-
null
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter provides information about using Cisco Access Registrar for wireless support. The following topics are included in this chapter:
•Mobile Node-Home Agent Shared Key
•Session Correlation Based on User-Defined Attributes
•Managing Multiple Accounting Start/Stop Messages
•New 3GPP2 VSAs in the CAR Dictionary
In a mobile wireless environment, a Home Agent (HA) can request a Mobile Node-Home Agent (MN-HA) shared key from the home Cisco AR RADIUS server during a mobile IP registration request (RRQ) from a Packet Data Serving Node (PDSN). Cisco AR supports distribution of the shared key in this environment. Cisco AR encrypts the shared key using MD5 encryption before sending the key back to the HA in an Access-Accept packet.
When an HA receives an RRQ from a PDSN, the HA authenticates the RRQ using a MN-HA shared key. If the HA does not have the MN-HA shared key, it retrieves the MN-HA shared key from the Cisco AR server by sending an Access-Request packet containing the 3GPP2 VSA CDMA-MN-HA-SPI (SPI attribute). Cisco AR then sends the CDMA-MN-HA-Shared-Key corresponding to the user if the user has been successfully authenticated.
When HA receives an RRQ from a PDSN, it authenticates the RRQ by using a MN-HA shared key. If the HA does not have the MN-HA shared key, it retrieves the MN-HA shared key from the Cisco AR server by sending an Access-Request packet containing the 3GPP2 vendor-specific attribute (VSA) CDMA-MN-HA-SPI, the Security Parameter Index (SPI attribute).
The Cisco AR server then sends the CDMA-MN-HA-Shared-Key corresponding to the user if the user has successfully authenticated subject to the following rules:
1. If there is an incoming SPI and no configured SPI, the Cisco AR server authenticates the user as usual and does not include a configured shared-key (if there is one) in the reply.
2. If the incoming SPI does not match the configured SPI, the Cisco AR server authenticates the user as usual, but does not include the configured shared-key (if there is one) in the reply.
3. If the incoming SPI matches the configured SPI, but there is no shared-key configured, the Cisco AR server proceeds with normal authentication. Since there is no shared-key, it will not be included in the reply.
4. If the incoming SPI matches the configured SPI and a configured shared-key exists, the Cisco AR server proceeds to encrypt the MCD5 shared-key and include it in the Access-Accept.
The key to including the shared key in an Access-Accept is in matching the values of the SPI attribute.
To configure a user with the CDMA-MN-HA-SPI VSA to request a MN-HA shared key, complete the following steps:
Step 1 Log in to the Cisco AR server and launch aregcmd.
Log in as a user with administrative rights such as user admin.
Step 2 Change directory to the attribute directory of the user.
cd /Radius/UserLists/Default/bob/Attributes
Step 3 Set the CDMA-MN-HA-SPI VSA to the appropriate shared-key value.
set CDMA-MN-HA-SPI 1234
set CDMA-MN-HA-SPI 1234
Step 4 Set the CDMA-MN-HA-SPI VSA to the appropriate shared-key value.
set CDMA-MN-HA-Shared-Key secret123
set CDMA-MN-HA-Shared-Key secret123
Step 5 Validate and save your changes.
validate
save
The Cisco AR server supports 3GPP2 home agents. This support enables mobile IP clients that authenticate through a Cisco AR RADIUS server to be told which home agent they should use.
Every Mobile IP client has a home domain that is served by a group of Home Agents (HA). The Mobile IP client sets up a tunnel to one (and only one) HA during a session while it roams. Typically, the domain can be determined by the Mobile IP client's network access identifier (NAI).
Note The NAI is the userID submitted by the client during PPP authentication. In roaming, the purpose of the NAI is to identify the user as well as to assist in the routing of the authentication request.
During the authentication and authorization phase for each Mobile IP client, the RADIUS server must decide which HA from a group of HAs should be chosen to serve the client. This is called dynamic HA assignment.
Cisco AR 1.7 and above supports dynamic HA assignment with a new resource manager type called home-agent. You configure the home-agent resource manager with a list of IP addresses. The CAR server assigns those addresses to clients whose request dictionary has the right attributes to indicate that an assignment should be done. This is similar to the ip-dynamic resource manager.
Unlike the ip-dynamic resource manager, HAs are not exclusively allocated to an individual session but are shared among a set of sessions.
The goal of dynamic HA assignment is to have load balancing among HAs. The Cisco AR server achieves this by evenly distributing mobile clients among HAs. At the same time, the CAR server ensures that the same HA is always assigned to the same Mobile IP client for the same session.
Use the aregcmd command add to create a new resource manager.
Step 1 Use the cd command to change to the Radius /ResourceManagers level.
--> cd /Radius/ResourceManagers
[ //localhost/Radius/ResourceManagers ]
Entries 0 to 0 from 0 total entries
Current filter: <all>
Step 2 Use the add command to specify the name of a resource manager to create.
--> add home-agent-pool
--> Added home-agent-pool
Step 3 Use the cd command to change to the Radius /ResourceManagers/home-agent-pool level.
