-
User Guide for Cisco Access Registrar 5.0
-
Preface
-
Chapter 1 Overview
-
Chapter 2 Using the aregcmd Commands
-
Chapter 3 Using the Graphical User Interface
-
Chapter 4 Cisco Access Registrar Server Objects
-
Chapter 5 Using the radclient Command
-
Chapter 6 Configuring Local Authentication and Authorization
-
Chapter 7 RADIUS Accounting
-
Chapter 8 Diameter
-
Chapter 9 Extensible Authentication Protocols
-
Chapter 10 Using WiMAX in Cisco Access Registrar
-
Chapter 11 Using Extension Points
-
Chapter 12 Using Replication
-
Chapter 13 Using On-Demand Address Pools
-
Chapter 14 Using Identity Caching
-
Chapter 15 Using Trusted ID Authorization with SESM
-
Chapter 16 Using Prepaid Billing
-
Chapter 17 Using Cisco Access Registrar Server Features
-
Chapter 18 Directing RADIUS Requests
-
Chapter 19 Wireless Support
-
Chapter 20 Using LDAP
-
Chapter 21 Using Open Database Connectivity
-
Chapter 22 Using SNMP
-
Chapter 23 Enforcement of TPS License
-
Chapter 24 Backing Up the Database
-
Chapter 25 Using the REX Accounting Script
-
Chapter 26 Logging Syslog Messages
-
Chapter 27 Troubleshooting Cisco Access Registrar
-
Appendix A: Cisco Access Registrar Tcl, REX and Java Dictionaries
-
Appendix B: Environment Dictionary
-
Appendix C: RADIUS Attributes
-
Glossary
-
Index
-
Feedback
Table Of Contents
Using the Graphical User Interface
Setting Record Limits per Page
Editing Replication Member Details
Adding Radius Dictionary Details
Editing Radius Dictionary Details
Adding Vendor Dictionary Details
Editing Vendor Dictionary Details
Adding Translation Group Details
Editing Translation Group Details
Adding Session Manager Details
Editing Session Manager Details
Adding Resource Manager Details
Editing Resource Manager Details
Using the Graphical User Interface
Revised: December 07, 2009, OL-20091-01
Cisco Access Registrar (CAR) is a Remote Authentication Dial-In User Service (RADIUS) server that enables multiple dial-in Network Access Server (NAS) devices to share a common authentication, authorization, and accounting database.
This chapter describes how to use the standalone graphical user interface (GUI) of CAR to:
•
Configure Cisco Access Registrar
•
•
The following topics help you to work with and understand the CAR GUI:
Launching the GUI
CAR requires you to use Microsoft Internet Explorer 6.0 SP1 (Windows 2000 & Windows XP). You start the GUI by pointing your browser to the CAR server and port 8080, as in the following:
http://ar_server_name:8080
To start a secure socket layer (SSL) connection, use https to connect to the CAR server and port 8443, as in the following:
https://ar_servr_name:8443
By default, both HTTP and HTTPS are enabled. The following sections describe how to disable HTTP and HTTPS:
Note
Disabling HTTP
To disable HTTP access, you must edit the server.xml file in the /cisco-ar/apache-tomcat-5.5.27/conf directory. You must have root privileges to edit this file.
Use a text editor such as vi to open the server.xml file, and comment out lines 96-99. Use the <!-- character sequence to begin a comment. Use the --> character sequence to end a comment.
The following are lines 93-99 of the server.xml file:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --><!-- CHANGE MADE: Note: to disable HTTP, comment out this Connector --><Connector port="8080" maxHttpHeaderSize="8192"maxThreads="150 minSpare/Threads="25" maxSpareThreads="75"enableLookups="false" redirectPort="8443" acceptCount="100"connectionTimeout="20000" disableUploadTimeout="true" />The following example shows these lines with beginning and ending comment sequences to disable HTTP:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --><!-- CHANGE MADE: Note: to disable HTTP, comment out this Connector --><!--<Connector className="org.apache.catalina.connector.http.HttpConnector"port="8080" minProcessors="5" maxProcessors="75"enableLookups="true" redirectPort="8443"acceptCount="10" debug="0" connectionTimeout="60000"/>-->After you modify the server.xml file, you must restart the CAR server for the changes to take effect. Use the following command line to restart the server:
/opt/CSCOar/bin/arserver restart
Disabling HTTPS
To disable HTTPS access, you must edit the server.xml file in the /cisco-ar/apache-tomcat-5.5.27/conf directory. You must have root privileges to edit this file.
Use a text editor such as vi to open the server.xml file, and comment out lines 116-121. Use the <!-- character sequence to begin a comment. Use the --> character sequence to end a comment.
The following are lines 111-121 of the server.xml file:
<!-- Define an SSL HTTP/1.1 Connector on port 8443 --><!-- CHANGE MADE: enabled HTTPS.Note: to disable HTTPS, comment out this Connector --><Connector port="8443" maxHttpHeaderSize="8192"maxThreads="150" minSpareThreads="25" maxSpareThreads="75"enableLookups="true" disableUploadTimeout="true"acceptCount="100" scheme="https" secure="true"clientAuth="false"keystoreFile="/cisco-ar/certs/tomcat/server-cert.p12"keystorePass="cisco" keystoreType="PKCS12" sslProtocol="TLS" /></Connector>The following example shows these lines with beginning and ending comment sequences to disable HTTPS.
<!-- Define an SSL HTTP/1.1 Connector on port 8443 --><!-- CHANGE MADE: enabled HTTPS.Note: to disable HTTPS, comment out this Connector --><!--<Connector className="org.apache.catalina.connector.http.HttpConnector"port="8443" minProcessors="5" maxProcessors="75"enableLookups="true"acceptCount="10" debug="0" scheme="https" secure="true"><Factory className="org.apache.catalina.net.SSLServerSocketFactory"keystoreFile="/cisco-ar/certs/tomcat/server-cert.p12"keystorePass="cisco" keystoreType="PKCS12"clientAuth="false" protocol="TLS"/></Connector>-->After you modify the server.xml file, you must restart the CAR server for the changes to take effect. Use the following command line to restart the server:
/opt/CSCOar/bin/arserver restart
Login Page
The login page has fields for a username and password. This page displays when you first attempt to log in to the system, if a session times out, or after you log out of the system.
Logging In
Only users who are configured as administrators can log into the CAR server. To log into the CAR GUI, enter a username and password for a configured administrator in the fields provided, then click the Login.
Refreshing the GUI Interface
To stop the server (when it is running), and then immediately start the server, click the reload link.
Restarting the GUI Interface
To restart the CAR server using GUI, click the Restart link.
Note
Logging Out
To log out of the CAR GUI, click the Logout in the upper right portion of the CAR GUI window.
Common Methodologies
This section explains the operations that are common across the GUI interface of CAR. The functions explained in this section are referred throughout to this help system.
This section describes the following:
•
Filtering Records
To locate a record, enter the known details of the record in the text area preceding the Go button. Click the Go button; the records matching the search criteria will be displayed below in the predefined column format. To clear the performed filter, click the Clear Filter button.
Deleting Records
Select the record to be deleted from the list displayed by checking the check box relevant to it. Click the Delete button; a success message is displayed on deletion of the selected record. A record can be located using the filter option. See Filtering Records for more details.
Setting Record Limits per Page
To set the numbers of records to be displayed per page, select the record limit from the list available and click the Go button. The available denominations are 10, 25, 50, 100, and All.
Common Navigations
On existence of more records that cannot be accommodated in a page, the records are displayed in multiple pages. Table 3-1 describes the icons used for page navigation.
.
Table 3-1 Page Navigation Icons
To view the next page
To return back to previous page
To view the last page
To return to the first page
Relocating Records
Table 3-2 describes the icons used for relocating records.
Dashboard
The dashboard of the CAR GUI shows you the overview on the status on the server and user session details. It consists of 2 tabs, Server Status and User Sessions.
The Server Status tab provides details with respect to AAA Server status, the Health status of the AAA Server, and product. In AAA Server status, the AAA Process, Process ID and status are displayed. In health status, the status of the AAA Server with respect to the performance condition is displayed. The Product Details section displays version, build information and license of the CAR.
The User Sessions tab consists of three graphs.
•
•
•
The Number of Sessions vs Duration in Weeks report provides the session details with respect to the number of weeks for which it is queried. The Number of Sessions vs Duration in Days report provides the session details with respect to the number of days for which it is queried. The Time(mins) vs Username report provides the accumulated time with respect to the selected username. This report can also be viewed in the form of chart and grid. Click the relevant icons below the graph to view the details in the respective formats.
Sessions
The Sessions feature of the dashboard helps you in viewing the records based on session id.
To view sessions details, choose Dashboard > Sessions. The Sessions page appears. The session id can be located using the filter option. See Filtering Records for more details. Select the required session id to view the details. To release the selected session details, click the Release button. Click the Release All button to release all the records from the list. To send the CoA packet to the client device, click the Send CoA packet. Click the Send PoD button to send the disconnect packet to the NAS to clear sessions and an Accounting-Stop notification to the client listed in the session record. To query all the sessions in the server, click the Query All Sessions button.
Configuring CAR
CAR's operation and configuration are based on a set of objects. On configuring the CAR major components, the server objects can be created. These objects include the following:
•
•
•
•
•
•
•
•
•
•
•
•
•
RADIUS
The Radius object is the root of the hierarchy. For each installation of the CAR server, there is one instance of the Radius object. You reach all other objects in the hierarchy from the Radius.
To set or change the Radius properties, choose Configuration > Radius. The Radius Properties page appears.
Table 3-3 lists and describes the fields in the Radius Properties page.
Note
Click the Save button to save the changes made to the Radius properties.
Profiles
You use Profiles to group RADIUS attributes that belong together, such as attributes that are appropriate for a particular class of PPP or Telnet user. You can reference profiles by name from either the UserGroup or the User properties. Thus, if the specifications of a particular profile change, you can make the change in a single place and have it propagated throughout your user community.
Although you can use UserGroups or Profiles in a similar manner, choosing whether to use one rather than the other depends on your site. When you require some choice in determining how to authorize or authenticate a user session, then creating specific profiles, and creating a group that uses a script to choose among them is more flexible.
In such a situation, you might create a default group, and then write a script that selects the appropriate profile based on the specific request. The benefit to this technique is each user can have a single entry, and use the appropriate profile depending on the way they log in.
Use the Profiles page for the following:
Adding Profile Details
To add new profile details, choose Configuration > Profiles. The Profiles page appears.
Click the Add button to add new profile details. The Add Profiles page appears.
Table 3-4 lists and describes the fields in the Add Profiles page.
Table 3-4 Profile Properties
Name
Required; must be unique in the Profiles list.
Description
Optional; description of the profile.
RADIUS
Optional; set Radius, if the attribute and value needs to be defined for Radius.
VENDOR
Optional; set Vendor, if the attribute and value needs to be defined for Vendor.
Attribute Name
Optional; based on the Attribute Type selected, the attribute name is automated. Set the relevant name for the attribute type selected.
Value Attribute
Optional; set the value for the selected attribute. Click the Add button to save the details and list it in Radius and Value list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
Click the Submit button to save the specified details in the Add Profiles page. To return to the Profiles page without saving the details, click the Cancel button. On successful creation of the profiles, the Profiles page is displayed else a respective error message is displayed.
Editing Profile Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit a profile, check the appropriate check box and click the Edit button. The Edit Profiles page appears. To modify the profile's attributes, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the Profiles page. If the modification is not successful, CAR displays an error message.
UserGroups
The UserGroups objects allow you to maintain common authentication and authorization attributes in one location, and then have many users reference them. By having a central location for attributes, you can make modifications in one place instead of having to make individual changes throughout your user community.
For example, you can use several UserGroups to separate users by the services they use, such as a group specifying PPP and another for Telnet.
Use the User Groups page for the following:
Adding UserGroup Details
To add new user group details, choose Configuration > UserGroups. The User Groups page appears.
Click the Add button to add new user group details. The Add User Groups page appears.
Table 3-5 lists and describes the fields in the Add User Groups page.
Table 3-5 UserGroups Properties
General Properties tab
Name
Required; must be unique in the UserGroup list.
Description
Optional; description of the group.
BaseProfile
Optional; when you set this to the name of a profile, CAR adds the properties in the Profile to the response dictionary as part of the authorization.
AuthenticationScript
Optional; when you set this property to the name of a script, you can use the Script to perform additional authentication checks to determine whether to accept or reject the user.
AuthorizationScript
Optional; when you set this property to the name of a script, you can use the script to add, delete, or modify the attributes of the Response dictionary.
Attribute List tab
RADIUS
Optional; set Radius, if the attribute and value needs to be defined for Radius.
VENDOR
Optional; set Vendor, if the attribute and value needs to be defined for Vendor.
Attribute Name
Optional; based on the Attribute Type selected, the attribute name is automated. Set the relevant name for the attribute type selected.
Attribute Value
Optional; set the value for the selected attribute. Click the Add button to save the details and list it in Name and Value list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
CheckItems List tab
RADIUS
Optional; set Radius, if the attribute and value needs to be defined for Radius.
VENDOR
Optional; set Vendor, if the attribute and value needs to be defined for Vendor.
Attribute Name
Optional; based on the Attribute Type selected, the attribute name is automated. Set the relevant name for the attribute type selected.
