- Overview
- Using the Graphical User Interface
- RADIUS Accounting
- Diameter
- Extensible Authentication Protocols
- Using Replication
- Using Identity Caching
- Using Prepaid Billing
- Using Cisco Prime Access Registrar Server Features
- Directing RADIUS Requests
- Using FastRules to Process Packet Flow
- Using LDAP
- Using Open Database Connectivity
- SIGTRAN-M3UA
- Using SNMP
- Backing Up the Database
- Oracle Software Requirements
- Configuring ODBC/OCI
- MySQL Support
Using Open Database Connectivity
Cisco Prime Access Registrar (Prime Access Registrar) supports Open Database Connectivity (ODBC) and Oracle Call Interface (OCI), open specifications that provide application developers a vendor-independent API with which to access data sources. For ODBC, Prime Access Registrar supports MySQL database connectivity and for OCI, it supports Oracle database connectivity. It provides RemoteServer objects and services to support ODBC or OCI. You can use Prime Access Registrar to authenticate and authorize access requests by querying user information through ODBC or OCI.
ODBC or OCI is an application program interface (API). Real data exchange between an application and data store is still carried out by SQL through ODBC or OCI. To achieve the most flexibility, you are required to define your own SQL using aregcmd. Prime Access Registrar will register the SQL statements and send them to the data store through ODBC or OCI when required. Because you can define your own SQL, Prime Access Registrar supports sites that have their own data stores.
ODBC is configured using .ini files, specifically odbc.ini and odbcinst.ini. However, you cannot create or modify these files directly. Prime Access Registrar creates the .ini files after you use aregcmd to configure the ODBC connection. The SQL is stored in the local database (MCD). During execution, the Prime Access Registrar server reads the local database, prepares the SQL statements, and sends the SQL to the data source.
Note
For OCI, the.ini files are not needed to connect to the database.
Note Prime Access Registrar uses its own ODBC driver manager and does not share existing ODBC drivers (if you already have ODBC installed). If you are already using ODBC, you will have to maintain two separate ODBC installations.
The ODBC or OCI memory requirement depends on your configuration. The more datasources you configure, the more memory is required. Packet processing time might increase if you configure a large number of SQL statements under SQLDefinition.
The Prime Access Registrar package includes some ODBC and OCIlib Drivers, and you should use the included driver whenever possible. If a data store’s ODBC driver is not included with Prime Access Registrar, you are required to install it. You configure the driver library using aregcmd to modify the associated ini file.
Oracle Software Requirements
The Prime Access Registrar ODBC feature requires that you have MySQL driver packages. The OCI feature requires that you have Oracle client software installed. Supported Oracle client versions are 10.2.0.1.0 - 12c. All Oracle client software library files are expected under $ORACLE_HOME/lib.
When you install Prime Access Registrar software, the installation process prompts you for ORACLE_HOME variable and sets it in the Prime Access Registrar start-up script, /etc/init.d/arserver. Two other environment variables (ODBCINI and ODBCSYSINI) are also set in the arserver script. To change any of these variables, modify the /etc/init.d/arserver script and restart the Prime Access Registrar server.
Note For OCI services, ensure that you have installed the Oracle client properly by using tnsping or sqlplus utilities. Oracle Instant Client libraries are not supported by OCI services.
Configuring ODBC/OCI
You use aregcmd to define your ODBC configuration and SQL statements. The Prime Access Registrar server automatically creates the ODBC.ini file for your driver manager and driver based on how you configure ODBC.
Configuring the ODBC and ODBC-Accounting Remote Servers
To use ODBC in Prime Access Registrar for AA:
Step 1 Configure an ODBC DataSource.
Step 2 Configure an ODBC RemoteServer object with protocol type as ‘odbc’.
Step 3 Configure an ODBC Service with service type as ‘odbc’.
Step 4 Set ODBC service as the DefaultAuthenticationService and DefaultAuthorizationService.
Step 5 Save your configuration.
To use ODBC in Prime Access Registrar for Accounting:
Step 1 Configure an ODBC DataSource.
Step 2 Configure an ODBC RemoteServer object with protocol type as ‘odbc-account’.
Step 3 Configure an ODBC Service with service type as ‘odbc-accounting’.
Step 4 Set ODBC service as the DefaultAccountingService.
Step 5 Save your configuration.
After you save and validate your configuration, it is saved in the MCD database. If you have configured an ODBC service, Prime Access Registrar will query the MCD database and create or modify the odbc.ini file before it builds a connection to the database. When you reload your configuration, Prime Access Registrar shuts down any existing ODBC connections, then queries the MCD database to create or modify the odbc.ini file and build a new connection for any configured ODBC Data Sources.
The following shows an example configuration for AA remote server:
The following shows an example configuration for AAA remote server:
You use aregcmd to define your OCI configuration and SQL statements.
