Installing and Configuring Cisco Access Registrar, 4.2
November 2008

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.
About This Guide

Installing and Configuring Cisco Access Registrar, 4.2 provides information about installing, configuring, and customizing CAR 4.2. This guide is intended for experienced network administrators with working knowledge of the Solaris UNIX operating system.

This guide contains the following chapters:
• Chapter 1, “Overview,” provides an overview of the installation process and dialog, information about downloading Cisco Access Registrar 4.
In an emergency, you can also reach PSIRT by telephone:
• 1 877 228-7302
• 1 408 525-6532

Tip  We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x. Never use a revoked or an expired encryption key.
CHAPTER 1
Overview

This chapter provides an overview of the software installation process. You can install the CAR 4.2 software on a machine for the first time, or you can upgrade the existing Cisco AR software on a workstation to CAR 4.2. You might receive the Cisco AR software on a packaged CD-ROM, or you can download the software from the Cisco.com web site. The “Downloading Cisco Access Registrar Software” section provides detailed information about downloading the CAR 4.2 software.
Installation Location

The next question in the installation dialog asks, “Where do you want to install?” The default location to install the software is /opt/CSCOar. You can choose to specify another location by entering it at this point. That directory would then be the base install directory, sometimes referred to as $INSTALL or $BASEDIR.

License File Location

The installation dialog asks for the location of the license file.
Example Configuration

The installation dialog asks if you want to install the example configuration. You can use the example configuration to learn about Cisco AR and to refer to the examples that appear later in this document. You can delete the example configuration at any time by running the command:

        /opt/CSCOar/bin/aregcmd -f /opt/CSCOar/examples/cli/delete-example-configuration.
• CSCOar-4.2.1-sol10-k9.tar.gz for Solaris 10
• CSCOar-4.2.1-lnx26-install-K9.sh for RedHat Enterprise Linux (RHEL) 4.0

Complete the following steps to download the software.

Step 1  Create a temporary directory, such as /tmp, to hold the downloaded software package.
Step 2  Enter the URL to the Cisco.com web site for Cisco AR software:
        http://www.cisco.com/cgi-bin/tablebuild.
CAR can be deployed in a two-tier architecture: front-end and back-end server. The front-end server performs AAA functions and it needs the base license and the TPS license. The back-end server performs session management functions and it needs the secondary license.

CAR can be deployed in an active/stand-by server combination (with Sun clustering solution).
If you receive a Software License Claim Certificate, you can get your Cisco AR license file at one of the two following URLs:
• www.cisco.com/go/license
  Use this site if you are a registered user of Cisco Connection Online.
• www.cisco.com/go/license/public
  Use this site if you are not a registered user of Cisco Connection Online.
Displaying License Information

Cisco AR provides two ways of getting license information using aregcmd:
• aregcmd command-line option
• Launching aregcmd

aregcmd Command-Line Option

Cisco AR provides a new -l command-line option to aregcmd. The syntax is:

        aregcmd -l directory_name

where directory_name is the directory where the Cisco AR license file is stored.
CHAPTER 2
Installing Cisco Access Registrar 4.2

This chapter provides information about installing CAR 4.2 software. The software is available in CD-ROM form and can also be downloaded from the Cisco.com website. The installation instructions differ slightly depending on whether you install the software from the Cisco AR CD-ROM or from downloaded software.

Note  CAR 4.2 can be used with Solaris 9, Solaris 10, or the Red Hat Enterprise Linux 4.0 32-bit operating system using kernel 2.6.9-22.0.2.
This section includes the following subsections:
• Deciding Where to Install
• Installing Cisco Access Registrar Software from CD-ROM
• Installing Downloaded Software
• Common Solaris Installation Steps
• Installing Cisco Access Registrar on LDoms

Tips  Before you begin to install the software, check your workstation’s /etc/group file and make sure that group staff exists.
Step 3  Use the following command line to uncompress the tarfile and extract the installation package files.

        zcat CSCOar-4.2.1-sol9-K9.tar.gz | tar xvf -

Note  These instructions are for the Solaris 9 package. There is no difference in download or installation procedures for Solaris 9 or Solaris 10 other than the package name.

Step 4
        http://java.sun.com/
        Where is the J2RE installed? [?,q] /nfs/insbu-cnstools/java

The J2RE is required to use the Cisco AR GUI. If you already have a Java 2 platform installed, enter the directory where it is installed.

Note  If you do not provide the J2RE path, or if the path is empty or unsupported, the installation process exits.

Step 9
        Do you want to install these as setuid/setgid files [y,n,?,q]

Step 13  Enter Y to install the setuid/setgid files.

        This package contains scripts which will be executed with super-user
        permission during the process of installing this package.
        Do you want to continue with the installation of [y,n,?]

Step 14  Enter Y to continue with the software installation.
Configuring SNMP

If you choose not to use the SNMP features of CAR, the installation process is completed. To use SNMP features, complete the configuration procedure described in “Configuring SNMP.”

RPC Bind Services

The Cisco AR server and the aregcmd CLI require RPC services to be running before the server is started.
Deciding Where to Install

Before you begin the software installation, you should decide where you want to install the new software. The default installation directory for CAR 4.2 software is /opt/CSCOar. You can use the default installation directory, or you can choose to install the Cisco AR software in a different directory.
Step 3  Enter the name of the script file to begin the installation:

        ./CSCOar-4.2.1-lnx26-install-k9.sh

        Name        : CSCOar                 Relocations: /opt/CSCOar
        Version     : 4.2.1                  Vendor: Cisco Systems, Inc.
        Release     : 1140764415             Build Date: Mon Nov 03 23:55:51 2008
        Install date: (not installed)        Build Host: spencer.cnslab.cisco.com
        Summary     : Access Registrar, a carrier-class RADIUS server
        build_tag: [Linux-2.6.
Step 7  When prompted whether to install the example configuration now, enter Y or N to continue.

Note  You can delete the example configuration at any time by running the command /opt/CSCOar/usrbin/aregcmd -f /opt/CSCOar/examples/cli/delete-example-configuration.rc.

        unpack the rpm file done
        Preparing...
CHAPTER 3
Upgrading Cisco Access Registrar Software

CAR 4.2 supports software upgrades from your previously installed Cisco AR software while preserving your existing configuration database. Cisco AR supports an upgrade path for both the Solaris and Linux versions of Cisco AR software.

Caution  Configuration for Prepaid billing servers in Cisco AR 3.0 will no longer work in CAR 4.2. If you have been using a Prepaid billing server in Cisco AR 3.0 and are upgrading your software to CAR 4.
Step 2  If you have modified the snmpd.conf file in the /cisco-ar/ucd-snmp/share/snmp directory, you must back up this file before starting the upgrade process. The pkgrm command removes the snmpd.conf file, even if it has been modified.
Step 3  Remove the old software using the pkgrm command. See Using pkgrm to Remove Cisco Access Registrar Solaris Software.
Step 2  If you have modified the snmpd.conf file in the /cisco-ar/ucd-snmp/share/snmp directory, you must back up this file before starting the upgrade process. The pkgrm command removes the snmpd.conf file, even if it has been modified.

Note  If you currently use the 3.5.2 Linux version, the uninstall-ar program removes /opt/CSCOar/data.
        [ //localhost/Radius/Replication ]
        RepType = None
        RepTransactionSyncInterval = 60000
        RepTransactionArchiveLimit = 100
        RepIPAddress = 0.0.0.0
        RepPort = 1645
        RepSecret = NotSet
        RepIsMaster = FALSE
        RepMasterIPAddress = 0.0.0.0
        RepMasterPort = 1645
        Rep Members/

Make sure that RepType is set to None.

Step 3  If you made changes, issue the save command, then exit the aregcmd command interface.
        2973: terminated
        2971: terminated, wait status 0x000f
        2965: terminated
        Access Registrar Server Agent shutdown complete.
        # removing /etc/rc.d files
        # done with preremove.
        ## Removing pathnames in class
        /opt/AICar1/ucd-snmp/share/snmp/snmpd.conf
        . . .
        /opt/AICar1/bin/screen
        /opt/AICar1/bin
        /opt/AICar1/README
        ## Removing pathnames in class
        ## Updating system information.
        Access Registrar Server Agent shutdown complete.
        # removing /etc/rc.d files
        # done with preremove.
        ## Removing pathnames in class
        /opt/CSCOar/ucd-snmp/share/snmp/snmpd.conf
        /opt/CSCOar/ucd-snmp/share/snmp/snmpconf-data/snmptrapd-data/traphandle
        . . . . .
        /opt/CSCOar/README
        /opt/CSCOar/.system/screen
        /opt/CSCOar/.system
        ## Removing pathnames in class
        ## Updating system information.
        4 processes left.3 processes left.......2 processes left.......k0 processes left.0 processes left
        Access Registrar Server Agent shutdown complete.

Installing the Cisco Access Registrar License File

CAR 4.2 uses a new licensing mechanism that enables you to activate all features in Cisco AR. During system initialization, the Cisco AR server sets up the licensing data model and activates all features.
Installing Cisco Access Registrar Software from CD-ROM

The following steps describe how to begin the software installation process when installing software from the CAR 4.2 CD-ROM. If you are installing downloaded software, proceed to Installing Downloaded Software.

Step 1  Place the CAR 4.2 software CD-ROM in the Cisco AR workstation CD-ROM drive.
        (sparc) 4.2.1
        Copyright (C) 1998-2008 by Cisco Systems, Inc.
        This program contains proprietary and confidential information.
        All rights reserved except as may be permitted by prior written consent.

        This package contains the Access Registrar Server and the Access
        Registrar Configuration Utility. You can choose to perform either a
        Full installation or just install the Configuration Utility.
        Do you want to preserve the local database in /opt/CSCOar [y]: [y,n,?,q] y

Step 6  Enter Y to preserve the local database.

        The upgrade procedure needs administrator access to your
        configuration so that it can upgrade it.
        Enter an AR administrator username and password:
        User:

Step 7  Enter the administrator userID and password.
        inflating: /opt/CSCOar/jakarta-tomcat-4.0.6/webapps/tomcat-docs/RUNNING.txt
        inflating: /opt/CSCOar/jakarta-tomcat-4.0.6/webapps/tomcat-docs/security-manager-howto.html
        inflating: /opt/CSCOar/jakarta-tomcat-4.0.6/webapps/tomcat-docs/ssl-howto.html
        creating: /opt/CSCOar/jakarta-tomcat-4.0.6/work/
        # setting up product configuration file /opt/CSCOar/conf/car.conf
        # linking /etc/init.d/arserver to /etc/rc.
        ###############################################################
        #
        # A backup copy of your original configuration has been
        # saved to the file:
        #
        # /opt/CSCOar/temp/10062.origconfig-backup
        #
        # If you need to restore the original configuration,
        # enter the following command:
        #
        # mcdadmin -coi /opt/CSCOar/temp/10062.
        # to perform the update. The script is located in:
        #
        # /opt/CSCOar/temp/10062.manual-changes
        #
        # Review the script to make sure it does not conflict with
        # any of your VSA changes. Make sure you modify the script,
        # if necessary, before you attempt to run it.
        #
        # To run the update script, type:
        #
        # aregcmd -sf /opt/CSCOar/temp/10062.
        cd /opt/CSCOar/bin
        arserver stop

        Waiting for these processes to die (this may take some time):
        AR RADIUS server running (pid: 1403)
        AR Server Agent running (pid: 29310)
        AR MCD lock manager running (pid: 29320)
        AR MCD server running (pid: 29317)
        AR GUI running (pid: 29441)
        5 processes left.2 processes left.0 processes left
        Access Registrar Server Agent shutdown complete.
Step 5  Change the permissions of the CSCOar-4.2.1-lnx26-install-k9.sh file to make it executable.

        chmod 777 CSCOar-4.2.1-lnx26-install-k9.sh

To continue the installation, proceed to Common Linux Installation Steps.

Common Linux Installation Steps

This section describes how to install the downloaded CAR 4.2 software for Linux and begin the software installation.
Step 5  Enter the directory where you have stored the CAR 4.2 license file.

        Access Registrar provides a Web GUI. It requires J2RE version 1.4.*
        to be installed on the server.
        If you already have a compatible version of J2RE installed, please
        enter the directory where it is installed. If you do not, the
        compatible J2RE version can be downloaded from:
        http://java.sun.
        inflating: /opt/CSCOar/jakarta-tomcat-4.0.6/webapps/tomcat-docs/security-manager-howto.html
        inflating: /opt/CSCOar/jakarta-tomcat-4.0.6/webapps/tomcat-docs/ssl-howto.html
        creating: /opt/CSCOar/jakarta-tomcat-4.0.6/work/
        Preparing...
Removing Old VSA Names

The upgrade process provides an analysis of the configuration database, addition of new database elements, and a search for obsolete VSA names. When this is complete, a message like the following is displayed:

        ##############################################################
        #
        # Sometimes VSAs get renamed from version to version of AR.
Step 11  Record the location of the upgrade messages for future reference.

        ##############################################################
        #
        # These upgrade messages are saved in:
        #
        # /opt/CSCOar/temp/10062.upgrade-log
        #
        ##############################################################

Configuring SNMP

If you choose not to use the SNMP features of CAR, the installation process is completed.
CHAPTER 4
Configuring Cisco Access Registrar 4.2

This chapter describes how to configure a site. Cisco Access Registrar 4.1 is very flexible. You can choose to configure it in many different ways. In addition, you can write scripts that can be invoked at different points during the processing of incoming requests and/or outgoing responses. Before you can take advantage of this flexibility, it helps to configure a simple site. This chapter describes that process.
You can use CAR’s command completion feature to see what commands are possible from your current directory location in the CAR server hierarchy by pressing the Tab key. You can also press the Tab key after entering a command to see which objects you might want to manage.

The aregcmd commands are command-line order dependent; that is, the arguments are interpreted based on their position on the command line.
Step 1  Run the aregcmd command:

        aregcmd

Step 2  When asked for “Cluster,” press Enter.
Step 3  Enter your administrator name and password. When you install CAR software, the installation process creates a default administrator called admin with the password aicuser.

Changing the Administrator’s Password

The administrator ID admin and password aicuser are default settings for all releases of CAR software.
Creating Additional Administrators

Use the add command to add additional administrators.

Step 1  Use the cd command to change to the Administrators level:

        cd /Administrators

Step 2  Use the add command and specify the name of the administrator, an optional description, and a password.
Checking the System-Level Defaults

Because this site does not use incoming or outgoing scripts, you do not need to change the scripts’ properties (IncomingScript and OutgoingScript). Since the default authentication and authorization properties specify a single user list, you can leave these unchanged as well (DefaultAuthenticationService and DefaultAuthorizationService).
To configure Cisco AR to use ports other than the default ports, complete the following steps:

Step 1  Change directory to /Radius/Advanced/Ports.

        cd /Radius/Advanced/Ports
        [ //localhost/Radius/Advanced/Ports ]

Step 2  Use the add command (twice) to add ports in pairs. (The ls is entered to show the results of the add command.
Cisco AR, by default, specifies a Service called local-users that has the type local and uses the Default UserList (Figure 4-1).
        Description =
        Password =
        Enabled = TRUE
        Group~ = Telnet-users
        BaseProfile~ =
        AuthenticationScript~ =
        AuthorizationScript~ =
        UserDefined1 =
        AllowNullPassword = FALSE
        Attributes/
        CheckItems/

Step 3  Use the set command to provide a password for user jane.
• PPP-users: uses the BaseProfile default-PPP-users to specify the attributes of PPP service to provide the user. The BaseProfile default-PPP-users contains the attributes that are added to the response dictionary as part of the authorization.

For more information about Profiles, see the “Configuring Profiles” section.
        set IncomingScript ParseServiceHints EnableDynamicAuthorization TRUE EnableNotifications TRUE

The script, ParseServiceHints, checks the username for %PPP or %SLIP. It uses these tags to modify the request so it appears to the RADIUS server that the NAS requested that service.
When you need to set an attribute to a value that includes a space, you must double-quote the value, as in the following:

        set Framed-Routing "192.168.1.0/24 192.168.1.
Step 2  Use the reload command to reload your server.

        reload

Testing Your Configuration

Now that you have configured some users and a NAS, you are ready to test your configuration. There are two ways you can test your site:
1. You can act as a user and dial in to your NAS, and check that you can successfully log in.
2. You can run the radclient command, and specify one of the default users when making a request.
        p001 send
        p002

Step 6  Enter the response identifier to display the contents of the Access-Accept packet:

        p002
        Packet: code = Access-Accept, id = 1,\
        length = 38, attributes =
        Login-IP-Host = 196.168.1.94
        Login-Service = Telnet
        Login-TCP-Port = 541

Troubleshooting Your Configuration

If you are unable to receive an Access-Accept packet from the Cisco AR server, you can use the aregcmd command trace to troubleshoot your problem.
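The Access-Accept displayed in Step 6 above is 38 octets long because a 20-octet RADIUS header is followed by three 6-octet attributes. The following Python example is added here for illustration and is not part of the Cisco guide or of radclient: it rebuilds that reply as RFC 2865 defines it and parses it the way a client should, validating every length field and the Response Authenticator. The request authenticator and the shared secret are constructed values.

```python
import hashlib
import hmac
import socket
import struct

ACCESS_ACCEPT = 2
# RFC 2865 attribute numbers for the three attributes in the reply shown above.
ATTR_NAMES = {14: "Login-IP-Host", 15: "Login-Service", 16: "Login-TCP-Port"}
LOGIN_SERVICE = {0: "Telnet", 1: "Rlogin"}


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: assemble header, Response Authenticator and attributes."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def decode_value(attr_type, value):
    """Decode the attribute types used in the sample; others are shown as hex."""
    if attr_type == 14 and len(value) == 4:
        return socket.inet_ntoa(value)
    if attr_type in (15, 16) and len(value) == 4:
        number = struct.unpack("!I", value)[0]
        return LOGIN_SERVICE.get(number, number) if attr_type == 15 else number
    return value.hex()


def parse_reply(packet, request_auth, secret):
    """Client side: parse a reply, rejecting bad lengths and bad authenticators."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > 4096 or length > len(packet):
        raise ValueError("declared length is inconsistent with the datagram")
    packet = packet[:length]  # octets beyond Length are padding and are ignored
    attrs = packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    decoded, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("attribute length overruns the packet")
        value = attrs[pos + 2:pos + attr_len]
        name = ATTR_NAMES.get(attr_type, "Attr-%d" % attr_type)
        decoded.append((name, decode_value(attr_type, value)))
        pos += attr_len
    return {"code": code, "id": ident, "length": length, "attributes": decoded}


# Constructed sample: the attribute values are those in the guide's output;
# the request authenticator and the shared secret are made up for this example.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = (
    bytes([14, 6]) + socket.inet_aton("196.168.1.94")
    + bytes([15, 6]) + struct.pack("!I", 0)
    + bytes([16, 6]) + struct.pack("!I", 541)
)
SAMPLE_REPLY = build_reply(ACCESS_ACCEPT, 1, SAMPLE_ATTRS,
                           SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)

if __name__ == "__main__":
    print(parse_reply(SAMPLE_REPLY, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

A reply computed with a different shared secret, or altered in transit, fails the authenticator check before any attribute is decoded.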
After you save and reload the CAR server configuration, the CAR server writes accounting messages to the accounting.log file in the /opt/CSCOar/logs directory. The CAR server stores information in the accounting.log file until a rollover event occurs. A rollover event is caused by the accounting.log file exceeding a pre-set size, by a period of time elapsing, or by a scheduled date being reached. When the rollover event occurs, the data in accounting.
        /opt/CSCOar/bin/arserver stop

Modifying the snmpd.conf File

The path to the snmpd.conf file is /cisco-ar/ucd-snmp/share/snmp. Use vi (or another text editor) to edit the snmpd.conf file. There are three parts of this file to modify:
• Access Control
• Trap Recipient
• System Contact Information

Access Control

Access control defines who can query the system.
Trap Recipient

The following example shows the default configuration that sets up trap recipients for SNMP versions v1 and v2c.

Note  Most sites use a single NMS, not two as shown below.
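When editing the Access Control and Trap Recipient parts of snmpd.conf described above, it helps to check the result for community strings left at well-known values and for sources that match any host. The following Python example is added here and is not part of the Cisco guide; it uses the standard ucd-snmp directive syntax (com2sec, rocommunity, rwcommunity, trapsink, trap2sink), and the sample file content is constructed.

```python
import ipaddress

WELL_KNOWN_COMMUNITIES = {"public", "private"}


def source_is_open(source):
    """True when a source restriction matches every address."""
    if source.lower() == "default":
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # a host name or other non-network token


def audit_snmpd_conf(text):
    """Return [(line number, directive, [issues])] for risky access-control
    and trap-recipient lines in ucd-snmp style snmpd.conf text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tokens:
            continue
        directive = tokens[0].lower()
        issues = []
        if directive == "com2sec" and len(tokens) >= 4:
            # com2sec NAME SOURCE COMMUNITY
            source, community = tokens[2], tokens[3]
        elif directive in ("rocommunity", "rwcommunity") and len(tokens) >= 2:
            # rocommunity COMMUNITY [SOURCE]; without SOURCE any host matches
            community = tokens[1]
            source = tokens[2] if len(tokens) >= 3 else "default"
            if directive == "rwcommunity":
                issues.append("write-access")
        elif directive in ("trapsink", "trap2sink") and len(tokens) >= 3:
            # trapsink HOST COMMUNITY; the community is sent in clear text
            source, community = None, tokens[2]
        else:
            continue
        if source is not None and source_is_open(source):
            issues.append("any-source")
        if community.lower() in WELL_KNOWN_COMMUNITIES:
            issues.append("well-known-community")
        if issues:
            findings.append((lineno, directive, sorted(issues)))
    return findings


# Constructed sample file; addresses and community strings are invented.
SAMPLE_CONF = "\n".join([
    "# constructed sample in ucd-snmp snmpd.conf syntax",
    "com2sec local     localhost      private",
    "com2sec mynetwork default        public",
    "com2sec nms       10.10.10.0/24  n0c-read",
    "rwcommunity public",
    "trapsink  10.10.10.5 public",
    "trap2sink 10.10.10.5 tr4p-c0mm",
])

if __name__ == "__main__":
    for lineno, directive, issues in audit_snmpd_conf(SAMPLE_CONF):
        print("line %d: %s: %s" % (lineno, directive, ", ".join(issues)))
```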
You enable dynamic DNS updates by creating and configuring new Resource Managers and new RemoteServers, both of type dynamic-dns. The dynamic-dns Resource Managers specify which zones to use for the forward and reverse zones and which Remote Servers to use for those zones. The dynamic-dns Remote Servers specify how to access the DNS Servers.

Before you configure Cisco AR you need to gather information about your DNS environment.
        set IPAddress 10.10.10.1 (ip address of primary dns server for zone)
        set ForwardZoneTSIGKey foo.com
        set ReverseZoneTSIGKey foo.com

If the reverse zone will be updated and if the primary server for the reverse zone is different than the primary server for the forward zone, you will need to add another Remote Server. Follow the previous two steps to do so. Note that the IP Address and the TSIG Key will be different.
Step 1  Launch aregcmd and log in to the Cisco AR server.

        cd /opt/CSCOar/bin
        aregcmd

Step 2  Use the trace command to set the trace to level 4.

        trace 4

Step 3  Launch radclient.

        cd /opt/CSCOar/bin
        radclient

Step 4  Create an Accounting-Start packet.

        acct_request Start username

        Example:

        set p [ acct_request Start bob ]

Step 5  Add a Framed-IP-Address attribute to the Accounting-Start packet.
CHAPTER 5
Customizing Your Configuration

After you have configured and tested a basic site, you can begin to make changes to better address your own site’s needs.
Table 5-1  Configuring UserGroups

        Object        Action
        UserGroups    Add a new UserGroup
        UserLists     Set group membership

Creating and Setting Group Membership

Step 1  Run the aregcmd command:

        aregcmd

Step 2  Use the cd command to change to the UserGroups object.

        cd /Radius/UserGroups

Step 3  Use the add command to create a user group, specifying the name and optional description, BaseProfile, AuthenticationScript, or AuthorizationScript.
Configuring a Default Group

If you allow users to request different Services based on how they specify their username, you can use a script to determine the type of Service to provide. For example, the user joe can request either PPP or Telnet Service by either logging in as joe%PPP or joe%Telnet. This works because there are two scripts: ParseServiceHints and AuthorizeService.
Step 6  Use the set command to set the user’s group membership to the name of that group. The following example sets beth’s group membership to the Default group.

        set Group Default

Step 7  Use the save command to save your changes:

        save

Step 8  Use the reload command to reload the server:

        reload

Note  To be able to save your changes and reload the server after following this example, you must have an actual script.
Table 5-3  Configuring Separate UserLists

        Object       Action
        UserLists    Add new UserLists.
        Users        Add users.
        Services     Add new Services. Set service type (local).
        Radius       Set Incoming Script.
        Scripts      Add a new Script.

Configuring Separate UserLists

Divide your site along organizational or company lines, and create a UserList for each unit.

Creating Separate UserLists

Step 1  Run the aregcmd command.
        add beth telemarketing 123 TRUE PPP-users

Step 3  Repeat for the other users you want to add. You can use the script, add-100-users, which is located in the /opt/CSCOar/examples/cli directory to automatically add 100 users.

Configuring Services

You must create a corresponding Service for each UserList. For example, when you create four UserLists, one for each section of the country, you must create four Services.
In this situation, when beth@North.QuickExample.com makes an Access-Request, the script will strip off the word North and use it to set the value of the environment variable Authentication-Service and/or Authorization-Service. Note that the script overrides any existing default authentication and/or authorization specifications.
Step 3  Use the cd command to change to Scripts.

        cd /Radius/Scripts

Step 4  Use the add command to add the new script, specifying the name, description, language, filename and an optional entry point. If you do not specify an entry point, Cisco AR uses the script’s name. The following example specifies the name ParseUserName, the language Rex (which is RADIUS Extension), the filename LibParseUserName.
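Because a script such as ParseUserName lets the supplied username override the default authentication and authorization Services, the region taken from the username should be matched against a fixed list rather than used as given. The following Python model of that decision is an added example, not the Rex script shipped with Cisco AR; the Service names and the restriction to the QuickExample.com domain are assumptions made for the illustration.

```python
import re

# Assumed mapping from the region label in the realm to the Service that
# was created for that region's UserList. These Service names are
# placeholders for the example, not names taken from the guide.
REGION_SERVICES = {
    "north": "North-users",
    "south": "South-users",
    "east": "East-users",
    "west": "West-users",
}
SITE_DOMAIN = "quickexample.com"  # domain used in the guide's example user
LOCAL_PART = re.compile(r"[A-Za-z0-9._-]{1,64}")


def parse_user_name(username, environ):
    """Return the bare user name and, for a known region only, set the
    Authentication-Service and Authorization-Service variables in environ.

    A name without a realm is returned unchanged, so the server defaults
    apply. Any realm that is not on the allow-list raises ValueError and
    leaves environ untouched, so a crafted username cannot steer the
    request to a Service the operator never intended to expose.
    """
    parts = username.split("@")
    if len(parts) == 1:
        return username
    if len(parts) != 2:
        raise ValueError("more than one '@' in user name")
    local, realm = parts
    if not LOCAL_PART.fullmatch(local):
        raise ValueError("unexpected characters in user name")
    labels = realm.lower().rstrip(".").split(".")
    region, domain = labels[0], ".".join(labels[1:])
    service = REGION_SERVICES.get(region)
    if domain != SITE_DOMAIN or service is None:
        raise ValueError("realm %r is not served here" % realm)
    environ["Authentication-Service"] = service
    environ["Authorization-Service"] = service
    return local


if __name__ == "__main__":
    env = {}
    print(parse_user_name("beth@North.QuickExample.com", env), env)
```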
Note  Although these services differ in the way they handle authentication and authorization, the procedure for configuring a remote server is the same independent of its type. For more information about the differences between these servers, see the Cisco Access Registrar User Guide.

Table 5-4 provides an overview of the process. The following sections describe the process in more detail.
Step 5 Use the set command to specify the protocol ldap:

    set protocol ldap

Step 6 Use the set command to specify the required LDAP properties. At the very least you must specify:
• IPAddress—the IP address of the LDAP server (for example, 196.168.1.5).
• Port—the port the LDAP server is listening on (for example, 389).
• HostName—the hostname of the machine specified in the IP address field (for example, ldap1.
Creating Services

Step 1 Run the aregcmd command:

    aregcmd

Step 2 Use the cd command to change to the Services level:

    cd /Radius/Services

Step 3 Use the add command to add the appropriate LDAP service.
To have Cisco AR perform authentication and authorization against information from the LDAP server, you must change the DefaultAuthenticationService and DefaultAuthorizationService at the Radius level.
Figure 5-2 Using a Script to Choose a Remote Server
[Figure labels: Request; Scripts (Choose service); Services (NorthUsers-radius, SouthUsers-radius); Remote Servers (North, North2, South)]

Table 5-5 provides an overview of the process. The following sections describe the process in more detail. Repeat for each RemoteServer you want to configure.
Step 4 Use the cd command to change to the North RemoteServers level:

    cd /Radius/RemoteServers/North

Step 5 Use the set command to specify the protocol radius:

    set protocol radius

Step 6 Use the set command to specify the SharedSecret 789:

    set SharedSecret 789

Step 7 Repeat these steps for the other remote servers.
Step 7 Create another Service (SouthUsers-radius) for the South remote server.

Configuring the Script

When you have multiple RemoteServers, you need a script that determines the authentication and/or authorization Service, which in turn specifies the RemoteServer to check when a user makes an Access-Request.
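The hint-to-Service selection described under Configuring Multiple UserLists and under Configuring the Script, as an added C illustration; it is not Cisco's script and does not use the Rex API. The request_env struct, the function names, the default-service value, and the pairing of the hints North and South with the Service names shown in Figure 5-2 are assumptions. A hint that is not in the table leaves the configured defaults in place, so text typed by the user never becomes a Service name.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the request environment; not the Rex dictionary API. */
struct request_env {
    const char *authentication_service;
    const char *authorization_service;
};

/* Allowlist of hints. Service names follow Figure 5-2; the pairing is assumed. */
static const struct { const char *hint; const char *service; } HINTS[] = {
    { "North", "NorthUsers-radius" },
    { "South", "SouthUsers-radius" },
};

/* Return the Service for user@Hint.domain, or NULL when there is no known hint. */
const char *service_for(const char *username)
{
    const char *at = strrchr(username, '@');
    if (at == NULL || at == username) return NULL;  /* no realm, or empty user part */
    const char *hint = at + 1;
    size_t len = strcspn(hint, ".");                /* first label of the realm */
    for (size_t i = 0; i < sizeof HINTS / sizeof HINTS[0]; i++)
        if (strlen(HINTS[i].hint) == len && strncmp(hint, HINTS[i].hint, len) == 0)
            return HINTS[i].service;
    return NULL;                  /* unknown hint: input never becomes a Service name */
}

/* Override both services on a match; otherwise keep the configured defaults. */
int apply_hint(const char *username, struct request_env *env)
{
    const char *svc = service_for(username);
    if (svc == NULL) return 0;
    env->authentication_service = svc;
    env->authorization_service = svc;
    return 1;
}

int main(void)
{
    /* Constructed sample user names. */
    const char *samples[] = { "beth@North.QuickExample.com", "eve@East.QuickExample.com", "beth" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct request_env env = { "default-service", "default-service" };
        apply_hint(samples[i], &env);
        printf("%-28s -> %s\n", samples[i], env.authentication_service);
    }
    return 0;
}
```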
Configuring Session Management

You can use session management to track user sessions, and/or allocate dynamic resources to users for the lifetime of their sessions. You can define one or more Session Managers, and have each one manage the sessions for a particular group or company.

Configuring a Resource Manager

Session Managers use Resource Managers, which in turn manage a pool of resources of a particular type.
Step 1 Run the aregcmd command:

    aregcmd

Step 2 Use the cd command to change to the ResourceManagers level:

    cd /Radius/ResourceManagers

Step 3 Use the add command to add a new ResourceManager.
Step 5 Use the set command to specify the ResourceManagers you want tracked per user session. Specify a number and the name of the ResourceManager. Note, you can list the ResourceManager objects in any order.

    set 1 rm-100

Enabling Session Management

Cisco AR, by default, comes configured with the sample SessionManagement session-mgr-1. You can modify it or change it to the new SessionManager you have created.