Attribute Value
Optional; set the value for the selected attribute. Click the Add button to save the details and list it in Check Name and Check Value list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
Click the Submit button to save the specified details in the Add User Groups page. To return to the User Groups page without saving the details, click the Cancel button. On successful creation of the user groups, the User Groups page is displayed else a respective error message is displayed.
Editing UserGroup Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the user group details, check the appropriate check box and click the Edit button. The Edit UserGroups page appears. To modify the attributes of user group, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the UserGroups page. If the modification is not successful, CAR displays an error message.
UserList
The UserLists object contains all of the individual UserLists, which in turn, contain the specific users stored within CAR. CAR references each specific UserList by name from a Service whose type is set to local. When CAR receives a request, it directs it to a Service. When the Service has its type property set to local, the Service looks up the user's entry in the specific UserList and authenticates and/or authorizes the user against that entry.
You can have more than one UserList in the UserLists object. Therefore, use the UserLists object to divide your user community by organization. For example, you might have separate UserLists objects for Company A and B, or you might have separate UserLists objects for different departments within a company.
Using separate UserLists objects allows you to have the same name in different lists. For example, if your company has three people named Bob and they work in different departments, you could create a UserList for each department, and each Bob could use his own name. Using UserLists lets you avoid the problem of Bob1, Bob2, and so on.
If you have more than one UserList, you can have a script CAR can run in response to requests. The script chooses the Service, and the Service specifies the actual UserList which contains the user. The alternative is dynamic properties.
Use the User List page for the following:
Adding UserList Details
To add new user list details, choose Configuration > UserList. The User List page appears.
Click the Add button to add new user list details. The Add User List page appears. Table 3-6 lists and describes the fields in the Add User List page.
Table 3-6 User List Properties
Name
Required; must be unique.
Description
Optional; description of the user.
Click the Submit button to save the specified details in the Add User List page. After adding a new user list, you can add users to the user list. See Adding User Details for details. To return to the User List page without saving the details, click the Cancel button. On successful creation of the user list, the User List page is displayed else a respective error message is displayed.
Editing UserList Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit a user list, check the appropriate check box and click the Edit button. The Edit User List page appears. To modify the attributes of user list, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the User List page. If the modification is not successful, CAR displays an error message.
Users
The user objects are created to hold the necessary details to authenticate or authorize a user. These users form the component of User Lists, where their details are stored with in CAR. The users in local Userlist can have multiple profiles.
Note
Use the Users page for the following:
Adding User Details
To add new user details, choose Configuration > UserList. The User List page appears. Click the user list name link. The Users page appears. Click the Add button to add new user details. The Add Users page appears. Table 3-7 lists and describes the fields in the Add Users page.
Table 3-7 Users Properties
General Properties tab
Name
Required; must be unique.
Enabled
Required; must be checked to allow user access. If Enabled is not checked, user is denied access.
Allow Null Pwd
During authentication, if the Allow NULL Password environment variable is set to TRUE, user authentication is bypassed. By default, the Allow NULL Password environment variable is not set.
UserGroup
Use the drop-down list to select a UserGroup and use the properties specified in the UserGroup to authenticate and/or authorize the user. The default is none.
Password
Required; length must be between 0-253 characters.
Base Profile
Use the drop-down list to select a Profile. If the service-type is not equal to Authenticate Only, CAR adds the properties in the Profile to the Response dictionary as part of the authorization. This field is optional for the CLI, but required for the GUI. Use the menu to select a profile other than the default None.
Confirm Password
Required; must match password.
User Defined
Optional; you can use this property to store notational information which you can then use to filter the UserList. This property also sets the environment variable for UserDefined.
AuthenticationScript
Use the drop-down list to select the name of a script to perform additional authentication checks to determine whether to accept or reject the user. This field is optional for the CLI, but required for the GUI. Use the menu to select an AuthenticationScript other than the default None.
AuthorizationScript
Use the drop-down list to select the name of a script to add, delete, or modify the attributes of the Response dictionary. This field is optional for the CLI, but required for the GUI. Use the menu to select an AuthorizationScript other than the default None.
Description
Optional; description of the user.
Attribute List tab
RADIUS
Optional; set Radius, if the attribute and value needs to be defined for Radius.
VENDOR
Optional; set Vendor, if the attribute and value needs to be defined for Vendor.
Attribute Name
Optional; based on the Attribute Type selected, the attribute name is automated. Set the relevant name for the attribute type selected.
Attribute Value
Optional; set the value for the selected attribute. Click the Add button to save the details and list it in Name and Value list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
CheckItems List tab
RADIUS
Optional; set Radius, if the attribute and value needs to be defined for Radius.
VENDOR
Optional; set Vendor, if the attribute and value needs to be defined for Vendor.
Attribute Name
Optional; based on the Attribute Type selected, the attribute name is automated. Set the relevant name for the attribute type selected.
Attribute Value
Optional; set the value for the selected attribute. Click the Add button to save the details and list it in Check Name and Check Value list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
Click the Submit button to save the specified details in the Add Users page. To return to the Users page without saving the details, click the Cancel button. On successful creation of the user details, the Users page is displayed else a respective error message is displayed.
Editing User Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit a user list, check the appropriate check box and click the Edit button. The Edit Users page appears. To modify an attributes of user, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the Users page. If the modification is not successful, CAR displays an error message.
Scripts
The Script objects define the function CAR invokes whenever the Script is referenced by name from other objects in the configuration.
You can write three types of scripts:
•
•
•
For more information about scripts, see Chapter 10, "Using Extension Points." of the User Guide for Cisco Access Registrar, 5.0.
Use the Scripts page for the following:
Adding Script Details
To add new script details, choose Configuration > Scripts. The Scripts page appears.
Click the Add button to add new script details. The Add Scripts page appears. Table 3-8 lists and describes the fields in the Add Scripts page.
The InitEntryPoint properties allow you to perform initialization before processing and then cleanup before stopping the server. For example, when CAR unloads the script (when it stops the RADIUS server) it calls the InitEntryPoint again to allow it to perform any clean-up operations as a result of its initialization. One use of the function might be to allow the script to close an open Accounting log file before stopping the RADIUS server.
Note
Note
Click the Submit button to save the specified details in the Add Scripts page. To return to the Scripts page without saving the details, click the Cancel button. On successful creation of the scripts, the Scripts page is displayed else a respective error message is displayed.
Editing Script Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit script details, check the appropriate check box and click the Edit button. The Edit Scripts page appears. To modify the attributes of script, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the Scripts page. If the modification is not successful, CAR displays an error message.
Policies
A Policy is a set of rules applied to an Access-Request.
Use the Policies page for the following:
Adding Policy Details
To add new policy details, choose Configuration > Policies. The Policies page appears.
Click the Add button to add new policy details. The Add Policies page appears. Table 3-9 lists and describes the fields in the Add Policies page.
Click the Submit button to save the specified details in the Add Policies page. To return to the Policies page without saving the details, click the Cancel button. On successful creation of the policies, the Policies page is displayed else a respective error message is displayed.
Editing Policy Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit a policy, check the appropriate check box and click the Edit button. The Edit Policies page appears. To modify the attributes of policy, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the Policies page. If the modification is not successful, CAR displays an error message.
Services
CAR supports authentication, authorization, and accounting (AAA) services. In addition to the variety of built-in AAA services (specified in the Type property), CAR also enables you to add new AAA services through custom shared libraries.
This section lists the types of services available in CAR with their required and optional properties. The service you specify determines what additional information you must provide. The various types of services are:
Simple Service
CAR provides the following simple services:
•
•
•
Rex
Select rex service when a custom service needs to be created and a script for authentication, authorization, or accounting has to be used.
File
Select File type when local accounting is to be performed using a specific file. The files under the configuration will be saved in the configured name when the server is invoked even if the service is not being invoked by any request packets.
CAR flushes the accounting record to disk before it acknowledges the request packets. Based on the specified maximum file size and age, it closes the accounting file, moves it to a new name, and reopens the file as a new file. The file names are based on its creation and modification dates.
Group
A group service contains a list of references to other services and specifies whether the responses from each of the services should be handled as a logical AND or OR function, which is specified in the Result-Rule attribute of Group Services. The default value is AND.
When the Result-Rule attribute is set to AND or OR, each referenced service is accessed sequentially, and the Group Service waits for a response from the first referenced service before moving on to the next service (if necessary).
The ResultRule settings parallel-and and parallel-or are similar to the AND and OR settings except that they ask each referenced service to process the request simultaneously instead of asking each referenced server sequentially, thereby saving processing time.
Local
Select local services when authentication and authorization needs to be performed by CAR server using a specific UserList.
Java
Select Java service type when a custom service needs to be created and to use an extension point script to provide the service's functionality and handle both RADIUS and TACACS requests for authentication, authorization, or accounting.
WiMAX
CAR uses the Extensible Authentication Protocol (EAP) to enable the WiMAX feature. It captures the IP attributes and Mobility Keys that are generated during network access authentication.
Radius Query
Select this service type to query cached data through Radius Packets. It contains the list of session managers to be queried from and a list of (cached) attributes to be returned in the Access-Accept packet in response to a Radius Query request. It is initiated through an extension point script or through the Rule and Policy Engine by setting it to a new environment variable named Query-Service.
Use the Simple Services List page for the following:
•
•
Adding Simple Service Details
To add new simple service details, choose Configuration > Services > Simple. The Simple Services List page appears.
Click the Add button to add new simple service details. The Add Simple Services List page appears. Table 3-10 lists and describes the fields in the Add Simple Services List page. The fields listed below are the entire list of all the available types. The fields are displayed based on the type selected.
Table 3-10 Simple Service Properties
Service Name
Required; must be unique in the Services list.
Incoming Script
Name of script to run when the service starts.
Type
Required, must set it to a valid CAR service.
Outgoing Script
Name of script to run when the service ends.
Description
Optional; description of the service.
OutageScript
Optional; if you set this property to the name of a script, CAR runs it when an outage occurs. This property allows you to create a script that notifies you when the RADIUS server detects a failure.
OutagePolicy
Required; the default is RejectAll. This property defines how CAR handles requests if all servers listed in the RemoteServers properties are unavailable (that is, all remote RADIUS servers are not available). You must set it to one of the following: AcceptAll, DropPacket, or RejectAll.
FileName
Required; must be either a relative or an absolute path to the shared library containing the Service. When the pathname is relative, it must be relative to $INSTALL/Scripts/Radius/rex.
EntryPoint
Required; must be set to the function's global symbol.
InitEntryPoint
Required; must be the name of the global symbol CAR should call when it initializes the shared library and just before it unloads the shared library.
A rex service must have an InitEntryPoint even if the service only returns REX_OK.
InitEntryPointArgs
Optional; when set, it provides the arguments to be passed to the InitEntryPoint in the environmental variable Arguments.
FilenamePrefix
Required; a string that specifies where CAR writes the account records. It must be either a relative or absolute path. When you specify a relative path, it must be relative to the $INSTALL/logs directory. When you specify an absolute path, the server must be able to reach it. The default is Accounting.
MaxFileAge
Optional; stored as a string, but is composed of two parts, a number and a units indicator (<n> <units>) in which the unit is one of: H, Hour, Hours, D, Day, Days, W, Week, Weeks. The default is one day.
RolloverSchedule
Indicates the exact time including the day of the month or day of the week, hour and minute to roll over the accounting log file.
MaxFileSize
Optional; stored as a string, but is composed of two parts, a number and a units indicator (<n> <units>) in which the unit is one of: K, kilobyte, or kilobytes, M, megabyte, or megabytes, or G, gigabyte, or gigabytes. The default is ten megabytes.
UseLocalTimeZone
When set to TRUE, indicates the accounting records' TimeStamp is in local time. When set to FALSE, the default, accounting records' TimeStamp is in GMT.
UserService
Required; name of service that can be used to authenticate
SessionManager
Select the required session manager from the available list.
Result Rule
When set to AND (the default), the response from the GroupService is positive if each of the services referenced return a positive result. The response is negative if any of the services reference return a negative result.
When set to OR, the response from the GroupService is positive if any of the services referenced return a positive result. The response is negative if all the referenced services return a negative result.
The settings parallel-AND or parallel-OR are similar to AND and OR settings, except that each referenced service processes requests simultaneously instead of asking each reference service sequentially to save processing time.
GroupServices
Use the GroupServices subdirectory to specify the subservices in an indexed list to provide specific ordering control of which services to apply first. Each subservice listed must be defined in the Services section of the Radius configuration and cannot be a of type group, eap-leap, or eap-md5.
To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details.
UserList
Required; this object contains all of the individual UserLists, which in turn, contain the specific users stored within CAR. CAR references each specific UserList by name from a Service whose type is set to local.
When CAR receives a request, it directs it to a Service. When the Service has its type property set to local, the Service looks up the user's entry in the specific UserList and authenticates and/or authorizes the user against that entry.
Class name
Set to the name of a class that implements the Extension interface.
InitializeArg
Optional; set to a string to be passed to the Initialize method if the class implements the optional ExtensionWithInitialization interface.
HARKKey
Used as the base key to generate random HARKKey for all the HAs that are configured in CAR.
By default, the value is cisco123.You can change this value.
WimaxAuthenticationService
A valid EAP service which can be used for WiMAX authentication. By default, this value is none.
HARKLifeTime
Used as time (in minutes) to regenerate the HARKKeys based on its lifetime.
WimaxSessionManager
Set a valid session manager which has HA and HA Cache as resource managers. By default, this value is none.
WimaxQueryService
Set a valid RADIUS query service which is configured with WiMAX session manager. By default, this value is none.
