Release Notes for Cisco Access Registrar 3.5
Cisco Access Registrar (AR) 3.5 provides RADIUS authentication, authorization, and accounting (AAA) services for service providers and enterprises. Cisco AR supports service provider deployment of access services by centralizing AAA information and simplifying provisioning and management.
Cisco AR 3.5 is a standards-based Remote Authentication Dial-in User Service (RADIUS) and proxy RADIUS server designed for high-performance, extensibility, and integration with external data stores and systems.
Cisco AR 3.5 supports a range of access technologies from traditional dial and broadband to wireless LANs and mobile wireless. Cisco AR 3.5 supports the latest wireless authentication protocols such as Extensible Authentication Protocol and Protected EAP used in wireless LAN deployments. Cisco AR 3.5 also is able to make real-time AAA requests to billing systems to support prepaid applications.
Note
This version of Cisco Access Registrar 3.5 can be used with Solaris 8, Solaris 9, or the Red Hat 7.3 Linux operating system using kernel version 2.4.20-24.7, glibc version 2.2.5-42.
CCO Date: May 28, 2004
Revised: March 17, 2008
Note
Cisco AR 3.5 uses a different licensing mechanism than the license key used in earlier releases of Cisco AR. Before you upgrade your Cisco AR server to Cisco AR 3.5 software, you must install a license file. Refer to Cisco AR 3.5 Licensing for detailed information about Cisco AR 3.5 licensing. Installing Cisco AR 3.5 Licenses provides information about how to install the license file.
Contents
This release note contains the following sections:
• New Features and Software Changes
• Downloading Cisco Access Registrar Software
• Installing Cisco AR 3.5 Software on Solaris
• Upgrading to Cisco AR 3.5 Software
Copyright Notice
This product contains copyrighted programs that are used with permission and are the property of the following respective owners.
Copyright 1989, 1991, 1992 by Carnegie Mellon University
Derivative Work - 1996, 1998-2000
Copyright 1996, 1998-2000 The Regents of the University of California
All Rights Reserved
Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission.
CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
NAI copyright notice (BSD) Copyright © 2001, NAI Labs. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
• Neither the name of the NAI Labs nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
New Features and Software Changes
This section lists the new features and software changes in Cisco AR 3.5.
Software Enhancements in Cisco AR 3.5.5
Cisco AR 3.5.5 includes the following enhancements:
• Support for XML Statistics Using aregcmd
• Support for User-Configured Attribute List in Access-Reject
Support for Null Service
Cisco AR 3.5.5 adds a new null service type. You can use a null service for pass-through authentication, authorization, or accounting (AAA).
When using the Cisco AR identity cache engine (ICE), the null service enables you to use ICE purely as a caching engine based on the RADIUS accounting messages. In this environment, the null service runs only optional incoming and outgoing scripts, maximizing performance and minimizing file system overhead.
The null service can also be used in AA to create an authentication or authorization pass through service. The null service must be configured to bypass (or skip) any of the phases in authentication, authorization or accounting. You can use the null type service to set any of AuthenticationService, AuthorizationService, or AccountingService. In other words, if you do not have to perform authentication, a null service can be used to skip authentication.
Example Configuration
The following shows an example configuration of a null type service:
[ //localhost/Radius/Services/Null-Service ]
Name = Null-Service
Description =
Type = null
IncomingScript~ =
OutgoingScript~ =
Trace Messages
When a null type service bypasses any AAA phase, a trace message is printed when trace is enabled (at trace level 1). For example, when bypassing authentication, the null service will print a trace message like the following:
"01/24/2005 5:11:22: P100: Service Null-Service is bypassing authentication"
Support for XML Statistics Using aregcmd
Cisco AR 3.5.5 provides a collection of statistics specific to XML requests in the output of the aregcmd stats command when used in an identity cache engine environment with an AR-ADD-CACHE license. Table 1 lists the XML statistics supported by this enhancement and their descriptions.
Following is an example of the output of the stats command when no XML statistics are found:
Global Statistics for Radius:
serverStartTime = Thu May 26 01:28:13 2005
serverResetTime = Thu May 26 01:28:14 2005
serverState = Running
totalPacketsInPool = 1024
totalPacketsReceived = 0
totalPacketsSent = 0
totalRequests = 0
totalResponses = 0
totalAccessRequests = 0
totalAccessAccepts = 0
totalAccessChallenges = 0
totalAccessRejects = 0
totalAccessResponses = 0
totalAccountingRequests = 0
totalAccountingResponses = 0
totalStatusServerRequests = 0
totalAscendIPAAllocateRequests = 0
totalAscendIPAAllocateResponses = 0
totalAscendIPAReleaseRequests = 0
totalAscendIPAReleaseResponses = 0
totalUSRNASRebootRequests = 0
totalUSRNASRebootResponses = 0
totalUSRResourceFreeRequests = 0
totalUSRResourceFreeResponses = 0
totalUSRQueryResourceRequests = 0
totalUSRQueryResourceResponses = 0
totalUSRQueryReclaimRequests = 0
totalUSRQueryReclaimResponses = 0
totalPacketsInUse = 0
totalPacketsDrained = 0
totalPacketsDropped = 0
totalPayloadDecryptionFailures = 0
Global Statistics for XML:
No XML packets were received by the server
Following is an example of the output of the stats command when XML statistics are found:
Global Statistics for Radius:
serverStartTime = Thu May 26 01:28:13 2005
serverResetTime = Thu May 26 01:28:14 2005
serverState = Running
totalPacketsInPool = 1024
totalPacketsReceived = 0
totalPacketsSent = 0
totalRequests = 0
totalResponses = 0
totalAccessRequests = 0
totalAccessAccepts = 0
totalAccessChallenges = 0
totalAccessRejects = 0
totalAccessResponses = 0
totalAccountingRequests = 0
totalAccountingResponses = 0
totalStatusServerRequests = 0
totalAscendIPAAllocateRequests = 0
totalAscendIPAAllocateResponses = 0
totalAscendIPAReleaseRequests = 0
totalAscendIPAReleaseResponses = 0
totalUSRNASRebootRequests = 0
totalUSRNASRebootResponses = 0
totalUSRResourceFreeRequests = 0
totalUSRResourceFreeResponses = 0
totalUSRQueryResourceRequests = 0
totalUSRQueryResourceResponses = 0
totalUSRQueryReclaimRequests = 0
totalUSRQueryReclaimResponses = 0
totalPacketsInUse = 0
totalPacketsDrained = 0
totalPacketsDropped = 0
totalPayloadDecryptionFailures = 0
Global Statistics for XML:
totalXMLPacketsInPool = 1024
totalXMLPacketsReceived = 2
totalXMLRequests = 4
totalXMLResponses = 4
totalXMLPacketsInUse = 0
totalXMLPacketsDrained = 0
totalXMLPacketsDropped = 0
totalXMLPacketParseFailures = 0
Support for User-Configured Attribute List in Access-Reject
Cisco AR 3.5.5 enables Cisco-AV Pair vendor-specific attributes (VSAs) to be sent in the Access-Reject packet. Prior to Cisco AR 3.5.5, only the RFC listed attributes such as Reply-Message and Proxy-State could be included in the packet.
A new object has been introduced in /Radius/Advanced called RFCCompliance. It is used to denote a placeholder for something that might make the product RFC non-compliant. The RFCCompliance object has a single property called AllowRejectAttrs. If it is set to FALSE, attributes will not be passed through a reject packet. If AllowRejectAttrs is set to TRUE, attributes will be allowed to pass through a reject packet.
You add attributes to the response packet using a script. Cisco recommends that you check that you are inserting attributes only when the response is a reject. It is also advisable that you empty the response dictionary before adding attributes so that there is no confusion about which attributes will be returned.
[ /Radius/Advanced/RFCCompliance ]
AllowRejectAttrs = true
If you reset the value of RFCCompliance, you must reload the Cisco AR server.
Default Port Type
Cisco AR 3.5.5 has been enhanced to set a default port type to radius when you add a new port to your Cisco AR server configuration. In previous releases, after adding a port, you had to set its type to the desired type.
Software Enhancements in Cisco AR 3.5.4
Cisco AR 3.5.4 includes the following enhancements:
• Retry Sending Accounting-Request
• Reverse DDNS Zone Name Synthesis
• Invalid EAP Packet Processing
• Trusted Identity Authorization
Retry Sending Accounting-Request
Cisco AR 3.5.4 has been enhanced to retry sending Accounting-Requests to a remote server until a response is received or the value set in Maxtries is reached.
Prior to the release of Cisco AR 3.5.4, if the ACKAccounting property of a remote UDP server was set to FALSE, the Cisco AR server would proxy Accounting-Requests to the remote server only once, regardless of the value configured for the server's Maxtries property. The Cisco AR server would not perform any retries even if it was configured to do so.
With ACKAccounting set to FALSE, AR will always send the Accounting-Response to the client immediately, without waiting for a response from the remote server. This behavior remains the same.
Reverse DDNS Zone Name Synthesis
Cisco AR 3.5.4 has been enhanced to enable DDNS Resource Managers to perform reverse zone synthesis based on the IP address and netmask. This enhancement enables you to configure multiple DDNS Resource Managers in a single Session Manager. Each DDNS Resource Manager can handle a different reverse zone and be used for a different Internet Protocol technology.
Invalid EAP Packet Processing
Cisco AR 3.5.4 has been enhanced to implement fatal error packet handling for Extensible Authentication Protocol (EAP) messages as described in section 2.2 of Internet RFC 3579 which states the following:
A RADIUS server determining that a fatal error has occurred must send an Access-Reject containing an EAP-Message attribute encapsulating EAP-Failure.
Because this enhancement is a deviation from various EAP specifications, you must explicitly enable this feature through a new configuration property in /Radius/Advanced named EapBadMessagePolicy.
You can set the EapBadMessagePolicy property to one of two values: SilentDiscard (the default) or RejectFailure. When set to SilentDiscard, the Cisco AR server silently discards and ignores bad EAP messages unless the protocol specification explicitly requires a failure message. When set to RejectFailure, the Cisco AR server sends RADIUS Access-Reject messages with embedded EAP-Failure in response to bad EAP messages as described in Internet RFC 3579.
The implementation of EAP authentication methods in Cisco AR 3.5.3 (and earlier releases) behaves as described in Internet RFC 2284 (EAP) and related EAP method specifications. These specify silent discard as the standard way to handle all EAP error conditions. Any EAP response message from the client that contains an error or is received in an invalid authenticator state is discarded and there is no error response.
In a configuration where EAP requests are proxied between RADIUS servers using RADIUS messages (EAP over RADIUS), the silent discard of an EAP message means that no RADIUS response message is sent back to the originating RADIUS server. Because of this, the RADIUS server originating the request eventually declares the destination RADIUS server dead and fails over to a backup server (if so configured).
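The two EapBadMessagePolicy values side by side, as an added example that is not Cisco AR code: it builds the RFC 3579 reply (an Access-Reject whose EAP-Message encapsulates EAP-Failure) and shows the check a proxying RADIUS server performs on it. The shared secret, sample packets and function names are constructed for illustration; the encodings follow RFC 2865 and RFC 3579.

```python
"""Access-Reject carrying EAP-Failure per RFC 3579 (added example, not Cisco AR code)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80   # RADIUS attribute types
EAP_RESPONSE, EAP_FAILURE = 2, 4              # EAP codes

# Constructed sample values, not taken from the release note.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
GOOD_EAP = bytes([EAP_RESPONSE, 7, 0, 6, 1]) + b"u"   # EAP-Response/Identity
BAD_EAP = bytes([EAP_RESPONSE, 7, 0, 99, 1])          # length field says 99


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Return [(type, value)] for an attribute block; reject bad lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return out


def message_authenticator(packet, request_auth, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed.

    For a reply, the Request Authenticator of the request being answered
    takes the place of the authenticator field (RFC 3579, section 3.2).
    """
    zeroed = b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v)
                      for t, v in parse_attrs(packet[20:]))
    return hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_request(ident, request_auth, eap, secret):
    """Constructed Access-Request with one EAP-Message attribute (sample input)."""
    attrs = attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    return pkt[:-16] + message_authenticator(pkt, request_auth, secret)


def build_reject(request, eap_id, secret):
    """Access-Reject whose EAP-Message encapsulates EAP-Failure."""
    failure = struct.pack("!BBH", EAP_FAILURE, eap_id, 4)
    attrs = attr(EAP_MESSAGE, failure) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = build_packet(ACCESS_REJECT, request[1], bytes(16), attrs)
    pkt = pkt[:-16] + message_authenticator(pkt, request[4:20], secret)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(pkt[:4] + request[4:20] + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def handle_request(request, secret, policy="SilentDiscard"):
    """Return (action, reply): action is 'process', 'discard' or 'reject'.

    The SilentDiscard exception for protocols that explicitly require a
    failure message is not modelled here.
    """
    try:
        attrs = parse_attrs(request[20:])
    except ValueError:
        return "discard", None
    sent = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    expected = message_authenticator(request, request[4:20], secret)
    if len(sent) != 1 or not hmac.compare_digest(sent[0], expected):
        return "discard", None   # unauthenticated: dropped under either policy
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    well_formed = (len(eap) >= 5 and eap[0] == EAP_RESPONSE
                   and struct.unpack("!H", eap[2:4])[0] == len(eap))
    if well_formed:
        return "process", None
    if policy == "RejectFailure":
        # Assumption: echo the EAP identifier when one was received, else 0.
        eap_id = eap[1] if len(eap) >= 2 else 0
        return "reject", build_reject(request, eap_id, secret)
    return "discard", None


def verify_reply(reply, request_auth, secret):
    """Checks made by the proxying server; returns (RADIUS code, EAP code)."""
    resp_auth = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(resp_auth, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    attrs = parse_attrs(reply[20:])
    mac = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    expected = message_authenticator(reply, request_auth, secret)
    if len(mac) != 1 or not hmac.compare_digest(mac[0], expected):
        raise ValueError("bad Message-Authenticator")
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    return reply[0], eap[0]
```

Under SilentDiscard the proxying server receives nothing for the bad message, which is the condition that leads it to mark the destination dead; under RejectFailure it receives a verifiable reply.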
Proxying Session Keys
When previous versions of Cisco AR were configured to proxy the Microsoft Point-to-Point Encryption (MPPE) attributes used as session keys in many types of EAP, the proxy server was occasionally unable to re-encrypt the session keys received from a RADIUS peer. The failure was accompanied with the following generic error message that did not indicate where the failure occurred:
"Unable to proxy MS-MPPE session keys"
Cisco AR 3.5.4 has been enhanced to eliminate the cause of this type of failure. Additionally, the text of all relevant error messages has been modified to enable technical support to determine exactly where an error of this type occurred. Additional tracing and logging statements have been added to Cisco AR 3.5.4 that provide detailed error information, including a dump of the RADIUS packet in case an error is detected during the handling of MPPE attributes.
Trusted Identity Authorization
Cisco AR 3.5.4 can be used in a Service Selection Gateway (SSG) - Cisco Subscriber Edge Services Manager (SESM) deployment to enable the Trusted ID Authorization feature.
The Trusted ID feature provides transparent login capabilities for users based on a trusted ID instead of the user's name, enabling end users of an SSG to maintain an always-on connection without the need to authenticate on each connect. Using SSG's Transparent Auto-Login (TAL) feature, a TAL access-request packet contains a Trusted ID, such as a MAC address, that identifies the user without the user's real username and password. The SESM Profile Management Guide provides detailed information about Trusted ID authorization in SESM.
For detailed information about Trusted ID, including software requirements and how to configure the Cisco AR server to use Trusted ID with SESM, see the online documentation in the Cisco AR User Guide:
Using Trusted ID Authorization with SESM
New Features in Cisco AR 3.5.3
Cisco AR 3.5.3 includes a new session timeout feature and support for running Cisco AR on the Solaris 9 operating system.
Session Timeout Feature
Cisco AR 3.5.3 provides a session timeout feature. Stale sessions have been a common issue for Cisco AR users. A stale session occurs when a user disconnects from the network, but the Cisco AR server does not receive the information and is unable to delete the session's records. Stale sessions cause an inaccurate picture of network resources and can lead to denied network access if resources become depleted or access rejection for users exceeding their session limit. Stale sessions can increase costs due to unnecessary support calls to manually delete sessions.
The session timeout feature in Cisco AR 3.5.3 provides timeout for sessions. After the timeout has expired, a session will be considered stale by the Cisco AR server, and all resources allocated to that stale session will be released. Two new properties support the session timeout feature:
• SessionPurgeInterval
• SessionTimeOut
If the SessionPurgeInterval property is set, the Cisco AR server will check SessionManagers with a SessionTimeOut value set for timed-out sessions at the time interval specified by the SessionPurgeInterval property and release the timed-out sessions and their resources. Both properties must be set to use the session timeout feature.
SessionPurgeInterval
The SessionPurgeInterval is a new property under /Radius/Advanced that determines the time interval at which to check for timed-out sessions. If no value is set, the feature is disabled. The checks are performed in the background when system resources are available, so checks might not always occur at the exact time set.
This is an optional property. The minimum recommended value for SessionPurgeInterval is 60 minutes. The SessionPurgeInterval value is comprised of a number and a units indicator, as in n units, where a unit is one of minutes, hours, days, or weeks.
SessionTimeOut
The SessionTimeOut property is a new SessionManager property that allows you to enable or disable the session timeout feature for specific session managers. If the SessionTimeOut property is set to a value under a session manager, all sessions that belong to that session manager will be checked for timeouts at each SessionPurgeInterval. If any sessions have timed out, they will be released, and all resources associated with those sessions are also released.
The SessionTimeOut property determines the timeout for a session. If the time difference between the current time and the last update time is greater than this property's value, the session is considered to be stale. The last update time of the session is the time at which the session was created or updated.
The SessionTimeOut property is optional; no value for this property means the session timeout feature is disabled. The minimum recommended value for SessionTimeOut is 60 minutes. The SessionTimeOut value is comprised of a number and a units indicator, as in n units, where a unit is one of minutes, hours, days, or weeks.
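A model of the stale-session check described above, as an added example that is not Cisco AR code: it parses the "n units" values, applies the strictly-greater-than comparison against the last update time, and skips session managers that have no SessionTimeOut. The function names, the dictionary layout and the sample sessions are constructed for illustration, and accepting singular unit names in any letter case is an assumption.

```python
"""Model of the session timeout check (added example, not Cisco AR code)."""
import re
from datetime import datetime, timedelta

# Unit names come from the release note; accepting the singular form and
# any letter case is an assumption of this example.
_UNITS = {"minute": "minutes", "hour": "hours", "day": "days", "week": "weeks"}
_DURATION = re.compile(r"^\s*(\d+)\s+([A-Za-z]+?)s?\s*$")
RECOMMENDED_MINIMUM = timedelta(minutes=60)


def parse_duration(value):
    """Parse an 'n units' value; None or an empty string means 'not set'."""
    if value is None or not value.strip():
        return None
    match = _DURATION.match(value)
    if not match or match.group(2).lower() not in _UNITS:
        raise ValueError(f"expected 'n units', got {value!r}")
    return timedelta(**{_UNITS[match.group(2).lower()]: int(match.group(1))})


def below_recommended(value):
    """True when a set value is under the 60-minute recommended minimum."""
    duration = parse_duration(value)
    return duration is not None and duration < RECOMMENDED_MINIMUM


def is_stale(last_update, timeout, now):
    """Stale only when (now - last update) is greater than SessionTimeOut."""
    return (now - last_update) > timeout


def purge_pass(session_managers, purge_interval, now):
    """Run one background check and return {manager: [released session ids]}.

    session_managers maps a name to {'SessionTimeOut': str or None,
    'sessions': {session id: last update time}}. Released sessions are
    removed from the mapping, standing in for freeing their resources.
    """
    if parse_duration(purge_interval) is None:
        return {}                      # SessionPurgeInterval unset: feature disabled
    released = {}
    for name, manager in session_managers.items():
        timeout = parse_duration(manager.get("SessionTimeOut"))
        if timeout is None:
            continue                   # this session manager is not checked
        stale = sorted(sid for sid, last_update in manager["sessions"].items()
                       if is_stale(last_update, timeout, now))
        for sid in stale:
            del manager["sessions"][sid]
        if stale:
            released[name] = stale
    return released


def sample_managers(now):
    """Constructed sample data: two session managers, one without a timeout."""
    return {
        "dial": {"SessionTimeOut": "60 minutes", "sessions": {
            "s1": now - timedelta(minutes=61),   # older than the timeout
            "s2": now - timedelta(minutes=60),   # exactly at the timeout
            "s3": now - timedelta(minutes=10),
        }},
        "wlan": {"SessionTimeOut": None, "sessions": {
            "w1": now - timedelta(days=3),       # old, but manager has no timeout
        }},
    }


if __name__ == "__main__":
    moment = datetime(2005, 1, 24, 12, 0)
    print(purge_pass(sample_managers(moment), "2 hours", moment))
```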
Support for Solaris 9
You can install and run Cisco AR 3.5.3 on a workstation running the Solaris 9 operating system. Cisco provides separate Cisco AR installation packages for Solaris 8 and Solaris 9.
New Features in Cisco AR 3.5
This section lists the new features and software changes in Cisco AR 3.5 and includes the following:
Cisco AR 3.5 uses a different licensing mechanism than the license key used in earlier releases of Cisco AR. Before you upgrade your Cisco AR server to Cisco AR 3.5 software, you must install a license file. Installing Cisco AR 3.5 Licenses provides information about how to install the license file.
• Extensible Authentication Protocols
Cisco AR 3.5 includes the following new EAP authentication methods:
– PEAP Version 0 (Microsoft PEAP)
– PEAP Version 1 (Cisco PEAP)
– EAP-MSChapV2
– EAP-Negotiate
– EAP-GTC
– EAP-Transport Level Security (TLS)
Identity Caching
Cisco Access Registrar 3.5.2 (and above) software includes the identity caching feature. Identity caching provides subscriber identity resolution services with fast access to associated subscriber identity data for service providers, enabling them to offer new services to their customers based on identity caching and context information management.
Linux Support
Cisco AR 3.5.2 (and above) runs on Red Hat 7.3, kernel version 2.4.20-24.7, glibc version 2.2.5-42.
aregcmd
Cisco AR 3.5 adds two new command line options to aregcmd, -l and -V. Entering the command line aregcmd -l <$INSTALL/license> provides licensing information. Entering the command line aregcmd -V starts the session in view-only mode even if the administrator is not a view-only administrator.
"General Command Syntax" section on page 1 in Chapter 2, "Using the aregcmd Commands," provides more detailed information. See the Cisco CNS Access Registrar User Guide at:
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/user/guide/users.html
Extensible Authentication Protocols
The Extensible Authentication Protocol (EAP) provides for support of multiple authentication methods. Cisco AR 3.5 adds support for the following EAP authentication methods:
• PEAP Version 0 (Microsoft PEAP)
• PEAP Version 1 (Cisco PEAP)
• EAP-MSChapV2
• EAP-Negotiate
• EAP-GTC
• EAP-Transport Level Security (TLS)
Chapter 7, "Extensible Authentication Protocols," provides detailed information about the EAP authentication methods. See the Cisco CNS Access Registrar User Guide at:
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/user/guide/eap.html
Dynamic DNS
Cisco AR 3.5 supports the Dynamic DNS protocol providing the ability to update DNS servers. The dynamic DNS updates contain the hostname/IP Address mapping for sessions managed by Cisco AR.
You enable dynamic DNS updates by creating and configuring new Resource Managers and new Remote Servers, both of type dynamic-dns. The dynamic-dns Resource Managers specify which zones to use for the forward and reverse zones and which Remote Servers to use for those zones. The dynamic-dns Remote Servers specify how to access the DNS Servers.
Dynamic DNS in Chapter 13, "Using Cisco Access Registrar Server Features," provides more detailed information. See the Cisco CNS Access Registrar User Guide at:
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/user/guide/features.html
Packet of Disconnect
Cisco AR 3.5 adds support for the Packet of Disconnect (POD). The POD feature enables Cisco AR to send disconnect requests (PODs) to a NAS so that all the session information and the resources associated with the user sessions can be released. Cisco AR can also determine when to trigger and send the POD.
For example, when a PDSN handoff occurs during a mobile session, the new PDSN sends out a new access-request packet to Cisco AR for the same user. Cisco AR should detect this handoff by the change in NAS-Identifier in the new request and trigger sending a POD to the old PDSN if it supports POD. Cisco AR also provides an option for an administrator to initiate sending POD requests through the command-line interface (CLI) for any user session. Cisco AR forwards POD requests from external servers to the destination NAS.
Packet of Disconnect in Chapter 13, "Using Cisco Access Registrar Server Features," provides more information about using Packet of Disconnect. See the Cisco CNS Access Registrar User Guide at:
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/user/guide/features.html
Note
If you have been using the PoD feature in Cisco AR 3.5.1, you are affected by a change made in Cisco AR 3.5.2. In Cisco AR 3.5.1, the attributes NAS-Port and Acct-Session-Id were sent in a POD packet by default. In Cisco AR 3.5.2, these attributes are no longer sent by default. If you require attributes NAS-Port and Acct-Session-Id in a disconnect request, you must configure them in the corresponding attribute group in /Radius/Advanced/PODAttributes/.
Oracle Accounting
Previous releases of Cisco AR supported accessing user data from an Oracle database using Open Database Connectivity (ODBC), but this feature was limited to performing authentication and authorization (AA). You could only write the accounting records to a local file or proxy them to another RADIUS server. Cisco AR 3.5 supports writing accounting records into an Oracle database, enabling integration between billing systems and Oracle.
Oracle Accounting in Chapter 6, "RADIUS Accounting," provides detailed information about Oracle Accounting. See the Cisco CNS Access Registrar User Guide at:
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/user/guide/accountg.html
New RemoteServers
Previous releases of Cisco AR supported only three types of RemoteServer: radius, ldap, and odbc. Cisco AR 3.5 adds five new types of RemoteServer objects including the following:
• Dynamic DNS
• Map-Gateway
• ODBC-Accounting
• Prepaid-CRB
• Prepaid-IS835C
Remote Servers in Chapter 3, "Cisco Access Registrar Server Objects," provides detailed information about the new RemoteServer objects. See the Cisco CNS Access Registrar User Guide at:
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/user/guide/objects.html
Related Documentation
The following is a list of the documentation for Cisco Access Registrar 3.5. You can access the URLs listed for each document at www.cisco.com on the World Wide Web. We recommend that you refer to the documentation in the following order:
• Cisco Access Registrar 3.5 Installation and Configuration Guide (OL-5983-02)
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/installation/guide/install_1.html
• Cisco Access Registrar 3.5 User's Guide (OL-5984-02)
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/user/guide/users.html
• Cisco Access Registrar 3.5 Concepts and Reference Guide (OL-2683-01)
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/concepts/guide/concepts.html
System Requirements
This section describes the system requirements for installing the Cisco AR 3.5 software.
Cisco AR 3.5 Full Installation
Table 2 lists the system requirements for a full installation of Cisco AR 3.5.
Cisco AR 3.5 Configuration-Only Installation
Table 3 lists the system requirements for installing the configuration-only component of Cisco AR 3.5.
The recommended disk space does not include the amount of space needed for accounting records which can grow rapidly depending on how frequently you process and remove them from the Cisco AR 3.5 disk. If Cisco AR 3.5 runs out of disk space, it could cause the loss of accounting information and the corruption of session management information.
Co-Existence With Other Network Management Applications
To achieve optimal performance, Cisco Access Registrar should be the only application running on a single machine. You can choose to run collaborative servers such as an Oracle or SQL database system, an LDAP server, or another Solaris application. There are no known conflicts with any other Solaris applications.
You can configure Cisco AR 3.5 to avoid UDP port conflicts with other network management applications. The most common conflicts occur when other applications also use ports 2785 and 2786. Another possible conflict could be SNMP. If you configure and use SNMP on your Cisco AR server, no other application can be configured to use SNMP on the Cisco AR machine.
Note
Cisco Network Registrar and Cisco AR 3.5 cannot co-exist on the same workstation.
Cisco AR Performance
This section provides information about Cisco AR performance results for Cisco AR on Solaris and Cisco AR on Linux.
Cisco AR on Solaris
The Cisco AR 3.5.5 performance tests were run on a Sun Fire V210 with two GB RAM, two 1000 MHz UltraSPARC-3i processors, one 36GB SCSI-UW disks, and Solaris 8 64-bit kernel. Further platform tests were done to compare across multiple platforms. The reported numbers are an average of 100 test runs with results outside of the second deviation dropped.
Note
The platform used for these performance tests differs from previous platforms.
The LDAP servers run on an HP Kayak XU with 256 MB RAM, two 500 MHz Pentium 3 processors, a 9.1 GB SCSI-UW disk, and Windows 2000 with Service Pack 4. No special performance tuning was made to the servers or to Cisco AR. All LDAP tests were run with three proxy servers in a round-robin configuration. The Oracle servers run on the same platform and number of servers in round robin.
The LDAP vendor was the iPlanet Directory Server 4.11. The Oracle server used was version 9.2.0.1. Both data stores have at least 10,000 users.
For the ODBC with Oracle Accounting tests, Oracle 9.2.0.5 was installed on a Sun Fire 280R with 8 GB RAM, two 1200 MHz UltraSPARC-3+ processors, one 36 GB FC-AL disk and the Solaris 8 64-bit kernel.
Numbers of transactions are given in RADIUS Pairs Per Second (RPPS). In general, one transaction is one RADIUS request and response pair (for example, an access-request and an access-accept). The specific pair usage for each test type is as follows:
• One AA transaction uses one RADIUS pair
• One AAA transaction uses three RADIUS pairs
• One accounting-only transaction uses two RADIUS pairs
Primary Performance Test Results
Table 4 lists performance test results for Cisco AR 3.5.5 when using a local database.
Table 5 lists performance test results for Cisco AR 3.5.5 when used with a proxy server and a local database.
Table 6 lists performance test results for Cisco AR 3.5.5 when used with an LDAP server.
Table 6 LDAP Server Performance Test Results
Transaction Type                 Results
AA                               1386 RPPS
AAA                              1335 RPPS
AA plus Session Management       224 RPPS
AAA plus Session Management      990 RPPS
Table 7 lists performance test results for Cisco AR 3.5.5 when used with an ODBC server.
Table 7 ODBC Server with Local Accounting Performance Test Results
Transaction Type                 Results
AA                               1270 RPPS
AAA                              1893 RPPS
AA plus Session Management       836 RPPS
AAA plus Session Management      1254 RPPS
Table 8 lists performance test results for Cisco AR 3.5.1 when used with an ODBC server and Oracle accounting.
Cisco AR on Linux
Table 9 lists performance test results for Cisco AR 3.5.2 on Linux when using a local database. The platform used to obtain these results consisted of an IBM x335 dual-processor Pentium Xeon with 2.60 GHz clock and 2 GB memory.
Downloading Cisco Access Registrar Software
Cisco AR 3.5 software is available for download from http://www.cisco.com at the following URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/access-registrar-encrypted?sort=release
The page at this URL lists all available versions of Cisco AR software available for download. The current Solaris 8 version is named CSCOar-3.5.5-sunos58-k9.tar.gz. The current Solaris 9 version is named CSCOar-3.5.5-sunos59-k9.tar.gz. The current RedHat Linux version is named CSCOar-3.5.5-linux2420-install-k9.sh.
Complete the following steps to download the software.
Step 1
Create a temporary directory, such as /tmp, to hold the downloaded software package.
Step 2
Enter the URL to the Cisco.com web site for Cisco AR software:
http://www.cisco.com/pcgi-bin/tablebuild.pl/access-registrar-encrypted?sort=release
Step 3
Click the link for the Cisco AR 3.5 software package you want to download:
CSCOar-3.5.5-sunos58-k9.tar.gz for the Solaris 8 version, or
CSCOar-3.5.5-sunos59-k9.tar.gz for the Solaris 9 version, or
CSCOar-3.5.5-linux2420-install-k9.sh for the Linux version.
The Encryption Software Export Distribution Authorization page displays. Pay special attention to the information in the Important Notice, which includes the following:
Cisco strong encryption images are subject to U.S. and local country export, import, and use laws. The country and class of end-user eligible to receive and use Cisco encryption solutions are limited. As a result of this limitation, Cisco requires all Cisco.com users to complete this form and accept the terms and conditions as set forth below in order to establish eligibility for software updates.
Cisco records and reports all downloads of strong encryption solutions to participating governments of the Wassenaar Arrangement.
Please visit the encryption web page for a control summary, or contact Cisco's Regulatory Affairs for further information.
Step 4
Provide the information required in the Encryption Software Export Distribution Authorization fields.
Step 5
Answer the nine questions that follow the authorization form to apply for eligibility to download strong encryption software images, then click Submit.
A second Encryption Software Export Distribution Authorization page displays. This page explains the Cisco Systems Inc. Encryption Software Usage Handling and Distribution Policy.
Step 6
Read the information about Cisco's Encryption Software Usage Handling and Distribution Policy, and if you agree to the terms, click I Accept.
Note
After you provide the information required for the three preceding steps, you will not have to do it for subsequent downloads. If you have already signed Cisco's Encryption Software Export Distribution Authorization forms, only the final authorization page, described next, is displayed.
A third Encryption Software Export Distribution Authorization page displays. This page provides the Cisco Systems Inc. Encryption Software Export/Distribution Form and instructions about download, resell, transfer, export or re-export conditions for software images with strong encryption capabilities.
Step 7
Check whether the software image is for use by you or your organization, then click Submit.
The Software Download page displays with a link to the Cisco AR 3.5 software package you selected for download.
Step 8
Click the link for the selected software to proceed with the software download.
A File Download dialog box displays indicating the file you are about to download.
Step 9
Click Save and indicate where to save the file on your computer, such as /tmp, then click Save again.
Cisco AR 3.5 Licensing
Cisco AR 3.5 uses a licensing mechanism that enables you to activate different features in Cisco AR using a combination of different license keys. During system initialization, the Cisco AR server sets up the licensing data model and activates any features that are properly licensed.
Licensed Features
Table 10 lists the Cisco AR 3.5 names of the features that require licenses. As new licensed features are added to Cisco AR, new license files will also be required.
Getting Cisco AR 3.5 Feature Licenses
When you order the Cisco AR 3.5 product, a text license file will be sent to you by email. If you are evaluating the software, Cisco will provide you with an evaluation license.
If you decide to upgrade your Cisco AR 3.5 software and add a feature, a new text license file will be sent to you by email when you order the upgrade.
If you receive a Software License Claim Certificate, you can get your Cisco AR license file at one of the two following URLs:
Use this site if you are a registered user of Cisco Connection Online.
• www.cisco.com/go/license/public
Use this site if you are not a registered user of Cisco Connection Online.
Within one hour of registration at either of the above web sites, you will receive your license key file and installation instructions in email.
Installing Cisco AR 3.5 Licenses
You must have a license in a directory on the Cisco AR machine before you attempt to install Cisco AR 3.5 software. If you have not installed the Cisco AR license file before beginning the software installation, the installation process will fail.
You can store the Cisco AR license file in any directory on the Cisco AR machine. During the installation process, you will be asked the location of the license file, and the installation process will copy the license file to the /opt/CSCOar/license directory, or $INSTALL/license if you are not using the default installation location.
The license file might have the name ciscoar.lic, but it can be any filename with the suffix .lic. To install the Cisco AR license file, you can copy and paste the text into a file, or you can simply save the file you receive in email to an accessible directory.
Upgrading Your Cisco AR 3.5 License File
If you add additional features that require licenses, you can open the file in /opt/CSCOar/license and add additional lines to the license file, or you can create an additional license file to hold the new lines. If you add a new file, remember to give it a .lic suffix.
If you upgrade your Cisco AR license for additional features, you must restart the Cisco AR server for the new license to take effect. To restart the Cisco AR server, enter the following on the server command line:
/opt/CSCOar/bin/arserver restart
Sample License File
The following is an example of a Cisco AR 3.5 license file.
INCREMENT AR-CPU cisco 3.5 permanent uncounted \
VENDOR_STRING=<count>7</count> HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID>1</LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
INCREMENT AR-STANDARD cisco 3.5 permanent uncounted \
VENDOR_STRING=<count>5</count> HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID>2</LicLineID> \
<PAK>dummyPak</PAK>" SIGN=654321FEDCBA
INCREMENT AR-HLR cisco 3.5 permanent uncounted \
VENDOR_STRING=<count>5</count> HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID>3</LicLineID> \
<PAK>dummyPak</PAK>" SIGN=GHIJKL123456
INCREMENT AR-PREPAID cisco 3.5 permanent uncounted \
VENDOR_STRING=<count>5</count> HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID>4</LicLineID> \
<PAK>dummyPak</PAK>" SIGN=654321LMNOPQ
Displaying License Information
Cisco AR 3.5 provides two ways of getting license information using aregcmd:
• aregcmd command-line option
• Launching aregcmd
aregcmd Command-Line Option
Cisco AR 3.5 provides a new -l command-line option to aregcmd. The syntax is:
aregcmd -l directory_name
where directory_name is the directory where the Cisco AR license file is stored. The following is an example of the aregcmd -l command:
aregcmd -l /opt/CSCOar/license
Licensed Application: Cisco Access Registrar (Standard Version)
Following are the licensed components:
NAME VERSION EXPIRY_INFO
==== ======= ===========
AR-Standard 3.5 permanent
AR-CPU 3.5 permanent
AR-HLR 3.5 permanent
AR-Prepaid 3.5 permanent
Following components are present but unlicensed (disabled):
NAME VERSION EXPIRY_INFO
==== ======= ===========
AR-Cache 3.5 N/A
Launching aregcmd
The Cisco AR 3.5 server displays license information when you launch aregcmd, as shown in the following:
aregcmd
Cisco Access Registrar 3.5.5 Configuration Utility
Copyright (C) 1995-2004 by Cisco Systems, Inc. All rights reserved.
Cluster:
User:
Password:
Logging in to localhost
[ //localhost ]
LicenseInfo = AR-Standard + AR-CPU + AR-HLR + AR-Prepaid
Radius/
Administrators/
Server 'Radius' is Running, its health is 10 out of 10
Installing Cisco AR 3.5 Software on Solaris
This section describes the software installation process when installing Cisco AR 3.5 software on a Solaris workstation for the first time.
Note
This version of Cisco Access Registrar 3.5 can be used with Solaris 8, Solaris 9, or the Red Hat 7.3 Linux operating system using kernel version 2.4.20-24.7, glibc version 2.2.5-42.
This section includes the following subsections:
• Installing Cisco AR Software from CD-ROM
• Installing Downloaded Software
Tips
Before you begin to install the software, check your workstation's /etc/group file and make sure that group staff exists. The software installation will fail if group staff does not exist before you begin.
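Both prerequisites that make the installation fail (no group staff in /etc/group, and no .lic license file in place beforehand) can be checked before running pkgadd. The following shell script is an added example, not part of the Cisco release notes or the Cisco AR distribution; the function names are hypothetical, and it assumes license entries follow the INCREMENT layout of the sample license file shown earlier.

```shell
#!/bin/sh
# Added example: pre-install checks for the prerequisites in these release notes.
# Function names are hypothetical; paths are parameters so the checks can be
# pointed at copies of the files.

# group_exists NAME [GROUP_FILE]: succeed if NAME is a group in GROUP_FILE.
group_exists() {
    awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }' \
        "${2:-/etc/group}"
}

# license_features DIR: print "feature version expiry" for every INCREMENT
# entry in DIR/*.lic, joining lines that end in a backslash continuation.
license_features() {
    for f in "$1"/*.lic; do
        [ -f "$f" ] || continue          # glob matched nothing
        awk '
            { sub(/\r$/, "") }           # tolerate files saved from email with CRLF
            /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }
            { $0 = buf $0; buf = ""
              if ($1 == "INCREMENT") print $2, $4, $5 }
        ' "$f"
    done
}

# preflight LICENSE_DIR [GROUP_FILE]: report both prerequisites and return
# non-zero if either one would make the installation fail.
preflight() {
    rc=0
    if group_exists staff "${2:-/etc/group}"; then
        echo "ok: group staff exists"
    else
        echo "FAIL: group staff is missing"; rc=1
    fi
    features=$(license_features "$1")
    if [ -n "$features" ]; then
        echo "ok: license entries found in $1:"; echo "$features"
    else
        echo "FAIL: no INCREMENT entries in $1/*.lic"; rc=1
    fi
    return $rc
}

# Usage: sh preflight.sh /path/to/license/dir
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

Comparing the listed features with the components you ordered before installing catches a truncated or badly pasted license file early.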
Deciding Where to Install
Before you begin the software installation, you should decide where you want to install the new software. The default installation directory for Cisco AR 3.5 software is /opt/CSCOar. You can use the default installation directory, or you can choose to install the Cisco AR software in a different directory.
Installing Cisco AR Software from CD-ROM
The following steps describe how to begin the software installation process when installing software from the Cisco AR 3.5 CD-ROM. If you are installing downloaded software, proceed to Installing Downloaded Software.
Note
Before you begin the software installation, ensure that you have installed a license file as described in Installing Cisco AR 3.5 Licenses.
Step 1
Place the Cisco AR 3.5 software CD-ROM in the Cisco AR workstation CD-ROM drive.
Step 2
Log in to the Cisco AR workstation as a root user, and enter the following command line:
pkgadd -d /cdrom/cdrom0/kit/solaris-2.8 CSCOar
Note
Cisco AR software for Solaris 9 is not available on CD-ROM.
Step 3
Proceed to Common Installation Steps.
Installing Downloaded Software
This section describes how to uncompress and extract downloaded Cisco AR 3.5 software and begin the software installation.
Note
Before you begin the software installation, ensure that you have installed a license file as described in Installing Cisco AR 3.5 Licenses.
Step 1
Log in to the Cisco AR workstation as a root user.
Step 2
Change directory to the location where you have stored the downloaded tarfile.
cd /tmp
Step 3
Use the following command line to uncompress the tarfile and extract the installation package files.
zcat CSCOar-3.5.5-sunos58-k9.tar.gz | tar xvf -
Note
The instructions provided here are for the Solaris 8 package. There is no difference in download or installation procedures for Solaris 8 or Solaris 9 other than the package name.
Step 4
Enter the following command to begin the installation:
pkgadd -d /tmp CSCOar
where /tmp is the temporary directory where you stored and uncompressed the installation files.
Step 5
Proceed to Common Installation Steps.
Common Installation Steps
This section describes the installation process immediately after you have issued the pkgadd command installing from CD-ROM or from downloaded software.
Processing package instance <CSCOar> from </tmp>
Cisco Access Registrar 3.5.5 [SunOS-5.8, official]
(sparc) 3.5.5
Copyright (C) 1998-2004 by Cisco Systems, Inc.
This program contains proprietary and confidential information.
All rights reserved except as may be permitted by prior written consent.
This package contains the Cisco Access Registrar Server and the
Cisco Access Registrar Configuration Utility. You can choose to
perform a Full installation or just install the
Configuration Utility.
What type of installation: Full, Config only [Full] [?,q]
Step 6
For a full install, press Enter.
Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q]
Step 7
Press Enter to accept the default location of /opt/CSCOar, or enter a different directory to be used as the base installation directory.
Access Registrar requires FLEXlm license file to operate. A list
of space delimited license files or directories can be supplied as
input; license files must have the extension ".lic".
Where are the FLEXlm license files located? [/opt/CSCOar/license] [?,q]
Step 8
Enter the directory where you have stored the Cisco AR 3.5 license file.
Access Registrar provides extensions that can be written in Java.
If you intend to write Java extensions, the Java Runtime
Environment (JRE) is required.
If you are not using Java, press Enter/Return to skip this step.
If you already have a JRE installed, please enter the directory
where it is installed. If you do not, the JRE can be downloaded
from:
You may specify or modify the location of the JRE later by
entering the following command then restarting the AR server.
# ln -s <java-root> /opt/CSCOar/j2re1.4
Where is the JRE installed? [?,q]
Step 9
If you plan to use Java, enter the directory location where the JRE is installed, otherwise press Enter.
If you are not using ORACLE, press Enter/Return to skip this step.
ORACLE installation directory is required for ODBC configuration.
ORACLE_HOME variable will be set in /etc/init.d/arserver script
Where is ORACLE installed? [] [?,q]
Step 10
If you are using Oracle, enter the location where it is installed; otherwise press Enter.
If you want to learn about Access Registrar by follo


