Cisco Access Registrar User Manual

Installing and Configuring Cisco Access Registrar, 4.2

November 2008

Americas Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

Text Part Number: OL-17221-02

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Cisco

Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx Cisco

Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)

Installing and Configuring Cisco Access Registrar, 4.2

Store are service marks; and Access Registrar, Aironet, AsyncOS,

IMPLIED, INCLUDING, WITHOUT

Certified Internetwork Expert logo, Cisco IOS,

logo, LightStream, Linksys, MediaTone,

logo are registered trademarks of

About This Guide ix

Obtaining Documentation ix

Cisco.com ix

Documentation Feedback x

Cisco Product Security Overview x

Reporting Security Problems in Cisco Products x

Obtaining Technical Assistance xi

Cisco Technical Support & Documentation Website xi Submitting a Service Request xii Definitions of Service Request Severity xii

Obtaining Additional Publications and Information xiii

CONTENTS

CHAPTER

1 Overview 1-1

Installation Dialog Overview 1-1

Installation Type 1-1 Installation Location 1-2 License File Location 1-2 Java 2 Runtime Environment 1-2 Open Database Connectivity 1-2 Example Configuration 1-3 Base Directory 1-3 setuid and setgid Permissions 1-3 Continue with Installation 1-3

Downloading Cisco Access Registrar Software 1-3

Cisco Access Registrar 4.2 Licensing 1-4

License Slabs 1-5 Getting Cisco Access Registrar 4.2 License 1-5 Installing Cisco Access Registrar 4.2 Licenses 1-6 Adding Additional Cisco Access Registrar 4.2 Licenses 1-6 Sample License File 1-6 Displaying License Information 1-7

aregcmd Command-Line Option 1-7 Launching aregcmd 1-7

OL-17221-02

Installing and Configuring Cisco Access Registrar, 4.2

iii

Contents

CHAPTER

2 Installing Cisco Access Registrar 4.2 2-1

Installing the Cisco Access Registrar 4.2 License File 2-1

Installing Cisco Access Registrar 4.2 Software on Solaris 2-1

Deciding Where to Install 2-2 Installing Cisco Access Registrar Software from CD-ROM 2-2 Installing Downloaded Software 2-2 Common Solaris Installation Steps 2-3

Configuring SNMP 2-6 RPC Bind Services 2-6

Installing Cisco Access Registrar on LDoms 2-6

Installing Cisco Access Registrar 4.2 Software on Linux 2-6

Deciding Where to Install 2-7 Installing Cisco Access Registrar Software from CD-ROM 2-7 Common Linux Installation Steps 2-7

Configuring SNMP 2-9

3 Upgrading Cisco Access Registrar Software 3-1

Solaris Software Upgrade Overview 3-1

Linux Software Upgrade Overview 3-2

Software Upgrade Tasks 3-3

Disabling Replication 3-3 Using pkgrm to Remove Cisco Access Registrar Solaris Software 3-4

Removing the AICar1 Package 3-4 Removing the CSCOar Package 3-5

Using uninstall-ar to Remove Linux Software 3-6

Installing the Cisco Access Registrar License File 3-7

Upgrading Cisco Access Registrar Solaris Software 3-7

Deciding Where to Install 3-7 Installing Cisco Access Registrar Software from CD-ROM 3-8 Installing Downloaded Software 3-8 Common Solaris Installation Steps 3-8

Configuring SNMP 3-11 Back-up Copy of Original Configuration 3-11 Removing Old VSA Names 3-12 VSA Update Script 3-12

Upgrading Cisco Access Registrar Linux Software 3-13

Using uninstall-ar to Remove Linux Software 3-13 Deciding Where to Install 3-14

Installing and Configuring Cisco Access Registrar, 4.2

OL-17221-02

Installing Cisco Access Registrar Software from CD-ROM 3-14 Common Linux Installation Steps 3-15

Backup Copy of Original Configuration 3-17 Removing Old VSA Names 3-18 VSA Update Script 3-18 Configuring SNMP 3-19

Configuring SNMP 3-19

Restarting Replication 3-19

Contents

CHAPTER

4 Configuring Cisco Access Registrar 4.2 4-1

Using aregcmd 4-1

General Command Syntax 4-1 aregcmd Commands 4-2

Configuring a Basic Site 4-2

Running aregcmd 4-2

Changing the Administrator’s Password 4-3 Creating Additional Administrators 4-4

Configuring the RADIUS Server 4-4

Checking the System-Level Defaults 4-5

Checking the Server’s Health 4-5 Selecting Ports to Use 4-5 Displaying the UserLists 4-6