WimaxPrepaidService
Set a valid prepaid service to carry out the prepaid functionality of WiMAX. Otherwise this value is set to none.
Attribute List tab
Attribute type
Select either RADIUS or VENDOR. If Vendor is selected, specify the vendor type from the drop-down list. Select the attributes from the available list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details.
Session Manager tab
Session Manager
Select the required session manager from the available list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details.
Click the Submit button to save the specified details in the Add Simple Services List page. To return to the Simple Services List page without saving the details, click the Cancel button. On successful creation of the simple service properties, the Simple Services List page is displayed else a respective error message is displayed.
Editing Simple Service Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the simple service properties, check the appropriate check box and click the Edit button. The Edit Simple Services List page appears. To modify the properties of simple service, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the Simple Services List page. If the modification is not successful, CAR displays an error message.
ServiceWithRS
The RemoteServers directory lists one or more remote servers to process access requests. The servers must also be listed in order under /Radius/RemoteServers. The order of the RemoteServers list determines the sequence for directing access requests when MultipleServersPolicy is set to RoundRobin mode. The first server in the list receives all access requests when MultipleServersPolicy is set to Failover mode.
The RemoteServers object can be used to specify the properties of the remote servers to which Services proxy requests. RemoteServers are referenced by name from the RemoteServers list in either the RADIUS, LDAP or TACACS-UDP Services.
Use the ServiceWithRS List page for the following:
•
•
Adding Remote Server Service Details
To add new remote server service details, choose Configuration > Services > ServiceWithRS. The ServiceWithRS List page appears.
Click the Add button to add new remote server service details. The Add ServiceWithRS List page appears. Table 3-11 lists and describes the fields in the Add ServiceWithRS List page.
Table 3-11 Remote Server Service Properties
Service Name
Required; name of the remote server service
Incoming Script
Name of script to run when the service starts
Type
Required; Remote service Type must be set to one of the following: domain-auth, ldap, ldap-accounting, odbc-accounting, odbc, prepaid, radius, or radius-session.
Outgoing Script
Name of script to run when the service ends
Outage Script
Optional; if you set this property to the name of a script, CAR runs it when an outage occurs. This property allows you to create a script that notifies you when the RADIUS server detects a failure.
Outage Policy
Required; the default is RejectAll. This property defines how CAR handles requests if all servers listed in the RemoteServers properties are unavailable (that is, all remote RADIUS servers are not available). You must set it to one of the following: AcceptAll, DropPacket, or RejectAll.
Description (optional)
Optional; description of the remote server service
MultipleServersPolicy
Required; must be set to either Failover or RoundRobin.
When you set it to Failover, CAR directs requests to the first server in the list until it determines the server is offline. At which time, CAR redirects all requests to the next server in the list until it finds a server that is online.
When you set it to RoundRobin, CAR directs each request to the next server in the RemoteServers list to share the resource load across all of the servers listed in the RemoteServers list.
RemoteServers
Select the required remote server from the available list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details.
Click the Submit button to save the specified details in the Add ServiceWithRS List page. To return to the ServiceWithRS List page without saving the details, click the Cancel button. On successful creation of the properties, the ServiceWithRS List page is displayed else a respective error message is displayed.
Editing Remote Server Service Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit properties of ServiceWithRS, check the appropriate check box and click the Edit button. The Edit ServiceWithRS List page appears. To modify the properties of ServiceWithRS properties, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the ServiceWithRS List page. If the modification is not successful, CAR displays an error message.
PEAP Service
Protected EAP (PEAP) is an authentication method designed to mitigate several weaknesses of EAP. PEAP leverages Industry standard authentication of the server using certificates TLS (RFC 2246) and creation of a secure session that can then be used to authenticate the client.
The PEAP protocol consists of two phases, an authentication handshake phase and a tunnel phase where another complete EAP authentication exchange takes place protected by the session keys negotiated by phase one. CAR 5.0 supports the tunneling of other EAP methods within the PEAP phase two exchange.
CAR 5.0 supports the two major existing variants of PEAP,
•
•
PEAP Version 0
PEAP Version 0 also called as Microsoft PEAP is described in IETF drafts (draft-kamath-pppext-peapv0-00.txt and draft-josefsson-pppext-eap-tls-eap-02.txt). This version of PEAP uses either EAP-MSChapV2 or EAP-SIM as an authentication method. The testing method used for this version of PEAP is radclient.
PEAP Version 1
PEAP Version 1 also called as Cisco PEAP is described by IETF draft (draft-zhou-pppext-peapv1-00.txt). This version can use either EAP-GTC or EAP-SIM as an authentication method. The testing method used for this version of PEAP is radclient.
Use the PEAP Services List page for the following:
Adding PEAP Service Details
To add new PEAP service details, choose Configuration > Services > PEAP. The PEAP Services List page appears.
Click the Add button to add new PEAP service details. The Add PEAP Services List page appears. Table 3-12 lists and describes the fields in the Add PEAP Services List page. The fields listed below are the entire list of all the available types. The fields are displayed based on the type selected.
Click the Submit button to save the specified details in the Add PEAP Services List page. To return to the PEAP Services List page without saving the details, click the Cancel button. On successful creation of the PEAP service properties, the PEAP Services List page is displayed else a respective error message is displayed.
Editing PEAP Service Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit properties of PEAP service, check the appropriate check box and click the Edit button. The Edit PEAP Services List page appears. To modify the service properties, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the PEAP Services List page. If the modification is not successful, CAR displays an error message.
EAP Service
Cisco Access Registrar (CAR) supports the Extensible Authentication Protocol (EAP) to provide a common protocol for differing authentication mechanisms. It provides dynamic selection of the authentication mechanism at the time of authentication based on information transmitted in the Access-Request.
CAR 5.0 supports the following EAP authentication methods:
•
EAP-AKA
Authentication and Key Agreement (AKA) is an EAP mechanism for authentication and session key distribution. It is used in the 3rd generation mobile networks Universal Mobile Telecommunications System (UMTS) and CDMA2000. AKA is based on symmetric keys, and typically runs in a UMTS Subscriber Identity Module (USIM), or a (Removable) User Identity Module ((R) UIM), similar to a smart card. EAP-AKA (Extensible Authentication Protocol Method for UMTS Authentication and Key Agreement) includes optional identity privacy support, optional result indications, and an optional fast reauthentication procedure.
EAP-FAST
EAP-FAST is an authentication method which uses the EAP-MSChapV2 method for credential provisioning and EAP-GTC for authentication. Credential provisioning typically occurs only during the client's initial EAP-FAST authentication. Subsequent authentications rely on the provisioned credential and will usually omit the provisioning step.
This authentication protocol is designed to address the performance shortcomings of prior TLS-based EAP methods while retaining features such as identity privacy and support for password-based protocols. The EAP-FAST protocol is described by the IETF draft (draft-cam-winget-eap-fast-00.txt).
EAP-GTC
This method defined in RFC 2284, is used for transmitting a username and password to an authentication server.
Note
EAP-LEAP
The new AAA Cisco-proprietary protocol called Light Extensible Authentication Protocol (LEAP) supported by CAR, is a proprietary Cisco authentication protocol designed for use in IEEE 802.11 wireless local area network (WLAN) environments. Important features of LEAP include:
•
•
•
Note
The Cisco-Wireless or LEAP is an EAP authentication mechanism where the user password is hashed based on an MD4 algorithm.
EAP-MD5
This is another EAP authentication exchange. In EAP-MD5 there is a CHAP-like exchange and the password is hashed by a challenge from both client and server to verify the password. On successful verification, the connection proceeds, although the connection is periodically rechallenged (per RFC 1994).
EAP-Negotiate
This is a special service used to select at runtime the EAP service to be used to authenticate the client. It is configured with a list of candidate EAP services that represent the allowable authentication methods in preference order.
EAP-Negotiate is useful when the client population has deployed a mix of different EAP methods that must be simultaneously supported by CAR. EAP-Negotiate solves the problem of distinguishing client requirement by using the method negotiation feature of the EAP protocol.
EAP-MSChapV2
EAP-MSChapv2 encapsulates the MSChapV2 protocol (specified by RFC 2759) and can be used either as an independent authentication mechanism or as an inner method for PEAP Version 0 (recommended). This is based on draft-kamath-pppext-eap-mschapv2-00.txt, an informational IETF draft document.
EAP-SIM
An access point uses the CAR RADIUS server to perform EAP-SIM authentication of mobile clients. CAR must obtain authentication information from the HLR. CAR contacts the MAP gateway that performs the MAP protocol over SS7 to the HLR.
EAP-Transport Level Security (EAP-TLS)
This is an authentication method (described in RFC 2716) which leverages TLS, described in RFC 2246, to achieve certificate-based authentication of the server and the client (optionally). It provides many of the same benefits as PEAP but differs in the lack of support for legacy authentication methods.
EAP-Transport Level Security (TLS)
This is an authentication method (described in RFC 2716) which leverages TLS, described in RFC 2246, to achieve certificate-based authentication of the server and the client (optionally). It provides many of the same benefits as PEAP but differs in the lack of support for legacy authentication methods.
EAP-TTLS
The Extensible Authentication Protocol Tunneled TLS (EAP-TTLS) is an EAP protocol that extends EAP-TLS. EAP- TTLS extends the authentication negotiation EAP-TLS by using the secure connection established by the TLS handshake to exchange additional information between client and server. It leverages TLS (RFC 2246) to achieve certificate-based authentication of the server (and optionally the client) and creation of a secure session that can then be used to authenticate the client using a legacy mechanism.
EAP-TTLS is a two-phase protocol. Phase 1 conducts a complete TLS session and derives the session keys used in Phase 2 to securely tunnel attributes between the server and the client. The attributes tunneled during Phase 2 can be used to perform additional authentication(s) via a number of different mechanisms.
The authentication mechanisms used during Phase 2 include PAP, CHAP, MS-CHAP, MS-CHAPv2, and EAP. If the mechanism is EAP, then several different EAP methods are possible.
Use the EAP Services List page for the following:
Adding EAP Service Details
To add new EAP service details, choose Configuration > Services > EAP. The EAP Services List page appears.
Click the Add button to add new EAP service details. The Add EAP Services List page appears. Table 3-13 lists and describes the fields in the Add EAP Services List page. The fields listed below are the entire list of all the available types. The fields are displayed based on the type selected.
Table 3-13 EAP Service Properties
Service Name
Required; service name
Incoming Script
Optional script CAR server runs when it receives a request from a client
Type
Required; must set it to a valid CAR service
Outgoing Script
Optional script CAR server runs before it sends a response to a client
Description (optional)
Optional; description of the PEAP service.
Authentication Timeout
Mandatory; specifies time (in seconds) to wait before an authentication request times out; defaults to 120.
UserService
Required; name of service that can be used to authenticate using cleartext passwords.
Service List
List of preconfigured EAP authentication services. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details.
Maximum Message Size
Indicates the maximum length in bytes that a PEAP message can have before it is fragmented.
Server Certificate File
The full pathname of the file containing the server's certificate or certificate chain used during the TLS exchange. The pathname can be optionally prefixed with a special string that indicates the type of encoding used for the certificate. The two valid encoding prefixes are PEM and DER. If an encoding prefix is not present, the file is assumed to be in PEM format.
Private Key Password
The password used to protect the server's private key.
Server RSA Key File
The full pathname of the file containing the server's RSA private key. The pathname can be optionally prefixed with a special string that indicates the type of encoding used for the certificate. The two valid encoding prefixes are "PEM" and "DER". If an encoding prefix is not present, the file is assumed to be in PEM format.
The following example assumes that the subdirectory pki under /cisco-ar contains the server's certificate file. The file server-key.pem is assumed to be in PEM format. The file extension .pem is not significant.
set ServerRSAKeyFile PEM:/cisco-ar/pki/server-key.pem
CRL Distribution URL
Optional. Enter the URL that CAR should use to retrieve the CRL.You can specify a URL that uses HTTP or LDAP.
The following is an example for an HTTP URL: <http://crl.verisign.com/pca1.1.1.crl>.
The following is an example for an LDAP URL: ldap://209.165.200.225:388/CN=development-CA,CN=acs-westcoast2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cisco,DC=com
CA Certificate File
The full pathname of the file containing trusted CA certificates used for client verification. The file can contain more than one certificate, but all certificates must be in PEM format. DER encoding is not allowed.
Certificate Verification Mode
The value is set to optional by default. If set to RequireCertificate, the client certificate will always be verified. If set to optional, client certificate verification happens optionally.
CA Certificate Path
The name of a directory containing trusted CA certificates (in PEM format) used for client verification. This parameter is optional and if it is used there are some special preparations required for the directory it references.
Each certificate file in this directory must contain exactly one certificate in PEM format. The server looks up the certificate files using the MD5 hash value of the certificate's subject name as a key. The directory must therefore also contain a set of symbolic links each of which points to an actual certificate file. The name of each symbolic link is the hash of the subject name of the certificate.
For example, if a certificate file named ca-cert.pem is located in the CACertificatePath directory, and the MD5 hash of the subject name contained in ca-cert.path.pem is 1b96dd93, then a symbolic link named 1b96dd93 must point to ca-cert.pem.
If there are subject name collisions such as multiple certificates with the same subject name, each link name must be indexed with a numeric extension as in 1b96dd93.0 and 1b96dd93.1.
Verification Depth
Specifies the maximum length of the certificate chain used for client verification.
