Table Of Contents
Release Notes for Cisco Access Registrar, 4.1
Contents
New Features
New Features In Cisco AR 4.1.5
Phantom Session Determination
Multiple Source Port Proxy
Reader Thread Priority Tuning
Enhanced Logs to Include Milliseconds Field
Support of Binary LDAP Passwords
Incoming Traffic Throttling
Backing Store Parsing Tool
Suppression of a Specific Log Message
Addressed the Server Freeze Problem
New Properties in Cisco AR 4.1.5
New Features In Cisco AR 4.1.4
Query-Notify Enhancement
Session Memory Consumption Enhancement
XML Query Identity Enhancement
Backing Store Enhancement
Configurable Worker Threads Enhancement
Session Magic Number Enhancement
Policy Engine Enhancement To ExecRealmRule and ExecSuffixRule
WiMax Attribute Support
New Properties In Cisco AR 4.1.4
New Features In Cisco AR 4.1.3
Support for Solaris 10
New Properties In Cisco AR 4.1.3
New Options in car.conf File
New aregcmd Option
New Environment Variables
New Features In Cisco AR 4.1.2
Support for Red Hat Enterprise Linux, Version 4.0
Multiple LDAP Binds
Enhancements to arbug
New Features In Cisco AR 4.1.1
EAP-TTLS
Wireless Provisioning Service
Query-Notify
System Requirements
Full Installation
Client-Only Installation
Co-Existence With Other Network Management Applications
Solaris 8 Patch Requirement
Related Documentation
Cisco AR 4.1 Licensing
Licensed Features
Getting Cisco AR 4.1 Feature Licenses
Installing Cisco AR 4.1 Licenses
Upgrading Your Cisco AR 4.1 License File
Sample License File
Displaying License Information
aregcmd Command-Line Option
Launching aregcmd
Installing Cisco AR 4.1 Software on Solaris
Deciding Where to Install
Installing Cisco AR Software from CD-ROM
Installing Downloaded Software
Common Solaris Installation Steps
Configuring SNMP
RPC Bind Services
Installing Cisco AR 4.1 Software on Linux
Deciding Where to Install
Installing Cisco AR Software from CD-ROM
Common Linux Installation Steps
Configuring SNMP
Cisco AR Performance
General Performance
Cisco AR 4.1.4 on Solaris 10
Performance of Proxy Server with Local Database with Pruning
Cisco AR 4.1.5 on Solaris 9
EAP Performance
EAP-SIM
PEAP
EAP-TTLS
Caveats
Known Anomalies in Cisco AR 4.1.5
Anomalies Fixed in Cisco AR 4.1.5
Known Anomalies in Cisco AR 4.1.4
Anomalies Fixed in Cisco AR 4.1.4
Anomalies Fixed in Cisco AR 4.1.3
Anomalies Fixed in Cisco AR 4.1.2
Anomalies Fixed in Cisco AR 4.1.1
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for Cisco Access Registrar, 4.1
Revised: April 6, 2008, OL-8557-07
Cisco Access Registrar (AR) 4.1 provides RADIUS authentication, authorization, and accounting (AAA) services for service providers and enterprises. Cisco AR supports service provider deployment of access services by centralizing AAA information and simplifying provisioning and management.
Cisco AR is a standards-based Remote Authentication Dial-in User Service (RADIUS) and proxy RADIUS server designed for high-performance, extensibility, and integration with external data stores and systems.
Cisco AR supports a range of access technologies from traditional dial and broadband to wireless LANs and mobile wireless. Cisco AR supports the latest wireless authentication protocols such as Extensible Authentication Protocol and Protected EAP used in wireless LAN deployments. Cisco AR also is able to make real-time AAA requests to billing systems to support prepaid applications.
These release notes provide information about the 4.1.5 release of Cisco AR.
Note 
Cisco AR 4.1.5 can be used with Solaris 9, Solaris 10, or Red Hat Enterprise Linux 4.0 32-bit operating system using kernel 2.6.9-22.0.2.EL or later, and Glibc version: glibc-2.3.4-2.13 or later.
Releases of Cisco AR from the 4.1.4 version onwards do not support the Solaris 8 operating system.
Contents
This release note contains the following sections:
•New Features
•System Requirements
•Related Documentation
•Cisco AR 4.1 Licensing
•Installing Cisco AR 4.1 Software on Solaris
•Installing Cisco AR 4.1 Software on Linux
•Cisco AR Performance
•Caveats
•Obtaining Documentation, Obtaining Support, and Security Guidelines
New Features
The following sections describe new features in each release:
•New Features In Cisco AR 4.1.5
•New Features In Cisco AR 4.1.4
•New Features In Cisco AR 4.1.3
•New Features In Cisco AR 4.1.2
•New Features In Cisco AR 4.1.1
New Features In Cisco AR 4.1.5
Cisco AR 4.1.5 introduces these features:
•Phantom Session Determination
•Multiple Source Port Proxy
•Reader Thread Priority Tuning
•Enhanced Logs to Include Milliseconds Field
•Support of Binary LDAP Passwords
•Incoming Traffic Throttling
•Backing Store Parsing Tool
•Suppression of a Specific Log Message
•Addressed the Server Freeze Problem
•New Properties in Cisco AR 4.1.5
Phantom Session Determination
Phantom Session Determination feature enhances the performance of Cisco AR by releasing all phantom sessions and resources associated with those sessions. A new property, PhantomSessionTimeOut, is included under Session Manager configuration. You can enable this feature by configuring the PhantomSessionTimeOut property.
Note Sessions that do not receive an Accounting-Start packet are called phantom sessions.
Multiple Source Port Proxy
The Multiple Source Port Proxy feature in Cisco AR 4.1.5 provides a more reliable proxy mechanism that is free of congestion. Releases earlier than Cisco AR 4.1.5 used only one source port to communicate with all remote RADIUS servers. This feature allows remote servers to share and use multiple sockets and ports when making proxy requests. A new property, NumberOfRemoteUDPServerSockets, is included under /Radius/Advanced.
Reader Thread Priority Tuning
This Cisco AR release provides a more robust and reliable proxy mechanism by tuning the reader thread's priority. This increase in reader thread's priority compared to the worker, remote server, and other daemon threads facilitates the reader thread to read data immediately when a response arrives.
Enhanced Logs to Include Milliseconds Field
Cisco AR 4.1.5 logs now consist of a new millisecond field for greater accuracy. The log files that reflect this change are:
•Name_radius_1_log
•Name_radius_1_trace
•Agent_server_1_log
•Config_mcd_1_log
•Accounting logs
Support of Binary LDAP Passwords
This Cisco AR release supports binary password comparison for authentication using an LDAP server. A new property, UseBinaryPasswordComparison, is included under LDAP remoteserver configuration. This property, when set to TRUE, enables binary password comparison. By default, this property is set to FALSE (disabled).
Incoming Traffic Throttling
This release makes Cisco AR more resilient to traffic bursts by placing limits on the incoming traffic. Releases earlier than Cisco AR 4.1.5 had some performance issues caused by heavy incoming traffic. Two new properties, MaximumIncomingRequestRate and MaximumOutstandingRequests, are included under /Radius/Advanced. These properties can be configured to enable the Incoming Traffic Throttling feature and thus enhance performance.
Note You can enable either of these properties independent of the other.
To configure the MaximumIncomingRequestRate or MaximumOutstandingRequests property:
Step 1 Log in to aregcmd.
Step 2 Change directory to /Radius/Advanced.
Step 3 Set the MaximumIncomingRequestRate or MaximumOutstandingRequests property to nonzero value using these commands, respectively:
set MaximumIncomingRequestRate n
or
set MaximumOutstandingRequests n
where n is any nonzero value.
Step 4 Save the configuration; enter:
Step 5 Reload the server; enter:
Backing Store Parsing Tool
Cisco AR 4.1.5 introduces a new tool, carbs.pl, to parse session backing store files. Using this tool, you can:
•Get information on active, stopped, and stale RADIUS sessions.
•Clear phantom sessions manually.
•Process the binary log files and get information in a user-readable format.
Suppression of a Specific Log Message
Cisco AR 4.1.5 now blocks a specific log message from being printed thousands of times, thereby reducing the number of I/O operations involved in logging this message. A log message similar to the one suppressed is given below:
01/30/2008 3:32:26 name/radius/1 Error Server 0 Packet being dropped because Remote Server WAP_Gateway (A.B.C.D) has not responded in 1 tries, but Remote Server seems to still be active
This log message is not considered significant; however, this message is converted to a trace for you to optionally enable it.
Addressed the Server Freeze Problem
This release ensures that Cisco AR does not go into a frozen state when incoming traffic is heavy. Releases earlier than Cisco AR 4.1.5, when faced with heavy incoming traffic, go into a frozen state and take a long time to recover. This release also ensures that latency levels at higher transactions per second (tps) would be the same as or better than previous levels.
New Properties in Cisco AR 4.1.5
Five new properties have been introduced in Cisco AR 4.1.5:
•PhantomSessionTimeOut
•NumberOfRemoteUDPServerSockets
•MaximumIncomingRequestRate
•MaximumOutstandingRequests
•UseBinaryPasswordComparison
PhantomSessionTimeOut
PhantomSessionTimeOut property is found under Session Manager configuration, and when used in conjunction with /Radius/Advanced/SessionPurgeInterval, enables the phantom session timeout feature for Session Manager. The default value for this property is zero (disabled).
You can configure the PhantomSessionTimeOut property under Session Manager to release all phantom sessions and resources associated with those sessions when its timeout occurs.
For example, if the PhantomSessionTimeOut property is set to a value under a session manager, all sessions that belong to that session manager will be checked for receipt of an Accounting-Start packet. Sessions that do not receive an Accounting-Start packet from creation until its timeout will be released.
The PhantomSessionTimeOut value consists of a number and a units indicator, as in n units, where a unit is one of minutes, hours, days, or weeks.
NumberOfRemoteUDPServerSockets
NumberOfRemoteUDPServerSockets property is found under /Radius/Advanced. You can configure this property with the number of source ports to be used for making proxy requests to a remote server. The default value for this property is 4.
You can set a value n to the NumberOfRemoteUDPServerSockets property for all remote servers to share and use n sockets.
The value n should be less than or equal to the current process file descriptor limit divided by 2.
MaximumIncomingRequestRate
MaximumIncomingRequestRate property is found under /Radius/Advanced and provides you an option to limit incoming traffic in terms of "allowed requests per second". The default value for this property is zero (disabled).
For example, if you configure MaximumIncomingRequestRate to n, then at any given second, only n requests are accepted for processing. In the next second, another n requests are accepted for processing regardless of the status of the requests accepted earlier. This condition serves as a soft limit.
You can set the MaximumIncomingRequestRate property to any nonzero value.
MaximumOutstandingRequests
MaximumOutstandingRequests property is found under /Radius/Advanced and provides you an option to limit incoming traffic in terms of "requests processed". The default value for this property is zero (disabled).
For example, if you configure the MaximumOutstandingRequests to n, then n requests are accepted for processing. Further requests are accepted only after processing some of these requests and sending replies back. This condition serves as a hard limit.
You can set the MaximumOutstandingRequests property to any nonzero value.
UseBinaryPasswordComparison
UseBinaryPasswordComparison property is found under LDAP remoteserver configuration. This property when set to TRUE, enables binary password comparison for authentication using an LDAP server. By default, this property is set to FALSE.
New Features In Cisco AR 4.1.4
Cisco AR 4.1.4 introduces these enhancements:
•Query-Notify Enhancement
•Session Memory Consumption Enhancement
•XML Query Identity Enhancement
•Backing Store Enhancement
•Configurable Worker Threads Enhancement
•Session Magic Number Enhancement
•Policy Engine Enhancement To ExecRealmRule and ExecSuffixRule
•WiMax Attribute Support
•New Properties In Cisco AR 4.1.4
Query-Notify Enhancement
The Query-Notify feature has been enhanced in Cisco AR 4.1.4 to update the session cache with the attribute-value pairs of an interim Accounting-Update packet. This enhancement ensures that the most recent information is provided to the WAP gateway during the proxy of interim records or a query of the session cache.
Session Memory Consumption Enhancement
The session memory consumption enhancement significantly reduces the memory consumed per session record with session management including identity caching sessions. This enhancement has enabled the Cisco AR server to accommodate 50-60% more sessions without increasing server memory.
Note If EnableNotifications is set to TRUE in the client, the sessions created from that client will occupy the same amount of memory as in previous versions of Cisco AR.
XML Query Identity Enhancement
When deployed as an Identity Cache Engine (ICE), the Cisco AR server supports User-Name lookup based on the Framed IP address of an existing session. The XML Query Identity enhancement enables Framed IP address lookup based on the User-Name in an existing session.
The XML Query Identity enhancement requires changes to the original ICE configuration. The following example shows how to enable the XML Query Identity enhancement.
Configuring Identity Caching
To configure identity caching:
Step 1 Launch aregcmd.
Step 2 Define a client object for each client that will send either RADIUS or XML packets to the Cisco AR server performing identity caching.
There should be one client object for each GGSN, one for each CSM and one for each packet simulator (if used in a test environment).
For example, if a packet simulator will be used on the same server where you perform identity caching, add a client object as in the following:
cd /Radius/Clients
add xml-client
cd xml-client
[ //localhost/Radius/Clients/xml-client ]
This client object is very similar to the localhost object defined in the example configuration. The SharedSecret property will be ignored if the client is an XML client, but still must be set to a non-null value. The Type property is also ignored for XML clients.
Step 3 Define a port object for each RADIUS port and each XML port to be used. Two RADIUS ports, the second immediately following the first in numeric value, must be defined even if only one is needed. A typical identity caching installation requires the following port configuration:
cd /Radius/Advanced/Ports
add 1645
add 1646
add 8080
Note Although ports 1645 and 1646 are the default ports for Cisco AR, you must add them to /Radius/Advanced/Ports to also add port 8080.
Step 4 Change directory to the 1645 port and set its type to Radius-Access.
cd /Radius/Advanced/Ports/1645
set Type Radius-Access
Step 5 Change directory to the 1646 port and set its type to Radius-Accounting.
cd /Radius/Advanced/Ports/1646
set Type Radius-Accounting
Step 6 Change directory to the 8080 port and set its type to XML.
cd /Radius/Advanced/Ports/8080
set Type XML
Step 7 Define and configure an accounting service of type file and set it as the DefaultAccountingService.
An accounting service is required for Cisco AR to cache identity information, even if no accounting service is needed otherwise. If you added the example configuration during installation, a local-file accounting service is already configured.
If you did not add the example configuration during software installation, refer to the following section in the RADIUS Accounting chapter of the User Guide for Cisco Access Registrar, 4.1:
Setting Up Accounting
Step 8 Define and configure a ResourceManager for identity caching.
cd /Radius/ResourceManagers
add cache
Step 9 Set the ResourceManager to type session-cache for identity caching.
cd cache
set type session-cache
The following shows the default properties of a session-cache ResourceManager:
[ //localhost/Radius/ResourceManagers/cache ]
OverwriteAttributes = FALSE
Step 10 Set the QueryKey to a RADIUS attribute you want to key on.
For example, use the following command to set the QueryKey to User-Name:
set QueryKey User-Name
The QueryKey must match the string on the right-hand side of one of the pairs you list in QueryMappings. It is not necessary for the QueryKey to be configured under AttributesToBeCached because the QueryKey will always be cached by default.
Note The QueryKey property must always be a RADIUS attribute. The Cisco AR server forces a NULL IP address (0.0.0.0) if it detects an incorrectly configured QueryKey.
Step 11 Change directory to AttributesToBeCached and use the set command to provide a list of RADIUS attributes you want to store in cache.
cd AttributesToBeCached
set 1 Calling-Station-ID
Set 2 User-Name
Set 3 Framed-IP-Address
The attributes a session-cache resource manager caches can be queried through both RADIUS Query and XML Query packets. When you cache attributes Framed-IP-Address or User-Name, or when you use XML-Address-format-IPv4 or XML-UserId-id_type-subscriber_id as the QueryKey, you must map the XML attributes to RADIUS attributes in the QueryMappings subdirectory.
Step 12 Change directory to QueryMappings and use the set command to list the attribute pairs, mapping the XML attributes on the left-hand side to the RADIUS attribute on the right-hand side.
set XML-Address-format-IPv4 Framed-IP-Address
set XML-UserId-id_type-subscriber_id User-Name
Step 13 Change directory to /Radius/SessionManagers and add a SessionManager for identity caching.
cd /Radius/SessionManagers
add IDcache
Step 14 Change directory to the new identity caching SessionManager, then change directory to the ResourceManager list.
cd IDcache/ResourceManagers
Step 15 Use the set command to associate the identity caching ResourceManager with this SessionManager.
set 1 cache
Step 16 Change directory to /Radius and set the DefaultSessionManager to the identity caching SessionManager.
cd /Radius
set DefaultSessionManager IDcache
Step 17 Run the save, reload, and exit commands:
save
reload
exit
Starting Identity Caching
To start identity caching, you must send an Accounting-Request to the specified accounting port (The default accounting port is 1646.) A minimal Accounting-Request will contain the following attributes:
•NAS-Identifier or NAS-IP-Address
•NAS-Port
•Framed-IP-Address
•User-Name
•Acct-Status-Type
•Acct-Session-Id
To start identity caching:
Step 1 Launch radclient:
cd /opt/CSCOar/bin
radclient -C localhost -N admin -P aicuser
Step 2 Enter the following radclient commands:
set p [ acct_request Start joeuser@cisco.com ]
$p set attrib [ attrib Framed-IP-Address 123.123.123.123 ]
$p send
This assumes that you are running radclient on the same server and using 1646 as the accounting port.
Step 3 Send XML requests to the specified XML port (Cisco suggests port 8080 as shown above). A typical XML packet will look like the following:
<UserId id_type="subscriber_id">bob</UserId>
To do this using xmlclient, put the XML text into a file, then enter the following command:
cd /opt/CSCOar/bin
./xmlclient -srd <file>
Note This assumes that xmlclient is running on the same server as identity caching and that 8080 is the XML port. Use the command xmlclient -H for information about how to use a different port or how to run xmlclient from a different server.
Note For a successful query, xml response will have the IPAddress associated with the requested user-name and for an unsuccessful query, it returns 0.0.0.0 as the IPAddress.
Backing Store Enhancement
In releases earlier than Cisco AR 4.1.3, a latency issue was detected that was caused by backend servers performing backing store log file pruning to reduce the number of log files while also performing regular persisting operations. Cisco AR 4.1.4 has been enhanced to separate these operations, and the pruning operation has been made more efficient.
Two properties have been added under /Radius/Advanced:
•SessionBackingStorePruneInterval
•PacketBackingStorePruneInterval
You can use these new properties under /Radius/Advanced to set the number of hours to wait before performing log file pruning and session packet pruning.
Configurable Worker Threads Enhancement
Cisco AR 4.1.4 provides a newly-configurable variable you can use to increase the number of worker threads to handle a greater number of RADIUS packets during peak operating periods. In releases earlier than Cisco AR 4.1.3, a latency issue was detected that was caused by the Cisco AR processing a greater number of RADIUS packets than expected during peak operating periods.
The variable, RADIUS_WORKER_THREAD_COUNT, is found in the arserver file under /cisco-ar/bin/arserver and controls the number of worker threads the Cisco AR server creates. You can increase the number of worker threads to help make more efficient use of the server's CPU.
