Configuring Cisco Access Registrar

Cisco Access Registrar is very flexible. You can choose to configure it in many different ways. In addition, you can write scripts that can be invoked at different points during the processing of incoming requests and/or outgoing responses.

Before you can take advantage of this flexibility, it helps to configure a simple site. This chapter describes that process. It specifically describes a site that has the following characteristics:

Uses a single user list for all of its users
Writes all of its accounting information to a file
Does not use session management to allocate or track dynamic resources.

Using aregcmd

To configure Cisco Access Registrar, use the aregcmd commands, which are command-line based configuration tools. These commands allow you to set any Cisco Access Registrar configuration option, as well as, start and stop the Cisco Access Registrar RADIUS server and check its statistics.

General Command Syntax

Cisco Access Registrar stores its configuration information in a hierarchy. Using the aregcmd command cd (change directory), you can move through this information in the same manner as you would through a hierarchical file system. Or you can supply full pathnames to these commands to affect another part of the hierarchy, and thus avoid explicitly using the cd command to change to that part of the tree.

The aregcmd commands are case insensitive, which means that you can use upper or lowercase letters to designate elements. In addition, when you reference existing elements in the configuration, you only need to specify enough of the element's name to distinguish it from the other elements at that level. For example, instead of typing "cd Administrators," you can type "cd ad" if no other element at the current level begins with "ad."

The aregcmd commands are command-line order dependent; that is, the arguments are interpreted based on their position on the command line. To indicate an empty string as a place holder on the command line, use either two single quotes (") or two double quotes (""). In addition, if you use any arguments that contain spaces, make sure to quote the arguments.

Aregcmd Commands

The aregcmd commands can be grouped into the following categories:

Navigation commands---navigates within the Cisco Access Registrar hierarchy; commands include cd, ls , pwd, next, prev, filter, and find.
Object commands---adds or deletes objects; commands include add and delete.
Property commands---changes the value of properties; commands include set, unset, and insert.
Server commands---manages the server; commands include save, validate, start, stop, reload, status, stats, and trace.
Application commands---allows user access to the application; commands include login, logout, exit, quit, and help.
Session management commands---queries the server about sessions or release active sessions; commands include query-sessions and release-sessions.

This chapter uses only a few of the above commands to configure the Cisco Access Registrar RADIUS server. For more information about all the aregcmd commands, see the
Cisco Access Registrar User Guide.

Configuring a Basic Site

The simplest RADIUS server configuration is a site that uses a single user list for all its users, writes its accounting information to a file, and does not use session management to allocate dynamic resources.

To configure such a site, do the following:

1. Run the aregcmd command on your Cisco Access Registrar machine.

2. Configure the Cisco Access Registrar RADIUS server settings, such as the server name and the server defaults.

3. Add users by copying the sample users.

4. Configure the clients, that is, the NASs and proxies that communicate with Cisco Access Registrar.

5. Change profile attributes as needed.

6. Save your changes and reload your Cisco Access Registrar RADIUS server.

Running Aregcmd

To configure Cisco Access Registrar, do the following:

Step 1 Run the aregcmd command:

> /opt/AICar1/usrbin/aregcmd

Step 2 Type your cluster administrator name and password. The installation default is admin for the administrator and aicuser for the password.

Changing the Administrator's Password

Cisco Access Registrar is configured with the default administrator, admin whose password is aicuser. You should, at the very least, change the password.

Step 1 Use the cd command to change to the Administrators level. Cisco Access Registrar displays the contents of the Administrators object.

--> cd //localhost/Administrators

Step 2 Use the cd command to change to admin:

--> cd admin
[ //localhost/Administrators ]

Entries 1 to 1 from 1 total entries

Current filter: <all>

admin/

Step 3 Use the set command to change the administrator's password. Note, you enter the password on the command line in readable form, however, Cisco Access Registrar displays it as encrypted.

