Cisco Cisco Access Registrar 5.0 Information Guide
Q&A
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 4 of 11
Q.
Is Cisco Access Registrar able to reject an authentication request on the basis of RADIUS attributes
other than the user credentials?
A.
Cisco Access Registrar supports the concept of check items. Check items are a list of RADIUS attribute value
pairs that are associated with user groups or individual user profiles. On successful completion of legacy
authentication, Access Registrar verifies the attributes in the check item list with those in the requests, and the
values should match for successful response.
Cisco Access Registrar architecture incorporates the highest level of extensibility and supports custom Tcl,
C/C++, or Java scripts that can be deployed at numerous API points that Access Registrar exposes. This can be
used to develop and deploy custom logic for user authentication or authorization.
Q.
What are Cisco Access Registrar extensions?
A.
Cisco Access Registrar provides a number of extension points where customers or system integrators may
extend the logic of the product through C/C++ shared libraries, Java, or Tcl scripts. These extension points allow
access to incoming and outgoing RADIUS/Diameter packets for complete processing control. Extension points
also support the integration of completely proprietary AAA services with a RADIUS/Diameter front end.
Q.
What is the use of Cisco Access Registrar’s Class attribute?
A.
Cisco Access Registrar supports the Class attribute.
When the DetectOutOfOrderAccountingPacket property is enabled (set to TRUE), a new Class attribute is
included in all outgoing accept packets. The value for this Class attribute will contain the session magic number.
The client will echo this value in the accounting packets, and this will be used for comparison.
The session magic number is a unique number created for all sessions when the session is created or reused
and the DetectOutOfOrderAccountingPacket property is set to TRUE. The DetectOutOfOrderAccountingPacket
property is used to detect out-of-order accounting stop packets in roaming scenarios by comparing the session
magic number value in the session with the session magic number value contained in the accounting packet.
The value of 0xffffffff is considered by the Cisco Access Registrar server to be a wild card magic number. If any
accounting stop packet contains the value of 0xffffffff, it will pass the session magic validation even if the
session’s magic number is something else.
The format of the class attribute is as follows:
<4-byte Magic Prefix><4-byte server IP address><4-byte Magic value>
Q.
What session management features does Cisco Access Registrar have?
A.
Cisco Access Registrar is able to track user sessions. By tracking these sessions, Cisco Access Registrar can
enforce session limits on a per user or group basis. It can also manage shared resources, including IP
addresses, home-agent assignment, and on-demand address pools (for Multiprotocol Label Switching [MPLS]
VPNs).
Cisco Access Registrar maintains an in-memory table of active user sessions. It can be configured to store
RADIUS attributes in the session table. Cisco Access Registrar allows applications on the network to query this
session table using either RADIUS or Extensible Markup Language (XML) queries from the 4.1 release.
Apart from writing the user session in an in-memory table, Cisco Access Registrar 5.0 supports writing the
session information to an external Oracle server, which will eventually break the session limit of 4 million in
memory in Access Registrar 4.2.
Cisco Access Registrar can query sessions by their age and then release them and generate a PoD if
necessary.