Configuring a Basic Site
The simplest RADIUS or Diameter server configuration is a site that uses a single user list for all its users, writes its accounting information to a file, and does not use session management to allocate dynamic resources.
To configure such a site, do the following:
1. Run the aregcmd command on your Prime Access Registrar machine.
2. Configure the Prime Access Registrar server settings, such as the server name and the server defaults. For example, with RADIUS object.
3. Add users by copying the sample users.
4. Configure the Network Access Server (NAS) clients and proxies that communicate with Prime Access Registrar.
5. Change profile attributes as needed.
6. Save your changes and reload your Prime Access Registrar RADIUS server.
This topic contains the following sections:
aregcmd is the command-line interface program used to configure the Prime Access Registrar server. The aregcmd program is located in $INSTALL/bin.
Step 1 Run the aregcmd command:
Step 2 When asked for “Cluster,” press Enter.
Step 3 Enter your administrator name and password.
When you install Prime Access Registrar software, the installation process creates a default administrator called admin with the password aicuser.
Prime Access Registrar allows you to perform the following:
Changing the Administrator’s Password
The administrator ID admin and password aicuser are default settings for all releases of Prime Access Registrar software. For security purposes, you should change the password for admin at your earliest convenience.
To change the administrator’s password:
Step 1 Use the cd command to change to the Administrators level. Prime Access Registrar displays the contents of the Administrators object.
Step 2 Use the cd command to change to admin :
[ //localhost/Administrators ]
Entries 1 to 1 from 1 total entries
Step 3 Use the set command to change the administrator’s password. You enter the password on the command line in readable form, however, Prime Access Registrar displays it as encrypted.
The following example changes the password to
345. You are asked to reenter it for confirmation.
set Password 345
Optionally, use the set command to change the description of the admin administrator.
set Description local
Step 4 Use the ls command to display the changed admin.
Creating Additional Administrators
Use the add command to add additional administrators.
Step 1 Use the cd command to change to the Administrators level:
Step 2 Use the add command and specify the name of the administrator, an optional description, and a password.
The following example adds the administrator
jane , description
testadmin, and password
add jane testadmin 123
Step 3 Use the ls command to display the properties of the new administrator:
Configuring Prime Access Registrar Server Settings
The top level of the Prime Access Registrar RADIUS server is the RADIUS object itself. It specifies the name of the server and other parameters. In configuring this site, you only need to change a few of these properties.
DefaultAuthenticationService~ = local-users
DefaultAuthorizationService~ = local-users
DefaultAccountingService~ = local-file
DefaultSessionManager~ = mgr-rad
Note For session managers, user groups, user lists, and profiles, the attributes defined must match the protocol of the incoming packet. For example, if the incoming packet is a Diameter packet, the attributes defined must be specific to Diameter or common to both RADIUS and Diameter. Similarly, if the incoming packet is a RADIUS packet, the attributes defined must be specific to RADIUS or common to both RADIUS and Diameter. Otherwise, the incoming packet will not be processed.
This topic contains the following sections:
Checking the System-Level Defaults
Because this site does not use incoming or outgoing scripts, you do not need to change the scripts’ properties (IncomingScript and OutgoingScript).
Since the default authentication and authorization properties specify a single user list, you can leave these unchanged as well (DefaultAuthenticationService and DefaultAuthorizationService). And because you have decided to use a file for accounting information, you can leave this property unchanged (DefaultAccountingService).
Session management, however, is on by default (DefaultSessionManager). If you do not want to use session management, you must disable it. Use the set command, enter DefaultSessionManager, then specify an empty string by entering a set of double quotes:
set DefaultSessionManager ""
Note When you do not want Prime Access Registrar to monitor resources for user sessions, you should disable session management because using it affects your server performance.
You have now configured some of the properties for the RADIUS server. The next step is to add users.
Checking the Server’s Health
To check the server’s health, use the aregcmd command status. The following issues decrement the server’s health:
- Rejection of an Access-Request
Note One of the parameters in the calculation of the Prime Access Registrar server’s health is the percentage of responses to Access-Accepts that are rejections. In a healthy environment, the rejection percentage will be fairly low. An extremely high percentage of rejections could be an indication of a Denial of Service attack.
- Configuration errors
- Running out of memory
- Errors reading from the network
- Dropping packets that cannot be read (because the server ran out of memory)
- Errors writing to the network.
Prime Access Registrar logs all of these conditions. Sending a successful response to any packet increments the server’s health.
Selecting Ports to Use
By default, Prime Access Registrar uses well-known Solaris ports 1645 and 1646 and Linux ports 1812 and 1813 for TCP/IP communications. Prime Access Registrar can be configured to use other ports, if necessary. You can add them to the list of ports to use.
