Product Overview
Cisco® Access Registrar is a carrier-class solution that provides scalable, flexible, intelligent authentication, authorization, and accounting (AAA) services.
Service providers face tremendous challenges in deploying and managing mission-critical access services. These include:
● Efficiently serving an increasingly diverse mix of access technologies (and corresponding authentication protocols), users, and roaming partners
● Rapidly delivering new subscriber services for competitive advantage (for example, a new prepaid service)
● Facilitating different service delivery models such as mobile virtual network operators (MVNOs)/wholesale and roaming
● Efficiently managing resources like IP addresses or session limits
● Keeping up with scalability demands
Adding to this complexity is the fact that many service providers have multivendor, heterogeneous AAA environments and increasingly complex business requirements. Service providers also are under pressure to reduce operating expenses (OpEx) and have to keep up with the need to centralize data stores and adapt billing systems. Operators need a comprehensive access management solution to address these issues.
Cisco Access Registrar provides a RADIUS/Diameter server designed from the ground up for scalability and extensibility for deployment in complex service provider environments including integration with external data stores and systems and multivendor network access servers (NASs). Session and resource management tools track user sessions and allocate dynamic resources to support new subscriber service introductions. The solution supports service provider deployment of access services by centralizing AAA information and simplifying provisioning and management.
Cisco Access Registrar Director provides proxy function and scripting capability for RADIUS. Cisco Access Registrar Director is intended for use in scenarios such as roaming or those in which a customer is going to use the solution to perform an intelligent proxy or load-balance the RADIUS packet based on certain conditions or rules.
Product Architecture
At the core of Cisco Access Registrar (Figure 1) is a policy engine that determines processing based on the contents of the request packet. The policy engine makes the following types of decisions:
● Whether to perform one or more of the following against any incoming packet: authentication, authorization, accounting, proxy
● Which authentication/authorization data store to perform authentication and/or authorization against. Supported options are Lightweight Directory Access Protocol Version 3 (LDAPv3) directories (including Microsoft Active Directory [AD]), Oracle database, MySQL database, and the local embedded database
● What type of authentication to use: built-in authentication mechanisms or a custom-built mechanism. Built-in mechanisms include Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and the following Extensible Authentication Protocol (EAP) authentication methods: EAP-SIM, EAP-AKA, EAP-TLS, EAP-TTLS, EAP-GTC, EAP-MSCHAPV2, LEAP, EAP-FAST, EAP-MD5, PEAPv0, PEAPv1
● Whether accounting against an external database like Oracle or MySQL or a local flat file is required
● Whether a request should be proxied to an external RADIUS/Diameter server
● What type of accounting is required
● Whether user/group session limits apply
● Whether an IP address has to be allocated and, if so, whether to use a static mapping or to allocate one from a preconfigured pool
While the basic operation of the server is determined by configuration, multiple extension points within the server provide optional callouts to custom code. Extension points can be used for several purposes, including influencing the processing of a request or modifying incoming or outgoing packets to meet specialized requirements.
Features and Benefits
● Supports a broad range of wireless and wireline access technologies on a common AAA server platform, delivering operational and capital expense savings while providing flexibility to the service provider regarding choice in AAA.
● Provides extensive subscriber data store support including an internal database and integration with external databases including Oracle, MySQL, Microsoft AD, and OpenLDAP through the use of connectivity mechanisms such as Open Database Connectivity (ODBC), LDAP, Oracle Call Interface (OCI), and Java Database Connectivity (JDBC).
● Provides scalability to support large service deployments. An external session manager allows tens of millions of simultaneous active sessions. Additionally, the multithreaded architecture provides performance that scales with additional CPUs.
● Efficiently manages resource use with real-time session management to track user sessions and dynamically allocate resources like IP addresses and user/group session limits.
● Gives service providers an off-the-shelf, standards-based RADIUS/Diameter server that is highly flexible and extensible. With extension point scripting (EPS), the solution can be customized to meet unique business, regulatory, and technical requirements.
● Provides broad integration support, reducing operational costs and speeding service rollout by supporting integration with provisioning, billing, and other service-management components.
Table 1 lists detailed features and benefits of Cisco Access Registrar.
Table 1. Features and Benefits
Access Technology Support
Feature: Supports a broad range of wireless and wireline access technologies, including dial, wholesale dial, broadband, and mobile wireless (WiMAX, wireless LAN and public WLAN, voice over IP [VoIP], Code Division Multiple Access [CDMA], iDEN, General Packet Radio Service [GPRS], Universal Mobile Telecommunications Service [UMTS], and femtocell).
Benefit: By helping enable standardization on a common AAA server platform, the solution delivers operational and capital expense savings while providing flexibility to the service provider regarding choice in AAA.
Feature: Supports femtocell network rollouts in conjunction with Cisco Broadband Access Center and Cisco Network Registrar. Cisco Access Registrar acts as the RADIUS headend to authenticate and authorize a 3G femtocell.
Benefit: Extends AAA resources to where they may already be deployed. For a mobile operator, femtocells improve both coverage and capacity, especially indoors where access would otherwise be limited or unavailable. Consumers benefit from improved coverage and potentially better voice quality and battery life.
Authentication and Authorization
Feature: High-speed internal embedded user database.
Benefit:
● Provides a rapid starting point for small-scale deployments
● Easy, logical grouping of users
● Easy configuration to return attributes in responses and check attributes ("check items") in requests
● Gives the operator the ability to enable and disable user access
Feature: Able to authenticate/authorize user information stored in an external data store (an LDAP directory such as Microsoft AD or OpenLDAP, or an Oracle or MySQL database), combined with the ability to:
● Store return and check-item attributes
● Add custom logic based on information in the user's record
Benefit: Integration support is data-store schema independent, simplifying deployment and day-to-day operations, providing OpEx savings by using existing infrastructure, and helping to support networks with tens of millions of subscribers.
Feature: Advanced RADIUS/Diameter proxy support for service provider environments
● Includes the ability to add/modify/delete attributes while proxying
Benefit: Facilitates roaming arrangements with other service providers, and load balancing.
Feature: Rich set of authentication protocols, including support for EAP proxy and certificate revocation lists (CRLs):
● PAP, CHAP, MSCHAPv2, LEAP, PEAPv0, PEAPv1
● EAP-MD5, EAP-GTC, EAP-FAST, EAP-TLS, EAP-TTLS, EAP-SIM, EAP-AKA
● EAP Negotiate (run-time selection of EAP service)
● EAP proxy
● Diameter NASREQ
● HTTP Digest Authentication
● LDAP remote server bind-based authentication
● CRL support for EAP services
Benefit: Broad user support, with the ability to extend to other mechanisms such as POP3 through custom services for meeting unique requirements.
Feature: IETF RADIUS tunnel support.
Benefit: Provides support for VPN authentication.
Feature: Automatic and customizable reply-message generation.
Benefit: Helps provide detailed information in case of authentication rejects.
Feature: Flexible AAA processing through the use of logical operators.
Benefit: The logical operators AND, OR, PARALLEL-AND, and PARALLEL-OR provide great flexibility in evaluating AAA processing choices in serial or in parallel. Parallel evaluation is used when a response from any one subsystem is sufficient to trigger a decision; serial evaluation is used when a sequential response from subsystems is required.
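To make the serial/parallel distinction concrete, here is an added example written for this page (it is not Cisco code and not the product's own operator implementation) that combines the verdicts of two constructed stand-in subsystems with AND, OR, PARALLEL-AND and PARALLEL-OR. Only the operator names come from the data sheet; the semantics implemented here, the Backend class, the evaluate function and the sample users are this example's own assumptions.

```python
"""Combining AAA subsystems with serial and parallel logical operators.

Constructed example: the operator names come from the data sheet, the
semantics implemented here are this example's own assumptions.
"""
import threading
import time
from concurrent.futures import ThreadPoolExecutor, as_completed


class Backend:
    """Stand-in for a remote AAA subsystem (LDAP, OTP server, RADIUS proxy, ...).

    `accepts` is the constructed set of users it would authenticate; `latency`
    simulates the round-trip time so parallel evaluation has something to win.
    """

    def __init__(self, name, accepts, latency=0.0):
        self.name = name
        self.accepts = set(accepts)
        self.latency = latency
        self.calls = 0                      # how often this subsystem was consulted
        self._lock = threading.Lock()

    def __call__(self, request):
        with self._lock:
            self.calls += 1
        time.sleep(self.latency)
        return request["user"] in self.accepts


def evaluate(operator, backends, request):
    """Return True (accept) or False (reject) for `request`.

    AND / OR consult the subsystems one after another and stop as soon as the
    outcome is fixed. PARALLEL-AND / PARALLEL-OR consult all of them at once and
    decide as soon as any single answer settles the result.
    """
    if operator == "AND":                   # every subsystem must accept
        return all(backend(request) for backend in backends)
    if operator == "OR":                    # first accepting subsystem wins
        return any(backend(request) for backend in backends)
    if operator in ("PARALLEL-AND", "PARALLEL-OR"):
        decisive = operator == "PARALLEL-OR"   # the answer that ends the wait early
        pool = ThreadPoolExecutor(max_workers=len(backends))
        futures = [pool.submit(backend, request) for backend in backends]
        verdict = not decisive
        for future in as_completed(futures):
            if future.result() == decisive:
                verdict = decisive
                break
        # Slower subsystems can no longer change the verdict: do not wait for them.
        pool.shutdown(wait=False)
        return verdict
    raise ValueError(f"unknown operator {operator!r}")


def demo():
    """Run one user through all four operators against two constructed subsystems."""
    ldap = Backend("ldap", {"alice", "bob"}, latency=0.02)
    otp = Backend("otp", {"alice"}, latency=0.0)
    request = {"user": "bob"}
    return {op: evaluate(op, [ldap, otp], request)
            for op in ("AND", "OR", "PARALLEL-AND", "PARALLEL-OR")}


if __name__ == "__main__":
    for operator, verdict in demo().items():
        print(f"{operator:13s} -> {'ACCEPT' if verdict else 'REJECT'}")
```

The `calls` counter shows the operational difference: with OR the second subsystem is never contacted once the first accepts, while the PARALLEL forms always contact every subsystem and only save wall-clock time, which matters for capacity planning of the backends behind the AAA server.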
Accounting
Feature: Local file
● Able to store accounting records in a single file or in multiple files
● Automatic file rollover based on file age, size, or a specific time
Benefit: The ability to store accounting information on the same server on which the AAA services are running speeds up processing.
Feature: Proxy
● Option to ignore acknowledgements and continue processing
Benefit: Able to speed up decision-making logic when responses (or the lack of them) from certain remote systems can be ignored.
Feature: Database/LDAP
● Able to write accounting records directly to an Oracle or MySQL database or an LDAPv3 directory
● Buffering option for relational database management systems (RDBMSs) for higher throughput and fault tolerance
Benefit: Integration support is schema independent, simplifying deployment and day-to-day operations, providing OpEx savings by using existing infrastructure, and helping to support networks with tens of millions of subscribers.
Feature: Option to have a mix of multiple types of accounting (local file, proxy, database) and multiple destinations within each type.
Benefit: Flexibility and customer choice.
Platform Support
Feature: Supported operating systems for Cisco Access Registrar 5.1:
● Oracle Solaris 10
● Red Hat Enterprise Linux (RHEL) 5.3/5.4/5.5
Supported operating systems for Cisco Access Registrar Jumpstart:
● CentOS 5.4, VMware ESXi 4.1
Benefit: Broad operating system support for customer choice.
Feature: Support for virtualization technologies: Oracle VM Server for SPARC and VMware ESXi 4.1.
Benefit: Lower total cost of ownership (TCO), ease of deployment, and greater flexibility in migration and backup.
Various Technology Support
Feature: IPv6 support:
● Processes RADIUS/Diameter requests from IPv6 RADIUS/Diameter clients and servers
● Able to proxy requests to and receive responses from a remote IPv6 RADIUS/Diameter server
Benefit: Provides support for IPv6 networks and dual-stack IPv4/IPv6 networks.
Feature: Provides the following Diameter facilities:
● Supports authentication and authorization of Diameter packets against a local database or an external database through interfaces such as LDAP and ODBC
● Performs session management and resource management
● Supports writing Diameter accounting packets to a local file or proxying them to another AAA server
● Supports adding, modifying, or deleting attribute-value pairs (AVPs) in Diameter packets through extension point scripting
● Supports open-ended Diameter applications
Feature: Complies with the WiMAX Network Working Group (NWG) stage 3 document version 1.3.1.
Benefit: Meets the various WiMAX NWG requirements for WiMAX networks.
Feature: Support for PWLAN/hotspot markets and wireless data offload; Wx interface support for Home Subscriber Server (HSS) lookup. Cisco Access Registrar supports Subscriber Identity Module (SIM) and Universal SIM (USIM) authentication for data access against the newer-generation subscriber database (HSS) through the Diameter Wx interface. This adds to the existing authentication support against the Home Location Register (HLR) and external databases including Oracle, MySQL, OpenLDAP, and AD.
Benefit: Helps enable service providers to effectively provide public WLAN and wireless data offload functionality.
Proxy, Database, and LDAP Configuration
Feature: Remote server support:
● Operator is able to define a list of remote systems to be used in failover or round-robin mode
● Operator is able to define the individual characteristics of each remote system, for example, ports, timeouts, retries, or reactivate timers
● Sophisticated algorithms detect the status of remote systems
Benefit: Provides the option to perform authentication, authorization, and accounting against a wide variety of remote systems, with adequate options for load balancing and for handling failure scenarios.
Feature: Outage policies: when no remote systems are available, Accept All, Reject All, and Drop Packet outage policies are available.
Benefit: Helps enable AAA processing to occur based on preconfigured policies even when remote systems are not available.
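The remote-server and outage-policy rows above describe failover or round-robin selection, per-server retries and reactivate timers, and the three outage policies. The following is an added example that models those behaviours; it is not Cisco's remote-server logic or configuration syntax. The RemoteServer and RemotePool classes, the transport callable, the timing values and the sample servers are assumptions made for illustration; only the mode names, the setting names and the outage policy names come from the data sheet.

```python
"""Failover / round-robin selection of remote AAA systems with outage policies.

Constructed example. The modes (failover, round-robin), per-server settings
(retries, reactivate timer) and the outage policy names come from the data
sheet; the selection logic is this example's own simplified model.
"""
import time

# Verdict applied when no remote system answers at all.
OUTAGE_VERDICT = {"Accept All": "ACCEPT", "Reject All": "REJECT", "Drop Packet": None}


class RemoteServer:
    """One configured remote system plus its health state."""

    def __init__(self, name, transport, retries=1, reactivate_after=30.0):
        self.name = name
        self.transport = transport          # callable(request) -> "ACCEPT" | "REJECT" | None on timeout
        self.retries = retries
        self.reactivate_after = reactivate_after
        self.down_until = None              # None while the server counts as active
        self.attempts = 0                   # packets actually sent to this server

    def is_active(self, now):
        if self.down_until is not None and now >= self.down_until:
            self.down_until = None          # reactivate timer expired: give it another chance
        return self.down_until is None

    def query(self, request, now):
        """Send with retries; mark the server down when every attempt times out."""
        for _ in range(self.retries + 1):
            self.attempts += 1
            reply = self.transport(request)
            if reply is not None:
                return reply
        self.down_until = now + self.reactivate_after
        return None


class RemotePool:
    """Chooses which remote systems to try and applies the outage policy."""

    def __init__(self, servers, mode="failover", outage_policy="Reject All", clock=time.monotonic):
        if mode not in ("failover", "round-robin"):
            raise ValueError(f"unknown mode {mode!r}")
        if outage_policy not in OUTAGE_VERDICT:
            raise ValueError(f"unknown outage policy {outage_policy!r}")
        self.servers = list(servers)
        self.mode = mode
        self.outage_policy = outage_policy
        self.clock = clock                  # injectable so the reactivate timer can be tested
        self._next = 0

    def _candidates(self, now):
        active = [s for s in self.servers if s.is_active(now)]
        if self.mode == "round-robin" and active:
            start = self._next % len(active)
            self._next += 1
            active = active[start:] + active[:start]   # rotate the starting point
        return active                                  # failover: configured order

    def forward(self, request):
        """Return "ACCEPT"/"REJECT" from a remote system, or the outage verdict."""
        now = self.clock()
        for server in self._candidates(now):
            reply = server.query(request, now)
            if reply is not None:
                return reply
        # Nobody answered (or nobody was active): fall back to the configured policy.
        return OUTAGE_VERDICT[self.outage_policy]


def demo():
    """Primary times out, secondary answers; the primary is skipped until its timer expires."""
    clock = [0.0]
    primary = RemoteServer("primary", lambda r: None, retries=1, reactivate_after=30.0)
    secondary = RemoteServer("secondary", lambda r: "ACCEPT")
    pool = RemotePool([primary, secondary], clock=lambda: clock[0])
    first = pool.forward({"user": "alice"})     # primary tried twice, then marked down
    second = pool.forward({"user": "alice"})    # primary skipped while down
    clock[0] = 31.0
    third = pool.forward({"user": "alice"})     # timer expired: primary probed again
    return first, second, third, primary.attempts


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is the outage policy: "Accept All" keeps subscribers online during a backend outage at the cost of admitting anyone, "Reject All" fails closed, and "Drop Packet" lets the NAS time out and retry elsewhere. Which one is right is a risk decision per service, and the choice should be logged and monitored so that a prolonged "Accept All" period is visible to operations.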
Rule and Policy Engine for Decision Making
Feature:
● Able to process requests using different types of data stores; for example, LDAP for some access requests and the internal database for others
● Able to process requests using a variety of options; for example, store an accounting request to a local file and proxy it to a number of remote RADIUS/Diameter servers, in series or in parallel, waiting for acknowledgement from some and not from others
● Able to split authentication and authorization by selecting one method for authentication and another for authorization (a One-Time Password [OTP] server and an Oracle database, for example)
● Able to decide how to process a packet based on attributes in the request packet, such as source or destination IP address or User Datagram Protocol (UDP) port, or based on Cisco Access Registrar's environment variable settings such as reauthentication service, reauthorization service, and reaccounting service
● Easy request processing options based on a variety of attributes/values such as DNS domain, username prefix, dialed number, calling number, NAS, and others, using the predefined policies in the Cisco Access Registrar policy engine
Benefit: Provides a variety of predefined rules and policies for meeting the most usual requirements in service provider environments. Provides the ability to extend the default logic with custom policies written in C, C++, Tool Command Language (Tcl), or Java.
Session Management and Resource Allocation
Feature: Built-in feature to track user sessions.
Feature: Dynamic resource allocation, including:
● Session limits
● IP addresses
Benefit: Supports:
● Enforcement of session limits per user and per group
● Allocation of critical resources such as IP addresses and home agents
Feature: Option to store active session information in an external database such as Oracle.
Benefit: Helps enable scaling up to tens of millions of sessions per server.
Feature: In an environment with multiple Cisco Access Registrar servers, the operator may designate one Cisco Access Registrar to manage all sessions.
Benefit: Helps avoid bypass of session limits and allocates IP addresses and other resources centrally.
Feature: Session query capabilities:
● Real-time query of the session table using the command-line interface (CLI), XML over UDP, or RADIUS
● Able to query cached attributes through the session query
● Able to query and release sessions based on session age, username, NAS, and other criteria
Benefit: Allows external/business applications to query Access Registrar for information on users who are logged in and the resources (such as IP address) they have been allocated. This can then be used for making other business decisions such as providing personalized services, reduced sign-on, and enhanced video delivery.
Feature: Session release capabilities:
● Manual release of sessions and resources
● Automatic session release when an accounting stop is lost (inactivity timeout)
● Able to release sessions and generate a Packet of Disconnect (PoD)
● Automatic session release when accounting on/off is detected (system accounting)
Benefit: Helps manage session state information across the network, automatically or through administrative intervention.
Feature: Session information is not lost even if Cisco Access Registrar or the system is restarted.
Benefit: Avoids information loss during server restarts that could otherwise wreck user/group session limit enforcement or allocation of IP addresses.
Feature: Session tracking for accounting-only servers: able to count the number of user sessions.
Benefit: Session management can be done for servers through which only accounting messages pass. This can be used in cases such as username to IP address resolution or International Mobile Subscriber Identity (IMSI) to IP address resolution, where only accounting traffic is forwarded through Cisco Access Registrar.
Feature: Able to send Change of Authorization (CoA) requests.
Benefit: Helps in changing the service levels of logged-in users on the fly. For example, a user on a 1 MB plan could be bumped up to 2 MB without having to log off.
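The session-management rows above describe per-user and per-group session limits, address allocation from a pool, release when an accounting stop is lost or a NAS reports accounting on/off, manual release with a Packet of Disconnect, and session-table queries. The following is an added example modelling those behaviours in Python; it is not Cisco's session manager, and the SessionManager class, its method names, the PoD field set, the address pool and the sample users are assumptions made for illustration.

```python
"""Session tracking with per-user/per-group limits, an address pool and release paths.

Constructed example: the limits, pool allocation, inactivity timeout,
accounting on/off release and PoD generation are the capabilities the data
sheet lists; the bookkeeping below is this example's own simplified model.
"""
import time
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    user: str
    group: str
    nas: str
    ip: str
    last_seen: float


class SessionManager:
    def __init__(self, ip_pool, user_limit=1, group_limits=None,
                 inactivity_timeout=3600.0, clock=time.monotonic):
        self.free_ips = list(ip_pool)       # constructed pool of assignable addresses
        self.user_limit = user_limit
        self.group_limits = dict(group_limits or {})
        self.inactivity_timeout = inactivity_timeout
        self.clock = clock                  # injectable so timeouts can be tested
        self.sessions = {}                  # session_id -> Session

    def _count(self, predicate):
        return sum(1 for s in self.sessions.values() if predicate(s))

    def start(self, session_id, user, group, nas):
        """Admit a new session: enforce limits, then allocate an address from the pool."""
        if self._count(lambda s: s.user == user) >= self.user_limit:
            return ("REJECT", "user session limit")
        limit = self.group_limits.get(group)
        if limit is not None and self._count(lambda s: s.group == group) >= limit:
            return ("REJECT", "group session limit")
        if not self.free_ips:
            return ("REJECT", "address pool exhausted")
        ip = self.free_ips.pop(0)
        self.sessions[session_id] = Session(session_id, user, group, nas, ip, self.clock())
        return ("ACCEPT", ip)

    def update(self, session_id):
        """Interim accounting update: the session is alive, refresh its timestamp."""
        self.sessions[session_id].last_seen = self.clock()

    def stop(self, session_id):
        """Accounting stop or manual release: free the session and return its address."""
        session = self.sessions.pop(session_id)
        self.free_ips.append(session.ip)
        return session

    def expire_inactive(self):
        """Release sessions whose accounting stop was lost (no update within the timeout)."""
        now = self.clock()
        stale = [sid for sid, s in self.sessions.items()
                 if now - s.last_seen > self.inactivity_timeout]
        for sid in stale:
            self.stop(sid)
        return stale

    def nas_restart(self, nas):
        """Accounting-On/Off from a NAS: every session it hosted is gone, release them all."""
        gone = [sid for sid, s in self.sessions.items() if s.nas == nas]
        for sid in gone:
            self.stop(sid)
        return gone

    def disconnect(self, session_id):
        """Manual release that also yields the Packet of Disconnect to send to the NAS."""
        session = self.stop(session_id)
        return {"nas": session.nas, "User-Name": session.user,
                "Acct-Session-Id": session.session_id, "Framed-IP-Address": session.ip}

    def query(self, **criteria):
        """Session-table lookup, e.g. query(user="alice") or query(nas="nas1")."""
        return [s for s in self.sessions.values()
                if all(getattr(s, k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    sm = SessionManager(["10.0.0.2", "10.0.0.3"], user_limit=1, group_limits={"gold": 1})
    print(sm.start("s1", "alice", "gold", "nas1"))   # ('ACCEPT', '10.0.0.2')
    print(sm.start("s2", "alice", "gold", "nas1"))   # ('REJECT', 'user session limit')
    print(sm.disconnect("s1"))                       # PoD fields for nas1
```

The two automatic release paths are what keep the limits honest: without the inactivity timeout a single lost Accounting-Stop would leave a user permanently at their session limit and an address permanently allocated, and without the accounting on/off handling a rebooted NAS would leave every session it hosted as a ghost in the table.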
Scalability
Feature: An external session manager allows tens of millions of simultaneous active sessions by storing the active session records on an external database server (Oracle 10g and 11i) instead of in the internal memory of Cisco Access Registrar.
Benefit: Supports large service deployments with a single instance of Cisco Access Registrar.
Feature: Multithreaded architecture provides performance that scales with additional CPUs.
Benefit: Supports large service deployments with a single instance of Cisco Access Registrar and allows the solution to grow with the business.
Customization/Extensibility
Feature: Able to add custom logic to the request processing flow using Tcl, C or C++, or Java through extension point scripting:
● Access request and response packets
● Modify processing decisions in real time
● Target specific requests with multiple callout points
● Add, delete, or modify AVPs
EPS allows users to interact with request processing and communicate with Cisco Access Registrar at numerous API points.
Benefit: Helps enable meeting unique business, regulatory, and technical requirements.
Feature: Able to create custom processing methods.
Benefit: Helps to meet new/unique business requirements. For example, custom code can be written and integrated to support authentication mechanisms, such as POP3, that are not built into Cisco Access Registrar.
Feature: Extensible attribute dictionary:
● Populated with the latest attribute definitions, including third-party vendor-specific attributes
● Easy addition of new attributes (add/modify/delete)
● Variable-length vendor type in vendor-specific attributes
Benefit: Easy interoperability with third-party devices.
Resilience
Feature:
● Automatic configuration replication to other Cisco Access Registrar servers
● Specify lists of alternate remote systems for each processing method
● Specify multiple methods to process a request
● Automatic server restart
Benefit: Provides multiple levels of redundancy, including server redundancy, remote-system redundancy, and processing-method redundancy.
Feature: Veritas and Sun clustering for high availability.
Benefit: Minimizes application downtime.
Troubleshooting and Monitoring
Feature: Multilevel debugging output.
Benefit: Helps troubleshoot and isolate incidents faster. Allows control of error and debug output.
Feature: Statistics:
● Real-time query of statistics
● Reset statistics without restarting Cisco Access Registrar
Benefit: Statistics are provided for a variety of events occurring within the server, such as the number of packets processed, number of packets dropped, number of packets proxied to a remote server, responses received, and so on. These help in analyzing usage patterns, troubleshooting issues, and more.
Feature: Able to query the status of all Cisco Access Registrar processes and utilities.
Benefit: Simple utilities that show the status of all Cisco Access Registrar-related processes help in troubleshooting.
Feature: Logging:
● Log files for each Cisco Access Registrar process
● Audit log of all configuration changes
● Able to direct logs to a syslog server
Benefit: Multiple logs for the various components and logging levels help manage and isolate incidents more quickly. Audit trails can be maintained through the configuration change logs.
Feature: SNMP:
● RADIUS Simple Network Management Protocol (SNMP) support
● SNMP traps generated for critical events
Benefit: Allows for easy monitoring from network management systems.
Feature: Utility to generate RADIUS AAA requests: Radclient.
Benefit: Helps to simulate network deployment scenarios in a lab through:
● Creation of individual packets of various types: access requests, accounting requests, and more
● Simulating stress/performance testing scenarios to exhibit server behavior and for tuning the system
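The Radclient row above describes generating RADIUS requests for lab testing. As an added example of what such a generator has to do on the wire (this is not Radclient and not Cisco code), the block below builds an Access-Request as laid out in RFC 2865, hides the User-Password with the shared secret as that RFC specifies, and parses the packet back the way a server would, recovering the password. The shared secret, NAS address and credentials are constructed values, and the function names are this example's own.

```python
"""Minimal RADIUS Access-Request encoder/decoder for lab traffic generation.

Constructed example in the spirit of a request-generation utility; it is not
Radclient and not Cisco code. Packet layout and the User-Password hiding
follow RFC 2865; the shared secret, NAS address and credentials are made up.
"""
import hashlib
import ipaddress
import secrets
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block                      # chaining: the next key depends on the previous hidden block
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password (chains on the hidden blocks, not the plaintext)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ k for h, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, username, password, nas_ip, authenticator=None):
    """Assemble Code | Identifier | Length | Request Authenticator | Attributes."""
    authenticator = authenticator if authenticator is not None else secrets.token_bytes(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes) -> dict:
    """Decode the header and walk the attribute list, validating lengths as a server would."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "identifier": identifier, "authenticator": data[4:20], "attributes": attrs}


def demo(secret=b"constructed-shared-secret"):
    """Client builds the request, server parses it and recovers the password."""
    packet = build_access_request(7, secret, "alice", "correct horse", "192.0.2.10")
    parsed = parse_packet(packet)
    values = dict(parsed["attributes"])
    password = recover_password(values[USER_PASSWORD], secret, parsed["authenticator"])
    return parsed["code"], len(packet), values[USER_NAME], password


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner takes from the code: the attribute-length checks in parse_packet are exactly where a server must be strict, because a malformed Length field is the classic way a RADIUS parser is driven off the end of its buffer; and the password hiding is keyed only by the shared secret and the 16-byte authenticator, which is why per-client secrets should be long and random and why RADIUS between the NAS and the server is normally confined to a management network or an IPsec tunnel. EAP-based methods and the Message-Authenticator attribute (RFC 2869) are outside this minimal encoder.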
Configuration
Feature:
● Powerful command-line configuration utility with interactive/noninteractive full and view-only modes
● Dynamic configuration feature allows configuration changes to take effect without a server restart
● Command and value recall, inline editing, automatic command completion, and a context-sensitive list of options
● Revamped web-based interface for configuring most of the objects in Cisco Access Registrar
● Wildcard definitions for grouping RADIUS clients
Benefit: Noninteractive modes allow for configuration automation and OSS integration. The powerful CLI allows easy interactive operation, saving operators time and helping to avoid errors.
Broad Systems Integration Capabilities
Feature: Support for integration with provisioning, billing, and other service-management components.
Benefit: Reduces operational costs and speeds service rollout.
Feature: Prepaid billing interface allows billing vendors to integrate their systems with Cisco Access Registrar for prepaid functionality.
Benefit: Service providers may offer prepaid data or usage-based premium services while reusing their existing billing system and protecting their investments.
Management
Feature:
● Replication of the internal databases allows multiple servers to be similarly configured
● Supports SNMP and syslog for network management
Benefit: Centralized management and ease of use.
System Requirements
Table 2 lists system requirements for Cisco Access Registrar 5.1.
Table 2. Server System Requirements
Demo Server Requirements
Ordering Information
To place an order, visit the Cisco Ordering Home Page. See Table 3 for a list of Cisco Access Registrar product numbers and upgrade product numbers. To download software, visit the Cisco Software Center.
Table 3. Ordering Information
Cisco Access Registrar Product Numbers
Product Number | Description
AR-5.1-BASE-K9 | Access Registrar Base license for Solaris/Linux; support for RADIUS; required for each Access Registrar Base Server; supports 100 transactions per second
AR-5.1-BASE-NG-K9 | Access Registrar Next-Generation Base license for Solaris/Linux; required for each Access Registrar Next-Generation Base Server; support for RADIUS, Diameter, and IPv6; supports 100 transactions per second
AR-5.1-DIR-BASE-K9 | Access Registrar Director Base license; load balancing and intelligent AAA proxy support; includes RADIUS support; required for each Access Registrar Director Base Server; supports 2000 transactions per second
AR-5.1-SECOND-K9 | Access Registrar Secondary license; required for each standby server or session management server
L-AR-5.1-100TPS= | eDelivery Access Registrar Additional License per server; supports 100 transactions per second
L-AR-5.1-200TPS= | eDelivery Access Registrar Additional License per server; supports 200 transactions per second
L-AR-5.1-500TPS= | eDelivery Access Registrar Additional License per server; supports 500 transactions per second
L-AR-5.1-1000TPS= | eDelivery Access Registrar Additional License per server; supports 1000 transactions per second
L-AR-5.1-2000TPS= | eDelivery Access Registrar Additional License per server; supports 2000 transactions per second
L-AR-5.1-3000TPS= | eDelivery Access Registrar Additional License per server; supports 3000 transactions per second
L-AR-5.1-5000TPS= | eDelivery Access Registrar Additional License per server; supports 5000 transactions per second
Cisco Access Registrar Upgrade Product Numbers
Product Number | Description
AR-5.1-UPG-K9 | Access Registrar Upgrade Base license for Solaris/Linux; support for RADIUS; required for each Access Registrar Base Server; supports 100 transactions per second
AR-5.1-UPG-NG-K9 | Access Registrar Upgrade Next-Generation Base license for Solaris/Linux; required for each Access Registrar Next-Generation Base Server; support for RADIUS, Diameter, and IPv6; supports 100 transactions per second
AR-5.1-UPG-DIR-K9 | Access Registrar Upgrade Director Base license; load balancing and intelligent AAA proxy support; includes RADIUS support; required for each Access Registrar Director Base Server; supports 2000 transactions per second
AR-5.1-UPSECOND-K9 | Access Registrar Upgrade Secondary license; required for each standby server or session management server
L-AR-5.1-UP100TPS= | eDelivery Access Registrar Upgrade Additional License per server; supports 100 transactions per second
L-AR-5.1-UP200TPS= | eDelivery Access Registrar Upgrade Additional License per server; supports 200 transactions per second
L-AR-5.1-UP500TPS= | eDelivery Access Registrar Upgrade Additional License per server; supports 500 transactions per second
L-AR-5.1-UP1KTPS= | eDelivery Access Registrar Upgrade Additional License per server; supports 1000 transactions per second
L-AR-5.1-UP2KTPS= | eDelivery Access Registrar Upgrade Additional License per server; supports 2000 transactions per second
L-AR-5.1-UP3KTPS= | eDelivery Access Registrar Upgrade Additional License per server; supports 3000 transactions per second
L-AR-5.1-UP5KTPS= | eDelivery Access Registrar Upgrade Additional License per server; supports 5000 transactions per second
Cisco Services
Cisco offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare the network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, see Cisco Technical Support Services or Cisco Advanced Services.
For More Information
For more information about Cisco Access Registrar, visit http://www.cisco.com/go/car/, contact your local account representative, or send an email to ar-tme@cisco.com for presales/business queries or cs-ar@cisco.com for technical queries.