Cisco Prime Access Registrar (Prime Access Registrar) is a high performance, carrier class, 3GPP-compliant, 64-bit RADIUS/Diameter solution that provides scalable, flexible, intelligent authentication, authorization, and accounting (AAA) services.
Prime Access Registrar comprises a RADIUS/Diameter server designed from the ground up for performance, scalability, and extensibility for deployment in complex service provider environments including integration with external data stores and systems. Session and resource management tools track user sessions and allocate dynamic resources to support new subscriber service introductions.
Note Prime Access Registrar can be used with Red Hat Enterprise Linux (RHEL) 7.7 or CentOS 6.5 and above operating system. Prime Access Registrar has no special OS dependencies; therefore there are no restrictions from upgrading to newer releases of RHEL or CentOS.
This release note contains the following sections:
This section describes the system requirements to install and use the Prime Access Registrar software.
Table 1 lists the system requirements for Prime Access Registrar 8.0.4.x.
Table 1 Minimum Hardware and Software Requirements for Prime Access Registrar Server
CentOS 6.5 and above
Note Prime Access Registrar has no special OS dependencies; therefore there are no restrictions from upgrading to newer releases of RHEL or CentOS.
Intel Xeon CPU 2.30 GHz
Prime Access Registrar supports JDK versions 1.7 and 1.8.
Note These are the minimum system requirements to have Prime Access Registrar up and running. This may vary based on the deployments. Please contact your BU team to know the specific system requirements for your deployment.
Co-Existence With Other Network Management Applications
To achieve optimal performance, Prime Access Registrar should be the only application running on a given server. In certain cases, when you choose to run collaborative applications such as a SNMP agent, you must configure Prime Access Registrar to avoid UDP port conflicts. The most common conflicts occur when other applications also use ports 2785 and 2786. For more information on SNMP configuration, see the “Configuring SNMP” section in the “Configuring Cisco Prime Access Registrar” chapter of the Cisco Prime Access Registrar 8.0 Administrator Guide.
Enhanced Features in Cisco Prime Access Registrar 22.214.171.124
Cisco Prime Access Registrar 126.96.36.199 provides the following enhancements:
SNMP Trap Support for Throttling Active and Inactive States
A new parameter ThrottlingMonitorFrequencyInSecs is introduced under RADIUS/Advanced/Diameter/TransportManagement/ to support this feature. Prime Access Registrar monitors whether traffic is throttled every second over the configured interval. If throttling occurs for at least half of the configured seconds, a throttling trap is sent from Prime Access Registrar. E.g. if the configured value is 60 seconds, and throttling occurs for at least 30 seconds during the configured duration of 60 seconds, then throttling trap is sent from Prime Access Registrar. When no throttling occurs during the entire interval, a throttling reset trap is sent.
By default, ThrottlingMonitorFrequencyInSecs is set to zero (0), which indicates that throttling trap functionality is disabled and throttling traps should not flow even if throttling conditions are met. Minimum non-zero value that can be configured is 20.
carThrottlingTrap—Indicates that throttling has kicked in and has lasted for half of the time as per the configured value.
carThrottlingResetTrap—Indicates that throttling has settled down and Prime Access Registrar has recovered.
Logging Worker Queue Size
Reporting of All Workers Temporarily Busy warning has been added to the System Stats Log under the parameter Peak Worker Thread Queue / sec, and is only reported if the condition has occurred during the last statistics interval.
Support for Preemptive Recovery
The Preemptive recovery enhancement addresses the automatic recovery of Prime Access Registrar when it enters into a presumed unrecoverable state. Following are the conditions when Prime Access Registrar can enter into a presumed unrecoverable state:
The number of incoming DER EAP-AKA Challenge (DER2) being processed by Prime Access Registrar is less than 10% of the successful DER EAP-AKA responses being sent for the initial Identity request (DEA1).
The DER EAP-AKA responses being sent exceed a certain configured limit (default 5000 over a period of 2 minutes) for the condition to be triggered to account for low traffic conditions.
Following are the parameters introduced to support this feature:
EnablePreeemptiveRecovery—If set to TRUE, indicates that preemptive recovery feature is enabled for Prime Access Registrar. By default, this parameter is disabled.
MinDEA1Threshold—Indicates the minimum number of DEA EAP Multi-Round Auth (DEA1) responses sent over the past 120 seconds, that will kick off the preemptive recovery condition check. This parameter is available only if EnablePreeemptiveRecovery is set to TRUE. Default value is 5000.
When the EnablePreeemptiveRecovery parameter is enabled and the presumed unrecoverable state is detected, Prime Access Registrar sends a PreemptiveRecovery Trap and restarts the RADIUS process. This trap indicates that preemptive recovery has been initiated because the number of DER EAP-AKA Challenge (DER2) received by Prime Access Registrar is less than 10% of the successful DER EAP-AKA responses being sent for the initial Identity request (DEA1).
Support for Duplicate Authentication Request Detection
With this enhancement, Prime Access Registrar can detect duplicate authentication requests based on UE session ID. If any diameter request packet has a Session ID same as that of a packet that is already being processed, the new request is silently dropped/ignored from processing.
A new parameter EnableDuplicateSessionIdDetection is introduced under /Radius/Advanced/ to support this functionality. By default, this parameter is enabled.
This enhancement is primarily provided so that the server does not respond with a 3004 (Diameter Too Busy) status for a request that is already in progress; instead drop the duplicate request packet silently.
