Cisco Access Registrar 4.2 [Cisco Access Registrar]

Product Overview

Cisco^® Access Registrar is the flagship Cisco RADIUS authentication, authorization, and accounting (AAA) server for the service provider market. It supports service provider deployment of access services by centralizing AAA information and simplifying provisioning and management. Cisco Access Registrar is a standards-based RADIUS and proxy RADIUS server designed for high performance, extensibility, and integration with external data stores and systems. Cisco Access Registrar has been widely deployed over the years by a number of service providers that are looking for a high performing and extensible AAA server for their mobile wireless, public WLAN, broadband, dial, and Voice over Internet Protocol (VoIP) services. Cisco Access Registrar 4.2 introduces a number of enhancements that can benefit current and potential customers of Cisco Access Registrar.

Highlights and Benefits

Highlights

• Dynamic service authorization: Cisco Access Registrar 4.2 adds support for a new service that is selected by the existing mechanisms (such as the policy engine, scripts) and that has an option to set the variables (as appropriate to the phase the packet is in) to reauthenticate, reauthorize, or reaccount using another service. The idea here is to chain the services using this environment variable.

• Session scalability: In Cisco Access Registrar 4.2 the number of sessions captured in a server is increased fourfold from its value of 1 million (that is, 4 million sessions per server with session caching).

• Lightweight Directory Access Protocol (LDAP) version 3 client library and bind-based authentication: In Cisco Access Registrar 4.2 the existing LDAP client library is enhanced to support LDAPv3 with no extended features. LDAP remote server is enhanced to support bind-based authentication in addition to the existing password-fetch-based authentication.

• Update Oracle client library and server: In Cisco Access Registrar 4.2 the existing Oracle client library and server are enhanced to support the Oracle 10g and 11g client library and Oracle 10g and11g server. Changes in the Oracle driver/driver manager support the latest client and server

• Certificate management with Certificate Revocation List (CRL): Cisco Access Registrar 4.2 has the provision to support CRL fetching and enforcement. The protocols supported for fetching CRLs are LDAP and HTTP.

• Shared secret hiding: Cisco Access Registrar 4.2 adds a new property named HideSharedSecretAndPrivateKeys; when set to true, PrivateKeyPassword attribute in EAP based services and SharedSecret attribute under Remoteservers, Clients object will be masked and displayed as <encrypted>.

• Support of T series Sun servers: Cisco Access Registrar 4.2 adds support for Sun T series servers. Benchmark testing with complex scripting and performance testing was done with the Sun T 5220 server.

• Server virtualization support: Cisco Access Registrar 4.2 adds support for Sun virtualization technology Logical Domains (LDoms); this virtualization technology has been tested in a Solaris 10 environment. A Cisco Access Registrar 4.2 instance with session management in a Solaris server can go up to 900 Transactions Per Second by using Sun virtualization technology (LDoms) on the same Solaris server; Cisco Access Registrar 4.2 with session management gives a significant performance increase of around 2700 TPS per server (6 LDoms, each LDom with 450 TPS)

• WiMAX support: Cisco Access Registrar 4.2 adds support for WiMAX access technology following Network Working Group (NWG) version 1.1.0 of the stage III document (WiMAX Forum). The EAP method is used to facilitate WiMAX authentication by caching the IP attributes and mobility keys that are generated during network access authentication.

Benefits

• Cisco Access Registrar supports multiple access technologies (dial, wholesale dial, broadband, mobile wireless, wireless LAN and public wireless LAN, Service Selection Gateway (SSG), VoIP, cable, WiMAX) with a single AAA platform.

• Gives service providers an off-the-shelf, standards-based RADIUS server that offers the flexibility and extensibility previously available only by maintaining internally built versions of public-domain RADIUS software.

• Allows service providers to focus their businesses on specific areas of service delivery by supporting additional wholesale, outsourcing, and roaming service scenarios using proxy RADIUS.

• Reduces operational costs and speeds service rollout by supporting integration with provisioning, billing, and other service-management components using directory or relational database management system (RDBMS) support and scriptable configuration interfaces.

• Efficiently manages resource use by supporting centralized IP address assignment and session-limit enforcement across access devices spanning multiple geographic regions and across multiple Cisco Access Registrar servers.

• Allows service providers to extend competitive advantages by rapidly deploying the latest wireless technologies.