Before you increase the setting for RADIUS_WORKER_THREAD_COUNT, you should be certain that you are running into a worker thread starvation issue. If you use scripts that consume a lot of processing and memory, you might run out of memory if you create too many worker threads. Increasing the number of worker threads also increases memory utilization.
The default value of RADIUS_WORKER_THREAD_COUNT for servers running a Solaris operating system is 256. The default value for servers running Red Hat Enterprise Linux is 64.
The purpose of this enhancement is to take advantage of spare CPU bandwidth, which was not being used in earlier releases of Cisco AR due to a lower number of worker threads. At times, the worker threads would be stuck doing work that took a long time to complete, like running a script. Having more threads will help mitigate these situations and will help improve on the latency created due to lack of free worker threads.
Note Before modifying the RADIUS_WORKER_THREAD_COUNT variable, consult with a TAC representative to ensure that modifying the RADIUS_WORKER_THREAD_COUNT is warranted. You should be certain you are running into a worker thread starvation issue before increasing this parameter.
To modify the RADIUS_WORKER_THREAD_COUNT variable:
Step 1 Log in to the Cisco AR server as a root user and change directory to /cisco-ar/bin.
Step 2 Use a text editor and open the arserver file.
Step 3 Locate the line with the RADIUS_WORKER_THREAD_COUNT variable.
#change this to configure number of worker threads
RADIUS_WORKER_THREAD_COUNT=256
Step 4 Modify the number of RADIUS worker threads to the number you choose.
Note There is no upper limit to the number of RADIUS worker threads you can enable in your Cisco AR server, but you should take care not to exceed your server's memory capacity.
Step 5 Save the file and restart the Cisco AR server.
Session Magic Number Enhancement
The session magic number is a unique number created for all sessions when the session is created or reused and the DetectOutOfOrderAccountingPacket property is set to TRUE in /Radius/Advanced. The DetectOutOfOrderAccountingPacket property is used to detect out-of-order Accounting-Stop packets in roaming scenarios by comparing the magic number value in the session with the magic number value contained in the Accounting packet.
The DetectOutOfOrderAccountingPacket property is the property used to turn on and turn off the session magic number feature.
When the DetectOutOfOrderAccountingPacket property is enabled, a new Class attribute is included in all outgoing Accept packets. The value for this Class attribute will contain the session magic number. The client will echo this value in the accounting packets, and this will be used for comparison.
The value of 0xffffffff is considered by the Cisco AR server to be a wild card magic number. If any accounting stop packets contain the value of 0xffffffff, it will pass the session magic validation even if the session's magic number is something else.
The format of the class attribute is as follows:
<4-byte Magic Prefix><4-byte server IP address><4-byte Magic value>
Policy Engine Enhancement To ExecRealmRule and ExecSuffixRule
Prior to Cisco AR 4.1.4, ExecRealmRule and ExecSuffixRule were interpreted as regular expression patterns and were evaluated accordingly. As of Cisco AR 4.1.4, ExecRealmRule and ExecSuffixRule now do a simple case insensitive comparison by default and optionally perform regular expression matching.
ExecRealmRule
Beginning with the Cisco AR 4.1.4 release, the Cisco AR server does a case-insensitive comparison of the value specified for the realm attribute for the realm of a user name.
With the Cisco AR 4.1.4 release, you can also specify a pattern using the following notation:
~/pattern/
Where pattern is a string of alpha-numeric characters that might include wild card characters, as in "@*cisco.com" to match patterns (realms) that end in cisco.com.
Note The question mark (?) should not be used without a character pattern preceding it. Specifying ? as the first character might have undesirable results. (For regexp terminology, the question mark should be preceded by an atom.)
The ExecRealmRule script checks the request packet for the Realm and applies the values set for the following attributes:
•Authentication-Service
•Authorization-Service
•Policy
ExecSuffixRule
Beginning with the Cisco AR 4.1.4 release, the Cisco AR server does a case-insensitive comparison of the value specified for the suffix attribute for the suffix of a user name.
With the Cisco AR 4.1.4 release, you can also specify a pattern using the following notation:
~/pattern/
Where pattern is a string of alpha-numeric characters that might include wild card characters, as in "@*cisco.com" to match patterns (realms) that end in cisco.com.
Note The question mark (?) should not be used without a character pattern preceding it. Specifying ? as the first character might have undesirable results. (For regexp terminology, the question mark should be preceded by an atom.)
WiMax Attribute Support
Cisco AR 4.1.4 provides support for the WiMax vendor-specific attributes (VSAs) listed in Table 1. The vendor ID for WiMax VSAs is 24757.
Table 1 lists the WiMax vendor-specific attributes.
Table 1 WiMax Vendor-Specific Attributes
Attribute Name
|
Type
|
Min/Max Value
|
Description
|
HA-IP-MIP4
|
IP Address
|
0-253
|
IP address of the HA making this request.
|
HA-IP-MIP6
|
IP Address
|
0-253
|
IP address of the HA making this request.
|
GMT-Time-Zone-Offset
|
String
|
0-253
|
Offset in seconds from GMT at the NAS.
|
NAP-ID
|
String
|
0-253
|
Indicates the operator ID of the NAP at the time the message was delivered.
|
NSP-ID
|
String
|
0-253
|
Operator ID of the NSP.
|
Hotline-Indicator
|
String
|
0-253
|
Indicates that the flow is hot lined.
|
BS-ID
|
String
|
0-253
|
Octet string that uniquely identifies the NAP-ID Base Station that is serving the MS at the time the UDR is generated.
|
See the following location for information about all VSAs by Cisco AR 4.1.4:
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/user/guide/a_attrib.html
New Properties In Cisco AR 4.1.4
Two new properties have been added to Cisco AR 4.1.4:
•SessionBackingStorePruneInterval
•PacketBackingStorePruneInterval
SessionBackingStorePruneInterval
SessionBackingStorePruneInterval is found under /Radius/Advanced and specifies the sleep time interval of the session backing store pruning thread. The recommended and default value is 6 hours, but you can modify this based on the traffic patterns you experience.
With SessionBackingStorePruneInterval set to 6 hours, pruning will occur 6 hours after you restart or reload the Cisco AR server and recur every 6 hours.
You can set a very low value for this property to make pruning continuous, but there might not be enough data accumulated for the pruning to occur and pruning might be less effective compared to the default setting.
PacketBackingStorePruneInterval
PacketBackingStorePruneInterval is found under /Radius/Advanced and specifies the sleep time interval of the packet backing store pruning thread. The recommended value is 6 hours, but you can modify this based on the traffic patterns you experience.
When PacketBackingStorePruneInterval is set to 6 hours, pruning will occur 6 hours after you restart or reload the Cisco AR server and recur every 6 hours.
You can set a very low value for this property to make pruning continuous, but there might not be enough data accumulated for the pruning to occur and pruning might be less effective compared to the default setting.
New Features In Cisco AR 4.1.3
Cisco AR 4.1.3 introduces these enhancements:
•Support for Solaris 10
•New Properties In Cisco AR 4.1.3
•New Options in car.conf File
•New aregcmd Option
•New Environment Variables
–Dynamic-Search-Scope
–Set-Session-Mgr-And-Key-Upon-Lookup
–Skip-Overriding-Username-With-LDAP-UID
Support for Solaris 10
Cisco AR 4.1.3 introduces support for the Solaris 10 operating system.
New Properties In Cisco AR 4.1.3
The following new properties have been added to Cisco AR 4.1.3:
•DetectOutOfOrderAccountingPackets
•ReuseIPForSameSessionKeyAndUser
•SearchScope
•BackingStoreDiscThreshold
•TraceFileSize
•TraceFileCount
DetectOutOfOrderAccountingPackets
DetectOutOfOrderAccountingPackets has been added to the /Radius/Advanced directory. DetectOutOfOrderAccountingPackets turns on and off detection of out of order accounting packets by generating unique valued class attributes.
ReuseIPForSameSessionKeyAndUser
ReuseIPForSameSessionKeyAndUser has been added to IP-Dynamic Resource Manager. The default value for this property is TRUE which enables Cisco AR to reuse the resources (IP addresses) of a session when user authentication is performed for an existing session.
SearchScope
SearchScope has been added to specify the LDAP SearchScope under remote LDAP server. Also, a new environment variable Dynamic-Search-Scope has been added to dynamically set SearchScope on a per packet basis. A search scope defines how deep to search within the search path.
BackingStoreDiscThreshold
BackingStoreDiscThreshold property has been added under /Radius/Advanced to ensure that the data log files generated exclusively by each of the backing store instances will not cross the configured BackingStoreDiscThreshold.
When the configured limit is reached for any of the backing stores, the Cisco AR server promotes the log file pruning task for that particular backing store to a greater extent and starts pruning continuously until the accumulated size of the log files falls below 80% (clears 20% of the log files) of BackingStoreDiscThreshold.
TraceFileSize
The TraceFileSize property under /Radius/Advanced specifies the number of trace files to be kept on the system. A new trace file is created when the trace file size reaches TraceFileSize.
TraceFileCount
The value of TraceFileCount must be from 1 to 100, and the default is 2. The TraceFileCount property under /Radius/Advanced specifies the number of trace files to maintain. A value of 1 indicates that no file rolling occurs.
New Options in car.conf File
Two new parameters have been added to the car.conf file with Cisco AR 4.1.3:
•AGENT_SERVER_LOG_SIZE (10 MB by default)
•AGENT_SERVER_LOG_FILES (2 by default)
You will find these new parameters at the beginning of the file. When the log file size reaches the value set in AGENT_SERVER_LOG_SIZE, a rollover of the agent_server_log file occurs. The value set in AGENT_SERVER_LOG_FILES specifies the number of log files to be created.
New aregcmd Option
The trace-file-count command has been added to aregcmd. The syntax of this command is:
trace-file-count n
Where n is a number that specifies the number of trace log files. This command changes the trace log file count dynamically without requiring a server reload. This is helpful for debugging situations when you do not want to perform a reload.
New Environment Variables
Three new environment variables have been added to Cisco AR 4.1.3:
•Dynamic-Search-Scope
•Set-Session-Mgr-And-Key-Upon-Lookup
•Skip-Overriding-Username-With-LDAP-UID
Dynamic-Search-Scope
Dynamic-Search-Scope is used to dynamically set the SearchScope property of an LDAP remote server configuration on a per-packet basis.
Set-Session-Mgr-And-Key-Upon-Lookup
When Set-Session-Mgr-And-Key-Upon-Lookup is set to TRUE, a session-cache resource manager sets the session-manager and session-key environment variable during a query-lookup, and the Cisco AR server does not cache the response dictionary attributes. Set-Session-Mgr-And-Key-Upon-Lookup is set to TRUE by a query-service IncomingScript.
Skip-Overriding-Username-With-LDAP-UID
Skip-Overriding-Username-With-LDAP-UID is used to decide if the username should be replaced with the UID from the LDAP server. When Skip-Overriding-Username-With-LDAP-UID is set to TRUE, the username is not replaced with the UID from the LDAP server.
You can use Skip-Overriding-Username-With-LDAP-UID to retain case sensitivity in usernames when the username given for logging in to the network is in a different case that the UID in the LDAP server database, such as User1 and user1.
New Features In Cisco AR 4.1.2
Cisco AR 4.1.2 introduces these three enhancements:
•Support for Red Hat Enterprise Linux, Version 4.0
•Multiple LDAP Binds
•Enhancements to arbug
Support for Red Hat Enterprise Linux, Version 4.0
Cisco AR 4.1.2 supports Red Hat Enterprise Linux, Version 4.0 (RHEL 4.0) 32-bit operating system. However, support for Red Hat Linux 7.3 was discontinued with the release of Cisco AR 4.1.2. Cisco AR 4.1.1 supports Red Hat Linux 7.3, but not RHEL 4.0.
Multiple LDAP Binds
Cisco AR 4.1.2 introduces the multiple LDAP bind feature. The multiple LDAP bind feature enables the Cisco AR server to open multiple connections to the LDAP server and send multiple requests in parallel.
The multiple LDAP bind feature provides a significant increase in performance for sites that use an LDAP server, especially if session management is used. See the section Cisco AR Performance and Table 9, Performance of Cisco AR 4.1.2 with an LDAP Server for detailed performance information.
The LDAP Remote Server object in Cisco AR 4.1.2 has a new mandatory property called DataSourceConnections. The DataSourceConnections property specifies the number of concurrent connections to the LDAP server. The default value is 8.
The following is the default configuration for an LDAP remote server object. Default values are shown in bold font.
[ //localhost/Radius/RemoteServers/LDAPserver ]
ReactivateTimerInterval = 300000
UserPasswordAttribute = userpassword
LimitOutstandingRequests = FALSE
MaxOutstandingRequests = 0
PasswordEncryptionStyle = Dynamic
EscapeSpecialCharInUserName = FALSE
DNSLookupAndLDAPRebindInterval =
DataSourceConnections = 8
LDAPToEnvironmentMappings/
See the "Using LDAP" chapter in the Cisco Access Registrar 4.1 User Guide for information about the LDAP Remote Server object properties.
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/user/guide/ldap.html
Enhancements to arbug
The arbug script has been enhanced in Cisco AR 4.1.2. You can use the script arbug to collect information about your Cisco AR server that can be sent through e-mail or ftp to Cisco when requested.
The arbug script collects all the relevant information needed to report a problem to Cisco AR support. The goal of the arbug script is to efficiently collect all the necessary information.
New Features In Cisco AR 4.1.1
Cisco AR 4.1.1 introduced these three enhancements:
•EAP-TTLS
•Wireless Provisioning Service
•Query-Notify
EAP-TTLS
Cisco AR supports the Extensible Authentication Protocol Tunneled TLS (EAP-TTLS). EAP-TTLS is an EAP protocol that extends EAP-TLS. In EAP-TLS, a TLS handshake is used to mutually authenticate a client and server. EAP- TTLS extends this authentication negotiation by using the secure connection established by the TLS handshake to exchange additional information between client and server.
EAP-TTLS leverages TLS (RFC 2246) to achieve certificate-based authentication of the server (and optionally the client) and creation of a secure session that can then be used to authenticate the client using a legacy mechanism. EAP-TTLS provides several benefits:
•Industry standard authentication of the server using certificates (TLS)
•Standardized method for session key generation using TLS PRF
•Strong mutual authentication
•Identity privacy
•Fast reconnect using TLS session caching
•EAP message fragmentation
•Secure support for legacy client authentication methods
EAP-TTLS is a two-phase protocol. Phase 1 conducts a complete TLS session and derives the session keys used in Phase 2 to securely tunnel attributes between the server and the client. The attributes tunneled during Phase 2 can be used to perform additional authentication(s) via a number of different mechanisms.
The authentication mechanisms that might be used during Phase 2 include PAP, CHAP, MS-CHAP, MS-CHAPv2, and EAP. If the mechanism is EAP, then several different EAP methods are possible.
The Phase 2 authentication can be performed by the local AAA server (the same server running EAP-TTLS) or it can be forwarded to another server (known as the home AAA server). In the latter case, the home server has no involvement in the EAP-TTLS protocol and can be any AAA service that understands the authentication mechanism in use and is able to authenticate the user. It is not necessary for the home server to understand EAP-TTLS.
See the EAP-TTLS section in the Extensible Authentication Protocols chapter of the User Guide for Cisco Access Registrar for more detailed information about EAP-TTLS, including configuration information.
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/user/guide/eap.html
Wireless Provisioning Service
Cisco AR 4.1 introduces support for Microsoft's Windows Provisioning Service (WPS). WPS provides hotspot users with seamless service to public WLAN hotspots by using Microsoft Windows-based clients.
WPS provides configuration and service information to a wireless client. The Cisco AR server sends the required information using different fragments within the Master URL. The following list summarizes the different fragments the RADIUS server might send to the AP in the Master URL.
•Sign up—This value is passed when the user authenticates as guest. The following is an example value for the URL PEAP-TLV:
http://www.example.com/provisioning/master.xml#sign up
where #sign up is the parameter for this action and a required element of the value.
•Renewal—This value is passed when the user's account is expired and needs renewal before network access can be granted. The following is an example value for the URL PEAP-TLV:
http://www.example.com/provisioning/master.xml#renewal
where #renewal is the parameter for this action and a required element of the value.
•Password change—This value is passed when the user is required to change the account password. An example value for the URL PEAP-TLV is:
http://www.example.com/provisioning/master.xml#passwordchange
where #passwordchange is the parameter for this action and a required element of the value.
•Force update—This value is passed when the WISP requires the Wireless Provisioning Services on the client to download an updated XML master file. This method of updating the XML master file on the client should be used only to correct errors; otherwise, the TTL expiry time in the XML master file is used to provide background updates. The following is an example value for the URL PEAP-TLV:
http://www.example.com/provisioning/master.xml#forceupdate
where #forceupdate is the parameter for this action and a required element of the value.
See the section "Support for Windows Provisioning Service" in the chapter "Using Cisco AR Server Features" of the Cisco AR User Guide for more detailed information about WPS, including configuration information:
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/user/guide/features.html
Query-Notify
The Query-Notify feature, introduced in Cisco AR 4.1, enables you to store information about Wireless Application Protocol (WAP) gateways that have queried for User Identity-IP Address mapping and send appropriate messages to the WAP gateway when the subscriber logs out of the network.
The Query-Notify feature also enables you to quarantine IP addresses for a configurable amount of time if a WAP gateway does not respond to Accounting-Stop sent by the Cisco AR server.
The Cisco AR server stores information about clients (usually the IP address) that queried for particular user information and send RADIUS Accounting-Stop packets to those clients when the Cisco AR server receives the Accounting-Stop packet. There is no intermediate proxy server between the Cisco AR server and the WAP gateway.
To support the Query-Notify feature, the Cisco AR server's radius-query service has been modified to also store information like the IP address about the clients queried for cached information. The information is stored in the user session record along with the cached information so it is available after a server reload.
See section "Query Notify" in the chapter "Using Cisco AR Server Features" of the Cisco AR User Guide for more detailed information about WPS, including configuration information:
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/user/guide/features.html
System Requirements
Note Before you begin the software installation, ensure that your server has the most recent OS software including all relevant or recommended patches.
This section describes the system requirements to install and use the Cisco AR software.
Full Installation
Table 2 lists the system requirements for a full installation of Cisco AR.
Table 2 Full Installation Requirements
Component
|
Requirements
|
CPU Architecture
|
SPARC for Solaris or Intel for Linux
|
Cisco AR 4.1.5
OS Versions
|
Solaris 9, Solaris 10 or Red Hat Enterprise Linux 4.0 using kernel version 2.6.9-22.0.2.EL (or later) and glibc version 2.3.4-2.13 (or later).
|
Minimum RAM
|
256 MB
|
Recommended RAM
|
512 MB
|
Recommended Disk Space
|
175 MB
|
Client-Only Installation
Table 3 lists the system requirements for installing the client-only component of Cisco AR.
Table 3 Client-Only Requirements
Component
|
Requirement
|
CPU Architecture
|
SPARC
|
OS Version
|
Solaris 9, or Solaris 10
|
Minimum RAM
|
32 MB
|
Recommended RAM
|
64 MB
|
Recommended Disk Space
|
120 MB
|
Note The client-only installation is available only when using the Solaris operating system.
The recommended disk space does not include the amount of space needed for accounting records which can grow rapidly depending on how frequently you process and remove them from the Cisco AR disk. If Cisco AR runs out of disk space, it could cause the loss of accounting information and the corruption of session management information.
Co-Existence With Other Network Management Applications
To achieve optimal performance, Cisco AR should be the only application running on a single machine.
Note Cisco Network Registrar and Cisco AR cannot co-exist on the same machine.