Enable Session Cache
Specifies whether TLS session caching (fast reconnect) is enabled or not. Set to True to enable session caching; otherwise set to False.
Session Timeout
If TLS session caching (fast reconnect) is enabled, SessionTimeout specifies the maximum lifetime of a TLS session. Expired sessions are removed from the cache and will require a subsequent full authentication.
SessionTimeout is specified as a string consisting of pairs of numbers and units, where units might be one of the following: M, Minute, Minutes, H, Hour, Hours, D, Day, Days, W, Week, Weeks, as in the following:
Set SessionTimeout "1 Hour 45 Minutes"
Authentication Service
Specifies the name of the EAP-GTC service is used for authentication. The named service must have the UseLabels parameter set to True.
User Prompt
Optional string the client might display to the user; default is Enter password:" Use the set command to change the prompt, as in the following:
set UserPrompt "Admin Password:"
User Labels
Required; must be set to TRUE for EAP-FAST authentication and set to FALSE for PEAP authentication. Set to FALSE by default.
SystemID
Optional; string that identifies the sender of the MSChapV2 challenge message
Authority Identifier
A string that uniquely identifies the credential (PAC) issuer. The client uses this value to select the correct PAC to use with a particular server from the set of PACs it might have stored locally.
Authority Information
A string that provides a descriptive text for this credential issuer. The value can be displayed to the client for identification purposes and might contain the enterprise or server names.
Credential Life Time
Specifies the maximum lifetime of a Protected Access Credential (PAC). Clients that successfully authenticate with an expired PAC will be reprovisioned with a new PAC.
CredentialLifetime is specified as a string consisting of pairs of numbers and units, where units might be one of the following: M, Minute, Minutes, H, Hour, Hours, D, Day, Days, W, Week, Weeks. Credentials that never expire should be specified as Forever.
Provision Service
Specifies the name of the EAP-MSChapV2 service used for provisioning.
Provision Mode
Specifies the TLS mode used for provisioning. Clients only support the default Anonymous mode.
Always Authenticate
Indicates whether provisioning should always automatically rollover into authentication without relying on a separate session. Most environments, particularly wireless, will perform better when this parameter is set to True, the default value.
General tab
MultipleServersPolicy
Required. Must be set to either Failover or RoundRobin.
When set to Failover, CAR directs requests to the first server in the list until it determines the server is offline. At that time, CAR redirects all requests to the next server in the list until it finds a server that is online.
When set to RoundRobin, CAR directs each request to the next server in the RemoteServers list to share the resource load across all of the servers listed in the RemoteServers list.
NumberOfTriplets
Number of triplets (1, 2, or 3) to use for authentication; default is 2.
PseudonymSecret
The secret string that is used as the basis for protecting identities when identity privacy is enabled. This should be at least 16 characters long and have a value that is impossible for an outsider to guess. The default value is secret.
Note
PseudonymRenewtime
Specifies the maximum age a pseudonym can have before it is renewed. When the server receives a valid pseudonym that is older than this, it generates a new pseudonym for that subscriber. The value is specified as a string consisting of pairs of numbers and units, where the units might be of the following: M, Minute, Minutes, H, Hour, Hours, D, Day, Days, W, Week, Weeks. The default value is "24 Hours".
Examples are: "8 Hours", "10 Hours 30 Minutes", "5 D 6 H 10 M"
PseudonymLifetime
Specifies the maximum age a pseudonym can have before it is rejected by the server, forcing the subscriber to authenticate using it's permanent identity. The value is specified as a string consisting of pairs of numbers and units, where the units might be one of the following: M, Minute, Minutes, H, Hour, Hours, D, Day, Days, W, Week, Weeks. It can also be Forever, in which case, pseudonyms do not have a maximum age. The default value is "Forever".
Examples are: "Forever", "3 Days 12 Hours 15 Minutes", "52 Weeks"
ReauthenticationTimeout
Specifies the time in seconds that reauthentication identities are cached by the server. Subscribers that attempt to reauthenticate using identities that are older than this value will be forced to use full authentication instead. The default value is 3600 (one hour).
EnableReauthentication
When True, the fast reauthentication option is enabled. The default value is False.
UseProtectedResults
Enables or disables the use of protected results messages. Results messages indicate the state of the authentication but are cryptographically protected.
ReauthenticationRealm
This information will be supplied later.
MaximumReauthentications
Specifies the maximum number of times a reauthentication identity might be reused before it must be renewed. The default value is 16.
TripletCacheTimeout
Time in seconds an entry remains in the triplet cache. A zero (0) indicates that triplets are not cached. The maximum is 28 days; the default is 0 (no caching).
Authentication Timeout
Time in seconds to wait for authentication to complete. The default is 2 minutes; range is 10 seconds to 10 minutes.
UseSimDemoTriplets
Set to TRUE to enable the use of demo triplets. This must be disabled for release builds.
AlwaysRequestIdentity
When True, enables the server to obtain the subscriber's identity via EAP/SIM messages instead of relying on the EAP messages alone. This might be useful in cases where intermediate software layers can modify the identity field of the EAP-Response/Identity message. The default value is False.
EnableIdentityPrivacy
When True, the identity privacy feature is enabled. The default value is False.
Generate3GPPCompliantPseudonym
The value is set to False by default. If set to TRUE then CAR generates a 23 octet 3GPP compliant pseudonym identities. The Pseudonym username identities to protect the privacy of subscriber identities.
Remote Servers tab
Attribute
List of remote RADIUS servers which are map gateways. The remote server type must be set to map-gateway. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details.
Click the Submit button to save the specified details in the Add EAP Service List page. To return to the EAP Service List page without saving the details, click the Cancel button. On successful creation of the EAP Service properties, the EAP Service List page is displayed else a respective error message is displayed.
Editing EAP Service Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit properties of EAP service, check the appropriate check box and click the Edit button. The Edit EAP Services List page appears. To modify the service properties, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the EAP Services List page. If the modification is not successful, CAR displays an error message.
Replication
The replication feature of CAR allows you in maintaining identical configurations on multiple machines simultaneously. It eliminates the need to have administrators with multiple CAR installations, make the same configuration changes at each of their installations. Instead, only the master's configuration must be changed and the slave is automatically configured eliminating the need to make repetitive, error-prone configuration changes for each individual installation. In addition to enhancing server configuration management, using replication eliminates the need for a hot-standby machine.
Employing CAR's replication feature, both servers can perform RADIUS request processing simultaneously, eliminating wasted resources. It focuses on configuration maintenance only, not session information or installation-specific information.
Use the Replication Details page for the following:
•
Adding Replication Details
To add new replication details, choose Configuration > Replication. The Replication Details page appears.Table 3-14 lists and describes the fields in the Replication Details page.
Click the Add button to add new replication details. To restore the default values, click the Reset button. You can also add the replication member details by entering the required details in the fields displayed in Replication Members tab. Click the Submit button to add the replication member details. On successful creation of the replication details, a success message is displayed else a respective error message is displayed.
Editing Replication Member Details
To edit the replication member details, check the appropriate radio button and click the Edit button. To modify the details, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR lists the modified details else a respective error message is displayed.
Radius Dictionary
The RADIUS dictionary passes information between a script and the RADIUS server, or between scripts running on a single packet.
Use the Radius Attributes page for the following:
•
•
Adding Radius Dictionary Details
To add new Radius dictionary details, choose Configuration > Radius Dictionary. The Radius Attributes page appears.
Click the Add button to add new Radius dictionary details. The Add Radius Attributes page appears. Table 3-15 lists and describes the fields in the Add Radius Attributes page. The fields listed below are the entire list of all the available types. The fields are displayed based on the type selected.
Table 3-15 Radius Dictionary Properties
Name
Required; must be unique in the Radius dictionary list
Description
Optional; description of the attribute
Attribute
Required; must be a number between 1-255. It must be unique within the Attribute dictionary list.
Type
Required; type governs how the value is interpreted and printed.
Minimum
Set to zero
Maximum
Set to 253
Enum Number
Enums allow you to specify the mapping between the value and the strings. After you have established this mapping, CAR then replaces the number with the appropriate string. The min/max properties represent the lowest to highest values of the enumeration.
Enum Equivalent
The value can range from 1 through 255. Click the Add button to save the details and list it in the Enums list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
Tag
The tag number value can range from 0 through 31. The default value is zero.
Click the Submit button to save the specified details in the Add Radius Attributes page. To return to the Radius Attributes page without saving the details, click the Cancel button. On successful creation of the Radius Attributes, the Radius Attributes page is displayed else a respective error message is displayed.
Editing Radius Dictionary Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit Radius dictionary details, check the appropriate check box and click the Edit button. The Edit Radius Attributes page appears. To modify the Radius dictionary details, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the Radius Attributes page. If the modification is not successful, CAR displays an error message.
Vendor Dictionary
The vendor dictionary allows the user to maintain the attributes of the vendor with respect to vendor id, vendor type and the attributes required to support the major NAS.
Use the Vendor Dictionary page for the following:
•
•
Adding Vendor Dictionary Details
To add new vendor dictionary details, choose Configuration > Vendor Dictionary. The Vendor Dictionary page appears.
Click the Add button to add new Vendor dictionary details. The Add Vendor Dictionary page appears. Table 3-16 lists and describes the fields in the Add Vendor Dictionary page. The fields listed below are the entire list of all the available types. The fields are displayed based on the type selected.
Table 3-16 Vendor Dictionary Properties
Name
Required; must be unique in the Vendor dictionary list
Description
Optional; description of the attribute
Vendor ID
Required; must be a valid number and unique within the entire attribute dictionary
Type
Required; type governs how the value is interpreted and printed.
Minimum
Set to zero
Maximum
Set to 253
Enum Number
Enums allow you to specify the mapping between the value and the strings. After you have established this mapping, CAR then replaces the number with the appropriate string. The min/max properties represent the lowest to highest values of the enumeration.
Enum Equivalent
The value can range from 1 through 255. Click the Add button to save the details and list it in the Enums list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
Tag
The tag number value can range from 0 through 31. The default value is zero.
Vendor Size
Set the vendor size to 8, 16, or 32 bit
HasSubAttributeLengthField
Indicates that the value field of the attribute has the length field for the sub attribute.
Click the Submit button to save the specified details in the Add Vendor Dictionary page. After adding new vendor dictionary details, you can add vendor attributes. See Adding Vendor Attributes for details. To return to the Vendor Dictionary page without saving the details, click the Cancel button. On successful creation of the vendor dictionary details, the Vendor Dictionary page is displayed else a respective error message is displayed.
Editing Vendor Dictionary Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit Vendor dictionary details, check the appropriate check box and click the Edit button. The Edit Vendor Dictionary page appears. To modify the Vendor dictionary details, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the Vendor Dictionary page. If the modification is not successful, CAR displays an error message.
Vendor Attributes
Vendor-specific attributes are included in specific RADIUS packets to communicate prepaid user balance information from the CAR server to the AAA client, and actual usage, either interim or total, between the NAS and the CAR Server.
Use the Vendor Attributes page for the following:
Adding Vendor Attributes
To add new Vendor attributes, choose Configuration > Vendor Dictionary. The Vendor Dictionary page appears. Click the Vendor name link. The Vendor Attributes page appears. Click the Add button to add new Vendor attributes. The Add Vendor Attributes page appears. Table 3-17 lists and describes the fields in the Add Vendor Attributes page.
Table 3-17 Vendor Attribute Properties
Name
Required; must be unique in the Vendor attribute list
Description
Optional; description of the attribute
Attribute
Required; must be a valid number and unique within the entire attribute dictionary
Type
Required; type governs how the value is interpreted and printed.
Minimum
Set to zero
Maximum
Set to 253
Enum Number
Enums allow you to specify the mapping between the value and the strings. After you have established this mapping, CAR then replaces the number with the appropriate string. The min/max properties represent the lowest to highest values of the enumeration.
Enum Equivalent
The value can range from 1 through 255. Click the Add button to save the details and list it in the Enums list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
Tag
The tag number value can range from 0 through 31. The default value is zero.
Click the Submit button to save the specified details in the Add Vendor Attributes page. To return to the Vendor Attributes page without saving the details, click the Cancel button. On successful creation of the Vendor attributes, the Vendor Attributes page is displayed else a respective error message is displayed.
Editing Vendor Attributes
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit Vendor attribute details, check the appropriate check box and click the Edit button. The Edit Vendor Attributes page appears. To modify the Vendor attributes, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the Vendor Attributes page. If the modification is not successful, CAR displays an error message.
Vendors
The Vendor object provides a central location for specifying all of the request and response processing a particular NAS or Proxy vendor requires. Depending on the vendor, it might be necessary to map attributes in the request from one set to another, or to filter out certain attributes before sending the response to the client. For more information about standard RADIUS attributes, see Appendix C, "RADIUS Attributes." of User Guide for Cisco Access Registrar, 5.0.
Note
Use the Vendors page for the following:
Adding Vendor Details
To add new Vendor details, choose Configuration > Vendors. The Vendors page appears.
Click the Add button to add new Vendor details. The Add Vendor page appears. Table 3-18 lists and describes the fields in the Add Vendor page.
Click the Submit button to save the specified details in the Add Vendor page. To return to the Vendor page without saving the details, click the Cancel button. On successful creation of the Vendor details, the Vendor page is displayed else a respective error message is displayed.
Editing Vendor Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the Vendor details, check the appropriate check box and click the Edit button. The Edit Vendors page appears. To modify an attributes of vendor, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the Vendors page. If the modification is not successful, CAR displays an error message.