To configure Prime Access Registrar to use ports other than the default ports, complete the following steps:
Step 1 Change directory to /Radius/Advanced/Ports.
[ //localhost/Radius/Advanced/Ports ]
<no ports specified, will be using the well-known ports, 1645, 1646>
Step 2 Use the add command (twice) to add ports in pairs. (The ls is entered to show the results of the add command.)
[ //localhost/Radius/Advanced/Ports ]
Entries 1 to 2 from 2 total entries
Current filter: <all>
Note After modifying Access Registrar’s default ports setting, to continue using ports 1645 and 1646, you must add them to the list of ports in /Radius/Advanced/Ports.
Step 3 Enter the save and reload commands to affect, validate, and save your modifications to the Prime Access Registrar server configuration.
Reloading Server 'Radius'...
Server 'Radius' is Running, its health is 10 out of 10
Displaying the UserLists
The first subobject in a RADIUS or Diameter hierarchy that you can configure is the Userlists. The UserLists object contains all of the individual UserLists, which in turn contain the specific users.
When Prime Access Registrar receives an Access-Request, it directs it to an authentication and/or authorization Service. If the Service has its type set to local, the Service looks up the user’s entry in the specific UserList, and authenticates and/or authorizes the user.
Prime Access Registrar, by default, specifies a Service called local-users that has the type local and uses the Default UserList (Figure 5-1).
Figure 5-1 Choosing Appropriate Services
This topic contains the following sections:
Displaying the Default UserList
Step 1 Use the cd command to change to UserLists/Default :
Step 2 Use the ls -R command to display the properties of the three users:
Prime Access Registrar displays the three sample users:
bob who is configured as a PPP user
jane who is configured as a Telnet user
joe who is configured as either a PPP or Telnet user depending on how he logs in.
Adding Users to UserLists
Use the aregcmd command add to create a user under a UserList.
To add a user:
Step 1 Use the add command to specify the name of a user and an optional description on one command line.
Step 2 Change directory to jane.
[ //localhost/Radius/UserLists/Default/jane ]
Name = jane
Password = <encrypted>
Enabled = TRUE
Group~ = Telnet-users
AllowNullPassword = FALSE
Step 3 Use the set command to provide a password for user jane.
set password jane
Set Password <encrypted>
Note When using the aregcmd command, you can use the add command and specify all of the properties, or you can use the add command to create the object, and then use the set command and property name to set the property. For an example of using the set command, see the “Adding a NAS” section.
To delete the sample users, or if you want to remove a user you have added, use the delete command.
From the appropriate UserList, use the delete command, and specify the name of the user you want to delete. For example, to delete user
beth from the Default UserList, enter:
The UserGroups object contains the specific UserGroups. Specific UserGroups allow you to maintain common authentication and authorization attributes in one location, and then have users reference them. By having a central location for attributes, you can make modifications in one place instead of having to make individual changes throughout your user community.
Prime Access Registrar has three default UserGroups:
- Default —uses the script AuthorizeService to determine the type of service to provide the user.
- PPP-users— uses the BaseProfile default-PPP-users to specify the attributes of PPP service to provide the user. The BaseProfile default-PPP-users contains the attributes that are added to the response dictionary as part of the authorization. For more information about Profiles, see the “Configuring Profiles” section.
- Telnet-users— uses the BaseProfile default-Telnet-users to specify the attributes of Telnet service to provide the user. The BaseProfile default-Telnet-users contains the attributes that are added to the response dictionary as part of the authorization.
For this basic site, you do not need to change these UserGroups. You can, however, use the add or delete commands to add or delete groups.
The Clients object contains all NAS and proxies that communicate directly with Prime Access Registrar. Each client must have an entry in the Clients list, because each NAS and proxy share a secret with the RADIUS server, which is used to encrypt passwords and to sign responses. See Adding a NAS, for more information on adding a NAS in Prime Access Registrar.
Note If you are just testing Prime Access Registrar with the radclient command, the only client you need is localhost. The localhost client is available in the sample configuration. For more information about using the radclient command, see the “Using radclient” section.
Adding a NAS
You must add your specific NAS from both ends of the connection. That is, you must add Prime Access Registrar for your NAS, and you must add your NAS for Prime Access Registrar.
