Release Notes for Cisco Access Registrar 3.0R9


This document contains important information about the Cisco Access Registrar 3.0R9 software. All features in previous versions of Cisco Access Registrar are present in Cisco Access Registrar 3.0R9. Cisco AR 3.0R9 is available for Solaris 8 only.


Note: Releases since Cisco Access Registrar 3.0R1 use a version of aregcmd that is incompatible with Cisco AR 3.0R0 and Cisco AR 1.7R6 (and earlier). You can find more details about aregcmd incompatibility with other versions of Cisco AR software in Changes in aregcmd.


CCO Date: May 23, 2002

Revised: October 25, 2004

Contents

This document contains the following sections:

Copyright Notice

Introduction

What's New in Cisco AR 3.0

Changes from Previous Versions of Cisco AR

Related Documentation

System Requirements

Upgrading Cisco Access Registrar Software

Installing Cisco Access Registrar Software For the First Time

Modifying Your Environment

Changing Log Directory

SNMP Configuration

Cisco Access Registrar Subdirectories

Using the Cisco AR License

Testing Cisco Access Registrar

Caveats

Obtaining Documentation

Obtaining Technical Assistance

Copyright Notice

This product contains copyrighted programs that are used with permission and are the property of the following respective owners.

Copyright 1989, 1991, 1992 by Carnegie Mellon University

Derivative Work - 1996, 1998-2000

Copyright 1996, 1998-2000 The Regents of the University of California

All Rights Reserved

Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission.

CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

NAI copyright notice (BSD) Copyright © 2001, NAI Labs. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

Neither the name of the NAI Labs nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Introduction

Cisco Access Registrar (AR) provides RADIUS authentication, authorization, and accounting (AAA) services for service providers and enterprises. Cisco AR supports service provider deployment of access services by centralizing AAA information and simplifying provisioning and management.

Cisco Access Registrar is a standards-based Remote Authentication Dial-in User Service (RADIUS) and proxy RADIUS server designed for high performance, extensibility, and integration with external data stores and systems.

Cisco Access Registrar supports a range of access technologies from traditional dial and broadband to wireless LANs and mobile wireless. Cisco Access Registrar 3.0 supports the latest wireless authentication protocols such as Extensible Authentication Protocol—Message Digest 5 (EAP-MD5) used in wireless LAN deployments. Cisco Access Registrar 3.0 also has the ability to make real-time AAA requests to billing systems to support prepaid applications.

What's New in Cisco AR 3.0

Cisco Access Registrar 3.0 includes the following new features:

Open Database Connectivity (ODBC)

Cisco Access Registrar 3.0 provides Oracle database support using Open Database Connectivity (ODBC). Using ODBC, you can store user information including return attributes and check items in an Oracle database. Cisco AR 3.0 supports authentication and authorization through ODBC.

Prepaid Billing

Cisco Access Registrar 3.0 provides a generic prepaid billing application-programming interface (API) that allows a real-time interface to billing and rating systems. Cisco Access Registrar 3.0 Prepaid supports Cisco Packet Data Serving Node (PDSN) Code-division Multiple Access (CDMA2000) mobile wireless prepaid services.

Cisco AR 3.0 works with the client NAS and an external billing system (EBS) or billing server. EBS vendors are required to provide a Solaris 8 shared library that is built with gcc version 2.95.3.

EAP-MD5 Support

Cisco Access Registrar 3.0 supports the EAP standard that provides enhanced security for PPP authentication. EAP support is extended by supporting the EAP-MD5 authentication protocol, an EAP authentication exchange. EAP-MD5 uses a CHAP-like exchange in which both the client and the server hash the password with a challenge to verify that it is correct.

Enhanced configuration interface

Cisco AR's configuration utility, aregcmd, has been enhanced for faster and easier service provider AAA provisioning including:

Automatic command completion

Context-sensitive list of options

Recall of values for quick editing

User return-attribute configuration

Check-items configuration

Detailed configuration-error messages

Prefix Rule in Policy Engine

Cisco Access Registrar 3.0 has an additional rule in its policy engine that allows user-name prefix matching for dynamic processing decisions. Cisco AR 3.0 is able to select a service based on a prefix in the username. Cisco AR can strip the prefix and use it in the policy engine to select a particular service.

Lightweight Directory Access Protocol (LDAP) Directory Rebind

For environments using smart Domain Name System (DNS), Cisco AR can be configured to requery DNS at fixed intervals and dynamically rebind to any new IP address returned. When configuring to use an LDAP server, you can specify a qualified or unqualified hostname of an LDAP directory server.

Time-based Accounting File Rollover

Cisco Access Registrar 3.0 provides additional accounting file rollover criteria based on specific times.

User-password Overriding

The Cisco Access Registrar scripting API now allows easy user-password overriding.

Optimized Accounting-request Handling

Cisco Access Registrar 3.0 provides improved algorithms for handling duplicate accounting requests containing Acct-Delay-Time.

Increased Multi-vendor Support

Cisco Access Registrar 3.0 supports an extended vendor type field in vendor-specific attributes.

Support for MS-CHAPv1

Cisco AR 3.0 provides native support for MS-CHAPv1 authentication as defined in Internet RFCs 2433 and 2548. When using MS-CHAPv1 with LDAP or ODBC user storage, the password must be stored in clear text.

Managing Multi-Valued Attributes

Cisco AR 3.0 provides a mechanism to allow easy editing of multi-value attributes. It enables you to add new values, change part of the values, and delete any portion of the values without having to enter the entire value.

HTTP Digest Authentication

Cisco Access Registrar 3.0R6 supports HTTP Digest, an encryption method used by protocols such as HTTP, SIP, and EAP to authenticate RADIUS clients.

Parallel Service Grouping

Cisco Access Registrar 3.0R6 introduces two new types of Group Services, parallel-and and parallel-or, that ask each referenced service to process requests simultaneously instead of sequentially, thereby saving processing time.

View-Only Administrator and View-only aregcmd Sessions

A view-only administrator or a view-only aregcmd session enables an administrator to view Cisco AR configuration, but not modify it.

Support for Oracle 9

Cisco AR supports Oracle 9 in addition to Oracle 8.1.6 and 8.1.7 for Open Database Connectivity.

Support for Java Extensions

Cisco Access Registrar 3.0R9 provides support for Java extensions. In addition to the Tcl/C/C++ extension point scripting capability, Cisco AR 3.0R9 provides support for extensions written in Java. You must have installed JRE 1.4.x.

Two New Environment Variables

AR 3.0R9 provides two new AR environment variables, Destination-IP-Address and Destination-Port. These variables enable Cisco AR to distinguish between RADIUS requests sent to different IP addresses or UDP ports on the Cisco AR server and make processing decisions based on this information.

MySQL Support

AR 3.0R9 provides support for MySQL version 4.0.18 and MyODBC 3.51.06 to enable querying user records from a MySQL database.

New Features in Cisco AR 3.0

This section describes the new features included in this release of Cisco Access Registrar 3.0.

HTTP Digest Authentication

HTTP Digest is an encryption method used by protocols such as Hypertext Transport Protocol (HTTP), Session Initiation Protocol (SIP), and Extensible Authentication Protocol (EAP).

Cisco Access Registrar 3.0R6 provides an interface to authenticate RADIUS clients based on HTTP Digest. The client sends an Access-Request packet containing a Digest-Response and associated Digest Attributes. The Cisco AR server computes a value based on the user's profile and compares this with the digest response to return an Access-Accept or Access-Reject.

The Cisco AR server generates a session key based on Internet RFC 2617, the RADIUS Extension for Digest Authentication. The generated session key is delivered to the client using the MS-MPPE-Recv-Key attribute in the Access-Accept packet if the algorithm specified in the Access-Request is MD5-sess.

No special configuration is required for HTTP Digest authentication. The Cisco AR server automatically detects HTTP Digest Access-Requests and processes them accordingly. When using HTTP Digest, the MS-MPPE-Recv-Key attribute requires a session-timeout value. You might need to modify the default session timeout value using aregcmd.
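The comparison described above can be sketched as follows. This is an added example, not Cisco AR code: it computes the RFC 2617 request-digest from the stored password and the digest attributes and compares it with the client's Digest-Response. The dictionary keys, the user table and the function names are assumptions; the sample values are the example published in RFC 2617.

```python
import hashlib
import hmac

# Example values published in RFC 2617 (section 3.5); not taken from this page.
RFC2617_SAMPLE = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "uri": "/dir/index.html",
    "method": "GET",
    "qop": "auth",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "algorithm": "MD5",
    "response": "6629fae49393a05397450978507c4ef1",
}

# Hypothetical user profile store. Digest verification needs the clear-text
# password (or a stored H(A1)); a one-way password hash is not enough.
USERS = {"Mufasa": "Circle Of Life"}


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def expected_response(password, attrs):
    """Return the request-digest the server expects for these attributes."""
    ha1 = _md5_hex(f"{attrs['username']}:{attrs['realm']}:{password}")
    algorithm = attrs.get("algorithm", "MD5")
    if algorithm == "MD5-sess":
        # Session variant: H(A1) is bound to this nonce/cnonce pair.
        ha1 = _md5_hex(f"{ha1}:{attrs['nonce']}:{attrs['cnonce']}")
    elif algorithm != "MD5":
        raise ValueError(f"unsupported algorithm: {algorithm}")

    qop = attrs.get("qop")
    if qop not in (None, "auth"):
        # auth-int also hashes the message body, which is not modelled here.
        raise ValueError(f"unsupported qop: {qop}")

    ha2 = _md5_hex(f"{attrs['method']}:{attrs['uri']}")
    if qop == "auth":
        return _md5_hex(
            f"{ha1}:{attrs['nonce']}:{attrs['nc']}:{attrs['cnonce']}:auth:{ha2}"
        )
    return _md5_hex(f"{ha1}:{attrs['nonce']}:{ha2}")  # RFC 2069 compatibility


def authenticate(user_db, attrs):
    """Return 'Access-Accept' or 'Access-Reject' for one digest request."""
    password = user_db.get(attrs.get("username"))
    if password is None:
        return "Access-Reject"
    try:
        expected = expected_response(password, attrs)
    except (KeyError, ValueError):
        # Missing attribute or unsupported option: reject instead of guessing.
        return "Access-Reject"
    supplied = str(attrs.get("response", "")).lower()
    # Constant-time comparison so timing does not leak how many digits matched.
    if hmac.compare_digest(expected.encode("ascii"), supplied.encode("utf-8")):
        return "Access-Accept"
    return "Access-Reject"
```

A response captured for one nonce fails as soon as the server issues a different nonce, because the nonce is an input to the digest.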

Parallel Service Grouping

Cisco Access Registrar 3.0R6 supports parallel service grouping. In Cisco Access Registrar 3.0, Group Services contain a list of references to other services and specify whether the responses from each of the services should be handled as a logical AND or a logical OR function. You specify AND or OR in the Result-Rule attribute of Group Services. The default value is AND.

If Result-Rule is set to AND, the response from the Group Service is positive if each of the referenced services returns a positive result. The response is negative if any of the referenced services returns a negative result. If Result-Rule is set to OR, the response from the Group Service is positive if any of the referenced services returns a positive result. The response is negative if all the referenced services return a negative result.

When the Result-Rule attribute is set to AND or OR, each referenced service is accessed sequentially, and the Group Service waits for a response from the first referenced service before moving on to the next service (if necessary). If a service takes a long time to respond, that causes a delay in sending the request to the next referenced server.

Cisco Access Registrar 3.0R6 introduces two new types of Group Services, parallel-and and parallel-or. These new types are similar to the AND and OR settings except that they ask each referenced service to process the request simultaneously instead of asking each referenced server sequentially, thereby saving processing time.

A parallel-and setting might respond with its own reply as soon as it receives a negative response, but otherwise must wait for all responses before it can respond with a positive reply. Likewise, a parallel-or might respond as soon as it receives a positive response, but otherwise must wait for all responses before it can reply with a negative response.

If a service referenced from a Group Service is of type RADIUS and Accounting-Requests are being processed by the Group Service, setting the AckAccounting property in the remote server affects the behavior of the parallel-or Group Service. If AckAccounting is set to FALSE, the RADIUS Remote Server does not wait for the response from the remote server but returns a response immediately. Because the Group Service is set to parallel-or, once it receives the response from the RADIUS service, it is free to send a response itself. The effect is that the Group Service sends a response acknowledging the Accounting-Request very quickly, and responses from the other referenced services are handled as they arrive.

Note that since AckAccounting was set to FALSE, there is no guarantee that the Remote Server successfully processed the request. Since it is a RADIUS Remote Server, the Cisco AR server attempts for MaxTries to send the request to the server and to get back an acknowledgement, but if that fails, there will be no indication to the client about that event. The acknowledgement to the client has been sent long before.
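The timing and reporting behavior described in this section can be modelled as follows. This is an added example, not Cisco AR code: a deterministic virtual-clock model of the four Result-Rule settings and of AckAccounting set to FALSE. The service names, delays and function names are constructed for illustration.

```python
from dataclasses import dataclass

RULES = ("and", "or", "parallel-and", "parallel-or")


@dataclass(frozen=True)
class Service:
    name: str
    delay_ms: int                # time until the real outcome is known
    ok: bool                     # the real outcome
    ack_accounting: bool = True  # FALSE: answer at once, without waiting

    def reply(self):
        """Return (wait_ms, answer) as seen by the Group Service."""
        if not self.ack_accounting:
            return 0, True
        return self.delay_ms, self.ok


def evaluate(result_rule, services):
    """Model one request through a Group Service; times are in virtual ms."""
    rule = result_rule.lower()
    if rule not in RULES or not services:
        raise ValueError("need a known Result-Rule and at least one service")
    # OR is decided by the first positive answer, AND by the first negative.
    decisive = rule.endswith("or")
    done_at = {}  # service name -> time its real outcome is known

    if rule.startswith("parallel-"):
        replies = [s.reply() for s in services]
        for s in services:
            done_at[s.name] = s.delay_ms  # all start together at t=0
        early = [wait for wait, answer in replies if answer == decisive]
        # Respond on the first decisive answer, otherwise wait for all of them.
        responded_at = min(early) if early else max(w for w, _ in replies)
        positive = decisive if early else not decisive
    else:
        clock, positive = 0, not decisive
        for s in services:  # one after another, only while still undecided
            wait, answer = s.reply()
            done_at[s.name] = clock + s.delay_ms
            clock += wait
            if answer == decisive:
                positive = decisive
                break
        responded_at = clock

    asked = [s for s in services if s.name in done_at]
    return {
        "positive": positive,
        "responded_at_ms": responded_at,
        # Real outcome still unknown when the client got its answer.
        "pending_at_reply": [s.name for s in asked
                             if done_at[s.name] > responded_at],
        # Failed, but the client was never told (AckAccounting = FALSE).
        "unacknowledged_failures": [s.name for s in asked
                                    if not s.ack_accounting and not s.ok],
    }


# Constructed accounting scenario: the RADIUS remote server never answers
# (3000 ms stands for MaxTries being exhausted).
WITH_ACK = [
    Service("odbc-db", 120, True),
    Service("radius-remote", 3000, False),
    Service("local-file", 40, True),
]
WITHOUT_ACK = [
    Service("odbc-db", 120, True),
    Service("radius-remote", 3000, False, ack_accounting=False),
    Service("local-file", 40, True),
]
```

With AckAccounting set to FALSE, `evaluate("parallel-or", WITHOUT_ACK)` answers at 0 ms and lists `radius-remote` under `unacknowledged_failures`, which is the silent loss the paragraph above describes.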


Note: It is not valid to have Services of type Group, EAP_LEAP, or EAP-MD5 referenced from a Service of type Group.


View-Only Administrator

Cisco Access Registrar 3.0R6 introduces the view-only administrator option to aregcmd. When you launch aregcmd with the -V option, an aregcmd session opens in view-only mode, even if the administrator is not a view-only administrator.

You can also create or modify administrative users to be view-only administrators by setting the new View-Only attribute to TRUE. The default setting of the View-Only property for any new administrator is FALSE. When the View-Only property is set to FALSE, an aregcmd session functions as it did previously.

At least one administrator must not be a view-only administrator. When you save your configuration, validation will fail if none of the administrators has the View-Only property set to FALSE.

When you upgrade your Cisco Access Registrar 3.0 software to version R6, any existing administrators will have the View-Only property added and set to FALSE.

When you open an aregcmd session in view-only mode, an error occurs if you attempt to issue a command that modifies the configuration. The following commands issued in a view-only session will cause the error: add, delete, set, unset, insert, validate, save, start, stop, reload, reset-stats, release-sessions, and trace. The error is reported as follows:

316 Command failed: session is View-Only

When the session is not view-only, but the server is a slave server, the following commands cause an error message when the object or property being affected is not under /Radius/Replication, /Radius/Advanced/Ports, /Radius/Advanced/Interfaces, or any properties in /Radius/Advanced: add, delete, set, unset, and insert. The error is reported as follows:

317 Command failed: session is a Replication Slave

Oracle 9 Support

Cisco Access Registrar 3.0R6 provides support for Oracle 9. Oracle 9 support is in addition to Oracle 8.1.6 and 8.1.7 when an ODBC type service is used. When using Oracle 9, set ORACLE_HOME to the location where you have installed Oracle software.

The following changes have been made to support Oracle 9:

The file liboraodbc.so has been renamed to liboraodbc8.so.

The file liboraodbc9.so has been added.

MySQL Support

Cisco Access Registrar 3.0R7 provides MySQL support for querying user records from a MySQL database. Cisco Access Registrar 3.0 has been tested with MySQL 4.0.18 and MyODBC 3.51.06 (reentrant).

For the Cisco AR server to use MySQL, you must create and configure an ODBCDataSource object of type myodbc and a RemoteServer object set to protocol odbc.

Configuring MySQL

To configure the Cisco AR server to query records from a MySQL database, complete the following configuration:


Step 1 Log in to the Cisco AR server and launch aregcmd.

Log in as a user with administrative rights such as user admin.

Step 2 Change directory to the /Radius/Advanced/ODBCDataSources and add a new ODBCDataSource.

cd /Radius/Advanced/ODBCDataSources

add mysql

Step 3 Set the new ODBCDatasource type to myodbc.

cd mysql

set type myodbc

Step 4 Set the Driver property to the path of the MyODBC library.

Step 5 Set the UserID property to a valid username for the MyODBC database and provide a valid password for this user.

Step 6 Provide a DataBase name and the name of the Cisco AR RemoteServer object to associate with the ODBCDataSource.

Step 7 Change directory to /Radius/RemoteServers and add a RemoteServer object to associate with the new ODBCDatasource.

cd /Radius/RemoteServers

add mysql

Step 8 Change directory to the new RemoteServer and set its protocol to odbc.

cd mysql

set protocol odbc

Step 9 Set the ODBCDataSource property to the name of the ODBCDataSource to associate with this RemoteServer object.

set ODBCDataSource mysql


Example Configuration

The following shows an example configuration for a MySQL ODBC data source.

[ //localhost/Radius/Advanced/ODBCDataSources/mysql ]
Name = mysql
Type = myodbc
Driver = /tmp/libmyodbc3_r.so
UserID = mysql
Password = <encrypted>
DataBase = test
Server = mysql-a
Port = 3306

The following shows an example configuration for a RemoteServer.

[ //localhost/Radius/RemoteServers/mysql-a ]
Name = mysql
Description = 
Protocol = odbc
ReactivateTimerInterval = 300000
Timeout = 15
DataSourceConnections = 8
ODBCDataSource = mysql
KeepAliveTimerInterval = 0
SQLDefinition/
ODBCToRadiusMappings/
ODBCToEnvironmentMappings/
ODBCToCheckItemMappings/

Changes from Previous Versions of Cisco AR

Several significant changes were made in Cisco Access Registrar 3.0. This section provides a summary of those changes.

Changes to Package Name

The Cisco Access Registrar software is now in a package named CSCOar. The previous package name was AICar1. The default location for installing the Cisco AR software is now /opt/CSCOar.

Changes to Environment Variables

Table 1 lists four environment variables that have new names in Cisco AR 3.0. If you have been using an earlier version of Cisco AR and have written scripts that use these environment variables, you will have to modify the scripts to use the new names.

Table 1 Environment Variable Name Changes

Old Name        New Name
AIC_CONF        CAR_CONF
AIC_CLUSTER     CAR_CLUSTER
AIC_NAME        CAR_NAME
AIC_PASSWORD    CAR_PASSWORD


Changes to Subdirectories

In Cisco Access Registrar 3.0, the directory structure has been changed to include a new .system directory. Programs in .system should never be run directly. Programs that should be run directly have been moved to the /opt/CSCOar/bin directory, where one would expect to find executable shell scripts.

Executables and shell scripts had previously been located in /opt/AICar1/bin and /opt/AICar1/usrbin. The bin subdirectory is now under /opt/CSCOar. The usrbin subdirectory has been removed, and there is a symbolic link from usrbin to bin.

Relocation of Executables

In previous versions of Cisco AR, executables were divided into the bin and usrbin subdirectories. Executables in the /opt/AICar1/bin were almost all executable link format (ELF) binary SPARC executables not intended to be run directly. Executables in the /opt/AICar1/usrbin were almost all shell scripts that acted as wrappers for the ELFs and were intended to be run directly.

In Cisco AR 3.0, shell scripts have been moved to the bin and the ELFs have been moved to the new .system directory.

Executable Name Changes

Two executable scripts have been renamed. Table 2 lists the two name changes. The new arserver now resides in the /opt/CSCOar/bin directory.

Table 2 Executable Script Name Changes

Old Name                 New Name
screen                   share-access
/etc/init.d/arservagt    arserver


Removal of Wrapper Scripts

To maintain backward compatibility, a symbolic link in Cisco AR 3.0 ties usrbin to bin. In addition, the wrapper scripts have been removed, meaning that there is only one file in the Cisco AR package named aregcmd, for example.

Changes in aregcmd

aregcmd was changed in the Cisco AR 3.0R1 release to correct a security vulnerability. The changes cause an incompatibility between releases of Cisco AR 3.0R1 and all Cisco AR releases prior to it.

After installing Cisco Access Registrar 3.0R1 (or later) software, you will be unable to remotely configure other Cisco AR servers if the software on the remote server is running Cisco AR 3.0R0 or Cisco AR 1.7R6 (or earlier). Conversely, you will also be unable to modify a Cisco AR server running release 3.0R1 (or later) from a remote server running Cisco AR 3.0R0 or Cisco AR 1.7R6 (or earlier).

Attempts to log in to use aregcmd where this incompatibility exists will result in command line responses like the following:

Logging in to hostname
400 Login failed
Login to cluster 'hostname' failed

and:

402 Login failed: version of aregcmd is incompatible with server

Attempts to use aregcmd to remotely configure Cisco AR servers affected by this incompatibility will result in log entries like the following:

07/21/2003 11:38:49 config/mcd/1 Info Protocol 0 new connection 0x981d0 from [10.1.9.104]
07/21/2003 11:38:49 config/mcd/1 Warning Protocol 0 got bad program-number/version, closing connection 0x981d0

If this problem occurs, you can log in to the affected server locally to modify its configuration. If the server is remote, you can use telnet or rlogin to log in remotely, then launch aregcmd.
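The log entries above carry the source address only on the "new connection" line, so finding which hosts are running an incompatible aregcmd means pairing each warning with the connection it closes. The following is an added example, not part of the Cisco AR software: a parser that does this pairing over sample lines. The first two entries are the ones shown above (wrapped as in the original listing); the rest are constructed, and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

STAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ")
NEW_CONN = re.compile(r"new connection (0x[0-9a-fA-F]+) from \[([^\]]+)\]")
BAD_VERSION = re.compile(
    r"got bad program-number/version, closing connection (0x[0-9a-fA-F]+)"
)

# First two entries are from this page; the others are constructed samples.
SAMPLE_LOG = """\
07/21/2003 11:38:49 config/mcd/1 Info Protocol 0 new connection 0x981d0 from
[10.1.9.104]
07/21/2003 11:38:49 config/mcd/1 Warning Protocol 0 got bad program-number/version,
closing connection 0x981d0
07/21/2003 11:41:02 config/mcd/1 Info Protocol 0 new connection 0x981d0 from [192.0.2.17]
07/21/2003 11:41:02 config/mcd/1 Warning Protocol 0 got bad program-number/version, closing connection 0x981d0
07/21/2003 11:45:30 config/mcd/1 Info Protocol 0 new connection 0x98210 from [10.1.9.104]
07/21/2003 11:45:31 config/mcd/1 Warning Protocol 0 got bad program-number/version, closing connection 0x98210
07/21/2003 11:50:00 config/mcd/1 Info Protocol 0 new connection 0x98300 from [192.0.2.44]
""".splitlines()


def unwrap(lines):
    """Rejoin entries wrapped over several lines (continuations have no timestamp)."""
    entry = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if STAMP.match(line):
            if entry is not None:
                yield entry
            entry = line
        elif entry is not None:
            entry += " " + line
    if entry is not None:
        yield entry


def incompatible_clients(lines):
    """Map source address -> count, first and last time of a version rejection."""
    open_conns = {}            # connection handle -> source address
    hits = defaultdict(list)   # source address -> rejection timestamps
    for entry in unwrap(lines):
        when = datetime.strptime(entry[:19], "%m/%d/%Y %H:%M:%S")
        match = NEW_CONN.search(entry)
        if match:
            # Handles are reused, so the latest connection owns the handle.
            open_conns[match.group(1)] = match.group(2)
            continue
        match = BAD_VERSION.search(entry)
        if match:
            # A warning without a preceding connection line is kept as "unknown".
            source = open_conns.pop(match.group(1), "unknown")
            hits[source].append(when)
    return {
        src: {"count": len(times), "first": min(times), "last": max(times)}
        for src, times in hits.items()
    }
```

A source that appears here but is not one of your administration hosts is worth a second look, since the only expected cause on this page is an aregcmd of a different release.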

Related Documentation

The following documents describe Cisco Access Registrar and are available online via CCO and on the Cisco Documentation CD-ROM:

Cisco Access Registrar User's Guide (part number OL-2681-02)

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/3_0/users/index.htm

The Cisco Access Registrar User's Guide describes Cisco Access Registrar components and how to use them.

Cisco Access Registrar Installation and Configuration Guide (part number OL-2682-03)

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/3_0/install/index.htm

The Cisco Access Registrar Installation and Configuration Guide describes how to install and configure the Cisco Access Registrar 3.0 software, and how to customize your site.

Cisco Access Registrar Concepts and Reference Guide (part number OL-2683-01)

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/3_0/concepts/index.htm

The Cisco Access Registrar Concepts and Reference Guide provides information to help you gain a better understanding of Cisco Access Registrar features and concepts.

System Requirements

This section describes the system requirements for installing the Cisco Access Registrar 3.0 software.

Cisco Access Registrar Full Installation

Table 3 lists the system requirements for a full installation of Cisco Access Registrar 3.0.

Table 3 Cisco Access Registrar Full Installation Requirements

Component                 Requirement
CPU Architecture          SPARC
OS Version                Solaris 8
Minimum RAM               64 MB
Recommended RAM           128 MB
Recommended Disk Space    175 MB


Cisco Access Registrar Server-only Installation

Table 4 lists the system requirements for installing the server-only component of Cisco Access Registrar 3.0.

Table 4 Cisco Access Registrar Server-only Requirements 

Component                 Requirement
CPU Architecture          SPARC
OS Version                Solaris 8
Minimum RAM               64 MB
Recommended RAM           128 MB
Recommended Disk Space    130 MB


Cisco Access Registrar Configuration-only Installation

Table 5 lists the system requirements for installing the configuration-only component of Cisco Access Registrar 3.0.

Table 5 Cisco Access Registrar Configuration-only Requirements

Component                 Requirement
CPU Architecture          SPARC
OS Version                Solaris 8
Minimum RAM               32 MB
Recommended RAM           64 MB
Recommended Disk Space    50 MB


The recommended disk space does not include the amount of space needed for accounting records, which can grow rapidly depending on how frequently you process and remove them from the Cisco Access Registrar disk. If Cisco Access Registrar runs out of disk space, it could cause the loss of accounting information and the corruption of session management information.

Co-Existence With Other Network Management Applications

To achieve optimal performance, Cisco Access Registrar should be the only application running on a single machine. You can choose to run collaborative servers such as an Oracle or SQL database system, an LDAP server, or another Solaris application. There are no known conflicts with any other Solaris applications.

You can configure Cisco Access Registrar to avoid UDP port conflicts with other network management applications. The most common conflicts occur when other applications also use ports 2785 and 2786. Another possible conflict could be SNMP. If you configure and use SNMP on your Cisco AR server, no other application can be configured to use SNMP on the Cisco AR machine.


Note: Cisco Network Registrar and Cisco Access Registrar cannot co-exist on the same workstation.


Downloading Cisco Access Registrar Software

You can download the Cisco Access Registrar software from Cisco Connection Online (CCO) at the following URL:

http://www.cisco.com/cgi-bin/tablebuild.pl/access-registrar

You will need your active CCO username and password to achieve access. All current versions of Cisco Access Registrar software including the most recent maintenance releases are available for download. The link for Cisco Access Registrar 3.0R9 software is ar-3.0r9-sunos58.tar.gz. You might also need the zcat program file to unpack the software file (.tar.gz suffix).

Cisco AR provides extensions that can be written in Java. If you intend to write Java extensions, the Java Runtime Environment (JRE) is required. You can download a current version of the JRE from http://java.sun.com.

Upgrading Cisco Access Registrar Software

The software upgrade procedure has been changed in Cisco Access Registrar 3.0. If you are upgrading from a previous release, you are no longer required to export your existing database to retain it.

The installation process provides the following options to consider before you begin to upgrade your software:

Upgrade from an earlier version of Cisco AR and erase your previous configuration

Upgrade from an earlier version of Cisco AR and retain your previous configuration

Install Cisco AR on a system for the first time

Before you install the software, the following tasks must be done:

Ensure that replication is disabled


Note: If you are using Cisco Access Registrar's replication feature, you must disable it during the upgrade process or the upgrade will fail. When completed, refer to the "Restarting Replication" section for the correct way to restart replication.


Use pkgrm to remove the earlier version of Cisco Access Registrar executables

If you plan to use Cisco Access Registrar's SNMP features:

Disable the current Sun SNMP daemon

Prevent the Sun SNMP daemon from restarting after a reboot

To upgrade your software to Cisco AR 3.0, log in as user root and complete the following steps:


Step 1 Log in as administrator and use aregcmd to ensure that replication is disabled.

cd /radius/replication

[ //localhost/Radius/Replication ]
RepType = None
RepTransactionSyncInterval = 60000
RepTransactionArchiveLimit = 100
RepIPAddress = 0.0.0.0
RepPort = 1645
RepSecret = NotSet
RepIsMaster = FALSE
RepMasterIPAddress = 0.0.0.0
RepMasterPort = 1645
Rep Members/

Make sure that RepType is set to None.

Step 2 If you made changes, save them and exit the aregcmd command interface.

Step 3 Remove the existing Cisco Access Registrar software package.

To remove Cisco AR 1.7 (or earlier) software, enter the following:

pkgrm AICar1

To remove Cisco AR 3.0 software, enter the following:

pkgrm CSCOar

Step 4 If you plan to use Cisco Access Registrar's SNMP features, disable the Sun SNMP daemon by entering the following:

/etc/rc3.d/S76snmpdx stop

/etc/rc3.d/S77dmi stop

Step 5 If you plan to use Cisco Access Registrar's SNMP features, prevent the Sun SNMP daemon from restarting after a reboot by entering the following:

mkdir /etc/rc3.d/.disabled

mv /etc/rc3.d/S76snmpdx /etc/rc3.d/.disabled

mv /etc/rc3.d/S77dmi /etc/rc3.d/.disabled


Preparing to Install Downloaded Cisco Access Registrar Software

This section provides you with information to help you prepare to install downloaded software. The current version is named ar-3.0r9-sunos58.tar.gz.

You might also need to download the file zcat (from the same location as the software package) and use the chmod command to make zcat executable, as in chmod 555 zcat.

Complete the following steps to prepare for software installation.


Step 1 Create a temporary directory, such as /tmp/AR, to hold the downloaded software package.

Step 2 Become root user by entering su and the root password.

Step 3 Change directory to the location where you have stored the downloaded software package.

host# cd /tmp/AR

Step 4 Use the following command line to uncompress the tarfile and extract the installation package files.

host# ./zcat ar-3.0r9-sunos58.tar.gz | tar xvf -


Designating the JRE Location

If you plan to use Java extensions, you must indicate during the software installation process the directory location where the JRE is installed. If you reply that you plan to use Java extensions, the installation process requests the directory where the JRE is installed.

If you already have JRE installed, please enter the directory
where it is installed.  Press return otherwise.

Where is the current JRE installed?  [?,q] /directory/j2re1.4.0

Step 5 Enter the directory where the JRE is installed, as shown above.

If you do not enter a directory and simply press Enter, the following message will display:

You can download the JRE from:

    http://java.sun.com/products/archive

pkgadd: ERROR: request script did not complete successfully

Installation of <CSCOar> failed.
No changes were made to the system.

If you enter an invalid directory, the following message will display:

Where is the current JRE installed?  [?,q] /foo 

The directory specified does not contain java, please
download a compatible one from:

    http://java.sun.com/products/archive

pkgadd: ERROR: request script did not complete successfully

Installation of <CSCOar> failed.
No changes were made to the system.


In either case, you must install a current JRE or provide the correct location where the JRE is installed. Refer to the "Downloading Cisco Access Registrar Software" section.

Upgrade Cisco Access Registrar Software and Retain Your Configuration

This section describes how to upgrade your Cisco Access Registrar software and retain your existing configuration database.


Step 1 Become root user by entering su, then the root password.

Step 2 Enter the following command:

pkgadd -d /tmp/AR CSCOar

where /tmp/AR is the temporary directory you created to uncompress and extract the installation files.

Step 3 Select the location where you first installed the package, or accept the default location of /opt/CSCOar.

You are prompted for the type of installation you want: Full (both the server and the configuration utility), Server-only, or Configuration-only.

Step 4 Select the default for a Full installation.

The upgrade process detects an earlier version of Cisco Access Registrar and displays the following message:

The AR local database contains:"
  * session information"
  * all server object definitions"
  * local UserLists"

Do you want to preserve the local database in /opt/CSCOar [y,n,?,q] y 

Step 5 Because you want to retain your configuration, enter y.

You are prompted to provide a Cisco AR administrator username and password.

Step 6 Enter the username for a Cisco AR administrator and the password, then retype the password.

The upgrade process asks if you want to remove old session information.

Remove old sessions in /opt/CSCOar/data/radius [y,n,?,q]

Step 7 If you want to remove the old session information, enter y. If you enter n, you will retain the old session information.

Step 8 The upgrade process informs you that files are being installed with setuid and/or setgid permissions and prompts you whether or not to install these files as setuid/setgid files. Reply Yes to continue.

Step 9 The upgrade process informs you that scripts requiring super-user permission will be executed during the installation. Reply Yes to continue.

The software installation process begins.

Installing Access Registrar 3.0R9 [SunOS-5.8, ns30, gcc] as <CSCOar>
## Installing part 1 of 1.
/opt/CSCOar/README
/opt/CSCOar/bin/screen
/opt/CSCOar/conf/screen.orig
.
.
.
## Executing postinstall script.
# setting up command script /opt/CSCOar/usrbin/screen
# setting up command script /opt/CSCOar/usrbin/arstatus
# setting up command script /opt/CSCOar/usrbin/mcdadmin
# setting up command script /opt/CSCOar/usrbin/mcdshadow
# setting up command script /opt/CSCOar/usrbin/radclient
# setting up command script /opt/CSCOar/usrbin/aregcmd
# setting up control script /etc/init.d/arserver
# linking /etc/init.d/arserver to /etc/rc.d files
# setting up product configuration file /opt/CSCOar/conf/car.conf
Starting Access Registrar Server Agent..completed.

# Upgrade of the configuration db is in progress
 
# Backing up configuration.
# Wait..... 

Back-up Copy of Original Configuration

At this point, the upgrade process displays a message like the following to indicate where a copy of your original configuration has been stored.

###############################################################
#
#  A backup copy of your original configuration has been
#  saved to the file:
#
#    /opt/CSCOar/temp/10062.origconfig-backup
#
#  If you need to restore the original configuration,
#  enter the following command:
#
#    mcdadmin -coi /opt/CSCOar/temp/10062.origconfig-backup
#
###############################################################

Removing Old VSA Names

The upgrade process continues with an analysis of the configuration database, addition of new database elements, and a search for obsolete VSA names. When this is complete, a message like the following is displayed:

##############################################################
#
#   Sometimes VSAs get renamed from version to version of AR.
#   The upgrade process does not automatically remove the
#   old names. The upgrade process has generated a script
#   to remove the old names. The script is located in:
#
#       /opt/CSCOar/temp/10062.manual-deletes
#
#   Review the script to make sure you are not using any of
#   these old VSAs. Modify your configuration and your
#   scripts to use the new names before you attempt to run
#   the script.
#
#   To run the removal script, type:
#
#       aregcmd -sf /opt/CSCOar/temp/10062.manual-deletes
#
##############################################################

At this point, you should examine the script produced by the upgrade process to make sure that your site is not using any of the old VSAs. In the example above, the script can be found at /opt/CSCOar/temp/10062.manual-deletes.


Note The number preceding manual-deletes is produced from the PID of the upgrade process.


Step 10 Modify your configuration and your scripts to use the new names before you attempt to run the script generated by the upgrade process.

VSA Update Script

The upgrade process continues and builds a script you can use to update VSAs in your system.

##############################################################
#
#   VSAs for the old AR version are not updated
#   automatically. The upgrade process generated a script
#   to perform the update. The script is located in:
#
#       /opt/CSCOar/temp/10062.manual-changes
#
#   Review the script to make sure it does not conflict with
#   any of your VSA changes. Make sure you modify the script,
#   if necessary, before you attempt to run it.
#
#   To run the update script, type:
#
#       aregcmd -sf /opt/CSCOar/temp/10062.manual-changes
#
##############################################################

Step 11 Review the script and make sure that the changes it will make do not conflict with any changes you might have made to the VSAs. Modify the script if necessary.

Step 12 Record the location of the upgrade messages for future reference.

##############################################################
#
#  These upgrade messages are saved in:
#
#      /opt/CSCOar/temp/10062.upgrade-log
#
##############################################################


Starting the Cisco AR Server

After you have completed the upgrade steps described above, you can start the Cisco AR server.

/etc/init.d/arserver   start

Configuring SNMP

If you choose not to use the SNMP features of Cisco Access Registrar, the installation process is completed. To use SNMP features, complete the configuration procedure described in SNMP Configuration.

Upgrade Cisco Access Registrar Software and Erase Your Configuration

This section describes how to upgrade your Cisco Access Registrar software and erase your existing configuration database.


Step 1 Become root user by entering su, then the root password.

Step 2 Enter the following command:

pkgadd -d /tmp/AR CSCOar

where /tmp/AR is the temporary directory you created to uncompress and extract the installation files.

Cisco Access Registrar 3.0R9 [SunOS-5.8, official]
(sparc) 3.0R9
Copyright (C) 1998-2004 by Cisco Systems, Inc.
This program contains proprietary and confidential information.
All rights reserved except as may be permitted by prior written
consent.

Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q]

Step 3 Select the location where you first installed the package, or accept the default location of /opt/CSCOar.

Cisco AR provides extensions that can be written in Java.
If you intend to write Java extensions, the Java Runtime
Environment (JRE) is required.

Do you require the Cisco AR Java extension? [No]: [?,q] 

Step 4 If you do not plan to use Java extensions, enter No, and skip to Step 6. If you do plan to use Java extensions, enter Yes.

If you already have JRE installed, please enter the directory
where it is installed.  Press return otherwise.

Where is the current JRE installed?  [?,q] 

Step 5 If you entered Yes, enter the directory where the JRE is installed.

Where is the current JRE installed?  [?,q] /directory/j2re1.4.0

You are prompted for the type of installation you want: Full (both the server and the configuration utility), Server-only, or Configuration-only.

Step 6 Select the default for a Full installation.

The upgrade process detects an earlier version of Cisco Access Registrar and displays the following message:

The AR local database contains:"
  * session information"
  * all server object definitions"
  * local UserLists"

Do you want to preserve the local database in /opt/CSCOar [y,n,?,q] 

Step 7 Because you are erasing your original configuration, enter n.

The upgrade process displays a message about example configurations that can be installed with the software. These examples can help you with initial configuration of Cisco Access Registrar.

Do you want to install the example configuration now [y,n,?,q]

Step 8 Enter y to install the example configuration, or n if you do not want to install it.

You can delete the example configuration at any time by running the following command:

$INSTALL/usrbin/aregcmd -f $INSTALL/examples/cli/delete-example-configuration.rc

Step 9 The upgrade process informs you that files are being installed with setuid and/or setgid permissions and prompts you whether or not to install these files as setuid/setgid files. Reply Yes to continue.

Step 10 The upgrade process informs you that scripts requiring super-user permission will be executed during the installation. Reply Yes to continue.

The software installation process begins.

Installing Access Registrar 3.0R9 [SunOS-5.8, ns30, gcc] as <CSCOar>
## Installing part 1 of 1.
/opt/CSCOar/README
/opt/CSCOar/bin/screen
/opt/CSCOar/conf/screen.orig
.
.
.
# installing example configuration
Starting Access Registrar Server Agent..completed.

The Radius server is now running.

If SNMP needs to be reconfigured please follow the following procedure:

(1) stop AR: /etc/init.d/arserver stop
(2) edit: /cisco-ar/ucd-snmp/share/snmp/snmpd.conf
(3) restart AR: /etc/init.d/arserver start

# done with postinstall.

Installation of <CSCOar> was successful.

If you choose not to use the SNMP features of Cisco Access Registrar, the installation process is completed. To use SNMP features, complete the configuration procedure described in SNMP Configuration.

Restarting Replication

Before you enable replication, you must first upgrade all replication slave servers to the same version of Cisco Access Registrar software as the master server. Do not enable replication on the master server until all slave servers have been upgraded.

Use the same process you used to upgrade the master server to upgrade any slave servers. If you retained your configuration on the master, retain the configuration on the slaves, too.

After the same version of Cisco Access Registrar software has been installed on all slave servers, you can enable replication on the master server again. After enabling replication on the master server, you can enable replication on each of the slave servers.

Installing Cisco Access Registrar Software For the First Time

This section provides information to help you install Cisco Access Registrar software on a system for the first time.

Adding Group Staff

Before you begin to install the software, check your workstation's group file and make sure that group staff exists. Software installation will fail if group staff does not exist before installing the software.

Installing from CD-ROM

To begin installing software from the product CD, complete the following steps:


Step 1 Become root user by entering su, then the root password.

Step 2 Enter the following command:

pkgadd -d /cdrom/cdrom0/kit/sunos58 CSCOar

Step 3 Proceed to Installing Software.


Uncompressing the Tarfile and Extracting Files

If you downloaded the Cisco Access Registrar 3.0 software from the Cisco Access Registrar Resource Center, the software package is contained within a compressed tarfile named ar-3.0sunos58.tar.gz.


Note You might also need to download the file zcat (from the same location as the software package) and use the chmod command to make zcat executable, as in
chmod 555 zcat.


Complete the following steps to prepare for software installation.


Step 1 Create a temporary directory, such as /tmp/AR, to hold the downloaded software package.

Step 2 Become root user by entering su and the root password.

Step 3 Change directory to the location where you have stored the uncompressed tarfile.

host# cd /tmp/AR

Step 4 Use the following command line to uncompress the tarfile and extract the installation package files.

host# ./zcat  ar-3.0r9-sunos58.tar.gz | tar xvf -


Preparing to Use SNMP

If you plan to use the SNMP features of Cisco Access Registrar, complete the following steps:


Step 1 Become root user by entering su, then the root password.

Step 2 Enter the following commands to disable the Sun SNMP daemon and allow Cisco AR's SNMP daemon to function:

/etc/rc3.d/S76snmpdx stop

/etc/rc3.d/S77dmi stop

Step 3 Enter the following commands to prevent the Sun SNMP daemon from restarting after a reboot:

mkdir /etc/rc3.d/.disabled

mv /etc/rc3.d/S76snmpdx /etc/rc3.d/.disabled

mv /etc/rc3.d/S77dmi /etc/rc3.d/.disabled


Installing Software

To begin installing downloaded software, complete the following steps:


Step 1 Become root user by entering su, then the root password.


Note If you do not plan to use Cisco Access Registrar's SNMP features, skip steps 2 and 3 and proceed to step 4.


Step 2 If you plan to use Cisco Access Registrar's SNMP features, disable the Sun SNMP daemon by entering the following:

/etc/rc3.d/S76snmpdx stop

/etc/rc3.d/S77dmi stop

Step 3 If you plan to use Cisco Access Registrar's SNMP features, prevent the Sun SNMP daemon from restarting after a reboot by entering the following:

mkdir /etc/rc3.d/.disabled

mv /etc/rc3.d/S76snmpdx /etc/rc3.d/.disabled

mv /etc/rc3.d/S77dmi /etc/rc3.d/.disabled

Step 4 Enter the following command:

pkgadd -d /tmp/AR CSCOar

where /tmp/AR is the temporary directory you created to uncompress and extract the installation files.

Processing package instance <CSCOar> from
	   <source_directory/ar-3.0r9-sunos58>

Cisco Access Registrar 3.0R9 [SunOS-5.8, official]
(sparc) 3.0R9
Copyright (C) 1998-2004 by Cisco Systems, Inc.
This program contains proprietary and confidential information.
All rights reserved except as may be permitted by prior written
consent.

Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q]

Step 5 Select the location where you want to install the package, or accept the default location of /opt/CSCOar.

Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q]

Step 6 If the directory does not exist, you are asked if you want it created. Choose Yes to continue the installation.

Cisco AR provides extensions that can be written in Java.
If you intend to write Java extensions, the Java Runtime
Environment (JRE) is required.

Do you require the Cisco AR Java extension? [No]:  [?,q]

Step 7 If you plan to use Cisco AR Java extensions, reply Yes. If you do not plan to use Cisco AR Java extensions reply No and skip to Step 6.

When using Cisco AR Java extensions, the installation process requests the directory where the JRE is installed.

If you already have JRE installed, please enter the directory
where it is installed.  Press return otherwise.

Where is the current JRE installed?  [?,q] /directory/j2re1.4.0

Step 8 Enter the directory where the JRE is installed, as shown above.

If you do not enter a directory, and simply press Enter, the following message will display, and the installation will fail without making changes to the system.

You can download the JRE from:

    ftp://ftpeng.cisco.com/ftp/cnsar/3.0/official

The filename is:j2re-1_4_1-solaris-sparc.sh

After you have installed the JRE, re-initiate the Cisco AR
software installation.

pkgadd:ERROR:request script did not complete successfully

Installation of <CSCOar> failed.
No changes were made to the system.

If you enter an invalid directory, the following message will display, and the installation will fail without making changes to the system.

Where is the current JRE installed?  [?,q] /foo 

The directory specified does not contain java, please
download a compatible one from:

    ftp://ftpeng.cisco.com/ftp/cnsar/3.0/official

The filename is:j2re-1_4_1-solaris-sparc.sh

pkgadd:ERROR:request script did not complete successfully

Installation of <CSCOar> failed.
No changes were made to the system. 

In either case, you must install a current JRE or provide the correct location where the JRE is installed. Refer to the "Downloading Cisco Access Registrar Software" section.

This package contains the Access Registrar Server and the Access
Registrar Configuration Utility.  You can choose to perform a Full
installation, just install the Server, or just install the
Configuration Utility.

What type of installation: Full, Server only, Config only [Full] [?,q] 

Step 9 Select the type of installation you want: Full (both the server and the configuration utility), Server-only, or Configuration-only. Select the default for a Full installation.

To select Server-only, enter Server. To select configuration-only, enter Config.


Note If you choose to install the server over a previous installation, the installation will prompt you with the following questions.


a. If the installation detects a configuration database from a previous installation of Cisco Access Registrar, it asks you if you want to overwrite the database. If you want to start with a clean configuration and remove your session information, answer Yes. If you want to keep your original configuration information, answer No.

b. If you answer No to overwriting the database, the installation asks you if you want to overwrite the session information. If you want to start with empty session information, answer Yes. If you want to keep your original information, answer No.

The AR local database contains:"
  * session information"
  * all server object definitions"
  * local UserLists"

Do you want to preserve the local database in /opt/CSCOar [y,n,?,q] 

Step 10 When prompted whether to preserve the local database, reply Yes or No to continue.

If you choose to preserve the local database, you are required to enter the administrator's User ID and password.

The upgrade procedure needs administrator access to your
configuration so that it can upgrade it.

Enter an AR administrator username and password:
 
User: admin
Password: 
Retype password: 
 

If you choose to preserve the local database, you are prompted whether to remove old sessions.

Remove old sessions in /opt/CSCOar/data/radius [y,n,?,q] 

Step 11 When prompted whether to remove old sessions, reply Yes or No to continue.

If you want to learn about Access Registrar by following the examples
in the Installation and Configuration Guide, you need to populate the
database with the example configuration.

Do you want to install the example configuration now [y,n,?,q] 

Step 12 When prompted whether to install the example configuration now, reply Yes to continue.


Note You can delete the example configuration at any time by running the command /opt/CSCOar/usrbin/aregcmd -f /opt/CSCOar/examples/cli/delete-example-configuration.rc.


The installation process displays a message about using ODBC.

If you are not using ODBC, press Enter/Return to skip this step.
ORACLE installation directory is required for ODBC configuration.
ORACLE_HOME variable will be set in /etc/init.d/arserver script

Where is ORACLE installed ? [] [?,q] 

Step 13 If you plan to use Oracle and ODBC, enter the path to the Oracle installation directory; otherwise, press Enter to continue.

The following files are being installed with setuid and/or setgid
permissions:
  /opt/CSCOar/.system/screen <setuid root>
 /opt/CSCOar/bin/aregcmd <setgid staff>

Do you want to install these as setuid/setgid files [y,n,?,q] 

Step 14 The installation process prompts you whether or not to install files as setuid/setgid files. Reply Yes to continue.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <CSCOar> [y,n,?] y


Note After you reply Yes to the following step, the Cisco Access Registrar 3.0 software is installed on the target workstation.


Step 15 The installation informs you that it will install scripts that will run as the superuser (su). Reply Yes to begin the software installation. (If you reply No, the installation will abort.)

Installing Cisco Access Registrar 3.0R9 [SunOS-5.8, official] as <CSCOar>

## Installing part 1 of 1.
/opt/CSCOar/.system/screen
/opt/CSCOar/README
/opt/CSCOar/bin/arbug
...

The installation copies all of the files and starts the Access Registrar Server Agent which, in turn, starts the Cisco Access Registrar server (if you chose to install the server).

## Executing postinstall script.
# setting up product configuration file /opt/CSCOar/conf/car.conf
# linking /etc/init.d/arserver to /etc/rc.d files
# setting ORACLE_HOME variable in arserver
Starting Access Registrar Server Agent..completed.
 
The Radius server is now running.
 

Note If you plan to use SNMP, note the following message.


If SNMP needs to be reconfigured please follow the following
procedure:
 
(1) stop AR: /opt/CSCOar/bin/arserver stop
(2) edit: /cisco-ar/ucd-snmp/share/snmp/snmpd.conf
(3) restart AR: /opt/CSCOar/bin/arserver start
 
# done with postinstall.

Installation of <CSCOar> was successful.

The installation process displays a message informing you it completed successfully.

The following packages are available:
  1  CSCOar     Cisco Access Registrar 3.0R9 [SunOS-5.8, official]
                (sparc) 3.0R9

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: q

Step 16 The installation returns to the opening prompt. Choose q to quit the pkgadd program.


If you choose not to use the SNMP features of Cisco Access Registrar, the installation process is completed. To use SNMP features, complete the procedure described in the "SNMP Configuration" section.

Modifying Your Environment

The following scripts are provided to make access to Cisco AR programs and documentation easier. You can insert one of the following scripts into your login script to set up your environment properly. When you use these scripts, you do not have to enter long path names to run Cisco AR programs. For example, instead of entering $INSTALLPATH/usrbin/aregcmd, you can now enter aregcmd.

Bourne, Korn, Bash, or zsh

If you are using a Bourne shell (sh), Korn shell (ksh), bash, or zsh, add the following lines to your .profile file.

INSTALLPATH=/opt/CSCOar
##           (or replace with your install path)

# Each test for an empty value avoids a leading or trailing ':' (an empty
# search-path element) when the variable had no previous value.
if [ "$LD_LIBRARY_PATH" = "" ]; then
    LD_LIBRARY_PATH=$INSTALLPATH/lib:$INSTALLPATH/ucd-snmp/lib
else
    LD_LIBRARY_PATH=$INSTALLPATH/ucd-snmp/lib:$LD_LIBRARY_PATH
    LD_LIBRARY_PATH=$INSTALLPATH/lib:$LD_LIBRARY_PATH
fi

if [ "$PATH" = "" ]; then
    PATH=$INSTALLPATH/usrbin:$INSTALLPATH/bin
    PATH=$PATH:$INSTALLPATH/ucd-snmp/bin
    PATH=$PATH:$INSTALLPATH/ucd-snmp/sbin
else
    PATH=$INSTALLPATH/ucd-snmp/sbin:$PATH
    PATH=$INSTALLPATH/ucd-snmp/bin:$PATH
    PATH=$INSTALLPATH/bin:$PATH
    PATH=$INSTALLPATH/usrbin:$PATH
fi

if [ "$MANPATH" = "" ]; then
    MANPATH=$INSTALLPATH/ucd-snmp/man:/usr/share/man
else
    MANPATH=$INSTALLPATH/ucd-snmp/man:$MANPATH
fi

CAR_CONF=$INSTALLPATH/conf/car.conf

# Export so that child processes see the updated values.
export LD_LIBRARY_PATH
export PATH
export CAR_CONF
export MANPATH

csh or tcsh

If you are using csh or tcsh, add the following lines to your .cshrc file.

set INSTALLPATH = /opt/CSCOar
##                (or replace with your install path)

# csh aborts on a reference to an unset variable, so define it as empty first.
if ( ! $?LD_LIBRARY_PATH ) setenv LD_LIBRARY_PATH ""
if ( "$LD_LIBRARY_PATH" == "" ) then
    setenv LD_LIBRARY_PATH $INSTALLPATH/lib:$INSTALLPATH/ucd-snmp/lib
else
    setenv LD_LIBRARY_PATH $INSTALLPATH/ucd-snmp/lib:$LD_LIBRARY_PATH
    setenv LD_LIBRARY_PATH $INSTALLPATH/lib:$LD_LIBRARY_PATH
endif

if ( "$PATH" == "" ) then
    setenv PATH $INSTALLPATH/usrbin:$INSTALLPATH/bin
    setenv PATH ${PATH}:$INSTALLPATH/ucd-snmp/bin
    setenv PATH ${PATH}:$INSTALLPATH/ucd-snmp/sbin
else
    setenv PATH $INSTALLPATH/ucd-snmp/sbin:$PATH
    setenv PATH $INSTALLPATH/ucd-snmp/bin:$PATH
    setenv PATH $INSTALLPATH/bin:$PATH
    setenv PATH $INSTALLPATH/usrbin:$PATH
endif

# Same guard for MANPATH, which is often unset.
if ( ! $?MANPATH ) setenv MANPATH ""
if ( "$MANPATH" == "" ) then
    setenv MANPATH $INSTALLPATH/ucd-snmp/man:/usr/share/man
else
    setenv MANPATH $INSTALLPATH/ucd-snmp/man:$MANPATH
endif

setenv CAR_CONF $INSTALLPATH/conf/car.conf

Changing Log Directory

By default, Cisco Access Registrar log files are stored in the $INSTALLPATH/log directory. You can change the directory where log messages are stored by adding the following line in the $INSTALLPATH/conf/car.conf file.

LOGDIR full_path

Where full_path is a full path to the directory where you want to store the log messages.

For example, to store all system logs in /var/log/CSCOar, add the following line in the $INSTALLPATH/conf/car.conf file:

LOGDIR /var/log/CSCOar

You must stop the Cisco AR server before changing the car.conf file. After changing the car.conf file, copy all existing log files to the new directory, then restart the server.

SNMP Configuration

Before you can perform SNMP configuration, you must first stop the SNMP master agent, then configure your local snmpd.conf file. The snmpd.conf file is the configuration file which defines how the Cisco AR server's SNMP agent operates. The snmpd.conf file may contain any of the directives found in the DIRECTIVES section.

Stopping the Master Agent

You stop the Cisco AR SNMP master agent by stopping the Cisco Access Registrar server.

arserver   stop

Modifying the snmpd.conf File

The path to the snmpd.conf file is /cisco-ar/ucd-snmp/share/snmp. Use vi (or another text editor) to edit the snmpd.conf file. There are three parts of this file to modify:

Access Control

Trap Recipient

System Contact Information

Access Control

Access control defines who can query the system. By default, the agent responds to the public community for read-only access, if run without any configuration file in place.

The following example from the default snmpd.conf file shows how to configure the agent so that you can change the community names, and give yourself write access as well.

Complete the following steps to modify the snmpd.conf file.


Step 1 Look for the following lines in the snmpd.conf file for the location in the file to make modifications:

###############################################################################

# Access Control

###############################################################################

Step 2 First map the community name (COMMUNITY) into a security name that is relevant to your site, depending on where the request is coming from:

# sec.name source community

com2sec local localhost private

com2sec mynetwork 10.1.9.0/24 public

The com2sec directive specifies the mapping from a source/community pair to a security name. The format of com2sec is: NAME   SOURCE   COMMUNITY

SOURCE can be a hostname, a subnet, or the word default. A subnet can be specified as IP/MASK or IP/BITS. The first source/community combination that matches the incoming packet is selected.

Step 3 Map the security names into group names. The group directive defines the mapping from securitymodel/securityname to group. Model is one of v1, v2c, or usm. The format of the group directive is:
group   NAME   MODEL   SECURITY

# sec.model sec.name

group MyRWGroup v1 local

group MyRWGroup v2c local

group MyRWGroup usm local

group MyROGroup v1 mynetwork

group MyROGroup v2c mynetwork

group MyROGroup usm mynetwork

Step 4 Create a view to enable the groups to have rights. The view directive defines the named view. The format of the view directive is: view   NAME   TYPE   SUBTREE   [MASK]

TYPE is either included or excluded.

# incl/excl subtree mask

view all included .1 80

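Step 5 Finally, grant the two groups access to the one view with different write permissions.

The access directive maps from group/security model/security level to a view. The format of the access directive is: access   NAME   CONTEXT   MODEL   LEVEL   PREFX   READ   WRITE   NOTIFY

MODEL is one of any, v1, v2c, or usm. LEVEL is one of noauth, auth, or priv. PREFX specifies how CONTEXT should be matched against the context of the incoming PDU, either exact or prefix. READ, WRITE, and NOTIFY specify the view to be used for the corresponding access. For v1 or v2c access, LEVEL will be noauth, and CONTEXT will be empty.

In the example below, MyRWGroup (the private community from localhost) receives write access to the all view, and MyROGroup (the public community from 10.1.9.0/24) is read-only.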

# context sec.model sec.level match read write notif

access MyROGroup "" any noauth exact all none none

access MyRWGroup "" any noauth exact all all none
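
The chain in Steps 2 through 5 (com2sec to group to access) decides which community string, from which source, ends up with write access. The following Python check is an added example, not part of the Cisco documentation or of ucd-snmp: it parses those three directives and reports default community names, unrestricted sources, and community-based write access. The finding codes and the values in TIGHTENED_CONF are constructed for illustration.

```python
import ipaddress
import shlex

# The directives from Steps 2-5 above, unchanged.
PAGE_CONF = '''
com2sec local     localhost    private
com2sec mynetwork 10.1.9.0/24  public
group MyRWGroup v1  local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1  mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork
view all included .1 80
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all  none
'''

# Constructed variant: a site-specific community (placeholder value) and no
# write view for any community-based group.
TIGHTENED_CONF = '''
com2sec mynetwork 10.1.9.0/24 EXAMPLE-site-string
group MyROGroup v2c mynetwork
view all included .1 80
access MyROGroup "" any noauth exact all none none
'''

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_MODELS = {"v1", "v2c"}   # community strings only apply to v1/v2c


def parse(text):
    """Return the com2sec, group and access directives found in text."""
    conf = {"com2sec": [], "group": [], "access": []}
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw, comments=True)   # keeps "" as an empty token
        except ValueError:
            continue                                # unbalanced quote: skip line
        if len(tok) == 4 and tok[0] == "com2sec":
            conf["com2sec"].append(
                {"sec": tok[1], "source": tok[2], "community": tok[3]})
        elif len(tok) == 4 and tok[0] == "group":
            conf["group"].append(
                {"group": tok[1], "model": tok[2], "sec": tok[3]})
        elif len(tok) == 9 and tok[0] == "access":
            conf["access"].append(
                {"group": tok[1], "model": tok[3], "level": tok[4],
                 "read": tok[6], "write": tok[7]})
    return conf


def source_is_open(source):
    """True when SOURCE is the word default or a zero-length prefix."""
    if source == "default":
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:              # a hostname such as localhost
        return False


def audit(text):
    """Follow com2sec -> group -> access.

    Returns a sorted list of (code, community, source, detail) tuples.
    """
    conf = parse(text)
    findings = set()
    for c in conf["com2sec"]:
        who = (c["community"], c["source"])
        if c["community"] in DEFAULT_COMMUNITIES:
            findings.add(("DEFAULT_COMMUNITY",) + who + ("",))
        if source_is_open(c["source"]):
            findings.add(("ANY_SOURCE",) + who + ("",))
        for g in conf["group"]:
            if g["sec"] != c["sec"] or g["model"] not in COMMUNITY_MODELS:
                continue
            for a in conf["access"]:
                # v1/v2c requests are noauth, so only noauth rows can match.
                if (a["group"] == g["group"]
                        and a["model"] in ("any", g["model"])
                        and a["level"] == "noauth"
                        and a["write"] != "none"):
                    detail = a["group"] + ":" + a["write"]
                    findings.add(("COMMUNITY_WRITE",) + who + (detail,))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("page", PAGE_CONF), ("tightened", TIGHTENED_CONF)):
        print(label, audit(text))
```

Run it against the edited snmpd.conf before starting the master agent again; an empty list means no community string in the file is a default name, open to any source, or mapped to a write view.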


Trap Recipient

The following example shows the default configuration that sets up traps for SNMP versions v1 and v2c.


Note Most sites use a single NMS, not two as shown below.


# -----------------------------------------------------------------------------

trapcommunity trapcom

trapsink zubat trapcom 162

trap2sink ponyta trapcom 162

###############################################################################


Note trapsink is used in SNMP version 1; trap2sink is used in SNMP version 2.


The trapcommunity directive defines the default community string to be used when sending traps. This command must appear prior to trapsink or trap2sink which use this community string.

trapsink and trap2sink are defined as follows:

trapsink hostname community port

trap2sink hostname community port

System Contact Information

System contact information is provided in two variables through the snmpd.conf file, syslocation and syscontact.

Look for the following lines in the snmpd.conf file:

###############################################################################

# System contact information

#

#

syslocation Your Location, A Building, 8th Floor

syscontact A. Person <someone@somewhere.org>

Starting the Master Agent

You start the master agent by starting the Cisco Access Registrar server.

arserver   start

Enabling SNMP

After you have started the Cisco Access Registrar server again, you can enable SNMP and begin using the feature. To enable SNMP on the Cisco AR server, complete the following steps:


Step 1 As an admin, launch the aregcmd and cd to /Radius/Advanced/SNMP.

aregcmd
cd /Radius/adv/snmp

[ //localhost/Radius/Advanced/SNMP ]
Enabled = FALSE
TracingEnabled = FALSE
InputQueueHighThreshold = 90
InputQueueLowThreshold = 60
MasterAgentEnabled = TRUE

Step 2 Enter the following command:

set enabled True

Step 3 Exit aregcmd and stop the Cisco AR server; enter the following:

arserver   stop

Step 4 Start the Cisco AR server; enter the following:

arserver   start


Note SNMP is not enabled until you stop and restart the server.



Cisco Access Registrar Subdirectories

The installation process populates the /opt/CSCOar directory with the subdirectories listed in Table 6.

Table 6 CSCOar Subdirectories 

| Subdirectory | Description |
|---|---|
| .system | Contains executables that should not be run directly |
| bin | Contains the program executables |
| usrbin | Contains a symbolic link that points to bin. |
| data | Contains the radius directory that contains session backing files, the db directory that contains configuration database files, the db.bak directory that contains backup files, and the archive directory that contains the replication archive. |
| logs | Contains system logs and is the default directory for RADIUS accounting |
| scripts | Contains sample scripts that you can use to customize your RADIUS server |
| examples | Contains documentation, sample configuration scripts, and shared library scripts |
| lib | Contains Cisco Access Registrar software library files |
| ucd-snmp | Contains the UCD-SNMP software Cisco Access Registrar uses |
| temp | Used for temporary storage |
| conf | Contains configuration files |


Using the Cisco AR License

Cisco Access Registrar licensing controls your ability to configure your servers. Every copy of Cisco Access Registrar requires a license. You must enter your license the first time you configure each cluster.

To get your Cisco Access Registrar license, send EMail to car-license@cisco.com. If you have purchased Cisco AR, include your sales order or purchase order number in the EMail content. You will receive your Cisco AR license key in return EMail, usually within 24-48 hours.

If you have a permanent license, you will not see the license prompt again unless you reinstall and overwrite the database.

If you have an evaluation copy of Cisco Access Registrar, you have a license that will expire. When the license key expires, you will not be able to configure or manage the Cisco Access Registrar RADIUS server. The server itself, however, will continue to function normally.

If you have an invalid or missing licensing key, you will not be able to configure or manage the Cisco Access Registrar RADIUS server.

Specifying the License Key

Use the aregcmd command and specify a license key.


Note You have three tries to log in successfully before Cisco Access Registrar logs you out.



Step 1 Enter the aregcmd command and log in to the Cisco AR server.

aregcmd

Type your cluster administrator name and password. The installation default is admin for the user and aicuser for the password.

Step 2 If you see the message that you have an invalid license key, you must enter a valid key.

Step 3 Cisco Access Registrar displays the license key at the cluster level and displays the number of days left on the license. For example:

[ //RadiusServer ]
LicenseKey = WXYZ-WXYZ-WXYZ-WXYZ (expires in 30 days)
Radius/
Administrators/

Changing the License Key

If your license key has expired, and you have received a new license key from Cisco, you can enter the new key by using the set command.


Step 1 Enter the aregcmd command.

aregcmd

Step 2 Type your cluster administrator name and password. The installation default is admin for the administrator and aicuser for the password.

Step 3 Use the set command and specify the new license key. Note, the license key is not case sensitive.

--> set LicenseKey <ABCD>-<ABCD>-<ABCD>-<ABCD>


Testing Cisco Access Registrar

After you have installed Cisco Access Registrar, the Cisco AR Server Agent starts automatically. You can verify that the server is running correctly with the arstatus command. Successfully running this command ensures that you can communicate with the database and determine whether the server is running or stopped. You can run aregcmd to log in to the server. You can also run the radclient command to create and send a simple Access-Request.

Checking the Servers


Step 1 Check that the servers are running. Enter the arstatus command:

arstatus

Server Agent running (pid: 2098)
MCD server running (pid: 2102)
SNMP Master Agent running (pid: 2090)
RADIUS server running (pid: 2106)
MCD lock manager running (pid: 2103)


Note The SNMP Master Agent process is optional and only present if you are using SNMP.


Step 2 If the servers are not running, do the following:

a. Become superuser (su).

b. Change to the /etc/init.d directory.

c. Type the arserver command with the start argument:

./arserver start

Starting AIC Server Agent for Access Registrar

Logging into Cisco AR


Step 1 After the servers are running, run the aregcmd command in interactive mode:

aregcmd

Step 2 Cisco Access Registrar prompts you for the cluster. Type the cluster name or press Enter for localhost.

Cisco Access Registrar prompts you for the admin login and password. Use admin for the user name, and aicuser for the password.

Step 3 Cisco Access Registrar prompts you to enter a valid license key. Enter the license key that is located on the back of the Cisco Access Registrar CD case.

For more information about the license key, see the "Using the Cisco AR License" section.

Testing a Packet


Step 1 Run the radclient command.

> radclient

Cisco Access Registrar prompts you for the cluster.

Step 2 Type the cluster name or press Enter for localhost.

Cisco Access Registrar prompts you for the admin login and password. Use admin for the user name, and aicuser for the password.

Step 3 Create a simple Access-Request packet for User-Name bob and User-Password bob. At the prompt, type:

simple bob bob

p001

The radclient command displays the ID of the packet p001.

Step 4 Send the request to the default host (localhost):

p001 send

p002

p002

Packet: code = Access-Accept, id = 1, length = 62, 
attributes = 
Service-Type = Framed 
Framed-Protocol = PPP 
Framed-Routing = None 
Framed-MTU = 1500 
Framed-Compression = VJ TCP/IP header compression 
Ascend-Idle-Limit = 1800

The radclient command displays the response, an Access-Accept, when the server is running properly.

Caveats

This section provides information about known anomalies in Cisco Access Registrar 3.0 and anomalies (from previous versions of Cisco AR) that have been fixed. This section also has information about known problems with the Solaris 8 operating environment.

Known Anomalies in Cisco Access Registrar 3.0R9

This section describes the known anomalies in Cisco Access Registrar, Release 3.0R9.

Table 7 Known Anomalies in Cisco AR 3.0R9 

Bug
Description

CSCai02102

Session backing store can become corrupted if the disk partition becomes full

Symptoms: aregcmd fails while logging in or aregcmd fails while saving with an error message similar to "500 Internal Error / Checking to see if we needed to synchronize with external changes to database failed." or after a reload AR's knowledge of user sessions is missing information that it had before the reload.

Conditions: The disk partition upon which Cisco AR is installed is full.

Workaround: Make more space available on the partition. Cisco AR might need to be restarted.

CSCdw74227

Increasing the maximum number of file descriptors in /etc/system causes aregcmd to stop working

Symptoms: aregcmd cannot login to the server, even on a fresh install.

Conditions: The administrator has raised the maximum number of file descriptors in /etc/system to increase the maximum number of open file handles.

Workaround: Remove the maximum number of file descriptors lines and reboot the Cisco AR server.

CSCdy04282

Cisco AR may not handle non-tagged attributes correctly from proxy

Symptoms: Cisco AR returns garbage values in tunnel attributes when returning them as a proxy server.

Conditions: When Cisco AR is a proxy server (as in dial wholesale), a returning access-accept containing non-tagged tunnel attributes may not be handled correctly.

Workaround: Have the downstream server return tagged attributes instead of untagged ones.

CSCdy29522

Access Registrar trap MIB not on CCO nor MIB-police submitted

Problem description: The Access Registrar MIB referenced at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/1_7/referenc/snmp.htm#xtocid1 includes the carServerStop trap but the MIB is unavailable to customers.

Workaround: None.

CSCdy51365

Java services not hot-configured properly

Symptoms: Java services do not work until the server is reloaded.

Conditions: A Java service is added and saved, and the server is not reloaded.

Workaround: Reload the server on adding a Java service.

CSCdy71586

Class file not located if classpath set after java script configuration

Symptoms: The class file referenced by a Java extension script is not recognized if it is in a location other than the default classpath if the classpath is set to the class file location after the script is configured.

Conditions: The classpath for Java extensions parameter is set after the Java extension script is configured.

Workaround: Set the classpath for Java extensions before configuring the script or restart the server.

CSCdy87379

Script with invalid class requires restart even after correction

Symptoms: Configuring a script with an invalid class stops the server. The server does not start on reloads even after the class is corrected.

Conditions: The class configured for the script is not valid.

Workaround: Restart the server.

CSCdz21344

Concurrency control problem with user attributes

Symptoms: Attributes in a user's attributes or check-items directory are deleted in two different aregcmd sessions. Only one of the two attributes shows up as deleted in subsequent aregcmd sessions.

Conditions: This only occurs when these attributes are deleted in two different aregcmd sessions.

Workaround: Delete a second time the attribute that was not deleted.

CSCdz36245

Alternate threading library causes AX_EWOULDBLOCK messages

Symptoms: The logs have a large number of AX_EWOULDBLOCK messages and the server performance is erratic.

Conditions: Using Solaris 8 with the alternate threading library located in /usr/lib/lwp.

Workaround: Use the default library in /usr/lib rather than the alternate one.

CSCeb05384

Memory leak in third-party libraries while reloading

Symptoms: Memory leaks found in TCL and nramia while analyzing with Purify.

Conditions: While reloading Cisco AR software.

Workaround: Restart the Cisco AR processes.

CSCeb11506

Add Rule arguments not aligned with properties

Symptoms: Setting rule properties with the add command fails.

Conditions: After executing the following:

add /Radius/Rules/myrule "" ExecRealmRule

Added /Radius/Rules/myrule

ls myrule

[ myrule ]
    Name = myrule
    Description = 
    Script~ = 
    Attributes/

Workaround: Use the following configuration:

add /Radius/Rules/myrule ExecRealmRule

Added /Radius/Rules/myrule

ls myrule

[ myrule ]
    Name = myrule
    Description = ExecRealmRule
    Script~ = ExecRealmRule
    Attributes/ 

CSCeb19955

Changing name of pre-existing administrator requires you to delete the previous name

Symptoms: Unable to change the name of an existing administrator.

Conditions: The name of an existing administrator may be changed, but will remain unchanged the next time aregcmd is used.

Workaround: If the name of an administrator must be changed, delete it and add a new administrator.

CSCeb46418

Misleading aregcmd error when swap space consumed

Symptoms: aregcmd indicates that it was unable to read the internal configuration.

Conditions: This might occur when all swap space on a machine is in use.

Workaround: Redistribute applications so there is adequate swap space on the machine.

CSCeb80164

Retrace-Packet prints erroneous trace information

Symptoms: The trace shows two response packets to a single request. The first response trace shows an invalid length, as shown in this example:

07/30/2003 20:52:32: P712: Tcl: environ put Retrace-Packet TRUE -> OK
07/30/2003 20:52:32: P712: Using Client: localhost (127.0.0.1)
7/30/2003 20:52:32: P712: Using NAS: localhost (127.0.0.1)
07/30/2003 20:52:32: P712: Request is directly from a NAS: TRUE
07/30/2003 20:52:32: P712: Trace of Access-Request packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 70
07/30/2003 20:52:32: P712: reqauth =
aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
07/30/2003 20:52:32: P712: User-Name = user1@domain1.com

07/30/2003 20:52:32: P712: User-Password =
aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
07/30/2003 20:52:32: P712: NAS-Port = 1
07/30/2003 20:52:32: P712: NAS-Identifier = localhost
07/30/2003 20:52:32: P712: Authenticating and Authorizing with Service aalocal
07/30/2003 20:52:32: P712: Getting User user1@domain1.com's UserRecord from UserList local
07/30/2003 20:52:32: P712: User user1@domain1.com's password matches
07/30/2003 20:52:32: P712: Merging BaseProfile 1 into response dictionary
07/30/2003 20:52:32: P712: Merging attributes into the Response Dictionary:
07/30/2003 20:52:32: P712: Adding attribute Cisco-AVPair, value = ip:addr-pool=public
07/30/2003 20:52:32: P712: No default Remote Session Service defined.
07/30/2003 20:52:32: P712: Trace of Access-Accept packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 70 <====== INCORRECT
07/30/2003 20:52:32: P712: reqauth =
53:a3:5b:73:3d:58:3b:2c:f2:3c:59:7d:c9:dc:78:0d
07/30/2003 20:52:32: P712: Cisco-AVPair = ip:addr-pool=public
07/30/2003 20:52:32: P712: Trace of Access-Accept packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 47
07/30/2003 20:52:32: P712: reqauth =
02:7d:9c:1f:d9:c5:be:9a:0b:7d:6d:70:96:6a:21:16
07/30/2003 20:52:32: P712: Cisco-AVPair = ip:addr-pool=public
07/30/2003 20:52:32: P712: Sending response to 127.0.0.1

Conditions: The Retrace-Packet AR environment variable has been set to TRUE and the trace level has been set to four or above.

Workaround: None

CSCeb86676

Error message for malformed packet wrong with LDAP.

Symptoms: Trace messages indicate that poorly-formatted packets were rejected due to unknown user names or incorrect passwords.

Conditions: This might occur when LDAP is used for authentication or authorization.

Workaround: In some cases, it may be necessary to turn trace levels up and examine the contents of packets. Generally this will not be required.

CSCec11705

An error message for ODBC and FDS is confusing

Symptoms: ODBC is configured properly, but the following message appears in the log:

/opt/CSCOar/logs/name_radius_1_log:08/22/2003  9:35:29 name/radius/1 Error
Server 0 ODBC client (Connection 30): SQLConnect failed: IM002
[unixODBC][Driver Manager]Data source name not found, and no default driver specified

Conditions: This might occur when the number of open file descriptors exceeds the system limit.

Workaround: Increase the number of open file descriptors permitted, or ignore the message when it occurs.

CSCec22061

OutagePolicy of AcceptAll leads to strange responses

Symptoms: An Access-Accept for an HTTP Digest message does not contain an MS-MPPE-Recv key attribute or a Session-Timeout.

Conditions: This might occur if the authentication or authorization service is down and the outage policy is set to AcceptAll.

Workaround: Set the outage policy to RejectAll.

CSCec53453

Parse errors appear in Replication messages

Symptoms: The message parse failed <unknown user> appears in the log.

Conditions: This might occur with replication configured.

Workaround: Ignore these messages; the server should recover without intervention.

CSCec56101

After lock manager is killed, all servers die

Symptoms: After the lock manager is killed, all other servers die.

Conditions: This may occur if the lock manager is manually killed on busy multi-processor machines.

Workaround: None

CSCec61714

Rapid memory growth in arservagt

Symptoms: The arservagt process becomes quite large.

Conditions: This has been observed occasionally, under conditions of extreme stress.

Workaround: Restart the arservagt process.

CSCec71481

Invalid attribute message given for good accounting requests

Symptom: Excessive invalid attribute messages appear in the name_radius_1_log file such as the following:

10/27/2003 17:21:54 name/radius/1 Warning Protocol 0 Accounting Request from
localhost (127.0.0.1) contains invalid attributes in packet user9020%PPP

Conditions: The server is processing accounting packets and is under high load (over 500 RPPS) with packet latency of over 10ms (load with session management).

Workaround: None. However, the RADIUS protocol should recover and try to resend the accounting requests.

CSCed03397

USR VSAs have incorrect format

Symptom: 3Com PDSN complains about the USR VSAs being returned to it from AR

Condition: Cisco AR is configured to use USR VSAs. Cisco AR uses the normal VSA format of:

type, length, vendor, vendor type, length, data

instead of the USR format:

type, length, vendor, vendor type, data

Workaround: Use an extension point script to configure the USR VSAs.

CSCed77005

Response-Type not read at ServiceOutgoing

Symptoms: Cisco AR ignores the Response-Type environment variable at the service outgoing scripting point.

Conditions: An LDAP service was in use for authentication and authorization. An outgoing script on this service checked if the request was rejected. If it was, the script changed the Response-Type to Access-Accept.

Workaround: If the same script is placed at the server outgoing scripting point, the script successfully accepts the user.

CSCed82478

Minor memory leak with ODBC failure connect attempts with myodbc

Symptoms: Radius process memory size increases.

Condition: An invalid myodbc datasource is configured in the remote odbc server and ReactivateTimeInterval is set to a very low value.

Workaround: None.

CSCed83041

After load of large user file with replication, packets are dropped

Symptoms: The master replication server ceases responding to packets after a very large number of users are loaded.

Conditions: This might occur with very large numbers of users and probably also with large numbers of profiles.

Workaround: Load larger user files into both master and member servers prior to starting up replication, or load in large files during very off-peak periods when a backup server is available.

CSCee88854

The unset 0 command causes decrement of entry index in indexed lists

Symptom: The unset 0 command causes the entry indices in indexed lists to be decremented by one, and aregcmd segmentation faults on subsequent commands with valid indices.

Condition: The unset command is used with index 0.

Workaround: Use the unset command with valid indices only.

CSCef20109

Session management performance degradation

Symptom: Performance peaks at about 500 requests per second.

Condition: Session management is in use.

Workaround: None.

CSCef34090

File descriptor count not consistent across Cisco AR server reloads

Symptoms: Radius process file descriptor count not consistent

Condition: Occurs after executing aregcmd reload, stop, and start.

Workaround: None

CSCef70457

With HTTP digest, Reply-Message not sent when UserPasswordInvalid

Symptoms: Reply-Message not present in Access-Reject

Condition: With HTTP digest authentication and local-users service, send an Access-Request with digest response generated from invalid password.

Workaround: None

CSCef90638

Cisco AR log files need to check log size at startup and roll if needed

Symptoms: The aregcmd log does not roll when it gets to the configured rolling size.

Conditions: The aregcmd log grows to a size that is larger than the LogFileSize property, but it does not roll.

Workaround: An aregcmd session must have 25 commands after reaching the roll size before the log will roll.

CSCin45016

Session Manager hangs while changing the system date

Symptoms: The release-session command of aregcmd hangs, and the RADIUS server does not respond to access-requests and hangs in session management.

Conditions: Changing the system date to a time in the past and not restarting the server.

Workaround: Restart the Cisco AR after changing the system date/time.

CSCin46551

RADIUS server is reloaded when enabling SNMP and doing restart immediately thereafter.

Symptoms: RADIUS is reloaded automatically.

Conditions: Enabling SNMP in Cisco AR and restarting the server immediately.

Workaround: None.

CSCin53226

On heavy load odbc.ini file becomes empty

Symptoms: The log reports that the ODBC datasource cannot be found.

Conditions: This has only been observed with an extremely high number of ODBC data source connections and heavy load.

Workaround: Replace the contents of the /opt/CSCOar/odbc/etc/odbc.ini file.

CSCin57842

LEAP challenge not sent when setting Response-Type to accept

Symptoms: User accepted without sending EAP challenge.

Conditions: Setting the Response-Type to accept using rex or java script.

Workaround: None

CSCin64112

With SNMP, armcdsvr occasionally reloads itself

Symptoms: Occasionally armcdsvr process restarted automatically by Cisco AR server.

Conditions: Enabling SNMP and restarting the Cisco AR server

Workaround: None

CSCin64207

Upgrade fails when setting ARIsCaseInSensitive to false

Symptoms: Upgrade to 1.7R7 fails with the following error message

307 Object not found/Path ambiguous

Condition: /Radius/Advanced/ARIsCaseInSensitive flag is set to false in AR

Workaround: Before upgrading to 1.7R7 kit, set /Radius/Advanced/ARIsCaseInSensitive to True. After upgrade revert the /Radius/Advanced/ARIsCaseInSensitive to false.


Anomalies Fixed in Cisco Access Registrar 3.0R9

This section describes the anomalies fixed in Cisco Access Registrar, Release 3.0R9.

Table 8 Anomalies Fixed in Cisco AR 3.0R9 

Bug
Description

CSCdy09195

The aregcmd_log file does not show NULL values

Symptoms: The aregcmd_log file does not show all values that were set.

Conditions: When setting a property to NULL (set property ""), the aregcmd_log file does not change the expression "" to NULL.

Workaround: None

CSCdy59596

arserver script should set umask to 113

Symptoms: Administrator cannot login to aregcmd or read aregcmd_log file.

Conditions: The Cisco AR server has rolled the aregcmd_log file, but the permissions do not allow group read or write.

Workaround: When starting Cisco AR, be sure the umask is at least 112 before running arserver.

CSCea06535

Service outgoing script fails to run when the service type is Authenticate Only

Symptoms: Service outgoing script fails to run.

Conditions: The request contains the attribute, Service-Type = Authenticate-Only.

Workaround: None

CSCea87237

Check-items checked even if a password is incorrect

Symptoms: A user is rejected due to invalid check-items.

Conditions: The user's password is incorrect, therefore check-items are irrelevant.

Workaround: None.

CSCeb37136

totalPacketsinUse goes negative after reset

Symptoms: The value for totalPacketsInUse may be briefly negative.

Conditions: After using the reset command, the value for totalPacketsInUse might be negative briefly.

Workaround: Ignore the value for totalPacketsInUse immediately after a reset command is issued.

CSCeb54417

The aregcmd_log file has different output than what was done in the resource manager

Symptom: The aregcmd_log shows a different command than what was issued after changing the IP range of a resource manager.

Conditions: A resource manager that manages an IP range (such as ip-dynamic) was changed such that an existing pool had the start or end address moved.

Workaround: None. However, using an explicit command such as set <start IP>-<end IP>, or changing directory to the IP range and using the set end <IP> or set start <IP> commands, will show the correct command.

CSCec21944

Cisco AR HTTP digest and Cisco SIP Provisioning Server are incompatible

Symptoms: Cisco AR and Cisco SIP Provisioning Server will not inter-operate.

Conditions: This might occur if the algorithm is md5-sess or if the QOP in use is none.

Workaround: None.

CSCed35533

The aregcmd_log file does not roll according to LogFileSize property

Symptom: aregcmd_log file does not roll according to the /Radius/Advanced/LogFileSize property.

Conditions: The /Radius/Advanced/LogFileSize property was changed to something other than the default.

Workaround: None

CSCed60493

The maximum setting from Event-Timestamp is incorrect

Symptoms: Cisco AR states that Event-Timestamp value is out of range even though it is 2^32-1, the legal range specified in the RFC.

Conditions: Unable to set full range of values allowed by Event-Timestamp in aregcmd, radclient, or via extension point scripting.

Workaround: Edit the maximum setting for Event-Timestamp in the Cisco AR attribute dictionary to the legal maximum:

set "/Radius/Advanced/Attribute Dictionary/Event-Timestamp/Max" 4294967295

save

reload

CSCee74431

Unloading java extensions while processing requests causes an exception

Symptoms: Core file produced when shutting down with traffic.

Conditions: Java extensions are being used while the server is shutting down and traffic is still flowing into the server.

Workaround: None, but server will recover on its own.

CSCee88859

Upgrade to server-only install fails because aregcmd is not present

Symptom: Upgrade to server-only installs fails.

Condition: Cisco AR is upgraded to a later version and the 'Server only' installation option is selected.

Workaround: None.

CSCee91780

Custom java Services will not start

Symptoms: A custom service using Java does not start.

Conditions: The server has been configured to use a script as one of the AAA services and the script language is Java. After saving, the restart will fail and the server never recovers.

Workaround: None

CSCef03772

Sending too big RADIUS packet cores server

Symptoms: Cisco AR cores after sending a response packet.

Conditions: The RADIUS response packet is larger than 4 KB.

Workaround: Decrease the response packet size to fit in the RADIUS packet (RFC mandated 4KB).

CSCef20423

Access-Request without User-Name attribute causes Cisco AR to drop RADIUS packets

Symptoms: Some Access-Request packets are dropped by Cisco AR as retransmissions. By looking at the aregcmd stats output we can see that difference between totalAccessRequests and totalAccessResponses is increasing rapidly, while totalPacketsInUse is higher over time.

Trace log shows increasing number of error messages:

"Dropping packet: packet is a retransmission of one we are currently working on" in name_radius_1_log:

"No User-Name attribute in packet <unknown user>"

Conditions: Problem affects only service type LDAP.

Workaround: Reload aregcmd or restart Server Agent.

CSCef35083

Need bypass for accounting broadcast

Symptoms: Accounting-On and Accounting-Off requests are broadcast to every remote server (sometimes more than once).

Conditions: Remote server objects have been defined and accounting broadcast packets are received.

Workaround: None required if local session management is used.

CSCef41407

Empty column filled with leftover from previous query

Symptoms: Data returned from an ODBC query contains information from a previous query.

Conditions: ODBC is used to store users and their authorization parameters.

Workaround: None

CSCef63397

Core in _default_terminate using example Java Accounting Service

Symptom: Intermittent cores occur when a Java AccountingService is used.

Condition: This might occur when the example Java AccountingService is used as an accounting service.

Workaround: None

CSCef66780

Java services are not functional in AR 3.0

Symptom: Java services are not functional on AR 3.0.

Condition: Java services are configured.

Workaround: None.

CSCef75797

Cannot change administrator password in replication slave

Symptom: Replication slave administrator password cannot be changed using the CLI.

Condition: This might occur when attempting to change the administrator's password in the Replication slave configuration.

Workaround: Disable the replication in the slave and save the configuration. Open another aregcmd session to change the administrator password and enable the replication.

CSCin70770

Memory leak in armcdsvr

Symptoms: Memory footprint of the armcdsvr process grows continuously on repeated aregcmd logins.

Condition: Login and logout from aregcmd continuously

Workaround: None


Anomalies Fixed in Cisco Access Registrar 3.0R8

This section describes the anomalies fixed in Cisco Access Registrar, Release 3.0R8.

Table 9 Anomalies Fixed in Cisco AR 3.0R8 

Bug
Description

CSCea43192

Enum values are not validated properly

Symptoms: Enum values outside the specified range are not validated properly.

Conditions: An enum value outside the specified range is set.

Workaround: Restrict enums to those within the specified range.

CSCea60081

LicenseKey property does not autocomplete

Symptoms: The LicenseKey property in aregcmd does not autocomplete.

Conditions: The <Tab> key is used to autocomplete the /LicenseKey property.

Workaround: None, but this does not prevent the property from being set.

CSCeb19831

Cannot reload with enum out of range

Symptoms: The server will not restart or it is not possible to use radclient, and the error messages indicate that an enumeration is outside of specified Minimum and Maximum range.

Conditions: An attribute of type ENUM has been defined, and one of the enumerated values is not in the range between the minimum and maximum values.

Workaround: Modify the maximum value for the attribute so that all enumerations are included in the allowed range.

CSCed83003

Cannot commit change with modifications to session managers or resource managers

Symptoms: A change is not replicated to a member, and the member log indicates "Could not commit transaction."

Conditions: This might occur when deletions and additions of resource managers and session managers are included in a single save operation.

Workaround: Perform full resynchronization as described in the User Guide. More frequent aregcmd save operations may also be beneficial.

CSCed83165

Two unset commands of DefaultSessionManager results in replication failure

Symptoms: A member replication log indicates that a transaction was not committed.

Conditions: This might occur when values such as the DefaultSessionManager are unset multiple times.

Workaround: Perform a full database synchronization.

CSCed84906

Cisco AR accounting RollOverSchedule has problem on February 29th (Leap Year).

Symptom: Accounting logs do not roll over at preconfigured time when using the rollover schedule feature.

Conditions: The administrator has configured the server to rollover accounting files using the schedule rather than max age or size. Also, this is seen only on the Leap Day (February 29).

Workaround: None

CSCee03199

ODBC authorization-only service should not reject if no data is found

Symptoms: Cisco AR rejects the Access-Request with an InternalError indication.

Condition: This occurs when an ODBC service is configured as authorization-only service and no data is returned for the user from database table during authorization.

Workaround: None.

CSCee47129

Tunnel-Password values are mangled for certain tag numbers

Symptoms: A tunnel password attribute is mangled, even if the configuration was correct. Also, the attribute may be missing from the response.

Conditions: The tunnel-password attribute is configured to be sent back in an access-accept packet. However, certain tag numbers are always mangled or are missing.

Workaround: Try to use a different tag number (for example, use tag4 rather than tag3).

CSCee59794

Cisco AR rejects a user with internal error when the database package is recompiled

Symptoms: Cisco AR rejects the Access-Request with an InternalError indication.

Condition: This occurs when PL/SQL packages in the database are recompiled while Cisco AR is running.

Workaround: Reload the Cisco AR server.

CSCin43901

Accounting file rollover not happening at daylight savings time (DST)

Symptoms: Accounting file rollover will not happen at DST but it will happen one hour before or after the DST change.

Conditions: The configured rollover schedule is the same as DST and the system time reaches the configured rollover schedule.

Workaround: None


Anomalies Fixed in Cisco Access Registrar 3.0R7

This section describes the anomalies fixed in Cisco Access Registrar, Release 3.0R7.

Table 10 Anomalies Fixed in Cisco AR 3.0R7 

Bug
Description

CSCdy72758

After a Cisco AR server agent restart, SNMP MIB walk stops working

Symptoms: SNMP MIB walk stops working.

Conditions: When the Cisco AR server agent dies and is restarted by trampoline.

Workaround: Restart the Cisco AR server using the /etc/init.d/arservagt restart command.

CSCea10104

Reload/stop and start of Cisco AR gives core file when SNMP is enabled

Symptoms: When SNMP is enabled, a reload, stop, and start from aregcmd gives a core file and displays 'Unable to access server.' However, the radius process is restarted and packet processing continues.

Conditions: SNMP is enabled in Cisco AR.

Workaround: Restart Cisco AR using /etc/init.d/arservagt.

CSCea49061

Cisco AR does not allow port change if default values are used

Symptoms: Cisco AR does not start. During the installation or running the arservagt utility, the following message is displayed:

RADIUS port already occupied, program can not start

Because Cisco AR does not start, aregcmd also fails to start:

# ./aregcmd
Cisco Access Registrar 1.7R5 Configuration Utility
Copyright (C) 1995-2002 by Cisco Systems, Inc.  All rights reserved.
Cluster:
User: admin
Password:
Logging in to localhost
400 Login failed

Conditions: Another application is using ports 1645, 1646, 1812, or 1813.

Workaround: In the arservagt script, comment out the exit 1 line as follows:

            # make sure no other RADIUS server is running
            exist=`netstat -an | awk '$1 ~ /\.(1812|1813|1645|1646)$/'`
            if [ "$exist" != "" ]; then
                echo " "
                echo "RADIUS port already occupied, program can not start."
                echo " "
            #    exit 1
            fi

Start Cisco AR using the following:

/etc/init.d/arservagt start

If there is a port conflict, configure Cisco AR to use alternative ports. For example, in aregcmd:

cd /Radius/Advanced/Ports

add 1812

add 1813

save

reload

CSCec25472

After restarting the SNMP agent, SNMP MIB walk no longer works

Symptoms: SNMP traps are still seen, but there is no response to SNMP MIB walk commands.

Conditions: This might occur after the SNMP Master Agent crashes and is restarted.

Workaround: Restart the Cisco AR server using the /etc/init.d/arservagt restart command.

CSCec60339

Cisco AR software upgrade from 3.1R2 causes startup error

Symptoms: Cisco AR will not start correctly after an upgrade.

Conditions: An attribute return list in a profile, user group, or user set the Tunnel-Medium-Type attribute with the value of 802. After an upgrade, the name_radius_1_log file contains the following message when the server tries to start:

10/15/2003 12:40:36 name/radius/1 Error Configuration 0 Error in property /Radius/Profiles/ldapmap-VLAN/Tunnel-Medium-Type_tag1: Invalid value

Workaround: After the server tries to start, log in to aregcmd and add the enum back into the dictionary, then issue a save command, and restart the server.

cd "/Radius/Advanced/Attribute Dictionary/Tunnel-Medium-Type/Enums"

set 6 802

save

start

CSCec63780

Apparent deadlock in the replication master during a replication test

Symptoms: The RADIUS server stops responding to RADIUS packets.

Conditions: This situation occurs extremely rarely when the configuration is being updated after an Accounting-On message is received.

Workaround: Kill the RADIUS server using kill -9. The Cisco AR server will be automatically restarted by the server agent.

CSCec71268

Adding new ODBC remote server in one shot fails

Symptoms: After adding a new ODBC remote server using a single line within interactive aregcmd, validation fails.

Conditions: The following command format was used to add a remote server:

add /Radius/RemoteServers/server description odbc reactivate timeout connections datasource keepalive

Workaround: Set each property individually after adding the remote server.

CSCec72065

Skewed time results in brief corrupt session time

Symptoms: The session time displayed in the response to query-sessions command is 1193046:28:15.

Conditions: This might occur when aregcmd is run on a remote system, the time on the remote system is behind the time on the system running the server, and the session time is less than the difference between the system times. Note that time refers to Universal Time and that differences in time zones should not cause this problem to occur.

Workaround: Ignore session times of 1193046:28:15. Assume that these session times are less than the difference between the system time on the system running aregcmd and the system time running the RADIUS server. Use a time synchronization server to minimize these discrepancies.

CSCec74817

The query-sessions command displays large NAS-Port incorrectly

Symptoms: A negative value is displayed for a NAS-Port in the output of the query-sessions command.

Conditions: This might occur when the value of the NAS-Port is greater than 65,535.

Workaround: None.

CSCed01236

Proxy of EAP packets breaks client IP stack

Symptoms: Client cannot ping anything except itself after a successful EAP transaction.

Conditions: A proxy server is placed between the access point (AP) and authentication server to proxy EAP packets between the AP and authentication server.

Workaround: If possible, remove the proxy server from the authentication path.

CSCed22089

Cisco AR cores on accounting request after configuration change

Symptoms: Cisco AR restarts and creates a core file.

Conditions: Cisco AR has been restarted and a configuration change is performed and saved. Cisco AR restarts on receipt of an accounting request.

Workaround: None

CSCed37168

A software upgrade will fail if you already have Oracle 8 configured

Symptoms: Cisco AR will not start after a software upgrade to 3.0R6 when the previous system has been configured with Oracle 8. This is because the old Cisco AR used liboraodbc.so to access Oracle 8 and this has been changed in 3.0R6 to liboraodbc8.so for adding support of Oracle 9.

Conditions: Existing Cisco AR has configured ODBC with Oracle 8.

Workaround: Set up a symbolic link before running pkgadd, such as the following:

cd <install-dir>/lib && ln -s liboraodbc8.so liboraodbc.so 

CSCed42695

Too-old unclosed session results in huge session

Symptoms: The following messages appear in the log:

"Log: Backing Store: Error composing log file, item is too large for one page (8192).

Log: Session Backing Store: Unable to save Session 991 to backing store."

Conditions: This might occur when Cisco AR fails to receive an Accounting-Stop, then receives a number of Accounting-Start messages with the same Acct-Session-ID.

Workaround: Manually release the session using the release-sessions option of aregcmd.

CSCed50688

EAP-SIM pseudonym passed as User-Name too long for ExecRealmRule

Symptoms: The realm rule does not find the realm in the username, even though the trace file shows that the realm is present.

Conditions: A very long username (at least 100 bytes in length) is used.

Workaround: None

CSCed51002

ExecRealmRule script may overwrite memory

Symptoms: The RADIUS server cores occasionally.

Conditions: Lengthy user names are frequently used, and the ExecRealmRule script is in use.

Workaround: None.

CSCed75402

Cannot add enumerations to attributes of type TAG_ENUM

Symptoms: It is not possible to add new enumerations to attributes of type TAG_ENUM, or an upgraded configuration containing tagged attributes does not function after upgrade.

Condition: This will occur when 3.0R6 or 1.7R7 is in use.

Workaround: Consult with Cisco Tech Support to get advice about adding the tagged enumerations to your configuration using internal tools.

CSCin60005

Replication fails when modifying IP addresses of resource manager

Symptoms: Replication fails and the replication slave's name_radius_log file shows the following error message:

Internal Error in /Radius/ResourceManagers/new/IPAddresses/: Required property end did not exist

Conditions: Add a new ip-dynamic resource manager without doing a save, then modify the IP address using the aregcmd interactive set command.

Workaround: Do a save before modifying the IP address using interactive set.

CSCin62448

Cisco AR server reloads itself when rolling accounting file under heavy load

Symptoms: Cisco AR server occasionally reloads by itself

Conditions: Under heavy load, when Cisco AR is unable to open or flush the accounting files.

Workaround: None


Anomalies Fixed in Cisco Access Registrar 3.0R6

This section describes the anomalies fixed in Cisco Access Registrar, Release 3.0R6.

Table 11 Anomalies Fixed in Cisco AR 3.0R6 

Bug
Description

CSCai02102

Session backing store can become corrupted if the disk partition becomes full

Symptoms: aregcmd fails while logging in, or fails while saving with an error message similar to "500 Internal Error / Checking to see if we needed to synchronize with external changes to database failed.", or, after a reload, AR's knowledge of user sessions is missing information that it had before the reload.

Conditions: The disk partition that AR is installed on is full.

Workaround: Make more space available on the partition. AR may need to be restarted.

CSCdy04282

Cisco AR may not handle non-tagged attributes correctly from proxy

Symptoms: Cisco AR returns garbage values in tunnel attributes when returning them as a proxy server.

Conditions: When Cisco AR is a proxy server (as in dial wholesale), a returning access-accept containing non-tagged tunnel attributes may not be handled correctly.

Workaround: Have the downstream server return tagged attributes instead of untagged ones.

CSCdy29522

Access Registrar trap MIB not on CCO nor MIB-police submitted

Problem description: The Access Registrar MIB referenced at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/1_7/referenc/snmp.htm#xtocid1 includes the carServerStop trap but the MIB is unavailable to customers.

Workaround: None.

CSCdy46148

Cisco AR cores when java extension without required interface is used

Symptoms: Cisco AR cores when a Java extension script that does not implement the interface required for such scripts is used.

Conditions: A Java extension script that does not implement the interface required for such scripts is added, set as the server IncomingScript, saved but not reloaded, and an access request is then sent.

Workaround: Reload Cisco AR on adding the Java extension script.

CSCdy50196

Cisco AR server cores when Java service does not handle stops and starts

Symptoms: Server fails to start when Java service does not handle service starts and stops.

Conditions: You configure then reload a Java service that does not handle service starts and stops.

Workaround: Handle service starts and stops in all Java services.

CSCdy51365

Java services not hot-configured properly

Symptoms: Java services do not work until the server is reloaded.

Conditions: A Java service is added and saved, and the server is not reloaded.

Workaround: Reload the server on adding a Java service.

CSCdy57104

Java example accounting script causes core when not initialized

Symptoms: Cisco AR cores when the example Java accounting script is created but not initialized, saved and reloaded.

Conditions: The example Java accounting script is not initialized.

Workaround: Specify the initialization parameter when creating the service.

CSCdy59596

arserver script should set umask to 113

Symptoms: Administrator cannot log in to aregcmd or read the aregcmd_log file.

Conditions: The Cisco AR server has rolled the aregcmd_log file, but the permissions do not allow group read or write.

Workaround: When starting Cisco AR, be sure the umask is at least 112 before running arserver.

CSCdy71586

Class file not located if classpath set after java script configuration

Symptoms: The class file referenced by a Java extension script is not recognized when it is in a location other than the default classpath and the classpath is set to the class file location after the script is configured.

Conditions: The classpath for Java extensions parameter is set after the Java extension script is configured.

Workaround: Set the classpath for Java extensions before configuring the script or restart the server.

CSCdy72758

After restart of Cisco AR server agent, SNMP MIB walk stops working

Symptoms: SNMP MIB walk stops working

Conditions: When the Cisco AR server agent dies and trampoline restarts the server.

Workaround: Restart the Cisco AR server by using the following command:
/etc/init.d/arservagt restart

CSCdy84713

Replication of /Radius/Script object logs error message in Slave

Symptoms: Replication of /Radius/Script object logs error message in slave name_radius_log when it is replicated.

Conditions: Configure single master-slave replication, add a script object under /Radius/script to master host

Workaround: None

CSCdy87379

Script with invalid class requires restart even after correction

Symptoms: Configuring a script with an invalid class stops the server. The server does not start on reloads even after the class is corrected.

Conditions: The class configured for the script is not valid.

Workaround: Restart the server.

CSCdz21344

Concurrency control problem with user attributes

Symptoms: Attributes in a user's attributes or check-items directory are deleted in two different aregcmd sessions. Only one of the two attributes shows up as deleted in subsequent aregcmd sessions.

Conditions: This only occurs when these attributes are deleted in two different aregcmd sessions.

Workaround: Remove the attribute which was not deleted a second time.

CSCdz36245

Alternate threading library causes AX_EWOULDBLOCK messages

Symptoms: The logs have a large number of AX_EWOULDBLOCK messages and the server performance is erratic.

Conditions: Using Solaris 8 with the alternate threading library located in /usr/lib/lwp.

Workaround: Use the default library in /usr/lib rather than the alternate one.

CSCdz71935

Insufficient trace message when password incorrect

Symptoms: Local user is rejected but trace does not explain.

Conditions: The user's AllowNullPassword property is set to TRUE and the user's password is incorrect in the access request.

Workaround: Check the log file for explanation.

Log: Request from HA2 (10.8.15.45): User bob rejected (UserPasswordInvalid)

CSCea06535

Service outgoing script fails to run when the service type is Authenticate Only

Symptoms: Service outgoing script fails to run.

Conditions: The request contains the attribute, Service-Type = Authenticate-Only.

Workaround: None

CSCea10104

The Cisco AR server gives a core file when SNMP is enabled and you reload, stop, and restart the server.

Symptoms: When SNMP is enabled and you reload, stop, and start the server from aregcmd, doing so gives a core file and displays Unable to access server. However, RADIUS processes are restarted and packet processing continues.

Conditions: SNMP is enabled in the AR server.

Workaround: Restart the Cisco AR server using /etc/init.d/arservagt.

CSCea43192

Enum values are not validated properly

Symptoms: Enum values outside the specified range are not validated properly.

Conditions: An enum value outside the specified range is set.

Workaround: Restrict enums to those within the specified range.

CSCea49061

Cisco AR does not allow port change if default values are in use

Symptoms: Cisco AR does not start. During the installation or running the arservagt utility, the following message is displayed:

RADIUS port already occupied, program can not start

Because Cisco AR does not start, aregcmd also fails to start:

# ./aregcmd
Cisco Access Registrar 1.7R5 Configuration Utility
Copyright (C) 1995-2002 by Cisco Systems, Inc.  All rights reserved.
Cluster:
User: admin
Password:
Logging in to localhost
400 Login failed

Conditions: Another application is using ports 1645, 1646, 1812, or 1813.

Workaround: In the arservagt script, comment out the exit 1 line as follows:

            # make sure no other RADIUS server is running
            exist=`netstat -an | awk '$1 ~ /\.(1812|1813|1645|1646)$/'`
            if [ "$exist" != "" ]; then
                echo " "
                echo "RADIUS port already occupied, program can not start."
                echo " "
            #    exit 1
            fi

Start Cisco AR using the following:

/etc/init.d/arservagt start

If there is a port conflict, configure Cisco AR to use alternative ports. For example, in aregcmd:

cd /Radius/Advanced/Ports

add 1812

add 1813

save

reload

CSCea82594

Session count decreases to a negative value

Symptoms: Session count decreases to a negative value when CDMA-Session-Continue attribute is used.

Conditions: This occurs when the CDMA-Session-Continue value TRUE is sent in the accounting request packet, then its session is released by sending CDMA-Session-Continue value FALSE. Session count shows as -1 instead of zero when the session is released.

Workaround: None

CSCea87237

Check-items checked even if a password is incorrect

Symptoms: A user is rejected due to invalid check-items.

Conditions: The user's password is incorrect, therefore check-items are irrelevant.

Workaround: None.

CSCea89613

Cisco AR cores while running odbc-authorize-envmap

Symptoms: The Cisco AR server cores after a reload.

Conditions: This might occur when two different ODBC servers are used (one for authentication and one for authorization) and the authorization server is configured to perform environment mappings.

Workaround: None. The Cisco AR server will be restarted by the server agent and will function properly.

CSCeb04281

IPX networks displayed in decimal

Symptoms: IPX network numbers are occasionally displayed in decimal format.

Conditions: After a save, IPX network numbers are displayed in decimal format.

Workaround: None.

CSCeb04316

Command completion not working for resource manager directories

Symptoms: Command completion does not work for resource manager subdirectories.

Conditions: When in a resource manager subdirectory, pressing the tab key will not complete subdirectory names.

Workaround: In most cases, hitting the return key rather than the tab key will perform the desired action.

CSCeb05384

Memory leak in third-party libraries while reloading

Symptoms: Memory leaks found in TCL and nramia while analyzing with Purify.

Conditions: While reloading Cisco AR software.

Workaround: Restart the Cisco AR processes.

CSCeb11506

Add Rule arguments not aligned with properties

Symptoms: Setting rule properties with the add command fails.

Conditions: After executing the following:

add /Radius/Rules/myrule "" ExecRealmRule

Added /Radius/Rules/myrule

ls myrule

[ myrule ]
    Name = myrule
    Description = 
    Script~ = 
    Attributes/

Workaround: Use the following configuration:

add /Radius/Rules/myrule ExecRealmRule

Added /Radius/Rules/myrule

ls myrule

[ myrule ]
    Name = myrule
    Description = ExecRealmRule
    Script~ = ExecRealmRule
    Attributes/ 

CSCeb19955

Changing name of pre-existing administrator requires you to delete the previous name

Symptoms: Unable to change the name of an existing administrator.

Conditions: The name of an existing administrator may be changed, but will remain unchanged the next time aregcmd is used.

Workaround: If the name of an administrator must be changed, delete it and add a new administrator.

CSCeb37136

totalPacketsInUse goes negative after reset

Symptoms: The value for totalPacketsInUse may be briefly negative.

Conditions: After using the reset command, the value for totalPacketsInUse might be negative briefly.

Workaround: Ignore the value for totalPacketsInUse immediately after a reset command is issued.

CSCeb40158

Confusing error message for sendto

Symptoms: Log messages about the results of sendto include inconsistent numbers.

Conditions: This occurs in conditions of high stress.

Workaround: Ignore the numeric values in these messages.

CSCeb46227

Down service messages are displayed while servers appear up

Symptoms: The message "Service name has no active remote servers available" appears frequently in the log.

Conditions: This message appears occasionally in high load conditions, even when the associated servers are responding to requests.

Workaround: Ignore these messages.

CSCeb46418

Misleading aregcmd error when swap space consumed

Symptoms: aregcmd indicates that it was unable to read the internal configuration.

Conditions: This might occur when all swap space on a machine is in use.

Workaround: Redistribute applications so there is adequate swap space on the machine.

CSCeb80164

Retrace-Packet prints erroneous trace information

Symptoms: The trace shows two response packets to a single request. The first response trace shows an invalid length, as shown in this example:

07/30/2003 20:52:32: P712: Tcl: environ put Retrace-Packet TRUE -> OK
07/30/2003 20:52:32: P712: Using Client: localhost (127.0.0.1)
7/30/2003 20:52:32: P712: Using NAS: localhost (127.0.0.1)
07/30/2003 20:52:32: P712: Request is directly from a NAS: TRUE
07/30/2003 20:52:32: P712: Trace of Access-Request packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 70
07/30/2003 20:52:32: P712: reqauth =
aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
07/30/2003 20:52:32: P712: User-Name = user1@domain1.com

07/30/2003 20:52:32: P712: User-Password =
aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
07/30/2003 20:52:32: P712: NAS-Port = 1
07/30/2003 20:52:32: P712: NAS-Identifier = localhost
07/30/2003 20:52:32: P712: Authenticating and Authorizing with Service aalocal
07/30/2003 20:52:32: P712: Getting User user1@domain1.com's UserRecord from UserList local
07/30/2003 20:52:32: P712: User user1@domain1.com's password matches
07/30/2003 20:52:32: P712: Merging BaseProfile 1 into response dictionary
07/30/2003 20:52:32: P712: Merging attributes into the Response Dictionary:
07/30/2003 20:52:32: P712: Adding attribute Cisco-AVPair, value = ip:addr-pool=public
07/30/2003 20:52:32: P712: No default Remote Session Service defined.
07/30/2003 20:52:32: P712: Trace of Access-Accept packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 70 <====== INCORRECT
07/30/2003 20:52:32: P712: reqauth =
53:a3:5b:73:3d:58:3b:2c:f2:3c:59:7d:c9:dc:78:0d
07/30/2003 20:52:32: P712: Cisco-AVPair = ip:addr-pool=public
07/30/2003 20:52:32: P712: Trace of Access-Accept packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 47
07/30/2003 20:52:32: P712: reqauth =
02:7d:9c:1f:d9:c5:be:9a:0b:7d:6d:70:96:6a:21:16
07/30/2003 20:52:32: P712: Cisco-AVPair = ip:addr-pool=public
07/30/2003 20:52:32: P712: Sending response to 127.0.0.1

Conditions: The Retrace-Packet AR environment variable has been set to TRUE and the trace level has been set to four or above.

Workaround: None
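The traced length of a response can be checked against its traced attributes: a RADIUS packet has a 20-byte header, and the single Cisco-AVPair in this trace encodes to 27 bytes, so 47 is the consistent value while 70 repeats the request's length. The following is an added example (not Cisco code and not part of the original release notes) that runs this check over the two Access-Accept traces; the function names and the small attribute table are assumptions made for the illustration.

```python
import re

# Constructed sample: the two Access-Accept traces from the log above, with the
# release note's "<====== INCORRECT" annotation removed.
TRACE = """\
07/30/2003 20:52:32: P712: Trace of Access-Accept packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 70
07/30/2003 20:52:32: P712: reqauth =
53:a3:5b:73:3d:58:3b:2c:f2:3c:59:7d:c9:dc:78:0d
07/30/2003 20:52:32: P712: Cisco-AVPair = ip:addr-pool=public
07/30/2003 20:52:32: P712: Trace of Access-Accept packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 47
07/30/2003 20:52:32: P712: reqauth =
02:7d:9c:1f:d9:c5:be:9a:0b:7d:6d:70:96:6a:21:16
07/30/2003 20:52:32: P712: Cisco-AVPair = ip:addr-pool=public
07/30/2003 20:52:32: P712: Sending response to 127.0.0.1
"""

LINE = re.compile(r"^\d{1,2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}: (P\d+): (.*)$")
FIELD = re.compile(r"^([A-Za-z][\w-]*) = ?(.*)$")
START = re.compile(r"^Trace of (\S+) packet$")

HEADER_LEN = 20  # code + identifier + length + 16-byte authenticator (RFC 2865)
RESPONSE_TYPES = {"Access-Accept", "Access-Reject", "Access-Challenge"}
STRING_ATTRS = {"User-Name", "NAS-Identifier"}   # assumption: only these are covered
INTEGER_ATTRS = {"NAS-Port", "Session-Timeout"}  # assumption: only these are covered


def attr_len(name, value):
    """Encoded size in bytes of one traced attribute, or None if not covered."""
    if name == "Cisco-AVPair":
        # Vendor-Specific: type + length, 4-byte vendor id,
        # vendor type + vendor length, then the string itself.
        return 2 + 4 + 2 + len(value.encode())
    if name in STRING_ATTRS:
        return 2 + len(value.encode())
    if name in INTEGER_ATTRS:
        return 2 + 4
    return None


def parse_packets(trace):
    """Group 'Trace of <type> packet' sections into packet records."""
    packets, open_pkts = [], {}
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped continuation line (the reqauth octets)
        tag, msg = m.groups()
        start = START.match(msg)
        if start:
            pkt = {"tag": tag, "type": start.group(1),
                   "identifier": None, "length": None, "attrs": []}
            open_pkts[tag] = pkt
            packets.append(pkt)
            continue
        field, pkt = FIELD.match(msg), open_pkts.get(tag)
        if pkt is None or field is None:
            open_pkts.pop(tag, None)  # any other message ends the packet dump
            continue
        name, value = field.groups()
        if name == "identifier":
            pkt["identifier"] = int(value)
        elif name == "length":
            pkt["length"] = int(value)
        elif name != "reqauth":
            pkt["attrs"].append((name, value))
    return packets


def check_responses(trace):
    """Compare each traced response length with the length its attributes imply."""
    results = []
    for pkt in parse_packets(trace):
        if pkt["type"] not in RESPONSE_TYPES or pkt["length"] is None:
            continue
        sizes = [attr_len(n, v) for n, v in pkt["attrs"]]
        expected = None if None in sizes else HEADER_LEN + sum(sizes)
        results.append({
            "tag": pkt["tag"], "identifier": pkt["identifier"],
            "traced": pkt["length"], "expected": expected,
            "consistent": None if expected is None else expected == pkt["length"],
        })
    return results


def duplicated_responses(results):
    """(tag, identifier) pairs traced more than once with differing lengths."""
    seen = {}
    for r in results:
        seen.setdefault((r["tag"], r["identifier"]), set()).add(r["traced"])
    return sorted(key for key, lengths in seen.items() if len(lengths) > 1)


if __name__ == "__main__":
    for r in check_responses(TRACE):
        print(r)
    print("duplicated:", duplicated_responses(check_responses(TRACE)))
```

A response whose attributes are not all in the table is reported with `consistent` set to `None` rather than being flagged.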

CSCeb86676

Error message for malformed packet wrong with LDAP.

Symptoms: Trace messages indicate that poorly-formatted packets were rejected due to unknown user names or incorrect passwords.

Conditions: This might occur when LDAP is used for authentication or authorization.

Workaround: In some cases, it may be necessary to turn trace levels up and examine the contents of packets. Generally this will not be required.

CSCec11705

An error message for ODBC and FDS is confusing

Symptoms: ODBC is configured properly, but the following message appears in the log:

/opt/CSCOar/logs/name_radius_1_log:08/22/2003  9:35:29 name/radius/1 Error
Server 0 ODBC client (Connection 30): SQLConnect failed: IM002
[unixODBC][Driver Manager]Data source name not found, and no default driver specified

Conditions: This might occur when the number of open file descriptors exceeds the system limit.

Workaround: Increase the number of open file descriptors permitted, or ignore the message when it occurs.

CSCec21944

AR HTTP digest and Cisco SPS are incompatible

Symptoms: Cisco AR and Cisco SIP Provisioning Server will not inter-operate.

Conditions: This might occur if the algorithm is md5-sess or if the QOP in use is none.

Workaround: None.

CSCec22061

OutagePolicy of AcceptAll leads to strange responses

Symptoms: An Access-Accept for an HTTP Digest message does not contain an MS-MPPE-Recv key attribute or a Session-Timeout.

Conditions: This might occur if the authentication or authorization service is down and the outage policy is set to AcceptAll.

Workaround: Set the outage policy to RejectAll.

CSCec25472

After restarting the SNMP agent, SNMP walk no longer works

Symptoms: SNMP traps are still seen, but there is no response to SNMP walk commands.

Conditions: This might occur after the SNMP Master Agent crashes and is restarted.

Workaround: Restart the Cisco AR server using the /etc/init.d/arservagt restart command.

CSCec42756

Memory growth occurs with replication stress test

Symptoms: Memory grows slowly while replication is enabled.

Conditions: This might occur under conditions of significant stress.

Workaround: None necessary; the increase in memory is slow enough not to cause any system problems.

CSCec53453

Parse errors appear in Replication messages

Symptoms: The message "parse failed <unknown user>" appears in the log.

Conditions: This might occur with replication configured.

Workaround: Ignore these messages; the server should recover without intervention.

CSCec63780

Apparent deadlock in master on replication test

Symptoms: The Radius server stops responding to Radius packets.

Conditions: This situation occurs extremely rarely when the configuration is being updated after an Accounting-On message is received.

Workaround: Kill the Radius server using kill -9. The AR server will be automatically restarted by the server agent.

CSCec66825

Replication documentation does not mention RADIUS port configuration.

Symptoms: Cannot get replication to work.

Conditions: The AR replication documentation does not mention the fact that the UDP port used for replication must also be configured as a RADIUS port on each master and slave.

Workaround: Configure the port number used in replication under /Radius/Advanced/Ports on the master and all slaves as shown below:

cd /Radius/Advanced/Ports

add 2000

save

reload

CSCec68801

Documentation: MaximumNumberOfRadiusPackets equal to or greater than 8192 for replication

Symptoms: Incorrect and unsupported replication configuration

Conditions: Default MaximumNumberOfRadiusPackets setting is too low for Cisco AR server replication.

Workaround: Set the value to at least 8192 on each Cisco AR server configured for replication as follows:

set /Radius/Advanced/MaximumNumberOfRadiusPackets 8192

save

reload

CSCin19437

Changing Service type from file to group generates error in Replication

Symptoms: In the replication slave, the modified service will not be available for authentication and reload of the replication slave will fail.

Conditions: Changing the service type from file to group in the Replication Master.

Workaround: On the slave, delete the group service created by replication, recreate it manually through aregcmd, and reload the slave server.

CSCin26428

Accounting file rolling fails when reloading Cisco AR server at RolloverSchedule

Symptoms: Accounting file rollover occasionally does not occur.

Conditions: Performing reload of the Cisco AR server at the configured rollover time.

Workaround: Do not reload the Cisco AR server at the configured rollover time.

CSCin29894

Replication fails after changing the user name

Symptoms: User name change is not replicated to slave.

Conditions: Changing just the user name and issuing a save in the Replication master.

Workaround: None

CSCin43901

Accounting file rollover not happening at daylight savings time (DST)

Symptoms: Accounting file rollover will not happen at DST but it will happen one hour before or after the DST change.

Conditions: The configured rollover schedule is the same as DST and the system time reaches the configured rollover schedule.

Workaround: None

CSCin45016

Session Manager hangs while changing the system date

Symptoms: The release-session command of aregcmd hangs, and the RADIUS server does not respond to access-requests and hangs in session management.

Conditions: Changing the system date to a time in the past and not restarting the server.

Workaround: Restart Cisco AR after changing the system date/time.

CSCin46551

RADIUS server is reloaded when enabling SNMP and doing restart immediately thereafter.

Symptoms: RADIUS gets reloaded automatically.

Conditions: Enabling SNMP in Cisco AR and restarting the server immediately.

Workaround: None.

CSCin49558

Cisco AR server accepts the user, when AuthenticationScript rejects

Symptoms: Cisco AR accepts the user, when the UserGroups AuthenticationScript sets the Response-Type as Reject.

Conditions: Occurs when ODBCToEnvironmentMapping is used to set the User-Group.

Workaround: Set the script which rejects the user at some other scripting point.

CSCin53226

On heavy load odbc.ini file becomes empty

Symptoms: The log reports that the ODBC datasource cannot be found.

Conditions: This has only been observed with an extremely high number of ODBC data source connections and heavy load.

Workaround: Replace the contents of the /opt/CSCOar/odbc/etc/odbc.ini file.

CSCin57842

LEAP challenge not sent when setting Response-Type to accept

Symptoms: User accepted without sending EAP challenge.

Conditions: Setting the Response-Type to accept using rex or java script.

Workaround: None

CSCin59303

Replication fails when using interactive set

Symptoms: The memory usage of the Radius process increases.

Conditions: This might occur when the IP address range of an ip-dynamic resource manager is set to a range greater than an entire class C network.

Workaround: None


Anomalies Fixed in Cisco Access Registrar 3.0R5

This section describes the anomalies fixed in Cisco Access Registrar, Release 3.0R5.

Table 12 Anomalies Fixed in Cisco AR 3.0R5 

Bug
Description

CSCdx52831

radius cores while establishing ODBC connections

Symptoms: AR restarts with reload command when ODBC connections to the database are being established.

Conditions: Reloading AR while ODBC connections to the database are getting established.

Workaround: Reload AR after all the ODBC connections to the database are established.

CSCdy87006

Session management fails on central resource server

Symptoms: The central resource AR server rejects session management requests from front-line AR servers.

Conditions: On the central resource AR server, the DefaultAuthenticationService and DefaultAuthorizationService are set to an LDAP service.

Workaround: Set the DefaultAuthenticationService and DefaultAuthorizationService to something other than an LDAP service.

CSCeb45577

Rapid and irregular memory growth with SNMP traps

Symptoms: The memory required for the Radius server is very large, and increases continually.

Conditions: This might occur if an extremely large volume of SNMP traps (greater than 3 per minute) is being sent.

Workaround: Reset the values InputQueueHighThreshold and InputQueueLowThreshold to their default values to reduce the number of SNMP traps.

CSCeb56975

ODBC mappings should not override attributes

Symptoms: ODBC mappings will not map all the values returned from database.

Conditions: When more than one database column is mapped to the same attribute.

Workaround: None.

CSCin48864

Stale ODBC remoteserver threads across reloads.

Symptoms: Radius server is reloaded.

Conditions: Add and delete ODBC configuration, then reload when Oracle server is unreachable (via network) from Cisco AR.

Workaround: Restart AR.


Anomalies Fixed in Cisco Access Registrar 3.0R4

This section describes the anomalies fixed in Cisco Access Registrar, Release 3.0R4.

Table 13 Anomalies Fixed in Cisco AR 3.0R4 

Bug
Description

CSCdp91753

Logging does not work for files equal to or greater than 2GB

Symptoms: After any log file size exceeds 2 GB, logging to that file stops.

Conditions: Size of log file exceeds 2GB.

Workaround: Rotate the log files. If you are using a version of Cisco AR earlier than 1.6R0, stop the server before moving any log files.

CSCdt63165

aregcmd allows all administrative users to be deleted

Symptoms: No administrators appear in /Administrators in aregcmd.

Conditions: An administrator deleted all the administrators, effectively causing a lockout.

Workaround: None

CSCdu43140

In aregcmd query /r the colon character (:) is used in some places, but not others

Symptoms:

When a query-sessions is done in aregcmd, the output will look something like the following:

Sessions for /Radius:
  Sessions for /Radius/SessionManagers/session-mgr-2:
    S1 Key: localhost:1, NAS: localhost, NAS-Port: 1, User-Name: bob, \
	Time: 00:41:58, IP 10.0.1.128, HA 10.10.1.0

Note that Key, NAS, NAS-Port, User-Name and Time are all followed by a colon character and that IP and HA are not. This is obviously inconsistent. It appears that the dynamic resources (IP, IPX, GSL, USL, USR-VPN, and HA) will not be followed by a colon character while the rest will be.

Workaround: Do not write scripts that depend on finding a colon character after or between the type of dynamic resource (such as IP) and its value.
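The workaround above, as an added example (not Cisco code): a Python parser for the query-sessions output shown in this note that accepts a field name with or without a trailing colon. The S<n> session-id pattern and the comma-separated field layout are assumptions drawn from the single sample line.

```python
import re

# Sample output copied from the release note above; the trailing backslash is
# the line-continuation marker used in the document.
SAMPLE = """\
Sessions for /Radius:
  Sessions for /Radius/SessionManagers/session-mgr-2:
    S1 Key: localhost:1, NAS: localhost, NAS-Port: 1, User-Name: bob, \\
\tTime: 00:41:58, IP 10.0.1.128, HA 10.10.1.0
"""

# Field name, an OPTIONAL colon, whitespace, then the value. The value may
# itself contain colons (Key: localhost:1, Time: 00:41:58).
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):?\s+(.+)$")
SESSION_RE = re.compile(r"^(S\d+)\s+(.*)$")          # assumed session-id form
HEADER_RE = re.compile(r"^Sessions for (\S+):$")


def join_continuations(text):
    """Merge each line ending in a backslash with the line that follows."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
        else:
            logical.append(pending + line)
            pending = ""
    if pending:
        logical.append(pending.strip())
    return logical


def parse_fields(body):
    """Parse 'Name: value, Name value, ...' into a dict, colon or no colon."""
    fields = {}
    for chunk in body.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        match = FIELD_RE.match(chunk)
        if match is None:
            raise ValueError("unrecognised session field: %r" % chunk)
        fields[match.group(1)] = match.group(2).strip()
    return fields


def parse_query_sessions(text):
    """Return one dict per session line, tagged with its session manager."""
    sessions, manager = [], None
    for line in join_continuations(text):
        header = HEADER_RE.match(line)
        if header:
            manager = header.group(1)
            continue
        session = SESSION_RE.match(line)
        if session:
            sessions.append({
                "id": session.group(1),
                "manager": manager,
                "fields": parse_fields(session.group(2)),
            })
    return sessions


if __name__ == "__main__":
    for entry in parse_query_sessions(SAMPLE):
        print(entry["id"], entry["manager"], entry["fields"])
```
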

CSCdu77687

ExecTimeRule script does not run correctly

Symptoms: The ExecTimeRule does not match times correctly.

Conditions: The valid time range for an instance of the ExecTimeRule rule is more complicated than just a time range (multiple time ranges or days are specified).

Workaround: None

CSCdv54419

SNMP reports average RTT instead of the RTT of the last request

Symptoms: SNMP query reports the average round trip time instead of the round trip time for the last request.

Conditions: This occurs any time you make an SNMP request.

Workaround: Cisco AR is incorrectly reporting the average RTT. To obtain the RTT of the last request, you will need to arithmetically determine it from the previous average RTT, the current average RTT, and the total number of requests sent to the remote server.

CSCdw13633

ExecTimeRule script never denies access.

Symptoms: Time of Day rule does not work as specified in the user documentation.

CSCdw87985

Acct-Delay-Time attribute in Accounting-On requests ignored

Symptoms: AR ignores the Acct-Delay-Time attribute and can remove all sessions after a resend of the Accounting-On packet.

Conditions: The problem is basically that when the NAS is rebooted, it sends out an Accounting-On that Cisco AR does not see. 15 seconds later it sends out its first ODAP request, receiving a subnet and creating a session on Cisco AR to record it. 15 seconds after that it resends the Accounting-On (since the first one timed out). Cisco AR receives this second Accounting-On and proceeds to delete all of the sessions associated with the NAS (including the just-received ODAP session). This causes problems because Cisco AR will then go ahead and re-use the subnet for a subsequent request, but as far as the NAS is concerned it is still in use. The second Accounting-On does contain an Acct-Delay-Time attribute with a value of 30 (seconds), so it's possible for Cisco AR to only delete sessions associated with the NAS that were created over 30 seconds ago. We've never paid attention to the Acct-Delay-Time attribute, but it's probably time we did so.

Workaround: None

CSCdx27007

aregcmd gives a segmentation fault with a particular sequence of commands

Symptoms: Under certain circumstances, if a save command is issued at the aregcmd prompt when no changes have been made, a segmentation fault occurs.

Conditions: Since no data changes have been made, this problem will not result in any loss of data.

Workaround: Do not issue a save command if no changes have been made to the configuration.

CSCdx76512

Cannot rename users

Symptoms: The administrator changed a user name by setting the Name attribute of the user record.

On the save, aregcmd gives a 310 error with no other info in the logs.

Conditions: Rename a user using the following aregcmd command line:

set Name NewName

Workaround: Delete the old user and create a new one. However, this does lose the user's password.

CSCdy11292

aregcmd command ls returns 307 error on properties

Symptoms: An administrator uses aregcmd command ls on a property and gets a 307 error.

Conditions: Running ls directly on a property and not a directory (ls /Radius/Version) results in a 307 error by aregcmd.

Workaround: None, but this is not a functional error.

CSCdy17353

Session-Service not allowed to set in Rule Engine

Symptoms: Session-service is not set through Rule engine

Conditions: Configure rules and policies to set Session-Service.

Workaround: Use scripts to set Session-Service.

CSCdy20675

aregcmd set username/password password should not query

Symptoms: The aregcmd command line set username/password should not prompt for password verification if it is already passed on the command line. The current behavior is:

set bob/password foo

Retype password to confirm:

Set bob/Password <encrypted>

The confirmation should only happen if the user enters the password with echo off. There is no reason to do this when the password is passed on the command line.

Conditions: When adding a password with the set password command to give to a user.

Workaround: None.

CSCdy56082

Server crashes on reload using AdvancedDuplicateDetection

Symptoms: After a reload is issued in aregcmd, the following error message appears:

401 Unable to access server

Conditions: The system may crash when Advanced Duplicate Detection is enabled and the server is reloaded.

Workaround: If Advanced Duplicate Detection is in use, avoid reloading the Cisco AR server during peak load times.

CSCea35594

Cannot reload server after enum with large maximum defined

Symptoms: The RADIUS server stops working. Logging in via aregcmd no longer completes successfully.

Conditions: An enumerated attribute with a very large (greater than 65535) maximum value has been defined.

Workaround: Do not define enumerated attributes with extremely large maximum values.

CSCea37697

Name change for attributes (26,9,37) and (26,9,38)

Symptoms: Administrator cannot find Cisco VSA when doing per-user policies for Catalyst 10000.

Conditions: The administrator wants to use per-user policies with their Catalyst 10000 box.

Workaround: Change Cisco-Input-Policy to Cisco-Policy-Up and Cisco-Output-Policy to Cisco-Policy-Down.

CSCea40782

Oracle stored functions are not working with ODBC

Symptoms: ODBC will fail to perform mappings.

Conditions: When aliasing or a stored function is used inside the ODBC SQL select statement.

Workaround: None

CSCea50767

Cisco AR vulnerable to CERT CA-2003-10

Symptoms: Random crash after a hack attempt using malformed RPC calls.

Conditions: An RPC attack based on CERT CA-2003-10 is used.

Workaround: None

CSCea51887

Abrupt shutdown of VHG causes release of newly allocated subnets

Symptoms: Cisco AR server ignores the Acct-Delay-Time attribute and can remove all sessions after a resend of the Accounting-On packet.

Conditions: When the NAS is rebooted, it sends out an Accounting-On that Cisco AR does not see. Fifteen seconds later it sends out its first ODAP request, receiving a subnet and creating a session on Cisco AR to record it. Fifteen seconds after that, it resends the Accounting-On (since the first one timed out). Cisco AR receives this second Accounting-On and proceeds to delete all of the sessions associated with the NAS (including the just-received ODAP session). This causes problems because Cisco AR will then go ahead and re-use the subnet for a subsequent request, but as far as the NAS is concerned it is still in use. The second Accounting-On does contain an Acct-Delay-Time attribute with a value of 30 (seconds), so it is possible for Cisco AR to only delete sessions associated with the NAS that were created over 30 seconds ago. Cisco AR has never paid attention to the Acct-Delay-Time attribute, but it is probably time we did so.

Workaround: None
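The Accounting-On race described in CSCdw87985 and CSCea51887, replayed as an added Python example (not Cisco AR code). The SessionTable class, the NAS names and the session keys are hypothetical; the timings (ODAP request at 15 seconds, resend at 30 seconds with Acct-Delay-Time = 30) are the ones given in the notes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    nas: str          # NAS that owns the session
    key: str          # session key (constructed values below)
    created_at: int   # server clock, in seconds


class SessionTable:
    """Hypothetical in-memory session store, for illustration only."""

    def __init__(self):
        self.sessions = []

    def add(self, nas, key, created_at):
        self.sessions.append(Session(nas, key, created_at))

    def purge_all(self, nas):
        """Behaviour described in the notes: drop every session of the NAS."""
        removed = [s for s in self.sessions if s.nas == nas]
        self.sessions = [s for s in self.sessions if s.nas != nas]
        return removed

    def purge_before_restart(self, nas, received_at, acct_delay_time=0):
        """Drop only the sessions that predate the NAS restart.

        Acct-Delay-Time states how long the NAS has been trying to send the
        packet, so the restart happened at received_at - acct_delay_time.
        """
        if acct_delay_time < 0:
            raise ValueError("Acct-Delay-Time cannot be negative")
        restart_at = received_at - acct_delay_time
        removed = [s for s in self.sessions
                   if s.nas == nas and s.created_at < restart_at]
        self.sessions = [s for s in self.sessions if s not in removed]
        return removed


def replay(honour_delay):
    """Replay the timeline from the notes; return the keys that survive."""
    table = SessionTable()
    # Constructed sample data: two sessions created before the reboot.
    table.add("vhg-1", "old-subnet", created_at=-600)
    table.add("vhg-2", "other-nas", created_at=-300)
    # t=0: vhg-1 reboots; its first Accounting-On never reaches the server.
    # t=15: the ODAP request allocates a subnet and creates a session.
    table.add("vhg-1", "odap-subnet", created_at=15)
    # t=30: the Accounting-On is resent with Acct-Delay-Time = 30.
    if honour_delay:
        table.purge_before_restart("vhg-1", received_at=30, acct_delay_time=30)
    else:
        table.purge_all("vhg-1")
    return [s.key for s in table.sessions]


if __name__ == "__main__":
    print("ignoring Acct-Delay-Time:", replay(honour_delay=False))
    print("honouring Acct-Delay-Time:", replay(honour_delay=True))
```

Ignoring the attribute removes the just-created ODAP session, so the subnet can be handed out a second time; honouring it removes only the session that predates the reboot.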

CSCea55223

Unknown client creates extraneous messages in trace

Symptoms: The name_radius_1_trace file shows extraneous messages (last two lines):

03/24/2003 17:58:30: P336: Packet received from 10.107.132.106
03/24/2003 17:58:30: Log: Packet from 10.107.132.106: that address is not in the Clients list <unknown user>
03/24/2003 17:58:30: P336: Dropping packet: packet was from an unknown client
03/24/2003 17:58:30: handleServerCounters: pClient=0
03/24/2003 17:58:30: handleServerCounters: pServerPerClientStats=0

Conditions: Tracing is turned on and Access Registrar receives a request from an unknown RADIUS client.

Workaround: None

CSCea58066

Replication slave reload gives core when SNMP enabled is set TRUE

Symptoms: Access Registrar does not start and the RADIUS process is killed.

Conditions: Reload of Replication slave before the SNMP subagent started and /Radius/Advanced/SNMP/Enabled is set TRUE.

Workaround: Restart the Cisco AR server.

CSCea61809

Cisco AR is handling concurrent requests serially

Symptoms: Cisco AR 3.0R2 might handle concurrent requests serially.

Conditions: Cisco AR is configured to use an Oracle data store for user lookup.

Workaround: None

CSCea65350

Cisco AR does not proxy EAP requests correctly

Symptoms: The remote RADIUS server drops EAP requests, received from Access Registrar, due to missing Message-Authenticator.

Conditions: Access Registrar is configured to forward (RADIUS proxy) EAP RADIUS requests to a remote RADIUS server.

Workaround: None.

CSCea76982

Checkitem to be applied for usergroup mapped to LDAP or ODBC users

Symptoms: Checkitem is applied only at the user level for LDAP or ODBC users. It will not execute the checkitem configured in the user-group which is mapped to the users.

Conditions: When LDAP or ODBC users are mapped with local user-group

Workaround: None

CSCea77045

Cisco AR checks neither Group checkitems nor authorizationscript

Symptoms: Group checkitems are not verified and authorizationscript is not executed for certain user groups during authorization phase.

Conditions: This problem is observed only if a user is authenticated remotely. For users that are authenticated locally checkitems are verified correctly.

Workaround: Define a new object in LDAP which will be used as CheckItem through LDAPToCheckItemMappings. There is no workaround for authorizationscript.

CSCea83966

Member replication server resynchronizes for no reason

Symptoms: The member server of a replication network resynchronizes with the master when there is zero or little delay.

Conditions: Two servers in a replication network operate normally except for an occasional (every 90-180 seconds) resynchronization.

Workaround: None.

CSCea84291

An 8 KB memory leak occurs after 25 log file rollovers

Symptoms: Cisco AR continually uses more memory over time.

Conditions: There are log files being rolled. This mainly impacts accounting log files, but the effect may be seen with other log files.

Workaround: None

CSCea88967

SNMP Agent is not sending carServerStop trap when stopping the agent

Symptoms: SNMP Agent is not sending the carServerStop trap when we shut down the Cisco AR Server Agent using the /etc/init.d/arserver stop command line.

Conditions: Occurs only when we shut down the server agent. Trap carServerStop is normally sent when the Cisco AR Server Agent is running and the RADIUS server is stopped.

Workaround: Start the snmpd server externally. To do so, perform the following steps:

1. set /Radius/Advanced/SNMP/MasterAgentEnabled to FALSE.

2. stop Cisco AR via /etc/init.d/arserver stop

3. run /cisco-ar/ucd-snmp/sbin/snmpd -f

4. start Cisco AR via /etc/init.d/arserver start

CSCea90431

snmpTrapEnterprise should have Cisco-specific value

Symptoms: CAR trap message does not have the enterprise specific value in SNMPv2-MIB::snmpTrapEnterprise.0.

Conditions: When snmptrap is configured in Cisco AR.

Workaround: None

CSCea92157

Corrupted database - unable to save changes

Symptoms: Attempts to change AR's configuration using aregcmd produce the following error in the config_mcd_1_log file:

04/10/2003 234713 config/mcd/1 Error System 0 Assertion failed rdmcode == S_OKAY; file mdb_obj.c, line 583, data 0x3

Conditions: Under very rare circumstances AR's database will become inconsistent. Although the database can be read, attempts to write to the database fail. This is because an internal database key was specified as being unique but the database was put into a state where it no longer was.

Workaround: Create a backup of the existing database. The following procedure will overwrite it with a new database that will contain the same data but will not contain the invalid database key.

Back up the existing database with the following:

cp <CSCOar_install_directory>/data/db/* <tempdir>

Export the database with the following:

mcdadmin -e <tempfile>

Then recreate the database with the following:

mcdadmin -c -o -l -i <tempfile>

CSCeb02746

A minor memory leak occurs while reloading

Symptoms: Minor memory leaks found while analyzing with purify.

Conditions: While reloading Cisco AR.

Workaround: Restart the Cisco AR processes.

CSCeb12681

ODBC timeout does not work for unreachable remote servers

Symptoms: Cisco AR appears to hang when sending an ODBC request to a server that is not reachable over the network (pings fail).

Conditions: ODBC is set up, but the Oracle server is down or otherwise unreachable.

Workaround: None

CSCeb12686

ODBC outage policy has no effect until all threads down

Symptoms: Cisco AR does not use the outage policy after the timeout expires. The outage policy does not appear until all threads are down.

Conditions: The ODBC server does not send a response to the ODBC request within the timeout period. The server should mark the thread down and use the outage policy, but it uses another thread.

Workaround: None

CSCeb12712

Low or high packet pool water mark traps not using configuration numbers

Symptoms: The queue full and queue not so full traps are not sent according to the levels configured in /Radius/Advanced/SNMP.

Conditions: During normal operation, it appears that the traps are being sent with low or high settings of 70/100 instead of the configured settings.

Workaround: None

CSCeb12850

Remote servers are not marked as down after flapping network

Symptoms: The memory footprint of the RADIUS process grows by 25 MB per day.

Conditions: Unknown

Workaround: None

CSCeb17808

Setting User-Password to NULL in TCL can fail

Symptoms: Setting User-Password to NULL using a Tcl script can fail.

Conditions: Setting User-Password to NULL in a tcl script rejects when two access-requests are sent back to back.

Workaround: None

CSCeb21400

Sessions lost on upgrade from 1.7R5, 1.7P10

Symptoms: Sessions active prior to the upgrade no longer appear using query-sessions after the upgrade.

Conditions: Cisco AR was upgraded from a release prior to 1.7R6 to 1.7R6 and the administrator did not clear existing sessions either in aregcmd or the installer.

Workaround: While it is not possible to retrieve the old sessions, the effect of the problem may be minimized by upgrading Cisco AR with few open sessions. It is highly recommended to upgrade to 1.7R6 during a maintenance period or low traffic time since all open sessions will be lost. Also, to avoid the possibility of double allocating an IP address, any devices with users who have an IP address allocated by Cisco AR should have the user sessions manually removed.

CSCeb29224

Deadlock from accounting-* plus multiple requests

Symptoms: The RADIUS server uses most of the available CPU and does not respond to requests.

Conditions: A deadlock may occasionally appear on systems where there is a lot of accounting activity.

Workaround: Restart all servers.

CSCeb37355

Log indicates a user has been rejected due to script when a proxy server rejected the request

Symptoms: The log indicates that a proxied request was rejected due to OutgoingScriptRejectedRequest.

Conditions: This might occur when a proxy server rejects a request.

Workaround: Verify that the user in question is acceptable to the proxy server.

CSCeb38271

Cisco AR reload gives core when it proxies high volume of packets

Symptoms: Cisco AR gives a core file when it is reloaded.

Conditions: Reloading Cisco AR while it is heavily loaded with a high volume of packets to proxy produces a core file.

Workaround: None

CSCeb42908

Replication master sends two transaction-synchronization packets on startup

Symptoms: Cisco AR server crashed on startup, but no core file appears.

Conditions: Replication is set up and the member starts; on rare occasions the member crashes.

Workaround: None

CSCeb53214

ODBC performance is seriously degraded

Symptoms: ODBC performance severely lacking.

Conditions: The Cisco AR server has a normal ODBC configuration. The same configuration for 3.0R2 runs significantly faster.

Workaround: None

CSCeb54419

Replication fails when interactive set is done on directories

Symptoms: Changes not replicated when an interactive set is done on a directory (set directory_name or cd directory_name; set) and a few property values are changed and saved.

Conditions: Interactive 'set' done on a directory to change some properties under it.

Workaround: Enter into the directory and set the property values individually.

CSCin46346

Cisco AR continues to send requests to RemoteServers

Symptoms: Cisco AR sends requests to the remote servers indefinitely.

Conditions: Two or more Radius remote servers are used in a service and each remote server is configured with a small ReactivateTimeInterval.

Workaround: Configure the remote servers such that the ReactivateTimeInterval of each server is greater than the time that Cisco AR retries other remote servers. For example, if there are two remote servers and each has an InitialTimeout of 40 seconds and MaxTries of 3, then the ReactivateTimeInterval of each server should be greater than 280 seconds (40 + 80 + 160).

CSCin47621

Radius server cores on changing configuration while proxying packets to remoteserver

Symptoms: Radius process gets reloaded automatically.

Conditions: This occurs while changing the configuration when Cisco AR is sending requests to the Radius remote server.

Workaround: None

CSCin50569

ODBC threads takes two periods of ReactivationTimeInterval to reconnect

Symptoms: ODBC performance is low for a few minutes (for the configured ReactivationTimerInterval).

Conditions: Oracle server goes down and comes back again.

Workaround: None


Anomalies Fixed in Cisco Access Registrar 3.0R2

This section describes the known anomalies in Cisco Access Registrar, Release 3.0R2.

Table 14 Known Anomalies in Cisco AR 3.0R2 

Bug
Description

CSCai03178

Multiple query commands results in RADIUS server not responding

Symptoms: In one of multiple aregcmd sessions open on the same configuration, the command query-sessions will not work.

Conditions: More than one aregcmd session submits a query-sessions command to the same session table simultaneously.

Workaround: None.

CSCdp91753

Logging does not work for files equal to or greater than 2GB

Symptoms: After any log file size exceeds 2GB, logging to that file stops.

Conditions: Size of log file exceeds 2GB.

Workaround: Rotate the log files. If you are using a version of Cisco AR earlier than 1.6R0, stop the server before moving any log files.

CSCdt00784

Cisco AR server may core dump when the disk is full for long time

Symptoms: RADIUS process cores and messages generated about server not being able to write to session backing store.

Conditions: Server is processing AAA requests, but partition with Cisco AR is full.

Workaround: Free more disk space.

Note: In previous versions of Cisco AR, the server would stop processing AAA requests under full partition conditions. This bug seems to indicate that this stopped behavior is no longer in the product. Also, any core files are incomplete due to lack of free disk space. The server will not core immediately when the partition fills.

CSCdt63165

aregcmd allows all administrative users to be deleted

Symptoms: No administrators appear in /Administrators in aregcmd.

Conditions: An administrator deleted all the administrators, effectively causing a lockout.

Workaround: None

CSCdu77687

ExecTimeRule script does not run correctly

Symptoms: The ExecTimeRule does not match times correctly.

Conditions: The valid time range for an instance of the ExecTimeRule rule is more complicated than just a time range (multiple time ranges or days are specified).

Workaround: None

CSCdv54419

SNMP reports average RTT instead of the RTT of the last request

Symptoms: SNMP query reports the average round trip time instead of the round trip time for the last request.

Conditions: This occurs any time you make an SNMP request.

Workaround: Cisco AR is incorrectly reporting the average RTT. To obtain the RTT of the last request, you will need to arithmetically determine it from the previous average RTT, the current average RTT, and the total number of requests sent to the remote server.

CSCdv54469

radiusAccClientUnknownTypes counter never increases

Symptoms: The radiusAccClientUnknownTypes is never incremented. Instead, the radiusAuthClientUnknownTypes is incremented.

Conditions: An Accounting Response for an Accounting Request has its type changed to unknown and sent back. The radiusAccClientUnknownTypes counter should be incremented on the proxying server. The radiusAuthClientUnknownTypes counter is incremented instead.

Workaround: The radiusAuthClientUnknownTypes counter is incremented for any responses that have their types set to unknown. Treat it as the total number, and ignore the radiusAccClientUnknownTypes. If you have a specific server set aside for accounting, then any accounting responses that have unknown types would be marked for that specific remote server's radiusAuthClientUnknownTypes counter.

CSCdv76718

arlockmgr is not automatically restarted by the RADIUS process

Symptoms: Cisco AR stops authenticating local users.

Conditions: If the arlockmgr process dies, the RADIUS process does not restart it automatically. Running arstatus shows only three of the four required processes running.

Workaround: Run aregcmd to restart the process.

CSCdw52741

Cannot use replication in NAT environments

Symptoms: The master and member servers of a replication network complain that they either do not know about each other or they cannot communicate with each other.

Conditions: Cisco AR is deployed in a NAT network environment and the customer wants to use server replication to keep the configuration synchronized.

Workaround: Run Cisco AR on a non-NAT network.

CSCdw74227

Increasing maximum file descriptors in /etc/system stops aregcmd from working

Symptoms: aregcmd cannot login to the server, even on a fresh install.

Conditions: The administrator has raised the maximum file descriptors via /etc/system to increase the maximum number of open file handles.

Workaround: Remove the maximum file descriptor lines and reboot the server.

CSCdx24841

mcdadmin gives no error message if a null file is imported

Symptoms: Running the mcdadmin command with an empty import file will not display an error. Cisco AR will not function after this import occurs.

Conditions: This symptom occurs when the mcdadmin command imports an empty file. This will not occur if the documented procedures which use this command are followed.

Workaround: Do not use mcdadmin to import files that are not Cisco AR configuration files.

CSCdx27007

aregcmd gives a segmentation fault with a particular sequence of commands

Symptoms: Under certain circumstances, if a save command is issued at the aregcmd prompt when no changes have been made, a segmentation fault occurs.

Conditions: Since no data changes have been made, this problem will not result in any loss of data.

Workaround: Do not issue a save command if no changes have been made to the configuration.

CSCdx52831

Cisco AR server cores while establishing ODBC connections

Symptoms: Cisco AR restarts with reload command when ODBC connections to the database are being established.

Conditions: Reloading Cisco AR while ODBC connections to the database are getting established.

Workaround: Reload Cisco AR after all the ODBC connections to the database have been established.

CSCdy04282

Cisco AR may not handle non-tagged attributes correctly from proxy

Symptoms: Cisco AR returns garbage values in tunnel attributes when returning them as a proxy server.

Conditions: When Cisco AR is a proxy server (as in dial wholesale), a returning access-accept containing non-tagged tunnel attributes may not be handled correctly.

Workaround: Have the downstream server return tagged attributes instead of untagged ones.

CSCdy11292

aregcmd command ls returns 307 error on properties

Symptoms: An administrator uses aregcmd command ls on a property and gets a 307 error.

Conditions: Running ls directly on a property and not a directory (ls /Radius/Version) results in a 307 error by aregcmd.

Workaround: None, but no functional error.

CSCdy15425

The command cd Profiles takes a long time to return the list

Symptoms: When doing cd Profiles, it takes more than four to five minutes to get the list back.

Conditions: This happens when the list is long because Cisco AR needs to sort it first.

Workaround: The workaround is to go to one object lower, such as cd Profiles/<profile-name>, but this is not always possible as it might occur that we do not know the Profile's name and need to look for it.

CSCdy20675

aregcmd set username/password password should not query

Symptoms: The aregcmd command line set username/password should not prompt for password verification if it is already passed on the command line. The current behavior is:

set bob/password foo

Retype password to confirm:

Set bob/Password <encrypted>

The confirmation should only happen if the user enters the password with echo off. There is no reason to do this when the password is passed on the command line.

Conditions: When adding a password for a given user with the set password command.

Workaround: None.

CSCdy29522

Access Registrar trap MIB not on CCO nor MIB-police submitted

Problem description: The Access Registrar MIB referenced at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/1_7/referenc/snmp.htm#xtocid1 includes the carServerStop trap but the MIB is unavailable to customers.

Workaround: None.

CSCdy40001

The aregcmd command set fails when path specified with single letter

Symptoms: aregcmd command set fails.

Conditions: The path for the property whose value is being set is specified with a single letter. For example:
set r/DefaultSessionManager session-mgr-1

Workaround: Use at least two letters when specifying a single-level path for the set command. For example:
set ra/DefaultSessionManager session-mgr-1

CSCdy46148

Cisco AR cores when java extension without required interface is used

Symptoms: Cisco AR cores when a Java extension script that does not implement the interface required for such scripts is used.

Conditions: A Java extension script that does not implement the interface required for such scripts is added, set as the server IncomingScript, saved but not reloaded, and an access request is then sent.

Workaround: Reload Cisco AR on adding the Java extension script.

CSCdy51365

Java services not hot-configured properly

Symptoms: Java services do not work until the server is reloaded.

Conditions: A Java service is added and saved, and the server is not reloaded.

Workaround: Reload the server on adding a Java service.

CSCdy56082

Server crashes on reload using AdvancedDuplicateDetection

Symptoms: After a reload is issued in aregcmd, the following error message appears:

401 Unable to access server

Conditions: The system may crash when Advanced Duplicate Detection is enabled and the server is reloaded.

Workaround: If Advanced Duplicate Detection is in use, avoid reloading the Cisco AR server during peak load times.

CSCdy57104

Java example accounting script causes core when not initialized

Symptoms: Cisco AR cores when the example Java accounting script is created but not initialized, saved and reloaded.

Conditions: The example Java accounting script is not initialized.

Workaround: Specify the initialization parameter when creating the service.

CSCdy59596

arserver script should set umask to 113

Symptoms: Administrator cannot login to aregcmd or read aregcmd_log file.

Conditions: The Cisco AR server has rolled the aregcmd_log file, but the permissions do not allow group read or write.

Workaround: When starting Cisco AR, be sure the umask is at least 112 before running arserver.

CSCdy71586

Class file not located if classpath set after java script configuration

Symptoms: The class file referenced by a Java extension script is not recognized if it is in a location other than the default classpath if the classpath is set to the class file location after the script is configured.

Conditions: The classpath for Java extensions parameter is set after the Java extension script is configured.

Workaround: Set the classpath for Java extensions before configuring the script or restart the server.

CSCdy72758

After restart of Cisco AR server agent, SNMP MIB walk stops working

Symptoms: SNMP MIB walk stops working

Conditions: When Cisco AR server agent dies and trampoline restarts server

Workaround: Restart the Cisco AR server by using the following command:
/etc/init.d/arservagt restart

CSCdy84713

Replication of /Radius/Script object logs error message in Slave

Symptoms: Replication of /Radius/Script object logs error message in slave name_radius_log when it is replicated.

Conditions: Configure single master-slave replication, add a script object under /Radius/script to master host

Workaround: None

CSCdy87006

Session management fails on central resource server

Symptoms: The central resource Cisco AR server rejects session management requests from front-line Cisco AR servers.

Conditions: On the central resource Cisco AR server, the DefaultAuthenticationService and DefaultAuthorizationService are set to an LDAP service.

Workaround: Set the DefaultAuthenticationService and DefaultAuthorizationService to something other than an LDAP service.

CSCdy87379

Script with invalid class requires restart even after correction

Symptoms: Configuring a script with an invalid class stops the server. The server does not start on reloads even after the class is corrected.

Conditions: The class configured for the script is not valid.

Workaround: Restart the server.

CSCdz36245

Alternate threading library causes AX_EWOULDBLOCK messages

Symptoms: The logs have a large number of AX_EWOULDBLOCK messages and the server performance is erratic.

Conditions: Using Solaris 8 with the alternate threading library located in /usr/lib/lwp.

Workaround: Use the default library in /usr/lib rather than the alternate one.

CSCdz71935

insufficient trace message when password incorrect

Symptoms: Local user is rejected but trace does not explain.

Conditions: The user's AllowNullPassword property is set to TRUE and the user's password is incorrect in the access request.

Workaround: Check the log file for explanation.

Log: Request from HA2 (10.8.15.45): User bob rejected (UserPasswordInvalid)

CSCdz82064

aregcmd does not timeout when initial connection fails

Symptoms: aregcmd hangs when trying to login to a remote Cisco AR server.

Conditions: The remote server does not exist.

Workaround: None; use CTRL-C to exit aregcmd.

CSCea06535

Service outgoing script fails to run when Authenticate Only is service type

Symptoms: Service outgoing script fails to run.

Conditions: The request contains the attribute, Service-Type = Authenticate-Only.

Workaround: None

CSCin09949

ExecTimeRule creates core file when using space in TimeRange

Symptoms: Setting the TimeRange attribute to a value containing a space and sending a packet for processing generates a core file.

Conditions: Setting TimeRange to a value containing a space.

Workaround: Use a comma to separate day and time when setting the TimeRange as in the following: thu,00:00-23:59

CSCin17561

Cisco AR server cores while sending access-request for user with a VSA.

Symptoms: Cisco AR server reloads automatically.

Conditions: Changing a client vendor type and adding a VSA to the user and sending an access-request with a non-RFC compliant vendor specific attribute.

Workaround: None

CSCin19437

Changing Service type from file to group generates error in Replication

Symptoms: In replication slave, the modified service will not be available for authentication and reload of the replication slave will fail.

Conditions: Changing the service type from file to group in Replication Master

Workaround: On the slave, delete the group service created by replication, recreate it manually through aregcmd, and reload the slave server.

CSCin26428

Accounting file rolling fails when reloading Cisco AR server at RolloverSchedule

Symptoms: Accounting file rollover occasionally does not occur.

Conditions: Reloading the Cisco AR server at the configured rollover time.

Workaround: Do not reload the Cisco AR server at the configured rollover time.

CSCin29894

Replication fails while changing the user name

Symptoms: User name change is not replicated to slave.

Conditions: Changing just the user name and issuing a save in the Replication master.

Workaround: None


Anomalies Fixed in Cisco Access Registrar 3.0R2

This section describes the known anomalies in Cisco Access Registrar, Release 3.0R2.

Table 15 Anomalies Fixed in Cisco AR 3.0R2 

Bug
Description

CSCai03674

Call get*byType() REX functions with null might cause unexpected system failure

Symptoms: The RADIUS server performs an unexpected system reload.

Conditions: A script called a get*ByType API function with a null instead of a pointer.

Workaround: Recompile the script to call the function with a valid pointer, then reload the server.

CSCai03864

Erroneous bad password log in Agent Server from aregcmd

Symptoms: An error message appears in the file agent_server_1_log about a bad password, even though the password was correct.

Conditions: An administrator successfully logs in to aregcmd.

Workaround: None.

CSCdk82488

Adding a VSA with the same name as a standard attribute should not work

Symptoms: No error message is produced, yet one should be.

Conditions: A VSA has been added with the same name as an existing attribute; this should produce an error.

Workaround: Visually inspect the attribute dictionary to confirm the uniqueness of all attribute names.

CSCdp21838

The command string ls -R is inconsistent in certain objects

Symptoms: An ls -R command on a list of address ranges (within an ip-dynamic Resource Manager) only shows 20 address ranges.

Conditions: The list of address ranges has more than 20 ranges defined.

Workaround: Use next and prev to see all the address ranges.

CSCdu41754

No trace messages for LDAP to environment mappings

Symptoms: Cisco Access Registrar does not display any trace information when it sets environment variables through the ldap to environment mapping feature.

Conditions: LDAP to environment mappings exist in an ldap remoteserver object.

Workaround: None

CSCdu80329

User allowed more sessions than configured when using LDAP for AA

Symptoms: The administrator allowed more sessions than configured when using LDAP for AA

Conditions: If authentication is done against an LDAP server which does not treat user names as case-sensitive strings and Session Management is used, Per-User session limits and other resource tracking may not behave correctly.

If you attempt to log in with two user names which are the same when compared in a case-insensitive manner (for example, "joe" and "JOE"), an LDAP server might treat these as the same user (this is determined by the LDAP schema). However, Access Registrar's Session Management, which tracks resources and session limits by User-Name, treats these as two distinct users.

Workaround: Normalize the username by using the form stored in the LDAP server. To do this, use the LDAPToEnvironmentMapping feature on the LDAP RemoteServer definition to map the version of the user-id stored in the LDAP server to the User-Name Environment Dictionary variable.

CSCdv58227

Bad username causes AR to mark LDAP server as temporarily disabled

Symptoms: When using LDAP for authentication, sending an invalid username can cause Cisco AR to temporarily mark the LDAP server as disabled. This can cause users to fail authentication. Service is restored after the ReactivateTimerInterval timer expires (default is 300000 milliseconds, or 5 minutes).

Conditions: An invalid username is anything that contains any of these special characters: *, (, ), and \

Workaround: Set EscapeSpecialCharInUserName to TRUE in the LDAP server profile (default is FALSE).

CSCdw13692

Maximum and Minimum Values of VSA not validated to set within limits

Symptoms: When the maximum and minimum value of a VSA of type Enum/String is set larger than 7FFFFFFF, the command line interface does not validate it, but a Cisco AR server reload fails.

Conditions: VSA maximum and minimum value is set larger than 7FFFFFFF.

Workaround: None

CSCdw24553

Cisco AR fails when file handle limit is reached

Symptoms: Cisco AR may stop processing RADIUS requests and fail to start.

The Cisco AR log file, name_radius_1_log, may display messages like:
12/14/2001 17:30:20 name/radius/1 Error System 0 Assertion failed: IS_VALID_SOCKET( f ); file af_iasocket.h, line 113, data 0x0
12/14/2001 17:30:20 name/radius/1 Info Server 0 Received signal 6
12/14/2001 17:30:20 name/radius/1 Error Server 0 Give up on signal 6
12/14/2001 17:30:20 name/radius/1 Error System 0 Assertion failed: 0; file rexcontext.cpp, line 249, data 0x0

If tracing is enabled, the Cisco AR trace file, name_radius_1_trace, may display messages like:

12/14/2001 17:24:30: Log: RemoteServer 1137remser (15.136.87.44:1645): af_socket() failed with -2147418088

*** 'af_iasocket.h':113 ASSERTION 'IS_VALID_SOCKET( f )' failed
12/14/2001 17:30:20: Log: Received signal 6
12/14/2001 17:30:20: Log: Give up on signal 6
*** 'rexcontext.cpp':249 ASSERTION '0' failed

Conditions: In the Cisco AR configuration utility, aregcmd, when trying to start or reload the server, the following message may be displayed:

310 Command failed

Trying to execute a command in aregcmd may display the following message:

401 Unable to access server

Workaround: Avoid reaching the file descriptor limit by using no more than 700 file descriptors through configuration. The following list shows which objects consume file descriptors and how many:

Interfaces, Ports: for each network interface, Cisco AR will open a file descriptor for each port it listens on. Include the loopback interface in the calculation. For example, a machine with one network interface will consume 4 file descriptors if listening on ports 1645 and 1646.
Services (type file): 1 file descriptor each
RemoteServers (type RADIUS): 1 file descriptor each
RemoteServers (type LDAP): 1 file descriptor each

CSCdw53470

ExecRealmRule causes SIG11 when user-name does not contain @ or # characters

Symptoms: Cisco AR logs show that ExecTimeRule caused an exception.

Conditions: The ExecRealmRule is used in a policy and the user-name attribute does not contain the # or @ delimiter. If the other checks pass (value is long enough), the check causes an invalid pointer.

Workaround: None

CSCdx03796

Accounting logs do not roll each minute

Symptoms: Accounting files do not roll on exact time when using cron style rollover.

Conditions: The local accounting service has a cron style rollover schedule. However, the file rolls sometime around the specified time instead of exact time.

Workaround: None

CSCdx16371

Replication not using DB transactions, may corrupt DB

Symptoms: Unknown

Conditions: Replication took place during configuration changes in another instance of aregcmd.

Workaround: None

CSCdx27041

aregcmd segmentation faults for the command set p <prot> under /Radius/RemoteServers

Symptoms: aregcmd cores after you try to set the protocol of a remote server.

Conditions: The administrator tried to set the protocol of a remote server using set p.

Workaround: Use more than the letter p when setting the protocol property of a remote server, such as:
set pr <protocol>

CSCdx32329

AR fails to rollover accounting files after daylight savings time changes

Symptoms: After daylight savings time change, the Access Registrar server does not adjust to the new time properly. Although the accounting logs have the correct timestamps, the file rollover occurs using the old time.

Conditions: A time change occurs, such as during daylight savings time starting or ending, but AR still rolls accounting logs at the time set prior to the time change. All the date stamps are correct in logs, but log rollover occurs at the wrong time.

Workaround: After a daylight savings time change, stop then restart the Cisco AR server.
arserver stop
arserver restart

CSCdx36034

aregcmd history is not working for commands of length greater than 98

Symptoms: History does not work in aregcmd

Conditions: When an administrator configures any attribute with length greater than 98.

Workaround: You must manually type the commands again.

CSCdx48648

Session is not cleaned up after an error

Symptoms: The following error message is displayed:

<date> <time> name/radius/1 Error Protocol 0 Session Manager <name> was unable to process accounting start since the packet did not contain the Acct-Session-Id field. This must be present in an accounting start packet.

Conditions: Clean install with examples. Set AllowAccountingStartToCreateSessions to TRUE in the default session manager. Submit an Accounting-Start packet that has no Acct-Session-Id attribute.

Workaround: Remove the session.

CSCdy43556

Cisco AR server cores with reload after particular sequence of commands

Symptoms: Cisco AR cores when reload is given after a particular sequence of commands in aregcmd non-interactive mode.

Conditions: In aregcmd non-interactive mode, a dummy remote server is added and saved, a RADIUS service with the dummy remote server is added and saved, a tcl script is added and set as the incoming script for the new RADIUS service, saved and reloaded.

Workaround: Allow some time delay after saves.

CSCdy51974

lastRequestTime in stats output not updated

Symptoms: The lastRequestTime of the aregcmd stats output always displays "<no requests have been received>" even when confirmed requests were sent.

Conditions: For a RADIUS remote server, the lastRequestTime is never updated when the trace shows a packet being sent. Also, the display seems backwards since a request would be sent, not received, through a remote server.

Workaround: None

CSCdy71500

Word validation misspelled from trace log

Symptoms: When working on replication, the trace log showed a CRC mismatch message such as "09/23/2002 19:53:09 name/radius/1 Warning Server 0 Transaction data block element failed validatation - CRC mismatch."

Conditions: The word validation is misspelled.

Workaround: None

CSCdy71517

Word committed misspelled in trace log for replication

Symptoms: Once the slave synchronizes with the master for replication, the slave's trace log shows elements being committed with the following message:

09/23/2002 19:45:47 name/radius/1 Info Server 0 Replication Transaction #5 With 1 Elements 
Commited.

Conditions: The message occurs when the elements are being replicated and committed onto the slave machines.

Workaround: None

CSCdy72744

Trampoline will not restart if SNMP agent dies by itself

Symptoms: Trampoline will not restart the SNMP agent if it dies.

Conditions: The SNMP agent dies by itself.

Workaround: Restart the AR server using the following command:
/etc/init.d/arservagt restart

CSCdy84757

Incomplete error message when a port with wrong Type is added

Symptoms: Incomplete path in the error message displayed by aregcmd when a new port with an invalid Type is added.

Conditions: A new port is added with an invalid type.

Workaround: None.

CSCdz06157

totalPacketsInUse value can become corrupted

Symptoms: The totalPacketsInUse value never goes down, even when there are no packets being processed by the server. When the server proxies its requests, the name_radius_1_log file may contain these messages:

10/18/2002 4:54:55 name/radius/1 Error Server 0 RADIUS has used 1662 of its 1024 request buffers: the server is dropping 1 request; 1056 packets dropped total.

You can see that the server has used more packets than configured for the packet pool.

Conditions: The server was reloaded (using the aregcmd reload command) while processing packets.

Workaround: Completely restart the Cisco AR server using the /etc/init.d/arscript.

CSCdz09230

enum 6 for Tunnel-Medium-Type incorrect in mcdConfig.txt

Symptoms: Cannot set the Tunnel-Medium-Type to 802, which is in RFC2868.

Conditions: The server did not have this defined correctly.

Workaround: Manually add the value to //localhost/Radius/Advanced/Attribute Dictionary/Tunnel-Medium-Type/Enums using the following commands:

cd //localhost/Radius/Advanced/Attribute Dictionary/Tunnel-Medium-Type/Enums

set 6 806

CSCdz19468

ODBC does not handle JOIN and DISTINCT SQL queries

Symptoms: ODBC fails when an SQL join query is set with more than one 'and' condition. With such a query, ODBC returns an empty row and Cisco AR rejects the existing users.

Conditions: SQL queries with the 'distinct' keyword do not work. The packet processing stops in the authentication stage.

Workaround: Change the SQL join query to use one 'and' condition.

CSCdz21901

LDAP connections can lose packets

Symptoms: The totalPacketsInUse and totalRequestsPending stick at a value above zero with no traffic going through the server.

Conditions: At least two LDAP servers are in use and the network begins to flap randomly. The problem seems to appear more often with DNSLookupAndLDAPRebindInterval activated.

Workaround: Completely reload the server using the /etc/init.d/arserver script.

CSCdz34402

OutageScript not invoked when RemoteServer outage occurs

Symptoms: The outage script is not invoked when a remote server outage occurs.

Conditions: Remote server outage occurs.

Workaround: None.

CSCdz36359

aregcmd incorrectly saves integer values of an ENUM

Symptoms: The administrator added a new ENUM to an attribute in the attribute dictionary, but it does not appear in the list on the next aregcmd instance after saving.

Conditions: The administrator added a new ENUM to an attribute in the attribute dictionary whose value is purely an integer (an example of this is Tunnel-Medium-Type and enum 6).

Workaround: Change the attribute type to an integer instead of ENUM and use the attribute according to the raw enum number instead of the string value (in the above attribute, use a value of 6 instead of 802).

CSCdz36374

Cisco AR does not start when AV pair ENUM value an integer

Symptoms: Cisco AR does not start properly after setting an AV pair in an attribute list to use an attribute of type ENUM to an integer value.

Conditions: The attribute (such as Tunnel-Medium-Type) is an ENUM type and one of the enums is an integer (for example, 6 = 802). The administrator used this AV pair in an attribute list for a profile, group, or user.

Workaround: Change the attribute to a UINT32 and use the raw integer value of the enum (6 in the above example).

CSCdz41072

The attributes list in a user not clearing dirty bit after save

Symptoms: aregcmd asks if you wish to save changes immediately after a successful save.

Conditions: An attribute was deleted from the attributes list in the user object.

Workaround: None

CSCdz60623

Multiple policies not invoked when ARIsCaseInsensitive FALSE

Symptoms: Only the default SelectPolicy is invoked even when multiple policies are configured.

Conditions: When /Rad/Adv/ARIsCaseInsensitive is set to FALSE and multiple policies have been configured, Cisco AR invokes only the default SelectPolicy.

Workaround: None

CSCdz62333

Install does not allow JRE 1.4.1_01

Symptoms: Administrator is trying to use Sun JRE 1.4.1_01 with Cisco AR 3.0, but the install fails.

Conditions: The JRE is not the original 1.4.1, but a patch (like 1.4.1_01).

Workaround: None

CSCdz64180

rexservice.cpp is not Year 2000 compliant

Symptoms: An accounting log file has date stamps that do not have the correct year (they are 3 digits).

Conditions: The server is using the rexservice.cpp without any changes to it.

Workaround: None.

CSCdz68565

Manual changes file gives 310 error on import

Symptoms: Applying the manual changes file via aregcmd results in a 310 error.

Conditions: The administrator attempted to complete the upgrade process by importing the manual changes file.

Workaround: Remove the line that sets enum 6 in the Tunnel-Medium-Type attribute and reimport. If enum 6 is required, it is necessary to completely remove the attribute, then manually add it again.

CSCdz69474

RolloverSchedule produces many files after new year

Symptoms: Any filename prefix associated with a file service set up with a RolloverSchedule produces many files after the new year change.

Conditions: A file service is set to rollover using a specific schedule (via the RolloverSchedule) and the new year has just passed (such as 01/01/2003).

Workaround: Reload the server just after midnight on the first day of the new year. However, cleanup of files already present may be difficult to resolve.

CSCdz71686

ar-status log does not honor car.conf LOGDIR location

Symptoms: Cisco AR continues to write to the default ar-status log file.

Conditions: The car.conf LOGDIR has been modified.

Workaround: Create a symbolic link to the default ar-status file.

CSCdz81589

Cisco AR processes crash

Symptoms: Cisco AR processes crash.

Conditions: Unknown

Workaround: Unknown

CSCea11274

ODBC to environment mapping does not handle strings greater than 256 bytes

Symptoms: Value of an ODBC mapped environment variable is truncated.

Conditions: An environment variable is used to store information from an ODBC mapping.

Workaround: Split the ODBC value into smaller chunks (use multiple columns) or use multi-row value returns.

CSCea20731

REX put method may give wrong error in log

Symptoms: The server gives an error that it is out of memory while in a REX script (not TCL).

Conditions: An attempt was made to put an invalid value into an attribute in either the request or response dictionaries. For example, a string was the value to the Framed-IP-Address attribute.

Workaround: Ensure that all values are correct for the attribute type.

CSCea20752

Upgrade Cisco AR with a large configuration database can fail

Symptoms: Upgrade fails with a "400 Login failed" error even though the credentials supplied are correct.

Conditions: On large configuration databases that cause Cisco AR to take more than 30 seconds to start, the Cisco AR server is not yet ready to accept MCP connections. This causes aregcmd to fail, which causes the upgrade process to fail. Repeated tries usually do not affect the success rate, unless aregcmd runs just after the server starts (race condition).

Workaround: None

CSCea26379

Upgrade process gives warning message

Symptoms: While upgrading, the following message appears:

Warning: missing newline at end of file /var/sadm/pkg/CSCOar/install/release.batch

Conditions: The administrator is upgrading from a previous version of AR and wishes to keep the config.

Workaround: None

CSCea28869

The preremove script can delete all files in /lib

Symptoms: All the files in /lib are gone.

Conditions: There was an error in the pkgrm, usually because the administrator improperly deleted an installation directory. This causes the preremove script to improperly handle the error.

Workaround: None

CSCin10556

Cisco AR server cores while setting huge value for database

Symptoms: Reload of the server fails.

Conditions: While adding a remote server of type odbc and inside DataSource setting a huge value to DataBase attribute.

Workaround: None

CSCin13784

aregcmd should validate tunnel-password length for 239 characters

Symptoms: aregcmd accepts a value with 253 characters for tunnel-password attribute. But the maximum allowed value for this attribute is 239 characters only.

Conditions: Configure a tunnel-password_tag1 attribute with a value having more than 239 characters.

Workaround: None

CSCin16951

manual.changes file generated in upgrade is not proper

Symptoms: After upgrade, applying the /opt/CSCOar/temp/*manual-changes batch file through aregcmd will throw an error message.

Conditions: Upgrading Cisco AR from 3.0R1 version and using the manual-changes batch file to update the VSAs.

Workaround: In the manual-changes file, change the lines

cd "/Radius/Advanced/Attribute Dictionary/Vendor-Specific/Vendors/3GPP2/SubAttribute Dictionary/CDMA-Release-Ind/Enums/1" PPP/"
set "Service-Timeout"

to

cd "/Radius/Advanced/Attribute Dictionary/Vendor-Specific/Vendors/3GPP2/SubAttribute Dictionary/CDMA-Release-Ind/Enums/"
set 1 "PPP/Service-Timeout"

CSCin18750

Incorrect validation for RADIUS attributes under LDAPToRadiusMapping

Symptoms: Vendor names can be configured as valid RADIUS attributes under LDAPToRadiusMappings and LDAPToCheckItemMappings.

Conditions: Vendor name is configured as a valid attribute in RHS of LDAPToRadiusMappings or LDAPToCheckItemMappings.

Workaround: None

CSCin21474

aregcmd cannot store numbers greater than INT_MAX properly

Symptoms: aregcmd fails to show the correct value entered after saving.

Conditions: When numbers greater than INT_MAX (2147483647) are given as the value of a numeric property.

Workaround: Use a value less than INT_MAX (2147483647).

CSCin22310

Accounting files always use UTC timestamp

Symptoms: Cisco AR uses a UTC time stamp in the accounting file, irrespective of the UseLocalTimeZone property.

Conditions: Set the UseLocalTimeZone property to True.

Workaround: None.

CSCin34840

Set command from aregcmd command line fails

Symptoms: aregcmd gives a 'Bus Error'.

Conditions: Executing the aregcmd command set, as follows:

aregcmd -s set /Radius/Advanced/ReplyMessages/Default Abc

Workaround: Use the set command in aregcmd interactive mode or write the commands to file and use:

aregcmd -sf filename

CSCin36001

Accounting file rollover creates empty files

Symptoms: Cisco AR creates many empty accounting rollover files.

Conditions: Setting only the minutes part in RolloverSchedule.

Workaround: None


Anomalies Fixed in Cisco Access Registrar 3.0R1

This section describes anomalies in Cisco Access Registrar 3.0R0 that have been fixed in Cisco Access Registrar, Release 3.0R1.

Table 16 Anomalies Fixed in Cisco AR 3.0R1 

Bug
Description

CSCdm06836

SessionManager should release a session created by other Session Manager

Symptoms: Cisco AR logs that it could not release a session created by another session manager.

Conditions: A stale session exists in the session table. The next packet on the same NAS ID and port as the stale session triggers a different session manager than the stale session, but the server refuses to clean the stale session.

Workaround: Use release-sessions to manually release the stale session.

CSCdt85018

No validation for booleans in userlists when run from script

Symptoms: Boolean in a user object set to FALSE when it should be true.

Conditions: The user object was added using a batch file and the value was not set to TRUE (the username might have been misspelled). The validation in batch mode does not cause an error in this case.

Workaround: Manually set the value to TRUE.

CSCdu28101

Once a session manager added, cannot query sessions on slave

Symptoms: After a SessionManager is configured on a Cisco Access Registrar system using the Single Master Database Replication feature, it is no longer possible to use the query-sessions and release-sessions commands on slave systems.

Workaround: None

CSCdu55631

NAS-Port is still required even if Session-Key is set

Symptoms: A recent feature allowed an extension point to specify the session key that would be used for session management. When Session-Key is set, it will be used instead of the default combination of NAS-Identifier (or NAS-IP-Address, if NAS-Port is still required even if Session-Key is set

Conditions:

Workaround: Ensure that NAS-Port is present in every request that involves session management.

CSCdu78618

Cisco AR core dumps under load and proxy down

Symptoms: Cisco Access Registrar can core and restart

Conditions: A remote server object is configured with InitialTimeout = 100 and ACKAccounting = false. The remote server that it represents is down and Access Registrar is receiving accounting requests, to be sent to the remote server, under load.

Workaround: Unknown

CSCdw17676

Configuration-only install does not produce a working install

Symptoms: aregcmd cores after a configuration-only install.

Conditions: The administrator installed AR with just the configuration pieces. After it is done, running aregcmd results in a core file and an error that it could not find the car.conf file.

Workaround: Manually create the logs directory and car.conf file.

CSCdw52859

ACK account defaults to FALSE in non-interactive aregcmd

Symptoms: The server does not wait for an accounting-response from a RADIUS proxy server.

Conditions: When the administrator uses batch mode to add remote RADIUS servers, the ACKAccounting field is set to FALSE.

Workaround: Either add the remote server manually or insert a second line into the batch file that explicitly sets ACKAccounting to TRUE.

CSCdw67893

Error loading second service with DNS timer via script

Conditions: Under certain circumstances, loading a second LDAP server with the DNSLookupAndLDAPRebindInterval parameter set using the -f option of aregcmd will cause the RADIUS server to crash.

Symptoms: The response to aregcmd is 401 Unable to access server.

Workaround: Manually restart the server using the start command, or configure additional LDAP servers manually.

CSCdw86578

EAP with userservice set to a RADIUS proxy crashes

Symptoms: After setting the UserService to an EAP service to reference a RADIUS service, the server cores on any packet processed by the EAP service.

Conditions: Either an EAP-LEAP or EAP-MD5 conversation starts. The EAP service references a RADIUS service to proxy the packet to another server. This causes AR to core when the server begins to process the packet.

Workaround: None

CSCdx03064

Cisco-avpair with tag gives core instead of Validation failed

Symptoms: When cisco-avpair with a tag number is configured in the Profile attributes, AR cores instead of reporting a validation failure.

Conditions: Adding a tagged cisco-avpair to the Profile attributes.

Workaround: cisco-avpair_tag1 is not supported; use only cisco-avpair.

CSCdx27477

32 bit sub attributes are not validated

Symptoms: The administrator can add a 32-bit subattribute using an attribute number higher than (2^32)-1.

Conditions: Validation does not correctly find this configuration error and the server may not work properly.

Workaround: Remove the offending attribute or correct the configuration.

CSCdx28240

No Validation for many properties and object under /radius/advanced

Symptoms: Invalid values may be configured into /Radius/Advanced properties.

Conditions: Validation does not work for these properties. Reloading AR with the invalid values causes it to fail to start.

Workaround: Ensure that only valid values appear for each property.

CSCdx29529

Unable to reload AR after sending an EAP Identity response packet

Symptoms: AR does not correctly reload after processing EAP packets.

Conditions: You configure AR to process EAP packets. On the next aregcmd reload command, the server hangs and requires a Ctrl-C before you can issue another reload command.

Workaround: Use Ctrl-C after the reload command, then reload the server again.

CSCdx34244

Large number of Cisco vendor-specific attributes (VSA) is not replicated to slave

Symptoms: Replication fails after adding a large number of attributes to an MVA or a long SQL search string.

Conditions: Configure single master slave replication and add a large number of values to an MVA where the total number of characters for all values exceeds 255. The same can be done with a SQL search string over 255 characters.

Workaround: Make all modifications on the master, then perform a full resynchronization.

CSCdx36437

Packet pool leak after pool is full for a while

Symptoms: The server writes log messages which state that it has used all of its request buffers and is now dropping a request. The server therefore fails to process new incoming requests until it is restarted using arserver restart.

Conditions: Enough request packets are being sent to the server that network conditions cause the packet pool to be filled for a period of time. The network conditions that might cause this include speed of the hardware, response time of remote servers, retry interval of clients, and other network variables.

Workaround: Increase the packet pool size and modify network conditions to alleviate the packet flow problem. For example, try increasing the timeout intervals on clients.

CSCdx38777

aregcmd log has trouble with long strings

Symptoms: Extremely long strings entered in aregcmd (approximately 1024 or more characters) appear as invalid characters in aregcmd_log. The command still takes effect.

Conditions: A long string has been entered in aregcmd.

Workaround: There is no workaround, but note that the problem does not impact the configuration or operation of the server.

CSCdx39907

ODBC select does not see multi-row returns

Symptoms: The administrator configures a user in Oracle to pass back a number of RADIUS Attribute/Value pairs as multiple rows. However, AR sees only one row in the return set.

Conditions: User profile data is stored in ODBC, which returns in a multi-row format from the SQL select statement.

Workaround: Use a BLOB field in Oracle and a script in AR to parse the returned BLOB.

CSCdx41457

Server should not allow eap-sim service as UserService under eap-md5/leap

Symptoms: Services of type eap-sim are accepted as valid entries for the UserService property under eap-md5 and eap-leap services.

Conditions: eap-sim service is specified as UserService under eap-md5 and eap-leap services.

Workaround: Configure only non-eap services as UserService under eap-md5 and eap-leap services.

CSCdx43670

ODBC connections do not close with each reload

Symptoms: AR complains that it's out of file handles for ODBC data connections on reload.

Conditions: Administrator reloads the server using aregcmd. The existing ODBC connections should close at this point, but it seems they do not.

Workaround: Completely reload the server using: arserver restart

CSCdx51895

ODBC RADIUS packet not processed when Null valued column is queried

Symptoms: RADIUS packet will not be processed by Cisco Access Registrar when ODBC remoteserver's SQL is set to query a null valued column.

Conditions: Set ODBC remoteserver's SQL to query a Null value column.

Workaround: None

CSCdx51985

ODBC RADIUSMappings not done for more than one attribute

Symptoms: ODBCToRadiusMapping will not work when the column name is configured in upper case.

Conditions: When column name is configured in upper case under ODBCToRadiusMapping.

Workaround: Configure the column name in lower case under ODBCToRadiusMapping.

CSCdx52688

ODBC logs an error message at startup: SQLFetch() failed

Symptoms: ODBC logs an error message at startup:

"ODBC client SQLFetch() failed"

Conditions: When the SQL string is given with more than the password attribute.

Workaround: None.

CSCdx55196

Cisco specific Traps not working when AR start/stop/restart

Symptoms: Cisco-specific traps are not generated.

Conditions: Do the following to the Cisco AR server: reload, restart, stop, then start

Workaround: None

CSCdx56952

Cache contents are lost when any property is changed under eap-sim

Symptoms: Cache contents are lost and re-initialized when there is a property change or reload of AWACS. This will result either in requesting new triplets from ITP if the triplet cache is lost or in Access-Rejects with the reason "Authenticator not available" if the authenticator cache is lost.

Conditions: When any property under Services/<servicename> or at /Radius level is changed or when AWACS is reloaded.

Workaround: None.

CSCdx59748

Problem in deleting remote-server, AR replication fails.

Symptoms: In a replicated environment, AR member server does not reload or start when a replication involving an elided index object arrives at the member site, from the master.

If the replicated indexed object is a hot-configured object, the problem appears immediately after the replicated changes have been committed to the member database. The changes made to the master site after this shall not be replicated to the affected member site.

If it is not a hot-configured object, the issue doesn't appear until a reload or start via aregcmd or a restart of the server. Replication shall continue till the next hot configured object comes to the member site.

Examples of indexed objects afflicted by this issue include the following:

1. RemoteServers configured under a Service

2. ResourceManagers configured under a SessionManager

3. Services configured under a GroupService

name_radius_1_log for case 1 could contain something like the following:

05/27/2002 5:34:42 name/radius/1 Error Configuration 0 Internal Error in /Services/nest/RemoteServers/: Required property server2/Server did not exist
05/27/2002 5:34:42 name/radius/1 Error Configuration 0 Error in property //servers/name/radius/1/providers/provider1: Provider Created Was Invalid: "Default". Reverting To Original Provider Configuration
05/27/2002 10:02:13 name/radius/1 Info Server 0 Stopping Server

name_radius_1_log for case 2 could contain something like the following:

05/27/2002 10:17:09 name/radius/1 Error Configuration 0 Internal Error in /Radius/SessionManagers/session-mgr-1/ResourceManagers/: Required property resourcemanager3/ResourceManager did not exist

name_radius_1_log for case 3 could contain something like the following:

05/28/2002  5:15:46 name/radius/1 Error Configuration 0 Error in property //servers/name/radius/1/providers/provider1: Provider Created Was Invalid: "Default". Reverting To Original Provider Configuration

Conditions: In a replicated environment, when an indexed object is elided via delete from an object in the master, the replication to the member corrupts the database and prevents the member from further processing.

Workaround: Use unset instead of delete to remove the indexed object in question. If the indexed object has already been deleted, do a full manual resynchronization from the master.

CSCdx63195

DevicePassword not checked for VPI/VCI authentication

Symptoms: Cisco AR does not reject a password when the incorrect DevicePassword is used.

Conditions: Cisco AR has been set up to use VPI/VCI authentication, but the wrong shared secret or DevicePassword is in the config. AR happily translates the user name when the DeviceName matches, regardless of the DevicePassword.

Workaround: None

CSCdx64313

Upgrading Cisco AR from a version prior to version 1.7 will not import SNMP MCD bits

Symptoms: After upgrading from a version of Cisco AR prior to 1.7, such as Cisco AR 1.6, SNMP will not start.

Conditions: Cisco AR was upgraded and the administrator wants to use SNMP. However, the upgrade scripts do not add the MCD bits to start the SNMP daemon.

Workaround: Using the text in the MCD enclosure, use the command: mcdadmin -sli <filename>

CSCdx68361

aregcmd password sent in the clear

Symptoms: aregcmd sends most of its data in clear text.

Conditions: During login, traversing the configuration tree, or changing any configuration, the data sent from aregcmd is in clear text. A hacker could snoop the wire and get passwords during login from a remote system. The only things encrypted are fields that are shown as <encrypted>, such as user passwords.

Workaround: None

CSCdx71752

Tunnel-Password not re-encrypted properly when proxied

Symptoms: When Cisco AR is used as a proxy server, the downstream proxy sends back tunnel attributes from RFC 2868. However, the client shows garbage characters after decryption.

Conditions: Cisco AR is used as a proxy server. Some or all of the servers that Cisco AR proxies to send back RFC 2868 tunnel attributes, namely the Tunnel-Password. This attribute must be decrypted and re-encrypted using the appropriate shared secrets.

Workaround: None

CSCdx76512

Cannot rename users

Symptoms: The administrator changed a user name by setting the Name attribute of the user record. On the save, aregcmd gives a 310 error with no other info in the logs.

Conditions: Rename a user like this in aregcmd: set Name NewName

Workaround: Delete the old user and create a new one. However, this loses the user password.

CSCdx77270

ODBC retrieves wrong values from Oracle DB

Symptoms: In ODBC configuration, the values retrieved from a NUMBER field by SQL query are different from the original values stored in the table. When the profile_id for a user is stored as 1000 in the table, the retrieval value for the same is 1000.000000000000.

Conditions: Configure the ODBC service with a RADIUS or checkitem mapping.

Workaround: None (unless it's possible to change the column to type string).

CSCdx79284

Shutting down a server with busy remote servers can core

Symptoms: The server occasionally creates a core file while being shut down or reloaded.

Conditions: The server has forwarded one or more requests to external RADIUS servers and is waiting for a response.

Workaround: Wait until the server is not waiting for a response to forwarded requests.

CSCdx85562

Failover outagepolicy in ODBC service should not require reload

Symptoms: The Failover outage policy in an ODBC service will not switch over automatically from the off-line remoteserver to the next configured ODBC remoteserver.

Conditions: Configure ODBC service with two or more ODBC remote servers

Workaround: Reload the Cisco AR server.

CSCdx86632

Cisco AR proxies an invalid Tunnel-Password when CHAP-Password is used

Symptoms: Cisco AR sends an invalid encrypted Tunnel-Password to the NAS when the Access-Request packet contains CHAP-Password but no CHAP-Challenge attribute.

Conditions: Cisco Access Registrar server is used as a proxy and a user is configured with tunnel-password attribute in the remote server.

Workaround: Use the CHAP-Challenge attribute along with CHAP-Password.

CSCdy00219

aregcmd does not allow a configuration without service and client

Symptoms: Cisco AR does not allow a configuration to be saved without adding any service and client.

Conditions: If the configuration is being modified for the first time and no service or clients are added to it, aregcmd refuses to save the modified configuration.

Workaround: Include at least one service and one client.

CSCdy02503

Replication of Translationgroup not done properly

Symptoms: The translationgroup object is not replicated to the slave along with the indexed translation object.

Conditions: Configure single master and slave replication and add translation object and translationgroup object to master

Workaround: None

CSCdy06347

Adding an LDAP remote server with all arguments on one line fails

Symptoms: Adding an LDAP remoteserver with all the property values passed as command line parameters under /Radius/RemoteServers gives a validation failed error message in aregcmd.

Conditions: Add an LDAP remote server object with all the arguments passed on the same line under /Radius/RemoteServers.

Workaround: Set the LDAP remote server properties after issuing the command
cd /Radius/RemoteServers/ladpRemoteServer

CSCdy09191

ACHECK fails for service grouping of session services

Symptoms: Cisco AR stops processing packets and a core file appears in $INSTALLPATH.

Conditions: The session service is configured to use a service grouping of multiple session services.

Workaround: None.

CSCdy09926

Cisco AR cores when two services use the same userlist for AA

Symptoms: Cisco AR restarts while processing the packets and a core file appears in the installation directory.

Conditions: Authentication Service and Authorization service are different with type Local and use the same userlist or different userlists (the user should exist in these userlists).

Workaround: None

CSCdy10934

EAP-MD5 is not functional

Symptoms: EAP-MD5 is not functional

Conditions: When EAP-MD5 is used for authentication with real devices.

Workaround: None

CSCdy15869

Dynamic properties not working for individual users

Symptoms: If a dynamic name is used for a user's authentication or authorization script, or for a user group's authorization script, the dynamically determined name will not be used.

Conditions: Dynamically determined names for a user's authentication and authorization scripts and for a user group's authorization scripts do not work.

Workaround: None.

CSCdy17156

Cisco Access Registrar server cores after receiving Accounting-stop if continued session has different NAS

Symptoms: Cisco Access Registrar server cores occasionally.

Conditions: The product may core if IPX resource management and 3G wireless features are used simultaneously.

Workaround: Do not use IPX resource management if 3G wireless features are also in use.

CSCdy17363

The command ls -R <TAB> should give the list of objects in the present directory

Symptoms: ls -R <TAB> will not work in aregcmd.

Conditions: An administrator issues the command ls -R <TAB> inside aregcmd and expects the list of objects in the present directory to be displayed for selection.

Workaround: None

CSCdy18629

Setting an LDAP service to just authorize fails

Symptoms: Cisco AR rejects a user when LDAP is the user store.

Conditions: The LDAP service is on only the authorization service. A different service is on the authentication service.

Workaround: None

CSCdy22300

Authorization only ODBC service not doing environment mapping

Symptoms: Cisco AR does not do ODBC to environment mappings.

Conditions: The server is configured to use different services for authentication and authorization. The authorization service does ODBC to environment mappings.

Workaround: Use an ODBC to RADIUS mapping.

CSCdy22307

Authorization-only service asserts on NULL returns

Symptoms: Cisco AR cores during authorization.

Conditions: The server is configured to use different ODBC services on authentication and authorization. During authorization, the search key is not found in the RDBMS, which returns a NULL result and causes the server to core.

Workaround: Put a dummy record into the database to ensure a NULL return never occurs.

CSCdy23553

Cisco AR 1.7R3 core dumps when adding large userlist

Symptoms: Adding more than 65536 users with aregcmd causes segmentation fault.

Conditions: Only happens when more than 65536 users are added

Workaround: Issue save command after adding each user if userlist is longer than 65536 users.

CSCdy26403

Server asserts after accounting stop

Symptoms: The server stops processing packets for a short time and a core file appears.

Conditions: An accounting stop released a session with the server under load. There are no known controlled steps to reproduce this error.

Workaround: None

CSCdy30737

Send State attribute only if Termination-Action was set (1)

Symptoms: The state attribute appears in the access-accept when the termination-action attribute is not set to RADIUS-request.

Conditions: The server does this automatically and cannot be turned off. This behavior is not RFC 2865 compliant.

Workaround: Create a script that is able to remove the state attribute.

CSCdy31628

Cisco AR cores on reload when first java extension script is configured

Symptoms: Cisco AR cores on reload when a java extension script is configured for the first time.

Conditions: Add a java extension script in AR for the first time.

Workaround: None.

CSCdy33048

Cisco AR asserts modify objects while RADIUS packets are being processed

Symptoms: Cisco AR assertion fails when aregcmd objects are modified while the Cisco AR server is processing RADIUS packets.

Conditions: Configure a remote server and a service of type RADIUS and take the remoteserver off line. Send Access-Request packets and, at the same time, modify any user's properties and save.

Workaround: After adding or modifying an object, reload the server after saving.

CSCdy43797

Security Issue: CERT advisory CA-2002-25 Integer Overflow in XDR

See http://www.cert.org/advisories/CA-2002-25.html

CSCdy53733

Cisco AR does not reconnect to Oracle

Symptoms: Cisco AR does not reestablish a broken connection to an Oracle database.

Conditions: Due to a network or other condition, the Oracle connection established through Cisco AR server's ODBC configuration is lost.

Workaround: Reload Cisco AR to re-establish the Oracle connection.

CSCdy57104

Java example accounting script causes core when not initialized

Symptoms: RADIUS cores when the example Java accounting script is created but not initialized, saved and reloaded.

Conditions: The example Java accounting script is not initialized.

Workaround: Specify initialization parameter when creating the service.

CSCdy66900

LEAP authentication asserts server

Symptoms: During LEAP authentication, a core file appears in $INSTALL.

Conditions: The network is doing LEAP authentication.

Workaround: None

CSCdy70256

Incorrect time stamps for accounting records during DST rollover

Symptoms: During Daylight Savings Time (DST) rollover, Cisco AR server uses the past time stamps while writing accounting records. For example, when DST rollover occurs on April 7 from 2am to 3am, accounting records still show 2am.

Conditions: DST rollover changes occur.

Workaround: Issue reload via aregcmd or restart the server.

CSCdy71515

Property values greater than 254 bytes are not replicated properly

Symptoms: We have seen symptoms ranging from CRC Mismatch to outright core files. Reloads may also have errors about a property, then reverting back to the original provider configuration.

Conditions: Replication is in use. A property value has been changed such that it is longer than 253 bytes. On the next reload, CRC mismatches and start problems appear in the log files. Also, the transaction files in the archive are not the same size. At the same time, it is possible to get an object called "/".

Workaround: None

CSCin09397

aregcmd gives ASSERTION failure on concurrent usage

Symptoms: The command aregcmd asserts.

Conditions: Two users are modifying the configuration using the aregcmd command. One user removes an object and saves the configuration, while another user modifies the object. An assertion occurs when the second user saves the configuration.

Workaround: Do not modify objects which have been deleted by administrators using aregcmd concurrently.

CSCin09816

The name of objects should not be allowed to be set to /

Symptoms: The aregcmd command allows administrators to name objects with the forward slash character (/). It is not possible to edit these objects.

Conditions: Set an object's name to the forward slash character.

Workaround: Do not use the forward slash character in the name of an object.

CSCin10556

Cisco AR cores while setting huge value for DataBase

Symptoms: Reload of the server will fail.

Conditions: Add a remote server of type odbc and, inside DataSource, set a huge value for the DataBase attribute.

Workaround: None

CSCin11474

Cisco AR cores after adding a new script object

Symptoms: The Cisco AR server restarts after adding a new script object and saving the configuration.

Conditions: Install Cisco AR and add a new script object in /Radius/Scripts, then save the configuration.

Workaround: None required.

CSCin12225

Deleting any object with complete path gives failure message

Symptoms: aregcmd gives an error message when an object is deleted with its complete path. Also, the non-interactive mode of aregcmd fails if the configuration contains the deletion of an object with its complete path.

Conditions: Deleting an object with its complete path deletes the object but gives an error message.

Workaround: None

CSCin12715

AscendIncomingScript goes into loop

Symptoms: AscendIncomingScript goes into a loop and ends with fork failed due to unavailability of memory.

Conditions: Set Client vendor type as Ascend and send an access-request packet with CDMA-HA-Ip-addr attribute.

Workaround: None

CSCin13117

Replication fails while adding a user with attributes and checkitem

Symptoms: The user object will not be replicated, and the slave will try to resynchronize and fail continuously.

Conditions: Configuring replication and adding a user object with attributes or checkitems configured in it.

Workaround: None

CSCin14265

Cisco AR fails while changing the name of RADIUS IncomingScript

Symptoms: Cisco AR drops the packets, without giving an error, when the name of the script that is configured as the RADIUS IncomingScript is changed.

Conditions: Configure a built-in script as an IncomingScript and change the configured script's name under /Radius/Scripts.

Workaround: None

CSCin14612

UseLocalTimeZone should also be used for RolloverSchedule

Symptoms: The accounting service property UseLocalTimeZone is not used to do rollover based on UTC when the property is set to FALSE. Rollover still occurs at local time; however, the file names use UTC timing for their naming when the property is set to FALSE.

Conditions: Configure the Rollover schedule to occur in UTC time or Local time.

Workaround: None

CSCin15200

Changing Reply Messages is not working with ODBC

Symptoms: For invalid user, the default reply message 'Access Denied' will come in access-reject packet.

Conditions: Configuring the Reply Message for UnknownUser is not working with ODBC.

Workaround: None

CSCin16358

Cisco AR accepts service of type local as DefaultSessionService

Symptoms: Cisco AR will not give validation error or warning, while setting the service of type 'local' as DefaultSessionService.

Conditions: Set the service of type 'local' as DefaultSessionService

Workaround: None

CSCin17345

Unsetting attribute deletes user from slave during replication

Symptoms: Replication deletes user from slave when attribute or checkitem was unset in the user object at the master.

Conditions: When attribute or checkitem in the user object was unset at the master.

Workaround: Set any property in the user object before saving at the master.

CSCin17380

Login command gives segmentation fault

Symptoms: aregcmd exits, while issuing the login command with cluster and without username and password.

Conditions: Issuing the login command without username and password.

Workaround: None

CSCin18761

Cisco AR should reject Access-Requests that do not contain any NAS information

Symptoms: Cisco AR will not reject Access-Request packets that don't have NAS-IP-Address and NAS-Identifier attributes. These packets are processed by the Cisco AR server as normal packets, but RFC 2865 requires the presence of either or both of these attributes in Access-Request packets.

Conditions: The Cisco AR server receives an Access-Request packet without NAS-IP-Address and NAS-Identifier attributes.

Workaround: Use an extension point script at the server incoming script scripting point that checks for the presence of either of these attributes in the Access-Request packet and rejects the packets that have neither of them.
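
The check described in the CSCin18761 workaround, shown as an added example in Python rather than as a Cisco AR extension point script (it is not code from Cisco or from these release notes). It parses a raw RADIUS datagram and decides whether an Access-Request carries NAS-IP-Address or NAS-Identifier; the function names, return values, and sample packets are assumptions made for illustration.

```python
import struct

# RADIUS constants from RFC 2865.
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32
HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Authenticator (16)


class MalformedPacket(ValueError):
    """Raised when the datagram cannot be parsed as a RADIUS packet."""


def parse_packet(packet):
    """Return (code, {attr_type: [value, ...]}) or raise MalformedPacket."""
    if len(packet) < HEADER_LEN:
        raise MalformedPacket("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    # Octets beyond the Length field are padding; a Length larger than the
    # datagram means the packet was truncated.
    if length < HEADER_LEN or length > len(packet):
        raise MalformedPacket("Length field does not fit the datagram")
    attrs = {}
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise MalformedPacket("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        # The attribute length counts its own two header bytes.
        if attr_len < 2 or pos + attr_len > length:
            raise MalformedPacket("attribute length overruns the packet")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return code, attrs


def has_nas_info(attrs):
    """True if a usable NAS-IP-Address or NAS-Identifier is present."""
    ip_ok = any(len(v) == 4 for v in attrs.get(NAS_IP_ADDRESS, []))
    id_ok = any(len(v) >= 1 for v in attrs.get(NAS_IDENTIFIER, []))
    return ip_ok or id_ok


def incoming_check(packet):
    """Hypothetical incoming-script decision: 'drop', 'reject' or 'continue'."""
    try:
        code, attrs = parse_packet(packet)
    except MalformedPacket:
        return "drop"      # unparseable packets get no reply
    if code == ACCESS_REQUEST and not has_nas_info(attrs):
        return "reject"    # no NAS-IP-Address and no NAS-Identifier
    return "continue"      # hand the packet to normal processing


def build_packet(code, attrs, ident=1):
    """Build a constructed sample packet with an all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return header + bytes(16) + body


# Constructed sample packets (not captured traffic).
WITH_NAS_IP = build_packet(ACCESS_REQUEST, [(USER_NAME, b"bob"),
                                            (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])
WITH_NAS_ID = build_packet(ACCESS_REQUEST, [(USER_NAME, b"bob"),
                                            (NAS_IDENTIFIER, b"nas01.example")])
NO_NAS_INFO = build_packet(ACCESS_REQUEST, [(USER_NAME, b"bob")])
EMPTY_NAS_IP = build_packet(ACCESS_REQUEST, [(NAS_IP_ADDRESS, b"")])
ACCT_NO_NAS = build_packet(ACCOUNTING_REQUEST, [(USER_NAME, b"bob")])

if __name__ == "__main__":
    for name, pkt in [("with NAS-IP-Address", WITH_NAS_IP),
                      ("with NAS-Identifier", WITH_NAS_ID),
                      ("no NAS info", NO_NAS_INFO),
                      ("truncated", NO_NAS_INFO[:-1])]:
        print(name, "->", incoming_check(pkt))
```

The check is applied only to Access-Request packets, as in the workaround; other packet types pass through unchanged.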


Anomalies Fixed in Cisco Access Registrar 3.0R0

This section lists and describes the anomalies from previous versions of Cisco AR that have been fixed in Cisco Access Registrar 3.0R0.

Table 17 Anomalies Fixed in Cisco AR 3.0R0

Bug
Description

CSCdv46401

ReplSlave fails to restore configurations when Error in provider

Symptoms: The user added a new object, which was replicated. The member server attempts to hot-configure the new object, but fails to do so with an assertion error. The server appears to not start correctly.

Conditions: In a replication network, the member could not revert to a previous known good configuration after detecting a bad transaction.

Workaround: Follow resynchronization instructions completely.

CSCdw73875

Completion for numbered options does not work

Symptoms: Command completion does not work for list of ordered objects or the ports list.

Conditions: The administrator is trying to use command completion on a list of ordered objects or the ports list.

Workaround: Fully type out the command or enough of it for an unambiguous match (standard 1.x method).

CSCdw73934

Completion for IP addresses and ports does not work

Symptoms: Command completion does not work for IP addresses or ports in /Radius/Advanced.

Conditions: Administrator is trying to use command completion on the IP address or ports list in /Radius/Advanced.

Workaround: Fully type out the command or enough of it for an unambiguous match (standard 1.x method).

CSCdw85663

Validate does not notice EAP without a Userservice

Symptoms: Cisco AR does not operate correctly with an EAP service

Conditions: The EAP service was defined without a UserService set. This is an illegal configuration that validation does not find.

Workaround: Ensure that a UserService is set.

CSCdx08900

Removing /radius/incoming or /radius/outgoing scripts are not hot configured

Symptoms: Removal of configured /radius/incoming or /radius/outgoing scripts is not detected by the hot-config.

Conditions: When /radius/incomingscript or /radius/outgoing is removed, hot-config does not recognize the change.

Workaround: Perform a reload.

CSCdx11073

Null value for Cisco-AVPair is not validated

Symptoms: Null value for Cisco-AVPair is not validated.

Conditions: When Cisco-AVPair is set to a null value (""), validation passes and the null value is saved successfully. The server fails on reload.

Workaround: Unset Cisco-AVPair instead of setting it to a null value, save and reload.

CSCdx13096

Cannot install Cisco AR to /CSCOar and use SNMP

Symptoms: After installing AR to /AICar1 and enabling SNMP, the server starts in the stopped state.

Conditions: The customer installed AR into the root directory (such as /AICar1) and enabled SNMP. On the next server reload, the server is stopped and the SNMP master agent is not running.

Workaround: Install in a subdirectory, such as the default /opt/CSCOar.

CSCdx15867

pkgadd request script has improper check for non-supported OS

Symptoms: pkgadd fails on an unsupported Solaris version without giving the option to continue.

Conditions: You are trying to install Cisco AR on an unsupported OS, such as Solaris 9, and it doesn't ask you if you want to continue.

Workaround: Modify the request script in CSCOar/install, line 55, by replacing the 2 instances of 5 with a 2.

CSCdx20901

No log messages for ODBC remoteserver connection successful

Symptoms: No log message to indicate a successful connection

Conditions: Configure the 'odbc' remoteserver correctly and perform a reload

Workaround: None

CSCdx23369

No validation for Port under replication member object

Symptoms: No validation for Port property under /Radius/Replication/Rep Members/<rep member name>.

Conditions: Add a new replication member with port property set to ""(NULL) or a string value like "cisco" and do a validate. Validation won't catch this.

CSCdx23947

RADIUS server dies during test resourceAR-test

Symptoms: Cisco AR cores when a packet triggers the use of the AscendIncomingScript script.

Conditions: A client's vendor property is set to Ascend and any packet appearing from that client causes AR to core.

Workaround: Use the Cisco vendor.

CSCdx26222

query-sessions causes 401 and sometimes cores

Symptoms: There is a 401 error in aregcmd after running the query-sessions command. Sometimes there is also a RADIUS core.

Conditions: Default configuration, keep under load for 1-5 minutes, use the customer's packet simulator.

Workaround: Use release-sessions to clear the session table. Of course, the drawback is that the managed resources are released.

CSCdx46297

Environment dictionary cannot handle strings greater than 200 bytes

Symptoms: Values of an environment variable are truncated.

Conditions: An environment variable is used to store information either within the script or from a mapping via LDAP or ODBC.

Workaround: If possible, try to split the value into smaller chunks.

CSCdx48001

ODBC environment mapping drops last character

Symptoms: Reading an environment variable in a script set via an ODBC mapping provides a value that is truncated by at least one character.

Conditions: The administrator has configured AR to perform ODBC to environment mappings. When a script goes to read the variable, the value is truncated by at least one character.

Workaround: None

CSCdx51895

ODBC RADIUS packet is not processed when Null valued column is queried

Symptoms: RADIUS packet will not be processed by AR when ODBC remoteserver's SQL is set to query a null valued column.

Conditions: Set ODBC remoteserver's SQL to query a Null value column.

Workaround: None

CSCin05400

The Replication not happening when Maxfileage is set as 1D

Symptoms: When Maxfileage is set to 1D in the accounting service, replication does not happen. The slave gives a CRC error message.

Workaround: Set the MaxFileAge as "1 Day"

CSCin06732

Should not allow / as Cisco AR install directory

Symptoms: Cisco AR will not work when the install directory is given as "/".

Conditions: When install directory is selected as "/".

Workaround: Select a sub-level directory as the install directory, like /opt/CSCOar.

CSCin08237

Adding service while processing packet with group service cores

Symptoms: When a new service is added while RADIUS is processing a packet with a group service, a core file is generated.

Workaround: None


Known Problems in Solaris 8

This section provides information about known problems with the Solaris 8 operating system or environment that could affect your Sun server's operating capabilities.

Buffer Overflow in Multiple DNS Resolver Libraries (CERT Advisory CA-2002-19)

This defect is a problem with the Solaris Operating Environment and not with the Cisco Access Registrar source code. The fix will be available from Sun since Cisco Access Registrar does not have device control over the Solaris Operating Environment. For more information about this problem including symptoms, conditions, and workaround, refer to the following:

A buffer overflow vulnerability exists in multiple implementations of DNS resolver libraries. Operating systems and applications that utilize vulnerable DNS resolver libraries may be affected. A remote attacker who is able to send malicious DNS responses could potentially exploit this vulnerability to execute arbitrary code or cause a denial of service on a vulnerable system.

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46042&zone_32=category%3Asecurity

Sun is expected to provide an official Solaris patch to correctly repair this defect in the near future.

Systems affected: Applications using vulnerable implementations of the Domain Name System (DNS) resolver libraries, which include, but are not limited to:

Internet Software Consortium (ISC) Berkeley Internet Name Domain (BIND) DNS resolver library (libbind)

Berkeley Software Distribution (BSD) DNS resolver library (libc)

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do


Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.


Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://cisco.com/univercd/cc/td/doc/pcat/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html