[ //localhost/Radius/Advanced ]
LogServerActivity = FALSE
TLSv1Enabled = TRUE
MaximumNumberOfRadiusPackets = 8192
UDPPacketSize = 4096
SocketWaitTime = 3
NumberOfRemoteUDPServerSockets = 4
NumberOfRadiusIdentifiersPerSocket = 256
PerPacketHeapSize = 6500
RequireNASsBehindProxyBeInClientList = FALSE
AAAFileServiceSyncInterval = 75
SessionBackingStoreSyncInterval = 100
BackingStoreDiscThreshold = "5 Gigabyte"
SessionBackingStorePruneInterval = "2 Hours"
PacketBackingStorePruneInterval = "6 Hours"
RemoteLDAPServerThreadTimerInterval = 10
RemoteSigtranServerThreadTimerInterval = 10
InitialBackgroundTimerSleepTime = 5
MinimumSocketBufferSize = 65536
LogFileSize = "1 Gigabyte"
LogFileCount = 20
TraceFileSize = "1 Gigabyte"
TraceFileCount = 2
MemoryLimitForRadiusProcess = "10000 Megabyte"
UseAdvancedDuplicateDetection = FALSE
AdvancedDuplicateDetectionMemoryInterval = 10000
InitialSessionBufferSize = 0
DetectOutOfOrderAccountingPackets = FALSE
DefaultReturnedSubnetSizeIfNoMatch = BIGGER
MaximumODBCResultSize = 256
ARIsCaseInsensitive = TRUE
PacketBackingStoreSyncInterval = 75
ListenForDynamicAuthorizationRequests = truE
MaximumNumberOfXMLPackets = 1024
XMLUDPPacketSize = 4096
RollingEncryptionKeyChangePeriod = "1 week"
SessionPurgeInterval = "6 Hours"
EapBadMessagePolicy = SilentDiscard
StaleSessionTimeout = "1 Hour"
MaximumOutstandingRequests = 0
MaximumIncomingRequestRate = 0
HideSharedSecretAndPrivateKeys = falSE
ServerStatusSharedSecret = Hardlyasecret
EnableLocationCapability = FALSE
LogTPSActivity = TRUE
TPSLogFileCount = 15
TPSLogFilenamePrefix = tps
TPSSamplingPeriodInSecs = 5
LogSessionActivity = TRUE
EnableLengthFlag = FALSE
SessionLogFileCount = 15
SessionLogFilenamePrefix = sm
SessionSamplingPeriodInSecs = 30
FlushDiskInBackground = TRUE
SendOpCodeInISDResponse = FALSE
EnableRoutingContextInM3UA = FALSE
EnableStickySessionCount = TRUE
ServerMonitorAltApproach = FALSE
EnableSIGTRANStackLogs = TRUE
SIGTRANStackLogFileSize = "100 Megabyte"
SIGTRANLogFileCount = 10
StickySessionCountInterval = 60000
StickySessionSyncInterval = 500
ReserveRADIUSPacketPool = 0
DiameterStaleSessionPurgeTime = 00:00:00
UISessionTimeoutInMins = 0
DiameterStaleConnectionDeletionTimeOut = 300000
DiameterSessionRestorationPurgeTime = 01:30:00
DisplayUserForFailedLogin = TRUE
EnableDuplicateSessionIdDetection = TRUE
Enhanced Features in Cisco Prime Access Registrar 8.0.4
Cisco Prime Access Registrar 8.0.4 provides the following enhancement:
Configuring Unique TAG number for Vendor-Specific Sub Attributes
With this enhancement, Prime Access Registrar allows you to configure a unique tag number for each of the multiple vendor-specific sub-attributes available for a user profile. This enhancement is applicable for multi-tag valued vendor-specific attributes with type as TAG_STRING and TAG_INT.
Fixed Anomalies in Cisco Prime Access Registrar 188.8.131.52
Table 3 lists the anomalies fixed in Prime Access Registrar 184.108.40.206 release.
Table 2 Fixed Anomalies in Prime Access Registrar 220.127.116.11
Upgrade Tomcat to 9.0.40 and JDK to 1.8.
In GUI, multiple values for Cisco-AVPair should be permitted in User Attribute list.
Fixed Anomalies in Cisco Prime Access Registrar 8.0.4
Table 3 lists the anomalies fixed in Prime Access Registrar 8.0.4 release.
Table 3 Fixed Anomalies in Prime Access Registrar 8.0.4
EAP SIM fast reauthentication takes longer time to send response to the client.
MCD Configuration gets corrupted due to REST query add/edit.
Using the Bug Search Tool
Use the Bug Search tool (BST) to get the latest information about Cisco Prime Access Registrar bugs. BST allows partners and customers to search for software bugs based on product, release, and keyword, and it aggregates key data such as bug details, product, and version.
BST allows you to:
Quickly scan bug content
Configure e-mail notifications for updates on selected bugs
Start or join community discussions about bugs
Save your search criteria so you can use it later
When you open the Bug Search page, check the interactive tour to familiarize yourself with these and other Bug Search features.
Step 2 To search for a specific bug, enter the bug ID in the Search For field and press Return.
Step 3 To search for bugs in a particular release:
a. In the Search For field, enter the product name and the release version, e.g. Cisco Prime Access Registrar 8.0.4, and press Return. (Leave the other fields empty.)
b. When the search results are displayed, use the filter and sort tools to find the types of bugs you are looking for. You can search for bugs by severity, by status, how recently they were modified, according to the number of support cases associated with them, and so forth.
Note We sometimes update the documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.