To add a NAS in Prime Access Registrar:
Step 1 Use the cd command to change to the Clients level:
Step 2 Use the add command to add the NAS:
Step 3 Use the cd command to change directory to the QuickExampleNAS directory:
Step 4 Use the set command to specify the description
WestOffice, the IP address
188.8.131.52, the shared secret of
xyz, and the Type as
set Description WestOffice
set IPAddress 184.108.40.206
set SharedSecret xyz
set Type NAS
set Vendor USR
set IncomingScript ParseServiceHints
The script, ParseServiceHints, checks the username for %PPP or %SLIP. It uses these tags to modify the request so it appears to the RADIUS server that the NAS requested that service.
Note When you are using a different NAS than the one in the example, or when you are adding NAS proprietary attributes, see the Cisco Prime Access Registrar User Guide for more information about configuring Client and Vendor objects.
Configure your NAS, using your vendor’s documentation. Make sure both your NAS and the Client specification have the same shared secret.
The Profiles object allows you to set specific RFC-defined attributes that Prime Access Registrar returns in the Access-Accept response. You can use profiles to group attributes that belong together, such as attributes that are appropriate for a particular class of PPP or Telnet user. You can reference profiles by name from either the UserGroup or the user properties. The sample users, mentioned earlier in this chapter, reference the following Prime Access Registrar profiles:
- default-PPP-users —specifies the appropriate attributes for PPP service
- default-SLIP-users —specifies the appropriate attributes for SLIP service
- default-Telnet-users — specifies the appropriate attributes for Telnet service.
This topic contains the following sections:
Setting RADIUS / Diameter Attributes
When you want to set an attribute to a profile, use the following command syntax:
set <attribute> <value>
This syntax assigns a new value to the named attribute. The following example sets the attribute Service-Type to Framed:
Step 1 Use the cd command to change to the appropriate profile and attribute.
Step 2 Use the set command to assign a value to the named attribute.
set Service-Type Framed
When you need to set an attribute to a value that includes a space, you must double-quote the value, as in the following:
set Framed-Routing "192.168.1.0/24 192.168.1.1"
Adding Multiple Cisco AV Pairs
When you want to add multiple values to the same attribute in a profile, use the following command syntax:
set <attribute> <value1> < value2> < value3>
The AV pairs cannot be added one at a time or each subsequent command will overwrite the previous value. For example, consider the following command entry:
set Cisco-AVpair "vpdn:12tp-tunnel-password=XYZ" "vpdn:tunnel-type=12tp" "vpdn:tunnel-id=telemar" "vpdn:ip-addresses=220.127.116.11"
Cisco-Avpair = vpdn:12tp-tunnel-password=XYZ
Cisco-Avpair = vpdn:tunnel-type=12tp
Cisco-Avpair = vpdn:tunnel-id=telemar
Cisco-Avpair = vpdn:ip-addresses=18.104.22.168
Note The example above is for explanation only; not all attributes and properties are listed.
Validating and Using Your Changes
After you have finished configuring your Prime Access Registrar server, you must save your changes. Saving your changes causes Prime Access Registrar to validate your changes and, if there were no errors, commit them to the configuration database.
Using the save command, however, does not automatically update your server. To update your server you must use the reload command. The reload command stops your server if it is running, and then restarts the server, which causes Prime Access Registrar to reread the configuration database.
You must save and reload your configuration changes in order for them to take effect in the Prime Access Registrar server. For more information, see Saving and Reloading.
Saving and Reloading
From anywhere in the radius object hierarchy, enter the save and reload commands.
Step 1 Use the save command to save your changes:
Step 2 Use the reload command to reload your server.
Testing Your Configuration
Now that you have configured some users and a NAS, you are ready to test your configuration. There are two ways you can test your site:
1. You can act as a user and dial in to your NAS, and check that you can successfully log in.
2. You can run the radclient command, and specify one of the default users when making a request. For more information, see Using radclient.
You can use the radclient command simple to create and send a packet. The following example creates an Access-Request packet for user
john with password
john, and the packet identifier
p001. It displays the packet before sending it. It uses the send command to send the packet, which displays the response packet object identifier,
p002. Then, the example shows how to display the contents of the response packet.
Step 1 Run the radclient command.
. /radclient -s
Step 2 The radclient command prompts you for the administrator’s username and password (as defined in the Prime Access Registrar configuration). Use admin for the admin name, and aicuser for the password.
Cisco Prime Access Registrar 22.214.171.124 RADIUS Test Client
Copyright (C) 1995-2013 by Cisco Systems, Inc. All rights reserved.
Logging in to localhost... done.