The following example changes the password to 345. You are asked to retype it for confirmation.

--> set Password 345

Optionally, use the set command to change the description of the admin administrator.

--> set Description local

Step 4 Use the ls command to display the changed admin.

--> ls

Creating Additional Administrators

Use the add command to add additional administrators.

Step 1 Use the cd command to change to the Administrators level:

--> cd /Administrators

Step 2 Use the add command and specify the name of the administrator, an optional description, and a password.

The following example adds the administrator jane, description testadmin, and password 123:

--> add jane testadmin 123

Step 3 Use the ls command to display the properties of the new administrator:

--> ls

Configuring the RADIUS Server

The top level of the Cisco Access Registrar's RADIUS server is the Radius object itself. It specifies the name of the server and other parameters. In configuring this site, you only need to change a few of these properties.

[ //localhost/Radius ]
    Name = Radius
    Description =
    Version = 1.3
    IncomingScript =
    OutgoingScript =
    DefaultAuthenticationService = local-users
    DefaultAuthorizationService = local-users
    DefaultAccountingService = local-file
    DefaultSessionManager = session-mgr-1
    UserLists/
    UserGroups/
    Clients/
    Vendors/
    Scripts/
    Services/
    SessionManagers/
    ResourceManagers/
    Profiles/
    RemoteServers/
    Advanced/

Checking the System-Level Defaults

Because this site does not use incoming or outgoing scripts, you do not need to change the scripts' properties (IncomingScript and OutgoingScript).

Since the default authentication and authorization properties specify a single user list, you can leave these unchanged as well (DefaultAuthenticationService and DefaultAuthorizationService). And because you have decided to use a file for accounting information, you can leave this property unchanged (DefaultAccountingService).

Session management, however, is on by default (DefaultSessionManager). As you do not want to use session management, you must disable it. Use the set command, type DefaultSessionManager, then specify an empty string by typing a set of double quotes:

: set DefaultSessionManager ""

Note When you do not want Cisco Access Registrar to monitor resources for user sessions, you should disable session management, because using it affects your RADIUS server's performance.

For more information about Session Management, see the "Configuring a Session Manager" section.

You have now configured some of the properties for the RADIUS server. The next step is to add users.

Checking the Server's Health

The following things decrement the server's health:

the rejection of an Access-Request
configuration errors
running out of memory
errors reading from the network
dropping packets that cannot be read (because the server ran out of memory)
errors writing to the network.

Note, Cisco Access Registrar logs all of these conditions. Sending a successful response to any packet increments the server's health.

To check the server's health, use the status command in aregcmd.

Displaying the UserLists

The first subobject in the radius hierarchy that you can configure is the Userlists. The UserLists object contains all of the individual UserLists, which in turn contain the specific users.

When Cisco Access Registrar receives an Access-Request, it directs it to an authentication and/or authorization Service. If the Service has its type set to local, the Service looks up the user's entry in the specific UserList, and authenticates and/or authorizes the user.

Cisco Access Registrar, by default, specifies a Service called local-users that has the type local and uses the Default UserList (Figure 2-1).

Figure 2-1: Choosing Appropriate Services

Displaying the Default UserList

Step 1 Use the cd command to change to UserLists/Default:

--> cd /Radius/Userlists/Default

Step 2 Use the ls -R command to display the properties of the three users:

--> ls -R

Cisco Access Registrar displays the three sample users:

bob who is configured as a PPP user
jane who is configured as a Telnet user
joe who is configured as either a PPP or Telnet user depending on how he logs in.

Configuring Users

Using the sample users as models, configure a few users for your site.

Step 1 Use the cd command to change to the Default UserList:

--> cd /Radius/Userlists/Default

Step 2 Use the add command to add a user. You must supply the name, an optional description, a password, whether the user is enabled (that is, is allowed access), and an optional group. The following example adds the user beth with the description Marketing, the password 123, Enabled set to TRUE, and specifying the PPP-users group:

--> add beth Marketing 123 TRUE PPP-users

Step 3 Repeat for the other users you want to add.

