Software For the First Time

Modifying Your Environment

Changing Log Directory

SNMP Configuration

Cisco Access Registrar Subdirectories

Using the Cisco AR License

Testing Cisco Access Registrar

Caveats

Obtaining Documentation

Obtaining Technical Assistance

Copyright Notice

This product contains copyrighted programs that are used with permission and are the property of the following respective owners.

Copyright 1989, 1991, 1992 by Carnegie Mellon University

Derivative Work - 1996, 1998-2000

Copyright 1996, 1998-2000 The Regents of the University of California

All Rights Reserved

Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission.

CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

NAI copyright notice (BSD) Copyright © 2001, NAI Labs. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

Neither the name of the NAI Labs nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Introduction

Cisco Access Registrar (AR) provides RADIUS authentication, authorization, and accounting (AAA) services for service providers and enterprises. Cisco AR supports service provider deployment of access services by centralizing AAA information and simplifying provisioning and management.

Cisco Access Registrar is a standards-based Remote Authentication Dial-in User Service (RADIUS) and proxy RADIUS server designed for high-performance, extensibility, and integration with external data stores and systems.

Cisco Access Registrar supports a range of access technologies from traditional dial and broadband to wireless LANs and mobile wireless. Cisco Access Registrar 3.0 supports the latest wireless authentication protocols such as Extensible Authentication Protocol—Message Digest 5 (EAP-MD5) used in wireless LAN deployments. Cisco Access Registrar 3.0 also has the ability to make real-time AAA requests to billing systems to support prepaid applications.

What's New in Cisco AR 3.0

Cisco Access Registrar 3.0 includes the following new features:

Open Database Connectivity (ODBC)

Cisco Access Registrar 3.0 provides Oracle database support using Open Database Connectivity (ODBC). Using ODBC, you can store user information including return attributes and check items in an Oracle database. Cisco AR 3.0 supports authentication and authorization through ODBC.

Prepaid Billing

Cisco Access Registrar 3.0 provides a generic prepaid billing application-programming interface (API) that allows a real-time interface to billing and rating systems. Cisco Access Registrar 3.0 Prepaid supports Cisco Packet Data Serving Node (PDSN) Code-division Multiple Access (CDMA2000) mobile wireless prepaid services.

Cisco AR 3.0 works with the client NAS and an external billing system (EBS) or billing server. EBS vendors are required to provide a Solaris 8 shared library that is built with gcc version 2.95.3.

EAP-MD5 Support

Cisco Access Registrar 3.0 supports the EAP standard that provides enhanced security for PPP authentication. EAP support is extended by supporting the EAP-MD5 authentication protocol, an EAP authentication exchange. EAP-MD5 uses a CHAP-like exchange: the password is hashed with a challenge by both the client and the server to verify that it is correct.

Enhanced configuration interface

Cisco AR's configuration utility, aregcmd, has been enhanced for faster and easier service provider AAA provisioning including:

Automatic command completion

Context-sensitive list of options

Recall of values for quick editing

User return-attribute configuration

Check-items configuration

Detailed configuration-error messages

Prefix Rule in Policy Engine

Cisco Access Registrar 3.0 has an additional rule in its policy engine that allows user-name prefix matching for dynamic processing decisions. Cisco AR 3.0 is able to select a service based on a prefix in the username. Cisco AR can strip the prefix and use it in the policy engine to select a particular service.

Lightweight Directory Access Protocol (LDAP) Directory Rebind

For environments using smart Domain Name System (DNS), Cisco AR can be configured to requery DNS at fixed intervals and dynamically rebind to any new IP address returned. When configuring to use an LDAP server, you can specify a qualified or unqualified hostname of an LDAP directory server.

Time-based Accounting File Rollover

Cisco Access Registrar 3.0 provides additional accounting file rollover criteria based on specific times.

User-password Overriding

The Cisco Access Registrar scripting API now allows easy user-password overriding.

Optimized Accounting-request Handling

Cisco Access Registrar 3.0 provides improved algorithms for handling duplicate accounting requests containing Acct-Delay-Time.

Increased Multi-vendor Support

Cisco Access Registrar 3.0 supports an extended vendor type field in vendor-specific attributes.

Support for MS-CHAPv1

Cisco AR 3.0 provides native support for MS-CHAPv1 authentication as defined in Internet RFCs 2433 and 2548. When using MS-CHAPv1 with LDAP or ODBC user storage, the password must be stored in clear text.

Managing Multi-Valued Attributes

Cisco AR 3.0 provides a mechanism to allow easy editing of multi-value attributes that enables you to add new values, change part of the values, and delete any portion of the values without having to enter the entire value.

HTTP Digest Authentication

Cisco Access Registrar 3.0R6 supports HTTP Digest, an encryption method used by protocols such as HTTP, SIP, and EAP to authenticate RADIUS clients.

Parallel Service Grouping

Cisco Access Registrar 3.0R6 introduces two new types of Group Services, parallel-and and parallel-or, that ask each referenced service to process requests simultaneously instead of sequentially, thereby saving processing time.

View-Only Administrator and View-only aregcmd Sessions

A view-only administrator or a view-only aregcmd session enables an administrator to view Cisco AR configuration, but not modify it.

Support for Oracle 9

Cisco AR supports Oracle 9 in addition to Oracle 8.1.6 and 8.1.7 for Open Database Connectivity.

Support for Java Extensions

Cisco Access Registrar 3.0R9 provides support for Java extensions. In addition to the Tcl/C/C++ extension point scripting capability, Cisco AR 3.0R9 provides support for extensions written in Java. You must have installed JRE 1.4.x.

Two New Environment Variables

AR 3.0R9 provides two new AR environment variables, Destination-IP-Address and Destination-Port. These variables enable Cisco AR to distinguish between RADIUS requests sent to different IP addresses or UDP ports on the Cisco AR server and make processing decisions based on this information.

MySQL Support

AR 3.0R9 provides support for MySQL version 4.0.18 and MyODBC 3.51.06 to enable querying user records from a MySQL database.

New Features in Cisco AR 3.0

This section describes the new features included in this release of Cisco Access Registrar 3.0.

HTTP Digest Authentication

HTTP Digest is an encryption method used by protocols such as Hypertext Transport Protocol (HTTP), Session Initiation Protocol (SIP), and Extensible Authentication Protocol (EAP).

Cisco Access Registrar 3.0R6 provides an interface to authenticate RADIUS clients based on HTTP Digest. The client sends an Access-Request packet containing a Digest-Response and associated Digest Attributes. The Cisco AR server computes a value based on the user's profile and compares this with the digest response to return an Access-Accept or Access-Reject.

The Cisco AR server generates a session key based on Internet RFC 2617, the RADIUS Extension for Digest Authentication. The generated session key is delivered to the client using the MS-MPPE-Recv-Key attribute in the Access-Accept packet if the algorithm specified in the Access-Request is MD5-sess.

No special configuration is required for HTTP Digest authentication. The Cisco AR server automatically detects HTTP Digest Access-Requests and processes them accordingly. When using HTTP Digest, the MS-MPPE-Recv-Key attribute requires a session-timeout value. You might need to modify the default session timeout value using aregcmd.
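The comparison described above, as an added example (not Cisco AR code): it computes the RFC 2617 response for the MD5 and MD5-sess algorithms from the stored password and compares it with the client's value in constant time. The dict keys are RFC 2617 field names chosen for this sketch, how they map onto RADIUS Digest attributes is assumed, and the sample request is the published example from RFC 2617.

```python
import hashlib
import hmac


def _h(text: str) -> str:
    """H() from RFC 2617: MD5 over the string, as lowercase hex."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def expected_response(d: dict, password: str) -> str:
    """Compute the digest response the server expects for this request."""
    algorithm = d.get("algorithm", "MD5").lower()
    if algorithm not in ("md5", "md5-sess"):
        raise ValueError("unsupported algorithm")

    # A1: derived from the user's profile (name, realm, stored password).
    ha1 = _h(f"{d['username']}:{d['realm']}:{password}")
    if algorithm == "md5-sess":
        # MD5-sess binds H(A1) to this session's nonce and client nonce.
        ha1 = _h(f"{ha1}:{d['nonce']}:{d['cnonce']}")

    # A2: request method and URI (qop=auth or no qop).
    ha2 = _h(f"{d['method']}:{d['uri']}")

    qop = d.get("qop")
    if qop is None:
        return _h(f"{ha1}:{d['nonce']}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is handled in this sketch")
    return _h(f"{ha1}:{d['nonce']}:{d['nc']}:{d['cnonce']}:{qop}:{ha2}")


def check_access_request(d: dict, password: str) -> str:
    """Return 'Access-Accept' or 'Access-Reject' for a digest request."""
    try:
        expected = expected_response(d, password)
        supplied = d["response"].lower()
    except (KeyError, ValueError, AttributeError):
        # Missing or malformed digest fields are rejected, never guessed.
        return "Access-Reject"
    # Constant-time comparison avoids leaking how many characters matched.
    ok = hmac.compare_digest(expected.encode(), supplied.encode())
    return "Access-Accept" if ok else "Access-Reject"


# Sample request: the worked example published in RFC 2617 (no algorithm
# field, so plain MD5 applies). The password there is "Circle Of Life".
RFC2617_SAMPLE = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "uri": "/dir/index.html",
    "method": "GET",
    "qop": "auth",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    print(check_access_request(RFC2617_SAMPLE, "Circle Of Life"))
    print(check_access_request(RFC2617_SAMPLE, "wrong password"))
```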

Parallel Service Grouping

Cisco Access Registrar 3.0R6 supports parallel service grouping. In Cisco Access Registrar 3.0, Group Services contain a list of references to other services and specify whether the responses from each of the services should be handled as a logical AND or a logical OR function. You specify AND or OR in the Result-Rule attribute of Group Services. The default value is AND.

If Result-Rule is set to AND, the response from the Group Service is positive if each of the services referenced returns a positive result. The response is negative if any of the services referenced returns a negative result. If Result-Rule is set to OR, the response from the Group Service is positive if any of the services referenced returns a positive result. The response is negative if all the referenced services return a negative result.

When the Result-Rule attribute is set to AND or OR, each referenced service is accessed sequentially, and the Group Service waits for a response from the first referenced service before moving on to the next service (if necessary). If a service takes a long time to respond, that causes a delay in sending the request to the next referenced server.

Cisco Access Registrar 3.0R6 introduces two new types of Group Services, parallel-and and parallel-or. These new types are similar to the AND and OR settings except that they ask each referenced service to process the request simultaneously instead of asking each referenced server sequentially, thereby saving processing time.

A parallel-and setting might respond with its own reply as soon as it receives a negative response, but otherwise must wait for all responses before it can respond with a positive reply. Likewise, a parallel-or might respond as soon as it receives a positive response, but otherwise must wait for all responses before it can reply with a negative response.

If a service referenced from a Group Service is of type RADIUS and if Accounting-Requests are being processed by the Group Service, setting the AckAccounting property in the remote server will affect the behavior of the parallel-or Group Service. This is because if AckAccounting is set to FALSE, the RADIUS Remote Server will not wait for the response from the remote server but returns a response immediately. Since the Group Service is set to parallel-or, once it receives the response from the RADIUS service, it is free to send a response itself. The effect is that the Group Service very quickly sends a response acknowledging the Accounting-Request, and responses from the other referenced services are handled as they arrive.

Note that since AckAccounting was set to FALSE, there is no guarantee that the Remote Server successfully processed the request. Since it is a RADIUS Remote Server, the Cisco AR server attempts for MaxTries to send the request to the server and to get back an acknowledgement, but if that fails, there will be no indication to the client about that event. The acknowledgement to the client has been sent long before.


Note It is not valid to have Services of type Group, EAP_LEAP, or EAP-MD5 referenced from a Service of type Group.
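The four Result-Rule behaviours described in this section, as an added sketch (not Cisco AR code): sequential AND/OR, and parallel-and/parallel-or that reply as soon as one response decides the outcome. The referenced services are stand-in callables with artificial delays, and the names group_service, make_service and Reply are hypothetical.

```python
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
from typing import Callable, NamedTuple, Sequence

Service = Callable[[dict], bool]


class Reply(NamedTuple):
    positive: bool        # the Group Service's own answer
    responses_seen: int   # responses it had received when it answered


def make_service(delay: float, result: bool) -> Service:
    """Stand-in for a referenced service: answers `result` after `delay` s."""
    def service(request: dict) -> bool:
        time.sleep(delay)
        return result
    return service


def group_service(rule: str, services: Sequence[Service], request: dict) -> Reply:
    rule = rule.lower()
    if rule not in ("and", "or", "parallel-and", "parallel-or"):
        raise ValueError(f"unknown Result-Rule: {rule}")
    if not services:
        raise ValueError("a Group Service needs at least one service")

    # OR is decided by the first positive result, AND by the first negative.
    deciding = rule.endswith("or")

    if rule in ("and", "or"):
        # Sequential: each service is asked only after the previous answered.
        results = (svc(request) for svc in services)
    else:
        # Parallel: every service gets the request at once; responses are
        # consumed in completion order, not list order.
        pool = ThreadPoolExecutor(max_workers=len(services))
        futures = [pool.submit(svc, request) for svc in services]
        pool.shutdown(wait=False)  # do not hold the reply for slow services
        results = (f.result() for f in as_completed(futures))

    seen = 0
    for outcome in results:
        seen += 1
        if outcome == deciding:
            return Reply(deciding, seen)   # early reply, others still pending
    return Reply(not deciding, seen)       # had to wait for every response


def demo() -> dict:
    slow_yes = make_service(0.20, True)
    fast_no = make_service(0.02, False)
    # Models a RADIUS remote server with AckAccounting FALSE: it answers
    # positively at once, before the remote outcome is known.
    no_ack = make_service(0.0, True)
    return {
        "parallel-and": group_service("parallel-and", [slow_yes, fast_no], {}),
        "parallel-or": group_service("parallel-or", [slow_yes, fast_no], {}),
        "parallel-or + no-ack": group_service("parallel-or", [slow_yes, no_ack], {}),
    }


if __name__ == "__main__":
    for name, reply in demo().items():
        print(name, reply)
```

In the last demo case the positive reply goes out after a single response, which is the situation the AckAccounting paragraph above warns about: the client is acknowledged before the other services have reported.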


View-Only Administrator

Cisco Access Registrar 3.0R6 introduces the view-only administrator option to aregcmd. When you launch aregcmd with the -V option, an aregcmd session opens in view-only mode, even if the administrator is not a view-only administrator.

You can also create or modify administrative users to be view-only administrators by setting the new View-Only attribute to TRUE. The default setting of the View-Only property for any new administrator is FALSE. When the View-Only property is set to FALSE, an aregcmd session functions as it did previously.

At least one administrator must not be a view-only administrator. When you save your configuration, validation will fail if none of the administrators have the View-Only property set to FALSE.

When you upgrade your Cisco Access Registrar 3.0 software to version R6, any existing administrators will have the View-Only property added and set to FALSE.

When you open an aregcmd session in view-only mode, an error occurs if you attempt to issue a command that modifies the configuration. The following commands issued in a view-only session will cause the error: add, delete, set, unset, insert, validate, save, start, stop, reload, reset-stats, release-sessions, and trace. The error is reported as follows:

316 Command failed: session is View-Only

When the session is not view-only, but the server is a slave server, the following commands cause an error message when the object or property being affected is not under /Radius/Replication, /Radius/Advanced/Ports, /Radius/Advanced/Interfaces, or any properties in /Radius/Advanced: add, delete, set, unset, and insert. The error is reported as follows:

317 Command failed: session is a Replication Slave

Oracle 9 Support

Cisco Access Registrar 3.0R6 provides support for Oracle 9. Oracle 9 support is in addition to Oracle 8.1.6 and 8.1.7 when an ODBC type service is used. When using Oracle 9, set ORACLE_HOME to the location where you have installed Oracle software.

The following changes have been made to support Oracle 9:

The file liboraodbc.so has been renamed to liboraodbc8.so.

The file liboraodbc9.so has been added.

MySQL Support

Cisco Access Registrar 3.0R7 provides support for MySQL to support querying user records from a MySQL database. Cisco Access Registrar 3.0 has been tested with MySQL 4.0.18 and MyODBC 3.51.06 (reentrant).

For the Cisco AR server to use MySQL, you must create and configure an ODBCDataSource object of type myodbc and a RemoteServer object set to protocol odbc.

Configuring MySQL

To configure the Cisco AR server to query records from a MySQL database, complete the following configuration:


Step 1 Log in to the Cisco AR server and launch aregcmd.

Log in as a user with administrative rights such as user admin.

Step 2 Change directory to /Radius/Advanced/ODBCDataSources and add a new ODBCDataSource.

cd /Radius/Advanced/ODBCDataSources

add mysql

Step 3 Set the new ODBCDataSource type to myodbc.

cd mysql

set type myodbc

Step 4 Set the Driver property to the path of the MyODBC library.

Step 5 Set the UserID property to a valid username for the MyODBC database and provide a valid password for this user.

Step 6 Provide a DataBase name and the name of the Cisco AR RemoteServer object to associate with the ODBCDataSource.

Step 7 Change directory to /Radius/RemoteServers and add a RemoteServer object to associate with the new ODBCDataSource.

cd /Radius/RemoteServers

add mysql

Step 8 Change directory to the new RemoteServer and set its protocol to odbc.

cd mysql

set protocol odbc

Step 9 Set the ODBCDataSource property to the name of the ODBCDataSource to associate with this RemoteServer object.

set ODBCDataSource mysql


Example Configuration

The following shows an example configuration for a MySQL ODBC data source.

[ //localhost/Radius/Advanced/ODBCDataSources/mysql ]
Name = mysql
Type = myodbc
Driver = /tmp/libmyodbc3_r.so
UserID = mysql
Password = <encrypted>
DataBase = test
Server = mysql-a
Port = 3306

The following shows an example configuration for a RemoteServer.

[ //localhost/Radius/RemoteServers/mysql-a ]
Name = mysql
Description = 
Protocol = odbc
ReactivateTimerInterval = 300000
Timeout = 15
DataSourceConnections = 8
ODBCDataSource = mysql
KeepAliveTimerInterval = 0
SQLDefinition/
ODBCToRadiusMappings/
ODBCToEnvironmentMappings/
ODBCToCheckItemMappings/
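A review check for listings like the two above, as an added example (not part of Cisco AR): it parses the section and property layout, flags a Driver library that sits in a world-writable directory or is given as a relative path, and flags an odbc RemoteServer whose ODBCDataSource names no defined data source. The function names are hypothetical, and the embedded listing is copied from the example configuration on this page.

```python
import re

SECTION = re.compile(r"^\[\s*(//\S+)\s*\]$")
# Directories any local user can write to; a library loaded from here can
# be replaced by another account on the host.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/")


def parse_listing(text: str) -> dict:
    """Map each '[ //path ]' section to its 'Key = Value' properties."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION.match(line)
        if match:
            current = sections.setdefault(match.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
        # Lines such as 'SQLDefinition/' are subdirectories and are skipped.
    return sections


def lint(text: str) -> list:
    """Return (section path, property, message) findings for a listing."""
    sections = parse_listing(text)
    sources = {
        props["Name"]
        for path, props in sections.items()
        if "/ODBCDataSources/" in path and "Name" in props
    }
    findings = []
    for path, props in sections.items():
        driver = props.get("Driver", "")
        if driver.startswith(WORLD_WRITABLE):
            findings.append((path, "Driver",
                             f"{driver} is in a world-writable directory"))
        elif driver and not driver.startswith("/"):
            findings.append((path, "Driver",
                             f"{driver} is a relative path"))
        if props.get("Protocol", "").lower() == "odbc":
            ref = props.get("ODBCDataSource", "")
            if ref not in sources:
                findings.append((path, "ODBCDataSource",
                                 f"'{ref}' is not a defined ODBCDataSource"))
    return findings


# Listing copied from the example configuration on this page.
PAGE_LISTING = """
[ //localhost/Radius/Advanced/ODBCDataSources/mysql ]
Name = mysql
Type = myodbc
Driver = /tmp/libmyodbc3_r.so
UserID = mysql
Password = <encrypted>
DataBase = test
Server = mysql-a
Port = 3306

[ //localhost/Radius/RemoteServers/mysql-a ]
Name = mysql
Description =
Protocol = odbc
ODBCDataSource = mysql
SQLDefinition/
"""

if __name__ == "__main__":
    for finding in lint(PAGE_LISTING):
        print(*finding, sep=" | ")
```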

Changes from Previous Versions of Cisco AR

Several significant changes were made in Cisco Access Registrar 3.0. This section provides a summary of those changes.

Changes to Package Name

The Cisco Access Registrar software is now in a package named CSCOar. The previous package name was AICar1. The default location for installing the Cisco AR software is now /opt/CSCOar.

Changes to Environment Variables

Table 1 lists four environment variables that have new names in Cisco AR 3.0. If you have been using an earlier version of Cisco AR and have written scripts that use these environment variables, you will have to modify the scripts to use the new names.

Table 1 Environment Variable Name Changes

Old Name        New Name
AIC_CONF        CAR_CONF
AIC_CLUSTER     CAR_CLUSTER
AIC_NAME        CAR_NAME
AIC_PASSWORD    CAR_PASSWORD


Changes to Subdirectories

In Cisco Access Registrar 3.0, the directory structure has been changed to include a new .system directory. Programs in .system should never be run directly. Programs that should be run directly have been moved to the /opt/CSCOar/bin directory, where one would expect to find executable shell scripts.

Executables and shell scripts had previously been located in /opt/AICar1/bin and /opt/AICar1/usrbin. The bin subdirectory is now under /opt/CSCOar. The usrbin subdirectory has been removed, and there is a symbolic link from usrbin to bin.

Relocation of Executables

In previous versions of Cisco AR, executables were divided into the bin and usrbin subdirectories. Executables in the /opt/AICar1/bin were almost all executable link format (ELF) binary SPARC executables not intended to be run directly. Executables in the /opt/AICar1/usrbin were almost all shell scripts that acted as wrappers for the ELFs and were intended to be run directly.

In Cisco AR 3.0, shell scripts have been moved to the bin and the ELFs have been moved to the new .system directory.

Executable Name Changes

Two executable scripts have been renamed. Table 2 lists the two name changes. The new arserver now resides in the /opt/CSCOar/bin directory.

Table 2 Executable Script Name Changes

Old Name                 New Name
screen                   share-access
/etc/init.d/arservagt    arserver


Removal of Wrapper Scripts

To maintain backward compatibility, a symbolic link in Cisco AR 3.0 ties usrbin to bin. In addition, the wrapper scripts have been removed, meaning that there is only one file in the Cisco AR package named aregcmd, for example.

Changes in aregcmd

aregcmd was changed in the Cisco AR 3.0R1 release to correct a security vulnerability. The changes cause an incompatibility between releases of Cisco AR 3.0R1 and all Cisco AR releases prior to it.

After installing Cisco Access Registrar 3.0R1 (or later) software, you will be unable to remotely configure other Cisco AR servers if the software on the remote server is running Cisco AR 3.0R0 or Cisco AR 1.7R6 (or earlier). Conversely, you will also be unable to modify a Cisco AR server running release 3.0R1 (or later) from a remote server running Cisco AR 3.0R0 or Cisco AR 1.7R6 (or earlier).

Attempts to log in to use aregcmd where this incompatibility exists will result in command line responses like the following:

Logging in to hostname
400 Login failed
Login to cluster 'hostname' failed

and:

402 Login failed: version of aregcmd is incompatible with server

Attempts to use aregcmd to remotely configure Cisco AR servers affected by this incompatibility will result in log entries like the following:

07/21/2003 11:38:49 config/mcd/1 Info Protocol 0 new connection 0x981d0 from [10.1.9.104]
07/21/2003 11:38:49 config/mcd/1 Warning Protocol 0 got bad program-number/version, closing connection 0x981d0

If this problem occurs, you can log in to the affected server locally to modify its configuration. If the server is remote, you can use telnet or rlogin to log in remotely, then launch aregcmd.
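To find which hosts are still running an incompatible aregcmd, the two log entries shown above can be correlated by connection handle. This is an added example (not a Cisco tool): the first two records are the entries from this page, the remaining sample lines are constructed in the same format, and continuation lines are rejoined because these records are often wrapped when copied.

```python
import re
from collections import Counter

TIMESTAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ")
NEW_CONN = re.compile(r"new connection (0x[0-9a-fA-F]+) from \[([^\]]+)\]")
BAD_VERSION = re.compile(
    r"got bad program-number/version, closing connection (0x[0-9a-fA-F]+)")


def unwrap(lines):
    """Rejoin wrapped records: a line without a timestamp continues the last."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def incompatible_clients(lines) -> dict:
    """Count version-rejected config connections per source address."""
    open_conns = {}      # connection handle -> source address
    rejected = Counter()
    for record in unwrap(lines):
        match = NEW_CONN.search(record)
        if match:
            # Handles are reused, so the latest connection owns the handle.
            open_conns[match.group(1)] = match.group(2)
            continue
        match = BAD_VERSION.search(record)
        if match:
            source = open_conns.pop(match.group(1), "unknown")
            rejected[source] += 1
    return dict(rejected)


SAMPLE_LOG = """\
07/21/2003 11:38:49 config/mcd/1 Info Protocol 0 new connection 0x981d0 from
[10.1.9.104]
07/21/2003 11:38:49 config/mcd/1 Warning Protocol 0 got bad program-number/version,
closing connection 0x981d0
07/21/2003 11:40:02 config/mcd/1 Info Protocol 0 new connection 0x98400 from [10.1.9.77]
07/21/2003 11:41:15 config/mcd/1 Info Protocol 0 new connection 0x981d0 from [10.1.9.104]
07/21/2003 11:41:15 config/mcd/1 Warning Protocol 0 got bad program-number/version, closing connection 0x981d0
""".splitlines()
# Lines 1-4 above are the page's two entries as wrapped there; the rest are
# constructed for this example (10.1.9.77 is a made-up compatible client).

if __name__ == "__main__":
    for source, count in incompatible_clients(SAMPLE_LOG).items():
        print(f"{source}: {count} rejected aregcmd connection(s)")
```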

Related Documentation

The following documents describe Cisco Access Registrar and are available online via CCO and on the Cisco Documentation CD-ROM:

Cisco Access Registrar User's Guide (part number OL-2681-02)

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/3_0/users/index.htm

The Cisco Access Registrar User's Guide describes Cisco Access Registrar components and how to use them.

Cisco Access Registrar Installation and Configuration Guide (part number OL-2682-03)

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/3_0/install/index.htm

The Cisco Access Registrar Installation and Configuration Guide describes how to install and configure the Cisco Access Registrar 3.0 software, and how to customize your site.

Cisco Access Registrar Concepts and Reference Guide (part number OL-2683-01)

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/3_0/concepts/index.htm

The Cisco Access Registrar Concepts and Reference Guide provides information to help you gain a better understanding of Cisco Access Registrar features and concepts.

System Requirements

This section describes the system requirements for installing the Cisco Access Registrar 3.0 software.

Cisco Access Registrar Full Installation

Table 3 lists the system requirements for a full installation of Cisco Access Registrar 3.0.

Table 3 Cisco Access Registrar Full Installation Requirements

Component                 Requirement
CPU Architecture          SPARC
OS Version                Solaris 8
Minimum RAM               64 MB
Recommended RAM           128 MB
Recommended Disk Space    175 MB


Cisco Access Registrar Server-only Installation

Table 4 lists the system requirements for installing the server-only component of Cisco Access Registrar 3.0.

Table 4 Cisco Access Registrar Server-only Requirements

Component                 Requirement
CPU Architecture          SPARC
OS Version                Solaris 8
Minimum RAM               64 MB
Recommended RAM           128 MB
Recommended Disk Space    130 MB


Cisco Access Registrar Configuration-only Installation

Table 5 lists the system requirements for installing the configuration-only component of Cisco Access Registrar 3.0.

Table 5 Cisco Access Registrar Configuration-only Requirements

Component                 Requirement
CPU Architecture          SPARC
OS Version                Solaris 8
Minimum RAM               32 MB
Recommended RAM           64 MB
Recommended Disk Space    50 MB


The recommended disk space does not include the amount of space needed for accounting records which can grow rapidly depending on how frequently you process and remove them from the Cisco Access Registrar disk. If Cisco Access Registrar runs out of disk space, it could cause the loss of accounting information and the corruption of session management information.

Co-Existence With Other Network Management Applications

To achieve optimal performance, Cisco Access Registrar should be the only application running on a single machine. You can choose to run collaborative servers such as an Oracle or SQL database system, an LDAP server, or another Solaris application. There are no known conflicts with any other Solaris applications.

You can configure Cisco Access Registrar to avoid UDP port conflicts with other network management applications. The most common conflicts occur when other applications also use ports 2785 and 2786. Another possible conflict could be SNMP. If you configure and use SNMP on your Cisco AR server, no other application can be configured to use SNMP on the Cisco AR machine.


Note Cisco Network Registrar and Cisco Access Registrar cannot co-exist on the same workstation.


Downloading Cisco Access Registrar Software

You can download the Cisco Access Registrar software from Cisco Connection Online (CCO) at the following URL:

http://www.cisco.com/pcgi-bin/tablebuild.pl/access-registrar

You will need your active CCO username and password to gain access. All current versions of Cisco Access Registrar software including the most recent maintenance releases are available for download. The link for Cisco Access Registrar 3.0R9 software is ar-3.0r9-sunos58.tar.gz. You might also need the zcat program file to unpack the software file (.tar.gz suffix).

Cisco AR provides extensions that can be written in Java. If you intend to write Java extensions, the Java Runtime Environment (JRE) is required. You can download a current version of the JRE from http://java.sun.com.

Upgrading Cisco Access Registrar Software

The software upgrade procedure has been changed in Cisco Access Registrar 3.0. If you are upgrading from a previous release, you are no longer required to export your existing database to retain it.

The installation process provides the following options to consider before you begin to upgrade your software:

Upgrade from an earlier version of Cisco AR and erase your previous configuration

Upgrade from an earlier version of Cisco AR and retain your previous configuration

Install Cisco AR on a system for the first time

Before you install the software, the following tasks must be done:

Ensure that replication is disabled


Note If you are using Cisco Access Registrar's replication feature, you must disable it during the upgrade process or the upgrade will fail. When completed, refer to the "Restarting Replication" section for the correct way to restart replication.


Use pkgrm to remove the earlier version of Cisco Access Registrar executables

If you plan to use Cisco Access Registrar's SNMP features:

Disable the current Sun SNMP daemon

Prevent the Sun SNMP daemon from restarting after a reboot

To upgrade your software to Cisco AR 3.0, log in as user root and complete the following steps:


Step 1 Log in as administrator and use aregcmd to ensure that replication is disabled.

cd /radius/replication

[ //localhost/Radius/Replication ]
RepType = None
RepTransactionSyncInterval = 60000
RepTransactionArchiveLimit = 100
RepIPAddress = 0.0.0.0
RepPort = 1645
RepSecret = NotSet
RepIsMaster = FALSE
RepMasterIPAddress = 0.0.0.0
RepMasterPort = 1645
Rep Members/

Make sure that RepType is set to None.

Step 2 If you made changes, save them and exit the aregcmd command interface.

Step 3 Remove the existing Cisco Access Registrar software package.

To remove Cisco AR 1.7 (or earlier) software, enter the following:

pkgrm AICar1

To remove Cisco AR 3.0 software, enter the following:

pkgrm CSCOar

Step 4 If you plan to use Cisco Access Registrar's SNMP features, disable the Sun SNMP daemon by entering the following:

/etc/rc3.d/S76snmpdx stop

/etc/rc3.d/S77dmi stop

Step 5 If you plan to use Cisco Access Registrar's SNMP features, prevent the Sun SNMP daemon from restarting after a reboot by entering the following:

mkdir /etc/rc3.d/.disabled

mv /etc/rc3.d/S76snmpdx /etc/rc3.d/.disabled

mv /etc/rc3.d/S77dmi /etc/rc3.d/.disabled
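The prerequisites in Steps 1, 4 and 5 can be confirmed with a read-only script before continuing with the installation. This is an added example, not part of the Cisco release notes: it assumes the aregcmd listing of /radius/replication has been saved to a text file, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Cisco-supplied: read-only checks for the upgrade prerequisites.

# Print the RepType value from a saved aregcmd listing of /radius/replication.
rep_type() {
    awk '$1 == "RepType" && $2 == "=" { print $3; exit }' "$1"
}

# Succeed only if the listing reports RepType = None (replication disabled).
replication_disabled() {
    [ "$(rep_type "$1")" = "None" ]
}

# Print the Sun SNMP start scripts still present in the rc directory
# ($1, default /etc/rc3.d). No output means Step 5 has been completed.
sun_snmp_scripts_present() {
    rcdir=${1:-/etc/rc3.d}
    for script in S76snmpdx S77dmi; do
        if [ -f "$rcdir/$script" ]; then echo "$rcdir/$script"; fi
    done
}

# preflight LISTING [RCDIR] [USE_SNMP]
# Returns 0 when replication is disabled and, if USE_SNMP is "yes" (default),
# the Sun SNMP daemon can no longer start at boot.
preflight() {
    failed=0
    if ! replication_disabled "$1"; then
        echo "FAIL: RepType is '$(rep_type "$1")', expected None" >&2
        failed=1
    fi
    if [ "${3:-yes}" = "yes" ]; then
        left=$(sun_snmp_scripts_present "${2:-/etc/rc3.d}")
        if [ -n "$left" ]; then
            echo "FAIL: Sun SNMP daemon still enabled at boot: $left" >&2
            failed=1
        fi
    fi
    return $failed
}

# Demonstration on constructed input: part of the listing shown in Step 1 and
# an rc directory from which both Sun SNMP scripts have already been moved.
demo=$(mktemp -d)
cat > "$demo/replication.txt" <<'EOF'
[ //localhost/Radius/Replication ]
RepType = None
RepTransactionSyncInterval = 60000
RepIsMaster = FALSE
EOF
mkdir "$demo/rc3.d"
if preflight "$demo/replication.txt" "$demo/rc3.d" yes; then
    echo "preflight passed"
fi
rm -rf "$demo"
```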


Preparing to Install Downloaded Cisco Access Registrar Software

This section provides you with information to help you prepare to install downloaded software. The current version is named ar-3.0r9-sunos58.tar.gz.

You might also need to download the file zcat (from the same location as the software package) and use the chmod command to make zcat executable, as in chmod 555 zcat.

Complete the following steps to prepare for software installation.


Step 1 Create a temporary directory, such as /tmp/AR, to hold the downloaded software package.

Step 2 Become root user by entering su and the root password.

Step 3 Change directory to the location where you have stored the downloaded software package.

host# cd /tmp/AR

Step 4 Use the following command line to uncompress the tarfile and extract the installation package files.

host# ./zcat ar-3.0r9-sunos58.tar.gz | tar xvf -


Designating the JRE Location

If you plan to use Java extensions, you must indicate during the software installation process the directory location where the JRE is installed. If you reply that you plan to use Java extensions, the installation process requests the directory where the JRE is installed.

If you already have JRE installed, please enter the directory
where it is installed.  Press return otherwise.

Where is the current JRE installed?  [?,q] /directory/j2re1.4.0

Step 5 Enter the directory where the JRE is installed, as shown above.

If you do not enter a directory and simply press Enter, the following message will display:

You can download the JRE from:

    http://java.sun.com/products/archive

pkgadd: ERROR: request script did not complete successfully

Installation of <CSCOar> failed.
No changes were made to the system.

If you enter an invalid directory, the following message will display:

Where is the current JRE installed?  [?,q] /foo 

The directory specified does not contain java, please
download a compatible one from:

    http://java.sun.com/products/archive

pkgadd: ERROR: request script did not complete successfully

Installation of <CSCOar> failed.
No changes were made to the system.


In either case, you must install a current JRE or provide the correct location where the JRE is installed. Refer to the "Downloading Cisco Access Registrar Software" section.

Upgrade Cisco Access Registrar Software and Retain Your Configuration

This section describes how to upgrade your Cisco Access Registrar software and retain your existing configuration database.


Step 1 Become root user by entering su, then the root password.

Step 2 Enter the following command:

pkgadd -d /tmp/AR CSCOar

where /tmp/AR is the temporary directory you created to uncompress and extract the installation files.

Step 3 Select the location where you first installed the package, or accept the default location of /opt/CSCOar.

You are prompted for the type of installation you want: Full (both the server and the configuration utility), Server-only, or Configuration-only.

Step 4 Select the default for a Full installation.

The upgrade process detects an earlier version of Cisco Access Registrar and displays the following message:

The AR local database contains:"
  * session information"
  * all server object definitions"
  * local UserLists"

Do you want to preserve the local database in /opt/CSCOar [y,n,?,q] y 

Step 5 Because you want to retain your configuration, enter y.

You are prompted to provide a Cisco AR administrator username and password.

Step 6 Enter the username for a Cisco AR administrator and the password, then retype the password.

The upgrade process asks if you want to remove old session information.

Remove old sessions in /opt/CSCOar/data/radius [y,n,?,q]

Step 7 If you want to remove the old session information, enter y. If you enter n, you will retain the old session information.

Step 8 The upgrade process informs you that files are being installed with setuid and/or setgid permissions and prompts you whether or not to install these files as setuid/setgid files. Reply Yes to continue.

Step 9 The upgrade process informs you that scripts requiring super-user permission will be executed during the installation. Reply Yes to continue.

The software installation process begins.

Installing Access Registrar 3.0R9 [SunOS-5.8, ns30, gcc] as <CSCOar>
## Installing part 1 of 1.
/opt/CSCOar/README
/opt/CSCOar/bin/screen
/opt/CSCOar/conf/screen.orig
.
.
.
## Executing postinstall script.
# setting up command script /opt/CSCOar/usrbin/screen
# setting up command script /opt/CSCOar/usrbin/arstatus
# setting up command script /opt/CSCOar/usrbin/mcdadmin
# setting up command script /opt/CSCOar/usrbin/mcdshadow
# setting up command script /opt/CSCOar/usrbin/radclient
# setting up command script /opt/CSCOar/usrbin/aregcmd
# setting up control script /etc/init.d/arserver
# linking /etc/init.d/arserver to /etc/rc.d files
# setting up product configuration file /opt/CSCOar/conf/car.conf
Starting Access Registrar Server Agent..completed.

# Upgrade of the configuration db is in progress
# Backing up configuration.
# Wait..... 

Back-up Copy of Original Configuration

At this point, the upgrade process displays a message like the following to indicate where a copy of your original configuration has been stored.

###############################################################
#
#  A backup copy of your original configuration has been
#  saved to the file:
#
#    /opt/CSCOar/temp/10062.origconfig-backup
#
#  If you need to restore the original configuration,
#  enter the following command:
#
#    mcdadmin -coi /opt/CSCOar/temp/10062.origconfig-backup
#
###############################################################

Removing Old VSA Names

The upgrade process continues with an analysis of the configuration database, addition of new database elements, and a search for obsolete VSA names. When this is complete, a message like the following is displayed:

##############################################################
#
#   Sometimes VSAs get renamed from version to version of AR.
#   The upgrade process does not automatically remove the
#   old names. The upgrade process has generated a script
#   to remove the old names. The script is located in:
#
#       /opt/CSCOar/temp/10062.manual-deletes
#
#   Review the script to make sure you are not using any of
#   these old VSAs. Modify your configuration and your
#   scripts to use the new names before you attempt to run
#   the script.
#
#   To run the removal script, type:
#
#       aregcmd -sf /opt/CSCOar/temp/10062.manual-deletes
#
##############################################################

At this point, you should examine the script produced by the upgrade process to make sure that your site is not using any of the old VSAs. In the example above, the script can be found at /opt/CSCOar/temp/10062.manual-deletes.


Note The number preceding manual-deletes is produced from the PID of the upgrade process.


Step 10 Modify your configuration and your scripts to use the new names before you attempt to run the script generated by the upgrade process.

VSA Update Script

The upgrade process continues and builds a script you can use to update VSAs in your system.

##############################################################
#
#   VSAs for the old AR version are not updated
#   automatically. The upgrade process generated a script
#   to perform the update. The script is located in:
#
#       /opt/CSCOar/temp/10062.manual-changes
#
#   Review the script to make sure it does not conflict with
#   any of your VSA changes. Make sure you modify the script,
#   if necessary, before you attempt to run it.
#
#   To run the update script, type:
#
#       aregcmd -sf /opt/CSCOar/temp/10062.manual-changes
#
##############################################################

Step 11 Review the script and make sure that the changes it will make do not conflict with any changes you might have made to the VSAs. Modify the script if necessary.

Step 12 Record the location of the upgrade messages for future reference.

##############################################################
#
#  These upgrade messages are saved in:
#
#      /opt/CSCOar/temp/10062.upgrade-log
#
##############################################################


Starting the Cisco AR Server

After you have completed the upgrade steps described above, you can start the Cisco AR server.

/etc/init.d/arserver   start

Configuring SNMP

If you choose not to use the SNMP features of Cisco Access Registrar, the installation process is completed. To use SNMP features, complete the configuration procedure described in SNMP Configuration.

Upgrade Cisco Access Registrar Software and Erase Your Configuration

This section describes how to upgrade your Cisco Access Registrar software and erase your existing configuration database.


Step 1 Become root user by entering su, then the root password.

Step 2 Enter the following command:

pkgadd -d /tmp/AR CSCOar

where /tmp/AR is the temporary directory you created to uncompress and extract the installation files.

Cisco Access Registrar 3.0R9 [SunOS-5.8, official]
(sparc) 3.0R9
Copyright (C) 1998-2004 by Cisco Systems, Inc.
This program contains proprietary and confidential information.
All rights reserved except as may be permitted by prior written
consent.

Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q]

Step 3 Select the location where you first installed the package, or accept the default location of /opt/CSCOar.

Cisco AR provides extensions that can be written in Java.
If you intend to write Java extensions, the Java Runtime
Environment (JRE) is required.

Do you require the Cisco AR Java extension? [No]: [?,q] 

Step 4 If you do not plan to use Java extensions, enter No, and skip to Step 6. If you do plan to use Java extensions, enter Yes.

If you already have JRE installed, please enter the directory
where it is installed.  Press return otherwise.

Where is the current JRE installed?  [?,q] 

Step 5 If you entered Yes, enter the directory where the JRE is installed.

Where is the current JRE installed?  [?,q] /directory/j2re1.4.0

You are prompted for the type of installation you want: Full (both the server and the configuration utility), Server-only, or Configuration-only.

Step 6 Select the default for a Full installation.

The upgrade process detects an earlier version of Cisco Access Registrar and displays the following message:

The AR local database contains:"
  * session information"
  * all server object definitions"
  * local UserLists"

Do you want to preserve the local database in /opt/CSCOar [y,n,?,q] 

Step 7 Because you are erasing your original configuration, enter n.

The upgrade process displays a message about example configurations that can be installed with the software. These examples can help you with initial configuration of Cisco Access Registrar.

Do you want to install the example configuration now [y,n,?,q]

Step 8 Enter y to install the example configuration, or n if you do not want to install it.

You can delete the example configuration at any time by running the following command:

$INSTALL/usrbin/aregcmd -f $INSTALL/examples/cli/delete-example-configuration.rc

Step 9 The upgrade process informs you that files are being installed with setuid and/or setgid permissions and prompts you whether or not to install these files as setuid/setgid files. Reply Yes to continue.

Step 10 The upgrade process informs you that scripts requiring super-user permission will be executed during the installation. Reply Yes to continue.

The software installation process begins.

Installing Access Registrar 3.0R9 [SunOS-5.8, ns30, gcc] as <CSCOar>
## Installing part 1 of 1.
/opt/CSCOar/README
/opt/CSCOar/bin/screen
/opt/CSCOar/conf/screen.orig
.
.
.
# installing example configuration
Starting Access Registrar Server Agent..completed.

The Radius server is now running.

If SNMP needs to be reconfigured please follow the following procedure:

(1) stop AR: /etc/init.d/arserver stop
(2) edit: /cisco-ar/ucd-snmp/share/snmp/snmpd.conf
(3) restart AR: /etc/init.d/arserver start

# done with postinstall.

Installation of <CSCOar> was successful.

If you choose not to use the SNMP features of Cisco Access Registrar, the installation process is completed. To use SNMP features, complete the configuration procedure described in SNMP Configuration.
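Both upgrade procedures above ask you to accept files installed with setuid and/or setgid permissions, so it is worth recording exactly which files received those bits once pkgadd finishes. This is an added example, not Cisco code: it inventories setuid/setgid files under a directory, flags any that are also group- or world-writable, and compares against a saved baseline. The function names and the baseline file are assumptions.

```shell
#!/bin/sh
# Added example, not Cisco-supplied: inventory setuid/setgid files after pkgadd.

# Print every setuid or setgid regular file under $1, sorted, one per line.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Print setuid/setgid files under $1 that are also group- or world-writable.
# Any output here deserves attention: someone other than the owner could
# modify a file that runs with the owner's or group's privileges.
list_setid_writable() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) -print | sort
}

# Print files that are setuid/setgid now but absent from the baseline file $2
# (a list saved earlier with: list_setid DIR > baseline).
new_setid_since() {
    list_setid "$1" | comm -13 "$2" -
}

# Demonstration on a constructed tree (not the real /opt/CSCOar layout).
demo=$(mktemp -d)
mkdir "$demo/bin"
: > "$demo/bin/tool";   chmod 755  "$demo/bin/tool"
: > "$demo/bin/helper"; chmod 4755 "$demo/bin/helper"
list_setid "$demo"      # prints only .../bin/helper
rm -rf "$demo"
```

On the installed system, run list_setid /opt/CSCOar > baseline right after the upgrade, then new_setid_since /opt/CSCOar baseline after later changes.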

Restarting Replication

Before you enable replication, you must first upgrade all replication slave servers to the same version of Cisco Access Registrar software as the master server. Do not enable replication on the master server until all slave servers have been upgraded.

Use the same process you used to upgrade the master server to upgrade any slave servers. If you retained your configuration on the master, retain the configuration on the slaves, too.

After the same version of Cisco Access Registrar software has been installed on all slave servers, you can enable replication on the master server again. After enabling replication on the master server, you can enable replication on each of the slave servers.

Installing Cisco Access Registrar Software For the First Time

This section provides information to help you install Cisco Access Registrar software on a system for the first time.

Adding Group Staff

Before you begin to install the software, check your workstation's group file and make sure that group staff exists. Software installation will fail if group staff does not exist before installing the software.

Installing from CD-ROM

To begin installing software from the product CD, complete the following steps:


Step 1 Become root user by entering su, then the root password.

Step 2 Enter the following command:

pkgadd -d /cdrom/cdrom0/kit/sunos58 CSCOar

Step 3 Proceed to Installing Software.


Uncompressing the Tarfile and Extracting Files

If you downloaded the Cisco Access Registrar 3.0 software from the Cisco Access Registrar Resource Center, the software package is contained within a compressed tarfile named ar-3.0sunos58.tar.gz.


Note You might also need to download the file zcat (from the same location as the software package) and use the chmod command to make zcat executable, as in chmod 555 zcat.


Complete the following steps to prepare for software installation.


Step 1 Create a temporary directory, such as /tmp/AR, to hold the downloaded software package.

Step 2 Become root user by entering su and the root password.

Step 3 Change directory to the location where you have stored the uncompressed tarfile.

host# cd /tmp/AR

Step 4 Use the following command line to uncompress the tarfile and extract the installation package files.

host# ./zcat  ar-3.0r9-sunos58.tar.gz | tar xvf -
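Because this extraction (here and in "Preparing to Install Downloaded Cisco Access Registrar Software") runs as root in a directory under /tmp, it helps to inspect the archive listing and create the staging directory atomically before unpacking. This is an added example, not Cisco code: it assumes the archive was downloaded outside the staging directory, that the staging directory does not exist yet, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Cisco-supplied: stage and inspect the download before
# extracting it as root.

# Read a `tar tf` listing on stdin; print member names that are absolute or
# contain a ".." path component (these could write outside the staging dir).
unsafe_members() {
    while IFS= read -r name; do
        case $name in
            /*|..|../*|*/..|*/../*) printf '%s\n' "$name" ;;
        esac
    done
}

# stage_and_extract ARCHIVE DIR [DECOMPRESS]
# DECOMPRESS defaults to "gzip -dc"; pass ./zcat to use the downloaded zcat.
# DIR must not exist yet: mkdir without -p fails on a directory or symlink
# that another local user created first in a world-writable parent like /tmp.
stage_and_extract() {
    archive=$1 dir=$2 decompress=${3:-"gzip -dc"}
    bad=$($decompress "$archive" | tar tf - | unsafe_members)
    if [ -n "$bad" ]; then
        echo "refusing to extract, unsafe member names:" >&2
        echo "$bad" >&2
        return 1
    fi
    mkdir -m 700 "$dir" || return 1
    $decompress "$archive" | (cd "$dir" && tar xf -)
}

# Constructed listing (not from the real package): the last two names are
# reported as unsafe.
printf '%s\n' 'CSCOar/pkgmap' '../outside' '/absolute/path' | unsafe_members
```

With the page's file names the call would be stage_and_extract ar-3.0r9-sunos58.tar.gz /tmp/AR ./zcat, run from the directory holding the download.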


Preparing to Use SNMP

If you plan to use the SNMP features of Cisco Access Registrar, complete the following steps:


Step 1 Become root user by entering su, then the root password.

Step 2 Enter the following commands to disable the Sun SNMP daemon and allow Cisco AR's SNMP daemon to function:

/etc/rc3.d/S76snmpdx stop

/etc/rc3.d/S77dmi stop

Step 3 Enter the following commands to prevent the Sun SNMP daemon from restarting after a reboot:

mkdir /etc/rc3.d/.disabled

mv /etc/rc3.d/S76snmpdx /etc/rc3.d/.disabled

mv /etc/rc3.d/S77dmi /etc/rc3.d/.disabled


Installing Software

To begin installing downloaded software, complete the following steps:


Step 1 Become root user by entering su, then the root password.


Note If you do not plan to use Cisco Access Registrar's SNMP features, skip steps 2 and 3 and proceed to step 4.


Step 2 If you plan to use Cisco Access Registrar's SNMP features, disable the Sun SNMP daemon by entering the following:

/etc/rc3.d/S76snmpdx stop

/etc/rc3.d/S77dmi stop

Step 3 If you plan to use Cisco Access Registrar's SNMP features, prevent the Sun SNMP daemon from restarting after a reboot by entering the following:

mkdir /etc/rc3.d/.disabled

mv /etc/rc3.d/S76snmpdx /etc/rc3.d/.disabled

mv /etc/rc3.d/S77dmi /etc/rc3.d/.disabled

Step 4 Enter the following command:

pkgadd -d /tmp/AR CSCOar

where /tmp/AR is the temporary directory you created to uncompress and extract the installation files.

Processing package instance <CSCOar> from
	   <source_directory/ar-3.0r9-sunos58>

Cisco Access Registrar 3.0R9 [SunOS-5.8, official]
(sparc) 3.0R9
Copyright (C) 1998-2004 by Cisco Systems, Inc.
This program contains proprietary and confidential information.
All rights reserved except as may be permitted by prior written
consent.

Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q]

Step 5 Select the location where you want to install the package, or accept the default location of /opt/CSCOar.

Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q]

Step 6 If the directory does not exist, you are asked if you want it created. Choose Yes to continue the installation.

Cisco AR provides extensions that can be written in Java.
If you intend to write Java extensions, the Java Runtime
Environment (JRE) is required.

Do you require the Cisco AR Java extension? [No]:  [?,q]

Step 7 If you plan to use Cisco AR Java extensions, reply Yes. If you do not plan to use Cisco AR Java extensions, reply No and skip to Step 6.

When using Cisco AR Java extensions, the installation process requests the directory where the JRE is installed.

If you already have JRE installed, please enter the directory
where it is installed.  Press return otherwise.

Where is the current JRE installed?  [?,q] /directory/j2re1.4.0

Step 8 Enter the directory where the JRE is installed, as shown above.

If you do not enter a directory, and simply press Enter, the following message will display, and the installation will fail without making changes to the system.

You can download the JRE from:

    ftp://ftpeng.cisco.com/ftp/cnsar/3.0/official

The filename is:j2re-1_4_1-solaris-sparc.sh

After you have installed the JRE, re-initiate the Cisco AR
software installation.

pkgadd:ERROR:request script did not complete successfully

Installation of <CSCOar> failed.
No changes were made to the system.

If you enter an invalid directory, the following message will display, and the installation will fail without making changes to the system.

Where is the current JRE installed?  [?,q] /foo 

The directory specified does not contain java, please
download a compatible one from:

    ftp://ftpeng.cisco.com/ftp/cnsar/3.0/official

The filename is:j2re-1_4_1-solaris-sparc.sh

pkgadd:ERROR:request script did not complete successfully

Installation of <CSCOar> failed.
No changes were made to the system. 

In either case, you must install a current JRE or provide the correct location where the JRE is installed. Refer to the "Downloading Cisco Access Registrar Software" section.

This package contains the Access Registrar Server and the Access
Registrar Configuration Utility.  You can choose to perform a Full
installation, just install the Server, or just install the
Configuration Utility.

What type of installation: Full, Server only, Config only [Full] [?,q] 

Step 9 Select the type of installation you want: Full (both the server and the configuration utility), Server-only, or Configuration-only. Select the default for a Full installation.

To select Server-only, enter Server. To select configuration-only, enter Config.


Note If you choose to install the server over a previous installation, the installation will prompt you with the following questions.


a. If the installation detects a configuration database from a previous installation of Cisco Access Registrar, it asks you if you want to overwrite the database. If you want to start with a clean configuration and remove your session information answer