Step 3 Create a simple Access-Request packet for User-Name
john and User-Password
john. At the prompt, enter:
simple john john
The radclient command displays the ID of the packet
Step 4 Enter the packet identifier:
Packet: code = Access-Request, id = 0, length = 0, attributes =
NAS-Identifier = localhost
Step 5 Send the request to the default host (localhost), enter:
Step 6 Enter the response identifier to display the contents of the Access-Accept packet:
Packet: code = Access-Accept, id = 1,\
length = 38, attributes =
Login-IP-Host = 126.96.36.199
Login-Service = Telnet
Login-TCP-Port = 541
Troubleshooting Your Configuration
If you are unable to receive an Access-Accept packet from the Prime Access Registrar server, you can use the aregcmd command trace to troubleshoot your problem.
The trace command allows you to set the trace level on your server, which governs how much information the server logs about the contents of each packet. You can set the trace levels from zero to four. The system default is zero, which means that no information is logged. For more information, see Setting the Trace Level.
Setting the Trace Level
Step 1 Run the aregcmd command.
Step 2 Use the trace command to set the trace level to 1-5.
Step 3 Try dialing in again.
Step 4 Use the UNIX tail command to view the end of the name_radius_1_trace log.
host% tail -f /opt/CSCOar/logs/name_radius_1_trace
Step 5 Read through the log to see where the request failed.
Configuring Dynamic DNS
Prime Access Registrar supports the Dynamic DNS protocol providing the ability to update DNS servers. The dynamic DNS updates contain the hostname/IP Address mapping for sessions managed by Prime Access Registrar.
You enable dynamic DNS updates by creating and configuring new Resource Managers and new RemoteServers, both of type dynamic-dns. The dynamic-dns Resource Managers specify which zones to use for the forward and reverse zones and which Remote Servers to use for those zones. The dynamic-dns Remote Servers specify how to access the DNS Servers.
Before you configure Prime Access Registrar you need to gather information about your DNS environment. For a given Resource Manager you must decide which forward zone you will be updating for sessions the resource manager will manage. Given that forward zone, you must determine the IP address of the primary DNS server for that zone. If the dynamic DNS updates will be protected with TSIG keys, you must find out the name and the base64 encoded value of the secret for the TSIG key. If the resource manager should also update the reverse zone (IP address to host mapping) for sessions, you will also need to determine the same information about the primary DNS server for the reverse zone (IP address and TSIG key).
If using TSIG keys, use aregcmd to create and configure the keys. You should set the key in the Remote Server or the Resource Manager, but not both. Set the key on the Remote Server if you want to use the same key for all of the zones accessed through that Remote Server. Otherwise, set the key on the Resource Manager. That key will be used only for the zone specified in the Resource Manager.
Note For proper function of Prime Access Registrar GUI, the DNS name resolution for the server’s hostname should be defined precisely.
To configure Dynamic DNS:
Step 1 Launch aregcmd.
Step 2 Create the dynamic-dns TSIG Keys:
This example named the TSIG Key, foo.com, which is related to the name of the example DNS server we use. You should choose a name for TSIG keys that reflects the DDNS client-server pair (for example, foo.bar if the client is foo and the server is bar), but you should use the name of the TSIG Key as defined in the DNS server.
Step 3 Configure the TSIG Key:
set Secret <base64-encoded string>
The Secret should be set to the same base64-encoded string as defined in the DNS server. If there is a second TSIG Key for the primary server of the reverse zone, follow these steps to add it, too.
Step 4 Use aregcmd to create and configure one or more dynamic-dns Remote Servers.
Step 5 Create the dynamic-dns remote server for the forward zone:
This example named the remote server ddns which is the related to the remote server type. You can use any valid name for your remote server.
Step 6 Configure the dynamic-dns remote server:
set Protocol dynamic-dns
set IPAddress 10.10.10.1 (ip address of primary dns server for zone)
set ForwardZoneTSIGKey foo.com
set ReverseZoneTSIGKey foo.com
If the reverse zone will be updated and if the primary server for the reverse zone is different than the primary server for the forward zone, you will need to add another Remote Server. Follow the previous two steps to do so. Note that the IP Address and the TSIG Key will be different.
You can now use aregcmd to create and configure a resource manager of type dynamic-dns.
Step 7 Create the dynamic-dns resource manager:
This example named the service ddns which is the related to the resource manager type but you can use any valid name for your resource manager.
Step 8 Configure the dynamic-dns resource manager.
set Type dynamic-dns
set ForwardZone foo.com
set ForwardZoneServer DDNS
Finally, reference the new resource manager from a session manager. Assuming that the example configuration was installed, the following step will accomplish this. If you have a different session manager defined you can add it there if that is appropriate.
Step 9 Reference the resource manager from a session manager:
set 5 DDNS
Note The Property AllowAccountingStartToCreateSession must be set to TRUE for dynamic DNS to work.
Step 10 Save the changes you have made.