Configuring an OCI and OCI-Accounting Remote Servers
To use OCI in Prime Access Registrar for AA:
Step 1 Configure the DataSource type as oracle_oci.
Step 2 Configure an OCI RemoteServer object protocol type as ‘oci’.
Step 3 Configure an OCI Service with type as ‘oci’.
Step 4 Set OCI service as the DefaultAuthenticationService and DefaultAuthorizationService.
Step 5 Save your configuration.
To use OCI in Prime Access Registrar for Accounting:
Step 1 Configure the DataSource type as oracle_oci.
Step 2 Configure an OCI RemoteServer object protocol type as ‘oci-accounting’.
Step 3 Configure an OCI Service with type as ‘oci-accounting’.
Step 4 Set OCI service as the DefaultAccountingService.
Step 5 Save your configuration.
After you save and validate your configuration, it is saved in the MCD database.
The following shows an example configuration for OCI AA remote server:
The following shows an example configuration for OCI AAA remote server:
This section contains the following topics:
- Configuring an ODBC/OCI Service
- Configuring an ODBC/OCI RemoteServer
- Configuring an ODBC DataSource
- Setting ODBC/OCI As Authentication and Authorization Service
- Setting ODBC/OCI As Accounting Service
- Saving Your Configuration
- Oracle Stored Procedures
Configuring an ODBC/OCI Service
You configure an ODBC or OCI service under /Radius/Services. When you define an ODBC or OCI service under /Radius/Services, you must set its type to ODBC or OCI and provide the following configuration options:
Note We will use ODBC or OCI as the ODBC or OCI service name in the following examples.
Example configuration for ODBC
Table 13-1 describes the ODBC or OCI service parameters.
Configuring an ODBC/OCI RemoteServer
Configuring an ODBC Remote Server
You must configure an ODBC RemoteServer object for each RemoteServer object you list under /Radius/Services/ODBC/RemoteServers. Use the aregcmd command add to add ODBC servers under /Radius/RemoteServers.
Configuring an OCI Remote Server
You must configure an OCI RemoteServer object for each RemoteServer object you list under /Radius/Services/OCI/RemoteServers. Use the aregcmd command add to add OCI servers under /Radius/RemoteServers.
Table 13-2 describes the ODBC or OCI service parameters. The fields that are displayed in the table changes based on the protocol type selected.
OCI Connection Timeout and Disconnection
Any single connection from Prime Access Registrar to Oracle server will be disconnected when one of the following is observed:
- Occurrence of native Oracle errors that are configured under AdditionalNativeOracleErrors.
- Continuous query timeouts (configured). This is configured using the OCITimeOutCount parameter.
This single connection disconnect will not impact the other active connections to that remote server. Hence, this will hold the state of the remote server in Prime Access Registrar as active.
Once a connection disconnects, it will attempt to reconnect after a reactivation time interval. You can configure this interval with the OCIConnectionReactivationInterval parameter.
Any Oracle server that Prime Access Registrar connects to will be marked as down during one of the following circumstances:
- Total number of disconnections reaches a threshold value. You can configure this threshold value using the OCIActiveConnectionThresholdCount parameter.
- Configured application times out—timeout in server/queue reaches the configured timeout (timeout count X number of connections).
- When the remote server starts or reactivates, no active connections are available even after waiting for the configured initial timeout.
In all the above cases, the Prime Access Registrar will attempt to re-establish the remote server connection after reactivation timer expires.
ODBC Data Source
ODBCDataSource is the name of the datasource to be used by the remote server. An ODBCDataSource name can be reused by multiple remote servers. You configure ODBCDataSources under /Radius/Advanced/ODBCDataSources. See Configuring an ODBC DataSource, for more information.
1. SQLNET.ORA timeout configuration
Tuning $ORACLE_HOME/network/admin/sqlnet.ora file on the Oracle Client
For proper function of the reactivate timer interval, one or more of the following parameters in sqlnet.ora file needs to be tuned:
– SQLNET.INBOUND_CONNECT_TIMEOUT
– SQLNET.OUTBOUND_CONNECT_TIMEOUT
Ensure that the ReactivateTimerInterval of ODBC/ODBC-Accounting remoteservers is greater than the timeout values configured in sqlnet.ora.
2. AdditionalNativeOracleErrors connection lost error configuration
Whenever OCI remote server oracle connection encounters configured ORA error, Prime Access Registrar will disconnect the remote server and reactivate it after the ReactivateTimerInterval
SQL Definitions
SQLDefinitions lists the UserPasswordAttribute and one or more SQL statements, listed numerically in the order to be run. The UserPasswordAttribute represents a column in the database that contains users’ password information. Individual SQLStatements are numbered SQL1 through SQL n under SQLStatements, as shown in the following example:
The following example is an SQL statement used for Authentication and Authorization:
For more information on stored procedures and stored functions, refer to Oracle Stored Procedures.