Translations
Translations add new attributes to a packet or change an existing attribute from one value to another. The Translations subdirectory lists all definitions of Translations the RADIUS server can apply to certain packets.
Under the /Radius/Translations directory, any translation to insert, substitute, or translate attributes can be added. The following is a sample configuration under the /Radius/Translations directory:
cd /Radius/Translations Add T1 cd T1 Set DeleAttrs Session-Timeout,Called-Station-Id cd Attributes Set Calling-Station-Id 18009998888DeleAttrs is the set of attributes to be deleted from the packet. Each attribute is comma separated and no spaces are allowed between attributes. All attribute value pairs under the attributes subdirectory are the attributes and values that are going to be added or translated to the packet.
Under the /Radius/Translations/T1/Attributes directory, inserted or translated attribute value pairs can be set. These attribute value pairs are either added to the packet or replaced with the new value.
If a translation applies to an Access-Request packet, by referencing the definition of that translation, the CAR server modifies the Request dictionary and inserts, filters and substitutes the attributes accordingly. You can set many translations for one packet and the CAR server applies these translations sequentially.
Note
Use the Translations page for the following:
Adding Translation Details
To add new translation details, choose Configuration > Translations. The Translations page appears.
Click the Add button to add new translations details. The Add Translations page appears. Table 3-19 lists and describes the fields in the Add Translations page.
Table 3-19 Translations Properties
General Properties tab
Name
Required; must be unique in the Translations list.
Description
Optional; description of the Translation
Attribute Type
Select either RADIUS or VENDOR. If Vendor is selected, specify the vendor type from the drop-down list. Select the attributes from the available list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details.
Attributes tab
Attribute Type
Select either RADIUS or VENDOR. If Vendor is selected, specify the vendor type from the drop-down list.
Attribute Name
Optional; based on the Attribute Type selected, the attribute name is automated. Set the relevant name for the attribute type selected.
Attribute Value
Optional; set the value for the selected attribute. Click the Add button to save the details and list it in Radius and Value list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
Click the Add Translations button to save the specified details in the Add Translations page. To return to the Translations page without saving the details, click the Cancel button. On successful creation of the translation details, the Translations page is displayed else a respective error message is displayed.
Editing Translation Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the translation details, check the appropriate check box and click the Edit button. The Edit Translations page appears. To modify the translation details, enter new information in the editable fields and click the Edit Translation button. If the modification is successful, CAR returns you to the Translations page. If the modification is not successful, CAR displays an error message.
Translation Groups
You can add translation groups for different user groups under TranslationGroups. All Translations under the Translations subdirectory are applied to those packets that fall into the groups. The groups are integrated with the CAR Rule engine.
The CAR Administrator can use any RADIUS attribute to determine the Translation Group. The incoming and outgoing translation group can be different translation groups. For example, you can set one translation group for incoming translations and one for outgoing translations.
Under the /Radius/TranslationGroups directory, translations can be grouped and applied to certain sets of packets, which are referred to in a rule. The following is a sample configuration under the /Radius/TranslationGroups directory:
cd /Radius/TranslationGroups Add CiscoIncoming cd CiscoIncoming cd Translations Set 1 T1The translation group is referenced through the CAR Policy Engine in the /Radius/Rules/<RuleName>/Attributes directory. Incoming-Translation-Groups are set to a translation group (for example CiscoIncoming) and Outgoing-Translation-Groups to another translation group (for example CiscoOutgoing).
Use the Translation Groups page for the following:
•
•
Adding Translation Group Details
To add new translation group details, choose Configuration > TranslationGroups. The Translation Groups page appears.
Click the Add button to add new translation group details. The Add Translation Groups page appears. Table 3-20 lists and describes the fields in the Add Translation Groups page.
Table 3-20 TranslationGroups Properties
Name
Required; must be unique in the Translations list.
Description
Optional; description of the Translation Group
Translations
Lists of translation. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details.
Click the Add TranslationGroup button to save the specified details in the Add Translation Groups page. To return to the Translation Groups page without saving the details, click the Cancel button. On successful creation of the translation group details, the Translation Groups page is displayed else a respective error message is displayed.
Editing Translation Group Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the translation group details, check the appropriate check box and click the Edit button. The Edit Translation Groups page appears. To modify the translation group details, enter new information in the editable fields and click the Edit TranslationGroup button. If the modification is successful, CAR returns you to the Translation Groups page. If the modification is not successful, CAR displays an error message.
DIAMETER
Diameter is a computer networking protocol forAuthentication, Authorization and Accounting (AAA). It is a successor to RADIUS or an enhanced version of the RADIUS protocol. It includes numerous enhancements in all aspects, such as error handling and message delivery reliability. It extracts the essence of the AAA protocol from RADIUS and defines a set of messages that are general enough to be the core of the Diameter Base protocol. The various applications that require AAA functions can define their own extensions on top of the Diameter base protocol, and can benefit from the general capabilities provided by the Diameter base protocol.
The following sections can be used to configure diameter transportmanagement properties, sessionmanagement properties, add new application, commands associated with it and application specific AVPs:
General
This section explains how to set Diameter general configuration such as product name, version, and transport management properties.
Setting General Diameter Parameters
To set general diameter parameters, choose Configuration > Diameter > General. The General Diameter page appears.
Table 3-21 lists and describes the fields in the General Diameter page.
Click the Set button to save the specified details in the General Diameter page. On successful creation of the general diameter parameters, a success message is displayed else a respective error message is displayed.
SessionManagement
Diameter Base protocol stack provides the functionality of SessionManagement. Base Stack maintains sessions separately for authentication and accounting messages. Session-Id AVP is used to identify the user session.
Setting Session Management Properties
To set session management properties, choose Configuration > Diameter > SessionManagement. The Session Management page appears.
Table 3-22 lists and describes the fields in the Session Management page.
Click the Set button to save the specified details in the Session Management page. On successful creation of the parameters, a success message is displayed else a respective error message is displayed.
Applications
A Diameter application is not a software application, but a protocol based on the Diameter base protocol (defined in RFC 3588). Each application is defined by an application identifier and can add new command codes and/or new mandatory AVPs.
Use the Applications page for the following:
•
•
Adding Diameter Application Details
To add new Diameter application details, choose Configuration > Diameter > Applications. The Applications page appears.
Click the Add button to add new Diameter application details. The Add Applications page appears. Table 3-23 lists and describes the fields in the Add Applications page.
Table 3-23 Diameter Application Properties
Name
Required; name of the application.
Description
Optional; description of the application.
IsVendorSpecific
Required; the default is FALSE. If set to FALSE, the application is ordinary application and user is prompted to enter the ApplicationID. If set to TRUE, the application is a VendorSpecific Application. User is prompted to enter VendorSpecificApplicationID and VendorID.
IsAuthApplication
Required; if set to TRUE the application represents AuthApplication else it represents Accounting Application.
Application ID
Required; specifies the unique integer value for the application.
The following are examples of Diameter application:
NASREQ 1
Mobile-IP 2
Diameter Base Accounting 3
Note
VendorSpecificApplicationID
Required; specifies the integer value for the vendor specific application.
VendorID
Required; specifies the VendorID for the application.
Example:
DIAMETER 3GPP Cx APPLICATION
VendorSpecificApplicationID 16777216
VendorID 10415
ApplicationURI
Optional; specifies the URI of the Application.
Eg: "ftp://ftp.ietf.org/internet-drafts/draft-ietf-aaa-diameter-nasreq- 12.txt"
Commands
Required; an indexed list from 1 to <n>. Each entry in the list is the name of the command. It specifies the list of commands associated with the application.
To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details.
Click the Add Application button to save the specified details in the Add Applications page. To return to the Applications page without saving the details, click the Cancel button. On successful creation of the Diameter application details, the Applications page is displayed else a respective error message is displayed.
Editing Diameter Application Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the Diameter application details, check the appropriate check box and click the Edit button. The Edit Applications page appears. To modify the Diameter application details, enter new information in the editable fields and click the Add Application button. If the modification is successful, CAR displays a success message else a respective error message is displayed.
Commands
Each command in Diameter is associated with a command code. The command can be a request command or an answer command which is identified by the 'R' bit in the Command Flags field of the Diameter header.
Use the Commands page for the following:
Adding Diameter Commands
To add new Diameter commands, choose Configuration > Diameter > Commands. The Commands page appears.
Click the Add button to add new Diameter commands. The Add Commands page appears. Table 3-24 lists and describes the fields in the Add Commands page.
Click the Add button, to add AVP details. Table 3-25 lists and describes the fields displayed on clicking the Add button.
Click either Save button to save the specified AVP details or Cancel button to exit.
To edit the AVP details, select the appropriate radio button and click the Edit button. To modify the AVP details, enter new information in the editable fields and click the Save button. To delete the AVP details, select the appropriate radio button and click the Delete button.
Click the Add Command button to save the specified details in the Add Commands page. To return to the Commands page without saving the details, click the Cancel button. On successful creation of the Diameter command details, the Commands page is displayed else a respective error message is displayed.
Editing Diameter Commands
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the Diameter command details, check the appropriate check box and click the Edit button. The Edit Commands page appears. To modify the Diameter command details, enter new information in the editable fields and click the Add Command button. If the modification is successful, CAR displays a success message else a respective error message is displayed.
Advanced
Advanced objects allow configuring system-level properties and the Attribute dictionary. Under normal system operation, the system-level properties should not be changed.
The following list helps you in defining the system-level properties and attribute dictionary:
•
•
•
Default
This feature of GUI allows you in configuring the default values for other functionalities of GUI. The configurations set in this feature reflects on all the other features.
Setting Default Configuration
To set new default configuration details, choose Configuration > Advanced > Default. The Default Advanced Details page appears.
Table 3-26 lists and describes the fields in the Default Advanced Details page.
Click the Set button to save the specified details in the Default Advanced Details page. To restore the default values, click the Reset button. On successful creation of the default configurations, a success message is displayed else a respective error message is displayed.
BackingStore/ServerParam
The Backing Store is a Parsing Tool which helps you in analyzing the session backing store files. It retrieves the information on Radius sessions, clears phantom sessions details manually and processes the binary log files information to user-readable format.
The Server parameters are set to configure objects to remote server using the relevant aregcmd commands.
Setting Server Parameters
To set new server parameters, choose Configuration > Advanced > Backing/ServerParam. The Backing/ServerParam Advanced Details page appears.
Table 3-27 lists and describes the fields in the Backing/ServerParam Advanced Details page.
Click the Set button to save the specified details in the Backing/ServerParamAdvanced Details page. On successful creation of the server parameters, a success message is displayed else a respective error message is displayed.
RemoteODBCSessionServer
Cisco AR 5.0 sessions can also be stored on a remote database. This improves the overall scalability of the number of sessions that AR can simultaneously handle. The remote session manager internally uses the following two ODBC remote servers:
•
•
Configurations pertaining to these internal remoteservers can be done under the RemoteODBCSessionServer section
Note
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/5.0/user/guide/features.html
Note
Setting RemoteODBCSessionServer Details
To set new RemoteODBCSessionServer details, choose Configuration > Advanced > RemoteODBCSessionServer. The RemoteODBCSessionServer Advanced Details page appears.
Table 3-28 lists and describes the fields in the RemoteODBCSessionServer Advanced Details page.
Click the Set button to save the specified details in the RemoteODBCSessionServer Advanced Details page. On successful creation of the RemoteODBCSessionServer details, a success message is displayed else a respective error message is displayed.
SNMP
CAR provides SNMP MIB for users of network management systems. The supported MIBs enable the network management station to collect state and statistic information from a CAR server. It enables a standard SNMP management station to check the current state of the server as well as the statistics on each client or each proxy remote server. These messages contain information indicating that either the server was brought up or down or that the proxy remote server is down or has come back online.
Setting SNMP Details
To set new SNMP details, choose Configuration > Advanced > SNMP. The SNMP Advanced Details page appears.
Table 3-29 lists and describes the fields in the SNMP Advanced Details page.
Click the Set button to save the specified details in the SNMP Advanced Details page. On successful creation of the SNMP details, a success message is displayed else a respective error message is displayed.
DDNS
CAR supports Dynamic DNS Remote server. It is a method, protocol, or network that notifies the server to change the active DNS configuration of its configured hostnames, addresses or other information stored in DNS.
Use the DDNS Details page for the following:
Setting DDNS Details
To set new DDNS details, choose Configuration > Advanced > DDNS. The DDNS Details page appears.
Check the SynthesizeReverseZone check box, and click the Set DDNS button.
Adding DDNS Details
To add new DDNS details, choose Configuration > Advanced > DDNS. The DDNS Details page appears.
Click the Add button to add new DDNS details. The Add DDNS Details page appears. Table 3-30 lists and describes the fields in the Add DDNS Details page.
Table 3-30 DDNS Properties
Name
Name of the TSIG Key.
Secret
Set to the same base64-encoded string as defined in the DNS server.
Description
Description of the TSIG Key
Click the Add button to save the specified details in the Add DDNS Details page. On successful creation of the DDNS details, a success page is displayed else a respective error message is displayed.
Editing DDNS Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the DDNS details, check the appropriate check box and click the Edit button. The Edit DDNS Details page appears. To modify the DDNS details, enter new information in the editable fields and click the Update button. If the modification is successful, CAR displays a success message else a respective error message is displayed.
