Cisco Cisco Prime Access Registrar 6.1
3
Cisco Prime Access Registrar 6.1 Release Notes
OL-29758-01
New and Enhanced Features in Cisco Prime Access Registrar 6.1
RADIUS <-> Diameter Translation
Prime Access Registrar supports translation of incoming RADIUS request/response messages to
Diameter request/response messages and vice versa.
Diameter request/response messages and vice versa.
The following services are created to set up the translation framework:
•
Radius-Diameter—For translation of incoming RADIUS request/response to a Diameter
request/response
request/response
Note
RADIUS to Diameter translation comes with an option to perform 3GPP reverse authorization.
You can set the corresponding parameter to TRUE during the RADIUS to Diameter conversion.
In this case, the request command mapping must not be defined because a new diameter request
is created from the radius request by the 3GPP reverse authorization service.
You can set the corresponding parameter to TRUE during the RADIUS to Diameter conversion.
In this case, the request command mapping must not be defined because a new diameter request
is created from the radius request by the 3GPP reverse authorization service.
•
Diameter-Radius—For translation of incoming Diameter request/response to an equivalent
RADIUS request/response
RADIUS request/response
The GUI is updated with new fields/options to support this functionality.
Diameter Query Support
A new service type is added to query cached data through Diameter Packets. It contains the list of session
managers to be queried from and a list of (cached) attributes to be returned in the Access-Accept packet
in response to a Diameter Query request.
managers to be queried from and a list of (cached) attributes to be returned in the Access-Accept packet
in response to a Diameter Query request.
Support for EAP-AKA-Prime (EAP-AKA’) Protocol
EAP-AKA-Prime (EAP-AKA') is an EAP authentication method, with a small revision to the existing
EAP-AKA method. EAP- AKA' has a new key derivation function, which binds the keys derived within
the method to the name of the access network. This limits the effects of compromised access network
nodes and keys.
EAP-AKA method. EAP- AKA' has a new key derivation function, which binds the keys derived within
the method to the name of the access network. This limits the effects of compromised access network
nodes and keys.
EAP- AKA' is similar to EAP-AKA in all aspects except the following:
•
Key derivation involves an AT_KDF_INPUT attribute, which is mapped to the NetworkName
attribute, and an AT_KDF attribute, which takes the key derivation function in the configuration, to
ensure that the peer and the server know the name of the access network.
attribute, and an AT_KDF attribute, which takes the key derivation function in the configuration, to
ensure that the peer and the server know the name of the access network.
•
EAP-AKA' employs SHA-256 (Secure Hash Algorithm) instead of SHA-1 as used in EAP-AKA, to
ensure more security.
ensure more security.
The GUI is updated with new fields to support this functionality.
FastRules and Internal Scripts
FastRules provides a mechanism to easily choose the right authentication, authorization, accounting, and
query service(s), drop, reject, or break flows, choose session manager or other rules required for
processing a packet. You can use the GUI/CLI to configure FastRules.
query service(s), drop, reject, or break flows, choose session manager or other rules required for
processing a packet. You can use the GUI/CLI to configure FastRules.
FastRules has the following capabilities:
•
Provides maximum flexibility and ease in matching information in the incoming packets for
choosing the appropriate service to apply
choosing the appropriate service to apply