Cisco Access Registrar 3.5 Concepts and Reference Guide July 2004 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
About This Guide This document provides information to help you understand RADIUS concepts and to help you develop a better understanding of the Cisco Access Registrar 3.0 server. This document contains the following chapters: • Chapter 1, “Overview,” overview of the RADIUS server, including connection steps, RADIUS message types, and using Cisco Access Registrar as a proxy server.
Ordering Documentation

Cisco documentation is available in the following ways:
• Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace: http://www.cisco.com/cgi-bin/order/order_root.pl
• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription
• Nonregistered Cisco.
Obtaining Technical Assistance

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco. To access Cisco.com, go to the following website: http://www.cisco.
CHAPTER 1

Overview

This chapter provides an overview of the RADIUS server, including connection steps, RADIUS message types, and using Cisco Access Registrar as a proxy server. Cisco Access Registrar is a RADIUS (Remote Authentication Dial-In User Service) server that allows multiple dial-in Network Access Server (NAS) devices to share a common authentication, authorization, and accounting database.
RADIUS Protocol

[Figure 1-1: Packet Exchange Between User, NAS, and RADIUS]

Cisco Access Registrar can also reject the packet if it needs to deny network access to the user. Or, Cisco Access Registrar may issue a challenge that the NAS sends to the user, who then creates the proper response and returns it to the NAS, which forwards the challenge response to Cisco Access Registrar in a second request packet.
Step 8 Cisco Access Registrar formats the response based on the Response dictionary and sends it back to the client (NAS).
Step 9 The NAS receives the response and communicates with the user, which may include sending the user an IP address to indicate the connection has been successfully established.
Table 1-1 RADIUS Packet Fields (continued)

Field | Description
Authenticator | Contains a value for a Request Authenticator or a Response Authenticator. The Request Authenticator is included in a client’s Access-Request. The value is unpredictable and unique, and is added to the client/server shared secret so the combination can be run through a one-way algorithm. The NAS then uses the result in conjunction with the shared secret to encrypt the user’s password.
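The Authenticator handling described in this table row corresponds to the scheme RFC 2865 defines: the password is XORed with MD5 output keyed by the shared secret and the Request Authenticator, and the reply carries a Response Authenticator the client can check. The Python below is an added example, not code from Cisco Access Registrar or from this guide; the secret, password and attribute values are constructed.

```python
# Added example (not Cisco code): RFC 2865 User-Password hiding and
# Response Authenticator verification. All sample values are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code for Access-Accept


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: build the User-Password attribute value."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        # The first mask is MD5(secret + Request Authenticator); each later
        # mask chains on the previous ciphertext block.
        mask = _md5(secret, prev)
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: invert hide_password with the same shared secret."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("malformed User-Password value")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += bytes(c ^ m for c, m in zip(block, _md5(secret, prev)))
        prev = block
    return plain.rstrip(b"\x00")  # drop the null padding


def build_response(code: int, identifier: int, request_auth: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return header + _md5(header, request_auth, attributes, secret) + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator and compare."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= min(len(packet), 4096):
        return False
    packet = packet[:length]  # octets beyond Length are padding
    expected = _md5(packet[:4], request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def demo() -> dict:
    secret = b"constructed-shared-secret"
    request_auth = os.urandom(16)        # unpredictable and unique per request
    password = b"correct horse battery"  # 21 octets, so two 16-octet blocks
    hidden = hide_password(password, secret, request_auth)
    attrs = bytes([6, 6]) + struct.pack("!I", 2)  # Service-Type = Framed
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    tampered = reply[:-1] + b"\x01"      # attribute value altered in transit
    return {
        "hidden_len": len(hidden),
        "roundtrip": reveal_password(hidden, secret, request_auth) == password,
        "wrong_secret": reveal_password(hidden, b"other", request_auth) == password,
        "reply_ok": verify_response(reply, request_auth, secret),
        "tampered_ok": verify_response(tampered, request_auth, secret),
        "wrong_secret_reply_ok": verify_response(reply, request_auth, b"other"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A client that skips `verify_response` accepts any reply that reaches it, so the check belongs on every Access-Accept, Access-Reject and Access-Challenge it processes.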
[Figure 1-2: Proxying to an LDAP Server for Authentication]

Basic Authentication and Authorization

This section provides basic information about how Cisco Access Registrar performs the basic RADIUS functions of authentication and authorization as defined in Internet RFC 2865.
– Performs resource management for each Resource Manager in the Session Manager. The Cisco AR server directs the request to the appropriate resource manager listed in /Radius/SessionManagers///. The resource manager then allocates or checks the resource according to the type listed in /Radius///. 4.
CHAPTER 2

Understanding Cisco Access Registrar

This chapter describes the Cisco Access Registrar object structure, and explains when Cisco Access Registrar references each of these objects during the processing of client requests. Cisco Access Registrar lets you manipulate configuration objects, which define the properties or behavior of the RADIUS server. Cisco Access Registrar also lets you invoke custom scripts to affect the behavior of the RADIUS server.
Cisco Access Registrar Hierarchy

UserLists and Groups

Cisco Access Registrar lets you organize your user community through the configuration objects UserLists, users, and UserGroups.
• Use UserLists to group users by organization, such as Company A and Company B. Each list contains the actual names of the users.
• Use users to store information about particular users, such as name, password, group membership, base profile, and so on.
For example, to use Services for authentication:
• When you want the authentication to be performed by the Cisco Access Registrar RADIUS server, you can specify the local service. In this case, you must specify a specific UserList.
concurrently, you might create two Session Managers and three Resource Managers: one dynamic IP Resource Manager that is referenced by both Session Managers, and two concurrent session Resource Managers, one for each Session Manager. In addition, Cisco Access Registrar lets you pose queries about sessions.
Program Flow

Table 2-2 From Access-Request to Access-Accept

Cisco AR Server Action | Explanation
Receives an Access-Request | The Cisco Access Registrar server receives an Access-Request packet from a NAS
Determines whether to accept the request | The Cisco Access Registrar server checks to see if the client’s IP address is listed in /Radius/Clients//
Invokes the policy SelectPolicy if it exists | The Cisco AR Policy Engine provides an interf
Table 2-3 Client or NAS Scripting Points (continued)

Action | Explanation
/Radius/Advanced/RequireNASsBehindProxyBeInClientList set to TRUE. The NAS’s Identifier listed in /Radius/Clients/, or its NAS-IP-Address listed in /Radius/Clients//IPAddress. If the client’s IP address listed in /Radius/Clients//IPAddress is different:
*Executes the vendor’s incoming script. | The vendor listed in /Radius/Clients/Name/Vendor, and is
Action | Explanation
Determines whether to perform authorization. | The Service name defined in /Radius/DefaultAuthorizationService, if different than the Authentication Service.
*Executes the Service’s incoming script. | A script referred to in /Radius/Services//IncomingScript.
Performs authorization. | Checks that the Service type is defined in /Radius/Services//.
*Executes the Service’s outgoing script.
• The secondary server will not know about the current active sessions that are maintained on the primary server. Any resources managed by the secondary server must be distinct from those managed by the primary server, otherwise it will be possible to have two sessions with the same resources (for example, two sessions with the same IP address).
Overall Flow Sequence | Authentication/Authorization Scripts
10) User Authorization.
11) Session Management.

Table 2-8 Cisco Access Registrar Processing Hierarchy for Outgoing Scripts

Overall Flow Sequence | Outgoing Scripts
12) Service
13) Specific NAS.
14) Vendor of the specific NAS.
15) Immediate client.
16) Vendor of the immediate client.
Cross Server Session and Resource Management

When the front line Cisco AR server receives the access-request, it does the regular AA processing. If the packet is not rejected and a Central Resource Cisco AR server is also configured, the front line Cisco AR server will proxy the packet to the configured Central Resource Cisco AR.
    IncomingScript =
    OutgoingScript =
    OutagePolicy = RejectAll
    OutageScript =
    MultipleServersPolicy = Failover
    RemoteServers/
        1. central-server

    [ //localhost/Radius/RemoteServers ]
    central-server/
        Name = central-server
        Description =
        Protocol = RADIUS
        IPAddress = 209.165.200.
CHAPTER 3

Cisco Access Registrar Scripts

This chapter describes the scripts provided with Cisco Access Registrar.

Using Cisco AR Scripts

The Cisco Access Registrar scripts are stored in /localhost/Radius/Scripts. Most of the scripts are written in the RADIUS Extension language (REX). Some scripts are provided in both REX and Tcl. The scripts written in Tcl all begin with the letter t followed by their functional name.
AltigaOutgoingScript

AltigaOutgoingScript maps Altiga attributes from Cisco Access Registrar’s global attribute space to the appropriate Altiga-proprietary attributes.

ANAAAOutgoing

ANAAAOutgoing can be referenced from either the client or vendor outgoing scripting point to be used in HRPD/EV-DO networks where Cisco Access Registrar is the Access Network (AN) AAA server.
AuthorizeTelnet

AuthorizeTelnet is referenced either from the user record for users whose sessions are always telnet or from the script AuthorizeService, which checks the request to determine which service is desired. This script merges the Profile named "default-Telnet-users" into the response dictionary.

CabletronIncoming

CabletronIncoming maps Cabletron-proprietary attributes to Cisco Access Registrar’s global attribute space.
ExecDNISRule

ExecDNISRule is referenced from the policy engine to determine the authentication and authorization service and policy based on the DNIS set in the policy engine.

ExecFilterRule

ExecFilterRule is referenced from the policy engine to determine whether a user packet should be rejected or not based on whether a special character like "*", "/", "\" or "?" shows up in the packet.
LDAPOutage

LDAPOutage is referenced from LDAP Services as OutageScript. LDAPOutage logs when the LDAP binding is lost.

MapSourceIPAddress

MapSourceIPAddress is referenced from the Cisco Access Registrar server's IncomingScript scripting point. MapSourceIPAddress checks to see if the request contains either a NAS-Identifier or a NAS-IP-Address. If not, this script sets the NAS-IP-Address from the request's source IP address.
ParseProxyHints

ParseProxyHints is referenced from the NAS IncomingScript scripting point. It looks for a realm name on the user name attribute as a hint of which AAA services should be used for this request. If @radius is found, a set of AAA services is selected which will proxy the request to a remote radius server. If @tacacs is found, the AuthenticationService is selected that will proxy the request to a tacacs server for authentication.
ParseServiceHints

ParseServiceHints is referenced from the NAS IncomingScript scripting point. It checks whether the request gives a hint of the service type or the realm. If so, it sets the appropriate attributes in the request or radius dictionary to record the hint and rewrites the user name to remove the hint. The Tcl version of this script is named tParseServiceHints.
USROutgoingScript

USROutgoingScript maps USR attributes from Cisco Access Registrar’s global attribute space to the appropriate USR-proprietary attributes.
CHAPTER 4

Understanding Replication

This chapter describes Cisco Access Registrar's configuration replication features, functions, limitations and operation.

Replication Overview

The Cisco Access Registrar replication feature can maintain identical configurations on multiple machines simultaneously. When replication is properly configured, changes an administrator makes on the primary or master machine are propagated by Cisco Access Registrar to a secondary or slave machine.
How Replication Works

When there is a configuration change, the master server propagates the change set to all member servers over the network. All member servers have to update their configuration after receiving the change set notifications from the master server. Propagating the change set to a member server involves multiple packet transfers from the master server to the member because the master server has to convey all the configuration changes to the member.
Slave Server

Step 1 When the slave server receives the transaction, its contents are verified.
Step 2 Once verified, the changes are applied to the slave server's database.
Step 3 The changes are then applied (hot-configured) in the slave server's in-memory configuration.
Step 4 The transaction is written to the slave server's replication archive.
Transaction Data Verification

When the master prepares a transaction for replication to a slave, the master calculates a 2's complement Cyclic Redundancy Check (CRC) for each element (individual configuration change) in the transaction and for the entire transaction and includes these CRC values in the transmitted transaction.
Full Resynchronization

Full Resynchronization means that the slave has missed more transactions than are stored in the master's replication archive and cannot be resynchronized automatically. There is no automatic full-resynchronization mechanism in Access Registrar's configuration replication feature. To perform a full resynchronization, refer to the Cisco Access Registrar User’s Guide.
Replication Configuration Settings

RepType

RepType indicates the type of replication. The choices available are SMDBR and NONE. When RepType is set to NONE, replication is disabled. To enable replication, set RepType to SMDBR for Single Master DataBase Replication. RepType must be set to SMDBR on both the master and slave servers.
If the slave should go down or otherwise be taken off line, the value of RepTransactionArchiveLimit and the frequency of aregcmd saves will determine how long the slave may be off-line before a full-resynchronization will be required. There are two reasons why a slave server should have an archive:
1. The slave must save the last received transaction for resynchronization purposes (at a minimum).
2.
Rep Members Subdirectory

The Rep Members\ subdirectory contains the list of slaves to which the master will replicate transactions.

Rep Members/Slave1

Each slave is added much like a client is added. Each slave must have a configuration in the Rep Members directory to be considered part of the replication network by the master.
CHAPTER 5

Understanding SNMP

This chapter provides information about Cisco Access Registrar support for SNMP.

Overview

Cisco Access Registrar 3.0 provides SNMP MIB and trap support for users of network management systems. The supported MIBs enable the network management station to collect state and statistic information from a Cisco AR server. The traps enable Cisco AR to notify interested network management stations of failure or impending failure conditions.
RADIUS-AUTH-SERVER-MIB

The RADIUS-AUTH-SERVER-MIB describes the server side of the RADIUS authentication protocol. The information contained in this MIB describes managed objects used for managing a RADIUS authentication server.

RADIUS-ACC-CLIENT-MIB

The RADIUS-ACC-CLIENT-MIB describes the client side of the RADIUS accounting protocol. The information contained in this MIB is useful when a Cisco AR server is used for accounting.
SNMP Traps

Supported Traps

The traps supported by Cisco Access Registrar enable Cisco AR to notify interested management stations of events, failure, or impending failure conditions. Traps are network messages of a specific format issued by an SNMP entity on behalf of a network management agent application. Traps are used to provide the management station with an asynchronous notification of an event.
carOtherAuthServerNotResponding

carOtherAuthServerNotResponding indicates that an authentication server is not responding to a request sent from this server.
carOtherAccServerResponding

carOtherAccServerResponding signifies that an accounting server that had previously sent a not responding message is now responding to requests from the Cisco AR server.
These files are optional and are only used to configure the extensible portions of the agent, the values of the community strings, and the optional trap destinations. By default, the first community string (“public” by default) is allowed read-only access and the second (“private” by default) is allowed write access, as well. The third to fifth community strings are also read-only.
Community String

A community string is used to authenticate the trap message sender (SNMP agent) to the trap recipient (SNMP management station). A community string is required in the list of trap receivers.
CHAPTER 6

Prepaid Billing Solution

This chapter describes the generic call flow between the three components required to support a prepaid billing solution using the RADIUS protocol: the AAA client, the Cisco Access Registrar 3.5 server, and a prepaid billing server.

Overview

When a subscriber uses a prepaid billing service, each call requires a set of data about the subscriber. However, the AAA network has no previous knowledge of the subscriber’s usage behavior.
Table 6-1 Measurements and Component Actions

Measurement Type | Billing Server Action | AAA Server Action | AAA Client Action
Duration | Return duration quota | Convert duration quota to VSAs and pass along | Compare running duration quota with quota returned by Cisco AR 3.5 server
Total volume | Return volume quota | Convert volume quota to VSAs and pass along | Compare running volume quota with quota returned by Cisco AR 3.
Configuring Prepaid Billing

Cisco AR 3.5 uses a prepaid service to support prepaid billing solutions.
Generic Call Flow

[Figure 6-1: Generic Call Flow Diagram, showing the numbered message flows between the AAA client, the AAA server, and the billing server]
Note In the following attribute tables, entries beginning with APPL indicate application-specific attributes. Another application might use the field for a different purpose or ignore the field. All the fields with APPL are specific to Mobile Wireless usage and are shown for illustration purposes.

Access-Request (Authentication)

Flow 1c shows the client sending the Access-Request to the AAA server, part of a normal authentication request.
Access-Accept (Authentication)

Flow 2b shows the billing server returning the authentication result. The billing server returns a failure if the prepaid subscriber has an inadequate balance. Flow 2s shows the Cisco AR 3.5 server sending the Access-Accept to the AAA client. This message flow contains at least one prepaid billing-specific VSA (listed in Table 6-3) and may contain other access technology-specific attributes.
In Flow 4s, the Cisco AR 3.5 server converts the quota array received into VSAs and sends an Access-Accept with the assembled VSAs to the AAA client. Table 6-5 lists the prepaid-specific VSAs that might be included in the Access-Accept response message sent to the AAA client. For more detailed information about the VSAs, refer to Vendor-Specific Attributes, page 6-10.
Access-Request (Quota Depleted)

Flow 7c shows the client sending an Access-Request to the Cisco AR 3.5 server because at least one quota has been depleted. The Access-Request includes different measurements of how much of the quotas were used in VSA format. This enables the billing server to account for the usage and manage the subscriber’s balance before assigning a new quota. Table 6-7 lists the attributes returned to the Cisco AR 3.
Table 6-8 Attributes Sent to AAA Client in Access-Accept (Reauthorization) (continued)

Attribute Number | Attribute Name
26, 9 | CRB_DOWNLINK_VOLUME
26, 9 | CRB_TOTAL_PACKETS
26, 9 | CRB_UPLINK_PACKETS
26, 9 | CRB_DOWNLINK_PACKETS

Accounting Stop (Session End)

In Flow 9c, the client sends an Accounting-Stop to the Cisco AR 3.5 server to end the session.
Table 6-9 Attributes Sent in Accounting-Stop Message (continued)

Attribute Number | Attribute Name | Description | Notes
26, 9 | CRB_DURATION
26, 9 | CRB_TOTAL_VOLUME | Refer to Vendor-Specific Attributes, page 6-10 | Conditional
26, 9 | CRB_UPLINK_VOLUME
26, 9 | CRB_DOWNLINK_VOLUME
26, 9 | CRB_TOTAL_PACKETS
26, 9 | CRB_UPLINK_PACKETS
26, 9 | CRB_DOWNLINK_PACKETS
26, 9 | CRB_SESSION_ID | Specifies the RADIUS attribute carrying the session ID information | Op
Table 6-10 Vendor-Specific Attributes for the Cisco Prepaid Billing Solution

VSA Name | Type | Source (Call Flow) | Description
CRB_USER_TYPE (crb-entity-type) | Int8 | 4s | Type of user: 1. Prepaid user 2. Post-paid with no credit limit 3. Post-paid with credit limit 4.
VSA Name | Type | Source (Call Flow) | Description
CRB_TERMINATE_CAUSE (crb-terminate-cause) | Int8 | 4se | Identifies why a subscriber failed authentication: 1. Exceeded the balance 2. Exceeded the overdraft 3. Bad credit 4. Services suspended 5. Invalid User
CRB_PRIVATE (crb-private) | String | n/a | Reserved for future use
GLOSSARY

A

Access point: A device that bridges the wireless link on one side to the wired network on the other.
Analog Channel: A circuit-switched communication path intended to carry 3.1 KHz audio in each direction.
ARP: Address Resolution Protocol is the TCP/IP protocol that translates an Internet address into the hardware address of a network interface card.
ATM: Asynchronous Transfer Mode is a virtual circuit, fast packet technology.
C

CSU/DSU: Channel Service Unit/Data Service Unit isolates your network from your exchange carrier’s network. It also receives the timing, low-level framing information, and data passed from the termination point. CSU/DSUs are specific to the general circuit type.
Customer: A user of an ISP or an enterprise. The provider offers the customer MPLS VPN service. The enterprise provides the customer remote user access to various sites.
F

FT: Field Technician is someone who installs your cable modem in your house.
Frame Relay: Frame Relay is a cost-effective, lightweight, many-to-many, medium-speed, virtual network, link-layer technology.

I

ISDN: Integrated Services Digital Network enables synchronous PPP access.
ISP: Internet Service Provider is a company that provides Internet connectivity.

H

HDLC: High-level Data Link Control is both a point-to-point and multiparty link-layer technology.
M

MIB: Management Information Base—Database of network management information used and maintained by a network management protocol such as SNMP. The value of a MIB object can be changed or retrieved using SNMP commands. MIB objects are organized in a tree structure that includes public and private branches.
P

packet: A block of data in a standard format for transmission.
PAP: Password Authentication Protocol is a simple PPP authentication mechanism in which a cleartext username and password are transmitted to prove identity.
Payload: The contents of a request packet.
PDU: Protocol Data Unit—An SNMP compliant request, response, or trap message.
PE Router: Provider Edge router—a router located at the edge of the provider’s MPLS core network.
R

RADIUS Dictionary: The RADIUS dictionary passes information between a script and the RADIUS server, or between scripts running on a single packet.
RADIUS Proxy: In order to provide for the routing of RADIUS authentication and accounting requests, a RADIUS proxy may be employed. To the NAS, the RADIUS proxy appears to act as a RADIUS server, whereas to the RADIUS server the proxy appears to act as a RADIUS client.
S

Service: A means of specifying the method to use to perform a function. A service can be specified for the following functions: authentication, authorization, accounting, and authentication-authorization. For example, a service can specify that authentication be performed using the local database, or a service can specify that accounting be supported by logging information to a file.
Services: Three default services are referenced by the server configuration and when processing scripts.
T

TACACS: Terminal Access Controller Access Control System, an authentication server that validates user IDs and passwords, thus controlling entry into systems.
Telnet: A service that lets you log in to a system over a network just as though you were logging in from a remote character terminal attached to the system. It is commonly used to provide an Internet service that is exactly the same as the one you would get if you dialed into the system directly with a modem.
V

VPN: Virtual Private Network is a way for companies to use the Internet to securely transport private data.
VRF: Virtual routing and forwarding. A per-VPN routing table on the PE router. Each VPN instantiated on that PE router has its own VRF.

X

X.25: A reliable public data network technology consisting of private virtual circuits, virtual calling, and per-packet charging.
X.500: Defines the Directory Access Protocol (DAP) for clients to use when contacting directory servers.