ODBCDataSources
CAR uses ODBC as the datasource name to be used by the remote server. Multiple remote servers can use the same ODBCDataSource. Under the ODBCDataSource object definition, a list defines ODBC.ini filename/value pairs for a connection. The list includes a Type field and a Driver field, different for each Driver and Data Source, to indicate its Driver and Data Source. CAR 5.0 supports only the Easysoft Open Source Oracle Driver.
Use the ODBC DataSources page for the following:
Adding ODBC Data Source
To add new ODBC data source details, choose Configuration > Advanced > ODBC DataSources. The ODBC DataSources page appears.
Click the Add button to add new ODBC data source details. The Add ODBC DataSources page appears. Table 3-31 lists and describes the fields in the Add ODBC DataSources page.
Click the Submit button to save the specified details in the Add ODBC DataSources page. To return to the ODBC DataSources page without saving the details, click the Cancel button. On successful creation of the ODBC data source details, the ODBC DataSources page is displayed else a respective error message is displayed.
EditingODBC Data Source
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the ODBC data source details, check the appropriate check box and click the Edit button. The Edit ODBC DataSources page appears. To modify the ODBC data source details, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR displays a success message else a respective error message is displayed.
Log
The log files defined in CAR assist you in identifying the issues related to it. CAR holds sets of log files to store information relevant to server agent processes, monitoring arserver utility, execution of aregcme commands, mcd internal database details, radius server processes and debug details of RADIUS request process.
Use the Log Files page for the following:
Viewing Log Details
To view the log files, choose Configuration > Advanced > Log. The Log Files page appears. Select the appropriate radio button and click the View button to view the file.
Downloading Log Details
To download the log files, choose Configuration > Advanced > Log. The Log Files page appears. Select the appropriate radio button and click the Download button to download the file.
Setting Log Details
To set the log details, choose Configuration > Advanced > Log. The Log Files page appears. Table 3-32 lists and describes the fields in the Log Files page.
Click the Set button to save the specified details in the Add Log Files page.
Ports
The Ports list specifies which ports to listen to for requests. When you specify a port, CAR makes no distinction between the port used to receive Access-Requests and the port used to receive Accounting-Requests. Either request can come in on either port.
Most NASs send Access-Requests to port 1645 and Accounting-Requests to 1646, however, CAR does not check.
When you do not specify any ports, CAR reads the /etc/services file for the ports to use for access and accounting requests. If none are defined, CAR uses the standard ports (1645 and 1646).
Use the Ports page for the following:
Adding Port Details
To add new port details, choose Configuration > Advanced > Port. The Ports page appears.
Table 3-33 lists and describes the fields in the Ports page.
Click the Add button to add new port details. The new port details will be listed in the Ports page.
Editing Port Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the port details, check the appropriate check box and click the Edit button. To modify the port details, enter new information in the editable fields and click the Save button. If the modification is successful, CAR displays a success message else a respective error message is displayed.
Interfaces
The Interfaces list specifies the interfaces on which the RADIUS server receives and sends requests. You specify an interface by its IP address.
•
•
Note
Use the interfaces page for the following:
•
Adding IP Addressing Interface
To add a new IP address interface to define an interface, choose Configuration > Advanced > Interfaces. The Interfaces page appears. Enter the IP address, and click the Add button. The new IP address will be listed in the Interfaces page.
Attribute Groups
The Attributes can be grouped using CAR Profile object. The attributes for a particular user group can be grouped under a profile and the attributes contained in the profiles will be returned in their access-accepts.
Use the Attribute Groups page for the following:
•
•
Adding Attribute Group Details
To add new attribute groups details, choose Configuration > Advanced > Attributes Groups. The Attribute Groups page appears.
Click the Add button to add new attribute groups details. The Add Attribute Groups page appears. Table 3-34 lists and describes the fields in the Add Attribute Groups page.
Table 3-34 AttributeGroups Properties
Name
Name of the attribute group.
Description
Optional; description of the attribute group.
Attribute type
Select either RADIUS or VENDOR. If Vendor is selected, specify the vendor type from the drop-down list.
Attribute Name
Optional; based on the Attribute Type selected, the attribute name is automated. Set the relevant name for the attribute type selected. Click the Add button to save the details and list it in Attribute list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
Click the Submit button to save the specified details in the Add Attribute Groups page. To return to the Attribute Groups page without saving the details, click the Cancel button. On successful creation of the attribute group details, the Attribute Groups page is displayed else a respective error message is displayed.
Editing Attribute Group Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the attribute group details, check the appropriate check box and click the Edit button. To modify the attribute group details, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the Attribute Groups page. If the modification is not successful, CAR displays an error message.
Rules
A Rule is a function that selects services based on all input information used by the function.
Use the Rules List page for the following:
Setting Rules
To set new rules, choose Configuration > Rules. The Rules List page appears.
Click the Add button to set new rules. The Add Rules List page appears. Table 3-35 lists and describes the fields in the Add Rules List page.
Table 3-35 Rule Properties
General Properties tab
Rule Name
Required; must be unique in the Rule list.
Description
Optional; description of the rule.
Script Name
Name of the script.
Attribute Details tab
RADIUS
Optional; set Radius, if the attribute and value needs to be defined for Radius.
VENDOR
Optional; set Vendor, if the attribute and value needs to be defined for Vendor.
Attribute Name
Optional; based on the Attribute Type selected, the attribute name is automated. Set the relevant name for the attribute type selected.
Attribute Value
Optional; set the value for the selected attribute. Click the Add button to save the details and list it in Name and Value list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
ManualEntry For Unlisted Attributes
Select this option if you want to manually enter the attribute name and attribute value.
Click the Submit button to save the specified details in the Add Rules List page. To return to the Rules List page without saving the details, click the Cancel button. After successfully setting the rules, the Rules List page is displayed else a respective error message is displayed.
Editing Rules
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the rules, check the appropriate check box and click the Edit button. To modify the rules, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the Rules List page. If the modification is not successful, CAR displays an error message.
Session Managers
You can use Session Managers to track user sessions. The Session Managers monitor the flow of requests from each NAS and detect the session state. When requests come through to the Session Manager, it creates sessions, allocates resources from appropriate Resource Managers, and frees and deletes sessions when users log out.
The Session Manager enables you to allocate dynamic resources to users for the lifetime of their session. You can define one or more Session Managers and have each one manage the sessions for a particular group or company.
Note
Note
Note
Session Managers use Resource Managers, which in turn, manage a pool of resources of a particular type.
Use the Session Managers page for the following:
•
•
Adding Session Manager Details
To add new session manager details, choose Configuration > Session Managers. The Session Managers page appears.
Click the Add button to add new session managers details. The Add Session Managers page appears. Table 3-36 lists and describes the fields in the Add Session Managers page.
Table 3-36 Session Manager Properties
Name
Required; must be unique in the Session Managers list.
Description
Optional description of the Session Manager.
Type
Set to local or remote. Local is the traditional session manager that maintains sessions in memory and has good performance. The remote session manager operates on a remote ODBC database, and its performance is highly dependent on the performance of the ODBC database.
SessionKey
SessionKey property is used to set the sessionkey value for the Session Manager.
The SessionManager checks whether the environmental variable Session-Key is set or not. If the environmental variable is set, the server uses it as the sessionkey. If environmental variable Session-Key is not set then SessionManager gets the value configured in the SessionKey property under SessionManager.
SessionKey can be a combination of attributes separated by colon. The values for those attributes are obtained from the RequestDictionary. If any one of the attribute that is configured for the sessionkey is not present in the RequestDictionary, CAR will drop the request.
However, if Session-Key is not set, SessionManager uses NAS-Identifier and NAS-Port to create the sessionkey. An example configuration,
--> set SessionKey "User-Name:NAS-Port"The following shows the sample configuration of sessionkey for Session Manager:
[ //localhost/Radius/SessionManagers/session-mgr-1 ]Name = session-mgr-1Description =IncomingScript =OutgoingScript =AllowAccountingStartToCreateSession = TRUESessionTimeOut =PhantomSessionTimeOut =SessionKey =ResourceManagers/AllowAccountingStartToCreateSession
Set to TRUE by default; start the session when the CAR server receives an Access Accept or an Accounting-Start.
When set to FALSE, start the session when the CAR server receives an Access Accept.
IncomingScript
Optional; name of script to run when the service starts. This script is run as soon as the session is acquired in Cisco AR 4.1.
OutgoingScript
Optional; script to be run just before the session is written to backing store.
SessionTimeOut
The SessionTimeOut property is optional; no value for this property means the session timeout feature is disabled.
Used in conjunction with /Radius/Advanced/SessionPurgeInterval for the session timeout feature. Enables the session timeout feature for a Session Manager. If the SessionTimeOut property is set to a value under a session manager, all sessions that belong to that session manager will be checked for timeouts at each SessionPurgeInterval. If any sessions have timed out, they will be released, and all resources associated with those sessions are also released.
The SessionTimeOut property determines the timeout for a session. If the time difference between the current time and the last update time is greater than this property's value, the session is considered to be stale. The last update time of the session is the time at which the session was created or updated.
The SessionTimeOut value is comprised of a number and a units indicator, as in n units, where a unit is one of minutes, hours, days, or weeks. The default unit is `days'.
PhantomSessionTimeOut
Optional; no value for this property means the phantom session timeout feature is disabled.
The PhantomSessionTimeOut property is used in conjunction with /Radius/Advanced/SessionPurgeInterval to enable the phantom session timeout feature for Session Manager.
If the PhantomSessionTimeOut property is set to a value under a session manager, all sessions that belong to that session manager will be checked for receipt of an Accounting-Start packet. Sessions that do not receive an Accounting-Start packet from creation until its timeout will be released.
The PhantomSessionTimeOut value comprises a number and a units indicator, as in n units, where a unit is one of minutes, hours, days, or weeks. The default unit is `days'
Resource Managers List
Ordered list of Resource Managers. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details.
MemoryLimitForRadiusProcess
This property is used to avoid crashing of the radius process. The default value is 3500 Megabytes. This property is under /radius/advanced. When the radius process uses memory more than the configured limit, further sessions are not created and CAR rejects further incoming requests.
MemorySizeCheckInterval
This property is used to avoid crashing of the radius process. This is used in conjunction with MemoryLimitForRadiusProcess. The default value is 5 minutes. MemorySizeCheckInterval is a hidden parameter in mcd database. To modify the default value, you need to export the mcd database. Typically, a separate thread is created to monitor the radius process memory usage for every 5 minutes.
Click the Add button to save the specified details in the Add Session Managers page. To return to the Session Managers page without saving the details, click the Cancel button. On successful creation of the session manager details, the Session Managers page is displayed else a respective error message is displayed.
Editing Session Manager Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the session manager details, check the appropriate check box and click the Edit button. To modify the session manager details, enter new information in the editable fields and click the Add button. If the modification is successful, CAR returns you to the Session Managers page. If the modification is not successful, CAR displays an error message.
Resource Manager
Resource Managers allow you to allocate dynamic resources to user sessions. The following lists the different types of Resource Managers.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Each Resource Manager is responsible for examining the request and deciding whether to allocate a resource for the user, do nothing, or cause CAR to reject the request.
Use the Resource Manager List page for the following:
•
•
Adding Resource Manager Details
To add new resource manager details, choose Configuration > Resource Manager. The Resource Manager List page appears.
Click the Add button to add new resource manager details. The Add Resource Manager List page appears. Table 3-37 lists and describes the fields in the Add Resource Manager List page.
Click the Submit button to save the specified details in the Add Resource Manager List page. To return to the Resource Manager List page without saving the details, click the Cancel button. On successful creation of the resource manager details, the Resource Manager List page is displayed else a respective error message is displayed.
DYNAMIC-DNS
Table 3-38 lists and describes the fields in the Add Resource Manager List page.
GROUP-SESSION-LIMIT
Table 3-39 lists and describes the fields in the Add Resource Manager List page.
Table 3-39 GROUP-SESSION-LIMIT Properties
Group Session Limit
Set the GroupSessionLimit property to the maximum number of concurrent sessions for all users.
REMOTE-GROUP-SESSION-LIMIT
Table 3-40 lists and describes the fields in the Add Resource Manager List page.
Table 3-40 REMOTE-GROUP-SESSION-LIMIT Properties
Group Session Limit
Set the GroupSessionLimit property to the maximum number of concurrent sessions for all users.
HOME-AGENT
Table 3-41 lists and describes the fields in the Add Resource Manager List page.
Table 3-41 HOME-AGENT Properties
HomeAgentIPAddresses tab
Start
Required; must be an IP address.
End
Required; must be an IP address.
Click the Add button to save the details and list it in Start and End IP list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
HOME-AGENT-IPv6
Table 3-42 lists and describes the fields in the Add Resource Manager List page.
Table 3-42 HOME-AGENT-IPv6 Properties
HomeAgentIPv6Addresses tab
Start
Required; must be an IPv6 address.
End
Required; must be an IPv6 address.
Click the Add button to save the details and list it in Start and End IPv6 list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
IP-DYNAMIC
Table 3-43 lists and describes the fields in the Add Resource Manager List page.
Click the Add button to save the details and list it in Start and End IP list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
REMOTE-IP-DYNAMIC
Table 3-44 lists and describes the fields in the Add Resource Manager List page.
Click the Add button to save the details and list it in Start and End IP list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
IP-PER-NAS-PORT
Table 3-45 lists and describes the fields in the Add Resource Manager List page.
Click the Add button to save the details and list it in Start and End IP list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
IPX-DYNAMIC
Table 3-46 lists and describes the fields in the Add Resource Manager List page.