--> cd home-agent-pool
[ //localhost/Radius/ResourceManagers/home-agent-pool ]
Name = home-agent-pool
Description =
Type =
Step 4 Use the set command to set the resource manager type to home-agent.
--> set type home-agent
Step 5 Use the ls command to view the subdirectories under home-agent-pool.
--> ls
[ //localhost/Radius/ResourceManagers/home-agent-pool ]
Name = home-agent-pool
Description =
Type = home-agent
Home-Agent-IPAddresses/
Step 6 Use the cd command to change to the Radius/ResourceManagers/home-agent-pool/Home-Agent-IPAddresses level.
--> cd Home-Agent-IPAddresses
[ //localhost/Radius/ResourceManagers/home-agent-pool/Home-Agent-IPAddresses ]
Step 7 Use the add command to add a single IP address or a range of IP addresses.
--> add 209.165.200.200-209.165.200.254
--> Added 209.165.200.200-209.165.200.254
The aregcmd program has been modified to support a new filter for query-session and release-session. You can use this filter to restrict a request (either query or release) to just the sessions with a given home-agent IP address. For example, consider the following command line.
--> query-session /radius with-home-agent 10.10.10.1
This command line will return all sessions that have a home-agent resource equal to the IP address 10.10.10.1.
Querying sessions using aregcmd displays the home-agent resource in each session as:
HA ddd.ddd.ddd.ddd
where each ddd is a decimal number from 0-255.
When the home-agent resource manager receives an Access-Request that contains a CDMA-HA-IP-Addr attribute, the home-agent resource manager checks the response dictionary to see if it already has a CDMA-HA-IP-Addr attribute. If it does, then the Mobile IP client has been assigned a HA address already and the resource manager does not need to do anything.
If the value of the CDMA-HA-IP-Addr attribute in the request dictionary is 0.0.0.0, the home-agent resource manager assigns a HA and puts a new CDMA-HA-IP-Addr attribute whose value is the IP address of the HA in the response dictionary.
If the value of the CDMA-HA-IP-Addr attribute is not 0.0.0.0, the Mobile IP client has been assigned a HA address already. The home-agent resource manager copies the attribute (with its value) from the request dictionary into the response dictionary.
The CAR server might select the session manager based on the domain (using the rule engine, dynamic properties, or scripting), and it allows each session manager to have its own home-agent resource manager.
Cisco AR 4.1 supports 3GPP2 vendor-specfic attributes (VSAs) in the vendor-specific dictionary in /Radius/Advanced/Attribute Dictionary.
Note There is no planned support for the Accounting-Container (3GPP2/6) attribute because it has different syntax than other vendor-specfic attributes (VSAs) and requires special processing.
All the session objects are maintained in one dictionary keyed by a string.
You can define the keying material to the session dictionary through a newly introduced environment variable, Session-Key. If the Session-Key is presented at the time of session manager process, it will be used as the key to the session object for this session. The Session-Key is of type string. By default, the Session-Key is not set. It's value should come from attributes in the incoming packet and is typically set by scripts. For example, CLID can be used to set the value of Session-Key.
Use the script UseCLIDAsSessionKey as defined in the script rexscript.c to specify that the Calling-Station-Id attribute that should be used as the session key to correlate requests for the same session. This is a typical case for 3G mobile user session correlation. You can provide your own script to define other attributes as the session key.
In the absence of the Session-Key variable, the key to the session will be created based on the string concatenated by the value of the NAS and the NAS-Port.
There is a new option with-key available in aregcmd for query-sessions and release-sessions to access sessions by Session-Key.
Since the PDSN is aware when it sends a RADIUS stop followed by a start record, it inserts the new Session Continue attribute (3GPP2/48) into the stop record. The existence of the Session Continue attribute denotes that a start record will immediately be sent and the packet data session continues on the PDSN.
When CAR 1.7 receives an accounting stop packet, the following two conditions trigger a release of a session and its resources.
•There is no 3GPP2/48 Session Continue attribute in the stop packet and the number of accounting stops received is greater or equal to the starts received for this session
•The 3GPP2/48 Session Continue attribute is present in the stop packet, but its value is zero (0)
Note One of the conditions above must be true to release the session and its resources.
CAR 1.7 defines a new CAR environment variable, Allow-NULL-Password. At authentication time, if the following three conditions are met, user authentication is bypassed.
1. Allow-NULL-Password environment variable is set to TRUE.
2. The User-Password or CHAP-Password must be NULL in the incoming request. (If it is not NULL, normal password checking will occur.)
3. A user record exists for this user.
By default, the Allow-NULL-Password environment variable is not set.
Note You should be aware of the security impact when using the NULL Password feature.
You can set this environment variable three different ways:
1. For the user in local database, one new field AllowNullPassword is added in the user record. When Cisco AR fetches a user record for authentication, if this field is set to TRUE and Allow-NULL-Password environment variable does not exist, it sets Allow-NULL-Password environment variable to TRUE.
2. If the user record is in LDAP database, then the LDAPToEnvironmentMappings must be defined to map an attribute in LDAP user record to Allow-NULL-Password environment variable.
3. Through scripting which allows the decision to be made based on run-time conditions, such as attributes in the access-request or policies.