You can choose to run collaborative servers such as an Oracle or SQL database system, an LDAP server, or another Solaris application. There are no known conflicts with any other Solaris applications.
You can configure Cisco AR to avoid UDP port conflicts with other network management applications. The most common conflicts occur when other applications also use ports 2785 and 2786. Another possible conflict could be SNMP. If you configure and use SNMP on your Cisco AR server, no other application can be configured to use SNMP on the Cisco AR machine.
Solaris 8 Patch Requirement
Cisco AR 4.1 uses OpenSSL software to generate certificates for 'https' communication. OpenSSL software uses Solaris internal devices /dev/urandom and /dev/random devices while generating certificates, but these devices are not in Solaris 8.
You can add /dev/urandom and /dev/random devices to Solaris 8 by installing patch 112438 (sparc) available at the following URL:
http://sunsolve.sun.com
Note If you attempt to install the Cisco AR 4.1.x package in Solaris 8 without this patch, Cisco AR reports an error.
Note The Solaris 8 operating system is supported up to and including the Cisco AR 4.1.3 release.
Related Documentation
The following is a list of the documentation for Cisco AR 4.1. You can access the URLs listed for each document at www.cisco.com on the World Wide Web. Cisco recommends that you refer to the documentation in the following order:
Cisco Access Registrar 4.1 Documentation Guide (78-17299-01)
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/roadmap/ardocgd.html
Cisco Access Registrar 4.1 Installation and Configuration Guide (OL-8559-03)
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/release/notes/41relnot.html
Cisco Access Registrar 4.1 User Guide (OL-8558-03)
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/user/guide/users.html
Cisco AR 4.1 Licensing
Cisco AR uses a licensing mechanism that enables you to activate different features in Cisco AR using a combination of different license keys. During system initialization, the Cisco AR server sets up the licensing data model and activates any features that are properly licensed.
Licensed Features
Table 4 lists the Cisco AR names of the features that require licenses. As new licensed features are added to Cisco AR, new license files will also be required.
Table 4 Cisco AR 4.1 Licensed Features
Feature Name
|
Description
|
AR-STANDARD
|
Standard Cisco AR feature set including EAP-FAST and Windows Domain Authentication
|
AR-HLR
|
HLR Proxy feature for EAP-SIM service
Note Cisco AR 4.1 supports EAP-SIM draft v16
|
AR-PREPAID
|
Prepaid Billing feature for Prepaid service
|
AR-CACHE
|
Identity Caching and RADIUS Query features
|
AR-CPU
|
Standard Cisco AR feature set for Cisco AR servers with multiprocessors
|
Getting Cisco AR 4.1 Feature Licenses
When you order the Cisco AR 4.1 product, a text license file will be sent to you through e-mail. If you are evaluating the software, Cisco will provide you with an evaluation license.
If you decide to upgrade your Cisco AR software and add a feature, a new text license file will be sent to you through e-mail when you order the upgrade.
If you receive a Software License Claim Certificate, you can get your Cisco AR license file at one of the two following URLs:
•www.cisco.com/go/license
Use this site if you are a registered user of Cisco Connection Online.
•www.cisco.com/go/license/public
Use this site if you are not a registered user of Cisco Connection Online.
Within one hour of registration at either of the above web sites, you will receive your license key file and installation instructions in email.
Installing Cisco AR 4.1 Licenses
You must have a license in a directory on the Cisco AR machine before you attempt to install Cisco AR software. If you have not installed the Cisco AR license file before beginning the software installation, the installation process will fail.
You can store the Cisco AR license file in any directory on the Cisco AR machine. During the installation process, you will be asked the location of the license file, and the installation process will copy the license file to the /opt/CSCOar/license directory, or $INSTALL/license if you are not using the default installation location.
The license file might have the name ciscoar.lic, but it can be any filename with the suffix .lic. To install the Cisco AR license file, you can copy and paste the text into a file, or you can simply save the file you receive through e-mail to an accessible directory.
Upgrading Your Cisco AR 4.1 License File
If you add additional features that require licenses, you can open the file in /opt/CSCOar/license and add additional lines to the license file, or you can create an additional license file to hold the new lines. If you add a new file, remember to give it a .lic suffix.
If you upgrade your Cisco AR license for additional features, you must restart the Cisco AR server for the new license to take effect. To restart the Cisco AR server, enter the following on the server command line:
/opt/CSCOar/bin/arserver restart
Sample License File
The following is an example of a Cisco AR 4.1 license file.
INCREMENT AR-STANDARD cisco 4.1 27-apr-2007 uncounted HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID></LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
INCREMENT AR-CACHE cisco 4.1 27-apr-2007 uncounted HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID></LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
INCREMENT AR-PREPAID cisco 4.1 27-apr-2007 uncounted HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID></LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
INCREMENT AR-HLR cisco 4.1 27-apr-2007 uncounted HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID></LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
INCREMENT AR-CPU cisco 4.1 27-apr-2007 uncounted HOSTID=ANY \
NOTICE="<LicFileID></LicFileID><LicLineID></LicLineID> \
<PAK>dummyPak</PAK>" SIGN=ABCDEF123456
Displaying License Information
Cisco AR provides two ways of getting license information using aregcmd:
•aregcmd command-line option
•Launching aregcmd
aregcmd Command-Line Option
Cisco AR provides a new -l command-line option to aregcmd. The syntax is:
aregcmd -l directory_name
where directory_name is the directory where the Cisco AR license file is stored. The following is an example of the aregcmd -l command:
aregcmd -l /opt/CSCOar/license
Licensed Application: Cisco Access Registrar (Standard Version)
Following are the licensed components:
AR-Standard 4.1 27-Apr-2007
AR-Prepaid 4.1 27-Apr-2007
Launching aregcmd
The Cisco AR server displays license information when you launch aregcmd, as shown in the following:
aregcmd
Cisco Access Registrar 4.1.5 Configuration Utility
Copyright (C) 1995-2008 by Cisco Systems, Inc. All rights reserved.
LicenseInfo = AR-Standard 4.1 (expires on 27-Apr-2007)
AR-Prepaid 4.1 (expires on 27-Apr-2007)
AR-HLR 4.1 (expires on 27-Apr-2007)
AR-Cache 4.1 (expires on 27-Apr-2007)
AR-CPU 4.1 (expires on 27-Apr-2007)
Server 'Radius' is Running, its health is 10 out of 10
Installing Cisco AR 4.1 Software on Solaris
Note The Cisco AR 4.1.5 release supports Solaris 9 and Solaris 10. Cisco AR 4.1.3 is the last version of Cisco AR to support Solaris 8.
This section describes the software installation process when installing Cisco AR software on a Solaris workstation for the first time. This section includes the following subsections:
•Deciding Where to Install
•Installing Cisco AR Software from CD-ROM
•Installing Downloaded Software
•Common Solaris Installation Steps
Note Cisco AR 4.1 uses OpenSSL software to generate certificates for https communication. OpenSSL software internally uses Solaris /dev/urandom or /dev/random devices while generating certificates. (These devices are not in Solaris 8, but are available by default in Solaris 9.) When installing the Cisco AR 4.1 package in Solaris 8, Cisco AR reports an error if the random number generator has not been seeded with at least 128 bits of randomness. You can add /dev/urandom and /dev/random devices in Solaris 8 by installing patch 112438 (Spark) which is available via the Pathfinder at http://sunsolve.sun.com.
Tips Before you begin to install the software, check your workstation's /etc/group file and make sure that group staff exists. The software installation will fail if group staff does not exist before you begin.
Deciding Where to Install
Before you begin the software installation, you should decide where you want to install the new software. The default installation directory for Cisco AR 4.1 software is /opt/CSCOar. You can use the default installation directory, or you can choose to install the Cisco AR software in a different directory.
Installing Cisco AR Software from CD-ROM
Note The Cisco AR 4.1.5 software is not available in CD-ROM format.
The following steps describe how to begin the software installation process when installing software from the Cisco AR 4.1 CD-ROM. If you are installing downloaded software, proceed to Installing Downloaded Software.
Step 1 Place the Cisco AR software CD-ROM in the Cisco AR workstation CD-ROM drive.
Step 2 Log in to the Cisco AR workstation as a root user, and enter the following command line for Solaris 9:
pkgadd -d /cdrom/cdrom0/kit/solaris-2.9 CSCOar
or the following for Solaris 10:
pkgadd -d /cdrom/cdrom0/kit/solaris-2.10 CSCOar
Step 3 Proceed to Common Solaris Installation Steps.
Installing Downloaded Software
Note The Cisco AR 4.1.5 software is available for download from Cisco.com at the following URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/access-registrar-encrypted
Table 5 lists the tar files for Solaris and RHEL operating systems.
Table 5 Tar Files for Solaris and RHEL
Tar File
|
Operating System
|
CSCOar-4.1.5-sol9-k9.tar.gz
|
Solaris 2.9
|
CSCOar-4.1.5-sol10-k9.tar.gz
|
Solaris 2.10
|
CSCOar-4.1.5-lnsx26-install.sh
|
RHEL 4
|
This section describes how to uncompress and extract downloaded Cisco AR software and begin the software installation.
Step 1 Log in to the Cisco AR workstation as a root user.
Step 2 Change directory to the location where you have stored the uncompressed tarfile.
cd /tmp
Step 3 Use the following command line to uncompress the tarfile and extract the installation package files.
zcat CSCOar-4.1.5-sol9-K9.tar.gz | tar xvf -
Note These instructions are for the Solaris 9 package. There is no difference in download or installation procedures for Solaris 9 or Solaris 10 other than the package name.
Step 4 Enter the following command to begin the installation:
pkgadd -d /tmp CSCOar
where /tmp is the temporary directory where you stored and uncompressed the installation files. The following message appears:
Processing package instance <CSCOar> from </tmp>
Cisco Access Registrar 4.1.5 [SunOS-5.9, official]
Copyright (C) 1998-2008 by Cisco Systems, Inc.
This program contains proprietary and confidential information.
All rights reserved except as may be permitted by prior written consent.
This package contains the Access Registrar Server and the
Access Registrar Configuration Utility. You can choose to
perform either a Full installation or just install the
What type of installation: Full, Config only [Full] [?,q]
Step 5 Proceed to Common Solaris Installation Steps.
Common Solaris Installation Steps
This section describes the installation process immediately after you have issued the pkgadd command installing from CD-ROM or from downloaded software.
Step 1 For a full install, press Enter.
Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q]
Step 2 Press Enter to accept the default location of /opt/CSCOar, or enter a different directory to be used as the base installation directory.
Access Registrar requires FLEXlm license file to operate. A list
of space delimited license files or directories can be supplied as
input; license files must have the extension ".lic".
Where are the FLEXlm license files located? [] [?,q]
Step 3 Enter the directory where you have stored the Cisco AR 4.1 license file.
Access Registrar provides a Web GUI. It requires J2RE version
1.4.* to be installed on the server.
If you already have a compatible version J2RE installed, please
enter the directory where it is installed. If you do not, the
compatible J2RE version can be downloaded from:
Where is the J2RE installed? [?,q] /nfs/insbu-cnstools/java
The J2RE is required to use the Cisco AR GUI. If you already have a Java 2 platform installed, enter the directory where it is installed.
Note If you do not provide the J2RE path, or if the path is empty or unsupported, the installation process exits.
Step 4 Enter the directory or mount point where the J2RE is installed.
If you are not using ORACLE, press Enter/Return to skip this step.
ORACLE installation directory is required for ODBC configuration.
ORACLE_HOME variable will be set in /etc/init.d/arserver script
Where is ORACLE installed? [] [?,q]
Step 5 If you plan to use Oracle accounting, enter the location where you have installed Oracle; otherwise press Enter.
If you want to learn about Access Registrar by following the
examples in the Installation and Configuration Guide, you need to
populate the database with the example configuration.
Do you want to install the example configuration now [n] [y,n,?,q]
Step 6 When prompted whether to install the example configuration now, reply Y or N to continue.
You can add the example configuration at any time by
/opt/CSCOar/bin/aregcmd -f /opt/CSCOar/examples/cli/add-example-configuration.rc
Note You can delete the example configuration at any time by running the command /opt/CSCOar/usrbin/aregcmd -f /opt/CSCOar/examples/cli/delete-example-configuration.rc.
## Executing checkinstall script.
The selected base directory </opt/CSCOar> must exist before
installation is attempted.
Do you want this directory created now [y,n,?,q] y
Step 7 Enter Y to enable the installation process to create the /opt/CSCOar directory.
Using </opt/CSCOar> as the package base directory.
## Processing package information.
## Processing system information.
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
The following files are being installed with setuid and/or setgid
/opt/CSCOar/.system/screen <setuid root>
/opt/CSCOar/bin/aregcmd <setgid staff>
/opt/CSCOar/bin/radclient <setgid staff>
Do you want to install these as setuid/setgid files [y,n,?,q]
Step 8 Enter Y to install the setuid/setgid files.
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of <CSCOar> [y,n,?]
Step 9 Enter Y to continue with the software installation.
No further interaction is required; the installation process should complete successfully and the arservagt is automatically started.
Installing Cisco Access Registrar 4.1.5 [SunOS-5.9, official] as <CSCOar>
## Installing part 1 of 1.
/opt/CSCOar/.system/add-example-config
/opt/CSCOar/.system/run-ar-scripts
/opt/CSCOar/.system/screen
/opt/CSCOar/bin/nasmonitor
/opt/CSCOar/bin/share-access
/opt/CSCOar/java/javadoc.tar.gz
/opt/CSCOar/lib/getopts.tcl
# setting up product configuration file /opt/CSCOar/conf/car.conf
# linking /etc/init.d/arserver to /etc/rc.d files
# setting ORACLE_HOME and JAVA_HOME variables in arserver
# removing old session information
# flushing old replication archive
# creating initial configuration database
Rollforward recovery using "/opt/CSCOar/data/db/vista.tjf" started Fri Mar 10 13:54:54
2007
Rollforward recovery using "/opt/CSCOar/data/db/vista.tjf" finished Fri Mar 10 13:54:55
2007
# installing example configuration
We will now generate an RSA key-pair and self-signed certificate that
may be used for test purposes
Generating a 1536 bit RSA private key
writing new private key to '/cisco-ar/certs/tomcat/server-key.pem'
Server self-signed certificate now resides in /cisco-ar/certs/tomcat/server-cert.pem
Server private RSA key now resides in /cisco-ar/certs/tomcat/server-key.pem
Remember to install additional CA certificates for client verification
Tomcat private RSA key now resides in /cisco-ar/certs/tomcat/server-key.pem
Starting Access Registrar Server Agent...
The Radius server is now running.
Installation of <CSCOar> was successful
Configuring SNMP
If you choose not to use the SNMP features of Cisco AR, the installation process is completed. To use SNMP features, complete the configuration procedure described in the section "Configuring SNMP in Installing and Configuring Cisco Access Registrar, 4.1.
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/installation/guide/
config.html#wp1041935
RPC Bind Services
The Cisco AR server and the aregcmd CLI requires RPC services to be running before the server is started. If the RPC services are stopped, you must restart RPC services, then restart the Cisco AR server. Use the following commands to restart RPC services:
/opt/CSCOar/bin/arserver stop
/etc/init.d/rpc start
/opt/CSCOar/bin/arserver start
If RPC services are not running, the following message is displayed when you attempt to start aregcmd:
Login to aregcmd fails with the message:
Installing Cisco AR 4.1 Software on Linux
This section describes the software installation process when installing Cisco AR software on a Linux workstation for the first time. This section includes the following subsections:
•Deciding Where to Install
•Installing Cisco AR Software from CD-ROM
•Common Linux Installation Steps
Tips Before you begin to install the software, check your workstation's /etc/group file and make sure that group staff exists. The software installation will fail if group staff does not exist before you begin.
Deciding Where to Install
Before you begin the software installation, you should decide where you want to install the new software. The default installation directory for Cisco AR 4.1 software is /opt/CSCOar. You can use the default installation directory, or you can choose to install the Cisco AR software in a different directory.
Installing Cisco AR Software from CD-ROM
The following steps describe how to begin the software installation process when installing software from the Cisco AR 4.1 CD-ROM. If you are installing downloaded software, proceed to Installing Downloaded Software.
Note Cisco AR 4.1.1 is the only version of Cisco AR 4.1 software available on CD-ROM. Cisco AR 4.1.5 is only available by downloading from Cisco.com.
Step 1 Place the Cisco AR 4.1 software CD-ROM in the Cisco AR workstation CD-ROM drive.
Step 2 Log in to the Cisco AR workstation as a root user and find a temporary directory, such as /tmp, to store the Linux installation file.
Note The temporary directory requires at least 70 MB of free space.
Step 3 Change directory to the CD-ROM.
cd /cdrom/cdrom0/kit/linux-2.4
Step 4 Copy the CSCOar-4.1.1-lnx24-install-K9.sh file to the temporary directory.
cp CSCOar-4.1.1-lnx24-install-K9.sh /tmp
Step 5 Change the permissions of the CSCOar-4.1.1-lnx24-install-K9.sh file to make it executable.
chmod 777 CSCOar-4.1.1-lnx24-install-K9.sh
To continue the installation, proceed to Common Linux Installation Steps.
Common Linux Installation Steps
This section describes how to install the downloaded Cisco AR software for Linux and begin the software installation.
Note The Cisco AR Linux installation automatically installs aregcmd and radclient as setgid programs in group adm.
Step 1 Log in to the Cisco AR workstation as a root user.
Step 2 Change directory to the location where you have stored the CSCOar-4.1.3-lnx26-install-K9.sh file.
cd /tmp
Step 3 Enter the name of the script file to begin the installation:
./CSCOar-4.1.3-lnx26-install-K9.sh
Name : CSCOar Relocations: /opt/CSCOar
Version : 4.1.3 Vendor: Cisco Systems, Inc.
Release : 1151158056 Build Date: Sat 24 Mar 2007
Install Date: (not installed) Build Host:
build_tag: [Linux-2.6.9, official]
Copyright (C) 1998-2007 by Cisco Systems, Inc.
This program contains proprietary and confidential information.
All rights reserved except as may be permitted by prior written consent.
This package contains the Access Registrar Server and the Access
Registrar Configuration Utility. All the Client, Server, and
Configuration utilities will be installed.
Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q]
Step 4 Press Enter to accept the default location of /opt/CSCOar, or enter a different directory to be used as the base installation directory.
Access Registrar requires FLEXlm license file to operate. A list
of space delimited license files or directories can be supplied as
input; license files must have the extension ".lic".
Where are the FLEXlm license files located? [] [?,q]
Step 5 Enter the directory where you have stored the Cisco AR license file.
Access Registrar provides a Web GUI. It requires J2RE version 1.4.*
to be installed on the server.
If you already have a compatible version of J2RE installed, please
enter the directory where it is installed. If you do not, the
compatible J2RE version can be downloaded from:
Where is the J2RE installed? [] [?,q]
The J2RE is required to use the Cisco AR GUI. If you already have a Java 2 platform installed, enter the directory where it is installed.
Note If you do not provide the J2RE path, or if the path is empty or unsupported, the installation process exits.
If you are not using ORACLE, press Enter/Return to skip this step.
ORACLE installation directory is required for ODBC configuration.
ORACLE_HOME variable will be set in /etc/init.d/arserver script
Where is ORACLE installed? [] [?,q]
Step 6 Enter the location where you have installed Oracle, otherwise press Enter.
If you want to learn about Access Registrar by following the examples
in the Installation and Configuration Guide, you need to populate
the database with the example configuration.
