Installing Cisco Prime Access Registrar 9.3

This chapter provides information about installing Cisco Prime Access Registrar software. The software is available in DVD-ROM form and can also be downloaded from the Cisco.com website. The installation instructions differ slightly depending on whether you install the software from the Prime Access Registrar DVD-ROM or from downloaded software.

Note: Prime Access Registrar can be used with Red Hat Enterprise Linux (RHEL) 7.x and 8.5 or CentOS 7.x operating system. Also, Prime Access Registrar is qualified with VMware ESXi 7.0 Update 3 and OpenStack Xena.



Note: For installing Prime Access Registrar, we have set /opt/CSCOar as the install location. However, you can change the install location as required.


Installing the Prime Access Registrar 9.3 License File

You must have a license file in a directory on the Prime Access Registrar machine before you attempt to install Prime Access Registrar software. After purchasing Prime Access Registrar, you will receive a license file in an e-mail attachment. Save or copy this license file to a directory on the Prime Access Registrar workstation. If you have not installed the Prime Access Registrar license file before beginning the software installation, the installation process will fail.

You can store the Prime Access Registrar license file in any directory on the Prime Access Registrar machine. During the installation process, you will be asked for the location of the license file, and the installation process will copy the license file to the /opt/CSCOar/license directory or, if you are not using the default installation location, to the base installation directory you specify when you install the software.

The license file might have the name ciscoar.lic, but it can be any filename with the suffix .lic. To install the Prime Access Registrar license file, you can copy and paste the text into a file, or you can simply save the file you receive in e-mail to an accessible directory.

Note: Prime Access Registrar can be used with Red Hat Enterprise Linux (RHEL) 7.x and 8.5 or CentOS 7.x operating system. Prime Access Registrar has no special OS dependencies; therefore, there are no restrictions on upgrading to newer releases of RHEL or CentOS.


Note: A Prime Access Registrar 9.3 evaluation license can be generated using your Cisco.com account in the Product License Registration tool at http://www.cisco.com/web/go/license/index.html. The evaluation license is valid only for 90 days.


Installing Prime Access Registrar 9.3 Software

This section describes the software installation process when installing Prime Access Registrar software for the first time.

Tip: Before you begin to install the software, check your workstation’s /etc/group file and make sure that group adm exists. The software installation will fail if group staff does not exist before you begin.


Deciding Where to Install

Before you begin the software installation, you should decide where you want to install the new software. The default installation directory for Cisco Prime Access Registrar software is /opt/CSCOar. You can use the default installation directory, or you can choose to install the Prime Access Registrar software in a different directory.

Installing Downloaded Software

This section describes how to uncompress and extract downloaded Prime Access Registrar software and begin the software installation.


Step 1: Log in to the Prime Access Registrar workstation as a root user.

Step 2: Change directory to the location where you have stored the uncompressed tar file.

cd /tmp

Step 3: Change the permissions of the CSCOar-9.3-RHEL7x-lnx26_64-install.sh file to make it executable.

chmod 777 CSCOar-9.3-RHEL7x-lnx26_64-install.sh

Step 4: Set SELinux to permissive mode:

setenforce 0

Note: The above command will set SELinux to permissive mode temporarily until you reboot the system. To start the system in permissive mode permanently, edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=permissive and reboot the system.


Step 5: Proceed to the “Common Installation Steps” section.

Installing Cisco Prime Access Registrar Software from DVD-ROM

The following steps describe how to begin the software installation process when installing software from the Cisco Prime Access Registrar DVD-ROM. If you are installing downloaded software, proceed to the “Installing Downloaded Software” section.

Step 1: Place the DVD-ROM in the Prime Access Registrar workstation DVD-ROM drive.

Step 2: Log in to the Prime Access Registrar workstation as a root user and find a temporary directory, such as /tmp, to store the Linux installation file.

Note: The temporary directory requires at least 130 MB of free space.

Step 3: Change directory to the CD-ROM.

cd /cdrom/cdrom0/kit/linux-2.6

Step 4: Copy the CSCOar-9.3-RHEL7x-lnx26_64-install.sh file to the temporary directory.

cp CSCOar-9.3-RHEL7x-lnx26_64-install.sh /tmp

Step 5: Change the permissions of the CSCOar-9.3-lnx26-install.sh file to make it executable.

chmod 777 CSCOar-9.3-RHEL7x-lnx26_64-install.sh

Step 6: Set SELinux to permissive mode:

setenforce 0

Note: The above command will set SELinux to permissive mode temporarily until you reboot the system. To start the system in permissive mode permanently, edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=permissive and reboot the system.


To continue the installation, proceed to the “Common Installation Steps” section.
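
The prerequisites stated up to this point (a .lic license file already on the machine, group adm in /etc/group, 130 MB free in the temporary directory, an executable installer) can be verified before the installer is run as root. This is an added example, not part of the Cisco documentation or product; the function names and argument order are hypothetical, and the check on who can write to the installer goes beyond what the chapter requires.

```shell
#!/bin/sh
# Added example: checks the prerequisites this chapter states before the
# installer is started. Function names and argument order are hypothetical.

# group_exists GROUP [GROUPFILE]: succeeds if GROUP has an entry in the group file.
group_exists() {
    grep -q "^$1:" "${2:-/etc/group}"
}

# license_ok FILE: succeeds if FILE ends in .lic and is a readable, non-empty file.
license_ok() {
    case "$1" in
        *.lic) [ -f "$1" ] && [ -r "$1" ] && [ -s "$1" ] ;;
        *)     return 1 ;;
    esac
}

# has_free_mb DIR MB: succeeds if the file system holding DIR has at least MB free.
has_free_mb() {
    avail_kb=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    [ "$avail_kb" -ge $(($2 * 1024)) ]
}

# installer_unmodifiable FILE: succeeds if FILE is executable and only its
# owner can write to it. Mode 777 fails this check: any local account could
# alter the script between the chmod and the moment root runs it.
installer_unmodifiable() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c6,9)" in   # group-write and other-write flags
        *w*) return 1 ;;
    esac
}

# run_check DESCRIPTION COMMAND...: runs COMMAND and records the outcome.
run_check() {
    desc=$1
    shift
    if "$@"; then
        echo "ok:   $desc"
    else
        echo "FAIL: $desc"
        failed=$((failed + 1))
    fi
}

# preflight INSTALLER LICENSE TMPDIR [GROUPFILE]: prints one line per check
# and returns the number of failed checks.
preflight() {
    failed=0
    run_check "group adm exists" group_exists adm "${4:-/etc/group}"
    run_check "license file $2 is usable" license_ok "$2"
    run_check "$3 has at least 130 MB free" has_free_mb "$3" 130
    run_check "$1 is executable and owner-writable only" installer_unmodifiable "$1"
    return "$failed"
}

# Run the checks only when the three required paths are given on the command line.
if [ "$#" -ge 3 ]; then
    preflight "$@"
fi
```

Called with the installer path, the license file and the temporary directory as arguments, the script prints one ok/FAIL line per prerequisite and exits with the number of failures.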


 

Common Installation Steps

This section describes how to install the downloaded Prime Access Registrar software for Linux and begin the software installation.

Note: The Prime Access Registrar Linux installation automatically installs aregcmd and radclient as setgid programs in group adm.



Step 1: Log in to the Prime Access Registrar workstation as a root user.

Step 2: Change the directory to the location where you have stored the CSCOar-9.3-RHEL7x-lnx26_64-install.sh file.

cd /tmp

Step 3: Enter the name of the script file to begin the installation:

./CSCOar-9.3-RHEL7x-lnx26_64-install.sh

Name : CSCOar
Epoch : 1
Version : 9.3.0.0
Release : 1621845210
Group : Applications/Internet
Build Date : Mon 26 July 2021 02:12:21 AM PDT
Build Host : ar-lnx-vm044-sj.cisco.com
Relocations : /opt/CSCOar
Vendor : Cisco Systems, Inc.
Summary : Cisco Prime Access Registrar, a carrier-class RADIUS server
Description :
Cisco Prime Access Registrar is a carrier-class AAA server, implementing a
robust, extensible, high-performance RADIUS authentication, authorization, and accounting server.
build_tag: [Linux-3.10.0, official]
 
Copyright (C) 1998-2021 by Cisco Systems, Inc.
This program contains proprietary and confidential information.
All rights reserved except as may be permitted by prior written consent.
 
Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q]
 

Step 4: Press Enter to accept the default location of /opt/CSCOar, or enter a different directory to be used as the base installation directory.

Cisco Prime Access Registrar requires FLEXlm license file to operate.
A list of space delimited license files or directories can be supplied
as input; license files must have the extension ".lic".
 
Do you want to enable smartlicensing?[y/n] [n]: [y,n,?,q] y
 

Step 5: Specify whether you want to enable Smart Licensing or not. If yes, refer to “Smart Licensing in Prime Access Registrar” for the Smart Licensing workflow. Proceed with the next step if you want to use the traditional licensing method.

Cisco Prime Access Registrar requires FLEXlm license file to operate.
A list of space delimited license files or directories can be supplied
as input; license files must have the extension ".lic".
 
Where are the FLEXlm license files located? [] [?,q]
 
Cisco Prime Access Registrar provides a Web GUI. It requires J2RE
version 1.8.* or 11.* to be installed on the server.
 
If you already have a compatible version of J2RE installed, please
enter the directory where it is installed. If you do not, the
compatible J2RE version can be downloaded from:
 
http://java.sun.com/
 
Where is the J2RE installed? [] [?,q] /opt/jdk1.8.0_131
 

Step 6: The J2RE is required to use the Cisco Prime Access Registrar GUI. If you already have a Java 2 platform installed, enter the directory where it is installed as mentioned above.

Note: If you do not provide the JRE path, or if the path is empty or unsupported, the installation process exits. Prime Access Registrar requires either JRE 1.8.x or JRE 11.x version.


If you are not using ORACLE, press Enter/Return to skip this
step. ORACLE installation directory is required for ODBC
and OCI configuration. ORACLE_HOME variable will be set in
/etc/init.d/arserver script
 
Where is ORACLE installed? [] [?,q] /opt/oracle/oracle-client-19c/product/19.0.0/client_1/
 
Note: For OCI related services, install Oracle client version 11g - 19c. Oracle Instant Client libraries are not supported by OCI services.

Step 7: Enter the location where you have installed Oracle as mentioned above, otherwise press Enter.

Do you want to install SIGTRAN-M3UA functionality now? [n]: [y,n,?,q] n
 

Step 8: Specify whether you want to install SIGTRAN-M3UA. If you select the option ‘Y’, the SIGTRAN-M3UA process will run.

Cisco Prime Access Registrar can be run as non-root user also.
This requires the libcap-2.16-5.5 rpm to be installed. If the kernel
version is 2.6.24 or later, libcap is already available Please ensure
that you have an existing non-root user created prior to this.
 
If you require to run CPAR as non-root user, and the user does not
exist, please choose to exit installation. Once the non-root user
is created, you may install CPAR.
 
Do you want CPAR to be run as non-root user? [n]: [y,n,?,q]
 

Step 9: Specify whether you want to run Prime Access Registrar as a non-root user.

You will be requested for the non-root user information. Ensure that the non-root user account exists.

Enter the username that is to be used to run CPAR processes: test
Enter the usergroup of the above username: eng
User test exists.
 

Step 10: To enable the SystemD service, enter Y as mentioned below after providing the non-root user details:

Do you want CPAR arserver service to be run as non-root user while OS startup? [n]: [y,n,?,q] y
 

You can check whether the startup service is enabled or not using the following commands. The first two commands below are used to set environment variables for systemctl command:

# loginctl enable-linger <CPAR_USERNAME>
# export XDG_RUNTIME_DIR=/run/user/$(id -u <CPAR_USERNAME>)
# su <CPAR_USERNAME> -c 'systemctl --user list-unit-files arserver.service'
# su <CPAR_USERNAME> -c 'systemctl --user status arserver'
 
[root@RHEL82-95-175 ~]# su cisco -c 'systemctl --user status arserver'
● arserver.service - systemctl: Cisco Prime Access Registrar startup script runlevel is 345
Loaded: loaded (/cisco-ar/bin/arserver; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-06-30 03:13:17 IST; 9min ago
Docs: man:systemctl(1)
Process: 635073 ExecStop=/cisco-ar/bin/arserver stop (code=exited, status=0/SUCCESS)
Process: 635114 ExecStart=/cisco-ar/bin/arserver start (code=exited, status=0/SUCCESS)
CGroup: /user.slice/user-1001.slice/user@1001.service/arserver.service
├─635200 /opt/CSCOar/.system/arservagt -T 256 -A10000000 -N2 -d
├─635203 /opt/CSCOar/.system/arlockmgr -d -a aiclkmgr
├─635210 /opt/CSCOar/.system/armcdsvr -Z 0 -Alogsize=10000000,nlogs=2 -L -P config/mcd/1 -A id=0
├─635212 /opt/CSCOar/.system/radius -Z 3 -C servers/name/radius/1 -S servers/name/radius/1 -B /opt/CSCOar/ -P RHEL82-95-175.cisco.com/name/radius/1 -A id=3,thre>
└─635213 /opt/jdk1.8.0_131/bin/java -Djava.util.logging.config.file=/opt/CSCOar/apache-tomcat-9.0.63/conf/logging.properties -Djava.util.logging.manager=org.apa>
 
Note: This feature is supported from RHEL version 8.0.


If you want to learn about Cisco Prime Access Registrar by following
the examples in the Installation Guide, you need
to populate the database with the example configuration.
 
NOTE: If you are using DIRECTOR/DIRECTOR NEXT GEN Licenses,
please do not try installing Example configuration, Give the
option for Example configuration as "n"
 
Do you want to install the example configuration now? [n]: [y,n,?,q] y
 

Step 11: When prompted whether to install the example configuration now, enter Y or N to continue.

Note: You can delete the example configuration at any time by running the command /opt/CSCOar/usrbin/aregcmd -f /opt/CSCOar/examples/cli/delete-example-configuration.rc.


unpack the rpm file done
Preparing... ################################# [100%]
Updating / installing...
1:CSCOarui-add-9.3.0.0-1621845210 ################################# [100%]
# setting up the web server...........
# configuring the web server...........
# extracting the web application...........
# extracting the rest application...........
Preparing... ################################# [100%]
Updating / installing...
1:CSCOar-1:9.3.0.0-1621845210 ################################# [100%]
relink cisco prime arserver
JAVA ROOT /opt/jdk1.8.0_131
JAVA_HOME /opt/jdk1.8.0_131
# setting ORACLE_HOME and JAVA_HOME variables in arserver
ORACLE_HOME /opt/oracle/oracle-client-19c/product/19.0.0/client_1/
JAVA_HOME /opt/jdk1.8.0_131
set JAVA_HOME
# flushing old replication archive
# creating initial configuration database
Rollforward recovery using "/opt/CSCOar/data/db/vista.tjf" started Wed May 26 18:44:42 2021
Rollforward recovery using "/opt/CSCOar/data/db/vista.tjf" finished Wed May 26 18:44:42 2021
 
 
# add-example-config y
calling gen-tomcat
using OPENSSL=/cisco-ar/.system/openssl
Making sure the cert directory exists: /cisco-ar/certs/tomcat
Calling gen-ss-cert to create the cert
We will now generate an RSA key-pair and self-signed certificate that
may be used for test purposes
Generating a RSA private key
.................+++++
..........+++++
writing new private key to '/cisco-ar/certs/tomcat/server-key.pem'
-----
Server self-signed certificate now resides in /cisco-ar/certs/tomcat/server-cert.pem
Server private RSA key now resides in /cisco-ar/certs/tomcat/server-key.pem
 
 
Remember to install additional CA certificates for client verification
Tomcat private RSA key now resides in /cisco-ar/certs/tomcat/server-key.pem
Cisco Prime Access Registrar Service Status : active
Starting Cisco Prime Access Registrar by installer......
[root@ar-lnx-vm102 opt]# cd /cisco-ar/bin/
[root@ar-lnx-vm102 bin]#./aregcmd -s
Cisco Prime Access Registrar 9.3.0.0 Configuration Utility
Copyright (C) 1995-2021 by Cisco Systems, Inc. All rights reserved.
Logging in to localhost
Enter a new passphrase:
Warning: Passphrase length should be atleast 8 characters
Confirm new passphrase:
 
Note: After the installation process, run the command service iptables stop to disable the iptables firewall.
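
The installation changes host state that is worth recording afterward: the SELinux mode (temporary or permanent, as the notes on setenforce 0 describe), the setgid aregcmd and radclient programs in group adm, and the generated Tomcat private key. The following report script is an added example, not Cisco's code; its function names are hypothetical, and the radclient location under usrbin is an assumption.

```shell
#!/bin/sh
# Added example: reports the host state that this chapter's installation steps
# change. Function names are hypothetical; see audit() for the paths assumed.

# selinux_config_mode FILE: prints the last uncommented SELINUX= value in FILE.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# selinux_outlook RUNTIME CONFIGURED: RUNTIME is getenforce output, CONFIGURED
# is the value from /etc/selinux/config. Prints what a reboot will do.
selinux_outlook() {
    case "$1:$2" in
        Enforcing:enforcing)   echo "enforcing now and after reboot" ;;
        Enforcing:permissive)  echo "enforcing now, permissive after reboot" ;;
        Permissive:enforcing)  echo "permissive until reboot" ;;
        Permissive:permissive) echo "permissive now and after reboot" ;;
        *)                     echo "review manually (runtime=$1 config=$2)" ;;
    esac
}

# key_is_private FILE: succeeds if FILE grants no permission to group or others.
key_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# setgid_in_group FILE GROUP: succeeds if FILE has the setgid bit and group GROUP.
setgid_in_group() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c7)" = "s" ] &&
        [ "$(ls -ld "$1" | awk '{ print $4 }')" = "$2" ]
}

# audit [BASEDIR]: prints one report line per item. BASEDIR defaults to the
# default install location; the radclient path under usrbin is an assumption.
audit() {
    base=${1:-/opt/CSCOar}
    runtime=$(getenforce 2>/dev/null || echo unknown)
    configured=$(selinux_config_mode /etc/selinux/config 2>/dev/null)
    echo "selinux: $(selinux_outlook "$runtime" "${configured:-unknown}")"
    for prog in aregcmd radclient; do
        if setgid_in_group "$base/usrbin/$prog" adm; then
            echo "$prog: setgid, group adm"
        else
            echo "$prog: not setgid in group adm (or not found)"
        fi
    done
    key=/cisco-ar/certs/tomcat/server-key.pem
    if key_is_private "$key"; then
        echo "tomcat key: readable by owner only"
    else
        echo "tomcat key: missing, or accessible to group/others"
    fi
}

# Print the report when called with "audit" as the first argument.
if [ "${1:-}" = "audit" ]; then
    shift
    audit "$@"
fi
```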



 

Configuring SNMP

If you choose not to use the SNMP features of Prime Access Registrar, the installation process is completed. To use SNMP features, complete the configuration procedure described in the “Configuring SNMP” section in the “Configuring Cisco Prime Access Registrar” chapter of the Cisco Prime Access Registrar 9.3 Administrator Guide.

Smart Licensing in Prime Access Registrar

The licenses purchased in CSSM must be added into Prime Access Registrar using a set of licensing commands, which are explained in detail below. For detailed information about the Smart Licensing process, see Chapter 6, “Smart Licensing”.

Prime Access Registrar provides a CLI option to enable Smart Licensing during the regular installation workflow. If you choose not to proceed with Smart Licensing, you can proceed with the traditional installation workflow.

1. If Smart Licensing is enabled, Prime Access Registrar will start up with PAR-TPS as the default base license.

2. You can use the following aregcmd to configure Prime Access Registrar in Smart Licensing mode.

aregcmd -s -L
 

3. To use the licenses that you’ve registered in the CSSM, run the use command. You can perform the following with the use commands:

use Command    Description
use session    To use session-based licenses
use tps        To use TPS-based licenses

4. For the use option selected above, you can use the enable command to add a required Prime Access Registrar license. The following screen shot shows an example of enable options available for the use tps command.

Figure 2-1 Enable Command Options

Licenses are available based on the combination of use and enable commands.

5. After you add the required license, you must save and reload the server for the changes to take effect. After executing each of these commands, it’s important that you restart the Prime Access Registrar server for the changes to take effect.

6. Use the following command to register the license using a token ID that was generated in the CSSM system:

license smart register <ID token>
 
Note: If Smart Licensing is not enabled as part of the installation workflow, Prime Access Registrar allows you to enable it at a later point in time using the CLI option. Use the following command in CLI to do so:


license smart enable
 

7. After executing this command, it’s important that you restart the Prime Access Registrar server for the changes to take effect.

8. If you wish to upgrade Prime Access Registrar from an earlier version:

  • You must place the traditional license files for that version in the $INSTALLPATH/license folder and these licenses will be automatically upgraded to smart license. You need not configure them.
  • You must ensure that only valid licenses are present in the installation path folder.

9. After the registration process, the entitlements will be sent to the CSSM and you will get a notification with appropriate status:

  • Registered – user registration is complete and entitlements are sent to CSSM
  • Authorized – all the entitlements are in compliance with CSSM
  • Out of Compliance – particular user is out of compliance. A log will be generated and an appropriate SNMP trap will also be sent

10. Use the following command to exit the smart licensing mode:

no license smart enable
 


 

Registering Prime Access Registrar as a Service in RHEL SystemD Service Management

With this feature, Prime Access Registrar is added as a service in SystemD service management.

After successful installation, Prime Access Registrar gets registered as a service in SystemD unit, after which you can execute the below commands to start, stop, or restart Prime Access Registrar and to find the status of the Prime Access Registrar server:

  • systemctl start arserver
  • systemctl stop arserver
  • systemctl restart arserver
  • systemctl status arserver

Note: This feature is supported only from RHEL 7.7.


After successful registration of Prime Access Registrar as a service in SystemD, you should refrain from using the older method of starting, stopping, or restarting the server using arserver script (/cisco-ar/bin/arserver start, etc.).

When the installer enables Prime Access Registrar as SystemD service, the following logs will be printed in the console towards the end of successful installation. A sample of the log is provided below:

Created symlink from /etc/systemd/system/multi-user.target.wants/arserver.service to /usr/lib/systemd/system/arserver.service.
arserver service status : active
Cisco Prime Access Registrar started by arserver Service.....
 

Sample Output

Following is the sample output upon running the systemctl status arserver command:

[root@RHEL82-95-175 ~]# systemctl status arserver
arserver.service - systemctl: Cisco Prime Access Registrar startup script runlevel is 345
Loaded: loaded (/cisco-ar/bin/arserver; enabled; vendor preset: disabled)
Active: active (running) since Fri 2021-01-08 05:26:10 IST; 28min ago
Docs: man:systemctl(1)
Process: 2963170 ExecStop=/cisco-ar/bin/arserver stop (code=exited, status=0/SUCCESS)
Process: 2963701 ExecStart=/cisco-ar/bin/arserver start (code=exited, status=0/SUCCESS)
Tasks: 412 (limit: 49596)
Memory: 538.9M
CGroup: /system.slice/arserver.service
2963791 /opt/CSCOar/.system/arservagt -T 256 -A10000000 -N2 -d
2963797 /opt/CSCOar/.system/armcdsvr -Z 0 -Alogsize=10000000,nlogs=2 -L -P config/mcd/1 -A id=0
2963798 /opt/CSCOar/.system/arlockmgr -d -a aiclkmgr
2963805 /opt/CSCOar/.system/radius -Z 3 -C servers/name/radius/1 -S servers/name/radius/1 -B /opt/CSCOar/ -P RHEL82-95-175.cisco.com/name/radius/1 -A id=3,thr>
2963806 /opt/jdk-11.0.5/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=>
 
Jan 08 05:25:32 RHEL82-95-175.cisco.com systemd[1]: Starting systemctl: Cisco Prime Access Registrar startup script runlevel is 345...
Jan 08 05:25:34 RHEL82-95-175.cisco.com SmartAgent[2963805]: Fri Jan 8 05:25:34 2021
%SMART_LIC-6-EXPORT_CONTROLLED:Usage of export controlled features is not allowed
Jan 08 05:25:34 RHEL82-95-175.cisco.com SmartAgent[2963805]: Fri Jan 8 05:25:34 2021
%SMART_LIC-6-AGENT_READY:Smart Agent for Licensing is initialized
Jan 08 05:26:10 RHEL82-95-175.cisco.com arserver[2963701]: Starting Cisco Prime Access Registrar Server Agent...completed.
Jan 08 05:26:10 RHEL82-95-175.cisco.com systemd[1]: Started systemctl: Cisco Prime Access Registrar startup script runlevel is 345.