Displaying the Default UserList 4-7

Adding Users to UserLists 4-7

Deleting Users 4-8 Displaying UserGroups 4-8 Configuring Clients 4-9

Adding a NAS 4-9 Configuring Profiles 4-10

Setting RADIUS Attributes 4-10

Adding Multiple Cisco AV Pairs 4-11 Validating and Using Your Changes 4-11

Saving and Reloading 4-11 Testing Your Configuration 4-12

Using radclient 4-12 Troubleshooting Your Configuration 4-13

Setting the Trace Level 4-13

OL-17221-02

Configuring Accounting 4-13

Configuring SNMP 4-14

Installing and Configuring Cisco Access Registrar, 4.2

Contents

Enabling SNMP in the Cisco Access Registrar Server 4-14 Stopping the Master Agent 4-14 Modifying the snmpd.conf File 4-14

Access Control 4-15 Trap Recipient 4-15 System Contact Information 4-16

Restarting the Master Agent 4-16

Configuring Dynamic DNS 4-16

Testing Dynamic DNS with radclient 4-18

CHAPTER

5 Customizing Your Configuration 5-1

Configuring Groups 5-1

Configuring Specific Groups 5-1

Creating and Setting Group Membership 5-2

Configuring a Default Group 5-3

Using a Script to Determine Service 5-3

Configuring Multiple UserLists 5-4

Configuring Separate UserLists 5-5

Creating Separate UserLists 5-5

Configuring Users 5-5

Populating UserLists 5-5

Configuring Services 5-6

Creating Separate Services 5-6

Creating the Script 5-6

Client Scripting 5-7

Configuring the Script 5-7

Client Scripting 5-7 Choosing the Scripting Point 5-7 Handling Multiple Scripts 5-8

Configuring a Remote Server for AA 5-8

Configuring the Remote Server 5-9

Creating a RemoteServer 5-9

Configuring Services 5-10

Creating Services 5-11

Configuring the RADIUS Server 5-11

Changing the Authentication and Authorization Defaults 5-12 Configuring Multiple Remote Servers 5-12 Configuring Two Remote Servers 5-13

Creating RemoteServers 5-13

Installing and Configuring Cisco Access Registrar, 4.2

OL-17221-02

NDEX

Contents

Configuring Services 5-14

Creating the Services 5-14

Configuring the Script 5-15

Choosing the Scripting Point 5-15

Configuring Session Management 5-16

Configuring a Resource Manager 5-16

Creating a Resource Manager 5-16

Configuring a Session Manager 5-17

Creating a Session Manager 5-17

Enabling Session Management 5-18

Configuring Session Management 5-18

OL-17221-02

Installing and Configuring Cisco Access Registrar, 4.2

vii

Contents

viii

Installing and Configuring Cisco Access Registrar, 4.2

OL-17221-02

About This Guide

The Installing and Configuring Cisco Access Registrar, 4.2, provides information about installing, configuring, and customizing CAR 4.2. This guide is intended to be used by experienced network administrators with working knowledge of the Solaris UNIX operating system.

This guide contains the following chapters:

• Chapter 1, “Overview,” provides an overview of the installation process and dialog, information

about downloading Cisco Access Registrar 4.1 software, and information about Cisco AR licensing.

• Chapter 2, “Installing Cisco Access Registrar 4.2,” provides information about installing the CAR

using CD-ROM or downloaded software.

• Chapter 3, “Upgrading Cisco Access Registrar Software,” provides information to help you upgrade

your Cisco

• Chapter 4, “Configuring Cisco Access Registrar 4.2,” describes how to configure a site. Cisco

Access Registrar 4.1 is very flexible. You can choose to configure it in many different ways. In addition, you can write scripts that can be invoked at different points during the processing of incoming requests and/or outgoing responses.

• Chapter 5, “Customizing Your Configuration,” provides an introduction to many of the Cisco

Access Registrar 4.1 objects and their properties.

This guide also includes an index.

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/techsupport

You can access the Cisco website at this URL:

http://www.cisco.com

OL-17221-02

Installing and Configuring Cisco Access Registrar, 4.2

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation Feedback

You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.

You can submit comments about Cisco documentation by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883

We appreciate your comments.

About This Guide

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you will find information about how to:

• Report security vulnerabilities in Cisco products.

• Obtain assistance with security incidents that involve Cisco products.

• Register to receive security information from Cisco.

A current list of security advisories, security notices, and security responses for Cisco products is available at this

http://www.cisco.com/go/psirt

To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:

URL:

• For Emergencies only — security-alert@cisco.com

An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.

• For Nonemergencies — psirt@cisco.com

Installing and Configuring Cisco Access Registrar, 4.2

OL-17221-02

About This Guide

In an emergency, you can also reach PSIRT by telephone:

• 1 877 228-7302

• 1 408 525-6532

Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to

encrypt any sensitive information that you send to Cisc o . PSIRT can wo r k with information that has been encrypted with PGP versions

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this

URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

The link on this page has the current PGP key ID in use.

If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone numbers before sending any sensitive material to find other means of encrypting the data.

2.x through 9.x.

Obtaining Technical Assistance

Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.