Table 13-3 describes the SQL Statement parameters.
SQL Syntax Restrictions
You must observe the following SQL syntax restrictions in SQL queries for Prime Access Registrar.
1. The SQL statement must be in the format of SELECT... FROM... WHERE..." (Statements might be in lowercase.)
Note 'WHERE' is compulsory in the SQL statement.
2. Stored procedures with return value must be in the " begin ? := <Stored_procedure_name> ( <IN/OUT Parameters>); end ;" format.
3. Stored procedures without return value can be in the " CALL <Stored_procedure_name> ( <IN/OUT Parameters>)" format.
4. Any arguments to Oracle functions like distinct, count must be given within braces, as shown in the following example:
select distinct(attribute),password from profiles where username=?
The resulted column from distinct(attribute) will be put into attribute which can be used for ODBC Mappings. The actual result set from Oracle for this column would be named distinct(attribute).
5. The column list in the SQL statement must be delimited with a comma (,) and any extra spaces between statements are ignored. Aliasing for column names in SQL is not allowed. SQLDefinition properties define the SQL you want to execute, as shown in the following example.
Specifying More Than One Search Key
You can specify more than one search key for a table in the SQL SELECT. To do so, add another search criteria to the SQL statement and add the environment variable name to the MarkerList. For example, the following query and MarkerList can be used to look up a username and CLID match.
In this case, the marker list would look like this:
To configure the multiple entries in the MarkerList list, surround the entire string in double quotes like the following:
To make this work, a variable called CLID must be in the environment dictionary. You can use a script to copy the appropriate value into the variable.
ODBCToRadiusMappings/OCIToRadiusMappings
You configure ODBCToRadiusMappings or OCIToRadiusMappings with a list of name/value pairs where name is the name of the data store attribute to retrieve from the user record and the value is the name of the RADIUS attribute to set to the value of the data store attribute retrieved.
For example, use the following aregcmd command to set a value for the variable Framed-IP-Address :
set FramedIPAddress Framed-IP-Address
When the ODBCToRadiusMappings or OCIToRadiusMappings has this entry, the RemoteServer retrieves the attribute from the data store user entry for the specified user, uses the value returned, and sets the response variable Framed-IP-Address to that value.
When an SQL select statement returns more than one row for a column mapped under ODBCToRadiusMappings or OCIToRadiusMappings, multiple Radius attributes are created.
For example, consider the following SQL select statement with ciscoavpair configured to Cisco-AVPair under ODBCToRadiusMappings. The table.column syntax requires an SQL alias for the mapping to work, as shown in the following example:
Mapping: t1abc = my_mapping
If two rows are returned for ciscoavpair column, two Cisco-AVPair attributes will be created.
ODBCToEnvironmentMappings/OCIToEnvironmentMappings
Under ODBCToEnvironmentMappings or OCIToEnvironmentMappings there is a list of name and value pairs in which the name is the name of the data store attribute to retrieve from the user record, and the value is the name of the Environment variable to set to the value of the ODBC or OCI attribute retrieved.
For example, when the ODBCToEnvironmentMappings has the entry: group =User-Group, the RemoteServer retrieves the attribute from the ODBC user entry for the specified user, uses the value returned, and sets the environment variable User-Group to that value. When an SQL select statement returns more than one row for a column mapped under ODBCToEnvironmentMappings, the value for all rows is concatenated and assigned to the environment variable.
ODBCToCheckItemMappings/OCIToCheckItemMappings
A list of ODBC or OCI attribute/value pairs which must be present in the RADIUS access request and must match, both name and value, for the check to pass.
For example, when the ODBCToCheckItemMappings or OCIToCheckItemMappings has the entry: group = User-Group, the Access Request must contain the attribute group, and it must be set to User-Group.
Configuring an ODBC DataSource
ODBCDataSource is the name of the datasource to be used by the remote server. You configure ODBCDataSources under /Radius/Advanced/ODBCDataSources. Multiple remote servers can use the same ODBCDataSource.
Under the ODBCDataSource object definition, for ODBC a list defines ODBC.ini filename/value pairs for a connection. The list includes a Type field and a Driver field, different for each Driver and Data Source, to indicate its Driver and Data Source. Prime Access Registrar currently supports only the Easysoft Open Source Oracle Driver.
For OCI services, ODBCDataSource type should be ‘oracle_oci’. The following is an example configuration of ODBCDataSource for OCI services.