Table 3-46 IPX-DYNAMIC Properties
Networks tab
Start
Required; must be an IP address.
End
Required; must be an IP address.
Click the Add button to save the details and list it in Start and End IP list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
SESSION-CACHE
Table 3-47 lists and describes the fields in the Add Resource Manager List page.
Click the Add button to save the details and list it in Start and End IP list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
SUBNET-DYNAMIC
Table 3-48 lists and describes the fields in the Add Resource Manager List page.
Click the Add button to save the details and list it in Start and End IP list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
USER-SESSION-LIMIT
Table 3-49 lists and describes the fields in the Add Resource Manager List page.
Table 3-49 USER-SESSION-LIMIT Properties
User Session Limit
Set the user session limit property to the maximum number of concurrent sessions for a particular user
REMOTE-USER-SESSION-LIMIT
Table 3-50 lists and describes the fields in the Add Resource Manager List page.
Table 3-50 REMOTE-USER-SESSION-LIMIT Properties
User Session Limit
Set the user session limit property to the maximum number of concurrent sessions for a particular user
USR-VPN
Table 3-51 lists and describes the fields in the Add Resource Manager List page.
To edit the gateway details, check the appropriate check box and click the Edit button. Enter new information in the editable fields and click the Save button. You can also delete the record using Delete button.
REMOTE-SESSION-CACHE
Table 3-52 lists and describes the fields in the Add Resource Manager List page.
Click the Add button to save the details. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
Note
Editing Resource Manager Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the resource manager details, check the appropriate check box and click the Edit button. To modify the resource manager details, enter new information in the editable fields and click the Submit button. If the modification is successful, CAR returns you to the Resource Manager List page. If the modification is not successful, CAR displays an error message.
Network Resources
Network Resources constitutes the maintenance and management of the details of the clients and remote servers. The clients IP address and shared secret details are maintained under clients, The management of server directory with use of remote server protocols details are maintained in remote server.
This section describes the following:
Clients
All NASs and proxy clients that communicate directly with CAR must have an entry in the Clients list. This is required because NAS and proxy clients share a secret with the RADIUS server which is used to encrypt passwords and to sign responses.
Use the Clients page for the following:
Adding Client Details
To add new Client details, choose Network Resources > Clients. The Clients page appears.
Click the Add button to add new Client details. The Add Clients page appears. Table 3-53 lists and describes the fields in the Add Clients page.
Click the Submit button to save the specified details in the Add Clients page. To return to the Clients page without saving the details, click the Cancel button. On successful creation of the client details, the Clients page is displayed else a respective error message is displayed.
Editing Client Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the Client details, check the appropriate check box and click the Edit button. To modify the Client details, enter new information in the editable fields and click the Save button. If the modification is successful, CAR returns you to the Clients page. If the modification is not successful, CAR displays an error message.
Remote Servers
You can use the RemoteServers object to specify the properties of the remote servers to which Services proxy requests.
CAR 5.0 provides the following RemoteServer protocol types:
•
•
DIAMETER
Use the DIAMETER-RemoteServers page for the following:
Adding DIAMETER Details
To add new DIAMETER details, choose Network Resources > RemoteServers > DIAMETER. The DIAMETER-RemoteServers page appears.
Click the Add button to add new DIAMETER details. The Add DIAMETER-RemoteServers page appears. Table 3-54 lists and describes the fields in the Add DIAMETER-RemoteServers page.
To add peer statements, click the Add button in Peer Definitions tab. Enter the required details and click the Save button.
Click the Add DIAMETER Server button to save the specified details in the Add DIAMETER-RemoteServers page. To return to the DIAMETER-RemoteServers page without saving the details, click the Cancel button. On successful creation of the DIAMETER details, the DIAMETER-RemoteServers page is displayed else a respective error message is displayed.
Editing DIAMETER Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the DIAMETER details, check the appropriate check box and click the Edit button. To modify the DIAMETER details, enter new information in the editable fields and click the Save button. If the modification is successful, CAR returns you to the DIAMETER-RemoteServers page. If the modification is not successful, CAR displays an error message.
LDAP
Specify the ldap service type when you want to use a particular LDAP remote server for authentication and/or authorization.When using LDAP for authentication and a local database for authorization, ensure that the usernames in both locations are identical with regard to case-sensitivity.
Use the LDAP-RemoteServers page for the following:
Adding LDAP Details
To add new LDAP details, choose Network Resources > RemoteServers > LDAP. The LDAP-RemoteServers page appears.
Click the Add button to add new LDAP details. The Add LDAP-RemoteServers page appears. Table 3-55 lists and describes the fields in the Add LDAP-RemoteServers page.
Table 3-55 LDAP Server Properties
LDAP Properties tab
Name
Required; name of the LDAP server
Host Name
Required; the LDAP server's hostname or IP address.
Port
Required; defaults to port 389.
Description
Description of the LDAP server.
Timeout
Required; the default is 15. The timeout property indicates how many seconds the RADIUS server will wait for a response from the LDAP server.
Note
Reactivate Time Interval
Required; the amount of time (in milliseconds) to wait before retrying a remote server that was offline. You must specify a number greater than zero. The default is 300,000 (5 minutes).
MaxReferrals
Required; must be a number equal to or greater than zero. This property indicates how many referrals are allowed when looking up user information. When you set this property to zero, no referrals are allowed.
CAR manages referrals by allowing the RADIUS server's administrator to indicate an LDAP "referral attribute," which might or might not appear in the user information returned from an LDAP query. When this information is returned from a query, CAR assumes it is a referral and initiates another query based on the referral. Referrals can also contain referrals.
Note
Referral Attribute
Required when you have specified a MaxReferrals value. This property specifies which LDAP attribute, returned from an LDAP search, to check for referral information.
Note
Referral Filter
Required when you have specified a MaxReferral value. This is the filter CAR uses when processing referrals. When checking referrals, the information CAR finds in the referral itself is considered to be the search path and this property provides the filter. The syntax is the same as that of the Filter property.
Note
Bind Name
Optional; the distinguished name (dn) to use when establishing a connection between the LDAP and RADIUS servers.
Bind Password
Optional; the password associated with the BindName.
Search Path
Required; the path that indicates where in the LDAP database to start the search for user information.
Limit Outstanding Requests
Required; the default is FALSE. CAR uses this property in conjunction with the MaxOutstandingRequests property to tune the RADIUS server's use of the LDAP server.
When you set this property to TRUE, the number of outstanding requests for this RemoteServer is limited to the value you specified in MaxOutstandingRequests. When the number of requests exceeds this number, CAR queues the remaining requests, and sends them as soon as the number of outstanding requests drops to this number.
User Password Attribute
Required; this specifies which LDAP field the RADIUS server should check for the user's password.
Escape Spl.Character in UserName
FALSE by default
Datasource Connections
Specifies the number of concurrent connections to the LDAP server. The default value is 8.
Use SSL
A boolean field indicating whether you want CAR to use SSL (Secure Socket Layer) when communicating with this RemoteServer. When you set it to TRUE, be sure to specify the CertificateDBPath field in the Advanced section, and be sure the port you specified for this RemoteServer is the SSL port used by the LDAP server.
Filter
Required; this specifies the search filter CAR uses when querying the LDAP server for user information. When you configure this property, use the notation "%s" to indicate where the user ID should be inserted. For example, a typical value for this property is "(uid=%s)," which means that when querying for information about user joe, use the filter uid=joe.
Max Outstanding Requests
Required when you have set the LimitOutstandingRequests to TRUE. The number you specify, which must be greater than zero, determines the maximum number of outstanding requests allowed for this remote server.
Password Encryption Style
The default is None. You can also specify crypt, dynamic, SHA-1, and SSHA-1.
DNSLookup and LDAP RebindInterval
Specifies the timeout period after which the CAR server will attempt to resolve the LDAP hostname to IP address (DNS resolution); 0 by default
Search Scope
Specifies how deep to search within a search path; default is SubTree which indicates a search of the base object and the entire subtree of which the base object distinguished name is the highest object.
Base indicates a search of the base object only.
OneLevel indicates a search of objects immediately subordinate to the base object, but does not include the base object.
Use Binary Password Comparison
A boolean field that enables binary password comparison for authentication. This property when set to TRUE, enables binary password comparison. By default, this property is set to FALSE.
Use Bind Based Authentication
A boolean field that enables bind-based authentication with LDAP server. By default, this property is set to FALSE. When set to FALSE, it uses existing legacy authentication method.
On setting this property to TRUE, the mappings LDAPToRadius, LDAPToEnvironment, and LDAPToCheckItem will not work.
LDAPToRadiusMappings tab
LDAPAttribute
Set the value for the LDAP attribute
RadiusAttribute
A list of name/value pairs in which the name is the name of the ldap attribute to retrieve from the user record, and the value is the name of the RADIUS attribute to set to the value of the ldap attribute retrieved.
For example, when the LDAPToRadiusMappings has the entry: FramedIPAddress = Framed-IP-Address, the RemoteServer retrieves the FramedIPAddress attribute from the ldap user entry for the specified user, uses the value returned, and sets the Response variable Framed-IP-Address to that value.
Click the Add button to save the details and list it in the attribute list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
LDAPToCheckItems Mappings tab
Attribute Type
Select either RADIUS or VENDOR. If Vendor is selected, specify the vendor type from the drop-down list.
LDAPAttribute
Set the value for the LDAP attribute
CheckedItems
A list of LDAP attribute/value pairs which must be present in the RADIUS access request and must match, both name and value, for the check to pass.
For example, when the LDAPToCheckItemMappings has the entry: group = User-Group, the Access Request must contain the attribute group, and it must be set to User-Group.
Click the Add button to save the details and list it in the attribute list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
LDAPToEnvironmentalMappings tab
LDAPAttribute
Set the value for the LDAP attribute
EnvironmentalAttribute
A list of name/value pairs in which the name is the name of the ldap attribute to retrieve from the user record, and the value is the name of the Environment variable to set to the value of the ldap attribute retrieved.
For example, when the LDAPToEnvironmentMappings has the entry: group = User-Group, the RemoteServer retrieves the group attribute from the ldap user entry for the specified user, uses the value returned, and sets the Environment variable User-Group to that value.
Click the Add button to save the details and list it in the attribute list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
Click the Save LDAP Server button to save the specified details in the Add LDAP-RemoteServers page. To return to the LDAP-RemoteServers page without saving the details, click the Cancel button. On successful creation of the LDAP details, the LDAP-RemoteServers page is displayed else a respective error message is displayed.
Editing LDAP Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the LDAP details, check the appropriate check box and click the Edit button. To modify the LDAP details, enter new information in the editable fields and click the Save LDAP Server button. If the modification is successful, CAR returns you to the LDAP-RemoteServers page. If the modification is not successful, CAR displays an error message.
LDAP Accounting
Previous releases of CAR supported accessing user data from an LDAP server, but this feature was limited to performing authentication and authorization (AA). You could only write the accounting records to local file or oracle database or proxy to another RADIUS server. CAR supports writing accounting records into LDAP server enabling integration between billing systems and LDAP.
Use the LDAP Accounting-RemoteServers page for the following:
•
•
Adding LDAP Accounting Details
To add new LDAP accounting details, choose Network Resources > RemoteServers > LDAP Accounting. The LDAP Accounting-RemoteServers page appears.
Click the Add button to add new LDAP accounting details. The Add LDAP Accounting-RemoteServers page appears. Table 3-56 lists and describes the fields in the LDAP Accounting-RemoteServers page.
Table 3-56 LDAP Accounting Server Properties
LDAP Acct Properties tab
Name
Name of the remote server; this property is mandatory, and there is no default.
Description
Optional description of server.
HostName
Required; the LDAP server's hostname or IP address.
Port
Required; the default value is 389. Port the LDAP server is listening on.
Timeout
Mandatory time interval (in seconds) to wait for LADP-write operation to complete; defaults to 15 seconds.
ReactivateTimerInterval
Mandatory time interval (in milliseconds) to activate an inactive server; defaults to 300000 ms.
BindName
Optional; the distinguished name (dn) to use when establishing a connection between the LDAP and RADIUS servers.
EnableKeepAlive
Required; default is FALSE. This is enabled to send a TCP keepalive to keep the idle connection active.
Delimiter
Character used to separate the values of the attributes given in AttributeList property.
LDAPEnvironmentMultiValueDelimiter
Optional; allows you to specify a character that separates multi-valued attribute lists when using ldap-accounting.
BindPassword
Optional; the password associated with the BindName.
DnPath
Required; the path that indicates where in the LDAP database to start the write for user information.
EntryName
Required; this specifies the write entry name Cisco AR uses when insetting the LDAP server for user information. When you configure this property, use the notation "%s" to indicate where the user ID should be inserted. For example, a typical value for this property is "(uid=%s)," which means that when insetting for information about user joe, use the fentry name uid=joe.
LimitOutstandingRequests
Required; the default is FALSE. Cisco AR uses this property in conjunction with the MaxOutstandingRequests property to tune the RADIUS server's use of the LDAP server.
When you set this property to TRUE, the number of outstanding requests for this RemoteServer is limited to the value you specified in MaxOutstandingRequests. When the number of requests exceeds this number, Cisco AR queues the remaining requests, and sends them as soon as the number of outstanding requests drops to this number.
MaxOutstandingRequests
Required when you have set the LimitOutstandingRequests to TRUE. The number you specify, which must be greater than zero, determines the maximum number of outstanding requests allowed for this remote server.