Cisco Technical Support & Documentation Website

The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this

http://tools.cisco.com/RPF/register/register.do

Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting

a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose

Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by

product ID or model name; by tree view; or for certain products, by copying and pasting show command

URL:

OL-17221-02

Installing and Configuring Cisco Access Registrar, 4.2

output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55 USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

About This Guide

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of the network is impaired, while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

xii

Installing and Configuring Cisco Access Registrar, 4.2

OL-17221-02

About This Guide

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

• The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief

product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:

http://www.cisco.com/go/guide

• Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo

merchandise. Visit Cisco Marketplace, the company store, at this

http://www.cisco.com/go/marketplace/

• Cisco Press publishes a wide range of general networking, training and certification titles. Both new

and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this

URL:

http://www.ciscopress.com

• Pack et magazine is the Cisco Systems technical user magazine for maximizing Internet and

networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this

URL:

http://www.cisco.com/packet

URL:

• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies

learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

or view the digital edition at this URL:

http://ciscoiq.texterity.com/ciscoiq/sample/

• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering

professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this

URL:

http://www.cisco.com/ipj

• Networking products offered by Cisco Systems, as well as customer support services, can be

obtained at this

URL:

http://www.cisco.com/en/US/products/index.html

• Networking Professionals Connection is an interactive website for networking professionals to share

questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this

URL:

http://www.cisco.com/discuss/networking

OL-17221-02

Installing and Configuring Cisco Access Registrar, 4.2

xiii

About This Guide

• World-class networking training is available from Cisco. You can view current offerings at

this URL:

http://www.cisco.com/en/US/learning/index.html

xiv

Installing and Configuring Cisco Access Registrar, 4.2

OL-17221-02

CHAP T ER

Overview

This chapter provides an overview of the software installation process. You can install the CAR 4.2 software on a machine for the first time, or you can upgrade the existing Cisco AR software on a workstation to CAR 4.2.

You might receive the Cisco AR software in a packaged CD-ROM or you can download the software from the Cisco.com web site. provides detailed information about downloading the CAR 4.2 software.

Before you install the CAR 4.2 software, you must copy a license file to the workstation where you will install the software. You will receive the license file as an e-mail attachment.

“Cisco Access Registrar 4.2 Licensing” section on page 1-4 provides detailed information about the new

licensing mechanism in Cisco AR.

Note Before you begin the software installation, ensure that your server has up to date OS software including

all relevant or recommended patches.

“Downloading Cisco Access Registrar Software” section on page 1-3

Installation Dialog Overview

You use the pkgadd command to install CAR 4.2 software on Solaris 9 and Solaris 10 workstations. The Linux version of CAR 4.2 uses the RedHat Package Manager (RPM) and installs as a script. When you begin the software installation, the install process uses a dialog to determine how to install the software.

Note CAR 4.2 can be used with Solaris 9, Solaris 10, or Red Hat Enterprise Linux 4.0 32-bit operating system

using kernel 2.6.9-22.0.2.EL or later, and Glibc version: glibc-2.3.4-2.13 or later.

Installation Type

The first question for you to consider is the type of installation to perform. Your choices are full or configuration only. The default and most common installation type is a full install.

The Full installation installs all parts of the CAR 4.2 software including the server components, the example configuration, and the configuration utility, aregcmd.

The Config only installation only installs the example configuration and the configuration utility, aregcmd. You can use one instance of aregcmd to maintain other servers running the server software.

OL-17221-02

Installing and Configuring Cisco Access Registrar, 4.2

1-1

Installation Dialog Overview

Installation Location

The next question in the installation dialog asks, “Where do you want to install?” The default location to install the software is /opt/CSCOar. You can choose to specify another location by entering it at this point. That directory would then be the base install directory, sometimes referred to as $INSTALL or $BASEDIR.

License File Location

The installation dialog asks for the location of the license file.

Access Registrar requires FLEXlm license file to operate. A list of space delimited license files or directories can be supplied as input; license files must have the extension ".lic".

Where are the FLEXlm license files located? [] [?,q]

Cisco AR uses a licensing mechanism that requires a file to be copied from a directory on the Cisco AR workstation. Earlier versions of Cisco AR used a license key. You should copy the license file to the Cisco AR workstation before you begin the software installation. You can copy the license file to /tmp or another directory you might prefer. The installation process will copy the license file from the location you provide to /opt/CSCOar/license.

See “Cisco Access Registrar 4.2 Licensing” section on page 1-4 for more detailed information about the Cisco AR license file requirements.

Chapter 1 Overview

Java 2 Runtime Environment

The installation dialog asks for the location of the Java 2 Runtime Environment (J2RE). Cisco AR provides a web-based GUI that requires J2RE version 1.4.X to be installed on the Cisco AR server.

Where is the J2RE installed?

If you already have a Java 2 platform installed, enter the directory where it is installed. If you need the J2RE, you can download it from:

http://java.sun.com

Open Database Connectivity

The installation dialog asks for the location of the Oracle installation directory, required for Open Database Connectivity (ODBC) configuration. The installation process uses this information to set the ORACLE_HOME variable in the /opt/CSCOar/bin/arserver script.