Step 4 Use the ls command to check your additions:

--> ls

Note When using the aregcmd command, you can use the add command and specify all of the properties, or you can use the add command to create the object, and then use the set command and property name to set the property. For an example of using the set command, see the "Adding a NAS" section.

Deleting Users

To delete the sample users, or if you want to remove a user you have added, use the delete command.

From the appropriate UserList, use the delete command, and specify the name of the user you want to delete. For example, to delete user beth from the Default UserList, type:

: --> cd /Radius/UserLists/Default
--> delete beth

Displaying UserGroups

The UserGroups object contains the specific UserGroups. Specific UserGroups allow you to maintain common authentication and authorization attributes in one location, and then have users reference them. By having a central location for attributes, you can make modifications in one place instead of having to make individual changes throughout your user community.

Cisco Access Registrar has three default UserGroups:

Default---uses the script AuthorizeService to determine the type of service to provide the user.

PPP-users---uses the BaseProfile default-PPP-users to specify the attributes of PPP service to provide the user. The BaseProfile default-PPP-users contains the attributes that are added to the response dictionary as part of the authorization. For more information about Profiles, see the "Configuring Profiles" section.
Telnet-users---uses the BaseProfile default-Telnet-users to specify the attributes of Telnet service to provide the user. The BaseProfile default-Telnet-users contains the attributes that are added to the response dictionary as part of the authorization.

For this basic site, you do not need to change these UserGroups. You can, however, use the add or delete commands to add or delete groups.

Configuring Clients

The Clients object contains all NASs and proxies that communicate directly with Cisco Access Registrar. Each client must have an entry in the Clients list, because each NAS and proxy share a secret with the RADIUS server, which is used to encrypt passwords and to sign responses.

Note If you are just testing Cisco Access Registrar with the radclient command, the only client you need is localhost. The localhost client is available in the sample configuration. For more information about using the radclient command, see the "Using Radclient" section.

Adding a NAS

You must configure your specific NAS(s) from both ends of the connection (that is, you must configure Cisco Access Registrar for your NAS, and you must configure your NAS for Cisco Access Registrar).

Step 1 Use the cd command to change to the Clients level:

--> cd /Radius/Clients

Step 2 Use the add command to add the NAS: QuickExampleNAS:

--> add QuickExampleNAS

Step 3 Use the cd command to change directory to the QuickExampleNAS directory:

--> cd /Radius/Clients/QuickExampleNAS

Step 4 Use the set command to specify the description WestOffice, the IP address 196.168.1.92, the shared secret of xyz, the Type as NAS, and the Vendor as USR. Because you want to choose the service based on the user requests, set the IncomingScript as ParseServiceHints (see user joe in the "Configuring a Default Group" section).

--> set Description WestOffice
--> set IPAddress 196.168.1.92
--> set SharedSecret xyz
--> set Type NAS
--> set Vendor USR
--> set IncomingScript ParseServiceHints

The script, ParseServiceHints, checks the username for %PPP or %SLIP. It uses these tags to modify the request so it appears to the RADIUS server that the NAS requested that service.

Note When you are using a different NAS than the one in the example, or when you are adding NAS proprietary attributes, see the Cisco Access Registrar User Guide for more information about configuring Client and Vendor objects.

Configure your NAS, using your vendor's documentation. Make sure both your NAS and the Client specification have the same shared secret.

Configuring Profiles

The Profiles object allows you to set specific RFC-defined attributes that Cisco Access Registrar returns in the Access-Accept response. You can use profiles to group attributes that belong together, such as attributes that are appropriate for a particular class of PPP or Telnet user. You can reference profiles by name from either the UserGroup or the user properties. The sample users, mentioned earlier in this chapter, reference the following Cisco Access Registrar profiles:

default-PPP-users---specifies the appropriate attributes for PPP service
default-SLIP-users---specifies the appropriate attributes for SLIP service
default-Telnet-users---specifies the appropriate attributes for Telnet service.