Table 13-4 describes the OCILib Open Source Oracle Driver options for OCI.
|
|
|
|---|---|
Required; Oracle Client configuration database name (no default value) |
|
Setting ODBC/OCI As Authentication and Authorization Service
Use aregcmd to configure the ODBC Service as the default authentication and authorization service under //localhost /Radius as in the following:
set DefaultAuthenticationService odbc-service
set DefaultAuthorizationService odbc-service
Use aregcmd to configure the OCI Service as the default authentication and authorization service under //localhost /Radius as in the following:
set DefaultAuthenticationService oci-service
set DefaultAuthorizationService oci-service
Note When you use an ODBC or OCI service, configure the BackingStoreDiscThreshold property under /Radius/Advanced to ensure that the data generated by log files do not exceed the size limit configured.
Setting ODBC/OCI As Accounting Service
Use aregcmd to configure the ODBC Service as the default accounting service under //localhost /Radius as in the following:
set DefaultAccountingService odbc-service
Use aregcmd to configure the OCI Service as the default authentication and authorization service under //localhost /Radius as in the following:
Saving Your Configuration
When you use aregcmd to save your configuration, Prime Access Registrar attempts to validate the configuration, checks for all required parameters, and ensures there is no logic error. If the validation is successful, the configuration is saved to the MCD database. When you reload, Prime Access Registrar shuts down any current ODBC/OCI connections and builds new connections for the configured ODBC Data Sources.
Oracle Stored Procedures
A stored procedure is a database procedure similar to other programming language procedures, which is contained within the database itself. A SQL Server stored procedure that contains one or more IN parameters are used to pass data into the stored procedure.Similarly, one or more OUT parameters in the stored procedure are used to return data back to the calling application. Prime Access Registrar supports Oracle stored procedures/functions with IN and OUT parameters only over the OCI interface.
For Authentication and Authorization, Prime Access Registrar supports both Stored Procedures and Stored Functions with the In/Out parameters and return value. In the configuration for the AA remote server, the UserPasswordAttribute value must be in the marker list for procedures.
For Accounting, Prime Access Registrar supports both Stored Procedures and Stored Functions with only the In parameters, and does not support return value and Out parameters.
The following are the examples for stored functions and procedures calling inside Prime Access Registrar:
Note Prime Access Registrar does not support, return value with the "call" format for the stored procedures.
The following shows an example configuration for OCI AA remote server:
The following shows an example configuration for OCI AAA remote server:
Note Prime Access Registrar supports Oracle stored procedures for OCI AA and OCI AAA remote servers.
MySQL Support
Prime Access Registrar provides support for MySQL to query user records from a MySQL database and enables you to write accounting records into MySQL when using Oracle accounting. Prime Access Registrar has been tested with MySQL 5.0.90 and MyODBC 3.51.27 (reentrant).
This section contains the following topics:
MySQL Driver
You can download the MySQL driver from the MySQL website at http://mysql.com. You can go directly to the driver download page using the following URL:
http://dev.mysql.com/downloads/connector/odbc/3.51.html
Save the downloaded file to a temporary location such as /tmp. Use commands to unzip and install the driver.
For better performance with mysql, add the following code to the odbcinst.ini file under the /cisco-ar/odbc/etc directory:
Configuring a MySQL Datasource
You require the following to configure a MYSQL Datasource:
Configuring a MYSQL datasource
To configure the Prime Access Registrar server to query records form a MySQL database:
Step 1 Log into the Prime Access Registrar server and launch aregcmd.
Log in as a user with administrative rights such as user admin.
Step 2 Change directory to the /Radius/Advanced/ODBCDataSources and add a new ODBCDataSource.
cd /Radius/Advanced/ODBCDataSources
Step 3 Set the new ODBCDatasource type to myodbc.
The following is the default configuration for an ODBCDataSource object of type myodbc:
Step 4 Set the Driver property to the path of the MyODBC library. Use a command like the following:
set driver /scratch/myodbc/libmyodbc3_r.so
Step 5 Set the UserID property to a valid username for the MyODBC database and provide a valid password for this user.
Step 6 Provide a DataBase name and the name of the Prime Access Registrar RemoteServer object to associate with the ODBCDataSource.
Step 7 Change directory to /Radius/RemoteServers and add a RemoteServer object to associate with the new ODBCDatasource.
Step 8 Change directory to the new RemoteServer and set its protocol to odbc.
Step 9 Set the ODBCDataSource property to the name of the ODBCDataSource to associate with this RemoteServer object.
Step 10 Change directory to /Radius/Services and add an ODBC service as described in Configuring an ODBC/OCI Service.
Step 11 Change directory to /Radius and set the DefaultAuthenticationService and DefaultAuthorizationService properties to the ODBC service added in the previous step.
Example Configuration
The following shows an example configuration for a MySQL ODBC data source. See Configuring an ODBC DataSource for more information.
The following shows an example configuration for a RemoteServer. See Configuring an ODBC/OCI RemoteServer for more information.
The following shows an example configuration for an ODBC service. See Configuring an ODBC/OCI Service for more information.
The following shows an example configuration where the DefaultAuthenticationService and DefaultAuthorizationService properties have been set to the ODBC service.
Feedback