If you are not using ODBC, press Enter to skip this step.

Note Oracle 8i client and 8g server are no longer supported in CAR 4.2. However, Oracle 9i and 10g client

and Oracle 9i, 10g, and 11g servers are supported in AR4.2.

1-2

Installing and Configuring Cisco Access Registrar, 4.2

OL-17221-02

Chapter 1 Overview

Example Configuration

The installation dialog asks if you want to install the example configuration. You can use the example configuration to learn about Cisco AR and to refer to the examples that appear later in this document.

You can delete the example configuration at any time by running the command:

/opt/CSCOar/bin/aregcmd -f /opt/CSCOar/examples/cli/delete-example-configuration.rc

Base Directory

The installation process asks “where do you want to install [/opt/CSCOar]?”

If the base directory does not exist, the installation process asks if you want to create the selected base directory.

The selected base directory </opt/CSCOar> must exist before installation is attempted.

Do you want this directory created now [y,n,?,q]

Downloading Cisco Access Registrar Software

The base directory must be created before you can install the software. If you do not agree to create the base directory at this point, the installation process terminates and no changes are made to the system. The default base directory is /opt/CSCOar.

setuid and setgid Permissions

The installation process asks before installing the following files with setuid and setgid permissions:

• /opt/CSCOar/.system/screen <setuid root>

• /opt/CSCOar/bin/aregcmd <setgid staff>

• /opt/CSCOar/bin/radclient <setgid staff>

If you do not agree to install these files, the installation will continue, but you will only be able to run aregcmd as user root. Cisco recommends that you answer Ye s to this question.

Continue with Installation

The final question asked by the installation process dialog is, “Do you want to continue with the installation of <CSCOar>?” Enter Y or yes to continue with the installation. No further user input is required.

Downloading Cisco Access Registrar Software

Cisco AR software is available for download from http://www.cisco.com at the following URL:

http://www.cisco.com/cgi-bin/tablebuild.pl/access-registrar-encrypted?sort=release

The page at this URL lists all available versions of Cisco AR software available for download. The current versions are:

• CSCOar-4.2.1-sol9-k9.tar.gz for Solaris 9

Installing and Configuring Cisco Access Registrar, 4.2

OL-17221-02

1-3

Cisco Access Registrar 4.2 Licensing

• CSCOar-4.2.1-sol10-k9.tar.gz for Solaris 10

• CSCOar-4.2.1-lnx26-install-K9.sh for RedHat Enterprise Linux (RHEL) 4.0

Complete the following steps to download the software.

Step 1 Create a temporary directory, such as /tmp, to hold the downloaded software package.

Step 2 Enter the URL to the Cisco.com web site for Cisco AR software:

http://www.cisco.com/cgi-bin/tablebuild.pl/access-registrar-encrypted?sort=release

Step 3 Click on the link for Cisco AR software:

CSCOar-4.2.1-sol9-k9.tar.gz for the Solaris 9 version, or CSCOar-4.2.1-sol10-k9.tar.gz for the Solaris 10 version, or CSCOar-4.2.1-lnx26-install-K9.sh for the RedHat Enterprise Linux version.

The Software Center Download Rules page displays. You should read these rules carefully.

Chapter 1 Overview

Warning

Before downloading this software please ensure that each of the following licenses and agreements are in place with Cisco Systems or a Cisco Systems authorized reseller.

These rules require you to acknowledge the following:

• A software license

• A valid service agreement

By clicking Agree, you confirm that the download of this file by you is in accordance with the requirements listed and that you understand and agree that Cisco Systems reserves the right to charge you for, and you agree to pay for, any software downloads to which you are not entitled. All Cisco Systems Operating System and application software licenses and downloads are governed by Cisco Systems' applicable End User License Agreement/Software License Agreement. By clicking Agree you further agree to abide by the terms and conditions set forth in Cisco Systems' End User License agreement/Software License Agreement and your service agreement.

If you click Agree, the End User License Agreement / Software License Agreement displays.

Step 4 Read the End User License Agreement / Software License Agreement carefully, and if you accept the

terms, click Accept.

The software Download page appears. In few seconds, a File Download dialog box appears. If it does not appear, click the link provided in the page.

Step 5 Click Save and indicate where to save the file on your computer, such as /tmp, then click Save again.

Cisco Access Registrar 4.2 Licensing

CAR 4.2 uses a new licensing mechanism that enables you to activate all features in Cisco AR. During system initialization, the Cisco AR server sets up the licensing data model and activates all features.

In CAR 4.2, licensing is based on transactions per second(TPS). Every license will cover all features, but with restrictions enforced on the TPS. TPS is calculated based on the number of packets flowing into CAR irrespective of the feature.