Do you want to install the example configuration now? [n]: [y,n,?,q] y
Step 7 When prompted whether to install the example configuration now, reply Y or N to continue.
Note You can delete the example configuration at any time by running the command /opt/CSCOar/usrbin/aregcmd -f /opt/CSCOar/examples/cli/delete-example-configuration.rc.
Preparing... ########################################### [100%]
1:CSCOarui-add ########################################### [100%]
Archive: ./jakarta-tomcat-4.0.6.zip
creating: /opt/CSCOar/jakarta-tomcat-4.0.6/bin/
inflating: /opt/CSCOar/jakarta-tomcat-4.0.6/bin/bootstrap.jar
inflating: /opt/CSCOar/jakarta-tomcat-4.0.6/bin/catalina.bat
inflating: /opt/CSCOar/jakarta-tomcat-4.0.6/bin/catalina.sh
inflating: /opt/CSCOar/jakarta-tomcat-4.0.6/bin/cpappend.bat
inflating: /opt/CSCOar/jakarta-tomcat-4.0.6/bin/digest.bat
inflating: /opt/CSCOar/jakarta-tomcat-4.0.6/bin/digest.sh
inflating: /opt/CSCOar/jakarta-tomcat-4.0.6/bin/jasper.bat
inflating: /opt/CSCOar/jakarta-tomcat-4.0.6/bin/jasper.sh
Rollforward recovery using "/opt/CSCOar/data/db/vista.tjf" finished Fri Mar 10 15:30:40
2007
We will now generate an RSA key-pair and self-signed certificate that
may be used for test purposes
Generating a 1536 bit RSA private key
.....................++++
.........................................++++
writing new private key to '/cisco-ar/certs/tomcat/server-key.pem'
Server self-signed certificate now resides in /cisco-ar/certs/tomcat/server-cert.pem
Server private RSA key now resides in /cisco-ar/certs/tomcat/server-key.pem
Remember to install additional CA certificates for client verification
Tomcat private RSA key now resides in /cisco-ar/certs/tomcat/server-key.pem
Starting Access Registrar Server Agent..completed.
The Radius server is now running.
Configuring SNMP
If you choose not to use the SNMP features of Cisco AR, the installation process is completed. To use SNMP features, complete the configuration procedure described in the section "Configuring SNMP" in Installing and Configuring Cisco Access Registrar, 4.1.
http://cisco.com/en/US/docs/net_mgmt/access_registrar/4.1/installation/guide/
config.html#wp1041935
Cisco AR Performance
The tests cases were run on a Sun Fire V210 with 2GB RAM 2 x 1000 MHz UltraSPARC-3i processors, 36 GB SCSI-UW disks, and Solaris 9 64-bit kernel. The reported numbers are an average of 100 test runs.
The LDAP servers run on an HP Kayak XU with 256MB RAM 2 x 500 MHz Pentium 3 processors, 9.1 GB SCSI-UW disks, and Windows 2000 Service Pack 4. No special performance tuning was made to the servers or to AR. All LDAP tests ran with 3 proxy servers in round robin. The Oracle servers run on the same platform and number of servers in round robin.
The LDAP vendor is the iPlanet Directory Server 4.11. The Oracle server version is 9.2.0.1. Both data stores have 10,000 users. The Oracle tests were run using Sun Fire v210.
General Performance
Numbers are given in RADIUS Pairs Per Second (RPPS). In general, one transaction is one RADIUS request/response pair (as in Access-Request and Access-Accept). Here is the specific pair usage for each test type:
•One AAA transaction uses three RADIUS pairs
•One accounting only transaction uses two RADIUS pairs
Table 6 lists performance results of a local database.
Table 6 Performance Results of Local Database
Test
|
Results
|
AA
|
2206 RPPS
|
AAA
|
2142 RPPS
|
Accounting only
|
2612 RPPS
|
AA with Session Management
|
997 RPPS
|
AAA with Session Management
|
1206 RPPS
|
AA Latency
|
1.003 ms
|
Accounting Latency
|
92.670 ms
|
AA with Session Management Latency
|
121.588 ms
|
Table 7 lists performance results of Cisco AR with a proxy server with a local database.
Table 7 Performance of Proxy Server with Local Database
Test
|
Results
|
AA
|
1991 RPPS
|
AAA
|
2079 RPPS
|
Accounting only
|
1908 RPPS
|
AA with Session Management
|
542 RPPS
|
AAA with Session Management
|
774 RPPS
|
AA Latency
|
2.191 ms
|
Accounting Latency
|
105.565 ms
|
AA with Session Management Latency
|
146.063 ms
|
Table 8 lists performance results of Cisco AR 4.1.1 using an LDAP server.
Table 8 Performance of LDAP Server
Test
|
Results
|
AA
|
1347 RPPS
|
AAA
|
1359 RPPS
|
AA with Session Management
|
223 RPPS
|
AAA with Session Management
|
993 RPPS
|
Table 9 lists performance results of Cisco AR 4.1.2 using the multiple LDAP bind feature with an LDAP server.
Table 9 Performance of Cisco AR 4.1.2 with an LDAP Server
Test
|
Results
|
AA
|
2043 RPPS
|
AAA
|
2259 RPPS
|
AA with Session Management
|
849 RPPS
|
AAA with Session Management
|
1176 RPPS
|
Table 10 lists performance results of Cisco AR using ODBC with local accounting.
Table 10 Performance of ODBC with Local Accounting
Test
|
Results
|
AA
|
1203 RPPS
|
AAA
|
1833 RPPS
|
AA with Session Management
|
686 RPPS
|
AAA with Session Management
|
1029 RPPS
|
Cisco AR 4.1.4 on Solaris 10
Cisco AR 4.1.4 performance tests were done using the Solaris 10 operating system on a Sun Fire V240 machine with 4 GB RAM and two 1503 MHz UltraSPARC-3i processors.
Table 11 shows the performance results for AA and AAA for session management. You can compare these performance numbers to those listed in Table 12 which show the same functions when using the Backing Store Enhancement feature added in Cisco AR 4.1.4.
Table 11 lists the performance results for AA and AAA session management.
Table 11 Cisco AR 4.1.4 Performance of Proxy Server with Local Database
Test
|
Results
|
AA with Session Management
|
907 RPPS
|
AAA with Session Management
|
932 RPPS
|
AA with Session Management Latency
|
120.285 ms
|
AAA with Session Management Latency
|
244.435 ms
|
Performance of Proxy Server with Local Database with Pruning
The performance numbers listed in Table 12 were achieved using the same performance tests used in section Cisco AR 4.1.4 on Solaris 10, but these results were obtained while the Cisco AR server performed session backing store pruning.
Table 12 lists the performance results of proxy server with local database.
Table 12 Cisco AR 4.1.4 Performance of Proxy Server with Local Database
Test
|
Results
|
AA with Session Management plus pruning
|
790 RPPS
|
AAA with Session Management plus pruning
|
792 RPPS
|
AA with Session Management Latency plus pruning
|
131.516 ms
|
AAA with Session Management Latency plus pruning
|
278.270 ms
|
Cisco AR 4.1.5 on Solaris 9
Cisco AR 4.1.5 performance tests were done on a Sun Fire V210 machine with 5 GB RAM, 2 x 1000 MHz UltraSPARC-3i processors, 36 GB SCSI-UW disks, and Solaris 9 64-bit kernal.
Sun One LDAP servers were used for LDAP performance tests.
These performance results are an average of 100 test runs.
Table 13 shows a comparative study on the performance between Cisco AR 4.1.3 on Solaris 8 and Cisco AR 4.1.5 on Solaris 9 with a local database. You can compare these performance numbers with those listed in Table 14 and Table 15, which gives the performance results of proxy server with local database and LDAP server with local database respectively.
Table 13 lists the performance results of Cisco AR 4.1.3 and Cisco AR 4.1.5 with a local database.
Table 13 Performance Results of Cisco AR 4.1.3 and Cisco AR 4.1.5 with Local Database
Test
|
Cisco AR 4.1.3 (On Solaris 8)
|
Cisco AR 4.1.5 (On Solaris 9)
|
AA
|
2206 RPPS
|
2351 RPPS
|
AAA
|
2142 RPPS
|
2447 RPPS
|
Accounting Only1
|
2612 RPPS
|
2583 RPPS
|
AA+SM
|
997 RPPS
|
1008 RPPS
|
AAA+SM
|
1206 RPPS
|
1379 RPPS
|
Table 14 lists the performance results of proxy server with local database.
Table 14 Performance Results of Proxy Server with Local Database
Test
|
Cisco AR 4.1.3 (On Solaris 8)
|
Cisco AR 4.1.5 (On Solaris 9)
|
AA
|
1991 RPPS
|
2313 RPPS
|
AAA
|
2079 RPPS
|
2209 RPPS
|
Accounting Only
|
1908 RPPS
|
1918 RPPS
|
AA+SM
|
542 RPPS
|
856 RPPS
|
AAA+SM
|
774 RPPS
|
937 RPPS
|
Table 15 shows the performance results of Cisco AR 4.1.3 and Cisco AR 4.1.5 with LDAP server.
Table 15 Performance Results of Cisco AR 4.1.3 and Cisco AR 4.1.5 with LDAP Server
Test
|
Cisco AR 4.1.3 (On Solaris 8)
|
Cisco AR 4.1.5 (On Solaris 9)
|
AA
|
2043 RPPS
|
2334 RPPS
|
AAA
|
2259 RPPS
|
2878 RPPS
|
AA+SM
|
849 RPPS
|
991 RPPS
|
AAA+SM
|
1176 RPPS
|
1252 RPPS
|
EAP Performance
EAP performance testing was done using a different test setup.
EAP-SIM
The EAP-SIM test setup included two SunFire V210 machines and one Sun Fire V100 machine. All the machines are loaded with Solaris 9. An ITP simulator was used to determine these performance numbers and a real ITP/HLR was not used. ITP Simulator was installed in one SunFire V210 and another V210 was used as the tested unit. A Sun Fire V100 was used to create EAP-SIM traffic. Performance numbers measured after sending a sequence of 10,000 EAP-SIM messages 100 times.
Cisco AR configuration included:
•Authentications are done for permanent ID
•Triplet caching is not enabled
•Number of triplets used for authentication = 2
•Temporary ID and Reauthentication ID: disabled (no AES)
For EAP-SIM:
•One AA transaction requires three RADIUS pairs
•One AAA transaction requires five RADIUS pairs
EAP-SIM performance largely depends on the EAP-SIM protocol implementation on the client side and the performance of the back-end SIM authentication infrastructure (such as the HLR/AuC, signaling network). The performance numbers that follow give an indication of what can be achieved with a synthetic test client and a TCL script simulating the back-end infrastructure. Real-world server performance might be faster if you use real SIM authentication hardware.
Note An authentication sequence for authentication and authorization requires three request-challenge-accept pairs. An authentication sequence for authentication, authorization, and accounting requires five request-challenge-accept pairs.
Table 16 lists performance results of Cisco AR using EAP-SIM authentication with a permanent ID.
Table 16 EAP-SIM with Permanent ID Test Results
Test
|
Results
|
AA
|
576 (*3)
|
1728 RPPS
|
AAA
|
356 (*5)
|
1780 RPPS
|
AA + SM
|
111 (*3)
|
333 RPPS
|
AAA + SM
|
47 (*5)
|
235 RPPS
|
Table 17 lists performance results of Cisco AR using EAP-SIM authentication with a temporary ID.
Table 17 EAP-SIM with Temporary ID Test Results
Test
|
Results
|
AA
|
544 (*3)
|
1632 RPPS
|
AAA
|
345 (*5)
|
1725 RPPS
|
AA + SM
|
124 (*3)
|
372 RPPS
|
AAA + SM
|
53 (*5)
|
265 RPPS
|
Table 18 lists performance results of Cisco AR using EAP-SIM authentication with a temporary ID.
Table 18 EAP-SIM with Reauthentication ID Test Results
Test
|
Results
|
AA
|
667 (*3)
|
2001 RPPS
|
AAA
|
599 (*5)
|
2995 RPPS
|
AA + SM
|
387 (*3)
|
1161 RPPS
|
AAA + SM
|
565 (*5)
|
2825 RPPS
|
Table 19 lists performance results of Cisco AR using EAP-SIM authentication with a temporary ID.
Table 19 EAP-SIM with Temporary and Reauthentication ID Test Results
Test
|
Results
|
AA
|
654 (*3)
|
1962 RPPS
|
AAA
|
385 (*5)
|
1925 RPPS
|
AA + SM
|
399 (*3)
|
1197 RPPS
|
AAA + SM
|
203 (*5)
|
1015 RPPS
|
PEAP
The PEAP test setup included the following:
•One SunFire V210 with 2GB RAM 2 x 1000 MHz UltraSPARC-3i processors, Solaris 9
•Four Sun Enterprise 250 with 512MB RAM 2 x 296 MHz, Solaris 9
•One Sun Enterprise 250 with 768 MB RAM 2 x 248 MHz, Solaris 9
•Four Sun Fire V100 with 1GB RAM 2 x 500 MHz, Solaris 9
•One Sun Fire V100 with 1 GB RAM 2 x 648 MHz, Solaris 9
The Sun Fire V210 machine is used as the unit under test and Cisco AR is installed in it. All the other machines ran the radclient tool used to generate PEAP traffic. Performance numbers are arrived by sending a sequence of 1,000 PEAP authentication requests 50 times.
Cisco AR configuration included:
•Client certificate verification disabled
•TLS session caching disabled
•Windows Provisioning Service disabled for PeapV0
Configuration for PEAP-V0 with EAP-MSCHAPV2:
•One AA transaction requires 9 RADIUS pairs
•One AAA transaction requires 11 RADIUS pairs
Configuration for PEAP-V1 with EAP-GTC
•One AA transaction requires 8 RADIUS pairs
•One AAA transaction requires 10 RADIUS pairs
Table 20 lists the results of the PEAPV0 with MSCHAPv2 tests.
Table 20 PEAPv0 with MSCHAPv2 Test Results
Test
|
Authentications/Sec
|
RPPS
|
AA
|
73 * (9)
|
657
|
AAA
|
89 * (11)
|
979
|
AA + SM
|
37 * (9)
|
333
|
AAA + SM
|
145 * (11)
|
1595
|
Table 21 lists the results of the PEAPv1 with EAP-GTC tests.
Table 21 PEAPv1 with EAP-GTC Test Results
Test
|
Authentications/Sec
|
RPPS
|
AA
|
75 * (8)
|
600
|
AAA
|
101 * (10)
|
1010
|
AA + SM
|
29 * (8)
|
232
|
AAA + SM
|
144 * (10)
|
1440
|
EAP-TTLS
The EAP-TTLS test setup included:
•One SunFire V210 with 2GB RAM 2 x 1000 MHz UltraSPARC-3i processors, Solaris 9
•Four Sun Enterprise 250 with 512MB RAM 2 x 296 MHz, Solaris 9
•One Sun Enterprise 250 with 768 MB RAM 2 x 248 MHz, Solaris 9
•One Sun Fire V100 with 1 GB RAM 2 x 648 MHz, Solaris 9
A Sun Fire V210 machine is used as the test unit and Cisco AR software is installed on it. All the other machines ran the radclient tool used to generate EAP-TTLS traffic. Performance numbers are determined by sending a sequence of 500 EAP-TTLS authentication requests 50 times.
The Cisco AR server configuration includes the following:
•Client certificate verification is disabled
•TLS session caching is disabled
For EAP-TTLS with local-users
•One AA transaction requires 5 RADIUS pairs
•One AAA transaction requires 7 RADIUS pairs
For EAP-TTLS with EAP-MSCHAPV2
•One AA transaction requires 7 RADIUS pairs
•One AAA transaction requires 9 RADIUS pairs
Table 22 lists the test results for EAP-TTLS with a local-user database.
Table 22 EAP-TTLS with Local Users Test Results
Test
|
Authentications/Sec
|
RPPS
|
AA
|
76 * (5)
|
380
|
AAA
|
93 * (7)
|
651
|
AA + SM
|
35 * (5)
|
175
|
AAA + SM
|
125 * (7)
|
875
|
Table 23 lists the test results for EAP-TTLS with MSCHAPV2.
Table 23 EAP-TTLS with MSCHAPV2 Test Results
Test
|
Authentications/Sec
|
RPPS
|
AA
|
71 * (7)
|
497
|
AAA
|
87 * (9)
|
783
|
AA + SM
|
36 * (7)
|
252
|
AAA + SM
|
138 * (9)
|
1242
|
Caveats
This section provides information about known anomalies in Cisco AR 4.1.4 and information about anomalies from previous versions of Cisco AR that have been fixed in Cisco AR 4.1.5, Cisco AR 4.1.4, Cisco AR 4.1.3, Cisco AR 4.1.2, andCisco AR 4.1.1:
•Known Anomalies in Cisco AR 4.1.5
•Anomalies Fixed in Cisco AR 4.1.5
•Known Anomalies in Cisco AR 4.1.4
•Anomalies Fixed in Cisco AR 4.1.4
•Anomalies Fixed in Cisco AR 4.1.3
•Anomalies Fixed in Cisco AR 4.1.2
•Anomalies Fixed in Cisco AR 4.1.1
Known Anomalies in Cisco AR 4.1.5
Table 24 lists the known anomalies in Cisco AR 4.1.5.
Table 24 Known Anomalies in Cisco AR 4.1.5
Bug
|
Description
|
CSCsj91620
|
Unable to release certain sessions.
Symptoms: In Cisco AR 4.1.2, users might not be logged out properly. If per-user session limits are used, the affected users might eventually be unable to connect.
Conditions: This issue is seen with user traffic on Cisco AR 4.1.2. The issue is intermittent and does not appear to affect all counts.
Workaround: You can use any one of the following workarounds:
•Use the release-session command several times until it eventually releases the session.
•Release the sessions through the GUI.
•Enable the StaleSessionTimeout property to prevent older sessions from running into this state.
|
CSCsl16760
|
Global TCL procedures are not available above a certain number of scripts.
Symptoms: Several TCL scripts are configured in Cisco AR. Beyond a certain number of scripts, procedures from one script file might not be accessible by another script file.
Conditions: More than 25 script files are configured within Cisco AR, but they make use of common procedures that are written in a global TCL script file.
Workaround: Add an include statement to the script files trying to access the common procedures in the global TCL file.
|
CSCso70606
|
ODBC Accounting fails due to HOT configuration.
Symptoms: Few accounting packets do not get into the ODBC database.
Conditions: This happens when packet buffering is enabled in ODBC accounting service, and HOT configuration happens along with ODBC accounting service processing some accounting packets at the same time.
Workaround: You must do the following:
•Stop Cisco AR using the stop command before saving any changes from aregcmd.
•Save changes using the save command.
•Start the server again using the start command.
|
Anomalies Fixed in Cisco AR 4.1.5
Table 25 lists the anomalies fixed in Cisco AR 4.1.5.
Table 25 Anomalies Fixed in Cisco AR 4.1.5
Bug
|
Description
|
CSCse69411
|
The aregcmd command returns a segmentation fault error when using the tab key.
Symptoms: The aregcmd command returns a segmentation fault error and logs out of the aregcmd tool.
Conditions: This condition occurs when you use the tab key for autocomplete feature with the cursor at the beginning of the command.
Workaround: If you must use the autocomplete feature, do not use the tab key with the cursor at the beginning of the command.
|
CSCsh74595
|
The TraceFileCount property accepts a value greater than 100.
Symptoms: The TraceFileCount property does not throw an error message with a value greater than 100, when you save or validate.