Changing Radius Attributes

When the attributes are not appropriate for your site, or when you would like to add additional attributes, do the following:

Step 1 Use the cd command to change to the appropriate profile and attribute. The following example changes to the Default-Telnet-users/attribute level:

--> cd /Radius/Profiles/Default-Telnet-users/att

Step 2 Use the set command to add the name=value attribute. The following example adds the attribute Service-Type=Framed:

--> set Service-Type Framed

Validating and Using Your Changes

After you have finished configuring your RADIUS server, you must save your changes. Saving your changes causes Cisco Access Registrar to validate your changes and, if there were no errors, commit them to the configuration database.

Using the save command, however, does not automatically update your server. To update your server you must use the reload command. The reload command stops your server if it is running, and then restarts the server, which causes Cisco Access Registrar to reread the configuration database.

You must save and reload your server in order for Cisco Access Registrar to be able to use your configuration changes.

Saving and Reloading

From anywhere in the radius object hierarchy, type the save and reload commands.

Step 1 Use the save command to save your changes:

--> save

Step 2 Use the reload command to reload your server.

--> reload

Testing Your Configuration

Now that you have configured some users and a NAS, you are ready to test your configuration. There are two ways you can test your site:

1. You can act as a user and dial in to your NAS, and check that you can successfully log in.

2. You can run the radclient command, and specify one of the default users when making a request.

Using Radclient

You can use the radclient command simple to create and send a packet. The following example creates an Access-Request packet for user john with password john, and the packet identifier p001. It displays the packet before sending it. It uses the send command to send the packet, which displays the response packet object identifier, p002. Then, the example shows how to display the contents of the response packet.

Step 1 Run the radclient command. It prompts you for the cluster name. Enter the cluster name.

> /opt/AICar1/usrbin/radclient

Step 2 The radclient command prompts you for the administrator's username and password (as defined in Cisco Access Registrar's configuration). Use admin for the admin name, and aicuser for the password.

Access Registrar RADIUS Test Client Version 1.3
Copyright (C) 1995-1998 by American Internet Corporation, and 1999 by Cisco Systems, Inc. All rights reserved.
Logging in to localhost... done.

Step 3 Create a simple Access-Request packet for User-Name john and User-Password john. At the prompt, type:

--> simple john john
p001

The radclient command displays the ID of the packet p001.

Step 4 Type the packet identifier:

--> p001
Packet: code = Access-Request, id = 0, length = 0, attributes = User-Name = john User-Password = john NAS-Identifier = localhost NAS-Port = 0

Step 5 Send the request to the default host (localhost), type:

--> p001 send
p002

Step 6 Type the response identifier to display the contents of the Access-Accept packet:

--> p002
Packet: code = Access-Accept, id = 1,\ length = 38, attributes = Login-IP-Host = 196.168.1.94 Login-Service = Telnet Login-TCP-Port = 541

Troubleshooting Your Configuration

If you are unable to receive an Access-Accept packet from the Cisco Access Registrar server, you can use the aregcmd command trace to troubleshoot your problem.

The trace command allows you to set the trace level on your server, which governs how much information the server logs about the contents of each packet. You can set the trace levels from zero to four. The system default is zero, which means that no information is logged.

Setting the Trace Level

Step 1 Run the aregcmd command.

> /opt/AICar1/usrbin/aregcmd

Step 2 Use the trace command to set the trace level to 1-4.

--> trace 2

Step 3 Try dialing in again.

Step 4 Use the UNIX tail command to view the end of the name_radius_1_trace log.

host% tail -f /opt/AICar1/logs/name_radius_1_trace

Step 5 Read through the log to see where the request failed.

Table of Contents

Configuring Cisco Access Registrar