Cisco Access Registrar

Cisco Access Registrar Technical Data Sheet

Product Overview

Cisco® Access Registrar is a carrier class solution that provides scalable, flexible, intelligent authentication, authorization, and accounting (AAA) services.

Service providers face tremendous challenges in deploying and managing mission-critical access services. These include:

• Efficiently serving an increasingly diverse mix of access technologies (and corresponding authentication protocols), users, and roaming partners
• Rapidly delivering new subscriber services for competitive advantage (for example, a new prepaid service)
• Facilitating different service delivery models such as mobile virtual network operator (MVNO)/wholesale and roaming
• Efficiently managing resources like IP addresses or session limits
• Keeping up with scalability demands

Adding to this complexity is the fact that many service providers have multivendor, heterogeneous AAA environments and increasingly complex business requirements. Service providers also are under pressure to reduce operating expenses (OpEx) and have to keep up with the need to centralize data stores and adapt billing systems. Operators need a comprehensive access management solution to address these issues.

Cisco Access Registrar provides a RADIUS/Diameter server designed from the ground up for scalability and extensibility for deployment in complex service provider environments including integration with external data stores and systems and multivendor network access servers (NASs). Session and resource management tools track user sessions and allocate dynamic resources to support new subscriber service introductions. The solution supports service provider deployment of access services by centralizing AAA information and simplifying provisioning and management.

Cisco Access Registrar Director provides proxy function and scripting capability for RADIUS. Cisco Access Registrar Director is intended for use in scenarios such as roaming or those in which a customer is going to use the solution to perform an intelligent proxy or load-balance the RADIUS packet based on certain conditions or rules.

Product Architecture

At the core of Cisco Access Registrar (Figure 1) is a policy engine that determines processing based on the contents of the request packet. The policy engine makes the following types of decisions:

• Whether to perform one or more of the following against any incoming packet: authentication, authorization, accounting, proxy
• Which authentication/authorization data store to authenticate and/or authorize against. Supported options are Lightweight Directory Access Protocol Version 3 (LDAPv3) directories (including Microsoft Active Directory [AD]), Oracle database, MySQL database, and the local embedded database
• What type of authentication to use: a built-in mechanism or a custom-built one. Built-in mechanisms include Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and the following Extensible Authentication Protocol (EAP) methods: EAP-SIM, EAP-AKA, EAP-TLS, EAP-TTLS, EAP-GTC, EAP-MSCHAPv2, LEAP, EAP-FAST, EAP-MD5, PEAPv0, PEAPv1
• Whether accounting against an external database like Oracle or MySQL, or against a local flat file, is required
• Whether a request should be proxied to an external RADIUS/Diameter server
• What type of accounting is required
• Whether user/group session limits apply
• Whether an IP address has to be allocated and, if so, whether to use a static mapping or to allocate one from a preconfigured pool

While the basic operation of the server is determined by configuration, multiple extension points within the server provide optional callouts to custom code. Extension points can be used for several purposes, including influencing the processing of a request or modifying incoming or outgoing packets to meet specialized requirements.

Figure 1. Cisco Access Registrar Architecture

Features and Benefits

• Supports a broad range of wireless and wireline access technologies on a common AAA server platform, delivering operational and capital expense savings while providing flexibility to the service provider regarding choice in AAA.
• Provides extensive subscriber data store support, including an internal database and integration with external databases including Oracle, MySQL, Microsoft AD, and OpenLDAP through connectivity mechanisms such as Open Database Connectivity (ODBC), LDAP, Oracle Call Interface (OCI), and Java Database Connectivity (JDBC).
• Provides scalability to support large service deployments. An external session manager allows tens of millions of simultaneous active sessions. Additionally, the multithreaded architecture provides performance that scales with additional CPUs.
• Efficiently manages resource use with real-time session management to track user sessions and dynamically allocate resources like IP addresses and user/group session limits.
• Gives service providers an off-the-shelf, standards-based RADIUS/Diameter server that is highly flexible and extensible. With extension point scripting (EPS), the solution can be customized to meet unique business, regulatory, and technical requirements.
• Provides broad integration support: reduces operational costs and speeds service rollout by supporting integration with provisioning, billing, and other service-management components.

Table 1 lists detailed features and benefits of Cisco Access Registrar.

Table 1. Features and Benefits (each entry gives the feature followed by its benefit)

Access Technology Support

Feature: Supports a broad range of wireless and wireline access technologies, including dial, wholesale dial, broadband, and mobile wireless (WiMAX, wireless LAN and public WLAN, voice over IP [VoIP], Code Division Multiple Access [CDMA], iDEN, General Packet Radio Service [GPRS], Universal Mobile Telecommunications Service [UMTS], and femtocell).
Benefit: By helping enable standardization on a common AAA server platform, the solution delivers operational and capital expense savings while providing flexibility to the service provider regarding choice in AAA.

Feature: Supports femtocell network rollouts in conjunction with Cisco Broadband Access Center and Cisco Network Registrar. Cisco Access Registrar acts as the RADIUS headend to authenticate and authorize a 3G femtocell.
Benefit: Extends AAA resources to where they may already be deployed. For a mobile operator, femtocells improve both coverage and capacity, especially indoors where access would otherwise be limited or unavailable. Consumers benefit from improved coverage and potentially better voice quality and battery life.

Authentication and Authorization

Feature: High-speed internal embedded user database.
Benefit:
• Provides a rapid starting point for small-scale deployments
• Easy, logical grouping of users
• Easy configuration to return attributes in responses and to check attributes ("check items") in requests
• Lets the operator enable and disable user access

Feature: Able to authenticate/authorize user information stored in an external data store (an LDAP directory such as Microsoft AD or OpenLDAP, or an Oracle or MySQL database), combined with the ability to:
• Store return and check-item attributes
• Add custom logic based on information in the user's record
Benefit: Integration support is data-store schema independent, simplifying deployment and day-to-day operations, providing OpEx savings by using existing infrastructure, and helping to support networks with tens of millions of subscribers.

Feature: Advanced RADIUS/Diameter proxy support for service provider environments, including the ability to add, modify, or delete attributes while proxying.
Benefit: Facilitates roaming arrangements with other service providers and load balancing.

Feature: Rich set of authentication protocols, including support for EAP proxy and certificate revocation lists (CRLs):
• PAP, CHAP, MSCHAPv2, LEAP, PEAPv0, PEAPv1
• EAP-MD5, EAP-GTC, EAP-FAST, EAP-TLS, EAP-TTLS, EAP-SIM, EAP-AKA
• EAP Negotiate (run-time selection of the EAP service)
• EAP proxy
• Diameter NASREQ
• HTTP Digest authentication
• LDAP remote server bind-based authentication
• CRL support for EAP services
Benefit: Broad user support, with the ability to extend to other mechanisms such as POP3 through custom services for meeting unique requirements.

Feature: IETF RADIUS tunnel support.
Benefit: Provides support for VPN authentication.

Feature: Automatic and customizable reply-message generation.
Benefit: Helps provide detailed information in case of authentication rejects.

Feature: Flexible AAA processing through the use of logical operators.
Benefit: The logical operators AND, OR, PARALLEL-AND, and PARALLEL-OR give extreme flexibility in evaluating AAA processing choices in serial or in parallel. Parallel evaluation is used when a response from any one subsystem is sufficient to trigger a decision; serial evaluation is used when a sequential response from the subsystems is required.

Accounting

Feature: Local file
• Able to store accounting records in a single file or in multiple files
• Automatic file rollover based on file age, size, or a specific time
Benefit: Storing accounting information on the same server on which the AAA services are running speeds up processing.

Feature: Proxy, with the option to ignore acknowledgements and continue processing.
Benefit: Speeds up decision-making logic when responses (or the lack of them) from certain remote systems can be ignored.

Feature: Database/LDAP
• Able to write accounting records directly to an Oracle or MySQL database or to an LDAPv3 directory
• Buffering option for relational database management systems (RDBMSs) for higher throughput and fault tolerance
Benefit: Integration support is schema independent, simplifying deployment and day-to-day operations, providing OpEx savings by using existing infrastructure, and helping to support networks with tens of millions of subscribers.

Feature: Option to mix multiple types of accounting (local file, proxy, database) and multiple destinations within each type.
Benefit: Flexibility and customer choice.

Platform Support

Feature: Supported operating systems:
• Cisco Access Registrar 5.1: Oracle Solaris 10; Red Hat Enterprise Linux (RHEL) 5.3/5.4/5.5
• Cisco Access Registrar Jumpstart: CentOS 5.4, VMware ESXi 4.1
Benefit: Broad operating system support for customer choice.

Feature: Support for virtualization technologies: Oracle VM Server for SPARC and VMware ESXi 4.1.
Benefit: Lower total cost of ownership (TCO), ease of deployment, and greater flexibility in migration and backup.

Various Technology Support

Feature: IPv6 support:
• Processes RADIUS/Diameter requests from IPv6 RADIUS/Diameter clients and servers
• Able to proxy requests to, and receive responses from, a remote IPv6 RADIUS/Diameter server
Benefit: Provides support for IPv6 networks and dual-stack IPv4/IPv6 networks.

Feature: Diameter support
Benefit: Provides the following facilities:
• Authentication and authorization of Diameter packets against a local database, or against an external database reached through interfaces such as LDAP and ODBC
• Session management and resource management
• Writing a Diameter accounting packet to a local file or proxying it to another AAA server
• Adding, modifying, or deleting the attribute-value pairs (AVPs) in Diameter packets through extension point scripting
• Support for open-ended Diameter applications

Feature: Complies with the WiMAX Network Working Group (NWG) stage 3 document, version 1.3.1.
Benefit: Meets the various WiMAX NWG requirements for WiMAX networks.

Feature: Support for PWLAN/hotspot markets and wireless data offload. Wx interface support for Home Subscriber Server (HSS) lookup: Cisco Access Registrar supports Subscriber Identity Module (SIM) and Universal SIM (USIM) authentication for data access against the newer-generation subscriber database, the HSS, through the Diameter Wx interface. This adds to the existing authentication support against the Home Location Register (HLR) and external databases including Oracle, MySQL, OpenLDAP, and AD.
Benefit: Helps enable service providers to effectively provide public WLAN and wireless data offload functionality.

Proxy, Database, and LDAP Configuration

Feature: Remote server support:
• The operator can define a list of remote systems to be used in failover or round-robin mode
• The operator can define the individual characteristics of each remote system, for example ports, timeouts, retries, or reactivate timers
• Sophisticated algorithms detect the status of remote systems
Benefit: Provides the option to perform authentication, authorization, and accounting against a wide variety of remote systems, with adequate options for load balancing and for handling failure scenarios.

Feature: Outage policies: when no remote systems are available, the Accept All, Reject All, and Drop Packet outage policies are available.
Benefit: Helps enable AAA processing to proceed according to preconfigured policies even when remote systems are not available.

Rule and Policy Engine for Decision Making

Feature:
• Able to process requests using different types of data stores; for example, LDAP for some access requests and the internal database for others
• Able to process requests using a variety of options; for example, store an accounting request to a local file and proxy it to a number of remote RADIUS/Diameter servers, in series or in parallel, waiting for acknowledgement from some and not from others
• Able to split authentication and authorization by selecting one method for authentication and another for authorization (for example, a one-time password [OTP] server and an Oracle database)
• Able to decide how to process a packet based on attributes in the request packet, such as source or destination IP address or User Datagram Protocol (UDP) port, or based on Cisco Access Registrar's environment variable settings such as reauthentication service, reauthorization service, and reaccounting service
• Easy request processing options based on a variety of attributes/values, such as DNS domain, username prefix, dialed number, calling number, NAS, and others, using the predefined policies in the Cisco Access Registrar policy engine
Benefit: Provides a variety of predefined rules and policies that meet the most usual requirements in service provider environments, plus the ability to extend the default logic with custom policies written in C/C++, Tool Command Language (Tcl), or Java.

Session Management and Resource Allocation

Feature: Built-in feature to track user sessions, with dynamic resource allocation including:
• Session limits
• IP addresses
Benefit: Supports:
• Enforcement of session limits per user and per group
• Allocation of critical resources such as IP addresses and home agents

Feature: Option to store active session information in an external database such as Oracle.
Benefit: Helps enable scaling up to tens of millions of sessions per server.

Feature: In an environment with multiple Cisco Access Registrar servers, the operator may designate one Cisco Access Registrar to manage all sessions.
Benefit: Helps avoid bypass of session limits and allows IP addresses and other resources to be allocated centrally.

Feature: Session query capabilities:
• Real-time query of the session table using the command-line interface (CLI), XML over UDP, or RADIUS
• Able to query cached attributes through the session query
• Able to query and release sessions based on session age, username, NAS, and other criteria
Benefit: Allows external/business applications to query Cisco Access Registrar for information on users who are logged in and the resources (such as IP addresses) allocated to them. This can then be used for other business decisions such as providing personalized services, reduced sign-on, and enhanced video delivery.

Feature: Session release capabilities:
• Manual release of sessions and resources
• Automatic session release when an accounting stop is lost (inactivity timeout)
• Able to release sessions and generate a Packet of Disconnect (PoD)
• Automatic session release when accounting on/off is detected (system accounting)
Benefit: Helps manage session state information across the network, automatically or through administrative intervention.

Feature: Session information is not lost even if Cisco Access Registrar or the system is restarted.
Benefit: Avoids information loss during server restarts that could otherwise wreck user/group session limit enforcement or the allocation of IP addresses.

Feature: Session tracking for accounting-only servers: able to count the number of user sessions.
Benefit: Session management can be done on servers through which only accounting messages pass. This can be used in cases such as username-to-IP-address resolution or International Mobile Subscriber Identity (IMSI)-to-IP-address resolution, where only accounting traffic is forwarded through Cisco Access Registrar.

Feature: Able to send Change of Authorization (CoA) requests.
Benefit: Helps change the service levels of logged-in users on the fly. For example, a user on a 1 MB plan could be bumped up to 2 MB without having to log off.

Scalability

Feature: An external session manager allows tens of millions of simultaneous active sessions by storing the active session records on an external database server (Oracle 10g and 11i) instead of in the internal memory of Cisco Access Registrar.
Benefit: Supports large service deployments with a single instance of Cisco Access Registrar.

Feature: Multithreaded architecture provides performance that scales with additional CPUs.
Benefit: Supports large service deployments with a single instance of Cisco Access Registrar and allows the solution to grow with the business.

Customization/Extensibility

Feature: Able to add custom logic to the request processing flow using Tcl, C or C++, or Java through extension point scripting:
• Access request and response packets
• Modify processing decisions in real time
• Target specific requests with multiple callout points
• Add, delete, or modify AVPs
EPS allows users to interact with request processing and communicate with Cisco Access Registrar at numerous API points.
Benefit: Helps enable meeting unique business, regulatory, and technical requirements.

Feature: Able to create custom processing methods.
Benefit: Helps meet new or unique business requirements. For example, custom code can be written and integrated to support authentication mechanisms, such as POP3, that are not built into Cisco Access Registrar.

Feature: Extensible attribute dictionary:
• Populated with the latest attribute definitions, including third-party, vendor-specific attributes
• Easy addition of new attributes (add/modify/delete)
• Variable-length vendor type in vendor-specific attributes
Benefit: Easy interoperability with third-party devices.

Resilience

Feature:
• Automatic configuration replication to other Cisco Access Registrar servers
• Specify lists of alternate remote systems for each processing method
• Specify multiple methods to process a request
• Automatic server restart
Benefit: Provides multiple levels of redundancy, including server redundancy, remote-system redundancy, and processing-method redundancy.

Feature: Veritas and Sun clustering for high availability.
Benefit: Minimizes application downtime.

Troubleshooting and Monitoring

Feature: Multilevel debugging output.
Benefit: Helps troubleshoot and isolate incidents faster. Allows control over error and debug output.

Feature: Statistics:
• Real-time query of statistics
• Reset statistics without restarting Cisco Access Registrar
Benefit: Statistics are provided for a variety of events occurring within the server, such as the number of packets processed, the number dropped, the number proxied to a remote server, responses received, and so on. They help in analyzing usage patterns, troubleshooting issues, and more.

Feature: Able to query the status of all Cisco Access Registrar processes and utilities.
Benefit: Simple utilities that show the status of all Cisco Access Registrar-related processes help in troubleshooting.

Feature: Logging:
• Log files for each Cisco Access Registrar process
• Audit log of all configuration changes
• Able to direct logs to a syslog server
Benefit: Multiple logs for the various components and logging levels help manage and isolate incidents more quickly. Audit trails can be maintained through the configuration change logs.

Feature: SNMP:
• RADIUS Simple Network Management Protocol (SNMP) support
• SNMP traps generated for critical events
Benefit: Allows easy monitoring from network management systems.

Feature: Utility to generate RADIUS AAA requests: Radclient.
Benefit: Helps simulate network deployment scenarios in a lab through:
• Creation of individual packets of various types (access requests, accounting requests, and more)
• Simulation of stress/performance testing scenarios to exhibit server behavior and tune the system

Configuration

Feature:
• Powerful command-line configuration utility with interactive and noninteractive full and view-only modes
• Dynamic configuration feature allows configuration changes to take effect without a server restart
• Command and value recall, inline editing, automatic command completion, and a context-sensitive list of options
• Revamped web-based interface for configuring most of the objects in Cisco Access Registrar
• Wildcard definitions for grouping RADIUS clients
Benefit: The noninteractive modes allow configuration automation and OSS integration. The powerful CLI allows easy interactive operation, saving operators time and helping avoid errors.

Broad Systems Integration Capabilities

Feature: Support for integration with provisioning, billing, and other service-management components.
Benefit: Reduces operational costs and speeds service rollout.

Feature: Prepaid billing interface allows billing vendors to integrate their systems with Cisco Access Registrar for prepaid functionality.
Benefit: Service providers may offer prepaid data or usage-based premium services while reusing their existing billing system and protecting their investments.

Management

Feature:
• Replication of the internal databases allows multiple servers to be configured alike
• Supports SNMP and syslog for network management
Benefit: Centralized management and ease of use.
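The AND/OR/PARALLEL-AND/PARALLEL-OR evaluation and the Accept All / Reject All / Drop Packet outage policies described in Table 1 (and the data-store and proxy decisions the policy engine makes, per the Product Architecture section), as an added Python model that is not Cisco Access Registrar code; the Verdict names, the subsystem functions, and the sample credentials are constructed assumptions:

```python
"""Serial vs. parallel AAA service evaluation, modelling the AND / OR / PARALLEL-AND /
PARALLEL-OR operators and the Accept All / Reject All / Drop Packet outage policies
described in Table 1. Added example, not Cisco Access Registrar code; the subsystems
below are constructed stand-ins for a local database, an LDAP directory, and a remote
server that never answers."""
import time
from concurrent.futures import FIRST_COMPLETED, ThreadPoolExecutor, wait
from enum import Enum
from typing import Callable, Sequence

class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    DROP = "drop"       # no answer: the remote system timed out or is marked down

OUTAGE_POLICIES = {"Accept All": Verdict.ACCEPT, "Reject All": Verdict.REJECT,
                   "Drop Packet": Verdict.DROP}   # DROP here means: send no reply at all

def evaluate(operator: str, subsystems: Sequence[Callable[[dict], Verdict]],
             request: dict, outage_policy: str = "Reject All") -> Verdict:
    """Combine subsystem verdicts. AND/OR ask one subsystem after another and stop at
    the first decisive answer; PARALLEL-AND/PARALLEL-OR ask all at once and decide on
    the first decisive answer to arrive (ACCEPT for the OR forms, REJECT for the AND
    forms). A DROP never decides on its own: if every subsystem dropped, the outage
    policy decides, and under the AND forms a drop counts against acceptance."""
    if operator not in ("AND", "OR", "PARALLEL-AND", "PARALLEL-OR"):
        raise ValueError(f"unknown operator {operator!r}")
    decisive = Verdict.ACCEPT if operator.endswith("OR") else Verdict.REJECT
    verdicts = []
    if operator.startswith("PARALLEL"):
        pool = ThreadPoolExecutor(max_workers=max(1, len(subsystems)))
        pending = {pool.submit(sub, request) for sub in subsystems}
        while pending:
            done, pending = wait(pending, return_when=FIRST_COMPLETED)
            verdicts.extend(f.result() for f in done)
            if decisive in verdicts:
                pool.shutdown(wait=False, cancel_futures=True)  # abandon the slow ones
                return decisive
        pool.shutdown()
    else:
        for sub in subsystems:                     # serial: one subsystem at a time
            verdicts.append(sub(request))
            if verdicts[-1] is decisive:
                return decisive
    if not verdicts or all(v is Verdict.DROP for v in verdicts):
        return OUTAGE_POLICIES[outage_policy]      # nobody answered
    if operator.endswith("AND"):
        return Verdict.ACCEPT if all(v is Verdict.ACCEPT for v in verdicts) else Verdict.REJECT
    return Verdict.REJECT                          # OR forms: nobody accepted

# Constructed sample subsystems.
LOCAL_USERS = {"alice@example.com": "s3cret"}      # constructed credentials

def local_db(req: dict) -> Verdict:
    ok = LOCAL_USERS.get(req["user"]) == req["password"]
    return Verdict.ACCEPT if ok else Verdict.REJECT

def slow_ldap(req: dict) -> Verdict:
    time.sleep(0.2)                                # slow directory that knows no one
    return Verdict.REJECT

def dead_remote(req: dict) -> Verdict:
    time.sleep(0.05)                               # stands in for a request timeout
    return Verdict.DROP

def run_policy_samples() -> dict:
    req = {"user": "alice@example.com", "password": "s3cret"}
    return {
        "or_after_timeout": evaluate("OR", [dead_remote, local_db], req),
        "parallel_or_fast_path": evaluate("PARALLEL-OR", [slow_ldap, local_db], req),
        "parallel_and_one_reject": evaluate("PARALLEL-AND", [slow_ldap, local_db], req),
        "and_with_drop": evaluate("AND", [local_db, dead_remote], req),
        "outage_accept_all": evaluate("PARALLEL-OR", [dead_remote], req, "Accept All"),
        "outage_drop_packet": evaluate("OR", [dead_remote], req, "Drop Packet"),
    }
```

Note that under Accept All a total outage of the remote systems turns into an accept, which is why the outage policy of a proxy or authentication group deserves the same review as its credential store.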
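The session tracking rows of Table 1 (per-user and per-group session limits, release on inactivity timeout and on accounting on/off, and username- or IMSI-to-IP resolution on accounting-only servers), as an added Python model that is not Cisco Access Registrar code; the SessionManager class, the user-to-group mapping, and the accounting records are constructed assumptions, with attribute names taken from RFC 2866 and the 3GPP vendor dictionary:

```python
"""Session table driven by RADIUS accounting, modelling the session tracking Table 1
describes: per-user and per-group session limits, username/IMSI-to-IP resolution, and
release on a lost Stop (inactivity timeout) or on Accounting-On/Off. Added example,
not Cisco Access Registrar code; records are constructed, with RFC 2866/3GPP names."""
from typing import Dict, List, Optional

class SessionManager:
    def __init__(self, user_limit: int, group_limits: Dict[str, int],
                 groups: Dict[str, str], inactivity_timeout: float) -> None:
        self.user_limit, self.group_limits = user_limit, group_limits   # per user / per group
        self.groups = groups                    # constructed user -> group map
        self.inactivity_timeout = inactivity_timeout
        self.sessions: Dict[str, dict] = {}     # Acct-Session-Id -> session record

    def count(self, user: Optional[str] = None, group: Optional[str] = None) -> int:
        return sum(1 for s in self.sessions.values()
                   if (user is None or s["user"] == user)
                   and (group is None or self.groups.get(s["user"]) == group))

    def handle(self, rec: dict, now: float) -> str:
        """Apply one accounting record and return an audit string."""
        status, nas = rec["Acct-Status-Type"], rec["NAS-IP-Address"]
        if status in ("Accounting-On", "Accounting-Off"):
            # System accounting: the NAS (re)started, so every session it held is gone.
            gone = [sid for sid, s in self.sessions.items() if s["nas"] == nas]
            for sid in gone:
                del self.sessions[sid]
            return f"released {len(gone)} sessions for NAS {nas}"
        sid = rec["Acct-Session-Id"]
        if status == "Stop":
            return "released" if self.sessions.pop(sid, None) else "unknown session"
        if sid in self.sessions:                # Interim-Update keeps the session alive
            self.sessions[sid]["last_seen"] = now
            return "updated"
        user, group = rec["User-Name"], self.groups.get(rec["User-Name"])
        if self.count(user=user) >= self.user_limit:
            return "rejected: user limit"
        if group and self.count(group=group) >= self.group_limits.get(group, 2**31):
            return "rejected: group limit"
        self.sessions[sid] = {"user": user, "nas": nas, "ip": rec["Framed-IP-Address"],
                              "imsi": rec.get("3GPP-IMSI"), "last_seen": now}
        return "created"

    def expire(self, now: float) -> int:
        # Release sessions whose Stop was lost: no record within the inactivity timeout.
        stale = [sid for sid, s in self.sessions.items()
                 if now - s["last_seen"] > self.inactivity_timeout]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)

    def ips_for_user(self, user: str) -> List[str]:
        return sorted(s["ip"] for s in self.sessions.values() if s["user"] == user)

    def ip_for_imsi(self, imsi: str) -> Optional[str]:
        return next((s["ip"] for s in self.sessions.values() if s["imsi"] == imsi), None)

def acct(status: str, sid: str, user: str, nas: str, ip: str, imsi: Optional[str] = None) -> dict:
    """Build a constructed accounting record using RFC 2866 / 3GPP attribute names."""
    rec = {"Acct-Status-Type": status, "Acct-Session-Id": sid, "User-Name": user,
           "NAS-IP-Address": nas, "Framed-IP-Address": ip}
    return {**rec, "3GPP-IMSI": imsi} if imsi else rec

# Constructed sample accounting stream: (timestamp, record).
SAMPLE = [
    (101.0, acct("Start", "a1", "alice", "192.0.2.10", "198.51.100.7", "001010123456789")),
    (102.0, acct("Start", "a2", "alice", "192.0.2.11", "198.51.100.8")),  # over alice's limit
    (103.0, acct("Start", "b1", "bob", "192.0.2.11", "198.51.100.9")),
    (160.0, acct("Interim-Update", "b1", "bob", "192.0.2.11", "198.51.100.9")),
]

def replay_accounting() -> dict:
    mgr = SessionManager(user_limit=1, group_limits={"prepaid": 1},
                         groups={"alice": "prepaid", "bob": "postpaid"}, inactivity_timeout=30.0)
    outcomes = [mgr.handle(rec, t) for t, rec in SAMPLE]
    imsi_ip = mgr.ip_for_imsi("001010123456789")    # IMSI -> IP while alice is still active
    expired = mgr.expire(now=170.0)                 # alice's Stop never arrived: released
    return {"outcomes": outcomes, "imsi_ip": imsi_ip, "expired": expired,
            "bob_ips": mgr.ips_for_user("bob"), "active": len(mgr.sessions), "mgr": mgr}
```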

System Requirements

Table 2 lists system requirements for Cisco Access Registrar 5.1.

Table 2. Server System Requirements (Demo Server Requirements)

                    Solaris demo server            Linux demo server
Operating system    Solaris 10                     Linux RHEL 5.3
Model               SPARC Enterprise T5220         x86
CPU type            UltraSPARC-T2 (SPARC V9)       Intel Xeon CPU 3.40 GHz
CPU number          8 cores (8 threads each)       4
CPU speed           1165 MHz                       3.40 GHz
Memory (RAM)        8 GB                           8 GB
Swap space          10 GB                          10 GB
Disk space          2 x 72 GB                      1 x 146 GB

Ordering Information

To place an order, visit the Cisco Ordering Home Page. See Table 3 for a list of Cisco Access Registrar product numbers and upgrade product numbers. To download software, visit the Cisco Software Center.

Table 3. Ordering Information

Cisco Access Registrar Product Numbers (product number: description)

AR-5.1-BASE-K9: Access Registrar Base license for Solaris/Linux; support for RADIUS; required for each Access Registrar Base Server; supports 100 transactions per second
AR-5.1-BASE-NG-K9: Access Registrar Next-Generation Base license for Solaris/Linux; required for each Access Registrar Next-Generation Base Server; support for RADIUS, Diameter, and IPv6; supports 100 transactions per second
AR-5.1-DIR-BASE-K9: Access Registrar Director Base license; load balancing and intelligent AAA proxy support; includes RADIUS support; required for each Access Registrar Director Base Server; supports 2000 transactions per second
AR-5.1-SECOND-K9: Access Registrar Secondary license; required for each standby server or session management server
L-AR-5.1-100TPS=: eDelivery Access Registrar Additional License per server; supports 100 transactions per second
L-AR-5.1-200TPS=: eDelivery Access Registrar Additional License per server; supports 200 transactions per second
L-AR-5.1-500TPS=: eDelivery Access Registrar Additional License per server; supports 500 transactions per second
L-AR-5.1-1000TPS=: eDelivery Access Registrar Additional License per server; supports 1000 transactions per second
L-AR-5.1-2000TPS=: eDelivery Access Registrar Additional License per server; supports 2000 transactions per second
L-AR-5.1-3000TPS=: eDelivery Access Registrar Additional License per server; supports 3000 transactions per second
L-AR-5.1-5000TPS=: eDelivery Access Registrar Additional License per server; supports 5000 transactions per second

Cisco Access Registrar Upgrade Product Numbers (product number: description)

AR-5.1-UPG-K9: Access Registrar Upgrade Base license for Solaris/Linux; support for RADIUS; required for each Access Registrar Base Server; supports 100 transactions per second
AR-5.1-UPG-NG-K9: Access Registrar Upgrade Next-Generation Base license for Solaris/Linux; required for each Access Registrar Next-Generation Base Server; support for RADIUS, Diameter, and IPv6; supports 100 transactions per second
AR-5.1-UPG-DIR-K9: Access Registrar Upgrade Director Base license; load balancing and intelligent AAA proxy support; includes RADIUS support; required for each Access Registrar Director Base Server; supports 2000 transactions per second
AR-5.1-UPSECOND-K9: Access Registrar Upgrade Secondary license; required for each standby server or session management server
L-AR-5.1-UP100TPS=: eDelivery Access Registrar Upgrade Additional License per server; supports 100 transactions per second
L-AR-5.1-UP200TPS=: eDelivery Access Registrar Upgrade Additional License per server; supports 200 transactions per second
L-AR-5.1-UP500TPS=: eDelivery Access Registrar Upgrade Additional License per server; supports 500 transactions per second
L-AR-5.1-UP1KTPS=: eDelivery Access Registrar Upgrade Additional License per server; supports 1000 transactions per second
L-AR-5.1-UP2KTPS=: eDelivery Access Registrar Upgrade Additional License per server; supports 2000 transactions per second
L-AR-5.1-UP3KTPS=: eDelivery Access Registrar Upgrade Additional License per server; supports 3000 transactions per second
L-AR-5.1-UP5KTPS=: eDelivery Access Registrar Upgrade Additional License per server; supports 5000 transactions per second

Cisco Services

Cisco offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare the network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, see Cisco Technical Support Services or Cisco Advanced Services.

For More Information

For more information about Cisco Access Registrar, visit http://www.cisco.com/go/car/, contact your local account representative, or send an email to ar-tme@cisco.com for presales/business queries or cs-ar@cisco.com for technical queries.