Installing and Configuring Cisco Access Registrar, 4.2

1-4

OL-17221-02

Chapter 1 Overview

License Slabs

Cisco Access Registrar 4.2 Licensing

CAR can be deployed in a two-tier architecture—front-end and back-end server. The front-end server performs AAA functions and it needs the base license and the TPS license. The back-end server performs session management functions and it needs the secondary license.

CAR can be deployed in an active/stand-by server combination (with Sun clustering solution). Active server performs all the functionality and it needs the base license and the TPS license. Only if the active server goes down, sun cluster will trigger the stand-by server. The stand-by server needs secondary license.

The license slabs available in CAR 4.2 are listed in Tab l e 1.

Ta b l e 1 CAR 4.2 License Slabs

Product Description

AR-4.2-BASE-K9= CAR base license. Limited to 100 transactions per second.

AR-4.2-100TPS= CAR additional license per server. Limited to 100 transactions per

second.

AR-4.2-200TPS= CAR additional license per server. Limited to 200 transactions per

second.

AR-4.2-500TPS= CAR additional license per server. Limited to 500 transactions per

second.

AR-4.2-1000TPS= CAR additional license per server. Limited to 1,000 transactions per

second.

AR-4.2-2000TPS= CAR additional license per server. Limited to 2,000 transactions per

second.

AR-4.2-3000TPS= CAR additional license per server. Limited to 3,000 transactions per

second.

AR-4.2-5000TPS= CAR additional license per server. Limited to 5,000 transactions per

second.

AR-4.2-SECONDARY= CAR secondary license. Required for each secondary server—back-end

or stand-by.

AR-4.2-UP-3.X-K9= CAR upgrade license for R3.x Customers, with or without SAS

contract. Limited to 1000 transactions per second.

AR-4.2-UP-4.X-K9= CAR upgrade license for R4.0 and R4.1 Customers, without SAS

contract. Limited to 1000 transactions per second.

Getting Cisco Access Registrar 4.2 License

When you order the CAR 4.2 product, a text license file will be sent to you in e-mail. If you are evaluating the software, Cisco will provide you with an evaluation license.

If you decide to upgrade your Cisco AR software, a new text license file will be sent to you in e-mail.

Note While upgrading, the licenses of previous versions cannot be used with CAR 4.2. Backward

compatability support in terms of license will not be available in this version.

OL-17221-02

Installing and Configuring Cisco Access Registrar, 4.2

1-5

Cisco Access Registrar 4.2 Licensing

If you receive a Software License Claim Certificate, you can get your Cisco AR license file at one of the two following URLs:

• www.cisco.com/go/license

Use this site if you are a registered user of Cisco Connection Online.

• www.cisco.com/go/license/public

Use this site if you are not a registered user of Cisco Connection Online.

Within one hour of registration at either of the above web sites, you will receive your license key file and installation instructions in e-mail.

Installing Cisco Access Registrar 4.2 Licenses

You must have a license in a directory on the Cisco AR machine before you attempt to install Cisco AR software. If you have not installed the Cisco AR license file before beginning the software installation, the installation process will fail.

You can store the Cisco AR license file in any directory on the Cisco AR machine. During the installation process, you will be asked the location of the license file, and the installation process will copy the license file to the /opt/CSCOar/license directory, or $INSTALL/license if you are not using the default installation location.

The license file might have the name ciscoar.lic, but it can be any filename with the suffix .lic. To install the Cisco AR license file, you can copy and paste the text into a file, or you can simply save the file you receive in e-mail to an accessible directory.

Chapter 1 Overview

Adding Additional Cisco Access Registrar 4.2 Licenses

If you add additional licenses, you can open the file in /opt/CSCOar/license and add additional lines to the license file, or you can create an additional license file to hold the new lines. If you add a new file, remember to give it a .lic suffix. You must restart the Cisco AR server for the new license to take effect. To restart the Cisco AR server, enter the following on the server command line:

/opt/CSCOar/bin/arserver restart

Sample License File

The following is an example of a CAR 4.2 license file.

INCREMENT AR-BASE-100TPS cisco 4.2 30-nov-2008 uncounted HOSTID=ANY \ NOTICE="<LicFileID>2008090307</LicFileID><LicLineID>0</LicLineID> \ <PAK>dummyPak</PAK>" SIGN=ABCDEF123456 INCREMENT AR-ADD-TPS cisco 4.2 30-nov-2008 uncounted \ VENDOR_STRING=<count>100</count> HOSTID=ANY \ NOTICE="<LicFileID>2008090307</LicFileID><LicLineID>1</LicLineID> \ <PAK>dummyPak</PAK>" SIGN=ABCDEF123456

1-6

Installing and Configuring Cisco Access Registrar, 4.2

OL-17221-02

Chapter 1 Overview

Displaying License Information

Cisco AR provides two ways of getting license information using aregcmd:

• aregcmd command-line option

• Launching aregcmd

aregcmd Command-Line Option

Cisco AR provides a new -l command-line option to aregcmd. The syntax is:

aregcmd -l directory_name

where directory_name is the directory where the Cisco AR license file is stored. The following is an example of the aregcmd -l command:

aregcmd -l /opt/CSCOar/license Licensed Application: Cisco Access Registrar (Standard Version)