Testing Dynamic DNS with radclient
After the Resource Manager has been defined it must be referenced from the appropriate Session Manager. You can use radclient to confirm that dynamic DNS has been properly configured and is operational.
To test Dynamic DNS using radclient :
Step 1 Launch aregcmd and log into the Prime Access Registrar server.
Step 2 Use the trace command to set the trace to level 4.
Step 3 Launch radclient.
Step 4 Create an Accounting-Start packet.
acct_request Start username
set p [ acct_request Start bob ]
Step 5 Add a Framed-IP-Address attribute to the Accounting-Start packet.
Step 6 Send the Accounting-Start packet.
Step 7 Check the aregcmd trace log and the DNS server to verify that the host entry was updated in both the forward and reverse zones.
High Availability in Prime Access Registrar
High Availability (HA) can be designed over a Prime Access Registrar network at two levels, based on the transactions per second (TPS) and whether Prime Access Registrar is used in a stateless or state-full manner.
- Stateless architecture—Prime Access Registrar is used for AAA functionality only. Prime Access Registrar does not maintain session information, IP allocation, concurrent session blocking, and so on. In this case, we can have multiple servers in active mode (with or without replication) with redundancy configured at the NAS level or can use a RADIUS Load Balancer (RLB) to load balance the AAA traffic.
- State-full architecture—Prime Access Registrar is used with session management to maintain session query, IP address allocation, concurrent session blocking, and so on. In this case, we can have two servers clustered for each node in active and standby mode by Sun cluster solution or VERITAS Cluster solution.
Single-tier architecture or a two-tier Architecture is recommended based on the number of TPS to maintain the session information and also to accommodate further expansion.
Stateless Architecture: Active-Standby
This architecture has two Prime Access Registrar servers, one in active state and the other in standby state. Redundancy is configured at the NAS level by configuring AR-1 as primary server and AR-2 as secondary server.
Stateless Architecture: Active-Active:
This architecture has two Prime Access Registrar servers in active-active state to perform AAA functionality and also act as a proxy. An RLB is placed in front of the NAS to perform the RADIUS traffic load balancing.
State-full Mode: Single-Tier Architecture
Prime Access Registrar servers are deployed in a cluster solution in active-standby mode to perform: AA lookup, accounting write-up to an external DB, proxy, session management (maintain session table), resource (IP Address) allocation, and so on.
When the active Prime Access Registrar server goes down, the cluster agent will trigger the standby Prime Access Registrar server to act upon as an active Prime Access Registrar server by reading all the information from the common disk store/location.
State-full Mode: Two-Tier Architecture
This architecture comprises:
- Front-end Prime Access Registrar servers in active-active mode to share the AAA load for AA lookup and accounting write-up to an external DB
- Back-end servers (cluster solution) in active-standby mode to perform session management (maintain session table), resource (IP Address) allocation, and so on
Redundancy in State-full Mode
There is redundancy of all the critical components in this Prime Access Registrar architecture. The Prime Access Registrar servers serving a particular region use the replication feature to maintain identical configurations. If one of the Prime Access Registrar servers fails, the other server can handle the AAA traffic. The servers are in active-standby mode using Sun cluster or VERITAS clustering solution and share a common disk. In the event of any failure to the active server, the stand-by server in the cluster comes online loading the configuration and session information from the shared disk.
Note For information on clustering solutions for RHEL and Solaris, refer to the respective websites or contact ar-tme(mailer list) <email@example.com>.
Installing Prime Access Registrar in Cluster Nodes
To install Prime Access Registrar in cluster nodes:
Step 1 Ensure that the following details are available in /etc/hosts directory in the primary and secondary
- IP address and hostname of primary node
- IP address and hostname of secondary node
- Common shared IP address used in cluster with shared name
Step 2 Install Prime Access Registrar in both AR-1 and AR-2 nodes.
Step 3 Stop Prime Access Registrar service.
Step 4 Remove the respective directories (certs conf data odbc pki scripts temp ucd-snmp) from AR-1 and AR-2 nodes.
Step 5 Create a softlink in the removed directories (certs conf data odbc pki scripts temp ucd-snmp) using the following command in AR-1 and AR-2 nodes:
ln –s /opt/CSCOar/certs certs
Step 6 Mount the shared location using mount command in AR-1 and AR-2. All the folders (certs conf data odbc pki scripts temp ucd-snmp) are available now.
Step 7 Start Prime Access Registrar on the primary node and make sure cman, ricci, and rgmanager services run.
Step 8 Create a soft link in the /etc/init.d directory using the following command:
ln –s /etc/init.d/arcluster arcluster