Product Architecture

Cisco Access Registrar is built on a multithreaded architecture to take advantage of multiprocessor systems and provide the highest AAA performance. At the core of Cisco Access Registrar (Figure 1) is a policy engine that determines processing based on the contents of the RADIUS request packet. The policy engine makes the following types of decisions:

• Whether authentication against an LDAP directory, Active Directory, or Oracle database is required

• Whether a request should be forwarded to an external RADIUS server

• What type of accounting is required

• Whether session limits apply

• Whether an IP address pool has been assigned

While the basic operation of the server is determined by configuration, multiple extension points within the server provide optional callouts to custom code. Extension points can be used for several purposes, including influencing the processing of a request or modifying incoming or outgoing packets to meet specialized requirements.

Cisco Access Registrar provides a rich set of processing methods, including local, LDAP, Open Database Connectivity (ODBC), Active Directory, proxy, and prepaid, but Cisco Access Registrar also permits custom service code to be inserted into its architecture to allow service providers to support special request processing and systems integration.

Figure 1. Cisco Access Registrar Architecture

Features

Authentication and Authorization

• High-speed internal embedded user database

• Easy, logical grouping of users

• Easy return attributes and check-item configuration

• Ability to enable and disable user access

• Ability to store user information in an external data store

• LDAP directory or Oracle or MySQL database support:

– Store return and check-items attributes

– Data store schema independent

– Ability to add custom logic based on information in user's record

• Authentication to a Windows database

• Advanced RADIUS proxy support for service provider environments

– Includes proxy attributes filtering

• EAP support

– Message Digest Algorithm 5 (MD5), LEAP, PEAP (with Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2, Generic Token Card (GTC), SIM, TLS, FAST, TTLS

– EAP proxy

– CRL support

• HTTP digest authentication for Session Initiation Protocol (SIP) and web servers

• IETF RADIUS tunnel support (RFC 2867, RFC 2868)

• Automatic and customizable reply-message generation

• Chaining of authentication and authorization service through the environment attributes

• LDAP remote server's bind-based authentication

Accounting

• Local file

– Store accounting records in a single file or multiple files

– Automatic file rollover based on file age, size, or specific time

• Proxy

– Option to ignore acknowledgements and continue processing

• Database

– Write accounting records directly to an Oracle or MySQL database

– Schema independent

– Buffering option for higher throughput and fault tolerance

• Chaining of accounting service through the environment attributes

Proxy, Database, and LDAP Configuration

• Define a list of remote systems to be used in failover or round-robin modes

• Accept All, Reject All, and Drop Packet outage policies available when no remote systems are available

• Define the individual characteristics of each remote system; for example, ports, timeouts, retries, or reactivate timers

• Sophisticated algorithms to detect status of remote systems

Request Processing Decisions

• Process requests using different methods; for example, use LDAP for some access requests, the internal database for others

• Process requests using a combination of these methods; for example, store an accounting request to a local file and proxy it to a number of remote RADIUS servers, in series or in parallel

• Split authentication and authorization by selecting one method for authentication and another for authorization (One-Time Password [OTP] server and Oracle database, for example)

• Decide which method to use based on attributes in the request or on Cisco Access Registrar's environment variables, such as source or destination IP address or User Datagram Protocol (UDP) port

• Decide which service needs to be chained based on attributes on the Cisco Access Registrar's environment variables, such as the reauthentication service, reauthorization service, and reaccounting service

• Easy method selection based on DNS domain, username prefix, dialed number, calling number, or network access server (NAS), using the Cisco Access Registrar policy engine

Session/Identity Tracking and Caching

• Built-in feature to track user sessions and allocate resources

• Enforcement of session limits per user and per group

• Allocation of addresses from IP pools

• Allocation of home agents and on-demand address pools

• Real-time query of the session table using the command-line interface (CLI), XML over UDP, or RADIUS

• Add custom information to the session table

• Configure which attributes to store in the session table

• Manual release of sessions and resources

• Query and release sessions based on session age, username, NAS, and other criteria

• Release sessions and generate Packet of Disconnect (PoD)

• Automatic session release when accounting stop is lost (inactivity timeout)

• Automatic session release when accounting on/off is detected (system accounting)

• In an environment with multiple Cisco Access Registrars, designate one Cisco Access Registrar to manage all sessions to avoid bypass of session limits and to allocate IP addresses and other resources centrally

• Session information is not lost even if Cisco Access Registrar or the system is restarted

• Session tracking for accounting-only servers

• Configurable session key based on any attributes present in the incoming request

• Send Change of Authorization (CoA) request

• Count the number of user sessions

• Cached attributes are queryable through the query session.