Following are the licensed components:

Cisco Access Registrar 4.2 Licensing

Launching aregcmd

The Cisco AR server displays license information when you launch aregcmd, as shown in the following:

[ //localhost ]

Server 'Radius' is Running, its health is 10 out of 10

NAME VERSION EXPIRY_INFO COUNT ==== ======= =========== ===== AR-Base-100TPS 4.2 30-Nov-2008 100 AR-ADD-TPS 4.2 30-Nov-2008 100

aregcmd

LicenseInfo = AR-Base-100TPS 4.2 (expires on 30-Nov-2008) AR-ADD-TPS 4.2 (expires on 30-Nov-2008) Radius/ Administrators/

OL-17221-02

Installing and Configuring Cisco Access Registrar, 4.2

1-7

Cisco Access Registrar 4.2 Licensing

Chapter 1 Overview

1-8

Installing and Configuring Cisco Access Registrar, 4.2

OL-17221-02

CHAP T ER

Installing Cisco Access Registrar 4.2

This chapter provides information about installing CAR 4.2 software. The software is available in CD-ROM form and can also be downloaded from the Cisco.com website. The installation instructions differ slightly depending on whether you install the software from the Cisco AR CD-ROM or from downloaded software.

Note CAR 4.2 can be used with Solaris 9, Solaris 10, or the Red Hat Enterprise Linux 4.0 32-bit operating

system using kernel 2.6.9-22.0.2.EL or later, and Glibc version: glibc-2.3.4-2.13 or later.

This chapter contains the following sections:

• Installing the Cisco Access Registrar 4.2 License File, page 2-1

• Installing Cisco Access Registrar 4.2 Software on Solaris, page 2-1

• Installing Cisco Access Registrar 4.2 Software on Linux, page 2-6

Installing the Cisco Access Registrar 4.2 License File

You must have a license file in a directory on the Cisco AR machine before you attempt to install Cisco AR software. After purchasing Cisco AR, you will receive a license file in an e-mail attachment. Save or copy this license file to a directory on the Cisco AR workstation. If you have not installed the Cisco AR license file before beginning the software installation, the installation process will fail.

You can store the Cisco AR license file in any directory on the Cisco AR machine. During the installation process, you will be asked the location of the license file, and the installation process will copy the license file to the /opt/CSCOar/license directory or to the base installation directory you specify when you install the software if you are not using the default installation location.

Installing Cisco Access Registrar 4.2 Software on Solaris

This section describes the software installation process when installing Cisco AR software on a Solaris workstation for the first time.

OL-17221-02

Installing and Configuring Cisco Access Registrar, 4.2

2-1

Installing Cisco Access Registrar 4.2 Software on Solaris

This section includes the following subsections:

• Deciding Where to Install

• Installing Cisco Access Registrar Software from CD-ROM

• Installing Downloaded Software

• Common Solaris Installation Steps

• Installing Cisco Access Registrar on LDoms

Tips Before you begin to install the software, check your workstation’s /etc/group file and make sure that

group staff exists. The software installation will fail if group staff does not exist before you begin.

Deciding Where to Install

Before you begin the software installation, you should decide where you want to install the new software. The default installation directory for CAR 4.2 software is /opt/CSCOar. You can use the default installation directory, or you can choose to install the Cisco AR software in a different directory.

Chapter 2 Installing Cisco Access Registrar 4.2

Installing Cisco Access Registrar Software from CD-ROM

The following steps describe how to begin the software installation process when installing software from the CAR 4.2 CD-ROM. If you are installing downloaded software, proceed to

Downloaded Software.

Step 1 Place the Cisco AR software CD-ROM in the Cisco AR workstation CD-ROM drive.

Step 2 Log in to the Cisco AR workstation as a root user, and enter one of the following command lines:

For Solaris 9:

pkgadd -d /cdrom/cdrom0/kit/solaris-2.9 CSCOar

For Solaris 10:

pkgadd -d /cdrom/cdrom0/kit/solaris-2.10 CSCOar

Step 3 Proceed to Common Solaris Installation Steps.

Installing Downloaded Software

This section describes how to uncompress and extract downloaded Cisco AR software and begin the software installation.

Installing

2-2

Step 1 Log in to the Cisco AR workstation as a root user.

Step 2 Change directory to the location where you have stored the uncompressed tarfile.

cd /tmp

Installing and Configuring Cisco Access Registrar, 4.2

OL-17221-02

Chapter 2 Installing Cisco Access Registrar 4.2

Step 3 Use the following command line to uncompress the tarfile and extract the installation package files.

zcat CSCOar-4.2.1-sol9-K9.tar.gz | tar xvf -

Note These instructions are for the Solaris 9 package. There is no difference in download or installation

procedures for Solaris 9 or Solaris 10 other than the package name.