Conditions: This condition occurs when you set a value greater than 100 to TraceFileCount property and save or validate it.
Workaround: None.
|
CSCsk05177
|
Ambiguous error message when setting an invalid value for BackingStoresyncinterval.
Symptoms: An ambiguous error message, similar to, Set to a valid number greater than 0 appears when you set an invalid value for BackingStoresyncinterval.
Conditions: This error message appears when you set a value lower than 4294967295 (2 ^ 32 - 1) for BackingStoresyncinterval.
Workaround: You must set a value greater than 4294967295 for BackingStoresyncinterval.
|
CSCsl06146
|
The ExecPrefixRule script succeeds for users with invalid prefix.
Symptoms: The ExecPrefixRule script accepts packets for processing even when the username has an invalid prefix.
Conditions: This condition occurs when you use the ExecPrefixRule REX script in Cisco AR.
Workaround: None.
|
CSCsl35492
|
Cisco AR 4.1.3 to Cisco AR 4.1.4 upgrade does not update MaxItemsToRollAtATime.
Symptoms: Following an upgrade from 4.1.3 to 4.1.4, the property values for MaxItemsToRollAtATime in logfilebackingstore and logfilepacketbackingstore objects of the mcd file are not updated.
Condition: This condition occurs when you upgrade Cisco AR 4.1.3 to Cisco AR 4.1.4.
Workaround: Modify the MaxItemsToRollAtATime property value in the mcd file manually.
|
CSCsm02635
|
Cisco AR 4.1.3 on Linux fails and generates a core file.
Symptoms: The RADIUS process generates a core file when Cisco AR fails.
Conditions: Not all conditions are known as yet. This condition is seen with Cisco AR 4.1.3 on Linux with 30 remote servers and 8 connections per server. Causes memory usage of 3 GB.
Workaround: Reduce the number of connections per remote server.
|
CSCsm25220
|
Cisco-AVPair attributes missing in ttls-mschapv2 authentication.
Symptoms: Multiple Cisco-AVPair attributes included in user attributes do not get passed in Access-Accept packet using ttls-mschapv2 authentication.
Conditions: Occurs with ttls-mschapv2 authentication.
Workaround: Configure the values to be sent in Cisco-AVPair as different string attributes under the user's profile. For example, for two attributes X and Y under /Radius/Advanced/Attribute Dictionary of type string, you need to configure the attributes with the values you want to assign to Cisco-AVPair under the user profile as:
Attributes/
X="Value for first instance of Cisco-AVPair"
Y="Value for second instance of Cisco-AVPair"
These will be cached during user authentication and will be present in the outgoing Accept packet.
|
CSCsm46165
|
In TCL extension environment, the Windows-Domain-Groups variable is limited to 8192 characters.
Symptoms: TCL extension is not capable of handling the Windows-Domain-Groups variable longer than 8192 characters.
Conditions: This issue occurs when authenticating Cisco AR users through a domain-auth type service. This limitation is not found when using the REX script.
Workaround: You can use either of the following workarounds:
•Increase the number in tcl.h file to some reasonable figure, such as, 12,288.
•Use REX script instead of TCL.
|
CSCsm57325
|
Does not suppress a specific log message on dropping a packet upon timeout.
Symptoms: The following error message is printed many times:
01/30/2008 3:32:26 name/radius/1 Error Server 0 Packet being dropped because Remote Server WAP_Gateway (A.B.C.D) has not responded in 1 tries, but Remote Server seems to still be active
Conditions: This condition occurs when you use a remote RADIUS server that is slow in responding to the requests.
Workaround: None.
|
CSCsm71038
|
The ExecSuffixRule script fails to remove some attributes from request dictionary.
Symptoms: The ExecSuffixRule script does not remove Suffix, StripSuffix, and StripPrefix attributes from request dictionary.
Conditions: This condition occurs when you use Cisco AR Policy Engine in a proxy scenario.
Workaround: None.
|
CSCsm71603
|
Changing username through the GUI causes database corruption in slave Cisco AR server.
Symptoms: Users are lost from the user list on slave server.
Conditions: This database corruption occurs in the slave server when you change the username for an existing user through the GUI. After you change the username through the GUI, when you list the users through the GUI or the CLI, the system lists the users above the user whose username was changed. This does not occur when you change the username through the CLI.
Workaround: You can use either of the following workarounds:
•Change the username through the CLI.
•If GUI must be used, instead of editing the username, delete the user and then add the user again with the new username.
|
CSCsm98155
|
Digest Response Mismatch for devices with password ending in 00.
Symptoms: Digest response does not match for devices that have 00 at the end of their binary password.
Conditions: This mismatch occurs when Cisco AR uses LDAP Digest Authentication, and LDAP remote server is assigned a binary password that ends with 00.
Workaround: None.
|
CSCsm99801
|
Cisco AR suspends operation during traffic bursts of 900-1000 tps.
Symptoms: Cisco AR server stalls when the incoming traffic rate goes above 900 to 1000 tps.
Conditions: This condition occurs when the incoming traffic rate goes above 900 to 1000 tps. Further, it does not process packets even after the traffic levels are reduced.
Workaround: You can use either of the following workarounds:
•Run the server at reduced traffic levels.
•Configure the MaximumIncomingRequestRate or MaximumOutstandingRequests property under /Radius/Advanced to limit the incoming traffic.
|
Known Anomalies in Cisco AR 4.1.4
Table 26 lists known anomalies in Cisco AR 4.1.4:
Table 26 Known Anomalies in Cisco AR 4.1.4
Bug
|
Description
|
CSCei28524
|
Unset done to LDAPTo*Mappings is not saved during concurrent use.
Symptoms: Unset done on LDAPToRadiusMappings is not saved.
Condition: This occurs when you are running multiple aregcmd sessions and editing the LDAPToRadiusMappings of the same LDAP remote server.
Workaround: Edit the mappings using only one aregcmd session.
|
CSCei40188
|
LDAP server does not show some parameters after doing a concurrent save.
Symptoms: The configuration of a remote LDAP server does not show some parameters after concurrent save, but no data loss occurs.
Conditions: This might occur when two aregcmd sessions edit the same LDAP server concurrently.
Workaround: Ignore the missing parameters, or use only one aregcmd session to modify remote LDAP server parameters.
|
CSCse38053
|
aregcmd reports an error after you edit a client object using the GUI, then save the configuration using the aregcmd command save.
Symptoms: aregcmd reports the following error:
"The following errors were found and must be corrected before saving:
/Radius/Clients/localhost/DynamicAuthorizationServer/DynamicAuthSharedSecret: Value not set.
/Radius/Clients/localhost/NotificationProperties/NotificationAttributeGroup: Value not set.
Conditions: The problem occurs when you do the following:
1. Log in to aregcmd and change directory to /Radius/Clients/localhost.
2. Log in to the GUI and select Configure > Clients to display all configured clients.
3. Using the GUI, choose localhost. to detailed information and do the following:
a. Click the Enable Dynamic Auth Server checkbox.
b. Click the Enable Notifications checkbox.
c. Set the Notification group to default.
4. Click Submit.
5. In the aregcmd session, enter the save command.
Workaround: Log in to aregcmd after you click Submit on the GUI to save configuration changes made to clients.
|
CSCse40151
|
When using the GUI to add users, an error occurs when adding users in a specific order.
Symptoms: The GUI occasionally reports an internal exception error when adding a user.
Conditions: This might occur when you add users continuously in reverse alphabetical order.
Workaround: Try to add users in alphabetical order according to their user ID.
|
CSCse45392
|
The SNMP Agent is not sending the carServerStop trap when stopping the Server Agent.
Symptoms: The Cisco AR server occasionally fails to send the carServerStop trap when the server has been stopped.
Condition: This might occur when you attempt to stop the Cisco AR server.
Workaround: When stopping the Cisco AR server using arserver stop, the SNMP process will also go down. When SNMP processes go down properly, the Cisco AR server will send nsNotifyShutdown. When the Cisco AR server sends the nsNotifyShutdown trap with ColdStart, this implies that the Cisco AR server has gone down.
|
CSCse69411
|
aregcmd segmentation fault occurs when using the Tab key from home position after entering a command.
Symptoms: aregcmd gives a segmentation fault and exits.
Condition: This occurs in an aregcmd session after you issue the command cd /Radius, then move the cursor to the beginning of the line and press the Tab key.
Workaround: After typing a command, use the Backspace key to move the cursor backwards. Do not use the Home or arrow keys.
|
CSCse69600
|
Default port for RemoteServer is incorrect when you change an existing RemoteServer type from LDAP to RADIUS.
Symptoms: The default port numbers given for RADIUS remote server is different than the standard port numbers.
Condition: This occurs in aregcmd, when changing the protocol type of existing remote server from LDAP to RADIUS.
Workaround: When you change the type of an existing RemoteServer, change the port numbers manually to standard ports, 1812 (or 1645) for authentication and 1813 (or 1646) for accounting.
|
CSCse92076
|
Too many data source connections on Linux causes a hang on reload with tracing.
Symptoms: The RADIUS server hangs after a reload command is issued on a RHEL 4.0 machine.
Conditions: This might occur if tracing is enabled and the number of data source connections for an LDAP remote server is changed from an excessively large number to a small number.
Workaround: Do not set the number of data source connections to large values. In many cases this will lead to poorer performance.
|
CSCsf14072
|
Inconsistent statistics.
Symptoms: Under heavy load, the counter totalResponses might be slightly low.
Conditions: This might occur under heavy load.
Workaround: The sum of the counters for the different response types will give an accurate figure.
|
CSCsh59354
|
GUI session becomes view-only after validation fails for view-only properties.
Symptom: The GUI session is switched to view-only mode.
Condition: This occurs when the Cisco AR server is configured with only one administrator, and you attempt to change the ViewOnly property of that administrator in the GUI.
Workaround: Create additional administrator accounts before trying to modify your only administrator to view-only.
|
CSCsh94492
|
The Cisco AR server occasionally fails to start if Kernel File Descriptor count is less than 1024.
Symptoms: Occasionally the Cisco AR server fails to start and displays the following message in name_radius_1_log:
"02/23/2007 5:46:37 name/radius/1 Error System 0 wanted to set RLIMIT_NOFILE to 1024, max is
256
02/23/2007 5:46:39 name/radius/1 Error System 0 Server did not start properly, shutting
down"
Condition: This occurs when setting kernel file descriptor count property to a value less than 1024.
Workaround: Set the kernel file descriptor count property to 1024.
|
CSCsi58070
|
SessionKeyLookup feature uses default session manager when queried session is present in pending removal cache.
Symptoms: Cisco AR uses a default session manager to update or create the session when doing a lookup.
Conditions: This occurs when the session being looked up by an Ascend-IPA-Allocate request is present in pending removal cache.
Workaround: Set the pending removal delay to zero in the cache resource manager.
|
CSCsj07025
|
Remote server statistics is not in sync with global statistics.
Symptom: Statistics might show that totalRequestsPending at oracle remote server is greater than totalPacketsInUse at the global statistics.
Conditions: This occurs with the Cisco AR server is running at an optimum load.
Workaround: None.
|
CSCsj91620
|
Unable to release certain sessions.
Symptom: You might encounter conditions in which user sessions are not properly logged out. If per-user session limits are used, affected users might eventually be unable to connect. Use the release-sessions command to check for this. The output will look something like the following:
Evidence of this can be found when running the release-sessions command. If affected, output will be similar to the following:
release-sessions /radius with-User user1@cisco.com
Released 1 session(s) with-User user1@cisco.com for /Radius/SessionManagers
release-sessions /radius with-User user1@cisco.com
Released 1 session(s) with-User user1@cisco.com for /Radius/SessionManagers
query-sessions /radius
Sessions for /Radius/SessionManagers/SessionLM:
S2 Key: 10.0.0.1, NAS: 192.168.0.1, NAS-Port: 0, User-Name: user1@cisco.com, Time:
510:09:24
Conditions: This is an intermittent issue that occurs under normal operating conditions with normal traffic and does not appear to affect all accounts.
Workaround: Enter the release-session command repeatedly to (eventually) release the session. Releasing the sessions using the GUI might occasionally work.
Older sessions can be prevented from running into this by using the Session Manager's Session Timeout property.
|
CSCsk04726
|
Sessions of a deleted session manager are not removed from backingstore.
Symptoms: Log message is printed for every reload:
Session from removed/unknown session manager recovered from backing store. Session x is
being discarded.
Condition: This occurs after a Session Manager has been created, but the session was deleted or renamed.
Workaround: This problem does not affect the operation of the Cisco AR server. Each time the Cisco AR server does a reload, it will do extra processing to read these sessions from disk, then discard the sessions, also freeing the disk space.
|
CSCsl07276
|
After killing the RADIUS process, logins to aregcmd fail.
Symptom: aregcmd login fails with license error.
Conditions: This only happens after you use the command kill -9 to kill the RADIUS process, but it does not occur on all devices.
Workaround: As a root user, login using aregcmd -C <local>. Then restart the Cisco AR server using the arserver restart command.
|
CSCsl16760
|
Global TCL procedures not available after you configure more than 25 TCL scripts.
Symptom: Cisco AR server has several TCL script files configured. Beyond a certain number of scripts, procedures from one script file might not be accessible by another script file.
Conditions: This occurs when you have more than 25 TCL script files configured, and they use common procedures written in a global TCL script file.
Workaround: Put an include statement into the script files to access the common procedures in the global TCL file.
Further Problem Description: This anomaly occurred where the Cisco AR server was using one TCL script with common procedures used by many roaming partner-specific TCL scripts.
A global TCL script containing the common procedures is configured within AR. Among common procedures, it also defines a global ARRAY into which information about all roaming partners is fed. All roaming partner-specific scripts call a common procedure to introduce details about the roaming partner into the common ARRAY.
|
CSCsl29283
|
Authentication passed even though the policy engine failed.
Symptom: Authentication is done even when policy engine fails.
Conditions: This occurs in both ExecRealmRule and ExecSuffixRule when the rules are grouped with & character. and at least one rule is matched, but the policy has failed.
Workaround: None.
|
CSCsl29318
|
Policy engine rules ExecRealmRule and ExecSuffixRule using the question mark (?) in regular expressions not working properly.
Symptom: Both ExecReamRule and ExecSuffixRule match realms and suffixes that they should not match and behave similar to specifying a wild card.
Conditions: This occurs when the question mark is used as the first character in the ExecReamRule or ExecSuffixRule.
Workaround: None.
|
CSCsl29318
|
After a fresh install, you cannot login to aregcmd.
Symptom: After a fresh install of Cisco AR 4.1.4, you cannot login to aregcmd. The following error message displays:
Login to cluster 'localhost' failed
Conditions: This occurs intermittently after a fresh install of Cisco AR 4.1.4 on a Sunfire V100 server.
Workaround: Restart the Cisco AR server processes.
/opt/CSCOar/bin/arserver restart
|
Anomalies Fixed in Cisco AR 4.1.4
Table 27 lists anomalies fixed in Cisco AR 4.1.4.
Table 27 Anomalies Fixed in Cisco AR 4.1.4
Bug
|
Description
|
CSCsi80105
|
Session management using high memory.
Symptom: High growth in memory occurs while using session management and identity caching.
Conditions: This occurs under normal operation conditions while using session management with identity caching.
Workaround: None.
|
CSCsj80430
|
A server reload takes hours when using hundreds of class C client ranges.
Symptom: A server reload takes hours when using hundreds of class C client ranges.
Conditions: When a large number of clients are defined with a Class C subnet, reload from aregcmd takes hours. Tests with around 600 clients (600 class C subnets) took several hours to complete the reload.
Workaround: None.
|
CSCsj84036
|
Session magic number should not be updated upon retries.
Symptom: Session magic gets incremented incorrectly and causes the Accounting-Stop to be rejected.
Conditions: This occurs when there is a retry for the original Access-Request after the response was sent for the first request.
Workaround: Enable the Advanced Duplicate Detection feature under /Radius/Advanced to handle the retries.
|
CSCsk28758
|
Using LDAP or ODBC as an authentication service with EAP-TTLS causes a validation error.
Symptom: aregcmd save will fail validation when using EAP-TTLS and setting the authentication service as LDAP or ODBC.
Conditions: This occurs when you are using EAP-TTLS with LDAP or ODBC.
Workaround: Export the configuration using mcdadmin. Manually set authentication service under EAP-TTLS to ODBC or LDAP. Import the configuration.
|
CSCsk32120
|
ExecRealmRule and ExecSuffixRule need to be case-sensitive.
Symptom: ExecRealmRule and ExecSuffixRule need to be case-sensitive.
Conditions: The rules need to be enhanced to make it flexible to configure case-based realm matching.
Workaround: None.
|
CSCsk63199
|
Packet leak when User-Group is configured as "- -" for an LDAP service.
Symptom: The Cisco AR server stops processing packets and the retried packets are also dropped due to packet leak.
Conditions: This occurs only when the User-Group is set as "--" in a TCL script and configured the same way for the incoming scripting point.
Workaround: None.
|
CSCsk75956
|
The ODBC RemoteServer does not go down after a timeout occurs.
Symptom: After being moved to inactive status, ODBC RemoteServer is not coming back to an active status, even after the ReactivateTimerInterval is over.
Conditions: This occurs under normal operating conditions after a time-out.
Workaround: Reload the Cisco AR server to force the RemoteServer to become Active again.
Further Problem Description: In the trace file, the following messages will be found for successive requests, even after the ReactivateTimerInterval is finished.
Service <service_name>: Remote Server <remote_server_name> is not active
Remote Server List (<service_name>): No active servers found for this service, processing
packet based on the OutagePolicy for this service.
|
CSCsk78303
|
Format of fixed length tunnel attributes wrong.
Symptom: BRAS rejects tunnel attributes sent from the Cisco AR server.
Conditions: This occurs when you use fixed-length tunnel attributes, such as the tunnel-medium-type with tag0.
Workaround: Try using other tag values, if possible.
|
CSCsk92381
|
Cisco AR 4.1.3 crashes when processing a response from a DNS request.
Symptom: When processing a response from a DNS request on a DDNS server, the Cisco AR server crashes with message:
P1000: Processing response from DDNS (10.0.0.1) to proxy request P900 *** 'an_dns.c':1929
ASSERTION 'buf != 0 && blen > 0' failed
Conditions: This has been seen on Cisco AR 4.1.3 when the DNS server uses TSIG keys for zone.
Workaround: Only use the RFCs supported by Cisco AR 4.1 for DDNS update: RFC 2136 and RFC 2845. RFC 3007 is not supported.
|
Anomalies Fixed in Cisco AR 4.1.3
Table 28 lists anomalies fixed in Cisco AR 4.1.3.
Table 28 Anomalies Fixed in Cisco AR 4.1.3
Bug
|
Description
|
CSCsd58399
|
Client NetMask Property should use the subnet pool as customary.
Symptoms: The value configured for the IPAddress property is used as the start address of the subnet pool representing the clients being grouped.
Conditions: When Client object's NetMask property is used along with the IPAddress property for grouping of Clients.
Workaround: Configure Client object's IPAddress property to correctly represent the start address of the subnet pool of clients being grouped.
|
CSCsd97527
|
Need to support Replication when Cisco AR is configured through the GUI.
Symptoms: Data is not replicated from Master server to Slave server when configuration changes are done using the GUI.
Conditions: This occurs when configuration changes are done through WebUI on Master server.
Workaround: Use aregcmd for configuration when replication is configured.
|
CSCse30761
|
arservagt crashes with Solaris 8 and Solaris 9 stress test.