System Tuning and System Configuration

• Configure Cisco Access Registrar to listen on multiple UDP ports

• Specify which network interfaces to use

• Set the number of simultaneous requests to be processed

• Enable access accept logging

• Regular and advanced duplicate detection features

• Extensible attribute dictionary

– Populated with latest attribute definitions, including third-party, vendor-specific attributes

– Easy addition of new attributes

– Variable-length vendor type in vendor-specific attributes

• Specify log file rollover rules

Troubleshooting and Monitoring

• Multilevel debugging output

• Real-time query of processing counters

• Reset processing counters without restarting Cisco Access Registrar

• Query status of all Cisco Access Registrar processes and utilities

• Log files for each Cisco Access Registrar process

• Audit log of all configuration changes

• Direct logs to a syslog server

• RADIUS Simple Network Management Protocol (SNMP) RFC 2618-21 support

• SNMP traps generated for critical events

• Utility to generate RADIUS requests

Configuration

• Powerful command-line configuration utility with interactive/noninteractive full and view-only modes

• Noninteractive modes allow for configuration automation and operations support system (OSS) integration

• Dynamic configuration feature allows configuration changes to take effect without a server restart

• Command and value recall, inline editing, autocommand completion, and a context-sensitive list of options

• Web-based interface for basic tasks and monitoring

• Specify multiple RADIUS clients with a single definition

Resilience

• Automatic configuration replication to other Cisco Access Registrar servers (server redundancy)

• Specify lists of alternate remote systems for each processing method (remote-system redundancy)

• Specify multiple methods to process a request (processing-method redundancy)

• Automatic server restart

Customization

• Add custom logic to the request processing flow using Tool Command Language (TCL), C or C++, or Java

– Access request and response packets

– Modify processing decisions in real time

– Multiple callout points to target specific requests

• Create custom processing methods

Solutions

• Cisco PDSN for CDMA2000 mobile wireless

– Home agent allocation for balanced home agent access

– Null password support

– Multiple accounting start/stop detection for roaming users

– CDMA2000 vendor-specific attribute support

– Prepaid billing

– Quality of service (QoS) and remote address accounting attributes support

– PoD during packet data serving node (PDSN) handoff

– Mobile Node-Home Agent (MN-HA) shared key distribution for mobile IP

– Domain Name System (DNS) update for IP reachability

– Change of Authorization (CoA)

• Public wireless LAN solution for service providers

• Cisco IOS^® Software On-Demand Address Pool Manager

• Dynamic, variable-size address pool assignment for Multiprotocol Label Switching (MPLS) VPNs

• Broadband aggregation

• Trusted-ID authorization for transparent autologon

• Other solutions

– Cisco Gateway GPRS Support Node (GGSN) for GPRS mobile wireless

– Cisco Any Service, Any Port (ASAP) solutions

System Requirements

Tables 1 and 2 list system requirements for Cisco Access Registrar 4.2.

Table 1. Minimum Server System Requirements: Large Service Provider Network

Demo Server Requirements
Operating system	Solaris 9 and 10	Linux RHEL 4.0
Model	SPARC Enterprise T5220	X86
CPU type	UltraSPARC-T2 ( SPARC V9)	Intel Xeon CPU 3.40 GHz
CPU number	8 cores (8 threads each)	4
CPU speed	1165 MHz	3.40 GHz
Memory (RAM)	32 GB	10 GB
Swap space	8 GB	4 GB
Disk space	2 x 72 GB	1 x 146 GB

Table 2. Minimum Server System Requirements: Small Service Provider Network

Demo Server Requirements
Operating system	Solaris 9 and 10	Linux RHEL 4.0
Model	SunFire V215, V245	X86
CPU type	Sparc IIIi	Intel Xeon CPU 3.40 GHz
CPU number	1	4
CPU speed	1 GHz	3.40 GHz
Memory (RAM)	10 GB	5 GB
Swap space	4 GB	4 GB
Disk space	10 GB	10 GB

Note: Service providers with subscriber bases of more than 300,000 falls under the larger service provider network.

Download the Software

To download Cisco Access Registrar Software, visit the Cisco Software Center.

Service and Support

Cisco offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare the network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, see Cisco Technical Support Services or Cisco Advanced Services.

For More Information

For more information about Cisco Access Registrar, visit http://www.cisco.com/en/US/products/sw/netmgtsw/ps411/index.html, contact your local account representative, or send email to cns-ar-mkt@cisco.com or ar-tme@cisco.com.

Hierarchical Navigation

Cisco Access Registrar

Cisco Access Registrar 4.2

Downloads