Step 4 Enter the following command to begin the installation:

pkgadd -d /tmp CSCOar

where /tmp is the temporary directory where you stored and uncompressed the installation files.

Step 5 Proceed to Common Solaris Installation Steps.

Common Solaris Installation Steps

Installing Cisco Access Registrar 4.2 Software on Solaris

This section describes the installation process immediately after you have issued the pkgadd command installing from CD-ROM or from downloaded software.

Processing package instance <CSCOar> from </tmp>

Cisco Access Registrar 4.2.1 [SunOS-5.9, official] (sparc) 4.2.1 Copyright (C) 1998-2008 by Cisco Systems, Inc. This program contains proprietary and confidential information. All rights reserved except as may be permitted by prior written consent.

This package contains the Access Registrar Server and the Access Registrar Configuration Utility. You can choose to perform either a Full installation or just install the Configuration Utility.

What type of installation: Full, Config only [Full] [?,q]

Step 6 For a full install, press Enter.

Where do you want to install <CSCOar>? [/opt/CSCOar] [?,q]

Step 7 Press Enter to accept the default location of /opt/CSCOar, or enter a different directory to be used as

the base installation directory.

Access Registrar requires FLEXlm license file to operate. A list of space delimited license files or directories can be supplied as input; license files must have the extension ".lic".

OL-17221-02

Where are the FLEXlm license files located? [] [?,q]

Step 8 Enter the directory where you have stored the CAR 4.2 license file.

Access Registrar provides a Web GUI. It requires J2RE version

1.4.* to be installed on the server.

If you already have a compatible version J2RE installed, please enter the directory where it is installed. If you do not, the compatible J2RE version can be downloaded from:

Installing and Configuring Cisco Access Registrar, 4.2

2-3

Installing Cisco Access Registrar 4.2 Software on Solaris

http://java.sun.com/

Where is the J2RE installed? [?,q] /nfs/insbu-cnstools/java

The J2RE is required to use the Cisco AR GUI. If you already have a Java 2 platform installed, enter the directory where it is installed.

Note If you do not provide the J2RE path, or if the path is empty or unsupported, the installation process exits.

Step 9 Enter the directory or mount point where the J2RE is installed.

If you are not using ORACLE, press Enter/Return to skip this step. ORACLE installation directory is required for ODBC configuration. ORACLE_HOME variable will be set in /etc/init.d/arserver script

Where is ORACLE installed? [] [?,q]

Step 10 If you plan to use Oracle accounting, enter the location where you have installed Oracle; otherwise

press Enter.

If you want to learn about Access Registrar by following the examples in the Installation and Configuration Guide, you need to populate the database with the example configuration.

Chapter 2 Installing Cisco Access Registrar 4.2

Do you want to install the example configuration now [n] [y,n,?,q]

Step 11 When prompted whether to install the example configuration now, enter Y or N to continue.

You can add the example configuration at any time by running the command:

/opt/CSCOar/bin/aregcmd -f /opt/CSCOar/examples/cli/add-example-configuration.rc

Note You can delete the example configuration at any time by running the command

/opt/CSCOar/usrbin/aregcmd -f /opt/CSCOar/examples/cli/delete-example-configuration.rc.

## Executing checkinstall script.

The selected base directory </opt/CSCOar> must exist before installation is attempted.

Do you want this directory created now [y,n,?,q] y

Step 12 Enter Y to enable the installation process to create the /opt/CSCOar directory.

Using </opt/CSCOar> as the package base directory. ## Processing package information. ## Processing system information. ## Verifying package dependencies. ## Verifying disk space requirements. ## Checking for conflicts with packages already installed. ## Checking for setuid/setgid programs.

2-4

The following files are being installed with setuid and/or setgid permissions: /opt/CSCOar/.system/screen <setuid root> /opt/CSCOar/bin/aregcmd <setgid staff> /opt/CSCOar/bin/radclient <setgid staff>

Installing and Configuring Cisco Access Registrar, 4.2

OL-17221-02

Chapter 2 Installing Cisco Access Registrar 4.2

Do you want to install these as setuid/setgid files [y,n,?,q]

Step 13 Enter Y to install the setuid/setgid files.

This package contains scripts which will be executed with super-user permission during the process of installing this package.

Do you want to continue with the installation of <CSCOar> [y,n,?]

Step 14 Enter Y to continue with the software installation.

No further interaction is required; the installation process should complete successfully and the arservagt is automatically started.