Symptoms: All Cisco AR server processes go down.
Condition: This might occur when the server is stressed with incoming traffic and there are multiple aregcmd sessions going on in parallel.
Workaround: None.
|
CSCse38933
|
Internet Explorer reports an error when help opened for two Cisco AR servers.
Symptoms: Internet Explorer reports the following error message when opening the Help from the GUI:
A Runtime error has occurred. Do you wish to debug?
Condition: This occurs when you do the following:
1. Open two Internet Explorer sessions and log in to two different Cisco AR servers.
2. Open the help window of one of the GUI sessions.
3. Open the Help window of the other GUI session.
Workaround: Do not open Help windows of two different Cisco AR servers using Internet Explorer.
|
CSCse47926
|
In RHEL 4.0, the Cisco AR software installation fails when /cisco-ar directory is present.
Symptoms: Installation fails in RHEL 4.0 with the error message: "openssl utility not found; unable to generate certificate /opt/CSCOar/bin/arserver: line 78: [: too many arguments"
Condition: This occurs when the directory /cisco-ar is already present in the system.
Workaround: Remove the /cisco-ar directory and do the installation again.
|
CSCse55770
|
The installation process does not report an error when given an empty license file.
Symptoms: The install process does not report an error message when given an empty license file. The Cisco AR server failed to start after the installation.
Condition: This occurs when you provide an empty license file when the installation process asks for a license.
Workaround: During software installation, provide the location of a valid license file when the installation process asks for it.
|
CSCse57633
|
No error message if send-notifications indicator is misspelled.
Symptoms: Incorrectly spelled send-notification directives in a release-sessions command are ignored.
Conditions: This will occur if send-notification is misspelled.
Workaround: Spell all arguments to the release-sessions command correctly.
|
CSCse70459
|
Cisco AR server rejects the RADIUS query when a record is present in pending removal cache.
Symptoms: Cisco AR server rejects the RADIUS query when cached record is present in pending cache (after session is released and before pending removal delay elapsed).
Condition: This might occur when a cached session record is present in pending cache.
Workaround: In query-service outgoing scripting point add a script which checks whether the response dictionary contains any one of the AttributesToBeReturned, then set the Response-Type environment variable to Accept.
|
CSCse80958
|
Cisco AR server disconnects from the Remote Agent when the authentication fails with NTError 1168.
Symptoms: The Cisco AR server disconnects from the Remote Agent.
Conditions: When the username had a @domain part in it and an invalid password was used (this was observed on a setup with Win2003 over VMWare).
Workaround: Strip the @domain part from the username using a script.
|
CSCsf06876
|
Segmentation fault in aregcmd when syslog message length exceeds 1024 bytes.
Symptoms: Segmentation fault in aregcmd when command length exceeds 1024 bytes.
Conditions: This occurs when syslog is enabled.
Workaround: None.
|
CSCsf67197
|
If trace is on, trace will stop at 2GB. To rerun trace, reload is required.
Symptoms: If trace file is enabled on Cisco AR, the trace file will stop writing after reaching the 2 gigabytes threshold. To be able to run trace again, you must reload the Cisco AR server.
Conditions: This occurs if the trace file is enabled and reaches 2 gigabytes in size and trace is rerun.
Workaround: None.
|
CSCsf99322
|
ODBC backing store eats HDD space.
Symptom 1: When there is a constant load on the server, the backing store files in /cisco-ar/data/radius grows consistently and the disc clean up operation happens rarely. This depletes the hard disk at some point of time.
Symptom 2: /cisco-ar/data/odbc grows beyond the configured MaximumBufferFileSize.
Conditions for Symptom 1:
When the server is very busy in packet processing (more tuned to session management), it writes the session records to the backing store in /cisco-ar/data/radius directory. When the traffic is high, the backing store will hardly get a chance to clean up this directory. So this condition could potentially pile up large number of files and might deplete the hard disk.
Conditions for Symptom 2:
Configure ODBC-Accounting Service and its associated remote servers with BufferAccountingPackets set to TRUE. This will enable the Packet Backing store. And configure the limit of backing store with MaximumBufferFileSize property. Generate constant influx of accounting packets without any pause in the incoming traffic and in parallel the packets have to be drained to oracle database. This scenario will make the backing store thread suffer from getting a chance to prune the log files.
Workaround: For ODBC accounting, disable the packet backing store to avoid depletion of disk space in the above mentioned scenario provided the oracle connections are deemed to be stable. This can be done by setting the property BufferAccountingPackets to FALSE.
Further Problem Description: Per the design, the backing store does the house keeping whenever there is a pause in its incoming work traffic. As part of the house keeping work it removes unwanted disk files and rolls forward the disk files. If there is constant incoming traffic, the backing store might keep accumulating the disk files, pushing the clean up work to the future (hoping there would be a pause). In reality so far this assumption holds very good. The fact that we have not heard a compliant for years on the backing store is an evident.
In ODBC accounting, the consistent draining of accounting packets pulls down the buffer file size logically from reaching the MaximumBufferFileSize, but not physically. Since, the drained packets are also written into the backing store (this will consume some disk space as well) as deleted packets. The ADD + DELETE record pair for each packet gets pruned only when there is no accounting pending requests. It is assumed that even an high end ISP network might not pump accounting packets continuously forever without giving a break and prevail an environment for this problem to surface.
|
CSCsg10119
|
Cisco AR username memorized in a session always in lowercase.
Symptoms: Session is not getting released.
Conditions: When the logging in user-name has a difference in the case (upper or lower alphabets) with the actual name stored in the LDAP remote server.
Workaround: Use the exact user-name text during logging in as is stored in the LDAP Directory.
|
CSCsg11346
|
aregcmd hangs while reload, when configured with more than 100,000 client IP addresses.
Symptoms: aregcmd is hanging, when configured with more than 100,000 client IP addresses.
Conditions: When you try to configure more than 100,000 client IP addresses, aregcmd hangs during a reload. For each client IP address configured, the Cisco AR server will try to create an internal client object. When we issue reload command from aregcmd, it is trying to create 100,000 internal client objects and taking such a very long time (hanging).
Workaround: Re-configure the client IP addresses to the exact required number and decrease the number of client IP addresses.
|
CSCsg17943
|
Cisco AR using the openssl0.9.7c which is vulnerable to RSA Signature forgery.
This DDTS is included in Cisco Security Response "Multiple vulnerabilities in OpenSSL library" published at:
http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
Summary:
This is the Cisco PSIRT response to the multiple security advisories published by The OpenSSL Project. The vulnerabilities are as follows:
* RSA Signature Forgery (CVE-2006-4339), described in
http://www.openssl.org/news/secadv_20060905.txt
* ASN.1 Denial of Service Attacks (CVE-2006-2937, CVE-2006-2940), described in:
http://www.openssl.org/news/secadv_20060928.txt
* SSL_get_shared_ciphers() buffer overflow (CVE-2006-3738), also in:
http://www.openssl.org/news/secadv_20060928.txt
* SSLv2 Client Crash (CVE-2006-4343) also in
http://www.openssl.org/news/secadv_20060928.txt
As of this publication there are no work arounds available for any of these vulnerabilities but it might be possible to mitigate some of the exposure.
This Security Response lists the status of each product or application when considered individually. However, in cases where multiple applications are running on the same computer, a vulnerability in one application or component can compromise the entire system. This compromise can then be leveraged against applications that would otherwise be unaffected. Therefore, users must consider all applications when determining their exposure to these vulnerabilities. Cisco strongly recommends that customers update all vulnerable applications and components to provide the greatest protection from the listed vulnerabilities. Cisco will update this document in the event of any changes.
|
CSCsg19902
|
Worker threads timing and packet reordering issue.
Symptoms: The Cisco AR server reallocates an IP address that is already in use.
Conditions: In a roaming scenario, Cisco AR receives and processes requests out-of-order.
Workaround: Using an outgoing script, generate unique class attribute and send it in the Access-Accept packet. Using an incoming script verify if the subsequent accounting packets have the same class attribute before processing it. Note that the two scripts should incorporate mechanism to manage and share the generated class attribute values among them.
|
CSCsg22938
|
Tunnel attributes with tag0 with the type TAG_STRING are not decoded.
Symptoms: When there is a tunnel attribute defined under users, it is not translating the attribute name properly.
Conditions: This can be reproduced by the following commands:
cd /r/userlists/default/bob/attributes/
set Tunnel-Client-Endpoint_tag0 10.1.1.24
set Tunnel-Server-Endpoint_tag0 10.44.33.22
save
On radclient:
simple bob bob
p001
p001 send
10/30/2006 7:46:39: P177: attribute-66 = 10.1.1.24
10/30/2006 7:46:39: P177: attribute-67 = 10.44.33.22
Set an attribute on radclient:
simple bob bob
p001
p001 set attrib [attrib Tunnel-Client-Endpoint_tag0 "10.11.12.13" ]
p001 send
Access-request trace:
10/30/2006 7:38:01: P132: NAS-Port = 1
10/30/2006 7:38:01: P132: NAS-Identifier = localhost
10/30/2006 7:38:01: P132: attribute-66 = 10.11.12.13
Access-accept trace:
10/30/2006 7:46:39: P177: attribute-66 = 10.1.1.24
10/30/2006 7:46:39: P177: attribute-67 = 10.44.33.
Workaround: Change the attribute's type from "TAG_STRING" to "STRING" in the attribute dictionary.
set "/Radius/Advanced/Attribute Dictionary/Tunnel-Client-Endpoint_tag0/Type" STRING
|
CSCsg33546
|
arserver script wrong when checking used ports.
Symptoms: The Cisco AR server might report that the GUI ports are in use if some application runs on the ports that ends with 8080, such as: 18080, 28080, or 38080.
Conditions: This occurs under normal operations.
Workaround: It is not recommended to run any other applications, if it is not really required. So we could stop the other application which is running on x8080 port numbers.
|
CSCsg42204
|
The Cisco AR server cores when configured wrong CertificateDBPath.
Symptoms: RADIUS process continuously cores.
Conditions: This occurs when configuring a wrong certificate db path in /Radius/Advanced.
Workaround: Configure the correct path.
|
CSCsg53469
|
Session and PacketBackingStoreSyncInterval do not work.
Symptoms: Modifying the values for SessionBackingStoreSyncInterval and PacketBackingStoreSync-
Interval will not take effect.
Conditions: This occurs under normal operations.
Workaround: None.
|
CSCsg72657
|
UserPasswordAttribute is not checked properly.
Symptoms: Inconsistency in mapping oracle table field with UserPasswordAttribute.
Conditions: This occurs when there is more than one column having the name password embedded in the field name, like password, bin_password, Tagged_Password.
Workaround: Do not used the term 'Password' for more than one field in any combinations.
|
CSCsg74527
|
In Linux, the Cisco AR server sends invalid port numbers in Ascend-Data-Filter attribute.
Symptoms: Router complains about inconsistency in the port numbers used with ACL commands from Ascend-Data-Filter attribute.
Condition: this occurs when Cisco AR is running the Linux platform.
Work around: The problem is due to the Linux platform using host byte ordering and Cisco AR has missed to catch this only in the source and the destination port part of the Ascend-Data-Filter's binary data. The problem could be worked around by running an REX script which performs the htons() operations on the port numbers at the Server Outgoing scripting point.
|
CSCsg76501
|
Problem in mapping, if more than a LDAP attribute points to the same RADIUS attribute.
Symptoms: LDAP to RADIUS mappings are overwritten.
Conditions: This occurs when more than one LDAP field is mapped to a single RADIUS attribute.
Workaround: Either we could use multi-valued LDAP Field to get this implemented or we should not try to map different LDAP field with same RADIUS attribute.
|
CSCsh28215
|
Message-authenticator added while proxying Prepaid Initial authentication request.
Symptoms: Message-Authenticator gets erroneously added while proxying.
Conditions: The proxy packet is a prepaid (is835c) initial authentication request.
Workaround: None.
|
CSCsg51584
|
lastRequestTime in stats output not updated for RADIUS remote server.
Symptoms: The lastRequestTime of the aregcmd command stats output always displays "<no requests have been received>" even when confirmed requests were sent.
Conditions: For a RADIUS remote server, the lastRequestTime is never updated when the trace shows a packet being sent. Also, the display seems backwards since a request would be sent, not received, through a remote server.
Workaround: None.
|
CSCsg78135
|
EAP-GTC does not work with encrypted LDAP passwords.
Symptoms: EAP-GTC does not work with encrypted LDAP password.
Conditions: This has been observed using CiscoWorks Wireless Lan Solution Engine Express with embedded AAA server and all wireless clients.
Workaround: Using non-encrypted passwords on LDAP is working fine. If accepted, can be considered as a workaround.
|
CSCsg81375
|
EAP-GTC does not work with encrypted LDAP passwords.
Symptoms: EAP-GTC does not work with encrypted LDAP password.
Conditions: This has been observed using CiscoWorks Wireless LAN Solution Engine Express with embedded AAA server and all wireless clients.
Workaround: Using non-encrypted passwords on LDAP is working fine. If accepted, can be considered as a workaround.
|
CSCsh28957
|
In Linux, Multi-CPU check has issues.
Symptoms: In a single processor linux machine, if CAR doesn't have a multiple CPU license, then aregcmd command utility throws the following warning message after every 10 command execution from the configuration utility (aregcmd).
=======================================
LICENSE WARNING: The server is running on a multiprocessor machine without appropriate
license.
=======================================
Conditions: Cisco AR 4.x on RHEL.
Workaround: None. The LICENSE WARNING message will not affect the normal operation.
|
CSCsh52795
|
openssl taking rehash-ca-certs from the older version(openssl-0.9.7c).
Since we have upgraded to openssl-0.9.7l, rehash-ca-certs should be used from openssl-0.9.7l. It currently uses openssl-0.9.7c'c rehash-ca-certs.
|
CSCsh77419
|
Session lost while reloading with backing store having too many files.
Symptoms: Session lost upon reload.
Conditions: This occurs when there are too many files in the backing store (/cisco-ar/data/radius).
Workaround: None.
|
CSCsh96608
|
After running stress stats shows totalPacketsInUse greater than 0 without load.
Symptoms: totalPacketsInUse shows wrong values.
Condition: Occasionally this issue pops up, when there is a consistent stress on the server and might happen often when the remote servers configured are slower in sending responses.
Workaround: None.
|
CSCsi20086
|
SNMP library might cause RADIUS core dumps in Linux machine.
Symptoms: RADIUS occasionally cores in Linux machine.
Conditions: SNMP is enabled and a server reload.
Workaround: One possible option is to disable SNMP.
|
CSCsh96626
|
SNMP based remote server statistics are not getting updated for LDAP and ODBC.
Symptoms: SNMP based remote server statistics are not getting updated for LDAP and ODBC.
Conditions: This occurs Under normal operations.
Workaround: None.
|
CSCsh64336
|
RADIUS process fails to start when having client name with 256 characters.
Symptoms: When client name exceeds 256 characters, RADIUS stops.
Conditions: This occurs under normal operations.
Workaround: Client name should be given less than 256 characters.
|
Anomalies Fixed in Cisco AR 4.1.2
Table 29 lists anomalies from earlier releases of Cisco AR that have been fixed in Cisco AR 4.1.2.
Table 29 Anomalies Fixed in Cisco AR 4.1.2
Bug
|
Description
|
CSCei11177
|
xtail is missing from the Linux version of Cisco AR.
Symptoms: Administrator cannot find the xtail utility.
Conditions: The administrator is running the linux version of AR.
Workaround: Use other utilities such as tail, or download and compile your own xtail.
|
CSCei28338
|
Query-Mapping of Session-cache ResourceManager needs XML mapping validation.
Symptoms: XML QueryMapping validation error is not displayed due to wrong format.
Conditions: In a session-cache ResourceManager, QueryMappings are configured to map XML attributes to other than QueryKey RADIUS attribute with RADIUS attribute at left hand side and XML at right hand side.
Workaround: Use proper configuration.
|
CSCsc58833
|
Overloaded remote server causes packet drops in Cisco AR.
Symptoms: Cisco AR server acting as RADIUS proxy is dropping requests.
Conditions: Remote server does not respond to some requests, including their retransmissions.
Workaround: Increase the number of retransmissions.
|
CSCsd25783
|
View-only administrator can set trace level.
Symptoms: View-only administrators are able to change trace levels from the GUI.
Conditions: This might occur when a view-only administrator uses the GUI.
Workaround: Instruct view-only administrators not to modify the trace levels.
|
CSCsd43469
|
Crash while releasing many sessions with send-notification.
Symptoms: The RADIUS server crashes after you run the release-sessions /radius all send-notifications command. The RADIUS server is then restarted.
Conditions: This might occur if there are more than 400 sessions to be released and the sessions have multiple queried clients.
Workaround: Use options for the release-sessions command to release fewer than 400 sessions if there are multiple queried clients for the sessions.
|
CSCsd47468
|
Apply Filter session does not show the default userlists.
Symptoms: Members of a user or client list in the GUI are not displayed.
Conditions: This might occur if something was entered in the Show only userslists beginning with: field the last time the list was viewed.
Workaround: If members of a list are not visible, check the contents of the Show only field and clear this field, then click Apply.
|
CSCsd52110
|
install script throws err msg. when solaris machine has latest patch.
Symptoms: The Cisco AR installation script reports error messages like the following:
/opt/CSCOar/bin/aregcmd -f
/opt/CSCOar/examples/cli/delete-example-configuration.rc
chgrp: /opt/CSCOar/logs: Not owner
chgrp: /opt/CSCOar/logs: Not owner
chmod: WARNING: can't change /opt/CSCOar/logs
Condition: This occurs when you have installed Solaris 9 patch 113713 above revision 16 (such as 113713-18) or the Solaris 8 patch 110934 above revision 19.
Use the following command to determine the installed software version:
showrev -p | grep <patchno>
Workaround: Use the following Solaris patches:
•Solaris 9: 113713-16
•Solaris 8: 110934-19 and below
|
CSCsd56286
|
The trace command does not report an error when setting an invalid option.
Symptoms: Cisco AR server does not show information about the contents of a packet.
Conditions: when using trace command with invalid option like the following:
trace /r -5
trace /r 1-1
Workaround: Use trace command with valid options:
trace <server> <level>
|
CSCsd58031
|
Remote Server totalRequestsOutstanding counter shows a positive value with no activity.
Symptoms: The stats command shows a positive value for totalRequestsOutstanding counter with no server activity.
Condition: In a proxy to proxy scenario, a very large number of requests are sent to proxy machines.
Workaround: None.
|
CSCsd78789
|
Very low LDAP timeout causes erroneous LDAP abort messages.
Symptoms: An LDAP server is being marked down because Cisco AR reports it did not receive a response.
Conditions: The LDAP remote server has a timeout setting that is very low, probably between 1-5 seconds. In this case, it seems that the Cisco AR server is not able to process the LDAP responses before the timeout. This causes the remote server to be incorrectly marked as down. A sniffer trace of the LDAP messages will show a number of LDAP abort messages when the Cisco AR server marks the LDAP server down.
Workaround: Increase the timeout value until the Cisco AR server has enough time to process all responses.
|
CSCsd79525
|
Reload takes a long time with large IPA pools in Linux.
Symptoms: A server reload takes a long time to complete.
Conditions: Two or three 64K addresses are defined under an IPA pool Resource manager and there are some live sessions.
