Release Notes for Cisco Access Registrar 3.0R9
This document contains important information about the Cisco Access Registrar 3.0R9 software. All features in previous versions of Cisco Access Registrar are present in Cisco Access Registrar 3.0R9. Cisco AR 3.0R9 is available for Solaris 8 only.
Note
Releases since Cisco Access Registrar 3.0R1 use a version of aregcmd that is incompatible with Cisco AR 3.0R0 and Cisco AR 1.7R6 (and earlier). You can find more details about aregcmd incompatibility with other versions of Cisco AR software in Changes in aregcmd.
CCO Date: May 23, 2002
Revised: October 25, 2004
Contents
This document contains the following sections:
• Copyright Notice
• Introduction
• What's New in Cisco AR 3.0
• Changes from Previous Versions of Cisco AR
• Related Documentation
• System Requirements
• Upgrading Cisco Access Registrar Software
• Installing Cisco Access Registrar Software For the First Time
• Modifying Your Environment
• Changing Log Directory
• SNMP Configuration
• Cisco Access Registrar Subdirectories
• Using the Cisco AR License
• Testing Cisco Access Registrar
• Caveats
• Obtaining Documentation
• Obtaining Technical Assistance
Copyright Notice
This product contains copyrighted programs that are used with permission and are the property of the following respective owners.
Copyright 1989, 1991, 1992 by Carnegie Mellon University
Derivative Work - 1996, 1998-2000
Copyright 1996, 1998-2000 The Regents of the University of California
All Rights Reserved
Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission.
CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
NAI copyright notice (BSD) Copyright © 2001, NAI Labs. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
• Neither the name of the NAI Labs nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Introduction
Cisco Access Registrar (AR) provides RADIUS authentication, authorization, and accounting (AAA) services for service providers and enterprises. Cisco AR supports service provider deployment of access services by centralizing AAA information and simplifying provisioning and management.
Cisco Access Registrar is a standards-based Remote Authentication Dial-in User Service (RADIUS) and proxy RADIUS server designed for high-performance, extensibility, and integration with external data stores and systems.
Cisco Access Registrar supports a range of access technologies from traditional dial and broadband to wireless LANs and mobile wireless. Cisco Access Registrar 3.0 supports the latest wireless authentication protocols such as Extensible Authentication Protocol—Message Digest 5 (EAP-MD5) used in wireless LAN deployments. Cisco Access Registrar 3.0 also has the ability to make real-time AAA requests to billing systems to support prepaid applications.
What's New in Cisco AR 3.0
Cisco Access Registrar 3.0 includes the following new features:
• Open Database Connectivity (ODBC)
Cisco Access Registrar 3.0 provides Oracle database support using Open Database Connectivity (ODBC). Using ODBC, you can store user information including return attributes and check items in an Oracle database. Cisco AR 3.0 supports authentication and authorization through ODBC.
• Prepaid Billing
Cisco Access Registrar 3.0 provides a generic prepaid billing application-programming interface (API) that allows a real-time interface to billing and rating systems. Cisco Access Registrar 3.0 Prepaid supports Cisco Packet Data Serving Node (PDSN) Code-division Multiple Access (CDMA2000) mobile wireless prepaid services.
Cisco AR 3.0 works with the client NAS and an external billing system (EBS) or billing server. EBS vendors are required to provide a Solaris 8 shared library that is built with gcc version 2.95.3.
• EAP-MD5 Support
Cisco Access Registrar 3.0 supports the EAP standard that provides enhanced security for PPP authentication. EAP support is extended by supporting the EAP-MD5 authentication protocol, an EAP authentication exchange. EAP-MD5 uses a CHAP-like exchange and the password is hashed by challenge from both client and server to verify it is correct.
• Enhanced configuration interface
Cisco AR's configuration utility, aregcmd, has been enhanced for faster and easier service provider AAA provisioning including:
– Automatic command completion
– Context-sensitive list of options
– Recall of values for quick editing
– User return-attribute configuration
– Check-items configuration
– Detailed configuration-error messages
• Prefix Rule in Policy Engine
Cisco Access Registrar 3.0 has an additional rule in its policy engine that allows user-name prefix matching for dynamic processing decisions. Cisco AR 3.0 is able to select a service based on a prefix in the username. Cisco AR can strip the prefix and use it in the policy engine to select a particular service.
• Lightweight Directory Access Protocol (LDAP) Directory Rebind
For environments using smart Domain Name System (DNS), Cisco AR can be configured to requery DNS at fixed intervals and dynamically rebind to any new IP address returned. When configuring to use an LDAP server, you can specify a qualified or unqualified hostname of an LDAP directory server.
• Time-based Accounting File Rollover
Cisco Access Registrar 3.0 provides additional accounting file rollover criteria based on specific times.
• User-password Overriding
The Cisco Access Registrar scripting API now allows easy user-password overriding.
• Optimized Accounting-request Handling
Cisco Access Registrar 3.0 provides improved algorithms for handling duplicate accounting requests containing Acct-Delay-Time.
• Increased Multi-vendor Support
Cisco Access Registrar 3.0 supports an extended vendor type field in vendor-specific attributes.
• Support for MS-CHAPv1
Cisco AR 3.0 provides native support for MS-CHAPv1 authentication as defined in Internet RFCs 2433 and 2548. When using MS-CHAPv1 with LDAP or ODBC user storage, the password must be stored in clear text.
• Managing Multi-Valued Attributes
Cisco AR 3.0 provides a mechanism to allow easy editing of multi-value attributes that enables you to add new values, change part of the values, and delete any portion of the values without having to enter the entire value.
• HTTP Digest Authentication
Cisco Access Registrar 3.0R6 supports HTTP Digest, an encryption method used by protocols such as HTTP, SIP, and EAP to authenticate RADIUS clients.
• Parallel Service Grouping
Cisco Access Registrar 3.0R6 introduces two new types of Group Services, parallel-and and parallel-or, that ask each referenced service to process requests simultaneously instead of sequentially, thereby saving processing time.
• View-Only Administrator and View-only aregcmd Sessions
A view-only administrator or a view-only aregcmd session enables an administrator to view Cisco AR configuration, but not modify it.
• Support for Oracle 9
Cisco AR supports Oracle 9 in addition to Oracle 8.1.6 and 8.1.7 for Open Database Connectivity.
• Support for Java Extensions
Cisco Access Registrar 3.0R9 provides support for Java extensions. In addition to the Tcl/C/C++ extension point scripting capability, Cisco AR 3.0R9 provides support for extensions written in Java. You must have installed JRE 1.4.x.
• Two New Environment Variables
AR 3.0R9 provides two new AR environment variables, Destination-IP-Address and Destination-Port. These variables enable Cisco AR to distinguish between RADIUS requests sent to different IP addresses or UDP ports on the Cisco AR server and make processing decisions based on this information.
• MySQL Support
AR 3.0R9 provides support for MySQL version 4.0.18 and MyODBC 3.51.06 to enable querying user records from a MySQL database.
New Features in Cisco AR 3.0
This section describes the new features included in this release of Cisco Access Registrar 3.0.
HTTP Digest Authentication
HTTP Digest is an encryption method used by protocols such as Hypertext Transport Protocol (HTTP), Session Initiation Protocol (SIP), and Extensible Authentication Protocol (EAP).
Cisco Access Registrar 3.0R6 provides an interface to authenticate RADIUS clients based on HTTP Digest. The client sends an Access-Request packet containing a Digest-Response and associated Digest Attributes. The Cisco AR server computes a value based on the user's profile and compares this with the digest response to return an Access-Accept or Access-Reject.
The Cisco AR server generates a session key based on Internet RFC 2617, the RADIUS Extension for Digest Authentication. The generated session key is delivered to the client using the MS-MPPE-Recv-Key attribute in the Access-Accept packet if the algorithm specified in the Access-Request is MD5-sess.
No special configuration is required for HTTP Digest authentication. The Cisco AR server automatically detects HTTP Digest Access-Requests and processes them accordingly. When using HTTP Digest, the MS-MPPE-Recv-Key attribute requires a session-timeout value. You might need to modify the default session timeout value using aregcmd.
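The comparison described above, sketched as an added example (not Cisco AR code): it computes the RFC 2617 request-digest from the stored password and compares it with the supplied Digest-Response in constant time. The dictionary keys, the USERS store and the function names are assumptions for illustration and do not reflect the RADIUS attribute encoding; the sample request uses the test values from RFC 2617 section 3.5.

```python
import hashlib
import hmac

# Constructed user store: username -> clear-text password (RFC 2617 sample user).
USERS = {"Mufasa": "Circle Of Life"}

# Constructed request; the values are the RFC 2617 section 3.5 example.
SAMPLE_REQUEST = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "method": "GET",
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "algorithm": "MD5",
    "qop": "auth",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}


def _h(text):
    """MD5 of the text, as the 32-character lowercase hex string RFC 2617 uses."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_digest_response(username, realm, password, method, uri, nonce,
                            algorithm="MD5", qop=None, nc=None, cnonce=None):
    """Return the request-digest for MD5 or MD5-sess, with qop absent or 'auth'."""
    algorithm = algorithm.upper()
    if algorithm not in ("MD5", "MD5-SESS"):
        raise ValueError("unsupported algorithm")
    if qop not in (None, "auth"):
        raise ValueError("only qop=auth is handled in this example")
    if (qop == "auth" or algorithm == "MD5-SESS") and not cnonce:
        raise ValueError("cnonce is required")
    if qop == "auth" and not nc:
        raise ValueError("nonce-count is required with qop=auth")

    ha1 = _h(f"{username}:{realm}:{password}")
    if algorithm == "MD5-SESS":
        # Session variant: bind HA1 to this nonce/cnonce pair. Common
        # implementations feed the hex form of the inner hash, as done here.
        ha1 = _h(f"{ha1}:{nonce}:{cnonce}")
    ha2 = _h(f"{method}:{uri}")
    if qop == "auth":
        return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _h(f"{ha1}:{nonce}:{ha2}")  # no qop: RFC 2069 compatible form


def verify_access_request(request, users=USERS):
    """Recompute the digest from the user's profile and compare it."""
    password = users.get(request.get("username"))
    if password is None:
        return "Access-Reject"
    try:
        expected = compute_digest_response(
            request["username"], request["realm"], password,
            request["method"], request["uri"], request["nonce"],
            request.get("algorithm", "MD5"), request.get("qop"),
            request.get("nc"), request.get("cnonce"))
    except (KeyError, ValueError):
        return "Access-Reject"  # malformed or unsupported request
    supplied = str(request.get("response", "")).lower()
    # Constant-time comparison avoids leaking how many characters matched.
    matches = hmac.compare_digest(expected.encode(), supplied.encode("utf-8"))
    return "Access-Accept" if matches else "Access-Reject"


if __name__ == "__main__":
    print(verify_access_request(SAMPLE_REQUEST))
```

Because the server must recompute HA1, it needs either the clear-text password or a stored MD5 of username:realm:password for each user.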
Parallel Service Grouping
Cisco Access Registrar 3.0R6 supports parallel service grouping. In Cisco Access Registrar 3.0, Group Services contain a list of references to other services and specify whether the responses from each of the services should be handled as a logical AND or a logical OR function. You specify AND or OR in the Result-Rule attribute of Group Services. The default value is AND.
If Result-Rule is set to AND, the response from the Group Service is positive if each of the referenced services returns a positive result. The response is negative if any of the referenced services returns a negative result. If Result-Rule is set to OR, the response from the Group Service is positive if any of the referenced services returns a positive result. The response is negative if all the referenced services return a negative result.
When the Result-Rule attribute is set to AND or OR, each referenced service is accessed sequentially, and the Group Service waits for a response from the first referenced service before moving on to the next service (if necessary). If a service takes a long time to respond, that causes a delay in sending the request to the next referenced server.
Cisco Access Registrar 3.0R6 introduces two new types of Group Services, parallel-and and parallel-or. These new types are similar to the AND and OR settings except that they ask each referenced service to process the request simultaneously instead of asking each referenced server sequentially, thereby saving processing time.
A parallel-and setting might respond with its own reply as soon as it receives a negative response, but otherwise must wait for all responses before it can respond with a positive reply. Likewise, a parallel-or might respond as soon as it receives a positive response, but otherwise must wait for all responses before it can reply with a negative response.
If a service referenced from a Group Service is of type RADIUS and Accounting-Requests are being processed by the Group Service, setting the AckAccounting property in the remote server affects the behavior of the parallel-or Group Service. If AckAccounting is set to FALSE, the RADIUS Remote Server does not wait for the response from the remote server but returns a response immediately. Because the Group Service is set to parallel-or, once it receives the response from the RADIUS service, it is free to send a response itself. The effect is that the Group Service sends a response acknowledging the Accounting-Request very quickly, and responses from the other referenced services are handled as they arrive.
Note that since AckAccounting was set to FALSE, there is no guarantee that the Remote Server successfully processed the request. Since it is a RADIUS Remote Server, the Cisco AR server attempts for MaxTries to send the request to the server and to get back an acknowledgement, but if that fails, there will be no indication to the client about that event. The acknowledgement to the client has been sent long before.
Note
It is not valid to have Services of type Group, EAP_LEAP, or EAP-MD5 referenced from a Service of type Group.
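The four Result-Rule behaviors described above, modeled as an added example (not Cisco AR code) that reports when the Group Service replies and which referenced services had not yet been taken into account. Service names and latencies are constructed, and a RADIUS service with AckAccounting set to FALSE is modeled as an immediate positive answer.

```python
from dataclasses import dataclass


@dataclass
class Response:
    service: str      # referenced service name (constructed)
    latency_ms: int   # time the service needs to answer
    positive: bool    # True = accept/acknowledge, False = reject/failure


def evaluate_group(result_rule, responses):
    """Return (reply, reply_time_ms, unseen) for one Group Service request.

    unseen lists the services whose answer had not been considered when the
    Group Service sent its own reply.
    """
    rule = result_rule.lower()
    if rule not in ("and", "or", "parallel-and", "parallel-or"):
        raise ValueError("unknown Result-Rule: %s" % result_rule)
    # The answer that settles the outcome early: a positive one for the OR
    # rules, a negative one for the AND rules.
    decisive = rule.endswith("or")
    parallel = rule.startswith("parallel-")
    # Sequential rules ask services in configured order; parallel rules see
    # the answers in arrival order.
    if parallel:
        order = sorted(responses, key=lambda r: r.latency_ms)
    else:
        order = list(responses)
    elapsed = 0
    for index, resp in enumerate(order):
        # Parallel: all requests started at t=0. Sequential: waits add up.
        elapsed = resp.latency_ms if parallel else elapsed + resp.latency_ms
        if resp.positive == decisive:
            return decisive, elapsed, [r.service for r in order[index + 1:]]
    # No decisive answer: every service had to be heard before replying.
    return (not decisive), elapsed, []


# Constructed authentication example: one slow service, one rejecting service.
AUTH = [
    Response("ldap-users", 30, True),
    Response("odbc-users", 200, True),
    Response("remote-radius", 50, False),
]

# Constructed accounting example. "radius-proxy" stands for a RADIUS service
# whose remote server has AckAccounting = FALSE: it answers at once, before
# the remote server has confirmed anything.
ACCOUNTING = [
    Response("local-file-acct", 40, True),
    Response("radius-proxy", 0, True),
    Response("odbc-acct", 120, False),
]

if __name__ == "__main__":
    for rule in ("and", "parallel-and", "or", "parallel-or"):
        print(rule, evaluate_group(rule, AUTH))
    print("accounting, parallel-or:", evaluate_group("parallel-or", ACCOUNTING))
```

In the accounting case the client is acknowledged at 0 ms while the failing odbc-acct answer is still outstanding, so a lost accounting record in that arrangement is visible only in the server's own logs.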
View-Only Administrator
Cisco Access Registrar 3.0R6 introduces the view-only administrator option to aregcmd. When you launch aregcmd with the -V option, an aregcmd session opens in view-only mode, even if the administrator is not a view-only administrator.
You can also create or modify administrative users to be view-only administrators by setting the new View-Only attribute to TRUE. The default setting of the View-Only property for any new administrator is FALSE. When the View-Only property is set to FALSE, an aregcmd session functions as it did previously.
At least one administrator must not be a view-only administrator. When you save your configuration, validation will fail if none of the administrators have the View-Only property set FALSE.
When you upgrade your Cisco Access Registrar 3.0 software to version R6, any existing administrators will have the View-Only property added and set to FALSE.
When you open an aregcmd session in view-only mode, an error occurs if you attempt to issue a command that modifies the configuration. The following commands issued in a view-only session will cause the error: add, delete, set, unset, insert, validate, save, start, stop, reload, reset-stats, release-sessions, and trace. The error is reported as follows:
316 Command failed: session is View-Only
When the session is not view-only, but the server is a slave server, the following commands cause an error message when the object or property being affected is not under /Radius/Replication, /Radius/Advanced/Ports, /Radius/Advanced/Interfaces, or any properties in /Radius/Advanced: add, delete, set, unset, and insert. The error is reported as follows:
317 Command failed: session is a Replication Slave
Oracle 9 Support
Cisco Access Registrar 3.0R6 provides support for Oracle 9. Oracle 9 support is in addition to Oracle 8.1.6 and 8.1.7 when an ODBC type service is used. When using Oracle 9, set ORACLE_HOME to the location where you have installed Oracle software.
The following changes have been made to support Oracle 9:
•
The file liboraodbc.so has been renamed to liboraodbc8.so.
•
The file liboraodbc9.so has been added.
MySQL Support
Cisco Access Registrar 3.0R7 provides support for MySQL to support querying user records from a MySQL database. Cisco Access Registrar 3.0 has been tested with MySQL 4.0.18 and MyODBC 3.51.06 (reentrant).
For the Cisco AR server to use MySQL, you must create and configure an ODBCDataSource object of type myodbc and a RemoteServer object set to protocol odbc.
Configuring MySQL
To configure the Cisco AR server to query records from a MySQL database, complete the following configuration:
Step 1
Log in to the Cisco AR server and launch aregcmd.
Log in as a user with administrative rights such as user admin.
Step 2
Change directory to the /Radius/Advanced/ODBCDataSources and add a new ODBCDataSource.
cd /Radius/Advanced/ODBCDataSources
add mysql
Step 3
Set the new ODBCDatasource type to myodbc.
cd mysql
set type myodbc
Step 4
Set the Driver property to the path of the MyODBC library.
Step 5
Set the UserID property to a valid username for the MyODBC database and provide a valid password for this user.
Step 6
Provide a DataBase name and the name of the Cisco AR RemoteServer object to associate with the ODBCDataSource.
Step 7
Change directory to /Radius/RemoteServers and add a RemoteServer object to associate with the new ODBCDatasource.
cd /Radius/RemoteServers
add mysql
Step 8
Change directory to the new RemoteServer and set its protocol to odbc.
cd mysql
set protocol odbc
Step 9
Set the ODBCDataSource property to the name of the ODBCDataSource to associate with this RemoteServer object.
set ODBCDataSource mysql
Example Configuration
The following shows an example configuration for a MySQL ODBC data source.
[ //localhost/Radius/Advanced/ODBCDataSources/mysql ]
Driver = /tmp/libmyodbc3_r.so
The following shows an example configuration for a RemoteServer.
[ //localhost/Radius/RemoteServers/mysql-a ]
ReactivateTimerInterval = 300000
DataSourceConnections = 8
KeepAliveTimerInterval = 0
ODBCToEnvironmentMappings/
Changes from Previous Versions of Cisco AR
Several significant changes were made in Cisco Access Registrar 3.0. This section provides a summary of those changes.
Changes to Package Name
The Cisco Access Registrar software is now in a package named CSCOar. The previous package name was AICar1. The default location for installing the Cisco AR software is now /opt/CSCOar.
Changes to Environment Variables
Table 1 lists four environment variables that have new names in Cisco AR 3.0. If you have been using an earlier version of Cisco AR and have written scripts that use these environment variables, you will have to modify the scripts to use the new names.
Table 1 Environment Variable Name Changes
Old Name | New Name
AIC_CONF | CAR_CONF
AIC_CLUSTER | CAR_CLUSTER
AIC_NAME | CAR_NAME
AIC_PASSWORD | CAR_PASSWORD
Changes to Subdirectories
In Cisco Access Registrar 3.0, the directory structure has been changed to include a new .system directory. Programs in .system should never be run directly. Programs that should be run directly have been moved to the /opt/CSCOar/bin directory, where one would expect to find executable shell scripts.
Executables and shell scripts had previously been located in /opt/AICar1/bin and /opt/AICar1/usrbin. The bin subdirectory is now under /opt/CSCOar. The usrbin subdirectory has been removed, and there is a symbolic link from usrbin to bin.
Relocation of Executables
In previous versions of Cisco AR, executables were divided into the bin and usrbin subdirectories. Executables in the /opt/AICar1/bin were almost all executable link format (ELF) binary SPARC executables not intended to be run directly. Executables in the /opt/AICar1/usrbin were almost all shell scripts that acted as wrappers for the ELFs and were intended to be run directly.
In Cisco AR 3.0, shell scripts have been moved to the bin and the ELFs have been moved to the new .system directory.
Executable Name Changes
Two executable scripts have been renamed. Table 2 lists the two name changes. The new arserver now resides in the /opt/CSCOar/bin directory.
Table 2 Executable Script Name Changes
Old Name | New Name
screen | share-access
/etc/init.d/arservagt | arserver
Removal of Wrapper Scripts
To maintain backward compatibility, a symbolic link in Cisco AR 3.0 ties usrbin to bin. In addition, the wrapper scripts have been removed, meaning that there is only one file in the Cisco AR package named aregcmd, for example.
Changes in aregcmd
aregcmd was changed in the Cisco AR 3.0R1 release to correct a security vulnerability. The changes cause an incompatibility between releases of Cisco AR 3.0R1 and all Cisco AR releases prior to it.
After installing Cisco Access Registrar 3.0R1 (or later) software, you will be unable to remotely configure other Cisco AR servers if the software on the remote server is running Cisco AR 3.0R0 or Cisco AR 1.7R6 (or earlier). Conversely, you will also be unable to modify a Cisco AR server running release 3.0R1 (or later) from a remote server running Cisco AR 3.0R0 or Cisco AR 1.7R6 (or earlier).
Attempts to log in to use aregcmd where this incompatibility exists will result in command line responses like the following:
Login to cluster 'hostname' failed
and:
402 Login failed: version of aregcmd is incompatible with server
Attempts to use aregcmd to remotely configure Cisco AR servers affected by this incompatibility will result in log entries like the following:
07/21/2003 11:38:49 config/mcd/1 Info Protocol 0 new connection 0x981d0 from [10.1.9.104]
07/21/2003 11:38:49 config/mcd/1 Warning Protocol 0 got bad program-number/version, closing connection 0x981d0
If this problem occurs, you can log in to the affected server locally to modify its configuration. If the server is remote, you can use telnet or rlogin to log in remotely, then launch aregcmd.
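One way to turn the log signature above into a list of administration hosts that still run an incompatible aregcmd, as an added example that is not part of the Cisco AR software. The first two records are the ones shown above (in their wrapped form); the remaining records and the 192.0.2.x addresses are constructed, and find_incompatible_clients is a hypothetical helper name.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample log: first two records from the release notes, the rest constructed.
SAMPLE_LOG = """\
07/21/2003 11:38:49 config/mcd/1 Info Protocol 0 new connection 0x981d0 from
[10.1.9.104]
07/21/2003 11:38:49 config/mcd/1 Warning Protocol 0 got bad program-number/version,
closing connection 0x981d0
07/21/2003 11:40:02 config/mcd/1 Info Protocol 0 new connection 0x98220 from [192.0.2.15]
07/21/2003 11:41:10 config/mcd/1 Info Protocol 0 new connection 0x981d0 from [192.0.2.77]
07/21/2003 11:41:10 config/mcd/1 Warning Protocol 0 got bad program-number/version, closing connection 0x981d0
07/21/2003 11:45:31 config/mcd/1 Info Protocol 0 new connection 0x98300 from [10.1.9.104]
07/21/2003 11:45:31 config/mcd/1 Warning Protocol 0 got bad program-number/version, closing connection 0x98300
"""

TIMESTAMP = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (.*)$")
NEW_CONN = re.compile(r"new connection (0x[0-9a-fA-F]+) from \[([^\]]+)\]")
BAD_VERSION = re.compile(
    r"got bad program-number/version, closing connection (0x[0-9a-fA-F]+)")


def unwrap(text):
    """Join continuation lines so each record starts with a timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def find_incompatible_clients(text):
    """Map source address -> timestamps of rejected aregcmd connections.

    The warning record carries only the connection handle, so the source
    address is taken from the matching 'new connection' record. Handles are
    reused over time, so a handle is forgotten once its connection closes.
    """
    open_connections = {}
    findings = defaultdict(list)
    for record in unwrap(text):
        stamped = TIMESTAMP.match(record)
        if not stamped:
            continue
        when = datetime.strptime(stamped.group(1), "%m/%d/%Y %H:%M:%S")
        body = stamped.group(2)
        opened = NEW_CONN.search(body)
        if opened:
            open_connections[opened.group(1)] = opened.group(2)
            continue
        rejected = BAD_VERSION.search(body)
        if rejected:
            source = open_connections.pop(rejected.group(1), "unknown")
            findings[source].append(when)
    return dict(findings)


if __name__ == "__main__":
    for source, times in sorted(find_incompatible_clients(SAMPLE_LOG).items()):
        print(source, len(times), "rejected connection(s), first at", times[0])
```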
Related Documentation
The following documents describe Cisco Access Registrar and are available online via CCO and on the Cisco Documentation CD-ROM:
• Cisco Access Registrar User's Guide (part number OL-2681-02)
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/3_0/users/index.htm
The Cisco Access Registrar User's Guide describes Cisco Access Registrar components and how to use them.
• Cisco Access Registrar Installation and Configuration Guide (part number OL-2682-03)
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/3_0/install/index.htm
The Cisco Access Registrar Installation and Configuration Guide describes how to install and configure the Cisco Access Registrar 3.0 software, and how to customize your site.
• Cisco Access Registrar Concepts and Reference Guide (part number OL-2683-01)
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/3_0/concepts/index.htm
The Cisco Access Registrar Concepts and Reference Guide provides information to help you gain a better understanding of Cisco Access Registrar features and concepts.
System Requirements
This section describes the system requirements for installing the Cisco Access Registrar 3.0 software.
Cisco Access Registrar Full Installation
Table 3 lists the system requirements for a full installation of Cisco Access Registrar 3.0.
Table 3 Cisco Access Registrar Full Installation Requirements
Component | Requirement
CPU Architecture | SPARC
OS Version | Solaris 8
Minimum RAM | 64 MB
Recommended RAM | 128 MB
Recommended Disk Space | 175 MB
Cisco Access Registrar Server-only Installation
Table 4 lists the system requirements for installing the server-only component of Cisco Access Registrar 3.0.
Table 4 Cisco Access Registrar Server-only Requirements
Component | Requirement
CPU Architecture | SPARC
OS Version | Solaris 8
Minimum RAM | 64 MB
Recommended RAM | 128 MB
Recommended Disk Space | 130 MB
Cisco Access Registrar Configuration-only Installation
Table 5 lists the system requirements for installing the configuration-only component of Cisco Access Registrar 3.0.
Table 5 Cisco Access Registrar Configuration-only Requirements
Component | Requirement
CPU Architecture | SPARC
OS Version | Solaris 8
Minimum RAM | 32 MB
Recommended RAM | 64 MB
Recommended Disk Space | 50 MB
The recommended disk space does not include the amount of space needed for accounting records which can grow rapidly depending on how frequently you process and remove them from the Cisco Access Registrar disk. If Cisco Access Registrar runs out of disk space, it could cause the loss of accounting information and the corruption of session management information.
Co-Existence With Other Network Management Applications
To achieve optimal performance, Cisco Access Registrar should be the only application running on a single machine. You can choose to run collaborative servers such as an Oracle or SQL database system, an LDAP server, or another Solaris application. There are no known conflicts with any other Solaris applications.
You can configure Cisco Access Registrar to avoid UDP port conflicts with other network management applications. The most common conflicts occur when other applications also use ports 2785 and 2786. Another possible conflict could be SNMP. If you configure and use SNMP on your Cisco AR server, no other application can be configured to use SNMP on the Cisco AR machine.
Note
Cisco Network Registrar and Cisco Access Registrar cannot co-exist on the same workstation.
Downloading Cisco Access Registrar Software
You can download the Cisco Access Registrar software from Cisco Connection Online (CCO) at the following URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/access-registrar
You will need your active CCO username and password to achieve access. All current versions of Cisco Access Registrar software including the most recent maintenance releases are available for download. The link for Cisco Access Registrar 3.0R9 software is ar-3.0r9-sunos58.tar.gz. You might also need the zcat program file to unpack the software file (.tar.gz suffix).
Cisco AR provides extensions that can be written in Java. If you intend to write Java extensions, the Java Runtime Environment (JRE) is required. You can download a current version of the JRE from http://java.sun.com.
Upgrading Cisco Access Registrar Software
The software upgrade procedure has been changed in Cisco Access Registrar 3.0. If you are upgrading from a previous release, you are no longer required to export your existing database to retain it.
The installation process provides the following options to consider before you begin to upgrade your software:
• Upgrade from an earlier version of Cisco AR and erase your previous configuration
• Upgrade from an earlier version of Cisco AR and retain your previous configuration
• Install Cisco AR on a system for the first time
Before you install the software, the following tasks must be done:
• Ensure that replication is disabled
Note
If you are using Cisco Access Registrar's replication feature, you must disable it during the upgrade process or the upgrade will fail. When completed, refer to the "Restarting Replication" section for the correct way to restart replication.
• Use pkgrm to remove the earlier version of Cisco Access Registrar executables
• If you plan to use Cisco Access Registrar's SNMP features:
– Disable the current Sun SNMP daemon
– Prevent the Sun SNMP daemon from restarting after a reboot
To upgrade your software to Cisco AR 3.0, log in as user root and complete the following steps:
Step 1
Log in as administrator and use aregcmd to ensure that replication is disabled.
cd /radius/replication
[ //localhost/Radius/Replication ]
RepType = None
RepTransactionSyncInterval = 60000
RepTransactionArchiveLimit = 100
RepIPAddress = 0.0.0.0
RepPort = 1645
RepSecret = NotSet
RepIsMaster = FALSE
RepMasterIPAddress = 0.0.0.0
RepMasterPort = 1645
Rep Members/
Make sure that RepType is set to None.
Step 2
If you made changes, save them and exit the aregcmd command interface.
Step 3
Remove the existing Cisco Access Registrar software package.
To remove Cisco AR 1.7 (or earlier) software, enter the following:
pkgrm AICar1
To remove Cisco AR 3.0 software, enter the following:
pkgrm CSCOar
Step 4
If you plan to use Cisco Access Registrar's SNMP features, disable the Sun SNMP daemon by entering the following:
/etc/rc3.d/S76snmpdx stop
/etc/rc3.d/S77dmi stop
Step 5
If you plan to use Cisco Access Registrar's SNMP features, prevent the Sun SNMP daemon from restarting after a reboot by entering the following:
mkdir /etc/rc3.d/.disabled
mv /etc/rc3.d/S76snmpdx /etc/rc3.d/.disabled
mv /etc/rc3.d/S77dmi /etc/rc3.d/.disabled
Preparing to Install Downloaded Cisco Access Registrar Software
This section provides you with information to help you prepare to install downloaded software. The current version is named ar-3.0r9-sunos58.tar.gz.
You might also need to download the file zcat (from the same location as the software package) and use the chmod command to make zcat executable, as in chmod 555 zcat.
Complete the following steps to prepare for software installation.
Step 1
Create a temporary directory, such as /tmp/AR, to hold the downloaded software package.
Step 2
Become root user by entering su and the root password.
Step 3
Change directory to the location where you have stored the downloaded software package.
host# cd /tmp/AR
Step 4
Use the following command line to uncompress the tarfile and extract the installation package files.
host# ./zcat ar-3.0r9-sunos58.tar.gz | tar xvf -
Designating the JRE Location
If you plan to use Java extensions, you must indicate during the software installation process the directory location where the JRE is installed. If you reply that you plan to use Java extensions, the installation process requests the directory where the JRE is installed.
If you already have JRE installed, please enter the directory
where it is installed. Press return otherwise.
Where is the current JRE installed? [?,q] /directory/j2re1.4.0
Step 5
Enter the directory where the JRE is installed, as shown above.
If you do not enter a directory and simply press Enter, the following message will display:
You can download the JRE from:
http://java.sun.com/products/archive
pkgadd: ERROR: request script did not complete successfully
Installation of <CSCOar> failed.
No changes were made to the system.
If you enter an invalid directory, the following message will display:
Where is the current JRE installed? [?,q] /foo
The directory specified does not contain java, please
download a compatible one from:
http://java.sun.com/products/archive
pkgadd: ERROR: request script did not complete successfully
Installation of <CSCOar> failed.
No changes were made to the system.
In either case, you must install a current JRE or provide the correct location where the JRE is installed. Refer to the "Downloading Cisco Access Registrar Software" section.
Upgrade Cisco Access Registrar Software and Retain Your Configuration
This section describes how to upgrade your Cisco Access Registrar software and retain your existing configuration database.
Step 1
Become root user by entering su, then the root password.
Step 2
Enter the following command:
pkgadd -d /tmp/AR CSCOar
where /tmp/AR is the temporary directory you created to uncompress and extract the installation files.
Step 3
Select the location where you first installed the package, or accept the default location of /opt/CSCOar.
You are prompted for the type of installation you want: Full (both the server and the configuration utility), Server-only, or Configuration-only.
Step 4
Select the default for a Full installation.
The upgrade process detects an earlier version of Cisco Access Registrar and displays the following message:
The AR local database contains:"
* all server object definitions"
Do you want to preserve the local database in /opt/CSCOar [y,n,?,q] y
Step 5
Because you want to retain your configuration, enter y.
You are prompted to provide a Cisco AR administrator username and password.
Step 6
Enter the username for a Cisco AR administrator and the password, then retype the password.
The upgrade process asks if you want to remove old session information.
Remove old sessions in /opt/CSCOar/data/radius [y,n,?,q]
Step 7
If you want to remove the old session information, enter y. If you enter n, you will retain the old session information.
Step 8
The upgrade process informs you that files are being installed with setuid and/or setgid permissions and prompts you whether or not to install these files as setuid/setgid files. Reply Yes to continue.
Step 9
The upgrade process informs you that scripts requiring super-user permission will be executed during the installation. Reply Yes to continue.
The software installation process begins.
Installing Access Registrar 3.0R9 [SunOS-5.8, ns30, gcc] as <CSCOar>
## Installing part 1 of 1.
/opt/CSCOar/conf/screen.orig
## Executing postinstall script.
# setting up command script /opt/CSCOar/usrbin/screen
# setting up command script /opt/CSCOar/usrbin/arstatus
# setting up command script /opt/CSCOar/usrbin/mcdadmin
# setting up command script /opt/CSCOar/usrbin/mcdshadow
# setting up command script /opt/CSCOar/usrbin/radclient
# setting up command script /opt/CSCOar/usrbin/aregcmd
# setting up control script /etc/init.d/arserver
# linking /etc/init.d/arserver to /etc/rc.d files
# setting up product configuration file /opt/CSCOar/conf/car.conf
Starting Access Registrar Server Agent..completed.
# Upgrade of the configuration db is in progress
# Backing up configuration.
Back-up Copy of Original Configuration
At this point, the upgrade process displays a message like the following to indicate where a copy of your original configuration has been stored.
###############################################################
# A backup copy of your original configuration has been
# /opt/CSCOar/temp/10062.origconfig-backup
# If you need to restore the original configuration,
# enter the following command:
# mcdadmin -coi /opt/CSCOar/temp/10062.origconfig-backup
###############################################################
Removing Old VSA Names
The upgrade process continues with an analysis of the configuration database, addition of new database elements, and a search for obsolete VSA names. When this is complete, a message like the following is displayed:
##############################################################
# Sometimes VSAs get renamed from version to version of AR.
# The upgrade process does not automatically remove the
# old names. The upgrade process has generated a script
# to remove the old names. The script is located in:
# /opt/CSCOar/temp/10062.manual-deletes
# Review the script to make sure you are not using any of
# these old VSAs. Modify your configuration and your
# scripts to use the new names before you attempt to run
# To run the removal script, type:
# aregcmd -sf /opt/CSCOar/temp/10062.manual-deletes
##############################################################
At this point, you should examine the script produced by the upgrade process to make sure that your site is not using any of the old VSAs. In the example above, the script can be found at /opt/CSCOar/temp/10062.manual-deletes.
Note
The number preceding manual-deletes is produced from the PID of the upgrade process.
Step 10
Modify your configuration and your scripts to use the new names before you attempt to run the script generated by the upgrade process.
VSA Update Script
The upgrade process continues and builds a script you can use to update VSAs in your system.
##############################################################
# VSAs for the old AR version are not updated
# automatically. The upgrade process generated a script
# to perform the update. The script is located in:
# /opt/CSCOar/temp/10062.manual-changes
# Review the script to make sure it does not conflict with
# any of your VSA changes. Make sure you modify the script,
# if necessary, before you attempt to run it.
# To run the update script, type:
# aregcmd -sf /opt/CSCOar/temp/10062.manual-changes
##############################################################
Step 11
Review the script and make sure that the changes it will make do not conflict with any changes you might have made to the VSAs. Modify the script if necessary.
Step 12
Record the location of the upgrade messages for future reference.
##############################################################
# These upgrade messages are saved in:
# /opt/CSCOar/temp/10062.upgrade-log
##############################################################
Starting the Cisco AR Server
After you have completed the upgrade steps described above, you can start the Cisco AR server.
/etc/init.d/arserver start
Configuring SNMP
If you choose not to use the SNMP features of Cisco Access Registrar, the installation process is completed. To use SNMP features, complete the configuration procedure described in SNMP Configuration.
Upgrade Cisco Access Registrar Software and Erase Your Configuration
This section describes how to upgrade your Cisco Access Registrar software and erase your existing configuration database.
Step 1
Become root user by entering su, then the root password.
Step 2
Enter the following command:
pkgadd -d /tmp/AR CSCOar
where /tmp/AR is the temporary directory you created to uncompress and extract the installation files.
Cisco Access Registrar 3.0R9 [SunOS-5.8, official]
Copyright (C) 1998-2004 by Cisco Systems, Inc.
This program contains proprietary and confidential information.
All rights reserved except as may be permitted by prior written
Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q]
Step 3
Select the location where you first installed the package, or accept the default location of /opt/CSCOar.
Cisco AR provides extensions that can be written in Java.
If you intend to write Java extensions, the Java Runtime
Environment (JRE) is required.
Do you require the Cisco AR Java extension? [No]: [?,q]
Step 4
If you do not plan to use Java extensions, enter No, and skip to Step 6. If you do plan to use Java extensions, enter Yes.
If you already have JRE installed, please enter the directory
where it is installed. Press return otherwise.
Where is the current JRE installed? [?,q]
Step 5
If you entered Yes, enter the directory where the JRE is installed.
Where is the current JRE installed? [?,q] /directory/j2re1.4.0
You are prompted for the type of installation you want: Full (both the server and the configuration utility), Server-only, or Configuration-only.
Step 6
Select the default for a Full installation.
The upgrade process detects an earlier version of Cisco Access Registrar and displays the following message:
The AR local database contains:"
* all server object definitions"
Do you want to preserve the local database in /opt/CSCOar [y,n,?,q]
Step 7
Because you are erasing your original configuration, enter n.
The upgrade process displays a message about example configurations that can be installed with the software. These examples can help you with initial configuration of Cisco Access Registrar.
Do you want to install the example configuration now [y,n,?,q]
Step 8
Enter y to install the example configuration, or n if you do not want to install it.
You can delete the example configuration at any time by running the following command:
$INSTALL/usrbin/aregcmd -f $INSTALL/examples/cli/delete-example-configuration.rc
Step 9
The upgrade process informs you that files are being installed with setuid and/or setgid permissions and prompts you whether or not to install these files as setuid/setgid files. Reply Yes to continue.
Step 10
The upgrade process informs you that scripts requiring super-user permission will be executed during the installation. Reply Yes to continue.
The software installation process begins.
Installing Access Registrar 3.0R9 [SunOS-5.8, ns30, gcc] as <CSCOar>
## Installing part 1 of 1.
/opt/CSCOar/conf/screen.orig
# installing example configuration
Starting Access Registrar Server Agent..completed.
The Radius server is now running.
If SNMP needs to be reconfigured please follow the following procedure:
(1) stop AR: /etc/init.d/arserver stop
(2) edit: /cisco-ar/ucd-snmp/share/snmp/snmpd.conf
(3) restart AR: /etc/init.d/arserver start
Installation of <CSCOar> was successful.
If you choose not to use the SNMP features of Cisco Access Registrar, the installation process is completed. To use SNMP features, complete the configuration procedure described in SNMP Configuration.
Restarting Replication
Before you enable replication, you must first upgrade all replication slave servers to the same version of Cisco Access Registrar software as the master server. Do not enable replication on the master server until all slave servers have been upgraded.
Use the same process you used to upgrade the master server to upgrade any slave servers. If you retained your configuration on the master, retain the configuration on the slaves, too.
After the same version of Cisco Access Registrar software has been installed on all slave servers, you can enable replication on the master server again. After enabling replication on the master server, you can enable replication on each of the slave servers.
Installing Cisco Access Registrar Software For the First Time
This section provides information to help you install Cisco Access Registrar software on a system for the first time.
Adding Group Staff
Before you begin to install the software, check your workstation's group file and make sure that group staff exists. Software installation will fail if group staff does not exist before installing the software.
Installing from CD-ROM
To begin installing software from the product CD, complete the following steps:
Step 1
Become root user by entering su, then the root password.
Step 2
Enter the following command:
pkgadd -d /cdrom/cdrom0/kit/sunos58 CSCOar
Step 3
Proceed to Installing Software.
Uncompressing the Tarfile and Extracting Files
If you downloaded the Cisco Access Registrar 3.0 software from the Cisco Access Registrar Resource Center, the software package is contained within a compressed tarfile named ar-3.0sunos58.tar.gz.
Note
You might also need to download the file zcat (from the same location as the software package) and use the chmod command to make zcat executable, as in chmod 555 zcat.
Complete the following steps to prepare for software installation.
Step 1
Create a temporary directory, such as /tmp/AR, to hold the downloaded software package.
Step 2
Become root user by entering su and the root password.
Step 3
Change directory to the location where you have stored the uncompressed tarfile.
host# cd /tmp/AR
Step 4
Use the following command line to uncompress the tarfile and extract the installation package files.
host# ./zcat ar-3.0r9-sunos58.tar.gz | tar xvf -
Preparing to Use SNMP
If you plan to use the SNMP features of Cisco Access Registrar, complete the following steps:
Step 1
Become root user by entering su, then the root password.
Step 2
Enter the following commands to disable the Sun SNMP daemon and allow Cisco AR's SNMP daemon to function:
/etc/rc3.d/S76snmpdx stop
/etc/rc3.d/S77dmi stop
Step 3
Enter the following commands to prevent the Sun SNMP daemon from restarting after a reboot:
mkdir /etc/rc3.d/.disabled
mv /etc/rc3.d/S76snmpdx /etc/rc3.d/.disabled
mv /etc/rc3.d/S77dmi /etc/rc3.d/.disabled
Installing Software
To begin installing downloaded software, complete the following steps:
Step 1
Become root user by entering su, then the root password.
Note
If you do not plan to use Cisco Access Registrar's SNMP features, skip steps 2 and 3 and proceed to step 4.
Step 2
If you plan to use Cisco Access Registrar's SNMP features, disable the Sun SNMP daemon by entering the following:
/etc/rc3.d/S76snmpdx stop
/etc/rc3.d/S77dmi stop
Step 3
If you plan to use Cisco Access Registrar's SNMP features, prevent the Sun SNMP daemon from restarting after a reboot by entering the following:
mkdir /etc/rc3.d/.disabled
mv /etc/rc3.d/S76snmpdx /etc/rc3.d/.disabled
mv /etc/rc3.d/S77dmi /etc/rc3.d/.disabled
Step 4
Enter the following command:
pkgadd -d /tmp/AR CSCOar
where /tmp/AR is the temporary directory you created to uncompress and extract the installation files.
Processing package instance <CSCOar> from
<source_directory/ar-3.0r9-sunos58>
Cisco Access Registrar 3.0R9 [SunOS-5.8, official]
Copyright (C) 1998-2004 by Cisco Systems, Inc.
This program contains proprietary and confidential information.
All rights reserved except as may be permitted by prior written
Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q]
Step 5
Select the location where you want to install the package, or accept the default location of /opt/CSCOar.
Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q]
Step 6
If the directory does not exist, you are asked if you want it created. Choose Yes to continue the installation.
Cisco AR provides extensions that can be written in Java.
If you intend to write Java extensions, the Java Runtime
Environment (JRE) is required.
Do you require the Cisco AR Java extension? [No]: [?,q]
Step 7
If you plan to use Cisco AR Java extensions, reply Yes. If you do not plan to use Cisco AR Java extensions reply No and skip to Step 6.
When using Cisco AR Java extensions, the installation process requests the directory where the JRE is installed.
If you already have JRE installed, please enter the directory
where it is installed. Press return otherwise.
Where is the current JRE installed? [?,q] /directory/j2re1.4.0
Step 8
Enter the directory where the JRE is installed, as shown above.
If you do not enter a directory, and simply press Enter, the following message will display, and the installation will fail without making changes to the system.
You can download the JRE from:
ftp://ftpeng.cisco.com/ftp/cnsar/3.0/official
The filename is:j2re-1_4_1-solaris-sparc.sh
After you have installed the JRE, re-initiate the Cisco AR
pkgadd:ERROR:request script did not complete successfully
Installation of <CSCOar> failed.
No changes were made to the system.
If you enter an invalid directory, the following message will display, and the installation will fail without making changes to the system.
Where is the current JRE installed? [?,q] /foo
The directory specified does not contain java, please
download a compatible one from:
ftp://ftpeng.cisco.com/ftp/cnsar/3.0/official
The filename is:j2re-1_4_1-solaris-sparc.sh
pkgadd:ERROR:request script did not complete successfully
Installation of <CSCOar> failed.
No changes were made to the system.
In either case, you must install a current JRE or provide the correct location where the JRE is installed. Refer to the "Downloading Cisco Access Registrar Software" section.
This package contains the Access Registrar Server and the Access
Registrar Configuration Utility. You can choose to perform a Full
installation, just install the Server, or just install the
What type of installation: Full, Server only, Config only [Full] [?,q]
Step 9
Select the type of installation you want: Full (both the server and the configuration utility), Server-only, or Configuration-only. Select the default for a Full installation.
To select Server-only, enter Server. To select configuration-only, enter Config.
Note
If you choose to install the server over a previous installation, the installation will prompt you with the following questions.
a. If the installation detects a configuration database from a previous installation of Cisco Access Registrar, it asks you if you want to overwrite the database. If you want to start with a clean configuration and remove your session information, answer Yes. If you want to keep your original configuration information, answer No.
b. If you answer No to overwriting the database, the installation asks you if you want to overwrite the session information. If you want to start with empty session information, answer Yes. If you want to keep your original information, answer No.
The AR local database contains:"
* all server object definitions"
Do you want to preserve the local database in /opt/CSCOar [y,n,?,q]
Step 10
When prompted whether to preserve the local database, reply Yes or No to continue.
If you choose to preserve the local database, you are required to enter the administrator's User ID and password.
The upgrade procedure needs administrator access to your
configuration so that it can upgrade it.
Enter an AR administrator username and password:
If you choose to preserve the local database, you are prompted whether to remove old sessions.
Remove old sessions in /opt/CSCOar/data/radius [y,n,?,q]
Step 11
When prompted whether to remove old sessions, reply Yes or No to continue.
If you want to learn about Access Registrar by following the examples
in the Installation and Configuration Guide, you need to populate the
database with the example configuration.
Do you want to install the example configuration now [y,n,?,q]
Step 12
When prompted whether to install the example configuration now, reply Yes to continue.
Note
You can delete the example configuration at any time by running the command /opt/CSCOar/usrbin/aregcmd -f /opt/CSCOar/examples/cli/delete-example-configuration.rc.
The installation process displays a message about using ODBC.
If you are not using ODBC, press Enter/Return to skip this step.
ORACLE installation directory is required for ODBC configuration.
ORACLE_HOME variable will be set in /etc/init.d/arserver script
Where is ORACLE installed ? [] [?,q]
Step 13
If you plan to use Oracle and ODBC, enter the path to the Oracle installation directory; otherwise, press Enter to continue.
The following files are being installed with setuid and/or setgid
/opt/CSCOar/.system/screen <setuid root>
/opt/CSCOar/bin/aregcmd <setgid staff>
Do you want to install these as setuid/setgid files [y,n,?,q]
Step 14
The installation process prompts you whether or not to install files as setuid/setgid files. Reply Yes to continue.
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of <CSCOar> [y,n,?] y
Note
After you reply Yes to the following step, the Cisco Access Registrar 3.0 software is installed on the target workstation.
Step 15
The installation informs you that it will install scripts that will run as the superuser (su). Reply Yes to begin the software installation. (If you reply No, the installation will abort.)
Installing Cisco Access Registrar 3.0R9 [SunOS-5.8, official] as <CSCOar>
## Installing part 1 of 1.
/opt/CSCOar/.system/screen
The installation copies all of the files and starts the Access Registrar Server Agent which, in turn, starts the Cisco Access Registrar server (if you chose to install the server).
## Executing postinstall script.
# setting up product configuration file /opt/CSCOar/conf/car.conf
# linking /etc/init.d/arserver to /etc/rc.d files
# setting ORACLE_HOME variable in arserver
Starting Access Registrar Server Agent..completed.
The Radius server is now running.
Note
If you plan to use SNMP, note the following message.
If SNMP needs to be reconfigured please follow the following
(1) stop AR: /opt/CSCOar/bin/arserver stop
(2) edit: /cisco-ar/ucd-snmp/share/snmp/snmpd.conf
(3) restart AR: /opt/CSCOar/bin/arserver start
Installation of <CSCOar> was successful.
The installation process displays a message informing you it completed successfully.
The following packages are available:
1 CSCOar Cisco Access Registrar 3.0R9 [SunOS-5.8, official]
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: q
Step 16
The installation returns to the opening prompt. Choose q to quit the pkgadd program.
If you choose not to use the SNMP features of Cisco Access Registrar, the installation process is completed. To use SNMP features, complete the procedure described in "SNMP Configuration" section.
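The setuid/setgid prompt in Step 14 names the two privileged files this package installs. As an added example (not part of the Cisco installer or documentation), the following post-install check inventories setuid and setgid files under the install root and compares them with that list. The function names are hypothetical, and the expected list assumes the two files shown in the prompt are the complete set.

```python
import os
import stat
import sys

# Expected privileged files relative to the install root, taken from the
# installer prompt in Step 14:
#   /opt/CSCOar/.system/screen <setuid root>
#   /opt/CSCOar/bin/aregcmd    <setgid staff>
# Assumption: these two entries are the complete list.
EXPECTED = {".system/screen": "setuid", "bin/aregcmd": "setgid"}


def privileged_files(root):
    """Map relative path -> 'setuid', 'setgid' or 'setuid+setgid'
    for every regular file under root that carries either bit."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode      # lstat: do not follow symlinks
            if not stat.S_ISREG(mode):
                continue
            bits = [label for flag, label in
                    ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
                    if mode & flag]
            if bits:
                found[os.path.relpath(full, root)] = "+".join(bits)
    return found


def compare(found, expected=EXPECTED):
    """Return (unexpected, missing): files whose privilege bits differ from
    the expected list, and expected files that no longer carry their bit."""
    unexpected = sorted(p for p, bits in found.items()
                        if expected.get(p) != bits)
    missing = sorted(p for p in expected if p not in found)
    return unexpected, missing


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/opt/CSCOar"
    unexpected, missing = compare(privileged_files(root))
    for path in unexpected:
        print("UNEXPECTED privileged file:", os.path.join(root, path))
    for path in missing:
        print("EXPECTED bit not present:  ", os.path.join(root, path))
    sys.exit(1 if unexpected or missing else 0)
```

Run it as root after pkgadd completes and again after any later change under the install directory; a non-zero exit status means the inventory no longer matches the installer's list.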
Modifying Your Environment
The following scripts are provided to make access to Cisco AR programs and documentation easier. You can insert one of the following scripts into your login script to set up your environment properly. When you use these scripts, you do not have to enter long path names to run Cisco AR programs. For example, instead of entering $INSTALLPATH/usrbin/aregcmd, you can now enter aregcmd.
Bourne, Korn, Bash, or zsh
If you are using a Bourne shell (sh), Korn shell (ksh), bash, or zsh, add the following lines to your .profile file.
INSTALLPATH=/opt/CSCOar
## (or replace with your install path)
## Each variable is set outright when empty, otherwise the Cisco AR
## directories are prepended, so no empty path component is created.
if [ "$LD_LIBRARY_PATH" = "" ]; then
    LD_LIBRARY_PATH=$INSTALLPATH/lib:$INSTALLPATH/ucd-snmp/lib
else
    LD_LIBRARY_PATH=$INSTALLPATH/ucd-snmp/lib:$LD_LIBRARY_PATH
    LD_LIBRARY_PATH=$INSTALLPATH/lib:$LD_LIBRARY_PATH
fi
if [ "$PATH" = "" ]; then
    PATH=$INSTALLPATH/usrbin:$INSTALLPATH/bin
    PATH=$PATH:$INSTALLPATH/ucd-snmp/bin
    PATH=$PATH:$INSTALLPATH/ucd-snmp/sbin
else
    PATH=$INSTALLPATH/ucd-snmp/sbin:$PATH
    PATH=$INSTALLPATH/ucd-snmp/bin:$PATH
    PATH=$INSTALLPATH/bin:$PATH
    PATH=$INSTALLPATH/usrbin:$PATH
fi
if [ "$MANPATH" = "" ]; then
    MANPATH=$INSTALLPATH/ucd-snmp/man:/usr/share/man
else
    MANPATH=$INSTALLPATH/ucd-snmp/man:$MANPATH
fi
CAR_CONF=$INSTALLPATH/conf/car.conf
export LD_LIBRARY_PATH PATH MANPATH CAR_CONF
csh or tcsh
If you are using a csh or tcsh, add the following lines to your .cshrc file.
set INSTALLPATH = /opt/CSCOar
## (or replace with your install path)
## csh aborts on a reference to an undefined variable, so give the
## variables tested below an empty default first.
if ( ! $?LD_LIBRARY_PATH ) setenv LD_LIBRARY_PATH ""
if ( ! $?MANPATH ) setenv MANPATH ""
if ( "$LD_LIBRARY_PATH" == "" ) then
    setenv LD_LIBRARY_PATH $INSTALLPATH/lib:$INSTALLPATH/ucd-snmp/lib
else
    setenv LD_LIBRARY_PATH $INSTALLPATH/ucd-snmp/lib:$LD_LIBRARY_PATH
    setenv LD_LIBRARY_PATH $INSTALLPATH/lib:$LD_LIBRARY_PATH
endif
if ( "$PATH" == "" ) then
    setenv PATH $INSTALLPATH/usrbin:$INSTALLPATH/bin
    setenv PATH ${PATH}:$INSTALLPATH/ucd-snmp/bin
    setenv PATH ${PATH}:$INSTALLPATH/ucd-snmp/sbin
else
    setenv PATH $INSTALLPATH/ucd-snmp/sbin:$PATH
    setenv PATH $INSTALLPATH/ucd-snmp/bin:$PATH
    setenv PATH $INSTALLPATH/bin:$PATH
    setenv PATH $INSTALLPATH/usrbin:$PATH
endif
if ( "$MANPATH" == "" ) then
    setenv MANPATH $INSTALLPATH/ucd-snmp/man:/usr/share/man
else
    setenv MANPATH $INSTALLPATH/ucd-snmp/man:$MANPATH
endif
setenv CAR_CONF $INSTALLPATH/conf/car.conf
Changing Log Directory
By default Cisco Access Registrar log files are stored in the $INSTALLPATH/log directory. You can change the directory where log messages are stored by adding the following line in the $INSTALLPATH/conf/car.conf file.
LOGDIR full_path
Where full_path is a full path to the directory where you want to store the log messages.
For example, to store all system logs in /var/log/CSCOar, add the following line in the $INSTALLPATH/conf/car.conf file:
LOGDIR /var/log/CSCOar
You must first stop the Cisco AR server prior to changing the car.conf file. After changing the car.conf file, copy all existing log files to the new directory, then restart the server.
SNMP Configuration
Before you can perform SNMP configuration, you must first stop the SNMP master agent, then configure your local snmpd.conf file. The snmpd.conf file is the configuration file which defines how the Cisco AR server's SNMP agent operates. The snmpd.conf file may contain any of the directives found in the DIRECTIVES section.
Stopping the Master Agent
You stop the Cisco AR SNMP master agent by stopping the Cisco Access Registrar server.
arserver stop
Modifying the snmpd.conf File
The path to the snmpd.conf file is /cisco-ar/ucd-snmp/share/snmp. Use vi (or another text editor) to edit the snmpd.conf file. There are three parts of this file to modify:
• Access Control
• Trap Recipient
• System Contact Information
Access Control
Access control defines who can query the system. By default, the agent responds to the public community for read-only access, if run without any configuration file in place.
The following example from the default snmpd.conf file shows how to configure the agent so that you can change the community names, and give yourself write access as well.
Complete the following steps to modify the snmpd.conf file.
Step 1
Look for the following lines in the snmpd.conf file for the location in the file to make modifications:
###############################################################################
# Access Control
###############################################################################
Step 2
First map the community name (COMMUNITY) into a security name that is relevant to your site, depending on where the request is coming from:
# sec.name source community
com2sec local localhost private
com2sec mynetwork 10.1.9.0/24 public
The com2sec directive specifies the mapping from a source/community pair to a security name. The format of com2sec is: NAME SOURCE COMMUNITY
SOURCE can be a hostname, a subnet, or the word default. A subnet can be specified as IP/MASK or IP/BITS. The first source/community combination that matches the incoming packet is selected.
Step 3
Map the security names into group names. The group directive defines the mapping from securitymodel/securityname to group. Model is one of v1, v2c, or usm. The format of the group directive is:
group NAME MODEL SECURITY
# sec.model sec.name
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1 mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork
Step 4
Create a view to enable the groups to have rights. The view directive defines the named view. The format of the view directive is: view NAME MODEL SECURITY
# incl/excl subtree mask
view all included .1 80
Step 5
Finally, you grant the two groups access to the one view with different write permissions.
The access directive maps from group/security model/security level to a view.
MODEL is one of any, v1, v2c, or usm. LEVEL is one of noauth, auth, or priv. PREFIX specifies how CONTEXT should be matched against the context of the incoming PDU, either exact or prefix. READ, WRITE, and NOTIFY specify the view to be used for the corresponding access. For v1 or v2c access, LEVEL will be noauth, and CONTEXT will be empty.
# context sec.model sec.level match read write notif
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none
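The four directives above form a chain (community to security name to group to view), so whether a community string can write is not visible on any single line. As an added example (not from the Cisco documentation or the UCD-SNMP project), the following audit follows that chain and reports default community names, unrestricted sources, and write access that needs no authentication. The function names and finding codes are hypothetical, the field order is taken from the column comments in this section, and HARDENED_CONF is a constructed variant.

```python
import shlex

# The directives shown in this section, reproduced as sample input.
SAMPLE_CONF = """\
#       sec.name   source       community
com2sec local      localhost    private
com2sec mynetwork  10.1.9.0/24  public
group MyRWGroup v1  local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1  mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork
view all included .1 80
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none
"""

# Constructed variant: site-specific community strings and no write view.
HARDENED_CONF = (SAMPLE_CONF
                 .replace("private", "constructed-rw-string")
                 .replace("public", "constructed-ro-string")
                 .replace("exact all all none", "exact all none none"))

WELL_KNOWN = {"public", "private"}   # default community names
COMMUNITY_MODELS = {"v1", "v2c"}     # the community is the only credential
ARITY = {"com2sec": (3,), "group": (3,), "view": (3, 4), "access": (8,)}


def parse_directives(text):
    """Return ({directive: [argument lists]}, [malformed line numbers])."""
    conf = {name: [] for name in ARITY}
    malformed = []
    for number, line in enumerate(text.splitlines(), 1):
        try:
            tokens = shlex.split(line, comments=True)   # "" becomes ''
        except ValueError:                              # unbalanced quote
            malformed.append(number)
            continue
        if not tokens or tokens[0] not in ARITY:
            continue                                    # other directives
        if len(tokens) - 1 not in ARITY[tokens[0]]:
            malformed.append(number)
            continue
        conf[tokens[0]].append(tokens[1:])
    return conf, malformed


def audit(text):
    """Return sorted findings as (code, security_name, detail) tuples."""
    conf, malformed = parse_directives(text)
    findings = {("malformed-line", "", str(n)) for n in malformed}
    views = {row[0] for row in conf["view"]}   # an undefined view grants nothing
    for sec_name, source, community in conf["com2sec"]:
        if community in WELL_KNOWN:
            findings.add(("default-community", sec_name, community))
        if source in ("default", "0.0.0.0/0"):
            findings.add(("any-source", sec_name, source))
        for group, model, member in conf["group"]:
            if member != sec_name or model not in COMMUNITY_MODELS:
                continue
            for (a_group, _ctx, a_model, level,
                 _match, _read, write, _notify) in conf["access"]:
                if (a_group == group and a_model in ("any", model)
                        and level == "noauth" and write in views):
                    findings.add(("community-write", sec_name, group))
    return sorted(findings)


if __name__ == "__main__":
    for code, sec_name, detail in audit(SAMPLE_CONF):
        print(f"{code:18} {sec_name:10} {detail}")
```

SNMP v1 and v2c carry the community string in cleartext, so a community-write finding is the one to resolve first.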
Trap Recipient
The following example shows the default configuration that sets up traps for SNMP versions v1 and v2c.
Note
Most sites use a single NMS, not two as shown below.
# -----------------------------------------------------------------------------
trapcommunity trapcom
trapsink zubat trapcom 162
trap2sink ponyta trapcom 162
###############################################################################
Note
trapsink is used in SNMP version 1; trap2sink is used in SNMP version 2.
The trapcommunity directive defines the default community string to be used when sending traps. This command must appear prior to trapsink or trap2sink which use this community string.
trapsink and trap2sink are defined as follows:
trapsink hostname community port
trap2sink hostname community port
System Contact Information
System contact information is provided in two variables through the snmpd.conf file, syslocation and syscontact.
Look for the following lines in the snmpd.conf file:
###############################################################################
# System contact information
#
#
syslocation Your Location, A Building, 8th Floor
syscontact A. Person <someone@somewhere.org>
Starting the Master Agent
You start the master agent by starting the Cisco Access Registrar server.
arserver start
Enabling SNMP
After you have started the Cisco Access Registrar server again, you can enable SNMP and begin using the feature. To enable SNMP on the Cisco AR server, complete the following steps:
Step 1
As an admin, launch the aregcmd and cd to /Radius/Advanced/SNMP.
aregcmd
cd /Radius/adv/snmp
[ //localhost/Radius/Advanced/SNMP ]
InputQueueHighThreshold = 90
InputQueueLowThreshold = 60
MasterAgentEnabled = TRUE
Step 2
Enter the following command:
set enabled True
Step 3
Exit aregcmd and stop the Cisco AR server; enter the following:
arserver stop
Step 4
Start the Cisco AR server; enter the following:
arserver start
Note
SNMP is not enabled until you stop and restart the server.
Cisco Access Registrar Subdirectories
The installation process populates the /opt/CSCOar directory with the subdirectories listed in Table 6.
Table 6 CSCOar Subdirectories
Subdirectory | Description
.system | Contains executables that should not be run directly
bin | Contains the program executables
usrbin | Contains a symbolic link that points to bin.
data | Contains the radius directory that contains session backing files, the db directory that contains configuration database files, the db.bak directory that contains backup files, and the archive directory that contains the replication archive.
logs | Contains system logs and is the default directory for RADIUS accounting
scripts | Contains sample scripts that you can use to customize your RADIUS server
examples | Contains documentation, sample configuration scripts, and shared library scripts
lib | Contains Cisco Access Registrar software library files
ucd-snmp | Contains the UCD-SNMP software Cisco Access Registrar uses
temp | Used for temporary storage
conf | Contains configuration files
Using the Cisco AR License
Cisco Access Registrar licensing controls your ability to configure your servers. Every copy of Cisco Access Registrar requires a license. You must enter your license the first time you configure each cluster.
To get your Cisco Access Registrar license, send email to car-license@cisco.com. If you have purchased Cisco AR, include your sales order or purchase order number in the email. You will receive your Cisco AR license key by return email, usually within 24-48 hours.
If you have a permanent license, you will not see the license prompt again unless you reinstall and overwrite the database.
If you have an evaluation copy of Cisco Access Registrar, you have a license that will expire. When the license key expires, you will not be able to configure or manage the Cisco Access Registrar RADIUS server. The server itself, however, will continue to function normally.
If you have an invalid or missing licensing key, you will not be able to configure or manage the Cisco Access Registrar RADIUS server.
Specifying the License Key
Use the aregcmd command and specify a license key.
Note
You have three tries to log in successfully before Cisco Access Registrar logs you out.
Step 1
Enter the aregcmd command and log in to the Cisco AR server.
aregcmd
Type your cluster administrator name and password. The installation default is admin for the user and aicuser for the password.
Step 2
If you see the message that you have an invalid license key, you must enter a valid key.
Step 3
Cisco Access Registrar displays the license key at the cluster level and displays the number of days left on the license. For example:
LicenseKey = WXYZ-WXYZ-WXYZ-WXYZ (expires in 30 days)
Changing the License Key
If your license key has expired, and you have received a new license key from Cisco, you can enter the new key by using the set command.
Step 1
Enter the aregcmd command.
aregcmd
Step 2
Type your cluster administrator name and password. The installation default is admin for the administrator and aicuser for the password.
Step 3
Use the set command and specify the new license key. Note, the license key is not case sensitive.
--> set LicenseKey <ABCD>-<ABCD>-<ABCD>-<ABCD>
Testing Cisco Access Registrar
After you have installed Cisco Access Registrar, the Cisco AR Server Agent starts automatically. You can verify that the server is running correctly with the arstatus command. (Successfully running this command ensures that you can communicate with the database and determine whether the server is running or stopped.) You can run the aregcmd command to log in to the server. You can also run the radclient command to create and send a simple Access-Request.
Checking the Servers
Step 1
Check that the servers are running. Enter the arstatus command:
arstatus
Server Agent running (pid: 2098)
MCD server running (pid: 2102)
SNMP Master Agent running (pid: 2090)
RADIUS server running (pid: 2106)
MCD lock manager running (pid: 2103)
Note
The SNMP Master Agent process is optional and only present if you are using SNMP.
Step 2
If the servers are not running, do the following:
a.
Become superuser (su).
b.
Change to the /etc/init.d directory.
c.
Type the arserver command with the start argument:
./arserver start
Starting AIC Server Agent for Access Registrar
Logging into Cisco AR
Step 1
After the servers are running, run the aregcmd command in interactive mode:
aregcmd
Step 2
Cisco Access Registrar prompts you for the cluster. Type the cluster name or press Enter for localhost.
Cisco Access Registrar prompts you for the admin login and password. Use admin for the user name, and aicuser for the password.
Step 3
Cisco Access Registrar prompts you to enter a valid license key. Enter the license key that is located on the back of the Cisco Access Registrar CD case.
For more information about the license key, see the "Using the Cisco AR License" section.
Testing a Packet
Step 1
Run the radclient command.
> radclient
Cisco Access Registrar prompts you for the cluster.
Step 2
Type the cluster name or press Enter for localhost.
Cisco Access Registrar prompts you for the admin login and password. Use admin for the user name, and aicuser for the password.
Step 3
Create a simple Access-Request packet for User-Name bob and User-Password bob. At the prompt, type:
simple bob bob
The radclient command displays the ID of the packet p001.
Step 4
Send the request to the default host (localhost):
p001 send
p002
Packet: code = Access-Accept, id = 1, length = 62,
attributes =
Service-Type = Framed
Framed-Protocol = PPP
Framed-Routing = None
Framed-MTU = 1500
Framed-Compression = VJ TCP/IP header compression
Ascend-Idle-Limit = 1800
The radclient command displays the response, an Access-Accept, when the server is running properly.
Caveats
This section provides information about known anomalies in Cisco Access Registrar 3.0 and anomalies (from previous versions of Cisco AR) that have been fixed. This section also has information about known problems with the Solaris 8 operating environment.
Known Anomalies in Cisco Access Registrar 3.0R9
This section describes the known anomalies in Cisco Access Registrar, Release 3.0R9.
Table 7 Known Anomalies in Cisco AR 3.0R9
Bug
|
Description
|
CSCai02102
|
Session backing store can become corrupted if the disk partition becomes full
Symptoms: aregcmd fails while logging in or aregcmd fails while saving with an error message similar to "500 Internal Error / Checking to see if we needed to synchronize with external changes to database failed." or after a reload AR's knowledge of user sessions is missing information that it had before the reload.
Conditions: The disk partition upon which Cisco AR is installed is full.
Workaround: Make more space available on the partition. Cisco AR might need to be restarted.
|
CSCdw74227
|
Increasing the maximum number of file descriptors in /etc/system causes aregcmd to stop working
Symptoms: aregcmd cannot login to the server, even on a fresh install.
Conditions: The administrator has raised the maximum number of file descriptors in /etc/system to increase the maximum number of open file handles.
Workaround: Remove the maximum number of file descriptors lines and reboot the Cisco AR server.
|
CSCdy04282
|
Cisco AR may not handle non-tagged attributes correctly from proxy
Symptoms: Cisco AR returns garbage values in tunnel attributes when returning them as a proxy server.
Conditions: When Cisco AR is a proxy server (as in dial wholesale), a returning access-accept containing non-tagged tunnel attributes may not be handled correctly.
Workaround: Have the downstream server return tagged attributes instead of untagged ones.
|
CSCdy29522
|
Access Registrar trap MIB not on CCO nor MIB-police submitted
Problem description: The Access Registrar MIB referenced at /en/US/docs/net_mgmt/access_registrar/1.7/concepts/guide/snmp.html#xtocid1 includes the carServerStop trap but the MIB is unavailable to customers.
Workaround: None.
|
CSCdy51365
|
Java services not hot-configured properly
Symptoms: Java services do not work until the server is reloaded.
Conditions: A Java service is added and saved, and the server is not reloaded.
Workaround: Reload the server on adding a Java service.
|
CSCdy71586
|
Class file not located if classpath set after java script configuration
Symptoms: The class file referenced by a Java extension script is not recognized if it is in a location other than the default classpath if the classpath is set to the class file location after the script is configured.
Conditions: The classpath for Java extensions parameter is set after the Java extension script is configured.
Workaround: Set the classpath for Java extensions before configuring the script or restart the server.
|
CSCdy87379
|
Script with invalid class requires restart even after correction
Symptoms: Configuring a script with an invalid class stops the server. The server does not start on reloads even after the class is corrected.
Conditions: The class configured for the script is not valid.
Workaround: Restart the server.
|
CSCdz21344
|
Concurrency control problem with user attributes
Symptoms: Attributes in a user's attributes or check-items directory are deleted in two different aregcmd sessions. Only one of the two attributes shows up as deleted in subsequent aregcmd sessions.
Conditions: This only occurs when these attributes are deleted in two different aregcmd sessions.
Workaround: Remove the attribute which was not deleted a second time.
|
CSCdz36245
|
Alternate threading library causes AX_EWOULDBLOCK messages
Symptoms: The logs have a large number of AX_EWOULDBLOCK messages and the server performance is erratic.
Conditions: Using Solaris 8 with the alternate threading library located in /usr/lib/lwp.
Workaround: Use the default library in /usr/lib rather than the alternate one.
|
CSCeb05384
|
Memory leak in third-party libraries while reloading
Symptoms: Memory leaks found in TCL and nramia while analyzing with Purify.
Conditions: While reloading Cisco AR software.
Workaround: Restart the Cisco AR processes.
|
CSCeb11506
|
Add Rule arguments not aligned with properties
Symptoms: Setting rule properties with the add command fails.
Conditions: After executing the following:
add /Radius/Rules/myrule "" ExecRealmRule
Added /Radius/Rules/myrule
ls myrule
Workaround: Use the following configuration:
add /Radius/Rules/myrule ExecRealmRule
Added /Radius/Rules/myrule
ls myrule
Description = ExecRealmRule
|
CSCeb19955
|
Changing name of pre-existing administrator requires you to delete the previous name
Symptoms: Unable to change the name of an existing administrator.
Conditions: The name of an existing administrator may be changed, but will remain unchanged the next time aregcmd is used.
Workaround: If the name of an administrator must be changed, delete it and add a new administrator.
|
CSCeb46418
|
Misleading aregcmd error when swap space consumed
Symptoms: aregcmd indicates that it was unable to read the internal configuration.
Conditions: This might occur when all swap space on a machine is in use.
Workaround: Redistribute applications so there is adequate swap space on the machine.
|
CSCeb80164
|
Retrace-Packet prints erroneous trace information
Symptoms: The trace shows two response packets to a single request. The first response trace shows an invalid length, as shown in this example:
07/30/2003 20:52:32: P712: Tcl: environ put Retrace-Packet TRUE -> OK
07/30/2003 20:52:32: P712: Using Client: localhost (127.0.0.1)
7/30/2003 20:52:32: P712: Using NAS: localhost (127.0.0.1)
07/30/2003 20:52:32: P712: Request is directly from a NAS: TRUE
07/30/2003 20:52:32: P712: Trace of Access-Request packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 70
07/30/2003 20:52:32: P712: reqauth = aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
07/30/2003 20:52:32: P712: User-Name = user1@domain1.com
07/30/2003 20:52:32: P712: User-Password = aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
07/30/2003 20:52:32: P712: NAS-Port = 1
07/30/2003 20:52:32: P712: NAS-Identifier = localhost
07/30/2003 20:52:32: P712: Authenticating and Authorizing with Service aalocal
07/30/2003 20:52:32: P712: Getting User user1@domain1.com's UserRecord from UserList local
07/30/2003 20:52:32: P712: User user1@domain1.com's password matches
07/30/2003 20:52:32: P712: Merging BaseProfile 1 into response dictionary
07/30/2003 20:52:32: P712: Merging attributes into the Response Dictionary:
07/30/2003 20:52:32: P712: Adding attribute Cisco-AVPair, value = ip:addr-pool=public
07/30/2003 20:52:32: P712: No default Remote Session Service defined.
07/30/2003 20:52:32: P712: Trace of Access-Accept packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 70 <====== INCORRECT
07/30/2003 20:52:32: P712: reqauth = 53:a3:5b:73:3d:58:3b:2c:f2:3c:59:7d:c9:dc:78:0d
07/30/2003 20:52:32: P712: Cisco-AVPair = ip:addr-pool=public
07/30/2003 20:52:32: P712: Trace of Access-Accept packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 47
07/30/2003 20:52:32: P712: reqauth = 02:7d:9c:1f:d9:c5:be:9a:0b:7d:6d:70:96:6a:21:16
07/30/2003 20:52:32: P712: Cisco-AVPair = ip:addr-pool=public
07/30/2003 20:52:32: P712: Sending response to 127.0.0.1
Conditions: The Retrace-Packet AR environment variable has been set to TRUE and the trace level has been set to four or above.
Workaround: None
|
CSCeb86676
|
Error message for malformed packet wrong with LDAP.
Symptoms: Trace messages indicate that poorly-formatted packets were rejected due to unknown user names or incorrect passwords.
Conditions: This might occur when LDAP is used for authentication or authorization.
Workaround: In some cases, it may be necessary to turn trace levels up and examine the contents of packets. Generally this will not be required.
|
CSCec11705
|
An error message for ODBC and FDS is confusing
Symptoms: ODBC is configured properly, but the following message appears in the log:
/opt/CSCOar/logs/name_radius_1_log:08/22/2003 9:35:29 name/radius/1 Error
Server 0 ODBC client (Connection 30): SQLConnect failed: IM002
[unixODBC][Driver Manager]Data source name not found, and no default driver specified
Conditions: This might occur when the number of open file descriptors exceeds the system limit.
Workaround: Increase the number of open file descriptors permitted, or ignore the message when it occurs.
|
CSCec22061
|
OutagePolicy of AcceptAll leads to strange responses
Symptoms: An Access-Accept for an HTTP Digest message does not contain an MS-MPPE-Recv key attribute or a Session-Timeout.
Conditions: This might occur if the authentication or authorization service is down and the outage policy is set to AcceptAll.
Workaround: Set the outage policy to RejectAll.
|
CSCec53453
|
Parse errors appear in Replication messages
Symptoms: The message parse failed \<unknown user\> appears in the log.
Conditions: This might occur with replication configured.
Workaround: Ignore these messages; the server should recover without intervention.
|
CSCec56101
|
After lock manager is killed, all servers die
Symptoms: After the lock manager is killed, all other servers die.
Conditions: This may occur if the lock manager is manually killed on busy multi-processor machines.
Workaround: None
|
CSCec61714
|
Rapid memory growth in arservagt
Symptoms: The arservagt process becomes quite large.
Conditions: This has been observed occasionally, under conditions of extreme stress.
Workaround: Restart the arservagt process.
|
CSCec71481
|
Invalid attribute message given for good accounting requests
Symptom: Excessive invalid attribute messages appear in the name_radius_1_log file such as the following:
10/27/2003 17:21:54 name/radius/1 Warning Protocol 0 Accounting Request from localhost (127.0.0.1) contains invalid attributes in packet user9020%PPP
Conditions: The server is processing accounting packets and is under high load (over 500 RPPS) with packet latency of over 10ms (load with session management).
Workaround: None. However, the RADIUS protocol should recover and try to resend the accounting requests.
|
CSCed03397
|
USR VSAs have incorrect format
Symptom: 3Com PDSN complains about the USR VSAs being returned to it from AR
Condition: Cisco AR is configured to use USR VSAs. Cisco AR uses the normal VSA format of:
type, length, vendor, vendor type, length, data
instead of the USR format:
type, length, vendor, vendor type, data
Workaround: Use an extension point script to configure the USR VSAs.
|
CSCed77005
|
Response-Type not read at ServiceOutgoing
Symptoms: Cisco AR ignores the Response-Type environment variable at the service outgoing scripting point.
Conditions: An LDAP service was in use for authentication and authorization. An outgoing script on this service checked if the request was rejected. If it was, the script changed the Response-Type to Access-Accept.
Workaround: If the same script is placed at the server outgoing scripting point, the script successfully accepts the user.
|
CSCed82478
|
Minor memory leak with ODBC failure connect attempts with myodbc
Symptoms: Radius process memory size increases.
Condition: An invalid myodbc datasource is configured in the remote ODBC server and ReactivateTimeInterval is set to a very low value.
Workaround: None.
|
CSCed83041
|
After load of large user file with replication, packets are dropped
Symptoms: The master replication server ceases responding to packets after a very large number of users are loaded.
Conditions: This might occur with very large numbers of users and probably also with large numbers of profiles.
Workaround: Load larger user files into both master and member servers prior to starting up replication, or load large files during very off-peak periods when a backup server is available.
|
CSCee88854
|
The unset 0 command causes decrement of entry index in indexed lists
Symptom: The unset 0 command causes the entry indices in indexed lists to be decremented by one, and aregcmd segmentation faults on subsequent commands with valid indices.
Condition: The unset command is used with index 0.
Workaround: Use the unset command with valid indices only.
|
CSCef20109
|
Session management performance degradation
Symptom: Performance peaks at about 500 requests per second.
Condition: Session management is in use.
Workaround: None.
|
CSCef34090
|
File descriptor count not consistent across Cisco AR server reloads
Symptoms: Radius process file descriptor count not consistent
Condition: Occurs after executing aregcmd reload, stop, and start.
Workaround: None
|
CSCef70457
|
With HTTP digest, Reply-Message not sent when UserPasswordInvalid
Symptoms: Reply-Message not present in Access-Reject
Condition: With HTTP digest authentication and local-users service, send an Access-Request with digest response generated from invalid password.
Workaround: None
|
CSCef90638
|
Cisco AR log files need to check log size at startup and roll if needed
Symptoms: The aregcmd log does not roll when it gets to the configured rolling size.
Conditions: The aregcmd log grows to a size that is larger than the LogFileSize property, but it does not roll.
Workaround: An aregcmd session must have 25 commands after reaching the roll size before the log will roll.
|
CSCin45016
|
Session Manager hangs while changing the system date
Symptoms: The release-session command of aregcmd hangs, and the RADIUS server does not respond to Access-Requests and hangs in session management.
Conditions: Changing the system date to an earlier time and not restarting the server.
Workaround: Restart the Cisco AR server after changing the system date/time.
|
CSCin46551
|
RADIUS server is reloaded when enabling SNMP and doing restart immediately thereafter.
Symptoms: RADIUS is reloaded automatically.
Conditions: Enabling SNMP in Cisco AR and restarting the server immediately.
Workaround: None.
|
CSCin53226
|
On heavy load odbc.ini file becomes empty
Symptoms: The log reports that the ODBC datasource cannot be found.
Conditions: This has only been observed with an extremely high number of ODBC data source connections and heavy load.
Workaround: Replace the contents of the /opt/CSCOar/odbc/etc/odbc.ini file.
|
CSCin57842
|
LEAP challenge not sent when setting Response-Type to accept
Symptoms: User accepted without sending EAP challenge.
Conditions: Setting the Response-Type to accept using rex or java script.
Workaround: None
|
CSCin64112
|
With SNMP, armcdsvr occasionally reloads itself
Symptoms: Occasionally the armcdsvr process is restarted automatically by the Cisco AR server.
Conditions: Enabling SNMP and restarting the Cisco AR server
Workaround: None
|
CSCin64207
|
Upgrade fails when setting ARIsCaseInSensitive to false
Symptoms: Upgrade to 1.7R7 fails with the following error message:
307 Object not found/Path ambiguous
Condition: The /Radius/Advanced/ARIsCaseInSensitive flag is set to false in Cisco AR.
Workaround: Before upgrading to the 1.7R7 kit, set /Radius/Advanced/ARIsCaseInSensitive to True. After the upgrade, revert /Radius/Advanced/ARIsCaseInSensitive to false.
|
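The two attribute layouts named in CSCed03397, as an added example (not Cisco code and not part of the release notes): it encodes the same value both ways and shows what a receiver expecting the USR layout reads from the standard layout. The vendor ID 429, the 1-octet standard vendor type, the 4-octet USR vendor type, and the sample vendor type 0x66 are assumptions that the page does not state.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for Vendor-Specific
USR_VENDOR_ID = 429    # assumption: enterprise number for U.S. Robotics
USR_TYPE_OCTETS = 4    # assumption: width of the USR vendor type field


def wrap_vendor_specific(vendor_id, payload):
    """Prefix payload with: type (1 octet), length (1), vendor id (4)."""
    length = 2 + 4 + len(payload)
    if length > 255:
        raise ValueError("attribute longer than 255 octets")
    return struct.pack("!BBI", VENDOR_SPECIFIC, length, vendor_id) + payload


def encode_standard_vsa(vendor_id, vendor_type, data):
    """Layout: type, length, vendor, vendor type, length, data."""
    if not 0 <= vendor_type <= 255:
        raise ValueError("standard vendor type must fit in one octet")
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return wrap_vendor_specific(vendor_id, inner)


def encode_usr_vsa(vendor_id, vendor_type, data):
    """Layout: type, length, vendor, vendor type, data (no inner length)."""
    inner = vendor_type.to_bytes(USR_TYPE_OCTETS, "big") + data
    return wrap_vendor_specific(vendor_id, inner)


def split_outer(attr):
    """Validate the outer header and return (vendor_id, payload)."""
    if len(attr) < 6 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    return struct.unpack("!I", attr[2:6])[0], attr[6:]


def decode_standard_vsa(attr):
    """Parse the standard layout; reject inner lengths that do not fit."""
    vendor_id, payload = split_outer(attr)
    subattrs = []
    while payload:
        if len(payload) < 2:
            raise ValueError("truncated sub-attribute header")
        vendor_type, inner_len = payload[0], payload[1]
        if inner_len < 2 or inner_len > len(payload):
            raise ValueError("inner length %d does not fit" % inner_len)
        subattrs.append((vendor_type, payload[2:inner_len]))
        payload = payload[inner_len:]
    return vendor_id, subattrs


def decode_usr_vsa(attr):
    """Parse the USR layout: everything after the vendor type is data."""
    vendor_id, payload = split_outer(attr)
    if len(payload) < USR_TYPE_OCTETS:
        raise ValueError("truncated USR vendor type")
    vendor_type = int.from_bytes(payload[:USR_TYPE_OCTETS], "big")
    return vendor_id, vendor_type, payload[USR_TYPE_OCTETS:]


# Constructed sample: vendor type 0x66 carrying the integer 1.
SAMPLE_TYPE = 0x66
SAMPLE_DATA = struct.pack("!I", 1)

if __name__ == "__main__":
    std = encode_standard_vsa(USR_VENDOR_ID, SAMPLE_TYPE, SAMPLE_DATA)
    usr = encode_usr_vsa(USR_VENDOR_ID, SAMPLE_TYPE, SAMPLE_DATA)
    print("standard layout:", std.hex())
    print("USR layout:     ", usr.hex())
    # A receiver expecting the USR layout folds the inner length octet
    # into the vendor type and loses two octets of the value.
    print("standard bytes read as USR:", decode_usr_vsa(std))
    try:
        decode_standard_vsa(usr)
    except ValueError as err:
        print("USR bytes read as standard:", err)
```
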
Anomalies Fixed in Cisco Access Registrar 3.0R9
This section describes the anomalies fixed in Cisco Access Registrar, Release 3.0R9.
Table 8 Anomalies Fixed in Cisco AR 3.0R9
Bug
|
Description
|
CSCdy09195
|
The aregcmd_log file does not show NULL values
Symptoms: The aregcmd_log file does not show all values that were set.
Conditions: When setting a property to NULL (set property ""), the aregcmd_log file does not change the expression "" to NULL.
Workaround: None
|
CSCdy59596
|
arserver script should set umask to 113
Symptoms: Administrator cannot login to aregcmd or read aregcmd_log file.
Conditions: The Cisco AR server has rolled the aregcmd_log file, but the permissions do not allow group read or write.
Workaround: When starting Cisco AR, be sure the umask is at least 112 before running arserver.
|
CSCea06535
|
Service outgoing script fails to run when the service type is Authenticate Only
Symptoms: Service outgoing script fails to run.
Conditions: The request contains the attribute, Service-Type = Authenticate-Only.
Workaround: None
|
CSCea87237
|
Check-items checked even if a password is incorrect
Symptoms: A user is rejected due to invalid check-items.
Conditions: The user's password is incorrect, therefore check-items are irrelevant.
Workaround: None.
|
CSCeb37136
|
totalPacketsinUse goes negative after reset
Symptoms: The value for totalPacketsInUse may be briefly negative.
Conditions: After using the reset command, the value for totalPacketsInUse might be negative briefly.
Workaround: Ignore the value for totalPacketsInUse immediately after a reset command is issued.
|
CSCeb54417
|
The aregcmd_log file has different output than what was done in the resource manager
Symptom: The aregcmd_log shows a different command than what was issued after changing the IP range of a resource manager.
Conditions: A resource manager that manages an IP range (such as ip-dynamic) was changed such that an existing pool had the start or end address moved.
Workaround: None. However, using an explicit command such as set <start IP>-<end IP>, or changing directory to the IP range and using the set end <IP> or set start <IP> commands, will show the correct command.
|
CSCec21944
|
Cisco AR HTTP digest and Cisco SIP Provisioning Server are incompatible
Symptoms: Cisco AR and Cisco SIP Provisioning Server will not inter-operate.
Conditions: This might occur if the algorithm is md5-sess or if the QOP in use is none.
Workaround: None.
|
CSCed35533
|
The aregcmd_log file does not roll according to LogFileSize property
Symptom: aregcmd_log file does not roll according to the /Radius/Advanced/LogFileSize property.
Conditions: The /Radius/Advanced/LogFileSize property was changed to something other than the default.
Workaround: None
|
CSCed60493
|
The maximum setting from Event-Timestamp is incorrect
Symptoms: Cisco AR states that Event-Timestamp value is out of range even though it is 2^32-1, the legal range specified in the RFC.
Conditions: Unable to set full range of values allowed by Event-Timestamp, in aregcmd, radclient, or via extension point scripting.
Workaround: Edit the maximum setting for Event-Timestamp in the Cisco AR attribute dictionary to the legal maximum:
set "/Radius/Advanced/Attribute Dictionary/Event-Timestamp/Max" 4294967295
save
reload
|
CSCee74431
|
Unloading java extensions while processing requests causes an exception
Symptoms: Core file produced when shutting down with traffic.
Conditions: Java extensions are being used while the server is shutting down and traffic is still flowing into the server.
Workaround: None, but server will recover on its own.
|
CSCee88859
|
Upgrade to server-only install fails because aregcmd is not present
Symptom: Upgrade to server-only installs fails.
Condition: Cisco AR is upgraded to a later version and the 'Server only' installation option is selected.
Workaround: None.
|
CSCee91780
|
Custom java Services will not start
Symptoms: A custom service using Java does not start.
Conditions: The server has been configured to use a script as one of the AAA services and the script language is Java. After saving, the restart will fail and the server never recovers.
Workaround: None
|
CSCef03772
|
Sending too big RADIUS packet cores server
Symptoms: Cisco AR cores after sending a response packet.
Conditions: The RADIUS response packet is larger than 4 KB.
Workaround: Decrease the response packet size to fit in the RADIUS packet (RFC mandated 4KB).
|
CSCef20423
|
Access-Request without User-Name attribute causes Cisco AR to drop RADIUS packets
Symptoms: Some Access-Request packets are dropped by Cisco AR as retransmissions. By looking at the aregcmd stats output we can see that difference between totalAccessRequests and totalAccessResponses is increasing rapidly, while totalPacketsInUse is higher over time.
Trace log shows increasing number of error messages:
"Dropping packet: packet is a retransmission of one we are currently working on" in name_radius_1_log:
"No User-Name attribute in packet <unknown user>"
Conditions: Problem affects only service type LDAP.
Workaround: Reload aregcmd or restart Server Agent.
|
CSCef35083
|
Need bypass for accounting broadcast
Symptoms: Accounting-On and Accounting-Off requests are broadcast to every remote server (sometimes more than once).
Conditions: Remote server objects have been defined and accounting broadcast packets are received.
Workaround: None required if local session management is used.
|
CSCef41407
|
Empty column filled with leftover from previous query
Symptoms: Data returned from an ODBC query contains information from a previous query.
Conditions: ODBC is used to store users and their authorization parameters.
Workaround: None
|
CSCef63397
|
Core in _default_terminate using example Java Accounting Service
Symptom: Intermittent cores occur when a Java AccountingService is used.
Condition: This might occur when the example Java AccountingService is used as an accounting service.
Workaround: None
|
CSCef66780
|
Java services are not functional in AR 3.0
Symptom: Java services are not functional on AR 3.0.
Condition: Java services are configured.
Workaround: None.
|
CSCef75797
|
Cannot change administrator password in replication slave
Symptom: Replication slave administrator password cannot be changed using the CLI.
Condition: This might occur when attempting to change the administrator's password in the Replication slave configuration.
Workaround: Disable the replication in the slave and save the configuration. Open another aregcmd session to change the administrator password and enable the replication.
|
CSCin70770
|
Memory leak in armcdsvr
Symptoms: Memory footprint of the armcdsvr process grows continuously on repeated aregcmd logins.
Condition: Login and logout from aregcmd continuously
Workaround: None
|
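For CSCec21944, an added example (not Cisco code and not part of the release notes) that computes the RFC 2617 digest response for the variants the anomaly names, showing that a verifier must follow the algorithm and qop the client actually used. The inputs are the published RFC 2617 section 3.5 sample values; the function names are illustrative, and hex encoding of the inner hash for MD5-sess is assumed, as in common implementations.

```python
import hashlib
import hmac


def md5_hex(text):
    """H() from RFC 2617: MD5 over the string, as lowercase hex."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    algorithm="MD5", qop=None, nc=None, cnonce=None):
    """Compute the request-digest for algorithm MD5 or MD5-sess,
    with qop=auth or with no qop directive at all."""
    alg = algorithm.lower()
    if alg not in ("md5", "md5-sess"):
        raise ValueError("unsupported algorithm: %s" % algorithm)

    ha1 = md5_hex("%s:%s:%s" % (username, realm, password))
    if alg == "md5-sess":
        # MD5-sess binds HA1 to this session's nonce and cnonce.
        if cnonce is None:
            raise ValueError("MD5-sess requires a cnonce")
        ha1 = md5_hex("%s:%s:%s" % (ha1, nonce, cnonce))

    ha2 = md5_hex("%s:%s" % (method, uri))

    if qop is None:
        # No qop directive: the older RFC 2069 style computation.
        return md5_hex("%s:%s:%s" % (ha1, nonce, ha2))
    if qop != "auth":
        raise ValueError("only qop=auth and no qop are shown here")
    if nc is None or cnonce is None:
        raise ValueError("qop=auth requires nc and cnonce")
    return md5_hex("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


def verify_response(claimed, password, **fields):
    """Recompute with the fields the client sent; constant-time compare."""
    expected = digest_response(password=password, **fields)
    return hmac.compare_digest(expected, claimed.lower())


# Sample values published in RFC 2617 section 3.5.
RFC_SAMPLE = dict(username="Mufasa", realm="testrealm@host.com",
                  method="GET", uri="/dir/index.html",
                  nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")
RFC_PASSWORD = "Circle Of Life"
RFC_NC = "00000001"
RFC_CNONCE = "0a4f113b"


def variants():
    """Same credentials and nonce, three negotiated variants."""
    common = dict(RFC_SAMPLE, password=RFC_PASSWORD)
    return {
        "MD5, qop=auth": digest_response(
            algorithm="MD5", qop="auth", nc=RFC_NC, cnonce=RFC_CNONCE,
            **common),
        "MD5, no qop": digest_response(algorithm="MD5", **common),
        "MD5-sess, qop=auth": digest_response(
            algorithm="MD5-sess", qop="auth", nc=RFC_NC, cnonce=RFC_CNONCE,
            **common),
    }


if __name__ == "__main__":
    for name, value in variants().items():
        print("%-20s %s" % (name, value))
```
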
Anomalies Fixed in Cisco Access Registrar 3.0R8
This section describes the anomalies fixed in Cisco Access Registrar, Release 3.0R8.
Table 9 Anomalies Fixed in Cisco AR 3.0R8
Bug
|
Description
|
CSCea43192
|
Enum values are not validated properly
Symptoms: Enum values outside the specified range are not validated properly.
Conditions: An enum value outside the specified range is set.
Workaround: Restrict enums to those within the specified range.
|
CSCea60081
|
LicenseKey property does not autocomplete
Symptoms: The LicenseKey property in aregcmd does not autocomplete.
Conditions: The <Tab> key is used to autocomplete the /LicenseKey property.
Workaround: None, but this does not prevent the property from being set.
|
CSCeb19831
|
Cannot reload with enum out of range
Symptoms: The server will not restart or it is not possible to use radclient, and the error messages indicate that an enumeration is outside of specified Minimum and Maximum range.
Conditions: An attribute of type ENUM has been defined, and one of the enumerated values is not in the range between the minimum and maximum values.
Workaround: Modify the maximum value for the attribute so that all enumerations are included in the allowed range.
|
CSCed83003
|
Cannot commit change with modifications to session managers or resource managers
Symptoms: A change is not replicated to a member, and the member log indicates "Could not commit transaction."
Conditions: This might occur when deletions and additions of resource managers and session managers are included in a single save operation.
Workaround: Perform full resynchronization as described in the User Guide. More frequent aregcmd save operations may also be beneficial.
|
CSCed83165
|
Two unset commands of DefaultSessionManager results in replication failure
Symptoms: A member replication log indicates that a transaction was not committed.
Conditions: This might occur when values such as the DefaultSessionManager are unset multiple times.
Workaround: Perform a full database synchronization.
|
CSCed84906
|
Cisco AR accounting RollOverSchedule has problem on February 29th (Leap Year).
Symptom: Accounting logs do not roll over at preconfigured time when using the rollover schedule feature.
Conditions: The administrator has configured the server to rollover accounting files using the schedule rather than max age or size. Also, this is seen only on the Leap Day (February 29).
Workaround: None
|
CSCee03199
|
ODBC authorization-only service should not reject if no data is found
Symptoms: Cisco AR rejects the Access-Request with an InternalError indication.
Condition: This occurs when an ODBC service is configured as authorization-only service and no data is returned for the user from database table during authorization.
Workaround: None.
|
CSCee47129
|
Tunnel-Password values are mangled for certain tag numbers
Symptoms: A tunnel password attribute is mangled, even if the configuration was correct. Also, the attribute may be missing from the response.
Conditions: The tunnel-password attribute is configured to be sent back in an access-accept packet. However, certain tag numbers are always mangled or are missing.
Workaround: Try to use a different tag number (for example, use tag4 rather than tag3).
|
CSCee59794
|
Cisco AR rejects a user with internal error when the database package is recompiled
Symptoms: Cisco AR rejects the Access-Request with an InternalError indication.
Condition: PL/SQL packages in the database were recompiled while Cisco AR was running.
Workaround: Reload the Cisco AR server.
|
CSCin43901
|
Accounting file rollover not happening at daylight savings time (DST)
Symptoms: Accounting file rollover will not happen at DST but it will happen one hour before or after the DST change.
Conditions: The configured rollover schedule is the same as DST and the system time reaches the configured rollover schedule.
Workaround: None
|
Anomalies Fixed in Cisco Access Registrar 3.0R7
This section describes the anomalies fixed in Cisco Access Registrar, Release 3.0R7.
Table 10 Anomalies Fixed in Cisco AR 3.0R7
Bug
|
Description
|
CSCdy72758
|
After a Cisco AR server agent restart, SNMP MIB walks stop working
Symptoms: SNMP MIB walks stop working.
Conditions: The Cisco AR server agent dies and is restarted by trampoline.
Workaround: Restart the Cisco AR server using the /etc/init.d/arservagt restart command.
|
CSCea10104
|
Reload/stop and start of Cisco AR gives core file when SNMP is enabled
Symptoms: When SNMP is enabled, reload, stop and start from aregcmd gives core file and displays 'Unable to access server.' However, the radius process will be restarted and packet processing will be continued.
Conditions: SNMP is enabled in Cisco AR.
Workaround: Restart Cisco AR using /etc/init.d/arservagt.
|
CSCea49061
|
Cisco AR does not allow port change if default values are used
Symptoms: Cisco AR does not start. During the installation or running the arservagt utility, the following message is displayed:
RADIUS port already occupied, program can not start
Because Cisco AR does not start, aregcmd also fails to start:
Cisco Access Registrar 1.7R5 Configuration Utility
Copyright (C) 1995-2002 by Cisco Systems, Inc. All rights reserved.
Conditions: Another application is using ports 1645, 1646, 1812, or 1813.
Workaround: In the arservagt script, comment out the exit 1 line as follows:
# make sure no other RADIUS server is running
# (matches a local address ending in one of the RADIUS ports in netstat output)
exist=`netstat -an | awk '$1 ~ /\.(1812|1813|1645|1646)$/'`
if [ "$exist" != "" ]; then
    echo "RADIUS port already occupied, program can not start."
    # exit 1
fi
Start Cisco AR using the following:
/etc/init.d/arservagt start
If there is a port conflict, configure Cisco AR to use alternative ports. For example, in aregcmd:
cd /Radius/Advanced/Ports
add 1812
add 1813
save
reload
|
CSCec25472
|
After restarting the SNMP agent, SNMP MIB walk no longer works
Symptoms: SNMP traps are still seen, but there is no response to SNMP MIB walk commands.
Conditions: This might occur after the SNMP Master Agent crashes and is restarted.
Workaround: Restart the Cisco AR server using the /etc/init.d/arservagt restart command.
|
CSCec60339
|
Cisco AR software upgrade from 3.1R2 causes startup error
Symptoms: Cisco AR will not start correctly after an upgrade.
Conditions: An attribute return list in a profile, user group, or user set the Tunnel-Medium-Type attribute with the value of 802. After an upgrade, the name_radius_1_log file contains the following message when the server tries to start:
10/15/2003 12:40:36 name/radius/1 Error Configuration 0 Error in property
/Radius/Profiles/ldapmap-VLAN/Tunnel-Medium-Type_tag1: Invalid value
Workaround: After the server tries to start, log in to aregcmd and add the enum back into the dictionary, then issue a save command and restart the server.
cd "/Radius/Advanced/Attribute Dictionary/Tunnel-Medium-Type/Enums"
set 6 802
save
start
|
CSCec63780
|
Apparent deadlock in the replication master during a replication test
Symptoms: The RADIUS server stops responding to RADIUS packets.
Conditions: This situation occurs extremely rarely when the configuration is being updated after an Accounting-On message is received.
Workaround: Kill the RADIUS server using kill -9. The Cisco AR server will be automatically restarted by the server agent.
|
CSCec71268
|
Adding new ODBC remote server in one shot fails
Symptoms: After adding a new ODBC remote server using a single line within interactive aregcmd, validation fails.
Conditions: The following command format was used to add a remote server:
add /Radius/RemoteServers/server description odbc reactivate timeout connections datasource keepalive
Workaround: Set each property individually after adding the remote server.
|
CSCec72065
|
Skewed time results in brief corrupt session time
Symptoms: The session time displayed in the response to query-sessions command is 1193046:28:15.
Conditions: This might occur when aregcmd is run on a remote system, the time on the remote system is behind the time on the system running the server, and the session time is less than the difference between the session times. Note that time refers to Universal Time and that differences in time zones should not cause this problem to occur.
Workaround: Ignore session times of 1193046:28:15. Assume that these session times are less than the difference between the system time on the system running aregcmd and the system time running the RADIUS server. Use a time synchronization server to minimize these discrepancies.
|
CSCec74817
|
The query-sessions command displays large NAS-Port incorrectly
Symptoms: A negative value is displayed for a NAS-Port in the output of the query-sessions command.
Conditions: This might occur when the value of the NAS-Port is greater than 65,535.
Workaround: None.
|
CSCed01236
|
Proxy of EAP packets breaks client IP stack
Symptoms: Client cannot ping anything except itself after a successful EAP transaction.
Conditions: A proxy server is placed between the access point (AP) and authentication server to proxy EAP packets between the AP and authentication server.
Workaround: If possible, remove the proxy server from the authentication path.
|
CSCed22089
|
Cisco AR cores on accounting request after configuration change
Symptoms: Cisco AR restarts and creates a core file.
Conditions: Cisco AR has been restarted and a configuration change is performed and saved. Cisco AR restarts on receipt of an accounting request.
Workaround: None
|
CSCed37168
|
A software upgrade will fail if you already have Oracle 8 configured
Symptoms: Cisco AR will not start after a software upgrade to 3.0R6 when the previous system has been configured with Oracle 8. This is because the old Cisco AR used liboraodbc.so to access Oracle 8 and this has been changed in 3.0R6 to liboraodbc8.so for adding support of Oracle 9.
Conditions: Existing Cisco AR has configured ODBC with Oracle 8.
Workaround: Set up a symbolic link before running pkgadd, such as the following:
cd <install-dir>/lib && ln -s liboraodbc8.so liboraodbc.so
|
CSCed42695
|
Too-old unclosed session results in huge session
Symptoms: The following messages appear in the log:
"Log: Backing Store: Error composing log file, item is too large for one page (8192).
Log: Session Backing Store: Unable to save Session 991 to backing store."
Conditions: This might occur when Cisco AR fails to receive an Accounting-Stop, then receives a number of Accounting-Start messages with the same Acct-Session-ID.
Workaround: Manually release the session using the release-sessions option of aregcmd.
|
CSCed50688
|
EAP-SIM pseudonym passed as User-Name too long for ExecRealmRule
Symptoms: The realm rule does not find the realm in the username, even though the trace file shows that the realm is present.
Conditions: A very long username (at least 100 bytes in length) is used.
Workaround: None
|
CSCed51002
|
ExecRealmRule script may overwrite memory
Symptoms: The RADIUS server cores occasionally.
Conditions: Lengthy user names are frequently used, and the ExecRealmRule script is in use.
Workaround: None.
|
CSCed75402
|
Cannot add enumerations to attributes of type TAG_ENUM
Symptoms: It is not possible to add new enumerations to attributes of type TAG_ENUM, or an upgraded configuration containing tagged attributes does not function after upgrade.
Condition: This will occur when 3.0R6 or 1.7R7 is in use.
Workaround: Consult with Cisco Tech Support to get advice about adding the tagged enumerations to your configuration using internal tools.
|
CSCin60005
|
Replication fails when modifying IP addresses of resource manager
Symptoms: Replication fails and the replication slave's name_radius_log file shows the following error message:
Internal Error in /Radius/ResourceManagers/new/IPAddresses/: Required property end did not exist
Conditions: Add a new ip-dynamic resource manager without doing a save, then modify the IP address using aregcmd interactive set command.
Workaround: Do a save before modifying the IP address using interactive set.
|
CSCin62448
|
Cisco AR server reloads itself when rolling accounting file under heavy load
Symptoms: Cisco AR server occasionally reloads by itself
Conditions: Under heavy load, when Cisco AR is unable to open or flush the accounting files.
Workaround: None
|
Anomalies Fixed in Cisco Access Registrar 3.0R6
This section describes the known anomalies in Cisco Access Registrar, Release 3.0R6.
Table 11 Anomalies Fixed in Cisco AR 3.0R6
Bug
|
Description
|
CSCai02102
|
Session backing store can become corrupted if the disk partition becomes full
Symptoms: aregcmd fails while logging in or aregcmd fails while saving with an error message similar to "500 Internal Error / Checking to see if we needed to synchronize with external changes to database failed." or after a reload AR's knowledge of user sessions is missing information that it had before the reload.
Conditions: The disk partition that AR is installed on is full.
Workaround: Make more space available on the partition. AR may need to be restarted.
|
CSCdy04282
|
Cisco AR may not handle non-tagged attributes correctly from proxy
Symptoms: Cisco AR returns garbage values in tunnel attributes when returning them as a proxy server.
Conditions: When Cisco AR is a proxy server (as in dial wholesale), a returning access-accept containing non-tagged tunnel attributes may not be handled correctly.
Workaround: Have the downstream server return tagged attributes instead of untagged ones.
|
CSCdy29522
|
Access Registrar trap MIB not on CCO nor MIB-police submitted
Problem description: The Access Registrar MIB referenced at /en/US/docs/net_mgmt/access_registrar/1.7/concepts/guide/snmp.html#xtocid1 includes the carServerStop trap but the MIB is unavailable to customers.
Workaround: None.
|
CSCdy46148
|
Cisco AR cores when java extension without required interface is used
Symptoms: Cisco AR cores when a Java extension script that does not implement the interface required for such scripts is used.
Conditions: A Java extension script that does not implement the interface required for such scripts is added, set as the server IncomingScript, saved but not reloaded, and an access request is then sent.
Workaround: Reload Cisco AR on adding the Java extension script.
|
CSCdy50196
|
Cisco AR server cores when Java service does not handle stops and starts
Symptoms: Server fails to start when Java service does not handle service starts and stops.
Conditions: You configure then reload a Java service that does not handle service starts and stops.
Workaround: Handle service starts and stops in all Java services.
|
CSCdy51365
|
Java services not hot-configured properly
Symptoms: Java services do not work until the server is reloaded.
Conditions: A Java service is added and saved, and the server is not reloaded.
Workaround: Reload the server on adding a Java service.
|
CSCdy57104
|
Java example accounting script causes core when not initialized
Symptoms: Cisco AR cores when the example Java accounting script is created but not initialized, saved and reloaded.
Conditions: The example Java accounting script is not initialized.
Workaround: Specify the initialization parameter when creating the service.
|
CSCdy59596
|
arserver script should set umask to 113
Symptoms: Administrator cannot login to aregcmd or read aregcmd_log file.
Conditions: The Cisco AR server has rolled the aregcmd_log file, but the permissions do not allow group read or write.
Workaround: When starting Cisco AR, be sure the umask is at least 112 before running arserver.
|
CSCdy71586
|
Class file not located if classpath set after java script configuration
Symptoms: The class file referenced by a Java extension script is not recognized when it is in a location other than the default classpath and the classpath is set to the class file location after the script is configured.
Conditions: The classpath for Java extensions parameter is set after the Java extension script is configured.
Workaround: Set the classpath for Java extensions before configuring the script or restart the server.
|
CSCdy72758
|
After restart of Cisco AR server agent, SNMP MIB walk stops working
Symptoms: SNMP MIB walk stops working
Conditions: The Cisco AR server agent dies and trampoline restarts the server.
Workaround: Restart the Cisco AR server by using the following command: /etc/init.d/arservagt restart
|
SCdy84713
|
Replication of /Radius/Script object logs error message in Slave
Symptoms: Replication of /Radius/Script object logs error message in slave name_radius_log when it is replicated.
Conditions: Configure single master-slave replication, add a script object under /Radius/script to master host
Workaround: None
|
CSCdy87379
|
Script with invalid class requires restart even after correction
Symptoms: Configuring a script with an invalid class stops the server. The server does not start on reloads even after the class is corrected.
Conditions: The class configured for the script is not valid.
Workaround: Restart the server.
|
CSCdz21344
|
Concurrency control problem with user attributes
Symptoms: Attributes in a user's attributes or check-items directory are deleted in two different aregcmd sessions. Only one of the two attributes shows up as deleted in subsequent aregcmd sessions.
Conditions: This only occurs when these attributes are deleted in two different aregcmd sessions.
Workaround: Remove the attribute which was not deleted a second time.
|
CSCdz36245
|
Alternate threading library causes AX_EWOULDBLOCK messages
Symptoms: The logs have a large number of AX_EWOULDBLOCK messages and the server performance is erratic.
Conditions: Using Solaris 8 with the alternate threading library located in /usr/lib/lwp.
Workaround: Use the default library in /usr/lib rather than the alternate one.
|
CSCdz71935
|
Insufficient trace message when password incorrect
Symptoms: Local user is rejected but trace does not explain.
Conditions: The user's AllowNullPassword property is set to TRUE and the user's password is incorrect in the access request.
Workaround: Check the log file for explanation.
Log: Request from HA2 (10.8.15.45): User bob rejected (UserPasswordInvalid)
|
CSCea06535
|
Service outgoing script fails to run when the service type is Authenticate Only
Symptoms: Service outgoing script fails to run.
Conditions: The request contains the attribute, Service-Type = Authenticate-Only.
Workaround: None
|
CSCea10104
|
The Cisco AR server gives a core file when SNMP is enabled and you reload, stop, and restart the server.
Symptoms: When SNMP is enabled and you reload, stop, and start the server from aregcmd, the server produces a core file and aregcmd displays Unable to access server. However, RADIUS processes are restarted and packet processing continues.
Conditions: SNMP is enabled in the AR server.
Workaround: Restart the Cisco AR server using /etc/init.d/arservagt.
|
CSCea43192
|
Enum values are not validated properly
Symptoms: Enum values outside the specified range are not validated properly.
Conditions: An enum value outside the specified range is set.
Workaround: Restrict enums to those within the specified range.
|
CSCea49061
|
Cisco AR does not allow port change if default values are in use
Symptoms: Cisco AR does not start. During the installation or running the arservagt utility, the following message is displayed:
RADIUS port already occupied, program can not start
Because Cisco AR does not start, aregcmd also fails to start:
Cisco Access Registrar 1.7R5 Configuration Utility
Copyright (C) 1995-2002 by Cisco Systems, Inc. All rights reserved.
Conditions: Another application is using ports 1645, 1646, 1812, or 1813.
Workaround: In the arservagt script, comment out the exit 1 line as follows:
# make sure no other RADIUS server is running
# (matches a local address ending in one of the RADIUS ports in netstat output)
exist=`netstat -an | awk '$1 ~ /\.(1812|1813|1645|1646)$/'`
if [ "$exist" != "" ]; then
    echo "RADIUS port already occupied, program can not start."
    # exit 1
fi
Start Cisco AR using the following:
/etc/init.d/arservagt start
If there is a port conflict, configure Cisco AR to use alternative ports. For example, in aregcmd:
cd /Radius/Advanced/Ports
add 1812
add 1813
save
reload
|
CSCea82594
|
Session count decreases to a negative value
Symptoms: Session count decreases to a negative value when CDMA-Session-Continue attribute is used.
Conditions: This occurs when the CDMA-Session-Continue value TRUE is sent in the accounting request packet, then its session is released by sending CDMA-Session-Continue value FALSE. Session count shows as -1 instead of zero when the session is released.
Workaround: None
|
CSCea87237
|
Check-items checked even if a password is incorrect
Symptoms: A user is rejected due to invalid check-items.
Conditions: The user's password is incorrect, therefore check-items are irrelevant.
Workaround: None.
|
CSCea89613
|
Cisco AR cores while running odbc-authorize-envmap
Symptoms: The Cisco AR server cores after a reload.
Conditions: This might occur when two different ODBC servers are used (one for authentication and one for authorization) and the authorization server is configured to perform environment mappings.
Workaround: None. The Cisco AR server will be restarted by the server agent and will function properly.
|
CSCeb04281
|
IPX networks displayed in decimal
Symptoms: IPX network numbers are occasionally displayed in decimal format.
Conditions: After a save, IPX network numbers are displayed in decimal format.
Workaround: None.
|
CSCeb04316
|
Command completion not working for resource manager directories
Symptoms: Command completion does not work for resource manager subdirectories.
Conditions: When in a resource manager subdirectory, pressing the tab key will not complete subdirectory names.
Workaround: In most cases, hitting the return key rather than the tab key will perform the desired action.
|
CSCeb05384
|
Memory leak in third-party libraries while reloading
Symptoms: Memory leaks found in TCL and nramia while analyzing with Purify.
Conditions: While reloading Cisco AR software.
Workaround: Restart the Cisco AR processes.
|
CSCeb11506
|
Add Rule arguments not aligned with properties
Symptoms: Setting rule properties with the add command fails.
Conditions: After executing the following:
add /Radius/Rules/myrule "" ExecRealmRule
Added /Radius/Rules/myrule
ls myrule
Workaround: Use the following configuration:
add /Radius/Rules/myrule ExecRealmRule
Added /Radius/Rules/myrule
ls myrule
Description = ExecRealmRule
|
CSCeb19955
|
Changing name of pre-existing administrator requires you to delete the previous name
Symptoms: Unable to change the name of an existing administrator.
Conditions: The name of an existing administrator may be changed, but will remain unchanged the next time aregcmd is used.
Workaround: If the name of an administrator must be changed, delete it and add a new administrator.
|
CSCeb37136
|
totalPacketsinUse goes negative after reset
Symptoms: The value for totalPacketsInUse may be briefly negative.
Conditions: After using the reset command, the value for totalPacketsInUse might be negative briefly.
Workaround: Ignore the value for totalPacketsInUse immediately after a reset command is issued.
|
CSCeb40158
|
Confusing error message for sendto
Symptoms: Log messages about the results of sendto include inconsistent numbers.
Conditions: This occurs in conditions of high stress.
Workaround: Ignore the numeric values in these messages.
|
CSCeb46227
|
Down service messages are displayed while servers appear up
Symptoms: The message "Service name has no active remote servers available" appears frequently in the log.
Conditions: This message appears occasionally in high load conditions, even when the associated servers are responding to requests.
Workaround: Ignore these messages.
|
CSCeb46418
|
Misleading aregcmd error when swap space consumed
Symptoms: aregcmd indicates that it was unable to read the internal configuration.
Conditions: This might occur when all swap space on a machine is in use.
Workaround: Redistribute applications so there is adequate swap space on the machine.
|
CSCeb80164
|
Retrace-Packet prints erroneous trace information
Symptoms: The trace shows two response packets to a single request. The first response trace shows an invalid length, as shown in this example:
07/30/2003 20:52:32: P712: Tcl: environ put Retrace-Packet TRUE -> OK
07/30/2003 20:52:32: P712: Using Client: localhost (127.0.0.1)
7/30/2003 20:52:32: P712: Using NAS: localhost (127.0.0.1)
07/30/2003 20:52:32: P712: Request is directly from a NAS: TRUE
07/30/2003 20:52:32: P712: Trace of Access-Request packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 70
07/30/2003 20:52:32: P712: reqauth = aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
07/30/2003 20:52:32: P712: User-Name = user1@domain1.com
07/30/2003 20:52:32: P712: User-Password = aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
07/30/2003 20:52:32: P712: NAS-Port = 1
07/30/2003 20:52:32: P712: NAS-Identifier = localhost
07/30/2003 20:52:32: P712: Authenticating and Authorizing with Service aalocal
07/30/2003 20:52:32: P712: Getting User user1@domain1.com's UserRecord from UserList local
07/30/2003 20:52:32: P712: User user1@domain1.com's password matches
07/30/2003 20:52:32: P712: Merging BaseProfile 1 into response dictionary
07/30/2003 20:52:32: P712: Merging attributes into the Response Dictionary:
07/30/2003 20:52:32: P712: Adding attribute Cisco-AVPair, value = ip:addr-pool=public
07/30/2003 20:52:32: P712: No default Remote Session Service defined.
07/30/2003 20:52:32: P712: Trace of Access-Accept packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 70 <====== INCORRECT
07/30/2003 20:52:32: P712: reqauth = 53:a3:5b:73:3d:58:3b:2c:f2:3c:59:7d:c9:dc:78:0d
07/30/2003 20:52:32: P712: Cisco-AVPair = ip:addr-pool=public
07/30/2003 20:52:32: P712: Trace of Access-Accept packet
07/30/2003 20:52:32: P712: identifier = 2
07/30/2003 20:52:32: P712: length = 47
07/30/2003 20:52:32: P712: reqauth = 02:7d:9c:1f:d9:c5:be:9a:0b:7d:6d:70:96:6a:21:16
07/30/2003 20:52:32: P712: Cisco-AVPair = ip:addr-pool=public
07/30/2003 20:52:32: P712: Sending response to 127.0.0.1
Conditions: The Retrace-Packet AR environment variable has been set to TRUE and the trace level has been set to four or above.
Workaround: None
|
CSCeb86676
|
Error message for malformed packet wrong with LDAP.
Symptoms: Trace messages indicate that poorly-formatted packets were rejected due to unknown user names or incorrect passwords.
Conditions: This might occur when LDAP is used for authentication or authorization.
Workaround: In some cases, it may be necessary to turn trace levels up and examine the contents of packets. Generally this will not be required.
|
CSCec11705
|
An error message for ODBC and FDS is confusing
Symptoms: ODBC is configured properly, but the following message appears in the log:
/opt/CSCOar/logs/name_radius_1_log:08/22/2003 9:35:29 name/radius/1 Error
Server 0 ODBC client (Connection 30): SQLConnect failed: IM002
[unixODBC][Driver Manager]Data source name not found, and no default driver specified
Conditions: This might occur when the number of open file descriptors exceeds the system limit.
Workaround: Increase the number of open file descriptors permitted, or ignore the message when it occurs.
|
CSCec21944
|
AR HTTP digest and Cisco SPS are incompatible
Symptoms: Cisco AR and Cisco SIP Provisioning Server will not inter-operate.
Conditions: This might occur if the algorithm is md5-sess or if the QOP in use is none.
Workaround: None.
|
CSCec22061
|
OutagePolicy of AcceptAll leads to strange responses
Symptoms: An Access-Accept for an HTTP Digest message does not contain an MS-MPPE-Recv key attribute or a Session-Timeout.
Conditions: This might occur if the authentication or authorization service is down and the outage policy is set to AcceptAll.
Workaround: Set the outage policy to RejectAll.
|
CSCec25472
|
After restarting the SNMP agent, SNMP walk no longer works
Symptoms: SNMP traps are still seen, but there is no response to SNMP walk commands.
Conditions: This might occur after the SNMP Master Agent crashes and is restarted.
Workaround: Restart the Cisco AR server using the /etc/init.d/arservagt restart command.
|
CSCec42756
|
Memory growth occurs with replication stress test
Symptoms: Memory grows slowly while replication is enabled.
Conditions: This might occur under conditions of significant stress.
Workaround: None necessary; the increase in memory is slow enough not to cause any system problems.
|
CSCec53453
|
Parse errors appear in Replication messages
Symptoms: The message parse failed <unknown user> appears in the log.
Conditions: This might occur with replication configured.
Workaround: Ignore these messages; the server should recover without intervention.
|
CSCec63780
|
Apparent deadlock in master on replication test
Symptoms: The Radius server stops responding to Radius packets.
Conditions: This situation occurs extremely rarely when the configuration is being updated after an Accounting-On message is received.
Workaround: Kill the Radius server using kill -9. The AR server will be automatically restarted by the server agent.
|
CSCec66825
|
Replication documentation does not mention RADIUS port configuration.
Symptoms: Cannot get replication to work.
Conditions: The AR replication documentation does not mention that the UDP port used for replication must also be configured as a RADIUS port on each master and slave.
Workaround: Configure the port number used in replication under /Radius/Advanced/Ports on the master and all slaves as shown below:
cd /Radius/Advanced/Ports
add 2000
save
reload
|
CSCec68801
|
Documentation: MaximumNumberOfRadiusPackets equal to or greater than 8192 for replication
Symptoms: Incorrect and unsupported replication configuration
Conditions: Default MaximumNumberOfRadiusPackets setting is too low for Cisco AR server replication.
Workaround: Set the value to at least 8192 on each Cisco AR server configured for replication as follows:
set /Radius/Advanced/MaximumNumberOfRadiusPackets 8192
save
reload
|
CSCin19437
|
Changing Service type from file to group generates error in Replication
Symptoms: In the replication slave, the modified service will not be available for authentication and reload of the replication slave will fail.
Conditions: Changing the service type from file to group in Replication Master
Workaround: On the slave, delete the group service created by replication, re-create it manually through aregcmd, and reload the slave server.
|
CSCin26428
|
Accounting file rolling fails when reloading Cisco AR server at RolloverSchedule
Symptoms: Accounting file rollover occasionally does not occur.
Conditions: Performing reload of the Cisco AR server at the configured rollover time.
Workaround: Do not reload the Cisco AR server at the configured rollover time.
|
CSCin29894
|
Replication fails after changing the user name
Symptoms: User name change is not replicated to slave.
Conditions: Changing just the user name and issuing a save in the Replication master.
Workaround: None
|
CSCin43901
|
Accounting file rollover not happening at daylight savings time (DST)
Symptoms: Accounting file rollover will not happen at DST but it will happen one hour before or after the DST change.
Conditions: The configured rollover schedule is the same as DST and the system time reaches the configured rollover schedule.
Workaround: None
|
CSCin45016
|
Session Manager hangs while changing the system date
Symptoms: The release-session command of aregcmd hangs, and the RADIUS server does not respond to access-requests and hangs in session management.
Conditions: Changing the system date to an earlier time and not restarting the server.
Workaround: Restart Cisco AR after changing the system date/time.
|
CSCin46551
|
RADIUS server is reloaded when enabling SNMP and doing restart immediately thereafter.
Symptoms: RADIUS gets reloaded automatically.
Conditions: Enabling SNMP in Cisco AR and restarting the server immediately.
Workaround: None.
|
CSCin49558
|
Cisco AR server accepts the user, when AuthenticationScript rejects
Symptoms: Cisco AR accepts the user, when the UserGroups AuthenticationScript sets the Response-Type as Reject.
Conditions: Occurs when ODBCToEnvironmentMapping is used to set the User-Group.
Workaround: Set the script that rejects the user at some other scripting point.
|
CSCin53226
|
On heavy load odbc.ini file becomes empty
Symptoms: The log reports that the ODBC datasource cannot be found.
Conditions: This has only been observed with an extremely high number of ODBC data source connections and heavy load.
Workaround: Replace the contents of the /opt/CSCOar/odbc/etc/odbc.ini file.
|
CSCin57842
|
LEAP challenge not sent when setting Response-Type to accept
Symptoms: User accepted without sending EAP challenge.
Conditions: Setting the Response-Type to accept using rex or java script.
Workaround: None
|
CSCin59303
|
Replication fails when using interactive set
Symptoms: The memory usage of the Radius process increases.
Conditions: This might occur when the IP address range of an ip-dynamic resource manager is set to a range greater than an entire class C network.
Workaround: None
|
Anomalies Fixed in Cisco Access Registrar 3.0R5
This section describes the anomalies fixed in Cisco Access Registrar, Release 3.0R5.
Table 12 Anomalies Fixed in Cisco AR 3.0R5
Bug
|
Description
|
CSCdx52831
|
radius cores while establishing ODBC connections
Symptoms: AR restarts with reload command when ODBC connections to the database are being established.
Conditions: Reloading AR while ODBC connections to the database are getting established.
Workaround: Reload AR after all the ODBC connections to the database are established.
|
CSCdy87006
|
Session management fails on central resource server
Symptoms: The central resource AR server rejects session management requests from front-line AR servers.
Conditions: On the central resource AR server, the DefaultAuthenticationService and DefaultAuthorizationService are set to an LDAP service.
Workaround: Set the DefaultAuthenticationService and DefaultAuthorizationService to something other than an LDAP service.
|
CSCeb45577
|
Rapid and irregular memory growth with SNMP traps
Symptoms: The memory required for the Radius server is very large, and increases continually.
Conditions: This might occur if an extremely large volume of SNMP traps (greater than 3 per minute) are being sent.
Workaround: Reset the values InputQueueHighThreshold and InputQueueLowThreshold to their default values to reduce the number of SNMP traps.
|
CSCeb56975
|
ODBC mappings should not override attributes
Symptoms: ODBC mappings will not map all the values returned from database.
Conditions: When more than one database column is mapped to the same attribute.
Workaround: None.
|
CSCin48864
|
Stale ODBC remoteserver threads across reloads.
Symptoms: Radius server is reloaded.
Conditions: Add and delete ODBC configuration, then reload when Oracle server is unreachable (via network) from Cisco AR.
Workaround: Restart AR.
|
Anomalies Fixed in Cisco Access Registrar 3.0R4
This section describes the anomalies fixed in Cisco Access Registrar, Release 3.0R4.
Table 13 Anomalies Fixed in Cisco AR 3.0R4
Bug
|
Description
|
CSCdp91753
|
Logging does not work for files equal to or greater than 2GB
Symptoms: After any log file size exceeds 2 GB, logging to that file stops.
Conditions: Size of log file exceeds 2GB.
Workaround: Rotate the log files. If you are using a version of Cisco AR earlier than 1.6R0, stop the server before moving any log files.
|
CSCdt63165
|
aregcmd allows all administrative users to be deleted
Symptoms: No administrators appear in /Administrators in aregcmd.
Conditions: An administrator deleted all the administrators, effectively causing a lockout.
Workaround: None
|
CSCdu43140
|
In aregcmd query /r the colon character (:) is used some places, but not others
Symptoms:
When a query-sessions is done in aregcmd, the output will look something like the following:
Sessions for /Radius/SessionManagers/session-mgr-2:
S1 Key: localhost:1, NAS: localhost, NAS-Port: 1, User-Name: bob, \
Time: 00:41:58, IP 10.0.1.128, HA 10.10.1.0
Note that Key, NAS, NAS-Port, User-Name and Time are all followed by a colon character and that IP and HA are not. This is obviously inconsistent. It appears that the dynamic resources (IP, IPX, GSL, USL, USR-VPN, and HA) will not be followed by a colon character while the rest will be.
Workaround: Do not write scripts that depend on finding a colon character after or between the type of dynamic resource (such as IP) and its value.
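A script that follows this workaround can treat the colon as optional. The parser below is an added example, not Cisco code: it reads query-sessions output in the format shown above and also flags the two display anomalies described earlier in these notes (the 1193046:28:15 session time of CSCec72065 and the negative NAS-Port of CSCec74817). The second record in the sample is constructed for illustration.

```python
import re

# 1193046:28:15 is the session time CSCec72065 says to ignore.
# Converted to seconds it equals 2**32 - 1.
BOGUS_SESSION_SECONDS = 2**32 - 1

# Field name, optional colon, whitespace, value. The colon is optional because
# dynamic resources (IP, IPX, GSL, USL, USR-VPN, HA) are printed without one.
FIELD_RE = re.compile(r"^([A-Za-z][\w-]*):?\s+(.+)$")
RECORD_RE = re.compile(r"^(S\d+)\s+(.+)$")

# First record is the one shown in these release notes; S2 is constructed.
SAMPLE_OUTPUT = r"""Sessions for /Radius/SessionManagers/session-mgr-2:
S1 Key: localhost:1, NAS: localhost, NAS-Port: 1, User-Name: bob, \
Time: 00:41:58, IP 10.0.1.128, HA 10.10.1.0
S2 Key: localhost:2, NAS: localhost, NAS-Port: -1, User-Name: alice, \
Time: 1193046:28:15, IP 10.0.1.129
"""


def hms_to_seconds(text):
    """Convert an H:MM:SS session time to seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_sessions(output):
    """Return one dict per session record, keyed by field name."""
    # Join records that were wrapped with a trailing backslash.
    joined = re.sub(r"\\\s*\n\s*", " ", output)
    sessions = []
    for line in joined.splitlines():
        record = RECORD_RE.match(line.strip())
        if not record:
            continue  # header line ("Sessions for ...:") or blank line
        fields = {"id": record.group(1)}
        for chunk in record.group(2).split(","):
            field = FIELD_RE.match(chunk.strip())
            if field:
                fields[field.group(1)] = field.group(2).strip()
        sessions.append(fields)
    return sessions


def audit(sessions):
    """Flag values that these release notes say cannot be trusted as displayed."""
    findings = []
    for session in sessions:
        time_text = session.get("Time")
        if time_text and hms_to_seconds(time_text) == BOGUS_SESSION_SECONDS:
            findings.append((session["id"], "Time", "CSCec72065"))
        if session.get("NAS-Port", "").startswith("-"):
            findings.append((session["id"], "NAS-Port", "CSCec74817"))
    return findings


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    for entry in parsed:
        print(entry)
    for finding in audit(parsed):
        print("suspect value:", finding)
```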
|
CSCdu77687
|
ExecTimeRule script does not run correctly
Symptoms: The ExecTimeRule does not match times correctly.
Conditions: The valid time range for an instance of the ExecTimeRule rule is more complicated than just a time range (multiple time ranges or days are specified).
Workaround: None
|
CSCdv54419
|
SNMP reports average RTT instead of the RTT of the last request
Symptoms: SNMP query reports the average round trip time instead of the round trip time for the last request.
Conditions: This occurs any time you make an SNMP request.
Workaround: Cisco AR is incorrectly reporting the average RTT. To obtain the RTT of the last request, you will need to arithmetically determine it from the previous average RTT, the current average RTT, and the total number of requests sent to the remote server.
|
CSCdw13633
|
ExecTimeRule script never denies access.
Symptoms: Time of Day rule does not work as specified in the user documentation.
|
CSCdw87985
|
Acct-Delay-Time attribute in Accounting-On requests ignored
Symptoms: AR ignores the Acct-Delay-Time attribute and can remove all sessions after a resend of the Accounting-On packet.
Conditions: The problem is basically that when the NAS is rebooted, it sends out an Accounting-On that Cisco AR does not see. 15 seconds later it sends out its first ODAP request, receiving a subnet and creating a session on Cisco AR to record it. 15 seconds after that it resends the Accounting-On (since the first one timed out). Cisco AR receives this second Accounting-On and proceeds to delete all of the sessions associated with the NAS (including the just-received ODAP session). This causes problems because Cisco AR will then go ahead and re-use the subnet for a subsequent request, but as far as the NAS is concerned it is still in use. The second Accounting-On does contain an Acct-Delay-Time attribute with a value of 30 (seconds), so it's possible for Cisco AR to only delete sessions associated with the NAS that were created over 30 seconds ago. We've never paid attention to the Acct-Delay-Time attribute, but it's probably time we did so.
Workaround: None
|
CSCdx27007
|
aregcmd gives a segmentation fault with a particular sequence of commands
Symptoms: Under certain circumstances, if a save command is issued at the aregcmd prompt when no changes have been made, a segmentation fault occurs.
Conditions: Since no data changes have been made, this problem will not result in any loss of data.
Workaround: Do not issue a save command if no changes have been made to the configuration.
|
CSCdx76512
|
Cannot rename users
Symptoms: The administrator changed a user name by setting the Name attribute of the user record.
On the save, aregcmd gives a 310 error with no other info in the logs.
Conditions: Rename a user using the following aregcmd command line:
set Name NewName
Workaround: Delete the old user and create a new one. However, this does lose the user's password.
|
CSCdy11292
|
aregcmd command ls returns 307 error on properties
Symptoms: An administrator uses aregcmd command ls on a property and gets a 307 error.
Conditions: Running ls directly on a property and not a directory (ls /Radius/Version) results in a 307 error by aregcmd.
Workaround: None, but this is not a functional error.
|
CSCdy17353
|
Session-Service not allowed to set in Rule Engine
Symptoms: Session-Service is not set through the Rule Engine.
Conditions: Rules and policies are configured to set Session-Service.
Workaround: Use scripts to set Session-Service.
|
CSCdy20675
|
aregcmd set username/password password should not query
Symptoms: The aregcmd command line set username/password should not prompt for password verification if it is already passed on the command line. The current behavior is:
set bob/password foo
Retype password to confirm:
Set bob/Password <encrypted>
The confirmation should only happen if the user enters the password with echo off. There is no reason to do this when the password is passed on the command line.
Conditions: When adding a password for a user with the set password command.
Workaround: None.
|
CSCdy56082
|
Server crashes on reload using AdvancedDuplicateDetection
Symptoms: After a reload is issued in aregcmd, the following error message appears:
401 Unable to access server
Conditions: The system may crash when Advanced Duplicate Detection is enabled and the server is reloaded.
Workaround: If Advanced Duplicate Detection is in use, avoid reloading the Cisco AR server during peak load times.
|
CSCea35594
|
Cannot reload server after enum with large maximum defined
Symptoms: The RADIUS server stops working. Logging in via aregcmd no longer completes successfully.
Conditions: An enumerated attribute with a very large (greater than 65535) maximum value has been defined.
Workaround: Do not define enumerated attributes with extremely large maximum values.
|
CSCea37697
|
Name change for attributes (26,9,37) and (26,9,38)
Symptoms: Administrator cannot find Cisco VSA when doing per-user policies for Catalyst 10000.
Conditions: The administrator wants to use per-user policies with their Catalyst 10000 box.
Workaround: Change Cisco-Input-Policy to Cisco-Policy-Up and Cisco-Output-Policy to Cisco-Policy-Down.
|
CSCea40782
|
Oracle stored functions are not working with ODBC
Symptoms: ODBC will fail to perform mappings.
Conditions: When aliasing or a stored function is used inside the SQL select statement of an ODBC configuration.
Workaround: None
|
CSCea50767
|
Cisco AR vulnerable to CERT CA-2003-10
Symptoms: Random crash after a hack attempt using malformed RPC calls.
Conditions: An RPC attack based on CERT CA-2003-10 is used.
Workaround: None
|
CSCea51887
|
Abrupt shutdown of VHG causes release of newly allocated subnets
Symptoms: Cisco AR server ignores the Acct-Delay-Time attribute and can remove all sessions after a resend of the Accounting-On packet.
Conditions: When the NAS is rebooted, it sends out an Accounting-On that Cisco AR does not see. Fifteen seconds later it sends out its first ODAP request, receiving a subnet and creating a session on Cisco AR to record it. Fifteen seconds after that, it resends the Accounting-On (since the first one timed out). Cisco AR receives this second Accounting-On and proceeds to delete all of the sessions associated with the NAS (including the just-received ODAP session). This causes problems because Cisco AR will then go ahead and re-use the subnet for a subsequent request, but as far as the NAS is concerned it is still in use. The second Accounting-On does contain an Acct-Delay-Time attribute with a value of 30 (seconds), so it is possible for Cisco AR to only delete sessions associated with the NAS that were created over 30 seconds ago. Cisco AR has never paid attention to the Acct-Delay-Time attribute, but it is probably time we did so.
Workaround: None
|
CSCea55223
|
Unknown client creates extraneous messages in trace
Symptoms: The name_radius_1_trace file shows extraneous messages (last two lines):
03/24/2003 17:58:30: P336: Packet received from 10.107.132.106
03/24/2003 17:58:30: Log: Packet from 10.107.132.106: that address is not in the Clients list
<unknown user>
03/24/2003 17:58:30: P336: Dropping packet: packet was from an unknown client
03/24/2003 17:58:30: handleServerCounters: pClient=0
03/24/2003 17:58:30: handleServerCounters: pServerPerClientStats=0
Conditions: Tracing is turned on and Access Registrar receives a request from an unknown RADIUS client.
Workaround: None
|
CSCea58066
|
Replication slave reload gives core when SNMP enabled is set TRUE
Symptoms: Access Registrar does not start and the RADIUS process is killed.
Conditions: Reload of Replication slave before the SNMP subagent started and /Radius/Advanced/SNMP/Enabled is set TRUE.
Workaround: Restart the Cisco AR server.
|
CSCea61809
|
Cisco AR is handling concurrent requests serially
Conditions: Cisco AR 3.0R2 might handle concurrent requests serially.
Symptoms: Cisco AR is configured to use an Oracle data store for user lookup.
Workaround: None
|
CSCea65350
|
Cisco AR does not proxy EAP requests correctly
Symptoms: The remote RADIUS server drops EAP requests, received from Access Registrar, due to missing Message-Authenticator.
Conditions: Access Registrar is configured to forward (RADIUS proxy) EAP RADIUS requests to a remote RADIUS server.
Workaround: None.
|
CSCea76982
|
Checkitem to be applied for usergroup mapped to LDAP or ODBC users
Symptoms: Checkitem is applied only at the user level for LDAP or ODBC users. Cisco AR does not execute the checkitem configured in the user-group that is mapped to the users.
Conditions: When LDAP or ODBC users are mapped to a local user-group.
Workaround: None
|
CSCea77045
|
Cisco AR checks neither Group checkitems nor authorizationscript
Symptoms: Group checkitems are not verified and authorizationscript is not executed for certain user groups during authorization phase.
Conditions: This problem is observed only if a user is authenticated remotely. For users that are authenticated locally checkitems are verified correctly.
Workaround: Define new object in LDAP which will be used as CheckItem through LDAPToCheckItemMappings. There is no workaround for authorizationscript.
|
CSCea83966
|
Member replication server resynchronizes for no reason
Symptoms: The member server of a replication network resynchronizes with the master when there is zero or little delay.
Conditions: Two servers in a replication network operate normally except for an occasional (every 90-180 second) resynchronization.
Workaround: None.
|
CSCea84291
|
An 8 KB memory leak occurs after 25 log file rollovers
Symptoms: Cisco AR continually uses more memory over time.
Conditions: There are log files being rolled. This mainly impacts accounting log files, but the effect may be seen with other log files.
Workaround: None
|
CSCea88967
|
SNMP Agent is not sending carServerStop trap when stopping the agent
Symptoms: The SNMP Agent does not send the carServerStop trap when the Cisco AR Server Agent is shut down using the /etc/init.d/arserver stop command line.
Conditions: Occurs only when the server agent is shut down. The carServerStop trap is normally sent when the Cisco AR Server Agent is running and the RADIUS server is stopped.
Workaround: Start the snmpd server externally. To do so, complete the following steps:
1. Set /Radius/Advanced/SNMP/MasterAgentEnabled to FALSE.
2. Stop Cisco AR via /etc/init.d/arserver stop
3. Run /cisco-ar/ucd-snmp/sbin/snmpd -f
4. Start Cisco AR via /etc/init.d/arserver start
|
CSCea90431
|
snmpTrapEnterprise should have Cisco-specific value
Symptoms: CAR trap message does not have the enterprise specific value in SNMPv2-MIB::snmpTrapEnterprise.0.
Conditions: When snmptrap is configured in Cisco AR.
Workaround: None
|
CSCea92157
|
Corrupted database - unable to save changes
Symptoms: Attempts to change AR's configuration using aregcmd produces the following error in config_mcd_1_log file:
04/10/2003 234713 config/mcd/1 Error System 0 Assertion failed rdmcode == S_OKAY; file
mdb_obj.c, line 583, data 0x3
Conditions: Under very rare circumstances AR's database will become inconsistent. Although the database can be read, attempts to write to the database fail. This is because an internal database key was specified as being unique but the database was put in to a state where it no longer was.
Workaround: Create a backup of the existing database. The following procedure will overwrite it with a new database that will contain the same data but will not contain the invalid database key.
Back up the existing database with the following:
cp <CSCOar_install_directory>/data/db/* <tempdir>
Export the database with the following:
mcdadmin -e <tempfile>
Then recreate the database with the following:
mcdadmin -c -o -l -i <tempfile>
|
CSCeb02746
|
A minor memory leak occurs while reloading
Symptoms: Minor memory leaks found while analyzing with purify.
Conditions: While reloading Cisco AR.
Workaround: Restart the Cisco AR processes.
|
CSCeb12681
|
ODBC timeout does not work for unreachable remote servers
Symptoms: Cisco AR appears to hang when sending an ODBC request to a server that is not reachable over the network (pings fail).
Conditions: ODBC is set up, but the Oracle server is down or otherwise unreachable.
Workaround: None
|
CSCeb12686
|
ODBC outage policy has no effect until all threads down
Symptoms: Cisco AR does not use the outage policy after the timeout expires. The outage policy does not appear until all threads are down.
Conditions: The ODBC server does not send a response to the ODBC request within the timeout period. The server should mark the thread down and use the outage policy, but it uses another thread.
Workaround: None
|
CSCeb12712
|
Low or high packet pool water mark traps not using configuration numbers
Symptoms: The queue full and queue not so full traps are not sent according to the levels configured in /Radius/Advanced/SNMP.
Conditions: During normal operation, it appears that the traps are being sent with low or high settings of 70/100 instead of the configured settings.
Workaround: None
|
CSCeb12850
|
Remote servers are not marked as down after flapping network
Symptoms: The memory footprint of the RADIUS process grows by 25 MB per day.
Conditions: Unknown
Workaround: None
|
CSCeb17808
|
Setting User-Password to NULL in TCL can fail
Symptoms: Setting User-Password to NULL using a Tcl script can fail.
Conditions: Setting User-Password to NULL in a tcl script rejects when two access-requests are sent back to back.
Workaround: None
|
CSCeb21400
|
Sessions lost on upgrade from 1.7R5, 1.7P10
Symptoms: Sessions active prior to the upgrade no longer appear using query-sessions after the upgrade.
Conditions: Cisco AR was upgraded from a release prior to 1.7R6 to 1.7R6 and the administrator did not clear existing sessions either in aregcmd or the installer.
Workaround: While it is not possible to retrieve the old sessions, the effect of the problem may be minimized by upgrading Cisco AR with few open sessions. It is highly recommended to upgrade to 1.7R6 during a maintenance period or low traffic time since all open sessions will be lost. Also, to avoid the possibility of double allocating an IP address, any devices with users who have an IP address allocated by Cisco AR should have the user sessions manually removed.
|
CSCeb29224
|
Deadlock from accounting-* plus multiple requests
Symptoms: The RADIUS server uses most of the available CPU and does not respond to requests.
Conditions: A deadlock may occasionally appear on systems where there is a lot of accounting activity.
Workaround: Restart all servers.
|
CSCeb37355
|
Log indicates a user has been rejected due to script when a proxy server rejected the request
Symptoms: The log indicates that a proxied request was rejected due to OutgoingScriptRejectedRequest.
Conditions: This might occur when a proxy server rejects a request.
Workaround: Verify that the user in question is acceptable to the proxy server.
|
CSCeb38271
|
Cisco AR reload gives core when it proxies high volume of packets
Symptoms: Cisco AR gives a core file when it is reloaded.
Conditions: Reloading Cisco AR while it is heavily loaded with a high volume of packets to proxy produces a core file.
Workaround: None
|
CSCeb42908
|
Replication master sends two transaction-synchronization packets on startup
Symptoms: Cisco AR server crashed on startup, but no core file appears.
Conditions: Replication is set up and the member starts; on rare occasions the member crashes.
Workaround: None
|
CSCeb53214
|
ODBC performance is seriously degraded
Symptoms: ODBC performance is severely lacking.
Conditions: The Cisco AR server has a normal ODBC configuration. The same configuration for 3.0R2 runs significantly faster.
Workaround: None
|
CSCeb54419
|
Replication fails when interactive set is done on directories
Symptoms: Changes not replicated when an interactive set is done on a directory (set directory_name or cd directory_name; set) and a few property values are changed and saved.
Conditions: Interactive 'set' done on a directory to change some properties under it.
Workaround: Enter into the directory and set the property values individually.
|
CSCin46346
|
Cisco AR continues to send requests to RemoteServers
Symptoms: Cisco AR sends requests to the remote servers indefinitely.
Conditions: Two or more RADIUS remote servers are used in a service and each remote server is configured with a small ReactivateTimeInterval.
Workaround: Configure the remote servers such that the ReactivateTimeInterval of each server is greater than the time that Cisco AR spends retrying the other remote servers. For example, if there are two remote servers and each has an InitialTimeout of 40 seconds and a MaxTries of 3, then the ReactivateTimeInterval of each server should be greater than 280 seconds (40 + 80 + 160).
|
CSCin47621
|
Radius server cores on changing configuration while proxying packets to remoteserver
Symptoms: Radius process gets reloaded automatically.
Conditions: This occurs while changing the configuration when Cisco AR is sending requests to the Radius remote server.
Workaround: None
|
CSCin50569
|
ODBC threads take two periods of ReactivationTimeInterval to reconnect
Symptoms: ODBC performance is low for a few minutes (for the configured ReactivationTimerInterval).
Conditions: Oracle server goes down and comes back again.
Workaround: None
|
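For CSCdu43140 in the table above, a script that reads query-sessions output has to accept a field label with or without the trailing colon. The parser below is an added example, not Cisco code; the S2 line in the sample and the rule that values contain no commas are assumptions.

```python
import re

# Constructed sample: the S1 line is the output quoted in CSCdu43140; the S2
# line is an assumed form in which the dynamic resource also carries a colon.
SAMPLE = """\
Sessions for /Radius/SessionManagers/session-mgr-2:
S1 Key: localhost:1, NAS: localhost, NAS-Port: 1, User-Name: bob, \\
Time: 00:41:58, IP 10.0.1.128, HA 10.10.1.0
S2 Key: localhost:2, NAS: localhost, NAS-Port: 2, User-Name: alice, \\
Time: 00:02:10, IP: 10.0.1.129
"""

HEADER = re.compile(r"^Sessions for (?P<manager>\S+):$")
SESSION = re.compile(r"^(?P<id>S\d+)\s+(?P<fields>.+)$")
# A label, an optional colon, whitespace, then the value. The value itself may
# contain colons (Key "localhost:1", Time "00:41:58"), so only the first
# separator is interpreted.
FIELD = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9-]*):?\s+(?P<value>\S.*)$")


def parse_sessions(text):
    """Return {session manager path: [ {field: value, ...}, ... ]}.

    Raises ValueError on any line or field that does not match, so a change
    in the output format stops the calling script instead of yielding
    silently wrong session data.
    """
    # Join lines that end in a backslash continuation.
    text = re.sub(r"\s*\\\n\s*", " ", text)
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current = result.setdefault(header.group("manager"), [])
            continue
        session = SESSION.match(line)
        if session is None or current is None:
            raise ValueError("unrecognized line: %r" % line)
        record = {"id": session.group("id")}
        # Assumption: field values never contain a comma.
        for part in re.split(r",\s*", session.group("fields")):
            field = FIELD.match(part)
            if field is None:
                raise ValueError("unrecognized field: %r" % part)
            record[field.group("name")] = field.group("value")
        current.append(record)
    return result


if __name__ == "__main__":
    for manager, sessions in parse_sessions(SAMPLE).items():
        for s in sessions:
            print(manager, s["id"], s.get("User-Name"), s.get("IP"))
```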
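The Accounting-On timeline described under CSCdw87985 and CSCea51887 can be replayed to show why honoring Acct-Delay-Time protects the session created after the NAS reboot. This is an added sketch, not Cisco AR code: the Session type, the function names, the NAS names and the subnets are hypothetical, and the timestamps are constructed from the 15 and 30 second figures in the bug description.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    nas: str           # NAS that owns the session
    resource: str      # resource held by the session, e.g. an ODAP subnet
    created_at: float  # server clock, in seconds


def stale_sessions(sessions: List[Session], nas: str, received_at: float,
                   acct_delay_time: Optional[int],
                   honor_delay: bool) -> List[Session]:
    """Sessions to delete when an Accounting-On arrives from `nas`.

    Acct-Delay-Time is the number of seconds the NAS has been trying to send
    the record, so the reboot happened at about received_at - acct_delay_time.
    Only sessions created before that moment predate the reboot.
    """
    if honor_delay and acct_delay_time is not None:
        cutoff = received_at - acct_delay_time
    else:
        # Behaviour described in the bug: every session of the NAS is removed.
        cutoff = received_at
    return [s for s in sessions if s.nas == nas and s.created_at < cutoff]


def replay_reboot(honor_delay: bool) -> List[str]:
    """Replay the scenario and return the resources that would be freed."""
    # Constructed timeline (seconds): the NAS reboots at t=0 and its first
    # Accounting-On is lost; at t=15 an ODAP request creates a session; at
    # t=30 the Accounting-On is resent with Acct-Delay-Time = 30.
    sessions = [
        Session("nas1", "10.1.0.0/24", created_at=-600.0),  # before the reboot
        Session("nas2", "10.2.0.0/24", created_at=-300.0),  # a different NAS
        Session("nas1", "10.1.1.0/24", created_at=15.0),    # after the reboot
    ]
    doomed = stale_sessions(sessions, "nas1", received_at=30.0,
                            acct_delay_time=30, honor_delay=honor_delay)
    return sorted(s.resource for s in doomed)


if __name__ == "__main__":
    # Ignoring the attribute frees the subnet the NAS is still using, so a
    # later request can be given the same subnet a second time.
    print("ignored :", replay_reboot(honor_delay=False))
    print("honored :", replay_reboot(honor_delay=True))
```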
Known Anomalies in Cisco Access Registrar 3.0R2
This section describes the known anomalies in Cisco Access Registrar, Release 3.0R2.
Table 14 Known Anomalies in Cisco AR 3.0R2
Bug
|
Description
|
CSCai03178
|
Multiple query commands results in RADIUS server not responding
Symptoms: In one of multiple aregcmd sessions open on the same configuration, the command query-sessions will not work.
Conditions: More than one aregcmd session submits a query-sessions command to the same session table simultaneously.
Workaround: None.
|
CSCdp91753
|
Logging does not work for files equal to or greater than 2GB
Symptoms: After any log file size exceeds 2GB, logging to that file stops.
Conditions: Size of log file exceeds 2GB.
Workaround: Rotate the log files. If you are using a version of Cisco AR earlier than 1.6R0, stop the server before moving any log files.
|
CSCdt00784
|
Cisco AR server may core dump when the disk is full for long time
Symptoms: RADIUS process cores and messages generated about server not being able to write to session backing store.
Conditions: Server is processing AAA requests, but partition with Cisco AR is full.
Workaround: Free more disk space.
Note: In previous versions of Cisco AR, the server would stop processing AAA requests under full partition conditions. This bug seems to indicate that this stopped behavior is no longer in the product. Also, any core files are incomplete due to lack of free disk space. The server will not core immediately when the partition fills.
|
CSCdt63165
|
aregcmd allows all administrative users to be deleted
Symptoms: No administrators appear in /Administrators in aregcmd.
Conditions: An administrator deleted all the administrators, effectively causing a lockout.
Workaround: None
|
CSCdu77687
|
ExecTimeRule script does not run correctly
Symptoms: The ExecTimeRule does not match times correctly.
Conditions: The valid time range for an instance of the ExecTimeRule rule is more complicated than just a time range (multiple time ranges or days are specified).
Workaround: None
|
CSCdv54419
|
SNMP reports average RTT instead of the RTT of the last request
Symptoms: SNMP query reports the average round trip time instead of the round trip time for the last request.
Conditions: This occurs any time you make an SNMP request.
Workaround: Cisco AR is incorrectly reporting the average RTT. To obtain the RTT of the last request, you will need to arithmetically determine it from the previous average RTT, the current average RTT, and the total number of requests sent to the remote server.
|
CSCdv54469
|
radiusAccClientUnknownTypes counter never increases
Symptoms: The radiusAccClientUnknownTypes is never incremented. Instead, the radiusAuthClientUnknownTypes is incremented.
Conditions: An Accounting Response for an Accounting Request has its type changed to unknown and sent back. The radiusAccClientUnknownTypes counter should be incremented on the proxying server. The radiusAuthClientUnknownTypes counter is incremented instead.
Workaround: The radiusAuthClientUnknownTypes counter is incremented for any responses that have their types set to unknown. Treat it as the total number, and ignore the radiusAccClientUnknownTypes. If you have a specific server set aside for accounting, then any accounting responses that have unknown types would be marked for that specific remote server's radiusAuthClientUnknownTypes counter.
|
CSCdv76718
|
arlockmgr is not automatically restarted by the RADIUS process
Symptoms: Cisco AR stops authenticating local users.
Conditions: If the arlockmgr process dies, the RADIUS process does not restart it automatically. Running arstatus shows only three of the four required processes running.
Workaround: Run aregcmd to restart the process.
|
CSCdw52741
|
Cannot use replication in NAT environments
Symptoms: The master and member servers of a replication network complain that they either do not know about each other or they cannot communicate with each other.
Conditions: Cisco AR is deployed in a NAT network environment and the customer wants to use server replication to keep the configuration synchronized.
Workaround: Run Cisco AR on a non-NAT network.
|
CSCdw74227
|
Increasing maximum file descriptors in /etc/system stops aregcmd from working
Symptoms: aregcmd cannot login to the server, even on a fresh install.
Conditions: The administrator has raised the maximum file descriptors via /etc/system to increase the maximum number of open file handles.
Workaround: Remove the maximum file descriptor lines and reboot the server.
|
CSCdx24841
|
mcdadmin gives no error message if a null file is imported
Symptoms: Running the mcdadmin command with an empty import file will not display an error. Cisco AR will not function after this import occurs.
Conditions: This symptom occurs when the mcdadmin command imports an empty file. This will not occur if the documented procedures which use this command are followed.
Workaround: Do not use mcdadmin to import files that are not Cisco AR configuration files.
|
CSCdx27007
|
aregcmd gives a segmentation fault with a particular sequence of commands
Symptoms: Under certain circumstances, if a save command is issued at the aregcmd prompt when no changes have been made, a segmentation fault occurs.
Conditions: Since no data changes have been made, this problem will not result in any loss of data.
Workaround: Do not issue a save command if no changes have been made to the configuration.
|
CSCdx52831
|
Cisco AR server cores while establishing ODBC connections
Symptoms: Cisco AR restarts with reload command when ODBC connections to the database are being established.
Conditions: Reloading Cisco AR while ODBC connections to the database are getting established.
Workaround: Reload Cisco AR after all the ODBC connections to the database have been established.
|
CSCdy04282
|
Cisco AR may not handle non-tagged attributes correctly from proxy
Symptoms: Cisco AR returns garbage values in tunnel attributes when returning them as a proxy server.
Conditions: When Cisco AR is a proxy server (as in dial wholesale), a returning access-accept containing non-tagged tunnel attributes may not be handled correctly.
Workaround: Have the downstream server return tagged attributes instead of untagged ones.
|
CSCdy11292
|
aregcmd command ls returns 307 error on properties
Symptoms: An administrator uses aregcmd command ls on a property and gets a 307 error.
Conditions: Running ls directly on a property and not a directory (ls /Radius/Version) results in a 307 error by aregcmd.
Workaround: None, but no functional error.
|
CSCdy15425
|
The command cd Profiles takes a long time to return the list
Symptoms: When doing cd Profiles, it takes more than four to five minutes to get the list back.
Conditions: This happens when the list is long because Cisco AR needs to sort it first.
Workaround: The workaround is to go to one object lower, such as cd Profiles/<profile-name>, but this is not always possible as it might occur that we do not know the Profile's name and need to look for it.
|
CSCdy20675
|
aregcmd set username/password password should not query
Symptoms: The aregcmd command line set username/password should not prompt for password verification if it is already passed on the command line. The current behavior is:
set bob/password foo
Retype password to confirm:
Set bob/Password <encrypted>
The confirmation should only happen if the user enters the password with echo off. There is no reason to do this when the password is passed on the command line.
Conditions: When adding a password for a given user with the set password command.
Workaround: None.
|
CSCdy29522
|
Access Registrar trap MIB not on CCO nor MIB-police submitted
Problem description: The Access Registrar MIB referenced at /en/US/docs/net_mgmt/access_registrar/1.7/concepts/guide/snmp.html#xtocid1 includes the carServerStop trap but the MIB is unavailable to customers.
Workaround: None.
|
CSCdy40001
|
The aregcmd command set fails when path specified with single letter
Symptoms: aregcmd command set fails.
Conditions: The path for the property whose value is being set is specified with a single letter. (For example: set r/DefaultSessionManager session-mgr-1)
Workaround: Use at least two letters when specifying a single-level path for the set command. For example: set ra/DefaultSessionManager session-mgr-1
|
CSCdy46148
|
Cisco AR cores when java extension without required interface is used
Symptoms: Cisco AR cores when a Java extension script that does not implement the interface required for such scripts is used.
Conditions: A Java extension script that does not implement the interface required for such scripts is added, set as the server IncomingScript, saved but not reloaded, and an access request is then sent.
Workaround: Reload Cisco AR on adding the Java extension script.
|
CSCdy51365
|
Java services not hot-configured properly
Symptoms: Java services do not work until the server is reloaded.
Conditions: A Java service is added and saved, and the server is not reloaded.
Workaround: Reload the server on adding a Java service.
|
CSCdy56082
|
Server crashes on reload using AdvancedDuplicateDetection
Symptoms: After a reload is issued in aregcmd, the following error message appears:
401 Unable to access server
Conditions: The system may crash when Advanced Duplicate Detection is enabled and the server is reloaded.
Workaround: If Advanced Duplicate Detection is in use, avoid reloading the Cisco AR server during peak load times.
|
CSCdy57104
|
Java example accounting script causes core when not initialized
Symptoms: Cisco AR cores when the example Java accounting script is created but not initialized, saved and reloaded.
Conditions: The example Java accounting script is not initialized.
Workaround: Specify the initialization parameter when creating the service.
|
CSCdy59596
|
arserver script should set umask to 113
Symptoms: Administrator cannot login to aregcmd or read aregcmd_log file.
Conditions: The Cisco AR server has rolled the aregcmd_log file, but the permissions do not allow group read or write.
Workaround: When starting Cisco AR, be sure the umask is at least 112 before running arserver.
|
CSCdy71586
|
Class file not located if classpath set after java script configuration
Symptoms: The class file referenced by a Java extension script is not recognized if it is in a location other than the default classpath if the classpath is set to the class file location after the script is configured.
Conditions: The classpath for Java extensions parameter is set after the Java extension script is configured.
Workaround: Set the classpath for Java extensions before configuring the script or restart the server.
|
CSCdy72758
|
After restart of Cisco AR server agent, SNMP MIB walk stops working
Symptoms: SNMP MIB walk stops working
Conditions: When the Cisco AR server agent dies and trampoline restarts the server.
Workaround: Restart the Cisco AR server by using the following command: /etc/init.d/arservagt restart
|
CSCdy84713
|
Replication of /Radius/Script object logs error message in Slave
Symptoms: Replication of /Radius/Script object logs error message in slave name_radius_log when it is replicated.
Conditions: Configure single master-slave replication, then add a script object under /Radius/script to the master host.
Workaround: None
|
CSCdy87006
|
Session management fails on central resource server
Symptoms: The central resource Cisco AR server rejects session management requests from front-line Cisco AR servers.
Conditions: On the central resource Cisco AR server, the DefaultAuthenticationService and DefaultAuthorizationService are set to an LDAP service.
Workaround: Set the DefaultAuthenticationService and DefaultAuthorizationService to something other than an LDAP service.
|
CSCdy87379
|
Script with invalid class requires restart even after correction
Symptoms: Configuring a script with an invalid class stops the server. The server does not start on reloads even after the class is corrected.
Conditions: The class configured for the script is not valid.
Workaround: Restart the server.
|
CSCdz36245
|
Alternate threading library causes AX_EWOULDBLOCK messages
Symptoms: The logs have a large number of AX_EWOULDBLOCK messages and the server performance is erratic.
Conditions: Using Solaris 8 with the alternate threading library located in /usr/lib/lwp.
Workaround: Use the default library in /usr/lib rather than the alternate one.
|
CSCdz71935
|
Insufficient trace message when password incorrect
Symptoms: Local user is rejected but trace does not explain.
Conditions: The user's AllowNullPassword property is set to TRUE and the user's password is incorrect in the access request.
Workaround: Check the log file for explanation.
Log: Request from HA2 (10.8.15.45): User bob rejected (UserPasswordInvalid)
|
CSCdz82064
|
aregcmd does not timeout when initial connection fails
Symptoms: aregcmd hangs when trying to login to a remote Cisco AR server.
Conditions: The remote server does not exist.
Workaround: None; use CTRL-C to exit aregcmd.
|
CSCea06535
|
Service outgoing script fails to run when Authenticate Only is service type
Symptoms: Service outgoing script fails to run.
Conditions: The request contains the attribute, Service-Type = Authenticate-Only.
Workaround: None
|
CSCin09949
|
ExecTimeRule creates core file when using space in TimeRange
Symptoms: Setting the TimeRange attribute to a value that contains a space and sending a packet for processing generates a core file.
Conditions: Setting TimeRange to a value that contains a space.
Workaround: Use a comma to separate day and time when setting the TimeRange as in the following: thu,00:00-23:59
|
CSCin17561
|
Cisco AR server cores while sending access-request for user with a VSA.
Symptoms: Cisco AR server reloads automatically.
Conditions: Changing a client vendor type and adding a VSA to the user and sending an access-request with a non-RFC compliant vendor specific attribute.
Workaround: None
|
CSCin19437
|
Changing Service type from file to group generates error in Replication
Symptoms: In replication slave, the modified service will not be available for authentication and reload of the replication slave will fail.
Conditions: Changing the service type from file to group in Replication Master
Workaround: On the slave, delete the group service created by replication, recreate it manually through aregcmd, and reload the slave server.
|
CSCin26428
|
Accounting file rolling fails when reloading Cisco AR server at RolloverSchedule
Symptoms: Accounting file rollover occasionally does not occur.
Conditions: Reloading the Cisco AR server at the configured rollover time.
Workaround: Do not reload the Cisco AR server at the configured rollover time.
|
CSCin29894
|
Replication fails while changing the user name
Symptoms: User name change is not replicated to slave.
Conditions: Changing just the user name and issuing a save in the Replication master.
Workaround: None
|
Anomalies Fixed in Cisco Access Registrar 3.0R2
This section describes the anomalies fixed in Cisco Access Registrar, Release 3.0R2.
Table 15 Anomalies Fixed in Cisco AR 3.0R2
Bug
|
Description
|
CSCai03674
|
Call get*byType() REX functions with null might cause unexpected system failure
Symptoms: The RADIUS server performs an unexpected system reload.
Conditions: A script called a get*ByType API function with a null instead of a pointer.
Workaround: Recompile the script to call the function with a valid pointer, then reload the server.
|
CSCai03864
|
Erroneous bad password log in Agent Server from aregcmd
Symptoms: An error message appears in the file agent_server_1_log about a bad password, even though the password was correct.
Conditions: An administrator successfully logs in to aregcmd.
Workaround: None.
|
CSCdk82488
|
Adding a VSA with the same name as a standard attribute should not work
Symptoms: No error message is produced, yet one should be.
Conditions: A VSA has been added with the same name as an existing attribute; this should produce an error.
Workaround: Visually inspect the attribute dictionary to confirm the uniqueness of all attribute names.
|
CSCdp21838
|
The command string ls -R is inconsistent in certain objects
Symptoms: An ls -R command on a list of address ranges (within an ip-dynamic Resource Manager) only shows 20 address ranges.
Conditions: The list of address ranges has more than 20 ranges defined.
Workaround: Use next and prev to see all the address ranges.
|
CSCdu41754
|
No trace messages for LDAP to environment mappings
Symptoms: Cisco Access Registrar does not display any trace information when it sets environment variables through the ldap to environment mapping feature.
Conditions: LDAP to environment mappings exist in an ldap remoteserver object.
Workaround: None
|
CSCdu80329
|
User allowed more sessions than configured when using LDAP for AA
Symptoms: The administrator allowed more sessions than configured when using LDAP for AA
Conditions: If authentication is done against an LDAP server which does not treat user names as case-sensitive strings and Session Management is used, Per-User session limits and other resource tracking may not behave correctly.
If you attempt to log in with two user names which are the same when compared in a case-insensitive manner (for example, "joe" and "JOE"), an LDAP server might treat these as the same user (this is determined by the LDAP schema). However, Access Registrar's Session Management, which tracks resources and session limits by User-Name, treats these as two distinct users.
Workaround: Normalize the username by using the form stored in the LDAP server. To do this, use the LDAPToEnvironmentMapping feature on the LDAP RemoteServer definition to map the version of the user-id stored in the LDAP server to the User-Name Environment Dictionary variable.
|
CSCdv58227
|
Bad username causes AR to mark LDAP server as temporarily disabled
Symptoms: When using LDAP for authentication, sending an invalid username can cause Cisco AR to temporarily mark the LDAP server as disabled. This can cause users to fail authentication. Service is restored after the ReactivateTimerInterval timer expires (default is 300000 milliseconds, or 5 minutes).
Conditions: An invalid username is anything that contains any of these special characters: *, (, ), and \
Workaround: Set EscapeSpecialCharInUserName to TRUE in the LDAP server profile (default is FALSE).
|
CSCdw13692
|
Maximum and Minimum Values of VSA not validated to set within limits
Symptoms: When the maximum and minimum value of a VSA of type Enum/String is set larger than 7FFFFFFF, the command line interface does not validate it, but a Cisco AR server reload fails.
Conditions: VSA maximum and minimum value is set larger than 7FFFFFFF.
Workaround: None
|
CSCdw24553
|
Cisco AR fails when file handle limit is reached
Symptoms: Cisco AR may stop processing RADIUS requests and fail to start.
The Cisco AR log file, name_radius_1_log, may display messages like:
12/14/2001 17:30:20 name/radius/1 Error System 0 Assertion failed:
IS_VALID_SOCKET( f ); file af_iasocket.h, line 113, data 0x0
12/14/2001 17:30:20 name/radius/1 Info Server 0 Received signal 6
12/14/2001 17:30:20 name/radius/1 Error Server 0 Give up on signal 6
12/14/2001 17:30:20 name/radius/1 Error System 0 Assertion failed: 0;
file rexcontext.cpp, line 249, data 0x0
If tracing is enabled, the Cisco AR trace file, name_radius_1_trace, may display messages like:
12/14/2001 17:24:30: Log: RemoteServer 1137remser (15.136.87.44:1645):
af_socket() failed with -2147418088
*** 'af_iasocket.h':113 ASSERTION 'IS_VALID_SOCKET( f )' failed
12/14/2001 17:30:20: Log: Received signal 6
12/14/2001 17:30:20: Log: Give up on signal 6
*** 'rexcontext.cpp':249 ASSERTION '0' failed
Conditions: In the Cisco AR configuration utility, aregcmd, when trying to start or reload the server, the following message may be displayed:
Trying to execute a command in aregcmd may display the following message:
401 Unable to access server
Workaround: Avoid reaching the file descriptor limit by using no more than 700 file descriptors through configuration. The following list shows which objects consume file descriptors and how many:
Interfaces, Ports: for each network interface, Cisco AR will open a file descriptor for each port it listens on. Include the loopback interface in the calculation. For example, a machine with one network interface will consume 4 file descriptors if listening on ports 1645 and 1646
Services (type file): 1 file descriptor each
RemoteServers (type RADIUS): 1 file descriptor each
RemoteServers (type LDAP): 1 file descriptor each
|
CSCdw53470
|
ExecRealmRule causes SIG11 when user-name does not contain @ or # characters
Symptoms: Cisco AR logs show that ExecTimeRule caused an exception.
Conditions: The ExecRealmRule is used in a policy and the user-name attribute does not contain the # or @ delimiter. If the other checks pass (value is long enough), the check causes an invalid pointer.
Workaround: None
|
CSCdx03796
|
Accounting logs do not roll each minute
Symptoms: Accounting files do not roll at the exact time when using cron style rollover.
Conditions: The local accounting service has a cron style rollover schedule. However, the file rolls sometime around the specified time instead of at the exact time.
Workaround: None
|
CSCdx16371
|
Replication not using DB transactions, may corrupt DB
Symptoms: Unknown
Conditions: Replication took place during configuration changes in another instance of aregcmd.
Workaround: None
|
CSCdx27041
|
aregcmd segmentation faults for the command set p <prot> under /Radius/RemoteServers
Symptoms: aregcmd cores after you try to set the protocol of a remote server.
Conditions: The administrator tried to set the protocol of a remote server using set p.
Workaround: Use more than the letter p when setting the protocol property of a remote server, such as: set pr <protocol>
|
CSCdx32329
|
AR fails to rollover accounting files after daylight savings time changes
Symptoms: After daylight savings time change, the Access Registrar server does not adjust to the new time properly. Although the accounting logs have the correct timestamps, the file rollover occurs using the old time.
Conditions: A time change occurs, such as during daylight savings time starting or ending, but AR still rolls accounting logs at the time set prior to the time change. All the date stamps are correct in logs, but log rollover occurs at the wrong time.
Workaround: After a daylight savings time change, stop then restart the Cisco AR server:
arserver stop
arserver restart
|
CSCdx36034
|
aregcmd history is not working for commands of length greater than 98
Symptoms: History does not work in aregcmd
Conditions: When an administrator configures any attribute with length greater than 98.
Workaround: You must manually type the commands again.
|
CSCdx48648
|
Session is not cleaned up after an error
Symptoms: The following error message is displayed:
<date> <time> name/radius/1 Error Protocol 0 Session Manager <name> was unable to process
accounting start since the packet did not contain the Acct-Session-Id field. This must be
present in an accounting start packet.
Conditions: Clean install with examples. Set AllowAccountingStartToCreateSessions to TRUE in the default session manager. Submit an Accounting-Start packet that has no Acct-Session-Id attribute.
Workaround: Remove the session.
|
CSCdy43556
|
Cisco AR server cores with reload after particular sequence of commands
Symptoms: Cisco AR cores when reload is given after a particular sequence of commands in aregcmd non-interactive mode.
Conditions: In aregcmd non-interactive mode, a dummy remote server is added and saved, a RADIUS service with the dummy remote server is added and saved, a tcl script is added and set as the incoming script for the new RADIUS service, saved and reloaded.
Workaround: Allow some time delay after saves.
|
CSCdy51974
|
lastRequestTime in stats output not updated
Symptoms: The lastRequestTime of the aregcmd stats output always displays "<no requests have been received>" even when confirmed requests were sent.
Conditions: For a RADIUS remote server, the lastRequestTime is never updated when the trace shows a packet being sent. Also, the display seems backwards since a request would be sent, not received, through a remote server.
Workaround: None
|
CSCdy71500
|
Word validation misspelled from trace log
Symptoms: When working on replication, the trace log showed a CRC mismatch message such as "09/23/2002 19:53:09 name/radius/1 Warning Server 0 Transaction data block element failed validatation - CRC mismatch."
Conditions: The word validation is misspelled.
Workaround: None
|
CSCdy71517
|
Word committed misspelled in trace log for replication
Symptoms: Once the slave synchronizes with the master for replication, the slave's trace log shows elements being committed with the following message:
09/23/2002 19:45:47 name/radius/1 Info Server 0 Replication Transaction #5 With 1 Elements
Commited.
Conditions: The message occurs when the elements are being replicated and committed onto the slave machines.
Workaround: None
|
CSCdy72744
|
Trampoline will not restart if SNMP agent dies by itself
Symptoms: Trampoline will not restart the SNMP agent if it dies.
Conditions: The SNMP agent dies by itself.
Workaround: Restart the AR server using the following command: /etc/init.d/arservagt restart
|
CSCdy84757
|
Incomplete error message when a port with wrong Type is added
Symptoms: Incomplete path in the error message displayed by aregcmd when a new port with an invalid Type is added.
Conditions: A new port is added with an invalid type.
Workaround: None.
|
CSCdz06157
|
totalPacketsInUse value can become corrupted
Symptoms: The totalPacketsInUse value never goes down, even when there are no packets being processed by the server. When the server proxies its requests, the name_radius_1_log file may contain these messages: 10/18/2002 4:54:55 name/radius/1 Error Server 0 RADIUS has used 1662 of its 1024 request buffers: the server is dropping 1 request; 1056 packets dropped total.
You can see that the server has used more packets than configured for the packet pool.
Conditions: The server was reloaded (using the aregcmd reload command) while processing packets.
Workaround: Completely restart the Cisco AR server using the /etc/init.d/arscript.
|
CSCdz09230
|
enum 6 for Tunnel-Medium-Type incorrect in mcdConfig.txt
Symptoms: Cannot set the Tunnel-Medium-Type to 802, which is in RFC2868.
Conditions: The server did not have this defined correctly.
Workaround: Manually add the value to //localhost/Radius/Advanced/Attribute Dictionary/Tunnel-Medium-Type/Enums using the following commands:
cd //localhost/Radius/Advanced/Attribute Dictionary/Tunnel-Medium-Type/Enums
set 6 806
|
CSCdz19468
|
ODBC does not handle JOIN and DISTINCT SQL queries
Symptoms: ODBC fails when an SQL join query is set with more than one 'and' condition. When such a query is set, ODBC returns an empty row and Cisco AR rejects the existing users.
Conditions: SQL queries with the 'distinct' keyword do not work. The packet processing stops in the authentication stage.
Workaround: Change the SQL join query to use one 'and' condition.
|
CSCdz21901
|
LDAP connections can lose packets
Symptoms: The totalPacketsInUse and totalRequestsPending stick at a value above zero with no traffic going through the server.
Conditions: At least two LDAP servers are in use and the network begins to flap randomly. The problem seems to appear more often with DNSLookupAndLDAPRebindInterval activated.
Workaround: Completely reload the server using the /etc/init.d/arserver script.
|
CSCdz34402
|
OutageScript not invoked when RemoteServer outage occurs
Symptoms: The outage script is not invoked when a remote server outage occurs.
Conditions: Remote server outage occurs.
Workaround: None.
|
CSCdz36359
|
aregcmd incorrectly saves integer values of an ENUM
Symptoms: The administrator added a new ENUM to an attribute in the attribute dictionary, but it does not appear in the list on the next aregcmd instance after saving.
Conditions: The administrator added a new ENUM to an attribute in the attribute dictionary whose value is purely an integer (an example of this is Tunnel-Medium-Type and enum 6).
Workaround: Change the attribute type to an integer instead of ENUM and use the attribute according to the raw enum number instead of the string value (in the above attribute, use a value of 6 instead of 802).
|
CSCdz36374
|
Cisco AR does not start when AV pair ENUM value an integer
Symptoms: Cisco AR does not start properly after setting an AV pair in an attribute list to use an attribute of type ENUM to an integer value.
Conditions: The attribute (such as Tunnel-Medium-Type) is an ENUM type and one of the enums is an integer (for example, 6 = 802). The administrator used this AV pair in an attribute list for a profile, group, or user.
Workaround: Change the attribute to an UINT32 and use the raw integer value of the enum (6 in the above example).
|
CSCdz41072
|
The attributes list in a user not clearing dirty bit after save
Symptoms: aregcmd asks if you wish to save changes immediately after a successful save.
Conditions: An attribute was deleted from the attributes list in the user object.
Workaround: None
|
CSCdz60623
|
Multiple policies not invoked when ARIsCaseInsensitive FALSE
Symptoms: Only the default SelectPolicy is invoked, even when multiple policies are configured.
Conditions: When /Rad/Adv/ARIsCaseInsensitive is set to FALSE and multiple policies have been configured, Cisco AR invokes only the default SelectPolicy.
Workaround: None
|
CSCdz62333
|
Install does not allow JRE 1.4.1_01
Symptoms: Administrator is trying to use Sun JRE 1.4.1_01 with Cisco AR 3.0, but the install fails.
Conditions: The JRE is not the original 1.4.1, but a patch (like 1.4.1_01).
Workaround: None
|
CSCdz64180
|
rexservice.cpp is not Year 2000 compliant
Symptoms: An accounting log file has date stamps that do not have the correct year (they are 3 digits).
Conditions: The server is using the rexservice.cpp without any changes to it.
Workaround: None.
|
CSCdz68565
|
Manual changes file gives 310 error on import
Symptoms: Applying the manual changes file via aregcmd results in a 310 error.
Conditions: The administrator attempted to complete the upgrade process by importing the manual changes file.
Workaround: Remove the line that sets enum 6 in the Tunnel-Medium-Type attribute and reimport. If enum 6 is required, it is necessary to completely remove the attribute, then manually add it again.
|
CSCdz69474
|
RolloverSchedule produces many files after new year
Symptoms: Any filename prefix associated with a file service set up with a RolloverSchedule produces lots of files after the new year change.
Conditions: A file service is set to rollover using a specific schedule (via the RolloverSchedule) and the new year has just passed (such as 01/01/2003).
Workaround: Reload the server just after midnight on the first day of the new year. However, cleanup of files already present may be difficult to resolve.
|
CSCdz71686
|
ar-status log does not honor car.conf LOGDIR location
Symptoms: Cisco AR continues to write to the default ar-status log file.
Conditions: The car.conf LOGDIR has been modified.
Workaround: Create a symbolic link to the default ar-status file.
|
CSCdz81589
|
Cisco AR processes crashes
Symptoms: Cisco AR processes crashes.
Conditions: Unknown
Workaround: Unknown
|
CSCea11274
|
ODBC to environment mapping does not handle strings greater than 256 bytes
Symptoms: Value of an ODBC mapped environment variable is truncated.
Conditions: An environment variable is used to store information from an ODBC mapping.
Workaround: Split the ODBC value into smaller chunks (use multiple columns) or use multi-row value returns.
|
CSCea20731
|
REX put method may give wrong error in log
Symptoms: The server gives an error that it is out of memory while in a REX script (not TCL).
Conditions: An attempt was made to put an invalid value into an attribute in either the request or response dictionaries. For example, a string was the value to the Framed-IP-Address attribute.
Workaround: Ensure that all values are correct for the attribute type.
|
CSCea20752
|
Upgrade Cisco AR with a large configuration database can fail
Symptoms: Upgrade fails with a "400 Login failed" error even though the credentials supplied are correct.
Conditions: On large configuration databases that cause Cisco AR to take more than 30 seconds to start, the Cisco AR server is not yet ready to accept MCP connections. This causes aregcmd to fail, which causes the upgrade process to fail. Repeated tries usually do not affect the success rate, unless aregcmd runs just after the server starts (race condition).
Workaround: None
|
CSCea26379
|
Upgrade process gives warning message
Symptoms: While upgrading, the following message appears:
Warning: missing newline at end of file /var/sadm/pkg/CSCOar/install/release.batch
Conditions: The administrator is upgrading from a previous version of AR and wishes to keep the config.
Workaround: None
|
CSCea28869
|
The preremove script can delete all files in /lib
Symptoms: All the files in /lib are gone.
Conditions: There was an error in the pkgrm, usually because the administrator improperly deleted an installation directory. This causes the preremove script to improperly handle the error.
Workaround: None
|
CSCin10556
|
Cisco AR server cores while setting huge value for database
Symptoms: Reload of the server fails.
Conditions: Adding a remote server of type odbc and, inside DataSource, setting a huge value for the DataBase attribute.
Workaround: None
|
CSCin13784
|
aregcmd should validate tunnel-password length for 239 characters
Symptoms: aregcmd accepts a value with 253 characters for the tunnel-password attribute, but the maximum allowed value for this attribute is only 239 characters.
Conditions: Configure a tunnel-password_tag1 attribute with a value having more than 239 characters.
Workaround: None
|
CSCin16951
|
manual.changes file generated in upgrade is not proper
Symptoms: After upgrade, applying the /opt/CSCOar/temp/*manual-changes batch file through aregcmd will throw an error message.
Conditions: Upgrading Cisco AR from 3.0R1 version and using the manual-changes batch file to update the VSAs.
Workaround: In the manual-changes file, change the lines
cd "/Radius/Advanced/Attribute Dictionary/Vendor-Specific/Vendors/3GPP2/SubAttribute Dictionary/CDMA-Release-Ind/Enums/1" PPP/"
to
cd "/Radius/Advanced/Attribute Dictionary/Vendor-Specific/Vendors/3GPP2/SubAttribute Dictionary/CDMA-Release-Ind/Enums/"
set 1 "PPP/Service-Timeout"
|
CSCin18750
|
Incorrect validation for RADIUS attributes under LDAPToRadiusMapping
Symptoms: Vendor names can be configured as valid RADIUS attributes under LDAPToRadiusMappings and LDAPToCheckItemMappings.
Conditions: A vendor name is configured as a valid attribute in the RHS of LDAPToRadiusMappings or LDAPToCheckItemMappings.
Workaround: None
|
CSCin21474
|
aregcmd cannot store numbers greater than INT_MAX properly
Symptoms: aregcmd fails to show the correct value entered after saving.
Conditions: When numbers greater than INT_MAX (2147483647) are given as the value of a numeric property.
Workaround: Use a value less than INT_MAX (2147483647).
|
CSCin22310
|
Accounting files always use UTC timestamp
Symptoms: Cisco AR uses a UTC time stamp in the accounting file, irrespective of the UseLocalTimeZone property.
Conditions: Set the UseLocalTimeZone property to True.
Workaround: None.
|
CSCin34840
|
Set command from aregcmd command line fails
Symptoms: aregcmd gives a 'Bus Error'.
Conditions: Executing the aregcmd command set, as follows:
aregcmd -s set /Radius/Advanced/ReplyMessages/Default Abc
Workaround: Use the set command in aregcmd interactive mode or write the commands to a file and use:
aregcmd -sf filename
|
CSCin36001
|
Accounting file rollover creates empty files
Symptoms: Cisco AR creates many empty accounting rollover files.
Conditions: Setting only the minutes part in RolloverSchedule.
Workaround: None
|
Anomalies Fixed in Cisco Access Registrar 3.0R1
This section describes anomalies in Cisco Access Registrar 3.0R0 that have been fixed in Cisco Access Registrar, Release 3.0R1.
Table 16 Anomalies Fixed in Cisco AR 3.0R1
Bug
|
Description
|
CSCdm06836
|
SessionManager should release a session created by other Session Manager
Symptoms: Cisco AR logs that it could not release a session created by another session manager.
Conditions: A stale session exists in the session table. The next packet on the same NAS ID and port as the stale session triggers a different session manager than the stale session, but the server refuses to clean the stale session.
Workaround: Use release-sessions to manually release the stale session.
|
CSCdt85018
|
No validation for booleans in userlists when run from script
Symptoms: Boolean in a user object set to FALSE when it should be true.
Conditions: The user object was added using a batch file and the value was not set to TRUE (the username might have been misspelled). The validation in batch mode does not cause an error in this case.
Workaround: Manually set the value to TRUE.
|
CSCdu28101
|
Once a session manager added, cannot query sessions on slave
Symptoms: After a SessionManager is configured on a Cisco Access Registrar system using the Single Master Database Replication feature, it is no longer possible to use the query-sessions and release-sessions commands on slave systems.
Workaround: None
|
CSCdu55631
|
NAS-Port is still required even if Session-Key is set
Symptoms: A recent feature allowed an extension point to specify the session key that would be used for session management. When Session-Key is set, it will be used instead of the default combination of NAS-Identifier (or NAS-IP-Address, if NAS-Port is still required even if Session-Key is set
Conditions:
Workaround: Ensure that NAS-Port is present in every request that involves session management.
|
CSCdu78618
|
Cisco AR core dumps under load and proxy down
Symptoms: Cisco Access Registrar can core and restart
Conditions: A remote server object is configured with InitialTimeout = 100 and ACKAccounting = false. The remote server that it represents is down and Access Registrar is receiving accounting requests, to be sent to the remote server, under load.
Workaround: Unknown
|
CSCdw17676
|
Configuration-only install does not produce a working install
Symptoms: aregcmd cores after a configuration-only install.
Conditions: The administrator installed AR with just the configuration pieces. After it is done, running aregcmd results in a core file and an error that it could not find the car.conf file.
Workaround: Manually create the logs directory and car.conf file.
|
CSCdw52859
|
ACK account defaults to FALSE in non-interactive aregcmd
Symptoms: The server does not wait for an accounting-response from a RADIUS proxy server.
Conditions: When the administrator uses batch mode to add remote RADIUS servers, the ACKAccounting field is set to FALSE.
Workaround: Either add the remote server manually or insert a second line into the batch file that explicitly sets ACKAccounting to TRUE.
|
CSCdw67893
|
Error loading second service with DNS timer via script
Conditions: Under certain circumstances, loading a second LDAP server with the DNSLookupAndLDAPRebindInterval parameter set using the -f option of aregcmd will cause the RADIUS server to crash.
Symptoms: The response to aregcmd is 401 Unable to access server.
Workaround: Manually restart the server using the start command, or configure additional LDAP servers manually.
|
CSCdw86578
|
EAP with userservice set to a RADIUS proxy crashes
Symptoms: After setting the UserService to an EAP service to reference a RADIUS service, the server cores on any packet processed by the EAP service.
Conditions: Either an EAP-LEAP or EAP-MD5 conversation starts. The EAP service references a RADIUS service to proxy the packet to another server. This causes AR to core when the server begins to process the packet.
Workaround: None
|
CSCdx03064
|
Cisco-avpair with tag gives core instead of Validation failed
Symptoms: When cisco-avpair with a tag number is configured in the Profile attributes, AR gives a core instead of a validation failure.
Conditions: Adding a tagged cisco-avpair to the Profile attributes.
Workaround: cisco-avpair_tag1 is not supported; use only cisco-avpair.
|
CSCdx27477
|
32 bit sub attributes are not validated
Symptoms: The administrator can add a 32-bit subattribute using an attribute number higher than (2^32)-1.
Conditions: Validation does not correctly find this configuration error and the server may not work properly.
Workaround: Remove the offending attribute or correct the configuration.
|
CSCdx28240
|
No Validation for many properties and object under /radius/advanced
Symptoms: Invalid values may be configured into /Radius/Advanced properties.
Conditions: Validation does not work for these properties. Reloading AR with the invalid values causes it to fail to start.
Workaround: Ensure that only valid values appear for each property.
|
CSCdx29529
|
Unable to reload AR after sending an EAP Identity response packet
Symptoms: AR does not correctly reload after processing EAP packets.
Conditions: You configure AR to process EAP packets. On the next aregcmd reload command, the server hangs and requires a Ctrl-C before you can issue another reload command.
Workaround: Use Ctrl-C after the reload command, then reload the server again.
|
CSCdx34244
|
Large number of Cisco vendor-specific attributes (VSA) is not replicated to slave
Symptoms: Replication fails after adding a large number of attributes to an MVA or a long SQL search string.
Conditions: Configure single master slave replication and add a large number of values to an MVA where the total number of characters for all values exceeds 255. The same can be done with a SQL search string over 255 characters.
Workaround: Make all modifications on the master, then perform a full resynchronization.
|
CSCdx36437
|
Packet pool leak after pool is full for a while
Symptoms: The server writes log messages which state that it has used all of its request buffers and is now dropping a request. The server therefore fails to process new incoming requests until it is restarted using arserver restart.
Conditions: Enough request packets are being sent to the server that network conditions cause the packet pool to be filled for a period of time. The network conditions that might cause this include speed of the hardware, response time of remote servers, retry interval of clients, and other network variables.
Workaround: Increase the packet pool size and modify network conditions to alleviate the packet flow problem. For example, try increasing the timeout intervals on clients.
|
CSCdx38777
|
aregcmd log has trouble with long strings
Symptoms: Extremely long strings entered in aregcmd (approximately 1024 or more characters) appear as invalid characters in aregcmd_log. The command still takes effect.
Conditions: A long string has been entered in aregcmd.
Workaround: There is no workaround, but note that the problem does not impact the configuration or operation of the server.
|
CSCdx39907
|
ODBC select does not see multi-row returns
Symptoms: The administrator configures a user in Oracle to pass back a number of RADIUS Attribute/Value pairs as multiple rows. However, AR sees only one row in the return set.
Conditions: User profile data is stored in ODBC, which returns in a multi-row format from the SQL select statement.
Workaround: Use a BLOB field in Oracle and a script in AR to parse the returned BLOB.
|
CSCdx41457
|
Server should not allow eap-sim service as UserService under eap-md5/leap
Symptoms: Services of type eap-sim are accepted as valid entries for the UserService property under eap-md5 and eap-leap services.
Conditions: eap-sim service is specified as UserService under eap-md5 and eap-leap services.
Workaround: Configure only non-eap services as UserService under eap-md5 and eap-leap services.
|
CSCdx43670
|
ODBC connections do not close with each reload
Symptoms: AR complains that it's out of file handles for ODBC data connections on reload.
Conditions: Administrator reloads the server using aregcmd. The existing ODBC connections should close at this point, but it seems they do not.
Workaround: Completely reload the server using: arserver restart
|
CSCdx51895
|
ODBC RADIUS packet not processed when Null valued column is queried
Symptoms: RADIUS packet will not be processed by Cisco Access Registrar when ODBC remoteserver's SQL is set to query a null valued column.
Conditions: Set ODBC remoteserver's SQL to query a Null value column.
Workaround: None
|
CSCdx51985
|
ODBC RADIUSMappings not done for more than one attribute
Symptoms: ODBCRadiusToMapping will not work when the column name is configured in upper case.
Conditions: When column name is configured in upper case under ODBCToRadiusMapping.
Workaround: Configure the column name in lower case under ODBCToRadiusMapping.
|
CSCdx52688
|
ODBC logs an error message at startup: SQLFetch() failed
Symptoms: ODBC logs an error message at startup:
"ODBC client SQLFetch() failed"
Conditions: When sql string is given with more than password attribute.
Workaround: None.
|
CSCdx55196
|
Cisco specific Traps not working when AR start/stop/restart
Symptoms: Cisco specific traps not generated
Conditions: Do the following to the Cisco AR server: reload, restart, stop, then start
Workaround: None
|
CSCdx56952
|
Cache contents are lost when any property is changed under eap-sim
Symptoms: Cache contents are lost and re-initialized when there is a property change or reload of AWACS. This will result either in requesting new triplets from ITP if the triplet cache is lost or in Access-Rejects with the reason "Authenticator not available" if the authenticator cache is lost.
Conditions: When any property under Services/<servicename> or at /Radius level is changed or when AWACS is reloaded.
Workaround: None.
|
CSCdx59748
|
Problem in deleting remote-server, AR replication fails.
Symptoms: In a replicated environment, AR member server does not reload or start when a replication involving an elided index object arrives at the member site, from the master.
If the replicated indexed object is a hot-configured object, the problem appears immediately after the replicated changes have been committed to the member database. The changes made to the master site after this shall not be replicated to the affected member site.
If it is not a hot-configured object, the issue doesn't appear until a reload or start via aregcmd or a restart of the server. Replication shall continue till the next hot configured object comes to the member site.
Examples of indexed objects afflicted by this issue include the following:
1. RemoteServers configured under a Service
2. ResourceManagers configured under a SessionManager
3. Services configured under a GroupService
name_radius_1_log for case 1 could contain something like the following:
05/27/2002 5:34:42 name/radius/1 Error Configuration 0 Internal Error in
/Services/nest/RemoteServers/: Required property server2/Server did not exist
05/27/2002 5:34:42 name/radius/1 Error Configuration 0 Error in property
//servers/name/radius/1/providers/provider1: Provider Created Was Invalid:
"Default". Reverting To Original Provider Configuration
05/27/2002 10:02:13 name/radius/1 Info Server 0 Stopping Server
name_radius_1_log for case 2 could contain something like the following:
05/27/2002 10:17:09 name/radius/1 Error Configuration 0 Internal Error in
/Radius/SessionManagers/session-mgr-1/ResourceManagers/: Required property
resourcemanager3/ResourceManager did not exist
name_radius_1_log for case 3 could contain something like the following:
05/28/2002 5:15:46 name/radius/1 Error Configuration 0 Error in property
//servers/name/radius/1/providers/provider1: Provider Created Was Invalid:
"Default". Reverting To Original Provider Configuration
Conditions: In a replicated environment, when an indexed object is elided via delete from an object in the master, the replication to the member corrupts the database and prevents the member from further processing.
Workaround: Use unset instead of delete to remove the indexed object in question. If the indexed object has already been deleted, do a full manual resynchronization from the master.
|
CSCdx63195
|
DevicePassword not checked for VPI/VCI authentication
Symptoms: Cisco AR does not reject a password when the incorrect DevicePassword is used.
Conditions: Cisco AR has been set up to use VPI/VCI authentication, but the wrong shared secret or DevicePassword is in the configuration. AR happily translates the user name when the DeviceName matches, regardless of the DevicePassword.
Workaround: None
|
CSCdx64313
|
Upgrading Cisco AR from a version prior to version 1.7 will not import SNMP MCD bits
Symptoms: After upgrading from a version of Cisco AR prior to 1.7, such as Cisco AR 1.6, SNMP will not start.
Conditions: Cisco AR was upgraded and the administrator wants to use SNMP. However, the upgrade scripts do not add the MCD bits to start the SNMP daemon.
Workaround: Using the text in the MCD enclosure, use the command: mcdadmin -sli <filename>
|
CSCdx68361
|
aregcmd password sent in the clear
Symptoms: aregcmd sends most of its data in clear text.
Conditions: During login, while traversing the configuration tree, or while changing any configuration, the data sent from aregcmd is in clear text. A hacker could snoop the wire and get passwords during login from a remote system. The only things encrypted are fields that are shown as <encrypted>, such as user passwords.
Workaround: None
|
CSCdx71752
|
Tunnel-Password not re-encrypted properly when proxied
Symptoms: When Cisco AR is used as a proxy server, the downstream proxy sends back tunnel attributes from RFC 2868. However, the client shows garbage characters after decryption.
Conditions: Cisco AR is used as a proxy server. Some or all of the servers that Cisco AR proxies to send back RFC 2868 tunnel attributes, namely the tunnel-password. This attribute must be decrypted and re-encrypted using the appropriate shared secrets.
Workaround: None
|
CSCdx76512
|
Cannot rename users
Symptoms: The administrator changed a user name by setting the Name attribute of the user record. On the save, aregcmd gives a 310 error with no other info in the logs.
Conditions: Rename a user like this in aregcmd: set Name NewName
Workaround: Delete the old user and create a new one. However, this loses the user password.
|
CSCdx77270
|
ODBC retrieves wrong values from Oracle DB
Symptoms: In ODBC configuration, the values retrieved from a NUMBER field by SQL query are different from the original values stored in the table. When the profile_id for a user is stored as 1000 in the table, the retrieval value for the same is 1000.000000000000.
Conditions: Configure the ODBC service with a RADIUS or checkitem mapping.
Workaround: None (unless it's possible to change the column to type string).
|
CSCdx79284
|
Shutting down a server with busy remote servers can core
Symptoms: The server occasionally creates a core file while being shut down or reloaded.
Conditions: The server has forwarded one or more requests to external RADIUS servers and is waiting for a response.
Workaround: Wait until the server is not waiting for a response to forwarded requests.
|
CSCdx85562
|
Failover outagepolicy in ODBC service should not require reload
Symptoms: The failover outage policy in an ODBC service does not switch over automatically from the off-line remoteserver to the next configured ODBC remoteserver.
Conditions: Configure an ODBC service with two or more ODBC remote servers.
Workaround: Reload the Cisco AR server.
|
CSCdx86632
|
Cisco AR proxies an invalid Tunnel-Password when CHAP-Password is used
Symptoms: Cisco AR sends an invalid encrypted Tunnel-Password to NAS when the access-request packet contains CHAP-Password but without CHAP-Challenge attribute.
Conditions: Cisco Access Registrar server is used as a proxy and a user is configured with tunnel-password attribute in the remote server.
Workaround: Use Chap-Challenge attribute along with CHAP-Password.
|
CSCdy00219
|
aregcmd does not allow a configuration without service and client
Symptoms: Cisco AR does not allow a configuration to be saved without adding any service and client.
Conditions: If the configuration is being modified for the first time and no service or clients are added to it, aregcmd refuses to save the modified configuration.
Workaround: Include at least one service and one client.
|
CSCdy02503
|
Replication of Translationgroup not done properly
Symptoms: The translationgroup object is not replicated to the slave along with the indexed translation object.
Conditions: Configure single master and slave replication and add a translation object and a translationgroup object to the master.
Workaround: None
|
CSCdy06347
|
Adding an LDAP remote server with all arguments on one line fails
Symptoms: Adding an LDAP remoteserver with all the property values passed as command line parameters under /Radius/RemoteServers gives a validation failed error message in aregcmd.
Conditions: Add an LDAP remote server object with all the arguments passed on the same line under /Radius/RemoteServers.
Workaround: Set the LDAP remote server properties after issuing the command cd /Radius/RemoteServers/ladpRemoteServer
|
CSCdy09191
|
ACHECK fails for service grouping of session services
Symptoms: Cisco AR stops processing packets and a core file appears in $INSTALLPATH.
Conditions: The session service is configured to use a service grouping of multiple session services.
Workaround: None.
|
CSCdy09926
|
Cisco AR cores when two services use the same userlist for AA
Symptoms: Cisco AR restarts while processing the packets and a core file appears in the installation directory.
Conditions: Authentication Service and Authorization service are different with type Local and use the same userlist or different userlists (the user should exist in these userlists).
Workaround: None
|
CSCdy10934
|
EAP-MD5 is not functional
Symptoms: EAP-MD5 is not functional
Conditions: When EAP-MD5 is used for authentication with real devices.
Workaround: None
|
CSCdy15869
|
Dynamic properties not working for individual users
Symptoms: If a dynamic name is used for a user's authentication or authorization script, or for a user group's authorization script, the dynamically determined name will not be used.
Conditions: Dynamically determined names for a user's authentication and authorization scripts and for a user group's authorization scripts do not work.
Workaround: None.
|
CSCdy17156
|
Cisco Access Registrar server cores after receiving Accounting-stop if continued session has different NAS
Symptoms: Cisco Access Registrar server cores occasionally.
Conditions: The product may core if IPX resource management and 3G wireless features are used simultaneously.
Workaround: Do not use IPX resource management if 3G wireless features are also in use.
|
CSCdy17363
|
The command ls -R <TAB> should give the list of objects in the present directory
Symptoms: ls -R <TAB> will not work in aregcmd.
Conditions: An administrator issues the command ls -R <TAB> inside aregcmd and expects the list of objects in the present directory to be displayed for selection.
Workaround: None
|
CSCdy18629
|
Setting an LDAP service to just authorize fails
Symptoms: Cisco AR rejects a user when LDAP is the user store.
Conditions: The LDAP service is on only the authorization service. A different service is on the authentication service.
Workaround: None
|
CSCdy22300
|
Authorization only ODBC service not doing environment mapping
Symptoms: Cisco AR does not do ODBC to environment mappings.
Conditions: The server is configured to use different services for authentication and authorization. The authorization service does ODBC to environment mappings.
Workaround: Use an ODBC to RADIUS mapping.
|
CSCdy22307
|
Authorization-only service asserts on NULL returns
Symptoms: Cisco AR cores during authorization.
Conditions: The server is configured to use different ODBC services on authentication and authorization. During authorization, the search key is not found in the RDBMS, which returns a NULL result and causes the server to core.
Workaround: Put a dummy record into the database to ensure a NULL return never occurs.
|
CSCdy23553
|
Cisco AR 1.7R3 core dumps when adding large userlist
Symptoms: Adding more than 65536 users with aregcmd causes segmentation fault.
Conditions: Only happens when more than 65536 users are added
Workaround: Issue save command after adding each user if userlist is longer than 65536 users.
|
CSCdy26403
|
Server asserts after accounting stop
Symptoms: The server stops processing packets for a short time and a core file appears.
Conditions: An accounting stop released a session with the server under load. There are no known controlled steps to reproduce this error.
Workaround: None
|
CSCdy30737
|
Send State attribute only if Termination-Action was set (1)
Symptoms: The state attribute appears in the access-accept when the termination-action attribute is not set to RADIUS-request.
Conditions: The server does this automatically and cannot be turned off. This behavior is not RFC 2865 compliant.
Workaround: Create a script that is able to remove the state attribute.
|
CSCdy31628
|
Cisco AR cores on reload when first java extension script is configured
Symptoms: Cisco AR cores on reload when a java extension script is configured for the first time.
Conditions: Add a java extension script in AR for the first time.
Workaround: None.
|
CSCdy33048
|
Cisco AR asserts when objects are modified while RADIUS packets are being processed
Symptoms: Cisco AR assertion fails when aregcmd objects are modified while the Cisco AR server is processing RADIUS packets.
Conditions: Configure a remote server and a service of type RADIUS and take the remote server off line. Send access-request packets and, at the same time, modify any user's properties and save.
Workaround: After adding or modifying an object, reload the server after saving.
|
CSCdy43797
|
Security Issue: CERT advisory CA-2002-25 Integer Overflow in XDR
See http://www.cert.org/advisories/CA-2002-25.html
|
CSCdy53733
|
Cisco AR does not reconnect to Oracle
Symptoms: Cisco AR does not reestablish a broken connection to an Oracle database.
Conditions: Due to a network or other condition, the Oracle connection established through Cisco AR server's ODBC configuration is lost.
Workaround: Reload Cisco AR to re-establish the Oracle connection.
|
CSCdy57104
|
Java example accounting script causes core when not initialized
Symptoms: RADIUS cores when the example Java accounting script is created but not initialized, saved and reloaded.
Conditions: The example Java accounting script is not initialized.
Workaround: Specify initialization parameter when creating the service.
|
CSCdy66900
|
LEAP authentication asserts server
Symptoms: During LEAP authentication, a core file appears in $INSTALL.
Conditions: The network is doing LEAP authentication.
Workaround: None
|
CSCdy70256
|
Incorrect time stamps for accounting records during DST rollover
Symptoms: During Daylight Savings Time (DST) rollover, Cisco AR server uses the past time stamps while writing accounting records. For example, when DST rollover occurs on April 7 from 2am to 3am, accounting records still show 2am.
Conditions: DST rollover changes occur.
Workaround: Issue reload via aregcmd or restart the server.
|
CSCdy71515
|
Property values greater than 254 bytes are not replicated properly
Symptoms: We have seen symptoms ranging from CRC Mismatch to outright core files. Reloads may also have errors about a property, then reverting back to the original provider configuration.
Conditions: Replication is in use. A property value has been changed such that it is longer than 253 bytes. On the next reload, CRC mismatches and start problems appear in the log files. Also, the transaction files in the archive are not the same size. At the same time, it is possible to get an object called "/".
Workaround: None
|
CSCin09397
|
aregcmd gives ASSERTION failure on concurrent usage
Symptoms: The command aregcmd asserts.
Conditions: Two users are modifying the configuration using the aregcmd command. One user removes an object and saves the configuration, while another user modifies the object. An assertion occurs when the second user saves the configuration.
Workaround: Do not modify objects which have been deleted by administrators using aregcmd concurrently.
|
CSCin09816
|
The name of objects should not be allowed to set to /
Symptoms: The aregcmd command allows administrators to name objects with the forward slash character (/). It is not possible to edit these objects.
Conditions: Set an object's name to the forward slash character.
Workaround: Do not use the forward slash character in the name of an object.
|
CSCin10556
|
Cisco AR cores while setting huge value for DataBase
Symptoms: Reload of the server will fail.
Conditions: While adding a remote server of type odbc and inside DataSource setting a huge value to DataBase attribute.
Workaround: None
|
CSCin11474
|
Cisco AR cores after adding a new script object
Symptoms: The Cisco AR server restarts after adding a new script object and saving the configuration.
Conditions: Install Cisco AR and add a new script object in /Radius/Scripts, then save the configuration.
Workaround: None required.
|
CSCin12225
|
Deleting any object with complete path gives failure message
Symptoms: aregcmd gives an error message when an object is deleted with its complete path. The non-interactive mode of aregcmd also fails if the configuration contains the deletion of an object with its complete path.
Conditions: Deleting an object with its complete path deletes the object but gives an error message.
Workaround: None
|
CSCin12715
|
AscendIncomingScript goes into loop
Symptoms: AscendIncomingScript goes into loop and ends with fork failed due to unavailability of memory.
Conditions: Set Client vendor type as Ascend and send an access-request packet with CDMA-HA-Ip-addr attribute.
Workaround: None
|
CSCin13117
|
Replication fails while adding a user with attributes and checkitem
Symptoms: The user object will not be replicated, and the slave will try to resynchronize and fail continuously.
Conditions: Configuring replication and adding a user object with attributes or checkitems configured in it.
Workaround: None
|
CSCin14265
|
Cisco AR fails while changing the name of RADIUS IncomingScript
Symptoms: Cisco AR drops packets, without giving an error, when the name of the script configured as the RADIUS IncomingScript is changed.
Conditions: Configure a built-in script as an IncomingScript and change the configured script's name under /Radius/Scripts.
Workaround: None
|
CSCin14612
|
UseLocalTimeZone should also be used for RolloverSchedule
Symptoms: Accounting service property UseLocalTimeZone is not used to do rollover based on UTC when the property is set to FALSE. It still rolls over at localtime, however the file names use UTC timing for their naming when the property is set to FALSE.
Conditions: Configure the Rollover schedule to occur in UTC time or Local time.
Workaround: None
|
CSCin15200
|
Changing Reply Messages is not working with ODBC
Symptoms: For invalid user, the default reply message 'Access Denied' will come in access-reject packet.
Conditions: Configuring the Reply Message for UnknownUser is not working with ODBC.
Workaround: None
|
CSCin16358
|
Cisco AR accepts service of type local as DefaultSessionService
Symptoms: Cisco AR will not give validation error or warning, while setting the service of type 'local' as DefaultSessionService.
Conditions: Set the service of type 'local' as DefaultSessionService
Workaround: None
|
CSCin17345
|
Unsetting attribute deletes user from slave during replication
Symptoms: Replication deletes user from slave when attribute or checkitem was unset in the user object at the master.
Conditions: When attribute or checkitem in the user object was unset at the master.
Workaround: Set any property in the user object before saving at the master.
|
CSCin17380
|
Login command gives segmentation fault
Symptoms: aregcmd exits, while issuing the login command with cluster and without username and password.
Conditions: Issuing the login command without username and password.
Workaround: None
|
CSCin18761
|
Cisco AR should reject Access-Requests that do not contain any NAS information
Symptoms: Cisco AR will not reject Access-Request packets that don't have NAS-IP-Address and NAS-Identifier attributes. These packets are processed by the Cisco AR server as normal packets. But RFC 2865 enforces the presence of either or both of these attributes in Access-Request packets.
Conditions: The Cisco AR server receives an Access-Request packet without NAS-IP-Address and NAS-Identifier attributes.
Workaround: Use an extension point script at the server incoming script scripting point that checks for the presence of either of these attributes in the Access-Request packet and reject the packets that don't have any of these attributes.
|
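The check described in the CSCin18761 workaround, written as a standalone Python function over raw packet bytes. This is an added example, not Cisco AR extension-point code: the function names, the three decision strings and the sample packets are assumptions constructed here, and only the attribute numbers (NAS-IP-Address = 4, NAS-Identifier = 32) come from RFC 2865.

```python
import struct

ACCESS_REQUEST = 1
NAS_IP_ADDRESS = 4    # RFC 2865 section 5.4, value is exactly 4 octets
NAS_IDENTIFIER = 32   # RFC 2865 section 5.32, value is at least 1 octet


class MalformedPacket(ValueError):
    """Raised when the header or an attribute length is inconsistent."""


def parse_radius(packet: bytes):
    """Return (code, [(attr_type, value), ...]) for one raw RADIUS packet."""
    if len(packet) < 20:
        raise MalformedPacket("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise MalformedPacket("Length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:  # octets beyond Length are padding and are ignored
        if pos + 2 > length:
            raise MalformedPacket("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise MalformedPacket("attribute length out of bounds")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def has_nas_info(attrs) -> bool:
    """True if a well-formed NAS-IP-Address or NAS-Identifier is present."""
    for attr_type, value in attrs:
        if attr_type == NAS_IP_ADDRESS and len(value) == 4:
            return True
        if attr_type == NAS_IDENTIFIER and len(value) >= 1:
            return True
    return False


def incoming_decision(packet: bytes) -> str:
    """Return 'drop' (malformed), 'reject' (no NAS info) or 'process'."""
    try:
        code, attrs = parse_radius(packet)
    except MalformedPacket:
        return "drop"
    # Only Access-Request is covered here, as in the anomaly description.
    if code == ACCESS_REQUEST and not has_nas_info(attrs):
        return "reject"
    return "process"


def build_packet(code, attrs, ident=1, authenticator=bytes(16)):
    """Assemble a packet for the constructed samples below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


# Constructed sample packets (documentation address range, made-up names).
USER_NAME = (1, b"alice")
SAMPLES = {
    "no_nas": build_packet(ACCESS_REQUEST, [USER_NAME]),
    "nas_ip": build_packet(ACCESS_REQUEST,
                           [USER_NAME, (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]),
    "nas_id": build_packet(ACCESS_REQUEST,
                           [USER_NAME, (NAS_IDENTIFIER, b"nas01.example")]),
    "empty_nas_id": build_packet(ACCESS_REQUEST,
                                 [USER_NAME, (NAS_IDENTIFIER, b"")]),
    "truncated": build_packet(ACCESS_REQUEST,
                              [USER_NAME, (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])[:-2],
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13s} -> {incoming_decision(pkt)}")
```

An empty NAS-Identifier is treated as absent, so a sender cannot satisfy the check with a zero-length attribute.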
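CSCdx71752 above says a proxied Tunnel-Password must be decrypted and re-encrypted with the appropriate shared secrets. The following added example (not Cisco AR code) implements the RFC 2868 section 3.5 hiding scheme in Python and shows why a value forwarded unchanged cannot be recovered by the client. The function names, secrets and authenticators are constructed for illustration, and the value handled is the Salt plus String part of the attribute, with the Tag octet already stripped.

```python
import hashlib
import os

BLOCK = 16
MAX_PASSWORD = 239  # 253-octet value - Tag - 2-octet Salt, 16-octet blocks, length octet


def _xor_chain(data, secret, request_auth, salt, decrypt):
    """b(1) = MD5(S + R + A), b(i) = MD5(S + c(i-1)); XOR each block with b(i)."""
    out, prev = b"", request_auth + salt
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, pad))
        out += result
        prev = block if decrypt else result  # the chain always runs on ciphertext
    return out


def fresh_salt() -> bytes:
    """Two random octets with the most significant bit set, as RFC 2868 requires."""
    raw = os.urandom(2)
    return bytes([raw[0] | 0x80, raw[1]])


def encrypt_tunnel_password(password, secret, request_auth, salt=None) -> bytes:
    """Return Salt + String for one hop, keyed on that hop's secret and authenticator."""
    salt = salt or fresh_salt()
    if len(request_auth) != 16 or len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("bad Request Authenticator or Salt")
    if len(password) > MAX_PASSWORD:
        raise ValueError("password does not fit in one attribute")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % BLOCK)
    return salt + _xor_chain(plain, secret, request_auth, salt, decrypt=False)


def decrypt_tunnel_password(value, secret, request_auth) -> bytes:
    """Recover the password from Salt + String, or raise ValueError."""
    salt, cipher = value[:2], value[2:]
    if len(salt) != 2 or not cipher or len(cipher) % BLOCK:
        raise ValueError("malformed Tunnel-Password value")
    plain = _xor_chain(cipher, secret, request_auth, salt, decrypt=True)
    if plain[0] > len(plain) - 1:
        raise ValueError("length octet exceeds data: wrong secret or authenticator")
    return plain[1:1 + plain[0]]


def reencrypt_for_client(value, upstream_secret, upstream_auth,
                         client_secret, client_auth, salt=None) -> bytes:
    """What a proxy has to do with the attribute it received from upstream."""
    password = decrypt_tunnel_password(value, upstream_secret, upstream_auth)
    return encrypt_tunnel_password(password, client_secret, client_auth, salt)


def client_view(value, client_secret, client_auth):
    """What the NAS recovers; None when the length check fails."""
    try:
        return decrypt_tunnel_password(value, client_secret, client_auth)
    except ValueError:
        return None


# Constructed values: one secret and authenticator per hop.
UPSTREAM_SECRET = b"constructed-upstream-secret"
CLIENT_SECRET = b"constructed-client-secret"
UPSTREAM_AUTH = bytes(range(16))      # authenticator of the proxy's forwarded request
CLIENT_AUTH = bytes(range(16, 32))    # authenticator of the NAS's original request
PASSWORD = b"constructed-tunnel-pw-01"

if __name__ == "__main__":
    from_upstream = encrypt_tunnel_password(PASSWORD, UPSTREAM_SECRET, UPSTREAM_AUTH)
    print("forwarded unchanged:", client_view(from_upstream, CLIENT_SECRET, CLIENT_AUTH))
    fixed = reencrypt_for_client(from_upstream, UPSTREAM_SECRET, UPSTREAM_AUTH,
                                 CLIENT_SECRET, CLIENT_AUTH)
    print("re-encrypted:       ", client_view(fixed, CLIENT_SECRET, CLIENT_AUTH))
```

The keystream depends on both the shared secret and the Request Authenticator of the matching Access-Request, so a proxy needs both values for each hop.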
Anomalies Fixed in Cisco Access Registrar 3.0R0
This section lists and describes the anomalies from previous versions of Cisco AR that have been fixed in Cisco Access Registrar 3.0R0.
Table 17 Anomalies Fixed in Cisco AR 3.0R0
Bug
|
Description
|
CSCdv46401
|
ReplSalve fails to restore configurations when Error in provider
Symptoms: The user added a new object, which was replicated. The member server attempts to hot-configure the new object, but fails to do so with an assertion error. The server appears not to start correctly.
Conditions: In a replication network, the member could not revert to a previous known good configuration after detecting a bad transaction.
Workaround: Follow resynchronization instructions completely.
|
CSCdw73875
|
Completion for numbered options does not work
Symptoms: Command completion does not work for list of ordered objects or the ports list.
Conditions: The administrator is trying to use command completion on a list of ordered objects or the ports list.
Workaround: Fully type out the command or enough of it for an unambiguous match (standard 1.x method).
|
CSCdw73934
|
Completion for IP addresses and ports does not work
Symptoms: Command completion does not work for IP addresses or ports in /Radius/Advanced.
Conditions: Administrator is trying to use command completion on the IP address or ports list in /Radius/Advanced.
Workaround: Fully type out the command or enough of it for an unambiguous match (standard 1.x method).
|
CSCdw85663
|
Validate does not notice EAP without a Userservice
Symptoms: Cisco AR does not operate correctly with an EAP service
Conditions: The EAP service was defined without a UserService set. This is an illegal configuration that validation does not find.
Workaround: Ensure that a UserService is set.
|
CSCdx08900
|
Removing /radius/incoming or /radius/outgoing scripts are not hot configured
Symptoms: Removing configured /radius/incoming or /radius/outgoing scripts are not detected by the hot-config.
Conditions: When /radius/incomingscript or /radius/outgoing is removed, hot-config does not recognize the change.
Workaround: Perform a reload.
|
CSCdx11073
|
Null value for Cisco-AVPair is not validated
Symptoms: Null value for Cisco-AVPair is not validated.
Conditions: When Cisco-AVPair is set to a null value (""), validation passes and the null value is saved successfully. The server fails on reload.
Workaround: Unset Cisco-AVPair instead of setting it to a null value, save and reload.
|
CSCdx13096
|
Cannot install Cisco AR to /CSCOar and use SNMP
Symptoms: After installing AR to /AICar1 and enabling SNMP, the server starts in the stopped state.
Conditions: The customer installed AR into the root directory (such as /AICar1) and enabled SNMP. On the next server reload, the server is stopped and the SNMP master agent is not running.
Workaround: Install in a subdirectory, such as the default /opt/CSCOar.
|
CSCdx15867
|
pkgadd request script has improper check for non-supported OS
Symptoms: pkgadd fails on an unsupported Solaris version without giving the option to continue.
Conditions: You are trying to install Cisco AR on an unsupported OS, such as Solaris 9, and it doesn't ask you if you want to continue.
Workaround: Modify the request script in CSCOar/install, line 55, by replacing the 2 instances of 5 with a 2.
|
CSCdx20901
|
No log messages for ODBC remoteserver connection successful
Symptoms: No log message to indicate a successful connection
Conditions: Configure the 'odbc' remoteserver correctly and perform a reload
Workaround: None
|
CSCdx23369
|
No validation for Port under replication member object
Symptoms: No validation for Port property under /Radius/Replication/Rep Members/<rep member name>.
Conditions: Add a new replication member with port property set to ""(NULL) or a string value like "cisco" and do a validate. Validation won't catch this.
|
CSCdx23947
|
RADIUS server dies during test resourceAR-test
Symptoms: Cisco AR cores when a packet triggers the use of the AscendIncomingScript script.
Conditions: A client's vendor property is set to Ascend and any packet appearing from that client causes AR to core.
Workaround: Use the Cisco vendor.
|
CSCdx26222
|
query-sessions causes 401 and sometimes cores
Symptoms: There is a 401 error in aregcmd after running the query-sessions command. Sometimes there is also a RADIUS core.
Conditions: Default configuration, keep under load for 1-5 minutes, use the customer's packet simulator.
Workaround: Use release-sessions to clear the session table. Of course, the drawback is that the managed resources are released.
|
CSCdx46297
|
Environment dictionary cannot handle strings greater than 200 bytes
Symptoms: Values of an environment variable are truncated.
Conditions: An environment variable is used to store information either within the script or from a mapping via LDAP or ODBC.
Workaround: If possible, try to split the value into smaller chunks.
|
CSCdx48001
|
ODBC environment mapping drops last character
Symptoms: Reading an environment variable in a script set via an ODBC mapping provides a value that is truncated by at least one character.
Conditions: The administrator has configured AR to perform ODBC to environment mappings. When a script goes to read the variable, the value is truncated by at least one character.
Workaround: None
|
CSCdx51895
|
ODBC RADIUS packet is not processed when Null valued column is queried
Symptoms: RADIUS packet will not be processed by AR when ODBC remoteserver's SQL is set to query a null valued column.
Conditions: Set ODBC remoteserver's SQL to query a Null value column.
Workaround: None
|
CSCin05400
|
The Replication not happening when Maxfileage is set as 1D
Symptoms: When the Maxfileage is set as 1D in the accounting service the Replication is not happening. The slave is giving CRC error message.
Workaround: Set the MaxFileAge as "1 Day"
|
CSCin06732
|
Should not allow / as Cisco AR install directory
Symptoms: Cisco AR will not work when the install directory is given as "/".
Conditions: When install directory is selected as "/".
Workaround: Select a sub-level directory as the install directory, like /opt/CSCOar.
|
CSCin08237
|
Adding service while processing packet with group service cores
Symptoms: When adding a new service while RADIUS is processing a packet with group service the core file is generated.
Workaround: None
|
Known Problems in Solaris 8
This section provides information about known problems with the Solaris 8 operating system or environment that could affect your Sun server's operating capabilities.
Buffer Overflow in Multiple DNS Resolver Libraries (CERT Advisory CA-2002-19)
This defect is a problem with the Solaris Operating Environment and not with the Cisco Access Registrar source code. The fix will be available from Sun since Cisco Access Registrar does not have device control over the Solaris Operating Environment. For more information about this problem including symptoms, conditions, and workaround, refer to the following:
A buffer overflow vulnerability exists in multiple implementations of DNS resolver libraries. Operating systems and applications that utilize vulnerable DNS resolver libraries may be affected. A remote attacker who is able to send malicious DNS responses could potentially exploit this vulnerability to execute arbitrary code or cause a denial of service on a vulnerable system.
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46042&zone_32=category%3Asecurity
Sun is expected to provide an official Solaris patch to correctly repair this defect in the near future.
Systems affected: applications using vulnerable implementations of the Domain Name System (DNS) resolver libraries, which include, but are not limited to:
• Internet Software Consortium (ISC) Berkeley Internet Name Domain (BIND) DNS resolver library (libbind)
• Berkeley Software Distribution (BSD) DNS resolver library (libc)
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note
Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
• Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
• The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://cisco.com/univercd/cc/td/doc/pcat/
• Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/packet
• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Copyright © 2002, 2003, 2004 Cisco Systems, Inc. All rights reserved.