Cisco® Access Registrar is the flagship Cisco RADIUS authentication, authorization, and accounting (AAA) server for the service provider market. It supports service provider deployment of access services by centralizing AAA information and simplifying provisioning and management. Cisco Access Registrar is a standards-based RADIUS and proxy RADIUS server designed for high performance, extensibility, and integration with external data stores and systems.
Cisco Access Registrar 3.5, the newest release, supports some of the latest standards and protocols used in broadband and wireless environments.
HIGHLIGHTS, FEATURES, AND BENEFITS
Cisco Access Registrar 3.5 Highlights
• Expanded platform and OS support: Cisco Access Registrar adds support for RedHat Linux on PC-based computers (Cisco Access Registrar 3.5.2), and Solaris 9 support on Sun SPARC computers (Cisco Access Registrar 3.5.3).
• Expanded database support for AAA: In addition to Oracle 8, Cisco Access Registrar supports Oracle 9 and MySQL 4.0 database accounting. Cisco Access Registrar can write accounting records directly to an Oracle or MySQL database, with buffering for increased throughput and resilience.
• Expanded Extensible Authentication Protocol (EAP) support: Cisco Access Registrar adds support for Protected EAP (PEAP), subscriber identity module (SIM), and Transport Layer Security (TLS).
• Cisco CDMA2000 IS835-C support: Cisco Access Registrar 3.5 adds packet of disconnect (PoD) during packet data serving node (PDSN) handoff; quality of service (QoS); remote address accounting attributes; MN-HA shared key distribution; prepaid (Cisco Access Registrar 3.5.3); and DNS update.
• Improved performance of grouped AAA method: Cisco Access Registrar offers Parallel-OR and Parallel-AND options in service groups.
• High-speed, queryable identity session cache (Cisco Access Registrar 3.5.2): A real-time information cache of active users; applications can query the cache using Extensible Markup Language (XML) over User Datagram Protocol (UDP).
• Additional features: Session release based on session age; automatic session timeout based on session inactivity (Cisco Access Registrar 3.5.3); Trusted-ID authorization for transparent autologon in Service Selection Gateway (SSG) environments (Cisco Access Registrar 3.5.3); PoD (RFC 3576); HTTP digest authentication for Session Initiation Protocol (SIP) and Web servers; Cisco SSG prepaid support; a view-only administrator; and Java extension point scripts and custom services.
• Cisco Access Registrar supports multiple access technologies (dial, wholesale dial, broadband, mobile wireless, wireless LAN, and public wireless LAN) with a single AAA platform.
• Provides service providers with an off-the-shelf, standards-based RADIUS server that offers the flexibility and extensibility previously only available by maintaining internally built versions of public-domain RADIUS software.
• Enables service providers to focus their businesses on specific areas of service delivery by supporting additional wholesale, outsourcing, and roaming service scenarios using proxy RADIUS.
• Reduces operational costs and speeds service rollout by supporting integration with provisioning, billing, and other service-management components using directory or relational database management system (RDBMS) support and scriptable configuration interfaces.
• Efficiently manages resource use by supporting centralized IP address assignment and session limit enforcement across access devices spanning multiple geographic regions and across multiple Cisco Access Registrar servers.
• Allows service providers to extend competitive advantages by rapidly deploying the latest wireless technologies.
Cisco Access Registrar is built on a multithreaded architecture to take advantage of multiprocessor systems and provide the highest AAA performance. At the core of Cisco Access Registrar (Figure 1) is a "policy" engine that determines processing based on the contents of the RADIUS request packet. The policy engine makes the following types of decisions:
• Whether authentication against a Lightweight Directory Access Protocol (LDAP) directory or Oracle database is required
• Whether a request should be forwarded to an external RADIUS server
• What type of accounting is required
• Whether session limits apply
• Whether an IP address pool has been assigned
While the basic operation of the server is determined by configuration, multiple extension points within the server provide optional callouts to custom code. Extension points can be used for several purposes, including influencing the processing of a request or modifying incoming or outgoing packets to meet specialized requirements.
Cisco Access Registrar provides a rich set of processing methods, including local, LDAP, Open Database Connectivity (ODBC), proxy, and prepaid, but Cisco Access Registrar also permits custom service code to be inserted into its architecture to allow service providers to support special request processing and system integration.
Figure 1. Cisco Access Registrar Architecture
Authentication and Authorization
• High-speed internal embedded user database
• Easy, logical grouping of users
• Easy return attributes and check-item configuration
• Ability to enable and disable user access
• User information can be stored in external datastores
• LDAP directory or Oracle or MySQL database support
– Store return and check-items attributes
– Datastore schema independent
– Add custom logic based on information in user's record
• Advanced RADIUS proxy support for service provider environments
– Include proxy attribute filtering
• EAP support
– Message Digest Algorithm 5 (MD5), LEAP, PEAP (with Microsoft Challenge Handshake Authentication Protocol [MS-CHAP] v2, Generic Token Card [GTC], and SIM), and TLS
– EAP Proxy
• IETF RADIUS tunnel support (RFC 2867, RFC 2868)
• Automatic and customizable Reply-Message generation
• Local file
– Store accounting records in single file or multiple files
– Automatic file rollover based on file age, size, or specific time
– Option to ignore acknowledgements and continue processing
• Write accounting records directly to an Oracle or MySQL database
– Schema independent
– Buffering option for higher throughput and fault tolerance
• Define a list of remote systems to be used in failover or round-robin modes
• Accept All, Reject All, and Drop Packet outage policies available when no remote systems are available
• Define the individual characteristics of each remote system; for example, ports, timeouts, retries, or reactivate timers
• Sophisticated algorithms to detect status of remote systems
Request Processing Decisions
• Process requests using different methods; for example, use LDAP for some access requests, the internal database for others
• Process requests using a combination of these methods; store an accounting request to a local file and proxy it to a remote RADIUS server
• Split authentication and authorization by selecting one method for authentication and another for authorization (One-Time Password [OTP] server and Oracle database)
• Decide which method to use based on attributes in the request or on Cisco Access Registrar's "environment variables", such as source or destination IP address or UDP port
• Easy method selection based on DNS domain, username prefix, dialed number, calling number, or network access server (NAS), using the Cisco Access Registrar Policy Engine
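The request-processing decisions listed above, modelled as a small policy engine: a method is chosen from the User-Name realm, then the username prefix, then the NAS address, falling back to a default, and grouped methods are evaluated with Parallel-OR or Parallel-AND semantics. This is an added illustration, not Cisco Access Registrar code; the backends (local_db, ldap, otp_server), the policy table and the sample credentials are all constructed.

```python
"""Toy model of RADIUS request-routing decisions: pick a processing method
from request attributes, then run grouped methods as Parallel-OR / Parallel-AND.
Added illustration; not Cisco Access Registrar code. Backends, policy table and
credentials are constructed."""
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional, Tuple

Service = Callable[[dict], bool]

LOCAL_USERS = {"alice": "s3cret"}            # constructed sample data


def local_db(req: dict) -> bool:
    """Stands in for the internal user database."""
    return LOCAL_USERS.get(req["User-Name"]) == req.get("User-Password")


def ldap(req: dict) -> bool:
    """Stands in for an LDAP bind/compare."""
    return req["User-Name"] == "bob" and req.get("User-Password") == "pass"


def otp_server(req: dict) -> bool:
    """Stands in for a one-time-password server; State carries the result here."""
    return req.get("State") == "otp-ok"


class ServiceGroup:
    """Runs members concurrently. Parallel-OR accepts if any member accepts;
    Parallel-AND requires every member to accept."""

    def __init__(self, members: List[Service], mode: str) -> None:
        if mode not in ("OR", "AND"):
            raise ValueError("mode must be OR or AND")
        self.members, self.mode = members, mode

    def __call__(self, req: dict) -> bool:
        with ThreadPoolExecutor(max_workers=len(self.members)) as pool:
            results = list(pool.map(lambda svc: svc(req), self.members))
        return any(results) if self.mode == "OR" else all(results)


def parse_user_name(name: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Split 'prefix/user@realm' into (prefix, bare user, realm)."""
    prefix = realm = None
    if "/" in name:
        prefix, name = name.split("/", 1)
    if "@" in name:
        name, realm = name.rsplit("@", 1)
    return prefix, name, realm


def select_service(req: dict, policy: dict) -> Tuple[Service, str]:
    """Policy-engine step: realm, then username prefix, then NAS address, then default."""
    prefix, bare, realm = parse_user_name(req["User-Name"])
    if realm in policy["by_realm"]:
        return policy["by_realm"][realm], bare
    if prefix in policy["by_prefix"]:
        return policy["by_prefix"][prefix], bare
    nas = req.get("NAS-IP-Address")
    if nas in policy["by_nas"]:
        return policy["by_nas"][nas], bare
    return policy["default"], bare


POLICY: Dict[str, object] = {               # constructed policy table
    "by_realm": {"example.net": ldap},
    "by_prefix": {"otp": ServiceGroup([otp_server, local_db], "AND")},
    "by_nas": {"10.0.0.5": ServiceGroup([local_db, ldap], "OR")},
    "default": local_db,
}


def authenticate(req: dict, policy: dict = POLICY) -> bool:
    """Select the method for this request and run it on the bare username."""
    service, bare = select_service(req, policy)
    return service({**req, "User-Name": bare})


if __name__ == "__main__":
    print(authenticate({"User-Name": "bob@example.net", "User-Password": "pass"}))
```

The AND group is the interesting case for a deployment: a prefix such as "otp/" can require both the token server and the password store to accept, so a compromised password alone is not enough, while the OR group models a NAS whose users may live in either store.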
Session/Identity Tracking and Caching
• Built-in feature to track user sessions and allocate resources
• Enforcement of session limits per user and per group
• Allocation of addresses from IP pools
• Allocation of home agents and on-demand address pools
• Real-time query of the session table using the command-line interface (CLI) or XML over UDP
• Add custom information to the session table
• Configure which attributes to store in the session table
• Manual release of sessions and resources
• Query and release sessions based on session age, username, NAS, and other criteria
• Release sessions and generate PoD
• Automatic session release when accounting stop is lost (inactivity timeout)
• Automatic session release when accounting on/off is detected (system accounting)
• In an environment with multiple Cisco Access Registrars, designate one Cisco Access Registrar to manage all sessions to avoid bypass of session limits and to allocate IP addresses and other resources centrally
• Session information is not lost even if Cisco Access Registrar or the system is restarted
• Session tracking for accounting-only servers
• Configure session key on calling number or other attributes
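The session-tracking behaviour in this list, as an added example that is not part of the data sheet or of the product: a session table keyed on a configurable session key, per-user and per-group session limits, address allocation from a pool, release on accounting stop, inactivity timeout, release of every session from a NAS that sends Accounting-On, and query-and-release by criteria (the caller would send a PoD for each returned key). The limits, pool addresses, session keys and the ManualClock are constructed for the demonstration.

```python
"""Toy RADIUS session manager. Added illustration, not Cisco Access Registrar
code; pool addresses, limits and sample sessions are constructed."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class ManualClock:
    """Deterministic clock so the inactivity timeout can be exercised offline."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


@dataclass
class Session:
    key: str         # session key, e.g. User-Name or Calling-Station-Id
    user: str
    group: str
    nas: str         # access device that owns the session
    ip: str          # address handed out from the pool
    started: float   # for release by session age
    last_seen: float # time of the last accounting packet


class SessionManager:
    def __init__(self, pool: List[str], user_limit: int = 1,
                 group_limits: Optional[Dict[str, int]] = None,
                 inactivity: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.free = list(pool)
        self.sessions: Dict[str, Session] = {}
        self.user_limit = user_limit
        self.group_limits = group_limits or {}
        self.inactivity = inactivity
        self.clock = clock

    def _release(self, key: str) -> None:
        self.free.append(self.sessions.pop(key).ip)   # address returns to the pool

    def start(self, key: str, user: str, group: str, nas: str) -> Optional[str]:
        """Accounting-Start: enforce limits and allocate an address, or return None."""
        self.expire()
        now = self.clock()
        if key in self.sessions:                      # duplicate start: refresh only
            self.sessions[key].last_seen = now
            return self.sessions[key].ip
        if sum(s.user == user for s in self.sessions.values()) >= self.user_limit:
            return None
        limit = self.group_limits.get(group)
        if limit is not None and sum(s.group == group for s in self.sessions.values()) >= limit:
            return None
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.sessions[key] = Session(key, user, group, nas, ip, now, now)
        return ip

    def update(self, key: str) -> bool:
        """Interim-Update keeps the session alive."""
        if key not in self.sessions:
            return False
        self.sessions[key].last_seen = self.clock()
        return True

    def stop(self, key: str) -> bool:
        """Accounting-Stop releases the session and its address."""
        if key not in self.sessions:
            return False
        self._release(key)
        return True

    def expire(self) -> List[str]:
        """Inactivity timeout: release sessions whose stop packet was lost."""
        now = self.clock()
        stale = [k for k, s in self.sessions.items() if now - s.last_seen > self.inactivity]
        for k in stale:
            self._release(k)
        return stale

    def accounting_on(self, nas: str) -> List[str]:
        """Accounting-On/Off from a NAS means it restarted: drop all its sessions."""
        return self.release(nas=nas)

    def release(self, *, user: Optional[str] = None, nas: Optional[str] = None,
                older_than: Optional[float] = None) -> List[str]:
        """Query-and-release by criteria; returns the keys to send a PoD for."""
        now = self.clock()
        gone = [k for k, s in self.sessions.items()
                if (user is None or s.user == user)
                and (nas is None or s.nas == nas)
                and (older_than is None or now - s.started >= older_than)]
        for k in gone:
            self._release(k)
        return gone
```

Using the last accounting packet rather than the start time for the inactivity check matters: a long-lived session that keeps sending Interim-Updates is still in use, while one that went silent has probably lost its Accounting-Stop and is holding an address and a slot in the user's limit for nothing.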
System Tuning and System Configuration
• Configure Cisco Access Registrar to listen on multiple UDP ports
• Specify which network interfaces to use
• Set the number of simultaneous requests to be processed
• Enable access accept logging
• Regular and advanced duplicate RADIUS packet detection features
• Extensible attribute dictionary
– Populated with latest attribute definitions, including third-party, vendor-specific attributes
– Easy addition of new attributes
– Variable-length vendor type in vendor-specific attributes
• Specify log file rollover rules
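An added example of the duplicate-packet detection named in this list; it is not Cisco Access Registrar code and the data sheet does not say how the product's regular and advanced modes differ, so the split here is an assumption. It follows RFC 2865: a request is a retransmission if it arrives from the same source address and port with the same Identifier within a short window. In the assumed "advanced" mode the Request Authenticator is compared as well, so that a client that reuses an Identifier for a genuinely new request is not silently dropped. The packet builder, addresses and window are constructed.

```python
"""Duplicate RADIUS request detection keyed on (source IP, source port,
Identifier), optionally also comparing the Request Authenticator.
Added illustration, not Cisco Access Registrar code; the 'advanced' mode is
an assumption about what authenticator-aware detection would do."""
import struct
import time
from typing import Callable, Dict, Tuple

# RADIUS header (RFC 2865 section 3): Code, Identifier, Length, Authenticator.
HEADER = struct.Struct("!BBH16s")
ACCESS_REQUEST = 1


class ManualClock:
    """Deterministic clock for exercising the time window offline."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def make_request(ident: int, authenticator: bytes, code: int = ACCESS_REQUEST) -> bytes:
    """Build a constructed header-only request (no attributes) for testing."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    return HEADER.pack(code, ident, HEADER.size, authenticator)


def parse_header(pkt: bytes) -> Tuple[int, int, int, bytes]:
    """Return (code, identifier, length, authenticator); reject malformed packets."""
    if len(pkt) < HEADER.size:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(pkt)
    if length < HEADER.size or length > len(pkt):
        raise ValueError("Length field out of range")
    return code, ident, length, auth


class DuplicateDetector:
    def __init__(self, window: float = 5.0, advanced: bool = True,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.window = window
        self.advanced = advanced
        self.clock = clock
        # (src_ip, src_port, identifier) -> (request authenticator, time first seen)
        self.cache: Dict[Tuple[str, int, int], Tuple[bytes, float]] = {}

    def purge(self, now: float) -> None:
        """Forget entries older than the window."""
        self.cache = {k: v for k, v in self.cache.items() if now - v[1] <= self.window}

    def check(self, src_ip: str, src_port: int, pkt: bytes) -> str:
        """Classify a request as 'new', 'duplicate' (retransmission) or 'reused-id'."""
        now = self.clock()
        self.purge(now)
        _, ident, _, auth = parse_header(pkt)
        key = (src_ip, src_port, ident)
        entry = self.cache.get(key)
        if entry is None:
            self.cache[key] = (auth, now)
            return "new"
        cached_auth, _ = entry
        if not self.advanced or cached_auth == auth:
            return "duplicate"      # regular mode never looks past the key
        # Same key but a different Request Authenticator: the client reused the
        # Identifier for a new request, so treat it as new rather than dropping it.
        self.cache[key] = (auth, now)
        return "reused-id"
```

The distinction matters operationally: in regular mode a NAS that wraps its 8-bit Identifier quickly under load can have legitimate requests discarded as duplicates, while authenticator-aware detection still suppresses true retransmissions (which carry the same authenticator) and lets the new request through.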
Troubleshooting and Monitoring
• Multilevel debugging output
• Real-time query of processing counters
• Reset processing counters without restarting Cisco Access Registrar
• Query status of all Cisco Access Registrar processes and utilities
• Log files for each Cisco Access Registrar process
• Audit log of all configuration changes
• Direct logs to a syslog server
• RADIUS Simple Network Management Protocol (SNMP) RFC 2618-21 support
• SNMP traps generated for critical events
• Utility to generate RADIUS requests
• Powerful configuration utility with interactive and noninteractive modes
• Noninteractive modes allow for configuration automation and operations support system (OSS) integration
• Dynamic configuration feature allows configuration changes to take effect without a server restart
• Command and value recall, inline editing, autocommand completion, and a context-sensitive list of options
• Automatic configuration replication to other Cisco Access Registrar servers (server redundancy)
• Specify lists of alternate remote systems for each processing method (remote-system redundancy)
• Specify multiple methods to process a request (processing-method redundancy)
• Automatic server restart
• Add custom logic to the request processing flow using Tool Command Language (TCL), C or C++, or Java
– Access request and response packets
– Modify processing decisions in real time
– Multiple call-out points to target specific requests
• Create custom processing methods
• Cisco PDSN for CDMA2000 mobile wireless
– Home agent allocation for balanced home agent access
– Null password support
– Multiple accounting start/stop detection for roaming users
– CDMA2000 vendor-specific attribute support
– Prepaid billing
– QoS and Remote Address Accounting attributes support
– PoD during PDSN handoff
– MN-HA shared keys distribution for mobile IP
– DNS update for IP reachability
• Public wireless LAN solutions for service providers
• Cisco IOS® Software On-Demand Address Pool Manager
– Dynamic, variable-size address pool assignment for Multiprotocol Label Switching (MPLS) VPNs
• Broadband aggregation
– Trusted-ID authorization for transparent autologon (Cisco Access Registrar 3.5.3)
• Other solutions
– Cisco Gateway GPRS Support Node (GGSN) for GPRS
– Cisco Any Service, Any Port (ASAP) solutions
Table 1. System requirements for Cisco Access Registrar 3.5.
Disk space: 175 MB (minimum)
Hardware: Sun SPARC or x86
Memory: 64 MB (minimum)
Operating system: Solaris 8 or 9 for Sun SPARC, RedHat Linux 7.3 for x86 (Solaris 9 supported in Cisco Access Registrar 3.5.3)
Cisco Systems® offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare the network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, see Cisco Technical Support Services or Cisco Advanced Services.