Workaround: None.
|
CSCsd88702
|
The RADIUS process dumps a core file when Parallel-AND or Parallel-OR is configured as the ResultRule in the service. Normally, when using Parallel-AND/OR Result Rule, the Cisco AR server will clone the packet before processing it. the Cisco AR server can only clone the packet when there are enough packets in the pool. The Cisco AR server fails when creating the nth clone packet and produces a core file.
Symptoms: RADIUS process dumps a core file when cloning packets.
Conditions: This might occur when Parallel-AND or Parallel-OR is configured as the ResultRule in the service.
Workaround: Change all instances of Parallel-AND or Parallel-OR services to AND or OR service respectively.
|
CSCse93819
|
Session resumption erroneously succeeds after a failed authentication.
Symptoms: Session resumption works erroneously and invalid users are also granted access.
Conditions: TLS Session caching is enabled. The client reuses the session ID from a previous failed authentication.
Workaround: Disable TLS session caching in the Cisco AR server by setting the property EnableSessionCache to FALSE under the appropriate EAP service.
|
CSCsd97424
|
AT_IDENTITY not handled properly.
Symptoms: AT_IDENTITY is not handled as described in RFC 4186, Section 4.2.7.
Conditions: This occurs when a pseudonym generated by a different RADIUS server is used, which is also not recognizable by the Cisco AR server.
Workaround: None.
|
CSCse07587
|
unset help does not indicate use with profiles, rules, or mappings.
Symptoms: The unset help for the Cisco AR command line interface does not indicate that unset might be used to unset values in profiles, rules, or mappings.
Conditions: This will occur if unset help is issued.
Workaround: Use the unset path/property to unset these values.
|
CSCse26176
|
User-Name environment variable set by rule not seen by LDAP service in PEAP/MSCHAPv2.
Symptoms: An LDAP server receives a lookup request for the original user name even though the User-Name environment variable is set to something different.
Conditions: During PEAP/EAP-MSCHAPv2 processing, the User-Name environment variable was set to override whatever is in the original request packet for the LDAP lookup.
Workaround: Add another script to the LDAP service's incoming scripting point that sets the environment variable again.
|
CSCse26194
|
PEAP/EAP-MSCHAPv2 password match fails with User-Name environment variable set.
Symptoms: PEAP/EAP-MSCHAPv2 says passwords do not match even when the correct password was entered.
Conditions: As part of request processing, a script takes the User-Name and changes it (removes a realm suffix) before user lookup.
Workaround: None.
|
CSCse31089
|
LDAP RemoteServer user password attribute dynamic.
Symptoms: LDAP RemoteServer userpassword attribute is not dynamic for CHAP Authentication. We would like to dynamically assign the userpassword attribute from a rex script or something similar.
Conditions: This occurs with users with CHAP authentication when their passwords are stored in clear text in a separate attribute than userpassword in LDAP.
Workaround: Separate RemoteServers for CHAP users.
|
CSCse34928
|
RADIUS reloads when releasing sessions.
Symptoms: The Cisco AR RADIUS process reloads.
Conditions: This occurs when the Cisco AR server is reloaded and sessions are released either by the release-session command or by an Accounting-Stop packet. The server should be run on Linux. There should be some orphan addresses created after reload.
Workaround: Clean up the backing s ore files and restart the Cisco AR server.
|
CSCse40398
|
Validation not performed on Action item fields while resurrecting.
Symptoms: The RADIUS process might allocate huge two GB or more of memory and dump core due to lack of system resources. The following error messages can be observed in the Cisco AR server log:
From name_radius_1_log:
05/31/2006 8:01:41 name/radius/1 Error System 0 Out Of Memory
05/31/2006 8:01:41 name/radius/1 Error Server 0 Packet Backing Store: Unable to resurrect
packets.
Conditions: This might occur when accounting is logged to Oracle through ODBC, buffering enabled, and the Oracle server is down.
Workaround: One should make sure the Oracle server is up and running if a large amount of Accounting packets are received. Additionally, you might consider disabling buffering accounting packets by setting BufferAccountingPackets = FALSE.
|
CSCec53453
|
Parse errors in replication messages.
Symptoms: The message "parse failed \<unknown user\>" appears in the log.
Conditions: This might happen when replication has been configured.
Workaround: Ignore these messages. The server should recover without intervention.
|
CSCsd49237
|
The RADIUS process restarted once during Solaris 9 stress tests.
Symptoms: The RADIUS process was restarted.
Conditions: This has only been observed on slower machines in a stress environment, when a response packet has an incorrect signature.
Workaround: None; the RADIUS server will be restarted automatically.
|
Anomalies Fixed in Cisco AR 4.1.1
Table 30 lists anomalies from previous releases of Cisco AR that were fixed in Cisco AR 4.1.1.
Table 30 Anomalies Fixed in Cisco AR 4.1.1
Bug
|
Description
|
CSCdw23443
|
Cisco AR server statistics do not count packets dropped by outage policies.
Symptoms: Some dropped packets are not being counted by Cisco AR stats. This is apparent when looking at the stats from aregcmd or SNMP.
Conditions: When packets are dropped by order of an outage policy.
Workaround: None.
|
CSCed03397
|
USR VSAs have incorrect format.
Symptoms: 3Com PDSN complains about the USR VSAs being returned to it from Cisco AR.
Conditions: Cisco AR is configured to use USR VSAs. Cisco AR uses the normal VSA format: type, length, vendor, vendor type, length, data instead of the USR format: type, length, vendor, vendor type, data.
Workaround: Use an extension point script to configure the USR VSAs.
|
CSCed12389
|
Attribute Text-Ascend-Data-Filter found in configurations upgraded to 3.5.0.3.
Symptoms: The attribute Text-Ascend-Data-Filter is present in configurations upgraded to Cisco AR 3.5 from previous versions.
Conditions: An upgrade to Cisco AR 3.5 from a previous version of Cisco AR is done.
Workaround: None.
|
CSCed82514
|
Remote server stats displayed for POD enabled clients.
Symptoms: The stats command displays remote server statistics for POD enabled clients.
Conditions: Clients with POD enabled exist in the configuration.
Workaround: None.
|
CSCed88582
|
Some trace messages need to be updated.
Symptoms: Some trace messages that are displayed during creation and sending of disconnect-requests are inaccurate.
Conditions: Disconnect requests are created and sent to clients.
Workaround: None.
|
CSCee88854
|
Unset 0 causes decrement of entry index in indexed lists.
Symptoms: Unset 0 causes the entry indices in indexed lists to be decremented by 1, and aregcmd segmentation faults on subsequent commands with valid indices.
Conditions: The unset command is used with index 0.
Workaround: Use the unset command with valid indices only.
|
CSCef07321
|
Query-sessions command with-Age with only units succeeds.
Symptoms: The query-sessions command succeeds when only units are specified with the with-Age option.
Conditions: The query-sessions command is invoked with only units specified with the with-Age option.
Workaround: None.
|
CSCef07329
|
No disconnect-NAK sent if proxied POD times out.
Symptoms: Cisco AR does not send a disconnect-NAK to the remote server if the disconnect-request forwarded to a client from the remote server times out.
Conditions: A disconnect-request forwarded to a client from a remote server times out.
Workaround: None.
|
CSCef34635
|
Problems with BADTIME log message.
Symptoms: A message appears in the log that a DNS update has been rejected due to BADTIME. This message states that the DNS and DHCP server times are identical.
Conditions: This might occur when updates are rejected due to time skews between the DNS and RADIUS systems. Note that the times are given in GMT format.
Workaround: Ignore the message which indicates that the times match. Use tracing to view the DNS Update message itself, which will indicate the time skew between the two machines.
|
CSCef54940
|
In Linux, Cisco AR starts in port 1812, but all port defaults show 1645.
Symptoms: aregcmd assumes default port values of 1645 and 1646.
Conditions: When services configuration specifies a RADIUS port value, RADIUS server takes it as default and listens there. But aregcmd will still show 1645 and 1646 as the default ports.
Workaround: None.
|
CSCef83845
|
CHAP request without CHAP-Challenge attribute not cached properly.
Symptoms: Trusted ID implicit authentication requests are failing when using CHAP.
Conditions: The identity was cached using a CHAP request that did not contain the CHAP-Challenge attribute. The implicit authentication request might or might not contain the CHAP-Challenge attribute.
Workaround: Always send the CHAP-Challenge attribute in the explicit authentication request or only use PAP.
|
CSCef90638
|
Cisco AR log files need to check log size at startup and roll if needed.
Symptoms: aregcmd log does not roll when it reaches the configured rolling size.
Conditions: The aregcmd log grows to a size that is larger than the LogFileSize property, but it does not roll.
Workaround: An aregcmd session must have 25 commands after reaching the roll size before the log will roll.
|
CSCef96916
|
When Algorithm is other than md5/md5sess, http-digest accept user.
Symptoms: User is accepted when an http-digest request is sent with Algorithm value other than MD5/MD5-sess.
Conditions: Sending an http-digest request with an unknown Algorithm value.
Workaround: None.
|
CSCeg36153
|
Number of entries in radiusAccServerTable is less than actual.
Symptoms: With SNMP, number of radiusAccServerTable entries are less than actual.
Conditions: Enabling SNMP and querying for radiusAccServerTable entries of RADIUS-ACC-CLIENT-MIB.
Workaround: None.
|
CSCeh00154
|
GUI displays only top of aregcmd log.
Symptoms: The GUI displays only the first 169 lines in the server command log (aregcmd_log) after the log rolls over.
Conditions: When looking at the server command log from the GUI (Monitor > Logs > Server CLI ARegCmd Log), only the start of the log file is displayed. This problem occurs only on Mozilla-based browsers such as Netscape 7.x or Firefox (not officially supported). The Internet Explorer browser works fine. It also occurs only after the aregcmd_log file has rolled over. Other long logs (such as server log file and trace log) display correctly.
Workaround: Use Internet Explorer to display the full server command log or access and display the log file from a Unix or Linux shell.
|
CSCeh04514
|
When deleting something that was already deleted, back is odd.
Symptoms: When trying to edit data fields in the GUI at the same time as another user, the GUI might give an error message and clear all data fields.
Conditions: When two users are editing the same data in the GUI and a user attempts to edit an object that the other user has already deleted, the user will get an error message and a link to return to the original record. When the user follows the link, all data fields in the object are cleared.
Workaround: Do not simultaneously edit and delete the same object from two different windows.
|
CSCeh25708
|
No values in drop-down lists after error when adding user.
Symptoms: After an error when adding a user from the GUI, all values in the drop-down lists for Profiles and A*scripts are blank when the user record is redisplayed.
Conditions: When adding or editing a user from the GUI and one or more values is entered incorrectly. After clicking the submit button, an error message is displayed (this is correct) and the user can use a back link to redisplay the record. If this link is followed, most selections in the Script and Profiles drop-down lists are now blank.
Workaround: Do not use the back link to correct the errors. Instead, return to the list view and re-add or edit the user from there.
|
CSCeh40071
|
aregcmd log file does not roll in Linux machines.
Symptoms: Server command logfile (aregcmd_log) does not roll over at the size specified by the LogFileSize property.
Conditions: This happens frequently on Linux and occasionally on Solaris. Other log files (such as config_mcd) roll over properly and a new log file is created when the indicated file size is reached.
Workaround: It might help to change the LogFileSize property to a different value (such as slightly greater than the current log file size) to allow another attempt at rollover.
If the server command log grows too large, stop the server, manually remove (or back up) the log file and restart the server.
|
CSCeh41879
|
View-only administrator can release sessions.
Symptoms: View-only administrator can release sessions.
Conditions: User logs-in as a view-only administrator and releases sessions from the session list page of the web GUI.
Workaround: Discourage view-only administrators from releasing sessions.
|
CSCeh44351
|
Deleted view-only administrator becomes full-administrator.
Symptoms: A view-only administrator user logged into the GUI temporarily acquires full administrator privileges if the administrator user's record is deleted.
Conditions: A view-only administrator user is logged into the GUI and another, fully privileged administrator user deletes the view-only administrator's user record. For the duration of the current session, the view-only administrator is promoted to a fully privileged administrator (with read and write permissions). After the administrator logs out of the current session (or is automatically logged out after the idle timeout), the view-only administrator can no longer log in as the administrator user record no longer exists.
Workaround: Do not delete user records for view-only administrators while they are logged in.
|
CSCeh47798
|
Error message for duplicate LDAP-to-RadiusMapping could be better.
Symptoms: A error message about an unknown attribute appears.
Conditions: This might occur when two different RADIUS attributes are mapped to the same LDAP attribute.
Workaround: Map a single RADIUS attribute to LDAP attributes used for mappings.
|
CSCeh52778
|
Strange error message - csome random characters are capitalized in attribute names.
Symptoms: A strange error message appears after attributes are modified.
Conditions: This will occur if the same attribute is included twice with different capitalization.
Workaround: Enter each attribute only once.
|
CSCeh54919
|
Installation gives Unable to write random state error.
Symptoms: 'Unable to write random state' error message printed during Cisco AR installation.
Conditions: Customer installs Cisco AR 4.0.1.
Workaround: None. This error message does not affect proper operation of Cisco AR.
|
CSCeh54984
|
Validation needed when radius-query service is set to defaultAAA.
Symptoms: No validation messages are printed when a service of type radius-query is used as the default authentication, authorization or accounting service.
Conditions: This will occur when a service of type radius-query is used as the default authentication, authorization or accounting service.
Workaround: Do not do this. The radius-query service is invoked by setting the Query-Service environment variable.
|
CSCeh55025
|
Java Session APIs called outside of SessionManager restarts RADIUS.
Symptoms: The RADIUS process crashes and is restarted by the server agent.
Conditions: This can occur if a session specific call is made by a Java extension at an extension point other than the session manager extension points.
Workaround: Do not use session specific APIs in Java extensions that will not be called from session management extension points.
|
CSCeh55741
|
Two incorrect 3GPP attributes.
Symptoms: 3GPP attributes are entered incorrectly.
Conditions: The attributes created by the installation are incorrect.
Workaround: Change the name of 3GPP-OG-Address to 3GPP-CG-Address (in the 3GPP Vendor dictionary). Change the type of CDMA-DCCH-Frame-Format to ENUM, and add the appropriate enumerations. CDMA-DCCH-Frame-Format is in the 3GPP2 directory.
|
CSCeh56666
|
Missing XML tag in XML request document should be processed.
Symptoms: An XML query request of an ICE session cache manager is rejected by the server with the error message:
Rejecting XML Request: packet failed to parse
Conditions: A session cache resource manager is configured with QueryMappings to allow XML queries, of user names and IP addresses, for example. When the server is queried for one of those values using an XML request that is missing the XML tag, such as <?xml version="1.0"?>, the server will reject the query request due to the missing XML version tag.
Workaround: Make sure XML requests always include a proper version tag.
|
CSCeh56736
|
Confusing log message 8692 of 8192 packets in use.
Symptoms: A message similar to the following appears in the log file (note that the number of used buffer is larger than the number of buffers configured in the buffer pool):
<timestamp> name/radius/1 Error Server 0 Radius has used 8692 of its 8192 request buffers:
the server is dropping 1 request; 1 packets dropped total.
Conditions: The server is running under heavy load. On source code review, it was determined that this is merely a book-keeping error in the code that generates packet usage statistics and there is no problem with the actual packet handling or buffer management code.
Workaround: None (none necessary). Ignore the strange arithmetic.
|
CSCeh56788
|
Null packet pointer was passed to update stats function.
Symptoms: Under some high load conditions, the server crashes. The core file points to a crash in RemoteRadiusServer::updateStats().
Conditions: The server has run out of RADIUS packet buffers at the same time that a request to a remote server has timed out. The first condition normally generates a log message like the following:
Error Server 0 Radius has used 8192 of its 8192 request buffers:
the server is dropping 1 request; 1 packets dropped total.
Workaround: Reduce the load on the server or increase the size of the RADIUS packet buffer pool (setting /Radius/Advanced/MaximumNumberOfRadiusPackets).
|
CSCeh57246
|
Solaris machines report server agent not running.
Symptoms: The AAA Server Status display indicates Access Registrar Server Agent not running.
Conditions: This occurs on Solaris 9.
Workaround: Ignore this condition. The AAA daemon manager display is correct.
|
CSCeh58732
|
Re-login does not create a new session.
Symptoms: User logs in to the GUI but appears to be logged in as the previous administrator.
Conditions: User logs in to the GUI as a view-only administrator, then returns to the login page and logs in as a read-write administrator without first logging out. The user remains logged in as the view-only administrator.
Workaround: The user must explicitly log out with the logout button before logging in as another administrator.
|
CSCeh60482
|
Display correct error message for query-sessions /r all send-pod.
Symptoms: aregcmd commands give Filter Type Error when send-coa and send-pod is used incorrectly.
Conditions: If send-coa is used with release-sessions and send-pod is used with query-session command then server displays Filter Type Error.
Workaround: None.
|
CSCeh61488
|
Request-Type not set in remote server OutgoingScript.
Symptoms: Request-Type environment variable is always empty.
Conditions: A script on a remote server's OutgoingScript is attempting to read the Request-Type environment variable.
Workaround: If possible, try to use the server's IncomingScript.
|
CSCeh61842
|
Server reload might hang if CS Remote Agent not responding.
Symptoms: The AAA server hangs while reloading. The last entry in the log file reads:
<timestamp> Log: Agent API: Attempting to connect to agent manager at <IP
Conditions: This might occur if a remote server for Windows Domain Authentication (WDA) is configured and the Cisco Secure Remote Agent (CSRA) is running on the remote server, but the remote server is not working properly (due to misconfiguration). Also, CSRA might be unable to complete the protocol for establishing the protected tunnel for WDA. If the local AAA server is reloaded while in this state (waiting for the establishment of the tunnel), the server process might hang and have to be restarted.
Note that if the AAA server is configured with an invalid WDA remote server address or the address of a remote server that is not running CSRA (including localhost), the attempt to connect to CSRA will properly timeout and server operation will not be affected (the failure to connect CSRA will be logged).
Workaround: Make sure the remote Windows server, including CSRA, is properly configured and responding to requests from the AAA server. Ensure the link to the remote server is stable and does not suffer from excessive packet delays or drops.
If the local server is stuck after a reload, kill the server process using kill -9 and restart the server. Reconfigure the server to use another remote server for WDA or disable it by pointing at a server not running CSRA (including localhost).
|
CSCeh67247
|
Need to set 3GPP2 CDMA-Remote-Access-Table-Index must be UNIT32.
Symptoms: Cisco AR software upgrade is unsuccessful for attribute CDMA-Remote-Address-Table-Index.
Conditions: When an installation of Cisco AR (3.5.x or older) is upgraded, any settings for the CDMA-Remote-Address-Table-Index attribute are lost. This is due to a difference in the data type definition for this attribute in Cisco AR 4.0 (from UNIT32 to STRING) that breaks the database upgrade script. The datatype will be corrected (back UNIT32) to in the next maintenance release of Cisco AR.
Workaround: Manually re-enter the CDMA-Remote-Address-Table-Index attribute and its value at the appropriate place in the Cisco AR configuration after an upgrade to Cisco AR 4.0 has been performed.
|
CSCeh79810
|
Cisco AR server rejects packets if DefaultAuthorizationService is not set.
Symptoms: Access-Requests are rejected if the DefaultAuthorizationService is not set and Authorization-Service environment variable is not set to a valid service name before the Authentication processing starts.
Conditions: DefaultAuthorizationService is not set and Authorization-Service environment variable is also not set to a valid service name before the Authentication phase.