ObjectClass
Required; list of object classes which are all schemas defined in LDAP server. These schemas define required attributes and allowed attributes for an entry which is inserted from CAR.
DNSLookup and LDAPAcct RebindInterval
Specifies the timeout period after which the CAR server will attempt to resolve the LDAP hostname to IP address (DNS resolution).
Escape Spl.Character in UserName
FALSE by default.
AttributeList
List of comma-separated attribute names.
Datasource Connections
Mandatory number of connections to be established; defaults to 8.
UseLocalTimeZone
Optional; the default is FALSE. It determines the timezone of accounting records TimeStamp.
UseSSL
A boolean field indicating whether you want Cisco AR to use SSL (Secure Socket Layer) when communicating with this RemoteServer. When you set it to TRUE, be sure to specify the CertificateDBPath field in the Advanced section, and be sure the port you specified for this RemoteServer is the SSL port used by the LDAP server.
AttributestoWrite tab
LDAPAcctAttribute
Set the LDAP Accounting attribute.
EnvironmentalAttribute
A list of name and value pairs in which the name is the name of the data store attribute to retrieve from the user record, and the value is the name of the RADIUS attribute to set to the value of the data store attribute retrieved. The data store attributes must match those defined in the external SQL file.
Click the Add button to save the details and list it in the Attributes list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
Click the Add LDAP-Accounting Server button to save the specified details in the Add LDAP Accounting-RemoteServers page. To return to the LDAP Accounting-RemoteServers page without saving the details, click the Cancel button. On successful creation of the LDAP accounting details, the LDAP Accounting-RemoteServers page is displayed else a respective error message is displayed.
Editing LDAP Accouting Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the LDAP Accounting details, check the appropriate check box and click the Edit button. To modify the LDAP Accounting details, enter new information in the editable fields and click the Edit LDAP-Accounting Server button. If the modification is successful, CAR returns you to the LDAP Accounting-RemoteServers page. If the modification is not successful, CAR displays an error message.
Domain Authentication
The Domain Authentication service type, domain-auth, is used with a Remote Server of the same type to provide support for authentication against Windows Domain Controller/Active Directory (WDC/AD).
Use the Domain Authentication-RemoteServers page for the following:
•
•
Adding Domain Authentication Details
To add new domain authentication details, choose Network Resources > RemoteServers > Domain Authentication. The Domain Authentication-RemoteServers page appears.
Click the Add button to add new domain authentication details. The Add Domain Authentication-RemoteServers page appears. Table 3-57 lists and describes the fields in the Add Domain Authentication-RemoteServers page.
Table 3-57 Domain Authentication Server Properties
General Properties tab
Name
Required; name of the domain authentication server.
Host Name
Required; hostname or IP address of the remote server.
Port
Required; port used for communication with WDC/AD; defaults to 2004.
Default Domain
Species the default domain for authentication if the user does not include a domain during log in. Otherwise, authentication is performed on the local domain.
Agent Connections
Required; default is 15. Represents the total number of connections CAR can open with the CSRA.
Description
Optional; description of the domain authentication server.
Timeout
Required; defaults to 15.
Reactivate Time Interval
Required; default is 300,000 milliseconds. Specifies the length of time to wait before attempting to reconnect if a thread is not connected to a data source.
Workstation
Optional; if a user has this workstation property set to some value, in Active Directory, then during authentication, AD will check with the CLI workstation value of AR. Only if they match authentication will succeed.
If this workstation value is not set in AD, no comparison with CLI workstation field happens.
Default Usergroup
User group to be used when no mapping is found in the list of maps in the GroupMap property or when there is no hit in the groups listed in GroupMaps. The DefaultUserGroup is used to authorize users that are authenticated by this domain-auth RemoteServer.
GroupMaps tab
AR UserGroup
Select a user group from the drop-down list.
AD UserGroups
A list of groups to which the user belongs in the WDC/AD mapped to an internal group in the CAR server. Entries are of the form:
1. "InternalGroup1 = ExternalGroup1, ExternalGroup2, ..."
2. "InternalGroup2 = ExternalGroup3, ExternalGroup4, ..."
To configure group mappings, use the following syntax:
set 1 "Group1 = ExternalGroup1,ExternalGroup2, ExternalGroup3"
Click the Add button to save the details and list it in the attribute list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
Click the Add Domain-Auth Server button to save the specified details in the Add Domain Authentication-RemoteServers page. To return to the Domain Authentication-RemoteServers page without saving the details, click the Cancel button. On successful creation of the domain authentication details, the Domain Authentication-RemoteServers page is displayed else a respective error message is displayed.
Editing Domain Authentication Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the domain authentication details, check the appropriate check box and click the Edit button. To modify the domain authentication details, enter new information in the editable fields and click the Edit Domain-Auth Server button. If the modification is successful, CAR returns you to the Domain Authentication-RemoteServers page. If the modification is not successful, CAR displays an error message.
ODBC
Specify odbc when you want to use an ODBC service for authentication, authorization and accounting through an ODBC data store. Use an ODBC service to authenticate and authorize an access requests by querying user information through ODBC and to insert accounting records into a data store through ODBC.
Use the ODBC-RemoteServers page for the following:
Adding ODBC Details
To add new ODBC details, choose Network Resources > RemoteServers > ODBC. The ODBC-RemoteServers page appears.
Click the Add button to add new ODBC details. The Add ODBC-RemoteServers page appears. Table 3-58 lists and describes the fields in the Add ODBC-RemoteServers page.
Table 3-58 ODBC Server Properties
Name
Required; name of the ODBC Server.
Datasource Connections
Required; default is 8. This represents the total number of connections CAR can open with the ODBC server; total number of threads CAR can create for the ODBC server.
ODBC Datasource Name
Required; name of the ODBCDataSource to use and must refer to one entry in the list of ODBC datasources configured under /Radius/Advanced/ODBCDataSources.
User Password Attribute
Set the user password.
Description
Description of the ODBC Server
Timeout
Required; the default is 15. The timeout property indicates how many seconds the RADIUS server will wait for a response from the ODBC server.
Note
Reactivate Time Interval
Required; default is 300,000 milliseconds. Length of time to wait before attempting to reconnect if a thread is not connected to a data source.
Keep Alive Timer Interval
Mandatory time interval (in milliseconds) to send a keepalive to keep the idle connection active; defaults to zero (0) meaning the option is disabled
SQL Definitions tab
Name
SQLDefinition properties define the SQL you want to execute.
Description
Description of the SQL
Type
CAR supports only type query.
SQL
SQL query used to add, update or delete a record from a database
Execution SequenceNumber
Sequence number for SQLStatement execution, must be greater than zero (mandatory, no default)
Marker List
Defines all markers for the query. MarkerList uses the format UserName/SQL_DATA_TYPE.
ODBCToRadiusMappings tab
ODBC Attribute
Set the ODBC attribute
RADIUS Attribute
A list of name and value pairs in which the name is the name of the data store attribute to retrieve from the user record, and the value is the name of the RADIUS attribute to set to the value of the data store attribute retrieved. The data store attributes must match those defined in the external SQL file.
Click the Add button to save the details and list it in the Attributes list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
ODBCToCheckItemsMappings tab
Attribute Type
Select either RADIUS or VENDOR. If Vendor is selected, specify the vendor type from the drop-down list.
ODBC Attribute
Set the ODBC attribute
CheckItem
A list of ODBC attribute/value pairs.
Click the Add button to save the details and list it in the Attributes list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
ODBCToEnvironmentalMappings tab
ODBC Attribute
Set the ODBC attribute
Environmental Attribute
A list of name/value pairs in which the name is the name of the data store attribute to retrieve from the user record, and the value is the name of the Environment variable to set to the value of the ODBC attribute retrieved.
Click the Add button to save the details and list it in the Attributes list. To navigate between the listed attributes, use the navigation option available adjacent to the list. See Relocating Records for more details. To delete the available attributes, select the relevant attribute and click the Delete button below.
To add SQL details, click the Add button in SQL Definitions tab. Enter the required details and click the Save button.
Click the Add ODBC Server button to save the specified details in the Add ODBC-RemoteServers page. To return to the ODBC-RemoteServers page without saving the details, click the Cancel button. On successful creation of the ODBC details, the ODBC-RemoteServers page is displayed else a respective error message is displayed.
Editing ODBC Details
To edit SQL details, check the appropriate check box and click the Edit button in SQL Definitions tab. Enter new information in the editable fields and click the Save button.
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the ODBC details, check the appropriate check box and click the Edit button. To modify the ODBC details, enter new information in the editable fields and click the Edit ODBC Server button. If the modification is successful, CAR returns you to the ODBC-RemoteServers page. If the modification is not successful, CAR displays an error message.
ODBC-Accounting
If you use the Oracle Accounting feature, you must configure an ODBC-Accounting RemoteServer object.
Use the ODBC Accounting-RemoteServers page for the following:
•
•
Adding ODBC Accounting Details
To add new ODBC accounting details, choose Network Resources > RemoteServers > ODBC Accounting. The ODBC Accounting-RemoteServers page appears.
Click the Add button to add new ODBC accounting details. The Add ODBC Accounting-RemoteServers page appears. Table 3-59 lists and describes the fields in the Add ODBC Accounting-RemoteServers page.
To add SQL details, click the Add button in SQL Definitions tab. Enter the required details and click the Save button.
Click the Add ODBC-Accounting Server button to save the specified details in the Add ODBC Accounting-RemoteServers page. To return to the ODBC Accounting-RemoteServers page without saving the details, click the Cancel button. On successful creation of the ODBC accounting details, the ODBC Accounting-RemoteServers page is displayed else a respective error message is displayed.
Editing ODBC Accounting Details
To edit SQL details, check the appropriate check box and click the Edit button in SQL Definitions tab. Enter new information in the editable fields and click the Save button.
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the ODBC accounting details, check the appropriate check box and click the Edit button. To modify the ODBC accounting details, enter new information in the editable fields and click the Edit ODBC-Accounting Server button. If the modification is successful, CAR returns you to the ODBC Accounting-RemoteServers page. If the modification is not successful, CAR displays an error message.
Others
This feature of GUI allows you in setting other specifications.
The various types of protocols are:
•
•
•
•
•
•
Use the RemoteServers page allows for the following:
Setting Other Specifications
To add other specifications, choose Network Resources > RemoteServers > Others. The RemoteServers page appears.
Click the Add button to add other specifications. The Add RemoteServers page appears. Table 3-60 lists and describes the fields in the Add RemoteServers page. The fields listed below are the entire list of all the available protocols. The fields are displayed based on the type of protocol selected.
Click the Add button to save the specified details in the Add RemoteServers page. To return to the RemoteServers page without saving the details, click the Cancel button. On successfully adding other specifications, the RemoteServers page is displayed else a respective error message is displayed.
Editing Other Specifications
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the specifications, check the appropriate check box and click the Edit button. To modify the specifications, enter new information in the editable fields and click the Edit button. If the modification is successful, CAR returns you to the RemoteServers page. If the modification is not successful, CAR displays an error message.
Administration
Administration constitutes the maintenance and management of details specific administrator, various statistical data respective to the administrators, backing up and restoring server details and license management of the server.
This section describes the following:
Administrators
CAR provided super-user administrative access in which administrator can perform all tasks including starting and stopping the system and changing the configuration. CAR also provides view-only administrative access. View-only access restricts an administrator to only being able to observe the system and prevents that user from making changes.
Use the Administrators page for the following:
•
Adding Administrator Details
To add new Administrator details, choose Administration > Administrators. The Administrators page appears.
Click the Add button to add new Administrator details. The Add Administrators page appears. Table 3-61 lists and describes the fields in the Add Administrators page.
Click the Submit button to save the specified details in the Add Administrators page. To return to the Administrators page without saving the details, click the Cancel button. On successful creation of the Administrator details, the Administrators page is displayed else a respective error message is displayed.
Editing Administrator Details
To locate a record that has to be edited, use the filter option. See Filtering Records for more details on filtering the records. To edit the Administrator details, check the appropriate check box and click the Edit button. To modify the Administrator details, enter new information in the editable fields and click the Edit button. If the modification is successful, CAR returns you to the Administrators page. If the modification is not successful, CAR displays an error message.
Statistics
This feature provides statistical information on the specified server.
Table 3-62 lists the statistics information and the meaning of the values.
Click the Reset button, to reset all the server statistics.
Backup and Restore
To backup and restore the server details, choose Administration > Backup & Restore. The Backup page is displayed with the list of recently backed up details of the server with the date and time. This option allows you to take a backup of the database, sessions, and scripts, and stores it in /cisco-ar/backup directory. To back up the server details, click the Backup button. The details will be backed up and appended to the backup list. To restore the backed-up details, select the record from the backup list. The details of the selected backup file will be restored successfully.
License Upload
To upload the license file, choose Administration > License Upload. The CAR License - Upload page appears. Click the Browse button, to locate the license file. The file selector dialog box appears. Select the file. To upload the license file, click the Upload button. To clear the text in the field, click the Reset button.
Read-Only GUI
CAR provides a read-only GUI that enables an administrator to observe the system but prevents that administrator from making changes.
When you configure a user to be an administrator, check the View-Only check box to limit the administrator to view-only operation. You can also use the CLI by setting the View-Only property to TRUE under /Administrator/admin_name.
When using the Read-Only GUI, the Configuration, Network Resources and Administration sections are displayed as same as a fully-enabled administrator. The details of these sections are displayed in text format and cannot be edited.
