
Cisco Access Registrar

Release Notes for Cisco CNS Access Registrar 3.5

Table Of Contents

Release Notes for Cisco Access Registrar 3.5

Contents

Copyright Notice

New Features and Software Changes

Software Enhancements in Cisco AR 3.5.5

Support for Null Service

Support for XML Statistics Using aregcmd

Support for User-Configured Attribute List in Access-Reject

Default Port Type

Software Enhancements in Cisco AR 3.5.4

Retry Sending Accounting-Request

Reverse DDNS Zone Name Synthesis

Invalid EAP Packet Processing

Proxying Session Keys

Trusted Identity Authorization

New Features in Cisco AR 3.5.3

Session Timeout Feature

Support for Solaris 9

New Features in Cisco AR 3.5

Identity Caching

Linux Support

aregcmd

Extensible Authentication Protocols

Dynamic DNS

Packet of Disconnect

Oracle Accounting

New RemoteServers

Related Documentation

System Requirements

Cisco AR 3.5 Full Installation

Cisco AR 3.5 Configuration-Only Installation

Co-Existence With Other Network Management Applications

Cisco AR Performance

Cisco AR on Solaris

Primary Performance Test Results

Cisco AR on Linux

Downloading Cisco Access Registrar Software

Cisco AR 3.5 Licensing

Licensed Features

Getting Cisco AR 3.5 Feature Licenses

Installing Cisco AR 3.5 Licenses

Upgrading Your Cisco AR 3.5 License File

Sample License File

Displaying License Information

aregcmd Command-Line Option

Launching aregcmd

Installing Cisco AR 3.5 Software on Solaris

Deciding Where to Install

Installing Cisco AR Software from CD-ROM

Installing Downloaded Software

Common Installation Steps

RPC Bind Services

Installing Cisco AR 3.5 Software on Linux

Deciding Where to Install

Installing Downloaded Software

Preparing to Use SNMP

Upgrading to Cisco AR 3.5 Software

Upgrade Overview

Disabling Replication

Using pkgrm to Remove Cisco AR Software

Removing the AICar1 Package

Removing the CSCOar Package

Install the License File

Installing Upgrade Software

Restarting Replication

Caveats

Known Anomalies in Cisco AR 3.5.5

Anomalies Fixed in Cisco AR 3.5.5

Anomalies Fixed in Cisco AR 3.5.4

Anomalies Fixed in Cisco AR 3.5.3

Anomalies Fixed in Cisco AR 3.5.2

Anomalies Fixed in Cisco AR 3.5.1

Obtaining Documentation

Cisco.com

Product Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information


Release Notes for Cisco Access Registrar 3.5


Cisco Access Registrar (AR) 3.5 provides RADIUS authentication, authorization, and accounting (AAA) services for service providers and enterprises. Cisco AR supports service provider deployment of access services by centralizing AAA information and simplifying provisioning and management.

Cisco AR 3.5 is a standards-based Remote Authentication Dial-in User Service (RADIUS) and proxy RADIUS server designed for high performance, extensibility, and integration with external data stores and systems.

Cisco AR 3.5 supports a range of access technologies from traditional dial and broadband to wireless LANs and mobile wireless. Cisco AR 3.5 supports the latest wireless authentication protocols such as Extensible Authentication Protocol and Protected EAP used in wireless LAN deployments. Cisco AR 3.5 also is able to make real-time AAA requests to billing systems to support prepaid applications.


Note: This version of Cisco Access Registrar 3.5 can be used with Solaris 8, Solaris 9, or the Red Hat 7.3 Linux operating system using kernel version 2.4.20-24.7, glibc version 2.2.5-42.


CCO Date: May 28, 2004

Revised: March 17, 2008


Note: Cisco AR 3.5 uses a different licensing mechanism than the license key used in earlier releases of Cisco AR. Before you upgrade your Cisco AR server to Cisco AR 3.5 software, you must install a license file. Refer to Cisco AR 3.5 Licensing for detailed information about Cisco AR 3.5 licensing. Installing Cisco AR 3.5 Licenses provides information about how to install the license file.


Contents

This release note contains the following sections:

New Features and Software Changes

Related Documentation

System Requirements

Cisco AR Performance

Downloading Cisco Access Registrar Software

Cisco AR 3.5 Licensing

Installing Cisco AR 3.5 Software on Solaris

Preparing to Use SNMP

Upgrading to Cisco AR 3.5 Software

Caveats

Copyright Notice

This product contains copyrighted programs that are used with permission and are the property of the following respective owners.

Copyright 1989, 1991, 1992 by Carnegie Mellon University

Derivative Work - 1996, 1998-2000

Copyright 1996, 1998-2000 The Regents of the University of California

All Rights Reserved

Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission.

CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

NAI copyright notice (BSD) Copyright © 2001, NAI Labs. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

Neither the name of the NAI Labs nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

New Features and Software Changes

This section lists the new features and software changes in Cisco AR 3.5.

Software Enhancements in Cisco AR 3.5.5

Cisco AR 3.5.5 includes the following enhancements:

Support for Null Service

Support for XML Statistics Using aregcmd

Support for User-Configured Attribute List in Access-Reject

Default Port Type

Support for Null Service

Cisco AR 3.5.5 adds a new null service type. You can use a null service for pass-through authentication, authorization, or accounting (AAA).

When using the Cisco AR identity cache engine (ICE), the null service enables you to use ICE purely as a caching engine based on the RADIUS accounting messages. In this environment, the null service runs only optional incoming and outgoing scripts, maximizing performance and minimizing file system overhead.

The null service can also be used in AA to create an authentication or authorization pass through service. The null service must be configured to bypass (or skip) any of the phases in authentication, authorization or accounting. You can use the null type service to set any of AuthenticationService, AuthorizationService, or AccountingService. In other words, if you do not have to perform authentication, a null service can be used to skip authentication.

Example Configuration

The following shows an example configuration of a null type service:

[ //localhost/Radius/Services/Null-Service ]
Name = Null-Service
Description = 
Type = null
IncomingScript~ = 
OutgoingScript~ = 

Trace Messages

When a null type service bypasses any AAA phase, a trace message is printed when trace is enabled (at trace level 1). For example, when bypassing authentication, the null service will print a trace message like the following:

"01/24/2005  5:11:22: P100: Service Null-Service is bypassing authentication"

Support for XML Statistics Using aregcmd

Cisco AR 3.5.5 provides a collection of statistics specific to XML requests in the output of the aregcmd stats command when used in an identity cache engine environment with an AR-ADD-CACHE license. Table 1 lists the XML statistics supported by this enhancement and their descriptions.

Table 1 Supported XML Statistics

| XML Statistic | Description |
|---|---|
| totalXMLPacketsInPool | Size of the XML packet pool, that is, the value of /Radius/Advanced/MaximumNumberOfXMLPackets. |
| totalXMLPacketsReceived | Total number of XML packets received by the server since the server start or since the last reset-stats command. |
| totalXMLRequests | Each XML packet may contain more than one request. This counter indicates the total number of XML requests received by the server since the server start or since the last reset-stats command. |
| totalXMLResponses | Total number of XML responses sent by the server since the server start or since the last reset-stats command. |
| totalXMLPacketsInUse | Total number of XML packets that are currently being processed. |
| totalXMLPacketsDrained | Total number of XML packets that have been dropped because the XML packet pool is full. |
| totalXMLPacketsDropped | Total number of XML packets dropped since the server start or since the last reset-stats command for reasons other than a full XML packet pool. This counter also includes the packets dropped due to parse failures. |
| totalXMLPacketParseFailures | Total number of XML packets dropped due to an XML packet parse failure. |


Following is an example of the output of the stats command when no XML statistics are found:

Global Statistics for Radius: 
serverStartTime = Thu May 26 01:28:13 2005 
serverResetTime = Thu May 26 01:28:14 2005 
serverState = Running 
totalPacketsInPool = 1024 
totalPacketsReceived = 0 
totalPacketsSent = 0 
totalRequests = 0 
totalResponses = 0 
totalAccessRequests = 0 
totalAccessAccepts = 0 
totalAccessChallenges = 0 
totalAccessRejects = 0 
totalAccessResponses = 0 
totalAccountingRequests = 0 
totalAccountingResponses = 0 
totalStatusServerRequests = 0 
totalAscendIPAAllocateRequests = 0 
totalAscendIPAAllocateResponses = 0 
totalAscendIPAReleaseRequests = 0 
totalAscendIPAReleaseResponses = 0 
totalUSRNASRebootRequests = 0 
totalUSRNASRebootResponses = 0 
totalUSRResourceFreeRequests = 0 
totalUSRResourceFreeResponses = 0 
totalUSRQueryResourceRequests = 0 
totalUSRQueryResourceResponses = 0 
totalUSRQueryReclaimRequests = 0 
totalUSRQueryReclaimResponses = 0 
totalPacketsInUse = 0 
totalPacketsDrained = 0 
totalPacketsDropped = 0 
totalPayloadDecryptionFailures = 0 

Global Statistics for XML: 
No XML packets were received by the server 

Following is an example of the output of the stats command when XML statistics are found:

Global Statistics for Radius: 
serverStartTime = Thu May 26 01:28:13 2005 
serverResetTime = Thu May 26 01:28:14 2005 
serverState = Running 
totalPacketsInPool = 1024 
totalPacketsReceived = 0 
totalPacketsSent = 0 
totalRequests = 0 
totalResponses = 0 
totalAccessRequests = 0 
totalAccessAccepts = 0 
totalAccessChallenges = 0 
totalAccessRejects = 0 
totalAccessResponses = 0 
totalAccountingRequests = 0 
totalAccountingResponses = 0 
totalStatusServerRequests = 0 
totalAscendIPAAllocateRequests = 0 
totalAscendIPAAllocateResponses = 0 
totalAscendIPAReleaseRequests = 0 
totalAscendIPAReleaseResponses = 0 
totalUSRNASRebootRequests = 0 
totalUSRNASRebootResponses = 0 
totalUSRResourceFreeRequests = 0 
totalUSRResourceFreeResponses = 0 
totalUSRQueryResourceRequests = 0 
totalUSRQueryResourceResponses = 0 
totalUSRQueryReclaimRequests = 0 
totalUSRQueryReclaimResponses = 0 
totalPacketsInUse = 0 
totalPacketsDrained = 0 
totalPacketsDropped = 0 
totalPayloadDecryptionFailures = 0 

Global Statistics for XML: 
totalXMLPacketsInPool = 1024 
totalXMLPacketsReceived = 2 
totalXMLRequests = 4 
totalXMLResponses = 4 
totalXMLPacketsInUse = 0 
totalXMLPacketsDrained = 0 
totalXMLPacketsDropped = 0 
totalXMLPacketParseFailures = 0 
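
The counters in Table 1 can be read programmatically from saved stats output. The following is an added example, not Cisco code: it parses text in the layout shown above and flags pool exhaustion and parse failures; the sample values, the function names, and the 1% threshold are assumptions of the example.

```python
import re

# Constructed sample in the layout of the stats output shown above; the XML
# counter values are invented for this example.
SAMPLE_STATS = """\
Global Statistics for Radius:
serverStartTime = Thu May 26 01:28:13 2005
serverState = Running
totalPacketsInPool = 1024
totalPacketsDropped = 0

Global Statistics for XML:
totalXMLPacketsInPool = 1024
totalXMLPacketsReceived = 200
totalXMLRequests = 380
totalXMLResponses = 371
totalXMLPacketsInUse = 3
totalXMLPacketsDrained = 12
totalXMLPacketsDropped = 9
totalXMLPacketParseFailures = 7
"""

# Constructed sample of the case where no XML statistics are found.
NO_XML_STATS = """\
Global Statistics for Radius:
serverState = Running

Global Statistics for XML:
No XML packets were received by the server
"""

SECTION_RE = re.compile(r"^Global Statistics for (\w+):$")
COUNTER_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")


def parse_stats(text):
    """Return {section: {counter: value}}; all-digit values become ints."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = sections.setdefault(section.group(1), {})
            continue
        counter = COUNTER_RE.match(line)
        if counter and current is not None:
            name, value = counter.group(1), counter.group(2).strip()
            current[name] = int(value) if value.isdigit() else value
    return sections


def xml_health(text, max_parse_failure_ratio=0.01):
    """Summarise the XML counters and list conditions worth alerting on.

    The default 1% parse-failure threshold is an assumption of this example.
    """
    xml = parse_stats(text).get("XML", {})
    received = xml.get("totalXMLPacketsReceived", 0)
    if not received:
        # Covers the "No XML packets were received" line and a zero count.
        return {"xml_seen": False, "alerts": []}

    pool = xml.get("totalXMLPacketsInPool", 0)
    parse_failures = xml.get("totalXMLPacketParseFailures", 0)
    report = {
        "xml_seen": True,
        "pool_in_use_ratio": xml.get("totalXMLPacketsInUse", 0) / pool if pool else 0.0,
        "parse_failure_ratio": parse_failures / received,
        # totalXMLPacketsDropped already includes parse failures (Table 1).
        "other_drops": xml.get("totalXMLPacketsDropped", 0) - parse_failures,
        "alerts": [],
    }
    if xml.get("totalXMLPacketsDrained", 0) > 0:
        report["alerts"].append("pool-full")        # packets lost to a full pool
    if report["parse_failure_ratio"] > max_parse_failure_ratio:
        report["alerts"].append("parse-failures")   # malformed XML input
    return report
```
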

Support for User-Configured Attribute List in Access-Reject

Cisco AR 3.5.5 enables Cisco-AV Pair vendor-specific attributes (VSAs) to be sent in the Access-Reject packet. Prior to Cisco AR 3.5.5, only the RFC listed attributes such as Reply-Message and Proxy-State could be included in the packet.

A new object has been introduced in /Radius/Advanced called RFCCompliance. It is used to denote a placeholder for something that might make the product RFC non-compliant. The RFCCompliance object has a single property called AllowRejectAttrs. If it is set to FALSE, attributes will not be passed through a reject packet. If AllowRejectAttrs is set to TRUE, attributes will be allowed to pass through a reject packet.

You add attributes to the response packet using a script. Cisco recommends that you check that you are inserting attributes only when the response is a reject. It is also advisable that you empty the response dictionary before adding attributes so that there is no confusion about which attributes will be returned.

[ /Radius/Advanced/RFCCompliance ]
AllowRejectAttrs = true

If you reset the value of RFCCompliance, you must reload the Cisco AR server.

Default Port Type

Cisco AR 3.5.5 has been enhanced to set a default port type to radius when you add a new port to your Cisco AR server configuration. In previous releases, after adding a port, you had to set its type to the desired type.

Software Enhancements in Cisco AR 3.5.4

Cisco AR 3.5.4 includes the following enhancements:

Retry Sending Accounting-Request

Reverse DDNS Zone Name Synthesis

Invalid EAP Packet Processing

Proxying Session Keys

Trusted Identity Authorization

Retry Sending Accounting-Request

Cisco AR 3.5.4 has been enhanced to retry sending Accounting-Requests to a remote server until a response is received or the value set in Maxtries is reached.

Prior to the release of Cisco AR 3.5.4, if the ACKAccounting property of a remote UDP server was set to FALSE, the Cisco AR server would proxy Accounting-Requests to the remote server only once, regardless of the value configured for the server's Maxtries property. The Cisco AR server would not perform any retries even if it was configured to do so.

With ACKAccounting set to FALSE, AR will always send the Accounting-Response to the client immediately, without waiting for a response from the remote server. This behavior remains the same.

Reverse DDNS Zone Name Synthesis

Cisco AR 3.5.4 has been enhanced to enable DDNS Resource Managers to perform reverse zone synthesis based on the IP address and netmask. This enhancement enables you to configure multiple DDNS Resource Managers in a single Session Manager. Each DDNS Resource Manager can handle a different reverse zone and be used for a different Internet Protocol technology.

Invalid EAP Packet Processing

Cisco AR 3.5.4 has been enhanced to implement fatal error packet handling for Extensible Authentication Protocol (EAP) messages as described in section 2.2 of Internet RFC 3579 which states the following:

A RADIUS server determining that a fatal error has occurred must send an Access-Reject containing an EAP-Message attribute encapsulating EAP-Failure.

Because this enhancement is a deviation from various EAP specifications, you must explicitly enable this feature through a new configuration property in /Radius/Advanced named EapBadMessagePolicy.

You can set the EapBadMessagePolicy property to one of two values: SilentDiscard (the default) or RejectFailure. When set to SilentDiscard, the Cisco AR server silently discards and ignores bad EAP messages unless the protocol specification explicitly requires a failure message. When set to RejectFailure, the Cisco AR server sends RADIUS Access-Reject messages with an embedded EAP-Failure in response to bad EAP messages as described in Internet RFC 3579.

The implementation of EAP authentication methods in Cisco AR 3.5.3 (and earlier releases) behaves as described in Internet RFC 2284 (EAP) and related EAP method specifications. These specify silent discard as the standard way to handle all EAP error conditions. Any EAP response message from the client that contains an error or is received in an invalid authenticator state is discarded and there is no error response.

In a configuration where EAP requests are proxied between RADIUS servers using RADIUS messages (EAP over RADIUS), the silent discard of an EAP message means that no RADIUS response message is sent back to the originating RADIUS server. Because of this, the RADIUS server originating the request eventually declares the destination RADIUS server dead and fails over to a backup server (if so configured).
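
The two EapBadMessagePolicy outcomes can be shown at packet level. The following is an added example, not Cisco AR code: it builds the Access-Reject that RFC 3579 describes (EAP-Message carrying EAP-Failure, plus Message-Authenticator) and shows the checks a proxying RADIUS server can apply to it; the function names and the sample values in the comments are assumptions of the example.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3            # RADIUS code (RFC 2865)
EAP_MESSAGE = 79             # RADIUS attribute types (RFC 3579)
MESSAGE_AUTHENTICATOR = 80
EAP_FAILURE = 4              # EAP code


def _attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_eap_failure_reject(request_id, request_auth, eap_id, secret):
    """Access-Reject with EAP-Message(EAP-Failure) and Message-Authenticator."""
    eap_failure = struct.pack("!BBH", EAP_FAILURE, eap_id, 4)
    attrs = _attr(EAP_MESSAGE, eap_failure) + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REJECT, request_id, 20 + len(attrs))
    # HMAC-MD5 over the packet with the Request Authenticator in the
    # authenticator field and the Message-Authenticator value zeroed.
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def respond_to_bad_eap(policy, request_id, request_auth, eap_id, secret):
    """Return the reply for a bad EAP message, or None when nothing is sent."""
    if policy == "SilentDiscard":
        return None                       # the peer sees a timeout
    if policy == "RejectFailure":
        return build_eap_failure_reject(request_id, request_auth, eap_id, secret)
    raise ValueError("unknown EapBadMessagePolicy: %r" % (policy,))


def verify_reply(packet, request_auth, secret):
    """Validate a reply as the originating server would; return (code, EAP bytes)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator")

    eap, mac, zeroed, i = b"", None, bytearray(attrs), 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2:i + attr_len]
        if attr_type == EAP_MESSAGE:
            eap += value                  # EAP packets may span several attributes
        elif attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("bad Message-Authenticator length")
            mac = value
            zeroed[i + 2:i + attr_len] = bytes(16)
        i += attr_len
    if mac is None:
        raise ValueError("EAP-Message without Message-Authenticator")
    calc = hmac.new(secret, packet[:4] + request_auth + bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(calc, mac):
        raise ValueError("bad Message-Authenticator")
    return code, eap
```

With SilentDiscard the originating server receives nothing to validate, which is the timeout that leads to the dead-server failover described above.
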

Proxying Session Keys

When previous versions of Cisco AR were configured to proxy the Microsoft Point-to-Point Encryption (MPPE) attributes used as session keys in many types of EAP, the proxy server was occasionally unable to re-encrypt the session keys received from a RADIUS peer. The failure was accompanied with the following generic error message that did not indicate where the failure occurred:

"Unable to proxy MS-MPPE session keys"

Cisco AR 3.5.4 has been enhanced to eliminate the cause of this type of failure. Additionally, the text of all relevant error messages has been modified to enable technical support to determine exactly where an error of this type occurred. Additional tracing and logging statements have been added to Cisco AR 3.5.4 that provide detailed error information, including a dump of the RADIUS packet in case an error is detected during the handling of MPPE attributes.
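
Re-encryption is needed because the MPPE key attributes are encrypted per hop. The following is an added example, not Cisco AR code, and it goes beyond the page by following the RFC 2548 salt encryption: a proxy decrypts the key with the secret and Request Authenticator of the server leg and encrypts it again for the NAS leg, raising an error that names the failing step; all names and sample values are assumptions of the example.

```python
import hashlib
import os


class MppeKeyError(ValueError):
    """Raised with a message that names the step that failed."""


def _xor_chain(secret, authenticator, salt, data, decrypting):
    # b(1) = MD5(secret + authenticator + salt); b(i) = MD5(secret + c(i-1))
    out, prev = b"", authenticator + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = block if decrypting else result   # always chain on ciphertext
    return out


def encrypt_mppe_key(key, secret, authenticator, salt=None):
    """Return salt + ciphertext for the String field of an MS-MPPE-*-Key."""
    if len(authenticator) != 16:
        raise MppeKeyError("encrypt: Request Authenticator must be 16 octets")
    if not 0 < len(key) <= 239:
        raise MppeKeyError("encrypt: key does not fit one vendor-specific attribute")
    if salt is None:
        raw = os.urandom(2)
        salt = bytes([raw[0] | 0x80, raw[1]])    # high bit of the salt must be set
    elif len(salt) != 2 or not salt[0] & 0x80:
        raise MppeKeyError("encrypt: salt must be 2 octets with the high bit set")
    plain = bytes([len(key)]) + key
    plain += bytes(-len(plain) % 16)             # zero padding to a 16-octet multiple
    return salt + _xor_chain(secret, authenticator, salt, plain, False)


def decrypt_mppe_key(value, secret, authenticator):
    """Recover the key; the padding check is a sanity check of this example."""
    if len(authenticator) != 16:
        raise MppeKeyError("decrypt: Request Authenticator must be 16 octets")
    if len(value) < 18 or (len(value) - 2) % 16:
        raise MppeKeyError("decrypt: ciphertext is not a multiple of 16 octets")
    salt, cipher = value[:2], value[2:]
    if not salt[0] & 0x80:
        raise MppeKeyError("decrypt: salt high bit not set")
    plain = _xor_chain(secret, authenticator, salt, cipher, True)
    key_len = plain[0]
    if key_len == 0 or key_len > len(plain) - 1:
        raise MppeKeyError("decrypt: key length invalid (wrong secret or authenticator?)")
    if any(plain[1 + key_len:]):
        raise MppeKeyError("decrypt: non-zero padding (wrong secret or authenticator?)")
    return plain[1:1 + key_len]


def reencrypt_for_client(value, server_secret, server_auth,
                         client_secret, client_auth, salt=None):
    """Proxy step: decrypt with the server-leg values, encrypt for the NAS leg."""
    key = decrypt_mppe_key(value, server_secret, server_auth)
    return encrypt_mppe_key(key, client_secret, client_auth, salt)
```
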

Trusted Identity Authorization

Cisco AR 3.5.4 can be used in a Service Selection Gateway (SSG) - Cisco Subscriber Edge Services Manager (SESM) deployment to enable the Trusted ID Authorization feature.

The Trusted ID feature provides transparent login capabilities for users based on a trusted ID instead of the user's name, enabling end users of an SSG to maintain an always-on connection without the need to authenticate on each connect. Using SSG's Transparent Auto-Login (TAL) feature, a TAL access-request packet contains a Trusted ID, such as a MAC address, that identifies the user without the user's real username and password. The SESM Profile Management Guide provides detailed information about Trusted ID authorization in SESM.

For detailed information about Trusted ID, including software requirements and how to configure the Cisco AR server to use Trusted ID with SESM, see the online documentation in the Cisco AR User Guide:

Using Trusted ID Authorization with SESM

New Features in Cisco AR 3.5.3

Cisco AR 3.5.3 includes a new session timeout feature and support for running Cisco AR on the Solaris 9 operating system.

Session Timeout Feature

Cisco AR 3.5.3 provides a session timeout feature. Stale sessions have been a common issue for Cisco AR users. A stale session occurs when a user disconnects from the network, but the Cisco AR server does not receive the information and is unable to delete the session's records. Stale sessions cause an inaccurate picture of network resources and can lead to denied network access if resources become depleted or access rejection for users exceeding their session limit. Stale sessions can increase costs due to unnecessary support calls to manually delete sessions.

The session timeout feature in Cisco AR 3.5.3 provides timeout for sessions. After the timeout has expired, a session will be considered stale by the Cisco AR server, and all resources allocated to that stale session will be released. Two new properties support the session timeout feature:

SessionPurgeInterval

SessionTimeOut

If the SessionPurgeInterval property is set, the Cisco AR server will check SessionManagers with a SessionTimeOut value set for timed-out sessions at the time interval specified by the SessionPurgeInterval property and release the timed-out sessions and their resources. Both properties must be set to use the session timeout feature.

SessionPurgeInterval

The SessionPurgeInterval is a new property under /Radius/Advanced that determines the time interval at which to check for timed-out sessions. If no value is set, the feature is disabled. The checks are performed in the background when system resources are available, so checks might not always occur at the exact time set.

This is an optional property. The minimum recommended value for SessionPurgeInterval is 60 minutes. The SessionPurgeInterval value is comprised of a number and a units indicator, as in n units, where a unit is one of minutes, hours, days, or weeks.

SessionTimeOut

The SessionTimeOut property is a new SessionManager property that allows you to enable or disable the session timeout feature for specific session managers. If the SessionTimeOut property is set to a value under a session manager, all sessions that belong to that session manager will be checked for timeouts at each SessionPurgeInterval. If any sessions have timed out, they will be released, and all resources associated with those sessions are also released.

The SessionTimeOut property determines the timeout for a session. If the time difference between the current time and the last update time is greater than this property's value, the session is considered to be stale. The last update time of the session is the time at which the session was created or updated.

The SessionTimeOut property is optional; no value for this property means the session timeout feature is disabled. The minimum recommended value for SessionTimeOut is 60 minutes. The SessionTimeOut value is comprised of a number and a units indicator, as in n units, where a unit is one of minutes, hours, days, or weeks.
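
The purge rule and the "both properties must be set" condition can be checked against a planned configuration. The following is an added example, not Cisco AR code: it parses "n units" values, applies the staleness rule described above, and warns about settings that leave the feature inactive or below the recommended minimum; the data layout, names, and sample sessions are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

_UNITS = {"minutes": 60, "hours": 3600, "days": 86400, "weeks": 604800}
# This example's reading of "n units"; the exact syntax Cisco AR accepts may differ.
_INTERVAL_RE = re.compile(r"^\s*(\d+)\s+(minutes|hours|days|weeks)\s*$", re.IGNORECASE)
MIN_RECOMMENDED = timedelta(minutes=60)
NOW = datetime(2005, 1, 24, 12, 0, 0)     # constructed reference time


def sample_managers():
    """Constructed session managers: one with a timeout, one without."""
    return {
        "sm-wireless": {"SessionTimeOut": "2 hours", "sessions": {
            "s1": datetime(2005, 1, 24, 9, 59),    # 2 h 1 min old: stale
            "s2": datetime(2005, 1, 24, 10, 0),    # exactly 2 h old: kept
            "s3": datetime(2005, 1, 24, 11, 30)}},
        "sm-dial": {"SessionTimeOut": None, "sessions": {
            "s9": datetime(2005, 1, 20, 8, 0)}},   # old, but no timeout is set
    }


def parse_interval(value):
    """Return a timedelta, or None when the property is unset."""
    if value is None or not value.strip():
        return None
    match = _INTERVAL_RE.match(value)
    if not match:
        raise ValueError("expected 'n units', got %r" % (value,))
    return timedelta(seconds=int(match.group(1)) * _UNITS[match.group(2).lower()])


def lint_timeout_config(purge_interval, session_managers):
    """Warn about settings that disable the feature or undercut the minimum."""
    warnings = []
    purge = parse_interval(purge_interval)
    if purge is not None and purge < MIN_RECOMMENDED:
        warnings.append("SessionPurgeInterval below the recommended 60 minutes")
    for name, manager in sorted(session_managers.items()):
        timeout = parse_interval(manager.get("SessionTimeOut"))
        if timeout is None:
            continue
        if purge is None:
            warnings.append(name + ": SessionTimeOut set but SessionPurgeInterval "
                            "is unset, so no sessions are purged")
        if timeout < MIN_RECOMMENDED:
            warnings.append(name + ": SessionTimeOut below the recommended 60 minutes")
    return warnings


def purge_stale_sessions(purge_interval, session_managers, now):
    """One purge pass; returns {manager: [released session ids]}."""
    released = {}
    if parse_interval(purge_interval) is None:
        return released                    # no purge interval: feature disabled
    for name, manager in session_managers.items():
        timeout = parse_interval(manager.get("SessionTimeOut"))
        if timeout is None:
            continue                       # this session manager is never checked
        stale = sorted(sid for sid, last_update in manager["sessions"].items()
                       if now - last_update > timeout)   # strictly greater than
        for sid in stale:
            del manager["sessions"][sid]   # release the session and its resources
        if stale:
            released[name] = stale
    return released
```
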

Support for Solaris 9

You can install and run Cisco AR 3.5.3 on a workstation running the Solaris 9 operating system. Cisco provides separate Cisco AR installation packages for Solaris 8 and Solaris 9.

New Features in Cisco AR 3.5

This section lists the new features and software changes in Cisco AR 3.5 and includes the following:

Identity Caching

Linux Support

aregcmd

Cisco AR 3.5 Licensing

Cisco AR 3.5 uses a different licensing mechanism than the license key used in earlier releases of Cisco AR. Before you upgrade your Cisco AR server to Cisco AR 3.5 software, you must install a license file. Installing Cisco AR 3.5 Licenses provides information about how to install the license file.

Extensible Authentication Protocols

Cisco AR 3.5 includes the following new EAP authentication methods:

PEAP Version 0 (Microsoft PEAP)

PEAP Version 1 (Cisco PEAP)

EAP-MSChapV2

EAP-Negotiate

EAP-GTC

EAP-Transport Level Security (TLS)

Dynamic DNS

Packet of Disconnect

Oracle Accounting

New RemoteServers

Identity Caching

Cisco Access Registrar 3.5.2 (and above) software includes the identity caching feature. Identity caching provides subscriber identity resolution services with fast access to associated subscriber identity data for service providers, enabling them to offer new services to their customers based on identity caching and context information management.

Linux Support

Cisco AR 3.5.2 (and above) runs on Red Hat 7.3, kernel version 2.4.20-24.7, glibc version 2.2.5-42.

aregcmd

Cisco AR 3.5 adds two new command line options to aregcmd, -l and -V. Entering the command line aregcmd -l <$INSTALL/license> provides licensing information. Entering the command line aregcmd -V starts the session in view-only mode even if the administrator is not a view-only administrator.

"General Command Syntax" section on page 1 in Chapter 2, "Using the aregcmd Commands," provides more detailed information. See the Cisco CNS Access Registrar User Guide at:

http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/user/guide/users.html

Extensible Authentication Protocols

The Extensible Authentication Protocol (EAP) provides for support of multiple authentication methods. Cisco AR 3.5 adds support for the following EAP authentication methods:

PEAP Version 0 (Microsoft PEAP)

PEAP Version 1 (Cisco PEAP)

EAP-MSChapV2

EAP-Negotiate

EAP-GTC

EAP-Transport Level Security (TLS)

Chapter 7, "Extensible Authentication Protocols," provides detailed information about the EAP authentication methods. See the Cisco CNS Access Registrar User Guide at:

http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/user/guide/eap.html

Dynamic DNS

Cisco AR 3.5 supports the Dynamic DNS protocol providing the ability to update DNS servers. The dynamic DNS updates contain the hostname/IP Address mapping for sessions managed by Cisco AR.

You enable dynamic DNS updates by creating and configuring new Resource Managers and new Remote Servers, both of type dynamic-dns. The dynamic-dns Resource Managers specify which zones to use for the forward and reverse zones and which Remote Servers to use for those zones. The dynamic-dns Remote Servers specify how to access the DNS Servers.

Dynamic DNS in Chapter 13, "Using Cisco Access Registrar Server Features," provides more detailed information. See the Cisco CNS Access Registrar User Guide at:

http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/user/guide/features.html

Packet of Disconnect

Cisco AR 3.5 adds support for the Packet of Disconnect (POD). The POD feature enables Cisco AR to send disconnect requests (PODs) to a NAS so that all the session information and the resources associated with the user sessions can be released. Cisco AR can also determine when to trigger and send the POD.

For example, when a PDSN handoff occurs during a mobile session, the new PDSN sends out a new access-request packet to Cisco AR for the same user. Cisco AR should detect this handoff by the change in NAS-Identifier in the new request and trigger sending a POD to the old PDSN if it supports POD. Cisco AR also provides an option for an administrator to initiate sending POD requests through the command-line interface (CLI) for any user session. Cisco AR forwards POD requests from external servers to the destination NAS.

Packet of Disconnect in Chapter 13, "Using Cisco Access Registrar Server Features," provides more information about using Packet of Disconnect. See the Cisco CNS Access Registrar User Guide at:

http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/user/guide/features.html


Note: If you have been using the PoD feature in Cisco AR 3.5.1, you are affected by a change made in Cisco AR 3.5.2. In Cisco AR 3.5.1, the attributes NAS-Port and Acct-Session-Id were sent in a POD packet by default. In Cisco AR 3.5.2, these attributes are no longer sent by default. If you require attributes NAS-Port and Acct-Session-Id in a disconnect request, you must configure them in the corresponding attribute group in /Radius/Advanced/PODAttributes/.


Oracle Accounting

Previous releases of Cisco AR supported accessing user data from an Oracle database using Open Database Connectivity (ODBC), but this feature was limited to performing authentication and authorization (AA). You could only write the accounting records to a local file or proxy them to another RADIUS server. Cisco AR 3.5 supports writing accounting records into an Oracle database, enabling integration between billing systems and Oracle.

Oracle Accounting in Chapter 6, "RADIUS Accounting," provides detailed information about Oracle Accounting. See the Cisco CNS Access Registrar User Guide at:

http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/user/guide/accountg.html

New RemoteServers

Previous releases of Cisco AR supported only three types of RemoteServer: radius, ldap, and odbc. Cisco AR 3.5 adds five new types of RemoteServer objects including the following:

Dynamic DNS

Map-Gateway

ODBC-Accounting

Prepaid-CRB

Prepaid-IS835C

Remote Servers in Chapter 3, "Cisco Access Registrar Server Objects," provides detailed information about the new RemoteServer objects. See the Cisco CNS Access Registrar User Guide at:

http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/user/guide/objects.html

Related Documentation

The following is a list of the documentation for Cisco Access Registrar 3.5. You can access the URLs listed for each document at www.cisco.com on the World Wide Web. We recommend that you refer to the documentation in the following order:

Cisco Access Registrar 3.5 Installation and Configuration Guide (OL-5983-02)

http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/installation/guide/install_1.html

Cisco Access Registrar 3.5 User's Guide (OL-5984-02)

http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/user/guide/users.html

Cisco Access Registrar 3.5 Concepts and Reference Guide (OL-2683-01)

http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/3.5/concepts/guide/concepts.html

System Requirements

This section describes the system requirements for installing the Cisco AR 3.5 software.

Cisco AR 3.5 Full Installation

Table 2 lists the system requirements for a full installation of Cisco AR 3.5.

Table 2 Cisco Access Registrar 3.5 Full Installation Requirements

| Component | Requirement |
|---|---|
| CPU Architecture | SPARC (Solaris 8, Solaris 9) or x86 (Linux) |
| Minimum RAM | 64 MB |
| Recommended RAM | 128 MB |
| Recommended Disk Space | 175 MB |


Cisco AR 3.5 Configuration-Only Installation

Table 3 lists the system requirements for installing the configuration-only component of Cisco AR 3.5.

Table 3 Cisco AR 3.5 Configuration-only Requirements

| Component | Requirement |
|---|---|
| CPU Architecture | SPARC |
| OS Version | Solaris 8 or Solaris 9 |
| Minimum RAM | 32 MB |
| Recommended RAM | 64 MB |
| Recommended Disk Space | 50 MB |


The recommended disk space does not include the amount of space needed for accounting records which can grow rapidly depending on how frequently you process and remove them from the Cisco AR 3.5 disk. If Cisco AR 3.5 runs out of disk space, it could cause the loss of accounting information and the corruption of session management information.

Co-Existence With Other Network Management Applications

To achieve optimal performance, Cisco Access Registrar should be the only application running on a single machine. You can choose to run collaborative servers such as an Oracle or SQL database system, an LDAP server, or another Solaris application. There are no known conflicts with any other Solaris applications.

You can configure Cisco AR 3.5 to avoid UDP port conflicts with other network management applications. The most common conflicts occur when other applications also use ports 2785 and 2786. Another possible conflict could be SNMP. If you configure and use SNMP on your Cisco AR server, no other application can be configured to use SNMP on the Cisco AR machine.


Note: Cisco Network Registrar and Cisco AR 3.5 cannot co-exist on the same workstation.


Cisco AR Performance

This section provides information about Cisco AR performance results for Cisco AR on Solaris and Cisco AR on Linux.

Cisco AR on Solaris

The Cisco AR 3.5.5 performance tests were run on a Sun Fire V210 with 2 GB RAM, two 1000 MHz UltraSPARC-3i processors, one 36 GB SCSI-UW disk, and the Solaris 8 64-bit kernel. Further platform tests were done to compare across multiple platforms. The reported numbers are an average of 100 test runs with results outside of the second deviation dropped.


Note The platform used for these performance tests differs from previous platforms.


The LDAP servers run on an HP Kayak XU with 256 MB RAM, two 500 MHz Pentium 3 processors, a 9.1 GB SCSI-UW disk, and Windows 2000 with Service Pack 4. No special performance tuning was made to the servers or to Cisco AR. All LDAP tests were run with three proxy servers in a round-robin configuration. The Oracle servers run on the same platform, with the same number of servers in a round-robin configuration.

The LDAP vendor was the iPlanet Directory Server 4.11. The Oracle server used was version 9.2.0.1. Both data stores have at least 10,000 users.

For the ODBC with Oracle Accounting tests, Oracle 9.2.0.5 was installed on a Sun Fire 280R with 8 GB RAM, two 1200 MHz UltraSPARC-3+ processors, one 36 GB FC-AL disk and the Solaris 8 64-bit kernel.

Numbers of transactions are given in RADIUS Pairs Per Second (RPPS). In general, one transaction is one RADIUS request and response pair (for example, an access-request and an access-accept). The specific pair usage for each test type is as follows:

One AA transaction uses one RADIUS pair

One AAA transaction uses three RADIUS pairs

One accounting-only transaction uses two RADIUS pairs

Primary Performance Test Results

Table 4 lists performance test results for Cisco AR 3.5.5 when using a local database.

Table 4 Local Database Performance Test Results

Transaction Type                    Results
AA                                  2404 RPPS
AAA                                 2433 RPPS
Accounting only                     2690 RPPS
AA plus Session Management          910 RPPS
AAA plus Session Management         1047 RPPS
AA Latency                          1.012 ms
Accounting Latency                  100.01 ms
AA plus Session Management Latency  122.429 ms


Table 5 lists performance test results for Cisco AR 3.5.5 when used with a proxy server and a local database.

Table 5 Proxy Server with Local Database Performance Test Results

Transaction Type                    Results
AA                                  2184 RPPS
AAA                                 1788 RPPS
Accounting only                     1854 RPPS
AA plus Session Management          778 RPPS
AAA plus Session Management         945 RPPS
AA Latency                          1.947 ms
Accounting Latency                  108.98 ms
AA plus Session Management Latency  125.022 ms


Table 6 lists performance test results for Cisco AR 3.5.5 when used with an LDAP server.

Table 6 LDAP Server Performance Test Results

Transaction Type             Results
AA                           1386 RPPS
AAA                          1335 RPPS
AA plus Session Management   224 RPPS
AAA plus Session Management  990 RPPS


Table 7 lists performance test results for Cisco AR 3.5.5 when used with an ODBC server.

Table 7 ODBC Server with Local Accounting Performance Test Results

Transaction Type             Results
AA                           1270 RPPS
AAA                          1893 RPPS
AA plus Session Management   836 RPPS
AAA plus Session Management  1254 RPPS


Table 8 lists performance test results for Cisco AR 3.5.1 when used with an ODBC server and Oracle accounting.

Table 8 ODBC Server with Oracle Accounting Performance Test Results

Transaction Type             Results
AA                           451.68 RPPS
AAA                          952.05 RPPS
Accounting only              1719.40 RPPS
AA plus Session Management   224.86 RPPS
AAA plus Session Management  788.07 RPPS


Cisco AR on Linux

Table 9 lists performance test results for Cisco AR 3.5.2 on Linux when using a local database. The platform used to obtain these results consisted of an IBM x335 dual-processor Pentium Xeon with 2.60 GHz clock and 2 GB memory.

Table 9 Linux Local Database Performance Test Results

Transaction Type             Results
AA                           3220.17 RPPS
AAA                          3155.19 RPPS
Accounting only              4621.54 RPPS
AA plus Session Management   2604.90 RPPS
AAA plus Session Management  2547.69 RPPS


Downloading Cisco Access Registrar Software

Cisco AR 3.5 software is available for download from http://www.cisco.com at the following URL:

http://www.cisco.com/pcgi-bin/tablebuild.pl/access-registrar-encrypted?sort=release

The page at this URL lists all versions of Cisco AR software available for download. The current Solaris 8 version is named CSCOar-3.5.5-sunos58-k9.tar.gz. The current Solaris 9 version is named CSCOar-3.5.5-sunos59-k9.tar.gz. The current RedHat Linux version is named CSCOar-3.5.5-linux2420-install-k9.sh.

Complete the following steps to download the software.


Step 1 Create a temporary directory, such as /tmp, to hold the downloaded software package.

Step 2 Enter the URL to the Cisco.com web site for Cisco AR software:

http://www.cisco.com/pcgi-bin/tablebuild.pl/access-registrar-encrypted?sort=release

Step 3 Click the link for the Cisco AR 3.5 software package you want to download:

CSCOar-3.5.5-sunos58-k9.tar.gz for the Solaris 8 version, or
CSCOar-3.5.5-sunos59-k9.tar.gz for the Solaris 9 version, or
CSCOar-3.5.5-linux2420-install-k9.sh for the Linux version.

The Encryption Software Export Distribution Authorization page displays. Pay special attention to the information in the Important Notice which includes the following:

Cisco strong encryption images are subject to U.S. and local country export, import, and use laws. The country and class of end-user eligible to receive and use Cisco encryption solutions are limited. As a result of this limitation, Cisco requires all Cisco.com users to complete this form and accept the terms and conditions as set forth below in order to establish eligibility for software updates.

Cisco records and reports all downloads of strong encryption solutions to participating governments of the Wassenaar Arrangement.

Please visit the encryption web page for a control summary, or contact Cisco's Regulatory Affairs for further information.

Step 4 Provide the information required in the Encryption Software Export Distribution Authorization fields.

Step 5 Answer the nine questions that follow the authorization form to apply for eligibility to download strong encryption software images, then click Submit.

A second Encryption Software Export Distribution Authorization page displays. This page explains the Cisco Systems Inc. Encryption Software Usage Handling and Distribution Policy.

Step 6 Read the information about Cisco's Encryption Software Usage Handling and Distribution Policy, and if you agree to the terms, click I Accept.


Note After you provide the information required for the three preceding steps, you will not have to do it for subsequent downloads. If you have already signed Cisco's Encryption Software Export Distribution Authorization forms, only the final authorization page, described in the following, is displayed.


A third Encryption Software Export Distribution Authorization page displays. This page provides the Cisco Systems Inc. Encryption Software Export/Distribution Form and instructions about download, resell, transfer, export or re-export conditions for software images with strong encryption capabilities.

Step 7 Check whether the software image is for use by you or your organization, then click Submit.

The Software Download page displays with a link to the Cisco AR 3.5 software package you selected for download.

Step 8 Click the link for the selected software to proceed with the software download.

A File Download dialog box displays indicating the file you are about to download.

Step 9 Click Save and indicate where to save the file on your computer, such as /tmp, then click Save again.


Cisco AR 3.5 Licensing

Cisco AR 3.5 uses a licensing mechanism that enables you to activate different features in Cisco AR using a combination of different license keys. During system initialization, the Cisco AR server sets up the licensing data model and activates any features that are properly licensed.

Licensed Features

Table 10 lists the Cisco AR 3.5 names of the features that require licenses. As new licensed features are added to Cisco AR, new license files will also be required.

Table 10 Cisco AR 3.5 Licensed Features

Feature Name  Description
AR-STANDARD   Standard Cisco AR feature set
AR-HLR        HLR Proxy feature for EAP-SIM service
AR-PREPAID    Prepaid Billing feature for Prepaid service
AR-ADD-CACHE  Identity Caching feature
AR-CPU        Standard Cisco AR feature set for Cisco AR servers with multiprocessors


Getting Cisco AR 3.5 Feature Licenses

When you order the Cisco AR 3.5 product, a text license file will be sent to you by e-mail. If you are evaluating the software, Cisco will provide you with an evaluation license.

If you decide to upgrade your Cisco AR 3.5 software and add a feature, a new text license file will be sent to you by e-mail when you order the upgrade.

If you receive a Software License Claim Certificate, you can get your Cisco AR license file at one of the two following URLs:

www.cisco.com/go/license

Use this site if you are a registered user of Cisco Connection Online.

www.cisco.com/go/license/public

Use this site if you are not a registered user of Cisco Connection Online.

Within one hour of registration at either of the above web sites, you will receive your license key file and installation instructions by e-mail.

Installing Cisco AR 3.5 Licenses

You must have a license in a directory on the Cisco AR machine before you attempt to install Cisco AR 3.5 software. If you have not installed the Cisco AR license file before beginning the software installation, the installation process will fail.

You can store the Cisco AR license file in any directory on the Cisco AR machine. During the installation process, you will be asked the location of the license file, and the installation process will copy the license file to the /opt/CSCOar/license directory, or $INSTALL/license if you are not using the default installation location.

The license file might have the name ciscoar.lic, but it can be any filename with the suffix .lic. To install the Cisco AR license file, you can copy and paste the text into a file, or you can simply save the file you receive by e-mail to an accessible directory.

Upgrading Your Cisco AR 3.5 License File

If you add additional features that require licenses, you can open the file in /opt/CSCOar/license and add additional lines to the license file, or you can create an additional license file to hold the new lines. If you add a new file, remember to give it a .lic suffix.

If you upgrade your Cisco AR license for additional features, you must restart the Cisco AR server for the new license to take effect. To restart the Cisco AR server, enter the following on the server command line:

/opt/CSCOar/bin/arserver restart

Sample License File

The following is an example of a Cisco AR 3.5 license file.

INCREMENT AR-CPU cisco 3.5 permanent uncounted \
VENDOR_STRING=<count>7</count> HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID>1</LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456

INCREMENT AR-STANDARD cisco 3.5 permanent uncounted \
VENDOR_STRING=<count>5</count> HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID>2</LicLineID> \
<PAK>dummyPak</PAK>" SIGN=654321FEDCBA

INCREMENT AR-HLR cisco 3.5 permanent uncounted \
VENDOR_STRING=<count>5</count> HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID>3</LicLineID> \
<PAK>dummyPak</PAK>" SIGN=GHIJKL123456

INCREMENT AR-PREPAID cisco 3.5 permanent uncounted \
VENDOR_STRING=<count>5</count> HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID>4</LicLineID> \
<PAK>dummyPak</PAK>" SIGN=654321LMNOPQ
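Because the installation fails when no license file is in place, it helps to confirm what a license directory actually contains before running the installer. The following shell function is an added example, not part of the Cisco release notes or Cisco software: it reads every .lic file in a directory, joins the backslash-continued INCREMENT lines, and lists each feature with its version, expiry and <count> value, marking feature names that are not in Table 10. The function names, the temporary directory and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Cisco code. Feature names are those listed in Table 10.
KNOWN_FEATURES="AR-STANDARD AR-HLR AR-PREPAID AR-ADD-CACHE AR-CPU"

# list_license_features DIR
# Prints one line per INCREMENT record found in DIR/*.lic:
#   <file> <feature> <version> <expiry> <count> <known|unknown>
# Returns 1 when DIR holds no *.lic file or no INCREMENT record.
list_license_features() {
    llf_out=$(
        for llf_file in "$1"/*.lic; do
            [ -f "$llf_file" ] || continue
            awk -v file="${llf_file##*/}" -v known=" $KNOWN_FEATURES " '
                function emit(rec,    count, status) {
                    $0 = rec                      # re-split the joined record
                    if ($1 != "INCREMENT") return
                    if (NF < 6) { print file, "MALFORMED-RECORD"; return }
                    count = "-"
                    if (match(rec, /<count>[0-9]+<\/count>/))
                        count = substr(rec, RSTART + 7, RLENGTH - 15)
                    status = index(known, " " $2 " ") ? "known" : "unknown"
                    print file, $2, $4, $5, count, status
                }
                { sub(/\r$/, "") }                # tolerate CRLF line endings
                /\\[ \t]*$/ {                     # line continues on the next
                    sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next
                }
                { emit(buf $0); buf = "" }
                END { if (buf != "") emit(buf) }
            ' "$llf_file"
        done
    )
    [ -n "$llf_out" ] || return 1
    printf '%s\n' "$llf_out"
}

# Constructed sample in the layout of the sample license file above.
write_sample_license() {
    cat > "$1/ciscoar.lic" <<'EOF'
INCREMENT AR-CPU cisco 3.5 permanent uncounted \
VENDOR_STRING=<count>7</count> HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID>1</LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456

INCREMENT AR-STANDARD cisco 3.5 permanent uncounted \
VENDOR_STRING=<count>5</count> HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID>2</LicLineID> \
<PAK>dummyPak</PAK>" SIGN=654321FEDCBA
EOF
}

# Demo on the constructed sample; point the function at a real license
# directory (for example the one given to the installer) instead.
demo_dir=$(mktemp -d) && write_sample_license "$demo_dir" &&
    list_license_features "$demo_dir"
rm -rf "$demo_dir"
```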

Displaying License Information

Cisco AR 3.5 provides two ways of getting license information using aregcmd:

aregcmd command-line option

Launching aregcmd

aregcmd Command-Line Option

Cisco AR 3.5 provides a new -l command-line option to aregcmd. The syntax is:

aregcmd -l directory_name

where directory_name is the directory where the Cisco AR license file is stored. The following is an example of the aregcmd -l command:

aregcmd -l /opt/CSCOar/license

Licensed Application: Cisco Access Registrar (Standard Version)

Following are the licensed components:

          NAME         VERSION          EXPIRY_INFO
          ====         =======          ===========
          AR-Standard      3.5            permanent
          AR-CPU           3.5            permanent
          AR-HLR           3.5            permanent
          AR-Prepaid       3.5            permanent

Following components are present but unlicensed (disabled):

         NAME           VERSION         EXPIRY_INFO
         ====           =======         ===========
         AR-Cache           3.5                 N/A

Launching aregcmd

The Cisco AR 3.5 server displays license information when you launch aregcmd, as shown in the following:

aregcmd

Cisco Access Registrar 3.5.5 Configuration Utility
Copyright (C) 1995-2004 by Cisco Systems, Inc. All rights reserved.
Cluster:
User:
Password:
Logging in to localhost

[ //localhost ]
LicenseInfo = AR-Standard + AR-CPU + AR-HLR + AR-Prepaid
Radius/
Administrators/

Server 'Radius' is Running, its health is 10 out of 10

Installing Cisco AR 3.5 Software on Solaris

This section describes the software installation process when installing Cisco AR 3.5 software on a Solaris workstation for the first time.


Note This version of Cisco Access Registrar 3.5 can be used with Solaris 8, Solaris 9, or the Red Hat 7.3 Linux operating system using kernel version 2.4.20-24.7, glibc version 2.2.5-42.


This section includes the following subsections:

Deciding Where to Install

Installing Cisco AR Software from CD-ROM

Installing Downloaded Software

Common Installation Steps


Tips Before you begin to install the software, check your workstation's /etc/group file and make sure that group staff exists. The software installation will fail if group staff does not exist before you begin.


Deciding Where to Install

Before you begin the software installation, you should decide where you want to install the new software. The default installation directory for Cisco AR 3.5 software is /opt/CSCOar. You can use the default installation directory, or you can choose to install the Cisco AR software in a different directory.

Installing Cisco AR Software from CD-ROM

The following steps describe how to begin the software installation process when installing software from the Cisco AR 3.5 CD-ROM. If you are installing downloaded software, proceed to Installing Downloaded Software.


Note Before you begin the software installation, ensure that you have installed a license file as described in Installing Cisco AR 3.5 Licenses.



Step 1 Place the Cisco AR 3.5 software CD-ROM in the Cisco AR workstation CD-ROM drive.

Step 2 Log in to the Cisco AR workstation as a root user, and enter the following command line:

pkgadd -d /cdrom/cdrom0/kit/solaris-2.8 CSCOar


Note Cisco AR software for Solaris 9 is not available on CD-ROM.


Step 3 Proceed to Common Installation Steps.


Installing Downloaded Software

This section describes how to uncompress and extract downloaded Cisco AR 3.5 software and begin the software installation.


Note Before you begin the software installation, ensure that you have installed a license file as described in Installing Cisco AR 3.5 Licenses.



Step 1 Log in to the Cisco AR workstation as a root user.

Step 2 Change directory to the location where you have stored the uncompressed tarfile.

cd /tmp

Step 3 Use the following command line to uncompress the tarfile and extract the installation package files.

zcat CSCOar-3.5.5-sunos58-k9.tar.gz | tar xvf -


Note The instructions provided here are for the Solaris 8 package. There is no difference in download or installation procedures for Solaris 8 or Solaris 9 other than the package name.


Step 4 Enter the following command to begin the installation:

pkgadd -d /tmp CSCOar

where /tmp is the temporary directory where you stored and uncompressed the installation files.

Step 5 Proceed to Common Installation Steps.


Common Installation Steps

This section describes the installation process immediately after you have issued the pkgadd command installing from CD-ROM or from downloaded software.

Processing package instance <CSCOar> from </tmp>

Cisco Access Registrar 3.5.5 [SunOS-5.8, official]
(sparc) 3.5.5
Copyright (C) 1998-2004 by Cisco Systems, Inc.
This program contains proprietary and confidential information.  
All rights reserved except as may be permitted by prior written consent.

This package contains the Cisco Access Registrar Server and the
Cisco Access Registrar Configuration Utility.  You can choose to
perform a Full installation or just install the 
Configuration Utility.

What type of installation: Full, Config only [Full] [?,q]

Step 6 For a full install, press Enter.

Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q] 

Step 7 Press Enter to accept the default location of /opt/CSCOar, or enter a different directory to be used as the base installation directory.

Access Registrar requires FLEXlm license file to operate.  A list
of space delimited license files or directories can be supplied as
input; license files must have the extension ".lic".

Where are the FLEXlm license files located? [/opt/CSCOar/license] [?,q]

Step 8 Enter the directory where you have stored the Cisco AR 3.5 license file.

Access Registrar provides extensions that can be written in Java.
If you intend to write Java extensions, the Java Runtime
Environment (JRE) is required.

If you are not using Java, press Enter/Return to skip this step.

If you already have a JRE installed, please enter the directory
where it is installed.  If you do not, the JRE can be downloaded
from:

You may specify or modify the location of the JRE later by
entering the following command then restarting the AR server.

# ln -s <java-root> /opt/CSCOar/j2re1.4

Where is the JRE installed?  [?,q]

Step 9 If you plan to use Java, enter the directory location where the JRE is installed, otherwise press Enter.

If you are not using ORACLE, press Enter/Return to skip this step.
ORACLE installation directory is required for ODBC configuration.
ORACLE_HOME variable will be set in /etc/init.d/arserver script

Where is ORACLE installed? [] [?,q] 

Step 10 If you are using Oracle, enter the location where it is installed; otherwise press Enter.

If you want to learn about Access Registrar by following the
examples in the Installation and Configuration Guide, you need to
populate the database with the example configuration.

Do you want to install the example configuration now [n] [y,n,?,q]

You can add the example configuration at any time by
running the command:

    /opt/CSCOar/bin/aregcmd -f /opt/CSCOar/examples/cli/add-example-configuration.rc

Step 11 When prompted whether to install the example configuration now, reply Yes to continue.


Note You can delete the example configuration at any time by running the command /opt/CSCOar/usrbin/aregcmd -f /opt/CSCOar/examples/cli/delete-example-configuration.rc.


The selected base directory </opt/CSCOar> must exist before
installation is attempted.

Do you want this directory created now [y,n,?,q] y

Step 12 Enter Y to enable the installation process to create the /opt/CSCOar directory.

## Executing checkinstall script.
Using </opt/CSCOar> as the package base directory.
## Processing package information.
## Processing system information.
   8 package pathnames are already properly installed.
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

The following files are being installed with setuid and/or setgid
permissions:
/opt/CSCOar/.system/screen <setuid root>
/opt/CSCOar/bin/aregcmd <setgid staff>
/opt/CSCOar/bin/radclient <setgid staff>
/opt/CSCOar/bin/xmlclient <setgid staff>


This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to install these as setuid/setgid files [y,n,?,q] y

Step 13 Enter Y to install the setuid/setgid files.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <CSCOar> [y,n,?] 

Step 14 Enter Y to continue with the software installation.

No further interaction is required; the installation process should complete successfully and the arservagt is automatically started.

## Installing part 1 of 1.
/opt/CSCOar/.system/screen
/opt/CSCOar/README
/opt/CSCOar/bin/arbug
/opt/CSCOar/bin/nasmonitor
/opt/CSCOar/bin/share-access
/opt/CSCOar/bin/xtail
/opt/CSCOar/java/javadoc.tar.gz
/opt/CSCOar/lib/getopts.tcl
.
.
.
/opt/CSCOar/ucd-snmp/share/snmp/snmpconf-data/snmptrapd-data/traphandle
/opt/CSCOar/ucd-snmp/share/snmp/snmpd.conf
[ verifying class <snmp> ]
## Executing postinstall script.
# setting up product configuration file /opt/CSCOar/conf/car.conf
# linking /etc/init.d/arserver to /etc/rc.d files
# setting ORACLE_HOME variable in arserver
# removing old session information
# flushing old replication archive
# creating initial configuration database
Rollforward recovery using "/opt/CSCOar/data/db/vista.tjf" started Fri May 14 13:23:32 2004
Rollforward recovery using "/opt/CSCOar/data/db/vista.tjf" finished Fri May 14 13:23:32 2004

# installing example configuration
Starting Access Registrar Server Agent..completed.
The Radius server is now running.
If SNMP needs to be reconfigured please follow the following
procedure:
(1) stop AR: /opt/CSCOar/bin/arserver stop
(2) edit: /cisco-ar/ucd-snmp/share/snmp/snmpd.conf
(3) restart AR: /opt/CSCOar/bin/arserver start
# done with postinstall.

Installation of <CSCOar> was successful.
hostname root /tmp##
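The installer output above names four files that receive setuid or setgid permissions. As an added example (not Cisco code), the following shell function compares the set-id files actually present under the installation directory with that list, checking mode bits only and not ownership. The function names and the sample tree are assumptions made for illustration; reassign EXPECTED_SETID for a Linux installation, where the Linux installation note lists aregcmd and radclient as setgid programs.

```shell
#!/bin/sh
# Added example, not Cisco code: audit set-id files under the install root.

# Set-id files announced by the Solaris installer, relative to the base
# directory (/opt/CSCOar by default). Reassign this list for other platforms.
EXPECTED_SETID="setuid .system/screen
setgid bin/aregcmd
setgid bin/radclient
setgid bin/xmlclient"

# audit_setid ROOT
# Prints "UNEXPECTED <kind> <path>" for each set-id file under ROOT that is
# not in EXPECTED_SETID and "MISSING <kind> <path>" for each expected entry
# that lacks the bit. Returns 0 if nothing differs, 1 on differences,
# 2 if ROOT cannot be entered.
audit_setid() {
    as_actual=$(
        cd "$1" || exit 2
        find . -type f -perm -4000 -print | sed 's|^\./|setuid |'
        find . -type f -perm -2000 -print | sed 's|^\./|setgid |'
    ) || return 2

    as_report=""
    # Files on disk with a set-id bit that the installer never announced.
    while IFS= read -r as_line; do
        [ -n "$as_line" ] || continue
        printf '%s\n' "$EXPECTED_SETID" | grep -Fqx -- "$as_line" ||
            as_report="${as_report}UNEXPECTED $as_line
"
    done <<EOF
$as_actual
EOF
    # Announced files that are absent or have lost the bit.
    while IFS= read -r as_line; do
        printf '%s\n' "$as_actual" | grep -Fqx -- "$as_line" ||
            as_report="${as_report}MISSING $as_line
"
    done <<EOF
$EXPECTED_SETID
EOF

    [ -z "$as_report" ] && return 0
    printf '%s' "$as_report"
    return 1
}

# Constructed stand-in for an installation tree: empty files with the mode
# bits the installer reports, plus one ordinary program (bin/arbug).
build_sample_tree() {
    mkdir -p "$1/.system" "$1/bin" || return 1
    for bst_f in .system/screen bin/aregcmd bin/radclient bin/xmlclient bin/arbug; do
        : > "$1/$bst_f"
    done
    chmod 4755 "$1/.system/screen"
    chmod 2755 "$1/bin/aregcmd" "$1/bin/radclient" "$1/bin/xmlclient"
    chmod 0755 "$1/bin/arbug"
}

# Demo on the constructed tree; on a real server pass the base directory.
demo_root=$(mktemp -d) && build_sample_tree "$demo_root" &&
    audit_setid "$demo_root" && echo "set-id files match the installer's list"
rm -rf "$demo_root"
```

Running it after each upgrade and comparing the result with the previous run shows whether the set of privileged files has changed.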

RPC Bind Services

The Cisco AR server and the aregcmd CLI require RPC services to be running before the server is started. If the RPC services are stopped, you must restart RPC services, then restart the Cisco AR server. Use the following commands to restart RPC services:

/opt/CSCOar/bin/arserver stop

/etc/init.d/rpc start

/opt/CSCOar/bin/arserver start

If RPC services are not running, the following message is displayed when you attempt to start aregcmd:

Login to aregcmd fails with the message: 
400 Login failed 

Installing Cisco AR 3.5 Software on Linux

This section describes the software installation process when installing Cisco AR 3.5 software on a Linux workstation for the first time. This section includes the following subsections:

Deciding Where to Install

Before you begin the software installation, you should decide where you want to install the new software. The default installation directory for Cisco AR 3.5 software is /opt/CSCOar. You can use the default installation directory, or you can choose to install the Cisco AR software in a different directory.

Installing Downloaded Software

This section describes how to install the downloaded Cisco AR 3.5 software for Linux and begin the software installation.


Note The Cisco AR Linux installation automatically installs aregcmd and radclient as setgid programs in group adm.



Step 1 Log in to the Cisco AR workstation as a root user.

Step 2 Change directory to the location where you have stored the CSCOar-3.5.5-linux2420-install-k9.sh file.

cd /tmp

Step 3 Enter the name of the script file to begin the installation:

CSCOar-3.5.5-linux2420-install-k9.sh

CSCOar-3.5.5-linux2420-install-k9.sh
Name        : CSCOar                       Relocations: /opt/CSCOar 
Version     : 3.5.5                             Vendor: Cisco Systems, Inc.
Release     : 1089750252                    Build Date: Tue Jul 13 14:17:55 2004
Install date: (not installed)               Build Host: muggle.cisco.com
Summary     : Access Registrar, a carrier-class RADIUS server
build_tag: [Linux-2.4.20, official]

Copyright (C) 1998-2004 by Cisco Systems, Inc.
This program contains proprietary and confidential information.  
All rights reserved except as may be permitted by prior written consent.

    This package contains the Access Registrar Server and the Access
    Registrar Configuration Utility.  All the Client, Server, and
    Configuration utilities will be installed.

Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q] 

Step 4 Press Enter to accept the default location of /opt/CSCOar, or enter a different directory to be used as the base installation directory.

Access Registrar requires FLEXlm license file to operate.  A list
of space delimited license files or directories can be supplied as
input; license files must have the extension ".lic".

Where are the FLEXlm license files located? [/opt/CSCOar/license] [?,q] 

Step 5 Enter the directory where you have stored the Cisco AR 3.5 license file.

Access Registrar provides extensions that can be written in Java.
If you intend to write Java extensions, the Java Runtime Environment
(JRE) is required.

If you are not using Java, press Enter/Return to skip this step.

If you already have a JRE installed, please enter the directory
where it is installed.  If you do not, the JRE can be downloaded from:

http://java.sun.com/products/archive

    You may specify or modify the location of the JRE, later on, by
    entering the following command then restart the AR server.

    # ln -s <java-root> /opt/CSCOar/j2re1.4

Where is the JRE installed? [] [?,q] 

Step 6 If you plan to use Java, enter the directory location where the JRE is installed, otherwise press Enter.

(If you decide to use Java extensions after you have installed Cisco AR, you can specify the JRE location by entering the following at the Unix prompt:

ln -s <java-root> /cisco-ar/j2re1.4

After entering the link command, restart the Cisco AR server.)

If you are not using ORACLE, press Enter/Return to skip this step.
ORACLE installation directory is required for ODBC configuration.
ORACLE_HOME variable will be set in /etc/init.d/arserver script

Where is ORACLE installed? [] [?,q] 

Step 7 If you are using Oracle, enter the location where it is installed; otherwise press Enter.

If you want to learn about Access Registrar by following the examples
in the Installation and Configuration Guide, you need to populate
the database with the example configuration.

Do you want to install the example configuration now? [n]: [y,n,?,q] y

Step 8 When prompted whether to install the example configuration now, reply Yes to continue.


Note You can delete the example configuration at any time by running the command /opt/CSCOar/usrbin/aregcmd -f /opt/CSCOar/examples/cli/delete-example-configuration.rc.


unpack the rpm file done
Preparing...                ########################################### [100%]
   1:CSCOar                 ########################################### [100%]
# setting ORACLE_HOME variable in arserver
# creating initial configuration database
Rollforward recovery using "/opt/CSCOar/data/db/vista.tjf" started Wed Jul 14 15:17:28 2004
Rollforward recovery using "/opt/CSCOar/data/db/vista.tjf" finished Wed Jul 14 15:17:28 2004

# installing example configuration
Starting Access Registrar Server Agent..completed.
The Radius server is now running.
hostname root /tmp### 

Preparing to Use SNMP

If you plan to use the SNMP features of Cisco Access Registrar, complete the following steps:


Step 1 Become root user by entering su, then the root password.

Step 2 Enter the following commands to disable the Sun SNMP daemon and allow Cisco AR's SNMP daemon to function:

/etc/rc3.d/S76snmpdx stop

/etc/rc3.d/S77dmi stop

Step 3 Enter the following commands to prevent the Sun SNMP daemon from restarting after a reboot:

mkdir /etc/rc3.d/.disabled

mv /etc/rc3.d/S76snmpdx /etc/rc3.d/.disabled

mv /etc/rc3.d/S77dmi /etc/rc3.d/.disabled


Upgrading to Cisco AR 3.5 Software

This section describes the process of upgrading from your previously installed Cisco AR software while preserving your existing configuration database.


Note Configuration for Prepaid billing servers in Cisco AR 3.0 will no longer work in Cisco AR 3.5. If you have been using a Prepaid billing server in Cisco AR 3.0 and are upgrading your software to Cisco AR 3.5, you must remove the Prepaid billing server configuration before installing the Cisco AR 3.5 software.


Upgrade Overview

The following steps describe what you must do to perform the software upgrade process:


Step 1 Ensure that replication is disabled.

Refer to Disabling Replication.

Step 2 Remove the old software using the pkgrm command.

Refer to Using pkgrm to Remove Cisco AR Software.

Step 3 If you plan to use the Cisco AR SNMP features, disable the current Sun SNMP daemon and prevent the Sun SNMP daemon from restarting after a reboot.

Step 4 Install the new Cisco AR 3.5 license file by copying the license file to a directory such as /tmp on the Cisco AR 3.5 workstation.


Note Cisco AR 3.5 uses a different licensing mechanism than the license key used in earlier releases of Cisco AR. Before you upgrade your Cisco AR server to Cisco AR 3.5 software, you must install a license file. Refer to Cisco AR 3.5 Licensing for detailed information about Cisco AR 3.5 licensing. Installing Cisco AR 3.5 Licenses provides information about how to install the license file.


Step 5 Decide where to install the Cisco AR 3.5 software.

The default installation directory for Cisco AR 3.5 software is /opt/CSCOar. If you are upgrading from Cisco AR version 1.7 or earlier, the default installation directory was /opt/AICar1.

Step 6 Decide if you want to preserve your existing configuration database.

Preserving your existing configuration database is a compelling reason to upgrade rather than to start anew. The upgrade procedures in this chapter assume you want to preserve your existing configuration.

If you are upgrading from Cisco AR 1.7 or an earlier version, the default installation directory is /opt/AICar1. The default installation directory for Cisco AR 3.0 and above is /opt/CSCOar.

If your previous install directory was /opt/AICar1, you should use that directory to install Cisco AR 3.5. You might also rename the old directory, as in the following:

cd /opt

mv AICar1 CSCOar

Step 7 Copy the Cisco AR 3.5 license file to a directory on the Cisco AR workstation, such as /tmp.

Step 8 Use the pkgadd command to install the Cisco AR 3.5 software.


Disabling Replication

If you are using the Cisco AR replication feature, you must disable it before you begin the upgrade process or the upgrade will fail. When completed, refer to Restarting Replication for the correct way to restart replication.

To ensure that replication is disabled, complete the following steps:


Step 1 Launch aregcmd.

Step 2 Change directory to /radius/replication and examine the RepType property.

cd /radius/replication

[ //localhost/Radius/Replication ]
RepType = None
RepTransactionSyncInterval = 60000
RepTransactionArchiveLimit = 100
RepIPAddress = 0.0.0.0
RepPort = 1645
RepSecret = NotSet
RepIsMaster = FALSE
RepMasterIPAddress = 0.0.0.0
RepMasterPort = 1645
Rep Members/

Make sure that RepType is set to None.

Step 3 If you made changes, issue the save command, then exit the aregcmd command interface.


Using pkgrm to Remove Cisco AR Software

There are two different Cisco AR software packages, AICar1 and CSCOar. The AICar1 package was used for Cisco AR 1.7 and earlier versions. The CSCOar package has been used for Cisco AR 3.0 and later versions.

Removing the AICar1 Package

The following steps describe how to remove the AICar1 software package.


Step 1 Log in to the Cisco AR workstation as a root user, and enter the following command line:

pkgrm AICar1

The following package is currently installed:
   AICar1          Access Registrar 1.7R7 [SunOS-5.8, ns40, gcc-O, official]
                   (sparc) 1.7R7

Do you want to remove this package?

Step 2 Enter y or yes to continue removing the AICar1 package.

## Removing installed package instance <AICar1>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] 

Step 3 Enter y to continue removing the AICar1 package.

After you enter y, the AICar1 package should be removed without further interaction.

## Verifying package dependencies.
## Processing package information.
## Executing preremove script.
Waiting for these processes to die (this may take some time):
  AR MCD lock manager  (pid: 2971)
  AR MCD server        (pid: 2967)
  AR RADIUS server     (pid: 2973)
  AR Server Agent      (pid: 2965)
2967: terminated
2973: terminated
2971: terminated, wait status 0x000f
2965: terminated
Access Registrar Server Agent shutdown complete.
# removing /etc/rc.d files
# done with preremove.
## Removing pathnames in class <snmp>
/opt/AICar1/ucd-snmp/share/snmp/snmpd.conf
.
. <several hundred lines deleted>
.
/opt/AICar1/bin/screen
/opt/AICar1/bin
/opt/AICar1/README
## Removing pathnames in class <none>
## Updating system information.

Removal of <AICar1> was successful.
hostname root /scratch## 


Removing the CSCOar Package

The following steps describe how to remove the CSCOar software package.


Step 1 Log in to the Cisco AR workstation as a root user, and enter the following command line:

pkgrm CSCOar

The following package is currently installed:
   CSCOar          Cisco Access Registrar 3.0R7 [SunOS-5.8, official]
                   (sparc) 3.0R7

Do you want to remove this package?

Step 2 Enter y or yes to continue removing the CSCOar package.

## Removing installed package instance <CSCOar>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q]

Step 3 Enter y to continue removing the CSCOar package.

After you enter y, the CSCOar package should be removed without further interaction.

## Verifying package dependencies.
## Processing package information.
## Executing preremove script.
Waiting for these processes to die (this may take some time):
  AR Server Agent      (pid: 28352)
  AR MCD server        (pid: 28354)
  AR RADIUS server     (pid: 28372)
  AR MCD lock manager  (pid: 28355)
28354: terminated, wait status 0x0000
28372: terminated, wait status 0x0000
28355: terminated, wait status 0x000f
28352: terminated, wait status 0x0000
Access Registrar Server Agent shutdown complete.
# removing /etc/rc.d files
# done with preremove.
## Removing pathnames in class <snmp>
/opt/CSCOar/ucd-snmp/share/snmp/snmpd.conf
/opt/CSCOar/ucd-snmp/share/snmp/snmpconf-data/snmptrapd-data/traphandle
.
.
. <several hundred lines deleted>
.
.
/opt/CSCOar/README
/opt/CSCOar/.system/screen
/opt/CSCOar/.system
## Removing pathnames in class <none>
## Updating system information.

Removal of <CSCOar> was successful.
hostname root ~## 


Install the License File

Install the new Cisco AR 3.5 license file in a directory such as /tmp. During the installation process, you will be asked for the location of the license file. The license file must have a .lic suffix.

Installing Upgrade Software

If you are upgrading from Cisco AR version 1.7 or earlier, Cisco recommends that you rename the installation directory to the new default installation directory before proceeding, as described in Step 5 of Upgrade Overview.

After you have completed the preceding steps, you can install Cisco AR 3.5 software as described in Installing Cisco AR 3.5 Software on Solaris.

When the installation process asks where to install the Cisco AR 3.5 software, accept the default location if you have renamed the $INSTALL directory to /opt/CSCOar. Otherwise, enter the directory you have been using to store your configuration.

The installation process will detect the existing configuration and ask if you want to preserve the existing database. To properly upgrade your software and preserve your existing configuration, you must answer Yes to preserve your existing configuration. When you do so, you will be required to provide an administrator userID and password to proceed.

Restarting Replication

Before you enable replication, you must first upgrade all replication slave servers to the same version of Access Registrar software as the master server. Do not enable replication on the master server until all slave servers have been upgraded.

Use the same process you used to upgrade the master server to upgrade any slave servers. If you retained your configuration on the master, retain the configuration on the slaves, too.

After the same version of Cisco AR software has been installed on all slave servers, you can enable replication on the master server again. After enabling replication on the master server, you can enable replication on each of the slave servers.

Caveats

This section provides information about known anomalies in Cisco AR 3.5 and anomalies (from previous versions of Cisco AR) that have been fixed in Cisco AR 3.5.

Known Anomalies in Cisco AR 3.5.5

This section describes the known anomalies in Cisco AR 3.5.5.

Table 11 Known Anomalies in Cisco AR 3.5.5 

Bug
Description

CSCdw74227

Increasing the maximum number of file descriptors in /etc/system causes aregcmd to stop working

Symptoms: aregcmd cannot login to the server, even on a fresh install.

Conditions: The user has raised the maximum number of file descriptors in /etc/system to increase the maximum number of open file handles.

Workaround: Remove the maximum number of file descriptors lines and reboot the Cisco AR server.

CSCeb05384

Memory leak in third-party libraries while reloading

Symptoms: Memory leaks found in TCL and nramia while analyzing with Purify.

Conditions: While reloading Cisco AR software.

Workaround: Restart the Cisco AR processes.

CSCec53453

Parse errors appear in Replication messages

Symptoms: The message parse failed <unknown user> appears in the log.

Conditions: This might occur with replication configured.

Workaround: Ignore these messages; the server should recover without intervention.

CSCec56101

After lock manager killed, all servers die

Symptoms: After the lock manager is killed, all other servers die.

Conditions: This might occur if the lock manager is manually killed on busy multi-processor machines.

Workaround: None

CSCed61132

Down server, reload after deletion times out and no deletion occurs

Symptoms: After a session using dynamic DNS ends, the reverse zone mappings are never deleted from the zone.

Conditions: This might occur if the DNS server is unreachable when the session ends, and the Radius server is reloaded or restarted before the DNS server is available again.

Workaround: Manually delete the names from the zone.

CSCee43342

CPU utilization of armcdsrver is much higher in Cisco AR 3.5

Symptoms: The armcdsrvr process uses approximately twice as much CPU as it did in Cisco AR 3.0.

Conditions: This will only be noticeable if there are frequent command shell logins, for example as part of a test script.

Workaround: None. This process does not use a large amount of CPU under normal operating conditions.

CSCef63044

The Cisco AR server crashes if the wrong feature line is given in a separate license file

Symptom: The Cisco AR server crashes when an invalid prepaid feature line with a wrong value is specified in a separate license file.

Condition: This occurs when an invalid prepaid feature line with a wrong value is specified in a separate license file.

Workaround: Specify valid feature lines in all license files.

CSCeg18369

Cisco AR version 1.7 REX Library Issue

Symptom: Cisco AR REX Library Issue

Condition: The algorithm used does not always run as expected, but rare failures do occur.

Workaround: None

CSCeh61488

Request-Type not set in remote server OutgoingScript

Symptoms: Request-Type environment variable always empty.

Conditions: A script on a remote server's OutgoingScript is attempting to read the Request-Type environment variable.

Workaround: If possible, try to use the server's IncomingScript. Otherwise, there is no workaround.

CSCeh61503

Request-Type, Response-Type same for remote server IncomingScript

Symptoms: Request-Type and Response-Type environment variables always have the same result.

Conditions: A script on a remote server's IncomingScript is attempting to read the Request-Type environment variable.

Workaround: If possible, try to use the server's OutgoingScript. Otherwise, there is no workaround.

CSCei11177

xtail is missing from the Linux version of Cisco AR 3.5.

Symptom: You cannot find the xtail utility.

Condition: This occurs when using the Linux version of Cisco AR 3.5.

Workaround: Use other utilities such as tail, or download and compile your own version of xtail.

CSCei28338

Query-Mapping of Session-cache resource manager requires XML mapping validation

Symptom: XML QueryMapping validation error is not displayed for wrong format.

Condition: A session-cache resource manager's QueryMappings are configured to map XML attributes to attributes other than the QueryKey Radius attribute with RADIUS attributes on the left hand side and XML attributes on the right hand side.

Workaround: Use proper configuration.


Anomalies Fixed in Cisco AR 3.5.5

This section describes the anomalies from previous releases of Cisco AR that have been fixed in Cisco AR 3.5.5.

Table 12 Anomalies Fixed in Cisco AR 3.5.5 

Bug
Description

CSCai02102

Session backing store can become corrupted if the disk partition becomes full

Symptoms: aregcmd fails while logging in or aregcmd fails while saving with an error message similar to "500 Internal Error / Checking to see if we needed to synchronize with external changes to database failed" or after a reload, Cisco AR's knowledge of user sessions is missing information that was present before the reload.

Conditions: The disk partition upon which Cisco AR is installed is full.

Workaround: Make more space available on the partition. You might need to restart Cisco AR.

CSCdw23443

Cisco AR stats do not count packets dropped by outage policies

Symptoms: Some dropped packets are not counted by AR stats. This is apparent when looking at the stats from aregcmd or SNMP.

Conditions: This occurs when packets are dropped as a result of an outage policy.

Workaround: None.

CSCdy51365

Java services not hot-configured properly

Symptoms: Java services do not work until the server is reloaded.

Conditions: A Java service is added and saved, and the server is not reloaded.

Workaround: Reload the server on adding a Java service.

CSCdy71586

Class file not located if classpath set after java script configuration

Symptoms: The class file referenced by a Java extension script is not recognized if it is in a location other than the default classpath if the classpath is set to the class file location after the script is configured.

Conditions: The classpath for Java extensions parameter is set after the Java extension script is configured.

Workaround: Set the classpath for Java extensions before configuring the script or restart the server.

CSCdz21344

Concurrency control problem with user attributes

Symptoms: Attributes in a user's attributes or check-items directory are deleted in two different aregcmd sessions. Only one of the two attributes shows up as deleted in subsequent aregcmd sessions.

Conditions: This only occurs when these attributes are deleted in two different aregcmd sessions.

Workaround: Remove the attribute which was not deleted a second time.

CSCdz57329

LDAP server loses some parameters after concurrent check-item save operation

Symptom: After a configuration save, some of the LDAP server configuration parameters are lost.

Condition: This might occur when LDAP to Check Item mappings are saved in two concurrent aregcmd sessions.

Workaround: Do not edit LDAP to Check Item mappings in concurrent aregcmd sessions.

CSCdz57354

User mappings parameters remain after concurrent aregcmd delete commands

Symptom: After editing user attributes, changes are lost.

Condition: This might occur when user attributes are changed in two concurrent aregcmd sessions.

Workaround: Do not edit user attributes in simultaneous aregcmd sessions.

CSCdz57386

Only one user is present after concurrent save operations.

Symptom: A created user is no longer visible.

Condition: This might occur when a new userlist is created, and only one new user is added to that list in two simultaneous aregcmd sessions.

Workaround: Do not add new users to empty userlists in concurrent aregcmd sessions.

CSCea18102

Incorrect output when setting case sensitive flag

Symptoms: The output message is incorrect:

set ""

Conditions: The flag /Radius/Advanced/ARisCaseInSensitive has been set.

Workaround: None.

CSCeb80164

Retrace-Packet prints erroneous trace information

Symptoms: The trace shows two response packets to a single request. The first response trace shows an invalid length, as shown in this example:

07/30/2003 20:52:32: P712: Tcl: environ put Retrace-Packet TRUE -> OK
07/30/2003 20:52:32: P712: Using Client: localhost (127.0.0.1)
7/30/2003 20:52:32: P712: Using NAS: localhost (127.0.0.1)
07/30/2003 20:52:32: P712: Request is directly from a NAS: TRUE
07/30/2003 20:52:32: P712: Trace of Access-Request packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 70
07/30/2003 20:52:32: P712: reqauth =
aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
07/30/2003 20:52:32: P712: User-Name = user1@domain1.com

07/30/2003 20:52:32: P712: User-Password =
aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
07/30/2003 20:52:32: P712: NAS-Port = 1
07/30/2003 20:52:32: P712: NAS-Identifier = localhost
07/30/2003 20:52:32: P712: Authenticating and Authorizing with Service aalocal
07/30/2003 20:52:32: P712: Getting User user1@domain1.com's UserRecord from UserList local
07/30/2003 20:52:32: P712: User user1@domain1.com's password matches
07/30/2003 20:52:32: P712: Merging BaseProfile 1 into response dictionary
07/30/2003 20:52:32: P712: Merging attributes into the Response Dictionary:
07/30/2003 20:52:32: P712: Adding attribute Cisco-AVPair, value = ip:addr-pool=public
07/30/2003 20:52:32: P712: No default Remote Session Service defined.
07/30/2003 20:52:32: P712: Trace of Access-Accept packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 70 <====== INCORRECT
07/30/2003 20:52:32: P712: reqauth =
53:a3:5b:73:3d:58:3b:2c:f2:3c:59:7d:c9:dc:78:0d
07/30/2003 20:52:32: P712: Cisco-AVPair = ip:addr-pool=public
07/30/2003 20:52:32: P712: Trace of Access-Accept packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 47
07/30/2003 20:52:32: P712: reqauth =
02:7d:9c:1f:d9:c5:be:9a:0b:7d:6d:70:96:6a:21:16
07/30/2003 20:52:32: P712: Cisco-AVPair = ip:addr-pool=public
07/30/2003 20:52:32: P712: Sending response to 127.0.0.1

Conditions: The Retrace-Packet AR environment variable has been set to TRUE and the trace level has been set to four or above.

Workaround: None

CSCec22061

OutagePolicy of AcceptAll leads to strange responses

Symptoms: An Access-Accept for an HTTP Digest message does not contain an MS-MPPE-Recv key attribute or a Session-Timeout.

Conditions: This might occur if the authentication or authorization service is down and the outage policy is set to AcceptAll.

Workaround: Set the outage policy to RejectAll.

CSCed03397

USR VSAs have incorrect format

Symptoms: 3Com PDSN complains about the USR VSAs being returned to it from AR

Conditions: Cisco AR is configured to use USR VSAs. Cisco AR uses the normal VSA format of:

type, length, vendor, vendor type, length, data

instead of the USR format:

type, length, vendor, vendor type, data 

Workaround: Use an extension point script to configure the USR VSAs.
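The two layouts named in CSCed03397, as an added Python example (not Cisco's code and not from these release notes). It assumes the RFC 2865 field widths for the normal format (1-byte vendor type, 1-byte inner length) and a 4-byte vendor type for the USR format, which the page does not state; the vendor type 0x66 and its value are constructed sample input.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute type (RFC 2865)
USR_VENDOR_ID = 429    # IANA enterprise number for U.S. Robotics
HEADER_LEN = 6         # type (1) + length (1) + vendor ID (4)


def _wrap(vendor_id: int, body: bytes) -> bytes:
    """Prefix a vendor body with type, length and vendor ID."""
    total = HEADER_LEN + len(body)
    if total > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS limit")
    return struct.pack("!BBI", VENDOR_SPECIFIC, total, vendor_id) + body


def encode_standard_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Normal format: type, length, vendor, vendor type, length, data."""
    if not 0 <= vendor_type <= 0xFF:
        raise ValueError("the normal format carries a 1-byte vendor type")
    return _wrap(vendor_id, struct.pack("!BB", vendor_type, 2 + len(data)) + data)


def encode_usr_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """USR format: type, length, vendor, vendor type, data."""
    # Assumption: the USR vendor type is 4 bytes wide with no inner length.
    return _wrap(vendor_id, struct.pack("!I", vendor_type) + data)


def _split_header(attr: bytes):
    """Validate the outer header and return (vendor_id, body)."""
    if len(attr) < HEADER_LEN:
        raise ValueError("truncated attribute")
    attr_type, length, vendor_id = struct.unpack("!BBI", attr[:HEADER_LEN])
    if attr_type != VENDOR_SPECIFIC or length != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    return vendor_id, attr[HEADER_LEN:]


def decode_usr_vsa(attr: bytes):
    """Parse the way a USR-format receiver would: (vendor_id, vendor_type, data)."""
    vendor_id, body = _split_header(attr)
    if len(body) < 4:
        raise ValueError("body too short for a 4-byte vendor type")
    (vendor_type,) = struct.unpack("!I", body[:4])
    return vendor_id, vendor_type, body[4:]


def decode_standard_vsa(attr: bytes):
    """Parse one normal-format sub-attribute: (vendor_id, vendor_type, data)."""
    vendor_id, body = _split_header(attr)
    if len(body) < 2 or body[1] != len(body):
        raise ValueError("inner length does not match the attribute body")
    return vendor_id, body[0], body[2:]


def has_inner_length(attr: bytes) -> bool:
    """Heuristic for captures: True when the body starts with a vendor type
    followed by a length byte that covers the whole body (single sub-attribute)."""
    _, body = _split_header(attr)
    return len(body) >= 2 and body[1] == len(body)


# Constructed sample: hypothetical vendor type 0x66 carrying the integer 1.
SAMPLE_TYPE = 0x66
SAMPLE_DATA = struct.pack("!I", 1)

if __name__ == "__main__":
    normal = encode_standard_vsa(USR_VENDOR_ID, SAMPLE_TYPE, SAMPLE_DATA)
    usr = encode_usr_vsa(USR_VENDOR_ID, SAMPLE_TYPE, SAMPLE_DATA)
    # A USR-format receiver misreads the normal layout: the inner length byte
    # is swallowed into the vendor type and the data is shifted.
    print("normal:", normal.hex(), "->", decode_usr_vsa(normal))
    print("usr:   ", usr.hex(), "->", decode_usr_vsa(usr))
    print("inner length present:", has_inner_length(normal), has_inner_length(usr))
```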

CSCed12389

Attribute Text-Ascend-Data-Filter found in configurations upgraded to 3.5.1

Symptoms: The attribute Text-Ascend-Data-Filter is present in configurations upgraded to AR 3.5 from previous versions.

Conditions: This might occur after an upgrade to Cisco AR 3.5 from a previous version of Cisco AR.

Workaround: None.

CSCed26188

Incorrect error message when null attribute set under AttributesToBeCached

Symptoms: The error message displayed when a null attribute is set under AttributesToBeCached is incorrect.

Conditions: A null attribute name is set under AttributesToBeCached.

Workaround: None.

CSCed28632

Able to change Radius server name

Symptoms: The save command succeeds when the name of the Radius server is modified.

Conditions: The name of the Radius server is modified.

Workaround: None.

CSCed55165

Set port type to default value on port addition

Symptom: Port type is set to null when a new port is added.

Condition: This might occur when a new port is added.

Workaround: None.

CSCed65041

The stats command always indicates no messages sent to prepaid server

Symptoms: The stats command output always indicates that no messages have been sent to a prepaid server.

Conditions: This will occur when a prepaid server is configured.

Workaround: Ignore the output of the stats command for prepaid servers.

CSCed77005

Response-Type not read at ServiceOutgoing scripting point

Symptoms: Cisco AR ignores the Response-Type environment variable at the service outgoing scripting point.

Conditions: An LDAP service was in use for authentication and authorization. An outgoing script on this service checked if the request was rejected. If it was, the script changed the Response-Type to Access-Accept.

Workaround: If the same script is placed at the server outgoing scripting point, the script successfully accepts the user.

CSCed82478

Minor memory leak with ODBC failure connect attempts with myodbc

Symptoms: Radius process memory size increases.

Conditions: An invalid myodbc datasource is configured in a remote ODBC server and ReactivateTimeInterval is set to a very low value.

Workaround: None.

CSCed82514

Remote server statistics are displayed for POD-enabled clients

Symptoms: The stats command displays remote server statistics for POD-enabled clients.

Conditions: POD-enabled clients exist in the configuration.

Workaround: None.

CSCed88582

Some trace messages need to be updated

Symptoms: Some trace messages that are displayed during creation and sending of disconnect-requests are inaccurate.

Conditions: Disconnect-requests are created and sent to clients.

Workaround: None.

CSCee36083

EAP-nak iterates all services in the middle of authentication exchange

Symptoms: All services in the service list of an EAP-Negotiate service are iterated through again if an EAP-Nak is received in the middle of an authentication exchange.

Conditions: An EAP-Nak is received when authentication using a specific EAP protocol has already commenced.

Workaround: None.

CSCee40054

Unable to combine the -C switch of aregcmd with other switches

Symptoms: When the -C switch of aregcmd is combined with other switches, aregcmd prompts for the cluster.

Conditions: The -C switch of aregcmd is combined with other switches.

Workaround: Use the -C switch separately from other switches.

CSCee70452

aregcmd asks to save when no changes have been made

Symptoms: aregcmd asks to save when no changes have been made.

Conditions: After login, the user looked at a client object, but did not change anything. On exit, aregcmd asks if the user wishes to save changes.

Workaround: None

CSCee88854

The unset 0 command causes decrement of entry index in indexed lists

Symptom: The unset 0 command causes the entry indices in indexed lists to be decremented by one, and aregcmd segmentation faults on subsequent commands with valid indices.

Condition: The unset command is used with index 0.

Workaround: Use the unset command with valid indices only.

CSCee92924

No license or invalid license should show correct error message in command-line interface (CLI)

Symptom: Invalid Default Authentication service error message displayed and Cisco AR stopped after a server reload.

Condition: Invalid or empty license file is available at /opt/CSCOar/license directory.

Workaround: Copy the valid license file to the license directory.

CSCee93258

Cannot change value of enumerated attributes

Symptom: After changing the value of an enumerated attribute, it is not possible to save the configuration.

Condition: This might occur when the value of an enumerated attribute is changed.

Workaround: Use the unset command to delete the enumeration, then add it again.

CSCef06185

The aregcmd gives a segmentation fault during validation in cache session

Symptoms: Setting the QueryKey to the wrong case in a session-cache identity resource manager will produce a segmentation fault during a save.

Conditions: aregcmd segmentation fault while saving the configuration.

Workaround: None

CSCef07321

Query-sessions with-Age with only units succeeds

Symptom: The query-sessions command succeeds when only units are specified with the with-Age option.

Condition: The query-sessions command is invoked with only units specified with the with-Age option.

Workaround: None.

CSCef07329

No disconnect-NAK sent if proxied POD times out

Symptom: Cisco AR does not send a disconnect-NAK to the remote server if the disconnect-request forwarded to a client from the remote server times out.

Condition: A disconnect-request forwarded to a client from a remote server times out.

Workaround: None.

CSCef10229

XML request with format modifier in wrong case should be discarded

Symptoms: The XML request document is processed when the format modifier in the <Address> tag is capitalized as "Format."

Conditions: This occurs when the modifier attributes are in wrong case, and the XML request document is not discarded.

Workaround: None

CSCef15010

Stale session not removed for accounting start

Symptoms: When querying for an identity, Cisco AR responds with the previous user on NAS IP and Port.

Condition: The previous user's accounting stop was lost or was not sent so the session manager did not remove the session for the same NAS-IP and Port. The next user logs in, but the system does not clean up the stale session nor does it replace the old data with the new data.

Workaround: None

CSCef20109

Session management performance degradation

Symptom: Performance peaks at about 500 requests per second.

Condition: Session management is in use.

Workaround: None.

CSCef34635

Problems with BADTIME log message

Symptom: A message appears in the log that a DNS update has been rejected due to BADTIME. This message states that the DNS and DHCP server times are identical.

Condition: This might occur when updates are rejected due to time skews between the DNS and Radius systems. Note that the times are given in GMT format.

Workaround: Ignore the message which indicates that the times match. Use tracing to view the DNS Update message itself. The message will indicate the time skew between the two machines.

CSCef53005

Request with authorize only requested if no authentication service

Symptom: A packet with a Service-Type of Authorize Only is rejected.

Condition: This might occur if no Authentication Service is specified.

Workaround: Set a default Authentication Service (it will be ignored).

CSCef54940

The Linux version of Cisco AR starts in port 1812, but all port defaults show port as 1645

Symptoms: aregcmd assumes default port values of 1645 and 1646

Condition: When services configuration specifies a radius port value, Cisco AR server takes it as default and listens there. But aregcmd will still show 1645 and 1646 as the default ports.

Workaround: None

CSCef61137

aregcmd synchronization error message

Symptom: In a second aregcmd session, the following message appears during a save:

Synchronizing with external changes to database... done.
500 Internal Error
Synchronizing with external changes to database failed

Condition: Two aregcmd sessions are editing the same object.

Workaround: Enter save again, and the error message will not appear.

CSCef81989

Hot-configuration of session-cache resource manager broken

Symptoms: Implicit authentication requests fail or the server becomes unstable after making a modification to a server with a Trusted ID service.

Conditions: A trace of the Trusted ID feature indicates that the query key cannot be found in the request packet, but the trace clearly shows that the key is there. Also, when the Trusted ID objects were added, no reload was given. The server will become unstable if any object is touched when a Trusted ID service is configured. The server can core after a hot configure of any server object.

Workaround: Reload the server after adding the Trusted ID configuration or changing any configuration when a Trusted ID service is configured.

CSCef83845

CHAP request without CHAP-Challenge attribute is not cached properly

Symptoms: Trusted ID implicit authentication requests are failing when using CHAP.

Conditions: The identity was cached using a CHAP request that did not contain the CHAP-Challenge attribute. The implicit authentication request might or might not contain the CHAP-Challenge attribute.

Workaround: Always send the CHAP-Challenge attribute in the explicit authentication request or only use PAP.

CSCef86758

The aregcmd save and reload commands generate a crash with myodbc

Symptoms: Cisco AR server restarted by itself, when save and reload commands are issued consecutively after adding a MYODBC remoteserver.

Condition: Occurs after adding a MYODBC remote server and executing save and reload commands consecutively.

Workaround: None

CSCef86899

In Linux, Java vendor outgoing script occasionally causes crash

Symptom: Server cores on Linux when a Java extension script is executed at the Vendor outgoing script point.

Conditions: This problem only occurs on the Linux version of Cisco AR when the java_extnpoints script is run immediately after the java_methods script. Scripts set at all scripting points other than the Vendor outgoing scripting point work fine.

Workaround: If possible, use another extension script point or another scripting language.

CSCef90638

Cisco AR log files need to check log size at startup and roll if needed

Symptoms: The aregcmd log does not roll when it gets to the configured rolling size.

Conditions: The aregcmd log grows to a size that is larger than the LogFileSize property, but it does not roll.

Workaround: An aregcmd session must have 25 commands after reaching the roll size before the log will roll.

CSCef96916

When Algorithm is other than md5, md5sess, or http-digest, Cisco AR server accepts the user

Symptoms: The user is accepted when an http-digest request is sent with an Algorithm value other than MD5/MD5-sess.

Condition: Sending an http-digest request with unknown Algorithm value.

Workaround: None
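The fail-closed behaviour that the CSCef96916 fix implies, as an added Python example (not Cisco's code and not RADIUS attribute handling). It assumes RFC 2617 digest parameters arrive as a plain dict, and the function names are hypothetical; the sample values are the RFC 2617 worked example.

```python
import hashlib
import hmac


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def _ha1_md5(p: dict, password: str) -> str:
    return _md5_hex(f"{p['username']}:{p['realm']}:{password}")


def _ha1_md5_sess(p: dict, password: str) -> str:
    return _md5_hex(f"{_ha1_md5(p, password)}:{p['nonce']}:{p['cnonce']}")


# Allowlist: the only Algorithm values this verifier will evaluate.
HA1_BY_ALGORITHM = {"md5": _ha1_md5, "md5-sess": _ha1_md5_sess}


def expected_response(p: dict, password: str, method: str):
    """Return the expected response hex string, or None when the request
    cannot be evaluated (unknown Algorithm, unsupported qop, missing field)."""
    # RFC 2617: an absent algorithm directive means MD5.
    algorithm = str(p.get("algorithm", "MD5")).lower()
    ha1_fn = HA1_BY_ALGORITHM.get(algorithm)
    if ha1_fn is None:
        return None  # unknown Algorithm is never treated as "nothing to check"
    try:
        ha1 = ha1_fn(p, password)
        ha2 = _md5_hex(f"{method}:{p['uri']}")
        qop = p.get("qop")
        if qop is None:
            return _md5_hex(f"{ha1}:{p['nonce']}:{ha2}")
        if qop == "auth":
            return _md5_hex(
                f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}"
            )
    except KeyError:
        return None  # a required directive is missing
    return None  # qop values other than "auth" are not supported here


def verify_digest(p: dict, password: str, method: str) -> bool:
    """Accept only when a response was computed and it matches; every other
    path, including an unrecognized Algorithm, rejects."""
    expected = expected_response(p, password, method)
    if expected is None:
        return False
    supplied = str(p.get("response", "")).lower()
    return hmac.compare_digest(expected.encode(), supplied.encode())


# Sample request taken from the RFC 2617 worked example (password "Circle Of Life").
RFC_SAMPLE = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "uri": "/dir/index.html",
    "qop": "auth",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    print("MD5 (default):", verify_digest(RFC_SAMPLE, "Circle Of Life", "GET"))
    unknown = dict(RFC_SAMPLE, algorithm="SHA-999")  # constructed unknown value
    print("unknown Algorithm:", verify_digest(unknown, "Circle Of Life", "GET"))
```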

CSCef97167

Changing MySQL server name does not reflect after Cisco AR server reload

Symptoms: For some requests, Cisco AR server uses the previously configured MySQL server name.

Condition: Modifying the MySQL server name in ODBCDataSources and doing a reload.

Workaround: Perform a complete restart of the Cisco AR server.

CSCeg19502

Reverse zone name synthesis should use Framed-IP-Netmask

Symptoms: Dynamic DNS (DDNS) remove requests appear to be ignored by the DNS server after a session manager with multiple DDNS resource managers completes releasing resources.

Conditions: The server is set up with multiple DDNS resource managers each containing the same forward zone, but a different reverse zone to handle multiple, discrete IP pools in the network. When the accounting stop appears for a user, the forward zone still contains the mapping.

Workaround: Split the DDNS resource managers such that you have one DDNS resource manager per session manager. Multiple session managers and a script to set the Session-Manager environment variable to use the correct pool are required.

CSCeg27967

Cannot set Response-Type to Accept in TCL script

Symptom: A TCL script which sets the response type to Access-Accept ceases to work.

Condition: This might occur after an upgrade to Cisco AR 3.0R3 or later.

Workaround: Define a Rex service which sets the response type to Access-Accept. This might be combined with another authentication service in a group service if necessary.

CSCeg30580

Unable to proxy session keys

Symptoms: Proxy is occasionally unable to re-encrypt session keys.

Conditions: Cisco AR is configured to proxy the MPPE attributes used as session keys in many EAP types.

Workaround: None

CSCeg36153

The number of entries in radiusAccServerTable is less than the actual number of existing entries

Symptoms: With SNMP, the number of radiusAccServerTable entries are less than actual.

Condition: Enabling SNMP and querying for radiusAccServerTable entries of RADIUS-ACC-CLIENT-MIB.

Workaround: None

CSCeg40898

The stats command fails when issued on Solaris aregcmd to Linux configuration

Symptoms: The stats command in aregcmd fails to execute.

Condition: When logged in to a Linux machine's configuration from an aregcmd session running on a Solaris machine (using the -C option of aregcmd).

Workaround: Run aregcmd from a Linux machine

CSCeg43945

Cisco AR authenticates the user although the username ends with slash character (/).

Symptom: A username that ends with the slash character authenticates successfully.

Condition: A user who attempts to authenticate with a username ending with a slash still authenticates successfully.

Workaround: None

CSCeg63826

is835c_ebs_return_quota and is835c_ebs_reauthorize_quota not working

Symptom: These two API library calls do not occur.

Condition: This will occur if you have IS 835C billing configured.

Workaround: None.

CSCeg73910

DDNS update missed in SIP hand-off with Reverse zone server

Symptom: DNS will not contain an entry for the mobile node.

Condition: When the reverse zone is configured and SIP hand-off takes place.

Workaround: None.

CSCeg88981

Implicit login flag change does not have immediate effect

Symptoms: In the Trusted ID data flow, a user who has been cached by a previous explicit login will pass the next implicit login request after changing Implicit-Auth-Enabled to FALSE.

Conditions: The Trusted ID flow is in use and the user's Implicit-Auth-Enabled has been changed from TRUE to FALSE. If the user is in the cache from previously passing explicit login, the first implicit login request following the flag change will pass, but every one after will fail.

Workaround: After changing the flag, manually remove the user from the cache using the release-sessions command in aregcmd.

CSCeg90796

AuthenticationTimeout property not validated for EAP-Negotiate

Symptom: The AuthenticationTimeout property of EAP-Negotiate services is not validated.

Condition: An erroneous value is set for AuthenticationTimeout property of an EAP-Negotiate service.

Workaround: Set only valid values for the AuthenticationTimeout property. Only numeric values between 10 and 600 are valid.

CSCeh04214

TLS session not destroyed for invalid IMSI for EAP-SIM with PEAP

Symptom: The TLS session does not seem to be destroyed when an invalid IMSI is specified for PEAP authentication using the EAP-SIM inner method.

Condition: An invalid IMSI is specified in the authentication request.

Workaround: Specify only valid IMSIs in authentication requests.

CSCeh49841

If not found in DNS, Cisco AR server does not start

Symptom: The Cisco AR server fails to start.

Condition: This might occur if a host name, rather than an IP address, is specified for a LDAP server and the DNS server indicates that the name is not found. It might also occur if the DNS server is down or unreachable.

Workaround: Make sure the host name is included in the DNS database and that the DNS server is up and reachable.

CSCeh50039

Packets that are not acknowledged are not logged

Symptom: The log does not indicate that accounting packets have been dropped.

Condition: This might occur if ACKAccounting is set to FALSE in the Radius remote server.

Workaround: Monitor the dropped packets statistic for this remote server closely.

CSCeh50083

totalRequestsOutstanding decremented after packet dropped

Symptom: The totalRequestsOutstanding counter is inaccurate.

Condition: This might occur if ACKAccounting is set to FALSE on a Radius accounting server, and the server is down.

Workaround: None.

CSCeh51007

Session created when key is NULL

Symptom: Sessions are created with no key.

Conditions: A script is used to set the Session-Key environment variable, but it sometimes sets the key to NULL rather than a unique value. The query-sessions output would contain a session that looks like this:

S1 Key: , NAS: localhost, NAS-Port: 1, User-Name: bob, Time: 00:00:13, USL: 1

Note the lack of a value after the Key field. This problem can create havoc with caching setups if a script sets the NULL key and multiple sessions match or a session that should match is not found.

This condition is usually caused by a script problem and an error case the script does not handle correctly.

Workaround: Modifying the script is the only way to stop setting NULL keys.

CSCeh52128

Invalid pointer values in rexusr.cpp after uninitialization

Symptom: Server crashes on incoming requests after a config change that triggers a hot configure.

Condition: rexusr.cpp is configured as the USRIncomingScript.

Workaround: Apply the fix given in the description (see line marked with "<<<<< ADD TO FIX") to rexusr.cpp.

CSCeh56736

Confusing log message: 8692 of 8192 packets in use

Symptom: A message similar to the following appears in the log file (note that the number of used buffers is larger than the number of buffers configured in the buffer pool):

<timestamp> name/radius/1 Error Server 0 Radius has used 8692 of its 8192 request buffers: the server is dropping 1 request; 1 packets dropped total.

Conditions: The server is running under heavy load when it generates packet usage statistics. There is no problem with the actual packet handling or buffer management code.

Workaround: No action required; ignore this message.

CSCeh56788

NULL packet pointer was passed to update stats function

Symptom: Under some high load conditions, the server crashes. The core file points to a crash in RemoteRadiusServer::updateStats().

Conditions: The server has run out of RADIUS packet buffers at the same time that a request to a remote server has timed out. The first condition normally generates a log message like this:

Error Server 0 Radius has used 8192 of its 8192 request buffers: the server is dropping 1 request; 1 packets dropped total.

Workaround: Reduce the load on the server or increase the size of the RADIUS packet buffer pool by setting /Radius/Advanced/MaximumNumberOfRadiusPackets to a larger value.

CSCeh79810

Cisco AR rejects packets if DefaultAuthorizationService is not set

Symptom: Access-Requests are rejected if the DefaultAuthorizationService is not set and Authorization-Service environment variable is not set to a valid service name before the Authentication processing starts.

Conditions: Neither the DefaultAuthorizationService nor Authorization-Service environment variable is set to a valid service name before authentication.

Workaround: Set DefaultAuthorizationService to a service name other than the value set for DefaultAuthenticationService if authentication and authorization need to be done by different services. Otherwise, set the same service name for both DefaultAuthenticationService and DefaultAuthorizationService.

CSCei10781

Cisco AR server reloads when sending request with bad digest attribute

Symptom: The Radius process reloads itself.

Condition: This occurs when an http-digest request is sent with a digest-attribute whose length field is shorter than the value, such as "02:01:73:f2:92:45:b0", where the length is 01.

Workaround: None.

CSCei13326

With http-digest, algorithm MD5-Sess is rejected

Symptom: Cisco AR rejects the request.

Condition: This occurs when the Digest-attribute algorithm is set to MD5-Sess and the http-digest request is sent.

Workaround: None.

CSCin09020

Incorrect log message in agent_server_log file when Cisco AR starts up

Symptoms: When Cisco AR is restarted, the message "could not get state serial number" appears in the log. This message does not indicate any problem and should not be a cause for concern.

Conditions: This message occurs in the log when Cisco AR is restarted.

Workaround: None.

CSCin53226

On heavy load odbc.ini file becomes empty

Symptoms: The log reports that the ODBC datasource cannot be found.

Conditions: This has only been observed with an extremely high number of ODBC data source connections and heavy load.

Workaround: Replace the contents of the /opt/CSCOar/odbc/etc/odbc.ini file.

CSCin57842

LEAP challenge not sent when setting Response-Type to accept

Symptoms: The user is accepted without an EAP challenge being sent.

Conditions: This occurs after setting the Response-Type to accept using a rex or Java script.

Workaround: None.

CSCin64207

Upgrade fails when setting ARIsCaseInSensitive to false

Symptoms: Upgrade fails with the following error message:

307 Object not found/Path ambiguous

Conditions: The /Radius/Advanced/ARIsCaseInSensitive flag is set to false in Cisco AR.

Workaround: Before upgrading, set /Radius/Advanced/ARIsCaseInSensitive to True. After the upgrade, revert /Radius/Advanced/ARIsCaseInSensitive to false.
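
For CSCei10781 above, a strict type-length-value parser shows the length checks that reject a malformed sub-attribute before any of its value is read. This is an added example, not Cisco AR code: the two-octet type/length header with a length that counts the header, the function names, and every sample other than "02:01:73:f2:92:45:b0" are assumptions or constructed.

```python
"""Strict parser for type-length-value sub-attributes (added example)."""

# Assumption: each sub-attribute is one type octet, one length octet, then the
# value, and the length octet counts the two header octets as well as the value.
HEADER_LEN = 2


class MalformedAttribute(ValueError):
    """Raised when a sub-attribute's length field cannot be honored."""


def from_colon_hex(text):
    """Convert 'aa:bb:cc' notation, as used in the release note, to bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def parse_sub_attributes(payload, min_value_len=1):
    """Return [(type, value), ...] or raise MalformedAttribute.

    Every length is checked against both bounds before slicing:
      - lower bound: it must cover the header plus at least min_value_len octets
      - upper bound: it must not run past the end of the payload
    """
    attrs = []
    offset = 0
    while offset < len(payload):
        remaining = len(payload) - offset
        if remaining < HEADER_LEN:
            raise MalformedAttribute(
                f"offset {offset}: truncated header, {remaining} octet(s) left")
        sub_type = payload[offset]
        length = payload[offset + 1]
        if length < HEADER_LEN + min_value_len:
            raise MalformedAttribute(
                f"offset {offset}: type {sub_type} declares length {length}, "
                f"minimum is {HEADER_LEN + min_value_len}")
        if length > remaining:
            raise MalformedAttribute(
                f"offset {offset}: type {sub_type} declares length {length}, "
                f"only {remaining} octet(s) remain")
        attrs.append((sub_type, payload[offset + HEADER_LEN:offset + length]))
        offset += length
    return attrs


def check_request(payload):
    """Return ("accept", attrs) or ("reject", reason) without raising."""
    try:
        return "accept", parse_sub_attributes(payload)
    except MalformedAttribute as exc:
        return "reject", str(exc)


# The first sample is the value quoted in CSCei10781; the rest are constructed.
SAMPLES = {
    "release-note value, length 01": "02:01:73:f2:92:45:b0",
    "constructed, correct length 07": "02:07:73:f2:92:45:b0",
    "constructed, length overruns payload": "02:09:73:f2:92:45:b0",
    "constructed, two sub-attributes": "01:05:61:62:63:02:03:7a",
    "constructed, trailing stray octet": "01:03:61:02",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        verdict, detail = check_request(from_colon_hex(text))
        print(f"{label:40} {verdict:7} {detail}")
```
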


Anomalies Fixed in Cisco AR 3.5.4

This section describes the anomalies fixed in Cisco AR 3.5.4.

Table 13 Anomalies Fixed in Cisco AR 3.5.4 

Bug
Description

CSCef62837

Symptoms: The NAS does not receive an acknowledgment if the remote server has not responded after the maximum number of retries.

Condition: This occurs when handling the case where acknowledge is TRUE.

Workaround: None

CSCeg19502

Symptoms: DDNS remove requests appear to be ignored by the DNS server after a session manager with multiple DDNS resource managers completes releasing resources.

Conditions: The server is set up with multiple DDNS resource managers each containing the same forward zone, but a different reverse zone, to handle multiple, discrete IP pools in the network. When the accounting stop appears for a user, the forward zone still contains the mapping.

Workaround: Split the DDNS resource managers such that you have one DDNS resource manager per session manager. Multiple session managers and a script to set the Session-Manager environment variable to use the correct pool are required.

CSCeg30580

Symptoms: Proxy server is occasionally unable to re-encrypt session keys received from a RADIUS peer.

Conditions: Cisco AR is set up to proxy the MPPE attributes used as session keys in many EAP types.

Workaround: None


Anomalies Fixed in Cisco AR 3.5.3

This section describes the anomalies fixed in Cisco AR 3.5.3.

Table 14 Anomalies Fixed in Cisco AR 3.5.3 

Bug
Description

CSCdy09195

The aregcmd_log file does not show NULL values

Symptoms: The aregcmd_log file does not show all values that were set.

Conditions: When setting a property to NULL (set property ""), the aregcmd_log file does not change "" into NULL.

Workaround: None

CSCdy59596

Log rollover code needs to override umask and set permissions

Symptom: The administrator cannot log in to aregcmd or read the aregcmd_log file.

Conditions: The server has rolled the aregcmd_log file, but the permissions do not allow group read or write.

Workaround: When starting Cisco AR, be sure the umask is at least 112 before running arserver.

CSCdz71935

Insufficient trace message when password incorrect

Symptoms: Local user is rejected but trace does not explain.

Conditions: The user's AllowNullPassword property is set to TRUE and the user's password is incorrect in the access request.

Workaround: Check the log file for explanation.

Log: Request from HA2 (10.8.15.45): User bob rejected (UserPasswordInvalid)

CSCed60493

The maximum setting from Event-Timestamp is incorrect

Symptoms: Cisco AR states that Event-Timestamp value is out of range even though it is 2^32-1, the legal range specified in the RFC.

Conditions: Unable to set the full range of values allowed by Event-Timestamp in aregcmd, radclient, or via extension point scripting.

Workaround: Edit the maximum setting for Event-Timestamp in the Cisco AR attribute dictionary to the legal maximum:

set "/Radius/Advanced/Attribute Dictionary/Event-Timestamp/Max" 4294967295

save

reload

CSCed61121

Pressing <TAB> in interactive set lists directory files

Symptoms: Files in the current directory are listed when the TAB key is pressed during interactive set.

Conditions: The TAB key is pressed during interactive set.

Workaround: None.

CSCef09585

Replication fails in Linux when replicating huge transaction

Symptoms: Replication fails with error message "Parse Failed."

Condition: Occurs when doing a huge configuration change in Replication master.

Workaround: None

CSCef20156

Adding client with ARIsCaseInsensitive FALSE causes segmentation faults in aregcmd

Symptom: aregcmd segmentation faults when adding a new client.

Conditions: The server is set up for case sensitive objects (ARIsCaseInsensitive = FALSE) in /Radius/Advanced. In aregcmd, an attempt to add a new client using a single or multiple commands results in a segmentation fault.

Workaround: Temporarily set ARIsCaseInsensitive to TRUE, add the client, then set ARIsCaseInsensitive back to FALSE. This will turn off case sensitivity after saving the first change. If there is a need to add a client that would match another client name in a case insensitive match, there is no workaround.

CSCef20423

Access-Request without User-Name attribute causes Cisco AR to drop RADIUS packets

Symptoms: Some Access-Request packets are dropped by Cisco AR as retransmissions. The output of the aregcmd stats command shows that the difference between 'totalAccessRequests' and 'totalAccessResponses' is increasing rapidly, while 'totalPacketsInUse' is higher over time.

The trace log shows more error messages:

Dropping packet: packet is a retransmission of one we are currently working on in 
name_radius_1_log: 
No User-Name attribute in packet <unknown user>

Conditions: This problem affects only LDAP service types.

Workaround: Reload aregcmd or restart Server Agent.

CSCef24217

arstatus does not cleanup pattern file

Symptoms: The /tmp directory has many files with names starting with arstatus. followed by an integer.

Conditions: Someone runs the arstatus command to check Cisco AR processes.

Workaround: Use the rm command to remove the temporary data files manually; these files are not needed for normal server operation.

CSCed35083

Need bypass for accounting broadcast

Symptoms: Accounting-On and Accounting-Off requests are broadcast to every remote server (sometimes more than once).

Conditions: Remote server objects have been defined and accounting broadcast packets are received.

Workaround: None required if local session management is used.

CSCef37397

Generalized Linux rpm -e will erase the database

Symptoms: The directory where the configuration database is stored, $BASEDIR/data, is deleted.

Conditions: The rpm -e command is used to uninstall Cisco AR.

Workaround: Copy the contents of the $BASEDIR/data directory to a safe location before running the rpm -e command.

CSCef41407

Empty column filled with leftover from previous query

Symptoms: Data returned from an ODBC query contains information from a previous query.

Conditions: ODBC is used to store users and their authorization parameters.

Workaround: None

CSCef53002

Core in AAARexService::callFunction with change to rex service

Symptom: The server cores after a change is saved.

Condition: This might occur when a rex service is modified or deleted.

Workaround: Do not make these changes at peak traffic times.

CSCef56220

Java extension points are not functional

Symptom: Radius fails to start after configuring a java extension point script or service.

Condition: A java extension point script or service is configured.

Workaround: None.

CSCef56498

Linux install does not use custom java path

Symptom: The install script does not take the custom-specified path of the java-location into consideration. After install, Cisco AR does not come up. If the link is changed manually, Cisco AR still stays down.

Conditions: Linux version of Cisco AR 3.5.2.

Workaround: None

CSCef60666

Error codes for EAP-SIM are not accurate on Linux

Symptom: Error codes received from the ITP map gateway are not accurately reported by Cisco AR.

Condition: An Access-Reject with the relevant error code is received from the ITP map gateway.

Workaround: None.

CSCef63397

Core in _default_terminate using example Java Accounting Service

Symptom: Intermittent cores occur when a Java AccountingService is used.

Condition: This might occur when the example Java AccountingService is used as an accounting service.

Workaround: None

CSCef75797

Cannot change administrator password in Replication slave

Symptom: The Cisco AR Replication slave administrator password cannot be changed in the CLI.

Condition: Replication slave configuration.

Workaround: Disable the replication in slave and save the configuration. Open another aregcmd session to change the administrator password, then enable the replication.

CSCef82016

Running arservagt start command with running processes outputs error

Symptoms: arservagt outputs a "not found" error.

Conditions: arservagt is run with the start parameter and processes are already running.

Workaround: It is safe to ignore the error, but you must run the arservagt stop command before starting the server.


Anomalies Fixed in Cisco AR 3.5.2

This section describes the anomalies in Cisco AR 3.5.1 that have been fixed in Cisco AR 3.5.2.

Table 15 Anomalies Fixed in Cisco AR 3.5.2 

Bug
Description

CSCdy50196

Cisco AR server cores when Java service does not handle stops and starts

Symptoms: Server fails to start when Java service does not handle service starts and stops.

Conditions: You configure then reload a Java service that does not handle service starts and stops.

Workaround: Handle service starts and stops in all Java services.

CSCdy84713

Replication of /Radius/Script object logs error message in Slave

Symptom: Replication of /Radius/Script object logs error message in slave name_radius_log when it is replicated.

Conditions: Configure single master-slave replication, add a script object under /Radius/script to master host.

Workaround: None

CSCea06535

Service outgoing script fails to run when the service type is Authenticate Only

Symptoms: Service outgoing script fails to run.

Conditions: The request contains the attribute, Service-Type = Authenticate-Only.

Workaround: None

CSCea43192

Enum values not validated properly

Symptoms: Enum values outside the specified range are not validated properly.

Conditions: An enum value outside the specified range is set.

Workaround: Restrict enums to be within the specified range.

CSCea87237

Check-items checked even if a password is incorrect

Symptoms: A user is rejected due to invalid check-items.

Conditions: The user's password is incorrect, therefore check-items are irrelevant.

Workaround: None.

CSCeb04281

IPX networks displayed in decimal

Symptoms: IPX network numbers are occasionally displayed in decimal format.

Conditions: After a save, IPX network numbers are displayed in decimal format.

Workaround: None.

CSCeb04316

Command completion not working for resource manager directories

Symptoms: Command completion does not work for resource manager subdirectories.

Conditions: When in a resource manager subdirectory, pressing the tab key will not complete subdirectory names.

Workaround: In most cases, hitting the return key rather than the tab key will perform the desired action.

CSCeb19831

Cannot reload with enum out of range

Symptoms: The server will not restart or it is not possible to use radclient, and the error messages indicate that an enumeration is outside of specified Minimum and Maximum range.

Conditions: An attribute of type ENUM has been defined, and one of the enumerated values is not in the range between the minimum and maximum values.

Workaround: Modify the maximum value for the attribute so that all enumerations are included in the allowed range.

CSCeb37136

totalPacketsinUse goes negative after reset

Symptom: The value for totalPacketsInUse might be briefly negative.

Conditions: After the reset command is used, the value for totalPacketsInUse might be briefly negative.

Workaround: Ignore this value immediately after a reset command is issued.

CSCeb40158

Confusing error message for sendto

Symptoms: Log messages about the results of sendto include inconsistent numbers.

Conditions: This occurs in conditions of high stress.

Workaround: Ignore the numeric values in these messages.

CSCeb54417

The aregcmd_log file has different output than what was done in Resource Manager.

Symptom: The aregcmd_log shows a different command than what was issued after changing the IP range of a resource manager.

Conditions: A resource manager that manages an IP range (such as ip-dynamic) was changed such that an existing pool had the start or end address moved.

Workaround: None, however using an explicit set <start IP>-<end IP> will show the correct command. Changing directory into the IP range to use the set end <IP> or set start <IP> commands.

CSCeb55990

A modified user name is not replicated

Symptom: A user's name is modified on the master replication server. The change is not propagated to the slave server.

Condition: This might occur when user names are modified on the master server.

Workaround: Rather than changing the name of a user, delete the existing user and add it again with the new name.

CSCec04235

Server crashes with heavy ODBC reconnect and AA traffic

Symptoms: Server crashes with an error in name_radius_1_log about an assert in aheap.cpp.

Conditions: The server is processing at least 250 TPS and is constantly trying to reconnect to the ODBC server.

Workaround: Increase the ODBC timeout value.

CSCec21944

Cisco AR HTTP digest and Cisco SPS are incompatible

Symptom: Cisco AR and Cisco SIP Provisioning Server will not interoperate.

Condition: This might occur if the algorithm is md5-sess or if the QOP in use is set to none.

Workaround: None.

CSCed26186

Attributes can be configured multiple times under AttributesToBeCached

Symptom: Validate succeeds when an attribute is configured twice under AttributesToBeCached.

Condition: The same attribute is configured twice under AttributesToBeCached.

Workaround: None.

CSCed26190

Messages inconsistent between set and add

Symptoms: The messages displayed when the add or set commands are used to add an attribute under AttributesToBeCached are different.

Conditions: Attributes are added under AttributesToBeCached with the add or set commands.

Workaround: None.

CSCed26192

The Tab completion for cd /Radius/Advanced/Ports/<TAB> does not work

Symptoms: Command completion does not happen for configured ports.

Conditions: The TAB key is pressed from the Ports directory under /Radius/Advanced.

Workaround: None.

CSCed27517

Units not validated for age in query-sessions and release-sessions commands

Symptoms: The units specified for the age in query-sessions and release-sessions commands are not validated.

Conditions: Invalid units are specified for age in query-sessions and release-sessions commands.

Workaround: None.

CSCed38854

Path not changed when port is modified

Symptoms: Port path is not modified when the port number is changed from inside the port directory.

Conditions: The port number is changed from inside the port directory.

Workaround: None.

CSCed40197

Realm names not included in zone name

Symptoms: If ExecRealmRule is in use, it is not possible to include the realm in the DNS name created by a dynamic-dns resource manager.

Conditions: This might occur if the ExecRealmRule script and dynamic DNS are used concurrently.

Workaround: None.

CSCed43368

IP address and numbers not parsed in query-sessions with-Attribute

Symptom: IP addresses and numbers are not parsed when specified with the with-Attribute option of query-sessions command.

Condition: IP addresses and numbers are specified with the with-Attribute option of query-sessions command.

Workaround: None.

CSCed43910

Can put too many labels in reverse zone name

Symptoms: The creation of a remote zone with too many labels occurs.

Conditions: This might occur if the user attempts to create a reverse zone like 5.5.55.5.5.in-addr.arpa.

Workaround: Do not create reverse zones with too many labels.

CSCed72608

Some client mib counters are not updated

Symptoms: Some client mib counters are not updated when relevant packets are received.

Conditions: Packets relevant to the concerned client mib counters are received.

Workaround: None.

CSCed83142

Scripts not hot configuring

Symptoms: After making script updates, whether to the code or the Cisco AR server configuration, Cisco AR requires a reload to activate the changes.

Conditions: A change to script code, or Cisco AR script objects has been made, followed by a save.

Workaround: None

CSCed83165

Unsetting DefaultSessionManager two times leads to a replication failure

Symptom: A member replication log indicates that a transaction was not committed.

Condition: This might occur when values such as the DefaultSessionManager are unset multiple times.

Workaround: Perform a full database synchronization.

CSCed85497

When TrimHostName is changed from False to True, names not deleted

Symptoms: Names are not removed from the zone.

Conditions: This might occur when TrimHostName is changed from True to False, and the Radius server has previously added trimmed names to the DNS zone.

Workaround: Manually remove these names using the tools provided by the DNS server.

CSCed91870

If RoundRobin, OutagePolicy of AcceptAll not used

Symptoms: Accounting-Responses are not sent when the accounting server is down, even though the outage policy of the accounting service is AcceptAll.

Conditions: This might occur when the MultipleServersPolicy is set to RoundRobin.

Workaround: None.

CSCee31083

Two unset commands of DefaultSessionManager leads to a replication failure

Symptom: A member replication log indicates that a transaction was not committed.

Condition: This might occur when values such as the DefaultSessionManager are unset multiple times.

Workaround: Perform a full database synchronization.

CSCee40052

EAP-Nak with type-data zero receives Access-Challenge from server

Symptoms: An EAP-Nak response with type-data zero receives an Access-Challenge from the server.

Conditions: An EAP-Nak response with the value zero (0) as type-data is received by the server.

Workaround: None.

CSCee50428

MultipleServersPolicy not validated for ODBC accounting

Symptoms: Configuration passes validation but will not start.

Conditions: This might occur when the MultipleServersPolicy of an ODBC service is set to something other than RoundRobin or Failover. Validation will not detect this misconfiguration.

Workaround: Set the MultipleServersPolicy to either RoundRobin or Failover for ODBC services.

CSCee59794

Cisco AR rejects user with internal error when database package is recompiled

Symptoms: Cisco AR rejects the Access-Request with InternalError.

Condition: This occurs when PL/SQL packages in the database are recompiled while Cisco AR is running.

Workaround: Reload Cisco AR.

CSCee62006

License check can have false positive result for default path

Symptoms: The server might not start correctly, especially after a successful upgrade. Also, multi-processor servers have a license warning.

Conditions: The directory $BASEDIR/license was manually created and then given to the pkgadd prompt.

Workaround: Obtain a valid license file and copy it to the $BASEDIR/license directory. If the upgrade process failed, remove the package, copy the original database files from $BASEDIR/temp to $BASEDIR/data/db, and then reinstall the package, specifying the directory containing your license file.

CSCee68102

No session teardown when CDMA-Reason-Termination-Indicator = 6

Symptoms: A user session on an IS-835-C network is incorrectly removed during an inter-PDSN handoff.

Conditions: Session management with PoD is enabled in AR and an inter-PDSN hand-off occurs. If the accounting stop from the old PDSN gets to AR before the accounting start from the new PDSN, the session will be incorrectly removed.

Workaround: Create a script that checks for the CDMA-Reason-Termination-Indicator attribute set to 6. If so, set the CDMA-Session-Continue-Indicator to 1 to keep the session active.

CSCee74431

Unloading Java extensions while processing requests leads to an exception

Symptoms: Core file produced when shutting down with traffic.

Conditions: Java extensions are being used while the server is shutting down and traffic is still flowing into the server.

Workaround: None, but server will recover on its own.

CSCee74437

Radius server cores when GSM triplets time out

Symptom: The Radius server asserts and produces a core during EAP-SIM testing.

Condition: The GSM triplet cache entry expires but is subsequently searched for.

Workaround: None.

CSCee83559

RemotePODRadiusServer should borrow Clients scripts

Symptoms: PoD requests do not use the IncomingScript, OutgoingScript, or Vendor parameters of the client object.

Conditions: When the parameter is set in the client object and a PoD request is sent to that client, the server does not use those parameters (evident by a lack of AV pair mapping or translation).

Workaround: None

CSCee83561

NAS-Port should not be sent in a disconnect packet if not configured

Symptoms: A PoD request always contains the and NAS-Port attribute in a request.

Conditions: PoD is set up, but the attribute is not listed in the attributes to be sent within the PoD configuration. According to the RFC, the NAS-Port is an optional attribute and might be used for session identification, but the client might be intolerant of extra attribute-value (AV) pairs.

Workaround: None

CSCee88859

Upgrade to server only installs fails as aregcmd is not present

Symptom: Upgrade to server-only installs fails.

Condition: Cisco AR is upgraded to a later version and the Server only type of installation is selected.

Workaround: None.

CSCee90330

Base directory given during install should not be suffixed with CSCOar

Symptom: Install happens in the directory specified by the administrator suffixed by CSCOar.

Condition: Administrator tries to install the Linux kit.

Workaround: None.

CSCee91780

Custom java Services will not start

Symptoms: A custom service using Java does not start.

Conditions: The server has been configured to use a script as one of the AAA services and the script language is Java. After saving, the restart fails and the server never recovers.

Workaround: None

CSCef03772

Sending a RADIUS packet that is too big causes Cisco AR server to core.

Symptoms: Cisco AR cores after sending a response packet.

Conditions: The RADIUS response packet is larger than 4KB.

Workaround: Decrease the response packet size to fit in the RADIUS packet (mandated to 4KB by the RFC).

CSCin29894

Replication fails after changing the user name

Symptoms: User name change is not replicated to slave.

Conditions: Changing just the user name and issuing a save in the Replication master.

Workaround: None

CSCin75381

Radius cores on reload if certificate files for PEAP service are not found

Symptoms: Radius cores when PEAP service is created with non-existent file names for file properties.

Conditions: Non-existent file names are specified for file properties in PEAP service.

Workaround: None.


Anomalies Fixed in Cisco AR 3.5.1

This section describes the anomalies that existed in previous versions of Cisco AR that have been fixed in Cisco AR 3.5.1.

Table 16 Anomalies Fixed in Cisco AR 3.5.1 

Bug
Description

CSCec21944

AR HTTP digest and Cisco SPS are incompatible

Symptoms: Cisco AR and Cisco SIP Provisioning Server will not inter-operate.

Conditions: This might occur if the algorithm is md5-sess or if the QOP in use is none.

Workaround: None.

CSCec72065

Skewed time results in brief corrupt session time

Symptoms: The session time displayed in the response to query-sessions command is 1193046:28:15.

Conditions: This might occur when aregcmd is run on a remote system, the time on the remote system is behind the time on the system running the server, and the session time is less than the difference between the session times. Note that time refers to Universal Time and that differences in time zones should not cause this problem to occur.

Workaround: Ignore session times of 1193046:28:15. Assume that these session times are less than the difference between the system time on the system running aregcmd and the system time running the RADIUS server. Use a time synchronization server to minimize these discrepancies.

CSCed83003

Cannot commit change with modifications to session managers or resource managers

Symptoms: A change is not replicated to a member, and the member log indicates "Could not commit transaction".

Conditions: This might occur when deletions and additions of resource managers and session managers are included in a single save operation.

Workaround: Perform full resynchronization as described in the User Guide. More frequent aregcmd save operations might also be beneficial.

CSCed84906

Cisco AR accounting RollOverSchedule has problem on February 29th (Leap Year).

Symptoms: Accounting logs do not roll over at preconfigured time when using the rollover schedule feature.

Conditions: The administrator has configured the server to rollover accounting files using the schedule rather than a max age or size. Also, this is seen only on the Leap Day (February 29).

Workaround: None

CSCin43901

Accounting file rollover not happening at daylight savings time (DST)

Symptoms: Accounting file rollover will not happen at DST but it will happen one hour before or after the DST change.

Conditions: The configured rollover schedule is the same as DST and the system time reaches the configured rollover schedule.

Workaround: None


Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/techsupport

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD

Cisco documentation and additional literature are available in the Product Documentation DVD package, which may have shipped with your product. The Product Documentation DVD is updated regularly and may be more current than printed documentation.

The Product Documentation DVD is a comprehensive library of technical product documentation on portable media. The DVD enables you to access multiple versions of hardware and software installation, configuration, and command guides for Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available.

The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.

Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/

Cisco Marketplace:

http://www.cisco.com/go/marketplace/

Ordering Documentation

Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL:

http://www.cisco.com/go/marketplace/

Cisco will continue to support documentation orders using the Ordering tool:

Registered Cisco.com users (Cisco direct customers) can order documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/

Instructions for ordering documentation using the Ordering tool are at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).

Documentation Feedback

You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.

You can send comments about Cisco documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you can perform these tasks:

Report security vulnerabilities in Cisco products.

Obtain assistance with security incidents that involve Cisco products.

Register to receive security information from Cisco.

A current list of security advisories and notices for Cisco products is available at this URL:

http://www.cisco.com/go/psirt

If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:

Emergencies — security-alert@cisco.com

An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.

Nonemergencies — psirt@cisco.com

In an emergency, you can also reach PSIRT by telephone:

1 877 228-7302

1 408 525-6532


Tip: We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.htm

The link on this page has the current PGP key ID in use.


Obtaining Technical Assistance

Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.

Cisco Technical Support & Documentation Website

The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do


Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.


Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

or view the digital edition at this URL:

http://ciscoiq.texterity.com/ciscoiq/sample/

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:

http://www.cisco.com/en/US/products/index.html

Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:

http://www.cisco.com/discuss/networking

World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html