- Overview
- RADIUS Accounting Log
- Using WiMAX in Cisco Prime Access Registrar
- Replication Log
- Using On-Demand Address Pools
- Wireless Support
- Enforcement of Licensing Models
- Logging Syslog Messages
- Troubleshooting Cisco Prime Access Registrar
- Cisco Prime Access Registrar Tcl, REX, and Java Dictionaries
- Environment Dictionary
- RADIUS Attributes
- Support for REST API in Cisco Prime Access Registrar
- Supported Counters and Error Statistics
- Health Monitoring in Cisco Prime Access Registrar
Overview
This chapter provides an overview of the RADIUS server, including connection steps, RADIUS message types, and using Cisco Prime Access Registrar (Prime Access Registrar) as a proxy server.
Prime Access Registrar is a 3GPP-compliant, 64-bit carrier-class RADIUS (Remote Authentication Dial-In User Service)/Diameter server that enables multiple dial-in Network Access Server (NAS) devices to share a common authentication, authorization, and accounting database.
Prime Access Registrar handles the following tasks:
- Authentication—determines the identity of users and whether they can be allowed to access the network
- Authorization—determines the level of network services available to authenticated users after they are connected
- Accounting—keeps track of each user’s network activity
- Session and resource management—tracks user sessions and allocates dynamic resources
Using a RADIUS server allows you to better manage the access to your network, as it allows you to store all security information in a single, centralized database instead of distributing the information around the network in many different devices. You can make changes to that single database instead of making changes to every network access server in your network.
Prime Access Registrar also allows you to manage the complex interconnections of the new network elements in order to:
- adequately manage the traffic
- perform appropriate load balancing for desired load distribution
- allow binding of different protocol interfaces corresponding to a subscriber/network element
Service providers transform their 3G and 4G wireless networks with complex services, tiered charging, converged billing, and more by introducing increasing numbers and types of Diameter-based network elements. LTE and IMS networks are the most likely to implement these new network elements—including Policy and Charging Rules Functions (PCRF), Home Subscriber Servers (HSS), Mobility Management Entities (MME), Online Charging Systems (OCS), and others. As a result, as the traffic levels grow, these wireless networks are becoming more difficult to manage and scale without the Prime Access Registrar infrastructure.
Prime Access Registrar allows GUI-based, CLI-based, and REST API-based configurations. For more details, see the “Using the Graphical User Interface” chapter of the Cisco Prime Access Registrar 9.2 User Guide, the “Using the aregcmd Commands” chapter of the Cisco Prime Access Registrar 9.2 Administrator Guide, and Chapter D, “REST API Framework.”
Prime Access Registrar Directory Structure
The installation process populates the /opt/CSCOar directory with the subdirectories listed in Table 1-1.
Program Flow
When a NAS sends a request packet to Prime Access Registrar with a name and password, Prime Access Registrar performs the following actions. Table 1-2 describes the flow without regard to scripting points.
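As an added illustration that is not from the guide, this shows the wire-level exchange behind that flow as RFC 2865 defines it: the NAS sends an Access-Request carrying User-Name and a User-Password hidden with the shared secret, the server recovers the password, decides Accept or Reject, and the NAS accepts the reply only if its Response Authenticator checks out. The shared secret, user, and fixed Request Authenticator are constructed sample values, and the function names are mine.

```python
import hashlib
import struct
# RADIUS codes/attribute types from RFC 2865; the secret, user and authenticator below are constructed samples.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def xor_chain(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if hide:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hide else data[i:i + 16]  # always chain on the ciphertext block
    return out if hide else out.rstrip(b"\x00")

def build(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then Type/Length/Value attributes
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def attrs_of(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def server_reply(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the hidden password, check it against the user store,
    then sign the reply with the Response Authenticator (RFC 2865 section 3)."""
    ident, req_auth, attrs = request[1], request[4:20], attrs_of(request)
    pw = xor_chain(attrs[USER_PASSWORD], secret, req_auth, hide=False)
    reply = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == pw else ACCESS_REJECT
    resp_auth = hashlib.md5(struct.pack("!BBH", reply, ident, 20) + req_auth + secret).digest()
    return build(reply, ident, resp_auth, [])

def nas_verify(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: trust the reply only if MD5(Code+ID+Length+RequestAuth+Attrs+Secret) matches."""
    return hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest() == response[4:20]

def demo(password: bytes = b"s3cret-pw") -> tuple:
    """One Access-Request/response round trip; returns (reply code, NAS verified?)."""
    secret, req_auth = b"shared-secret", bytes(range(16))  # constructed; real NASes use random authenticators
    hidden = xor_chain(password, secret, req_auth, hide=True)
    request = build(ACCESS_REQUEST, 7, req_auth, [(USER_NAME, b"alice"), (USER_PASSWORD, hidden)])
    response = server_reply(request, secret, {b"alice": b"s3cret-pw"})
    return response[0], nas_verify(response, req_auth, secret)
```

The scripting points described later in this chapter hook into the server-side step between recovering the request and signing the reply; the example shows only the protocol exchange itself.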
Prime Access Registrar supports Diameter with Extensible Authentication Protocol (EAP) functionality to enable authentication between NAS and a backend NAS Diameter authentication server. For more information, see the “Diameter” chapter of the Cisco Prime Access Registrar 9.2 User Guide.
Prime Access Registrar also supports 3GPP compliance by implementing a set of protocols. To understand more about the 3GPP AAA server support and the call flow, see the “Wireless Support” chapter of the Cisco Prime Access Registrar 9.2 Reference Guide.
Scripting Points
Prime Access Registrar lets you invoke scripts you can use to affect the Request, Response, or Environment dictionaries. This section contains the following topics:
Client Scripting
Though Prime Access Registrar allows external code (Tcl/C/C++/Java) to be used by means of a script, custom service, policy engine, and so forth, while processing requests or responses or while working with the environment dictionaries, it shall not be responsible for the scripts used and will not be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of the script.
Prime Access Registrar also allows you to define internal scripts, by which you can add, modify, or delete attributes in the request, response, and environment dictionaries for RADIUS, Diameter, and TACACS+.
Client or NAS Scripting Points
Table 1-3 shows the location of the scripting points within the section that determines whether to accept the request from the client or NAS. Note that the scripting points are marked with an asterisk (*).
Authentication and/or Authorization Scripting Points
Table 1-4 shows the location of the scripting points within the section that determines whether to perform authentication and/or authorization.
Script Processing Hierarchy
For request packets, the script processing order is from the most general to the most specific. For response packets, the processing order is from the most specific to the most general.
Table 1-5 , Table 1-6 , and Table 1-7 show the overall processing order and flow:
(1-6) Incoming Scripts, (7-11) Authentication/Authorization Scripts, and (12-17) Outgoing Scripts.
Note The client and the NAS can be the same entity, except when the immediate client is acting as a proxy for the actual NAS.
Service and Ports Used in Prime Access Registrar
Secure Shell Service
The SSH daemon (sshd) is the server program for ssh(1). It provides encrypted secure shell communications between two hosts over the network.
In the case of Prime Access Registrar, SSH is used to connect to the Prime Access Registrar server and configure it using the CLI.
Ports
The following table lists the port numbers that are used for various services in Prime Access Registrar for AAA. The port-number and service-name columns of the table did not survive extraction; only the description cells are recoverable and are listed here in table order:
- RADIUS (several rows): You can change the default or define new RADIUS port numbers under /Radius/Advanced/Ports in the CLI and Configuration > Advanced > Ports in the GUI.
- RADIUS dynamic authorization, which is used with CoA/PoD packet types. You can change the default or define new RADIUS port numbers under /Radius/Advanced/Ports in the CLI and Configuration > Advanced > Ports in the GUI.
- TACACS+ based AAA service (Authentication, Authorization, and Accounting).
- Diameter AA service (Authentication and Authorization) over the TCP protocol. You can enable or disable this service in Radius/Advanced/Diameter/IsDiameterEnabled.
- Diameter AA service (Authentication and Authorization) over the SCTP protocol. You can enable or disable this service in Radius/Advanced/Diameter/IsDiameterEnabled.
- A service that can be accessed from the local host by the Prime Access Registrar radius and server agent processes.
- AR Server Agent, which is used to log all the activities of Prime Access Registrar processes. This service can be accessed from the local host by the Prime Access Registrar radius and server agent processes.
- Prime Access Registrar GUI processes use these ports by default. This service is accessible from any end-user desktop browser using the HTTP protocol. You can change the default port numbers by editing the server.xml file.
- This service is accessible from any end-user desktop browser using the HTTPS protocol. You can change the default port numbers by editing the server.xml file.
- Two further rows: You can change the default port numbers by editing the server.xml file.
- SNMP: This service is accessible from any network management host. Refer to the net-snmp documentation for more information.
- SNMP traps: This service is accessible to any SNMP trap client when you want to use the net-snmp snmptrap daemon as an SNMP trap server. Refer to the SNMP chapter of the Cisco Prime Access Registrar 9.2 User Guide for more information.
- Listens on these ports for internal configuration from stack manager events. This service can be accessed from the local host by the Prime Access Registrar Radius process.
- A second stack manager row: This service can be accessed from the local host by the Prime Access Registrar Radius process.
- Configures the stack and receives configuration from m3ua-cliclient. This service can be accessed from the local host by the Prime Access Registrar Radius process and the m3ua-cliclient process.
- A second m3ua-cliclient row: This service can be accessed from the local host by the Prime Access Registrar Radius process and the m3ua-cliclient process.
Related Documentation
For a complete list of Cisco Prime Access Registrar documentation, see the Cisco Prime Access Registrar 9.2 Documentation Overview.
Note We sometimes update the documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.