Installing Cisco Access Registrar 4.2.1 [SunOS-5.9, official] as <CSCOar>

## Installing part 1 of 1. /opt/CSCOar/.system/add-example-config /opt/CSCOar/.system/run-ar-scripts /opt/CSCOar/.system/screen /opt/CSCOar/README /opt/CSCOar/bin/arbug /opt/CSCOar/bin/nasmonitor /opt/CSCOar/bin/share-access /opt/CSCOar/bin/xtail /opt/CSCOar/java/javadoc.tar.gz /opt/CSCOar/lib/getopts.tcl . . . # setting up product configuration file /opt/CSCOar/conf/car.conf # linking /etc/init.d/arserver to /etc/rc.d files # setting ORACLE_HOME and JAVA_HOME variables in arserver # removing old session information # flushing old replication archive # creating initial configuration database Rollforward recovery using "/opt/CSCOar/data/db/vista.tjf" started Fri Nov 07 13:54:54 2008 Rollforward recovery using "/opt/CSCOar/data/db/vista.tjf" finished Fri Nov 07 13:54:54 2008

Installing Cisco Access Registrar 4.2 Software on Solaris

OL-17221-02

# installing example configuration We will now generate an RSA key-pair and self-signed certificate that may be used for test purposes Generating a 1536 bit RSA private key

.....++++

...............++++

writing new private key to '/cisco-ar/certs/tomcat/server-key.pem'

----Server self-signed certificate now resides in /cisco-ar/certs/tomcat/server-cert.pem Server private RSA key now resides in /cisco-ar/certs/tomcat/server-key.pem

Remember to install additional CA certificates for client verification Tomcat private RSA key now resides in /cisco-ar/certs/tomcat/server-key.pem Starting Access Registrar Server Agent... completed. The Radius server is now running. # done with postinstall.

Installation of <CSCOar> was successful

hostname root /tmp##

Installing and Configuring Cisco Access Registrar, 4.2

2-5

Installing Cisco Access Registrar 4.2 Software on Linux

Configuring SNMP

If you choose not to use the SNMP features of CAR, the installation process is completed. To use SNMP features, complete the configuration procedure described in

RPC Bind Services

The Cisco AR server and the aregcmd CLI requires RPC services to be running before the server is started. If the RPC services are stopped, you must restart RPC services, then restart the Cisco AR server. Use the following commands to restart RPC services:

/opt/CSCOar/bin/arserver stop

/etc/init.d/rpc start

/opt/CSCOar/bin/arserver start

If RPC services are not running, the following message is displayed when you attempt to start aregcmd:

Chapter 2 Installing Cisco Access Registrar 4.2

Configuring SNMP, page 4-14.

Installing Cisco Access Registrar on LDoms

Server virtualization is partitioning of network servers into several independent execution environments. Server virtualization allows a data center to be viewed and managed as a set of compute resources rather than a room of individual systems.

Server virtualization feature in CAR will enable maximum resource utilization with dynamic resource allocation between LDoms.

Note To know about configuration of CAR on LDoms, see White Paper under CAR Collateral in

http://wwwin-nmbu.cisco.com/fieldportal/products/car/summary.cfm?Prod=car&tsession.

Installing Cisco Access Registrar 4.2 Software on Linux

This section describes the software installation process when installing Cisco AR software on a Linux workstation for the first time. This section includes the following subsections:

• Deciding Where to Install

• Installing Cisco Access Registrar Software from CD-ROM

• Common Linux Installation Steps

2-6

Tips Before you begin to install the software, check your workstation’s /etc/group file and make sure that

group staff exists. The software installation will fail if group staff does not exist before you begin.

Installing and Configuring Cisco Access Registrar, 4.2

OL-17221-02

Chapter 2 Installing Cisco Access Registrar 4.2

Installing Cisco Access Registrar 4.2 Software on Linux

Deciding Where to Install

Installing Cisco Access Registrar Software from CD-ROM

The following steps describe how to begin the software installation process when installing software from the CAR 4.2 CD-ROM. If you are installing downloaded software, proceed to

Downloaded Software.

Step 1 Place the CAR 4.2 software CD-ROM in the Cisco AR workstation CD-ROM drive.

Step 2 Log in to the Cisco AR workstation as a root user and find a temporary directory, such as /tmp, to store

the Linux installation file.

Installing

Note The temporary directory requires at least 70 MB of free space.

Step 3 Change directory to the CD-ROM.

cd /cdrom/cdrom0/kit/linux-2.4

Step 4 Copy the CSCOar-4.2.1-lnx26-install-K9.sh file to the temporary directory.

cp CSCOar-4.2.1-lnx26-install-K9.sh /tmp

Step 5 Change the permissions of the CSCOar-4.1.4-lnx24-install-k9.sh file to make it executable.

chmod 777 CSCOar-4.2.1-lnx26-install-K9.sh

To continue the installation, proceed to Common Linux Installation Steps.

Common Linux Installation Steps

This section describes how to install the downloaded Cisco AR software for Linux and begin the software installation.

Note The Cisco AR Linux installation automatically installs aregcmd and radclient as setgid programs in

group adm.

OL-17221-02

Step 1 Log in to the Cisco AR workstation as a root user.

Step 2 Change directory to the location where you have stored the CSCOar-4.1.4-lnx26-install-K9.sh file.

cd /tmp

Installing and Configuring Cisco Access Registrar, 4.2

2-7

+ 65 hidden pages