Workaround: Set DefaultAuthorizationService to a service name other than the value set for DefaultAuthenticationService if Authentication and Authorization needs to be done by different services. Otherwise, set same service name for both DefaultAuthenticationService and DefaultAuthorizationService.
|
CSCeh92504
|
Tomcat logging is not working correctly.
Tomcat logging does not work correctly in Cisco AR 4.0.1. The web GUI and the APIs log to WebGUI.log but the tomcat logging is not working.
|
CSCei10781
|
Server reloaded when sending request with bad digest attribute.
Symptoms: RADIUS process reloaded itself.
Conditions: When sending an http-digest request with digest-attribute having shorter length field than the value, such as "02:01:73:f2:92:45:b0", here length is 01.
Workaround: None.
|
CSCei13326
|
With http-digest, algorithm MD5-Sess is rejected.
Symptoms: Cisco AR rejects the request.
Conditions: This occurs when setting the Digest-attribute algorithm to MD5-Sess and sending the http-digest request.
Workaround: None.
|
CSCei19141
|
Bad error message if no argument for query-sessions /r with-*.
Symptoms: The error message for the query-sessions command with an argument such as with-Name or with-Age indicates that the only supported option is all.
Conditions: This might occur if the with-Age or with-Name commands are not further modified with a name or an age.
Workaround: Supply arguments to query-sessions commands with arguments such as with-Age or with-Name.
|
CSCei22879
|
User friendly configuration for CDMA-DNS-Server-IP-Address attribute.
Symptoms: On Solaris 2.8 machine running Cisco AR 3.5.4 version software, The "CDMA-DNS-Server-IP-Address" attribute has to be set in hexadecimal format. Provision should be given to configure these attribute in user friendly way, Just like we do for TLV format attributes like CDMA-PrePaid-Accounting-Capability.
Conditions: None.
Workaround: Use raw packet format to set the attribute in a user's profile under /Radius/Profiles.
|
CSCei27403
|
PEAP/EAP-MSChapV2 authentication fails.
Symptoms: Windows XP Service Pack 2 clients are unable to authenticate using PEAP/MS-CHAPv2 authentication.
Conditions: Client laptops are running Windows XP Service Pack 2 and are configured to use 802.1/EAP authentication with the Microsoft PEAP supplicant that is included in Windows. Cisco AR server is configured for PEAP-V0 (also known as MS-PEAP) authentication with MS-CHAPv2 inner service.
Client authentication using MS-CHAPv2 is successful, but the client never completes the authentication session and starts a new authentication request every 30 seconds. (This is the default Windows authentication retry interval).
Workaround: Use a different EAP authentication method.
|
CSCei31964
|
Java directory and javadocs archive are missing after Linux software installation.
Symptoms: The directory /cisco-ar/java is missing on Cisco AR Linux installations.
Conditions: Customer is looking for the documentation of the Java extension API, which should be provided in /cisco-ar/java/javadoc.tar.gz.
Workaround: Install a Solaris version of the Cisco AR kit. Solaris versions include the /cisco-ar/java directory with the API documentation. The API is identical for Linux and Solaris versions of Cisco AR. If installing Cisco AR on Solaris is not an option, contact Cisco AR customer support at <cs-ar@cisco.com> to receive the javadocs file via e-mail.
|
CSCei33031
|
Cisco AR server occasionally reloads with RADIUS query service configuration.
Symptoms: Cisco AR server occasionally reloads itself under stress.
Conditions: This occurs when the RADIUS query service is in use.
Workaround: None.
|
CSCei40431
|
ODBC remote server does not disconnect properly.
Symptoms: Authentications to a ODBC remote server fail after the remote server experiences a temporary failure.
Conditions: Cisco AR server is configured to use an odbc connection for authentication. The remote database server fails and restarts (failures during the database server downtime are expected). After the database server has restarted, Cisco AR server still fails authentications because no new ODBC connections are established (the stale connections established to the ODBC server before the failure continue to be used).
Workaround: Connections to other remote servers (LDAP and RADIUS) are properly re-established after a remote server failure. One possible work-around is to use an LDAP RemoteServer instead of ODBC connection to the remote server. A Cisco AR server restart will also clear the stale ODBC connections.
|
CSCei70394
|
Cisco AR server retrieves empty data after ODBC remote server disconnect.
The status command reports that the health of the server is 7 out of 10.
During this status, the query to the odbc returns multiple rows with no data.
|
CSCej01509
|
Parallel grouping of a proxy service with file service cores.
Symptoms: Cisco AR server cores while processing an accounting packet.
Conditions: When a proxy service and a file service are grouped with ResultRule as Parallel-AND or Parallel-OR.
Workaround: None.
|
CSCin53226
|
On heavy load odbc.ini file becomes empty.
Symptoms: The log reports that the ODBC datasource cannot be found.
Conditions: This has only been observed with an extremely high number of ODBC data source connections and heavy load.
Workaround: Replace the contents of the /opt/CSCOar/odbc/etc/odbc.ini file.
|
CSCin57842
|
EAP services should not be allowed as subservices of group service.
Symptoms: A remote user is accepted without sending eap challenge.
Conditions: This occurred after setting the Response-Type to accept using rex or java script.
Workaround: None.
|
CSCin64207
|
Upgrade fails when setting ARIsCaseInSensitive to false.
Symptoms: Upgrade from 1.7R6 to 1.7R7 or later versions of Cisco AR fails with the following error message:
"307 Object not found/Path ambiguous"
Conditions: /Radius/Advanced/ARIsCaseInSensitive flag is set to False in Cisco AR.
Workaround: Before upgrading to 1.7R7 or later kit, set /Radius/Advanced/ARIsCaseInSensitive to True.
After completing the upgrade, change the /Radius/Advanced/ARIsCaseInSensitive setting back to False (if desire).
|
CSCsb43059
|
Interim accounting update does not reset session timeout.
Symptoms: Interim-Accounting records do not reset the session-timeout timers.
Conditions: Seen in version 4.0.1 of Cisco AR.
Workaround: None.
|
CSCsb46328
|
Cannot attempt Authentication and Authorization and to Query-Service in the same Access-Request packet.
Symptoms: In Cisco AR it is not currently possible to authenticate or authorize and the do a query on the same access-request.
Workaround: None.
|
CSCsb61608
|
Cisco AR does not show Remote-Server information in client outgoing script.
Symptoms: Environment variable Remote-Server empty in client and vendor outgoing script.
Conditions: Cisco AR used with TCL script extensions.
Workaround: None.
|
CSCsb90331
|
Unable to perform LEAP authentication using the Active Directory.
Symptoms: LEAP authentication against a Windows Active Directory (AD) user database appears to succeed in Cisco AR, but wireless (802.1x) clients fail to get associated with the access point (AP).
Conditions: LEAP Authentication is set to use Inner Method Windows Domain-Auth on WLSE-Express, users are authenticated using LEAP against an AD user database. Wireless (802.1x) clients are set to use LEAP authentication with encryption enabled.
Workaround: None (for LEAP authentication against AD). However, it is still possible to perform LEAP authentication against the local AAA server database. Also, successful authentication against an AD database will still be possible if clients can be reconfigured to use another authentication method with WDA such as PEAP-V0.
|
CSCsb92886
|
If Cisco AR software is not installed in /opt/CSCOar, the GUI process does not stop.
Symptoms: /etc/init.d/arserver stop command fails to stop Cisco AR GUI process.
Conditions: When Cisco AR software is installed in a directory other than /opt/CSCOar
Workaround:
Workaround for Solaris OS: Replace the following line in /etc/init.d/arserver script:
PROCLIST=`/usr/ucb/ps -agxww | awk '{print $1,$5,$6}' | sort -urk 2 | /bin/egrep
"java.library.path=/opt/CSCOar/lib|$INSTALLPATH/.[s]ystem/(radius|arservagt|armcdsvr|arlockmg
r)|$INSTALLPATH/ucd-snmp/sbin/[s]nmpd|[a]regcmd|[a]rwlsecmd"`
with
PROCLIST=`/usr/ucb/ps -agxww | awk '{print $1,$5,$6}' | sort -urk 2 | /bin/egrep
"java.library.path=$INSTALLPATH/lib|$INSTALLPATH/.[s]ystem/(radius|arservagt|armcdsvr|arlockm
gr)|$INSTALLPATH/ucd-snmp/sbin/[s]nmpd|[a]regcmd|[a]rwlsecmd"`
Workaround for Linux OS: Replace the following line in /etc/init.d/arserver script:
PROCLIST=`/bin/ps -eww -o pid,command | awk '{print $1,$2,$3}' | sort -b -k 2,2r -k 1,1n |
uniq -1 | /bin/egrep
"java.library.path=/opt/CSCOar/lib|$INSTALLPATH/.[s]ystem/(radius|arservagt|armcdsvr|arlockmg
r)|$INSTALLPATH/ucd-snmp/sbin/[s]nmpd|[a]regcmd|[a]rwlsecmd"`
with
PROCLIST=`/bin/ps -eww -o pid,command | awk '{print $1,$2,$3}' | sort -b -k 2,2r -k 1,1n |
uniq -1 | /bin/egrep
"java.library.path=$INSTALLPATH/lib|$INSTALLPATH/.[s]ystem/(radius|arservagt|armcdsvr|arlockm
gr)|$INSTALLPATH/ucd-snmp/sbin/[s]nmpd|[a]regcmd|[a]rwlsecmd"`
|
CSCsb93702
|
Cisco AR server trace file needs to wrap.
Symptoms: The Cisco AR trace file grows to consume all available disk space.
Conditions: Tracing is turned on for long periods of time, especially on high-traffic production systems.
Workaround: Only turn tracing on for a short time and during periods of low system traffic. Always remember to turn tracing off again after the desired tracing output has been obtained.
|
CSCsb93715
|
Bad certificate configuration should not prevent Cisco AR server from starting.
Symptoms: Cisco AR server does not start up. Log file indicates a problem with certificate configuration that is detected during startup.
Conditions: An invalid certificate file was configured for any of the certificate-based EAP authentication methods (EAP-TLS, EAP-FAST, MS-PEAP, Cisco-PEAP). For example, a certificate file in a format that is not acceptable to Cisco AR was uploaded.
Workaround: Configure the Cisco AR server with a valid certificate file. See user documentation for acceptable certificate file formats.
|
CSCsc00789
|
Display error while setting more than 20 remoteservers to a service.
Symptoms: Additional remote servers appear when listing remote servers.
Conditions: More than 20 remote servers are configured for a service.
Workaround: Ignore the additional remote servers shown.
|
CSCsc00881
|
Listing error when setting more than 20 remote servers to a service.
Symptoms: Additional remote servers appear when listing remote servers.
Conditions: More than 20 remote servers are configured for a service.
Workaround: Ignore the additional remote servers shown.
|
CSCsc14370 (a continuation of CSCeh58518)
|
Symptoms: The RADIUS server ceases to respond.
Conditions: This might happen if many configuration operations are performed. The RADIUS server log will indicate that a reload is in process, but the reload never completes.
Workaround: Restart the Cisco AR server.
|
CSCsc22006
|
WLSE sends PEAP to IP phone 7920 LEAP client.
Symptoms: Cisco 7920 handsets fail to authenticate against WLSE-Express, but authentication works fine against other stand-alone AAA servers such as Cisco Secure ACS.
Conditions: The 7920 handset is configured to perform LEAP authentication. Authentication using other methods such as static passwords works correctly.
The root cause of this problem is the inability of the 7920 firmware to issue an EAP-NAK response when it encounters an unsupported EAP authentication method.
This is a limitation of the 7920 firmware that will be addressed in a future firmware release. DDTS CSCsc21972, 7920 fails leap auth with WLSE express integrated AAA, describes and tracks this issue.
Workaround: Configure the 7920 handset to use an authentication method other than LEAP or use Cisco Secure ACS as an external AAA server. Note that using any authentication method based on static information, such as preconfigured passwords is inherently less safe.
|
CSCsc26773
|
Windows Domain Authentication fails if user name includes domain prefix.
Symptoms: Authentication of clients against a Windows Active Directory user database fails. This applies to all EAP methods that allow selection of Windows Domain Authentication (WDA) as their inner service, such as to LEAP, EAP-FAST, Cisco-PEAP, or Ms-PEAP on WLSE-Express.
Conditions: The client is configured to supply a Windows domain name as part of the user name, i.e. the user identity submitted for authentication is of the form "DOMAIN\user". If the client only supplies the user name, without domain name prepended, WDA succeeds.
Workaround: For Cisco-branded WLAN adapters, the Cisco client utility allows configuration of LEAP and EAP-FAST to not provide the domain name as part of the login. This workaround might not be supported by the GUI for non-Cisco WLAN adapters. For example, it is known that the GUI supplied for certain CCX-compliant hardware, such as the Intel OEM UI bundled with certain Dell Centrino laptops (Intel PROset WLAN), does not support this option.
|
CSCsc27479
|
ODBC: order of multi-valued attributes to be preserved.
Symptoms: The Cisco AR server will not send multi-valued attributes in the same order as it received.
Conditions: When 'odbc' type service is in use for AA and when some of the attributes are multi-valued.
Workaround: Cisco AR server is inserting the same type of attributes in the order of: [first attribute as it received from ODBC query, and rest of all attributes in the reverse order].
For example, if Oracle returns Cisco-AVPair values as 'value0, value1, value2, value3', the Cisco AR server sends them as follows:
Cisco-AVPair = value0
Cisco-AVPair = value3
Cisco-AVPair = value2
Cisco-AVPair = value1
Workaround: Write an outgoing script to properly order these attributes.
|
CSCsc61396
|
Missing CA Certificate Upload field in EAP-TLS Settings page.
Symptoms: There is no provision in EAP-TLS Settings GUI for uploading CA Certificate.
Conditions: The other pages like Cisco-PEAP Settings, MS-PEAP Settings contains the page for uploading CA Certificate. But EAP-TLS Settings page does not contain the provision for uploading CA Certificate from the GUI.
Workaround: Copy directly the CA Certificate file to /opt/CSCOar/certs/eap-tls directory in the server.
|
CSCsc61801
|
Prepaid Billing Return Quota type should be configurable.
Symptoms: Prepaid return quota type always set to CRB_RQT_QUOTA_USED_SINCE_LAST_AUTHORIZATION.
Conditions: When the unused quota is returned in the case of Prepaid CRB.
Workaround: None.
|
CSCsc71609
|
Parallel and duplicates attributes.
Symptoms: RADIUS responses contain duplicate attributes value pairs when processing with a group service using parallel-AND.
Conditions: When a group service uses parallel-AND for processing and there are same attribute value pairs being returned from the different services, these attribute value pairs are duplicated in the response rather than replaced.
Workaround: A script can be used to remove the duplicate attribute value pairs, or use regular-AND instead of parallel-AND, however this will negatively affect performance.
|
CSCsc80694
|
Cisco AR not sending keepalives when oracle accounting service configured.
Symptoms: Customer facing some problem writing accounting records into the database when the connection is broken by a firewall.
Conditions: When the connection is broken by firewall, there is no activity on the connections broken by firewall (no packets leave the server) after "End-of-file on communication channel" displayed.
Workaround: Keep the connection alive by sending dummy packets.
|
CSCsc87812
|
Attribute 18 in Access-Reject from remote RADIUS is not processed correctly.
Symptoms: Attribute 18 (Reply-Message) coming back in access-rejects from a remote RADIUS server is not used in the own response.
Conditions: Remote RADIUS server is part of a service used as authorization service only or remote RADIUS server is rejecting the request.
Workaround: None.
|
CSCsc87849
|
Scripting points not working for services under eap-negotiate service.
Symptoms: Scripting points within EAP services not executed properly.
Conditions: EAP service is part of an EAP-negotiate type of service.
Workaround: Apply scripts to EAP-negotiate service rather than the EAP-method specific service.
|
CSCsc91869
|
Oracle9i client with over 100 ODBC connections leads to odbc.ini file truncation.
Symptoms: ODBC type of remote server cannot establish connections with Oracle server and odbc.ini file will be of zero bytes size.
Conditions: When Oracle 9i client is in use and DataSourceConnections is more than 100.
Workaround: Use Oracle 8i client if possible.
|
CSCsc99196
|
POD with proxy ignores Proxy-State attribute.
Symptoms: When the Packet of Disconnect feature is used with a proxy, the indicator of the machine on which the session originated might be ignored. In some cases this might lead to disconnect request messages being sent to the wrong location.
Conditions: This might occur when the Packet of Disconnect feature is used in a proxied environment.
Workaround: Do not use the Packet of Disconnect feature in a proxied environment.
|
CSCsd02925
|
GUI process requires su nobody to work, Cisco AR software installation should check this.
Symptoms: Cisco AR server agent fails to start GUI process.
Conditions: When su nobody is disabled on the machine.
Workaround: Enable su nobody by modifying the /etc/passwd file and restart the Cisco AR server.
|
CSCsd28643
|
Cisco AR does not check for the GUI process.
Symptoms: Cluster might not restart the server, when GUI process goes down.
Conditions: When Cisco AR GUI process goes down.
Workaround: None.
|
CSCef86758
|
Save and reload generates crash with myodbc.
Symptoms: The Cisco AR server restarted by itself, when save and reload issued consecutively after adding a MYODBC remoteserver.
Conditions: Adding a MYODBC remote server and doing a save and reload immediately afterward.
Workaround: None.
|
CSCef86899
|
In Linux, Java vendor OutgoingScript occasionally causes crash.
Symptoms: Server cores on Linux when a Java extension script is executed at the Vendor outgoing script point.
Conditions: This problem does not occur on Solaris, and only occurs on Linux when the java_extension points script is run immediately after the java_methods script. Also, scripts set at all scripting points other than the Vendor outgoing scripting point work fine.
Workaround: If possible, use another extension script point or another scripting language.
|
CSCef97167
|
Changing MySQL server name does not reflect with Cisco AR server reload.
Symptoms: For some requests, Cisco AR uses the MySQL server previously configured.
Conditions: Modifying the MySQL server name in ODBCDataSources and doing a reload.
Workaround: restart the server.
|
CSCed82478
|
Minor memory leak with ODBC failure connect attempts with myodbc.
Symptoms: RADIUS process memory size increases.
Conditions: When invalid myodbc datasource is configured in remote ODBC server and ReactivateTimeInterval is configured to very low value.
Workaround: None.
|
CSCef20109
|
Session management performance degradation.
Symptoms: Performance peaks at about 500 requests per second.
Conditions: Session management is in use.
Workaround: None.
|
CSCeh85197
|
Session cache out of sync.
Symptoms: Session store goes out of sync and some sessions cannot be deleted using release-session command. These sessions do show up when a query-session is run.
Conditions: Create about 40,000 session caches on an Cisco AR server. Start sending many logon and logoff requests with pagent or RSIM for one hour so that the Cisco AR server cache are constantly been updated.
Workaround: None.
|
CSCsc60298
|
A release-sessions command parallel with a query-sessions command fails to remove a few sessions.
Symptoms: When releasing huge number of sessions from GUI and in parallel doing query-sessions from CLI fails to remove few sessions in Cisco AR.
Conditions: When releasing huge number of sessions from GUI and in parallel doing query-sessions from CLI.
Workaround: Do not use CLI to query the sessions when a very large number of sessions are released from the GUI.
|
CSCsd11549
|
armcdsvr crashes in Linux stress tests.
Symptoms: armcdsvr process restarted by itself.
Conditions: When the Cisco AR server machine is slower and multiple aregcmd instances were run on the same machine, occasionally armcdsvr process can be restarted by itself.
Workaround: None.
|
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0805R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007-2008 Cisco Systems, Inc. All rights reserved.
