Cisco Prime Access Registrar 6.1 Release Notes



Cisco Prime Access Registrar (Prime Access Registrar) is a high performance, carrier class, 3GPP-compliant, RADIUS/Diameter solution that provides scalable, flexible, intelligent authentication, authorization, and accounting (AAA) services.

Prime Access Registrar comprises a RADIUS/Diameter server designed from the ground up for performance, scalability, and extensibility for deployment in complex service provider environments including integration with external data stores and systems. Session and resource management tools track user sessions and allocate dynamic resources to support new subscriber service introductions.


Note: Prime Access Registrar can be used with Red Hat Enterprise Linux 5.3/5.4/5.5/6.0/6.1/6.2 32-bit/64-bit operating system (64-bit operating system can be used with the required 32-bit libraries installed) using kernel 2.6.18-128.el5 or later versions of 2.6, and Glibc version: glibc-2.5-34 or later.

Solaris support for Prime Access Registrar Version 6.1 will be provided in a future maintenance release.


Contents

This release note contains the following sections:

New and Enhanced Features in Cisco Prime Access Registrar 6.1

System Requirements

Co-Existence With Other Network Management Applications

Known Anomalies in Cisco Prime Access Registrar 6.1

Anomalies Fixed in Cisco Prime Access Registrar 6.1

Related Documentation

Obtaining Documentation and Submitting a Service Request

New and Enhanced Features in Cisco Prime Access Registrar 6.1

Prime Access Registrar introduces the following features for Version 6.1:

3GPP Compliance

Diameter Enhancements

Support for EAP-AKA-Prime (EAP-AKA') Protocol

FastRules and Internal Scripts

IPv6 Support

Quintets to Triplets Conversion

3GPP Compliance

Prime Access Registrar supports 3GPP compliance by implementing the following:

SWa reference point between an untrusted non-3GPP IP access and a 3GPP AAA server/proxy.

STa reference point between a trusted non-3GPP access and a 3GPP AAA server/proxy.

SWm reference point between an Evolved Packet Data Gateway (ePDG) and a 3GPP AAA server/proxy.

SWd reference point between a 3GPP AAA server and a 3GPP AAA proxy.

SWx reference point between a Home Subscriber Server (HSS) and a 3GPP AAA server.

S6b reference point between a Packet Data Network (PDN) GW and a 3GPP AAA server/proxy.

Diameter Enhancements

This topic contains the following sections:

Diameter with EAP Support

RADIUS <-> Diameter Translation

Diameter Query Support

Diameter with EAP Support

Prime Access Registrar supports the Diameter Extensible Authentication Protocol (EAP) application, which carries EAP packets between a Network Access Server (NAS) working as an EAP Authenticator and a back-end authentication server. In the Diameter EAP application, authentication occurs between the EAP client and its home Diameter server. This end-to-end authentication reduces the possibility for fraudulent authentication, such as replay and man-in-the-middle attacks. End-to-end authentication also provides a possibility for mutual authentication, which is not possible with PAP and CHAP in a roaming PPP environment.

The GUI is updated with new fields/options to support this functionality.

RADIUS <-> Diameter Translation

Prime Access Registrar supports translation of incoming RADIUS request/response messages to Diameter request/response messages and vice versa.

The following services are created to set up the translation framework:

Radius-Diameter—For translation of incoming RADIUS request/response to a Diameter request/response


Note: RADIUS to Diameter translation comes with an option to perform 3GPP reverse authorization. You can set the corresponding parameter to TRUE during the RADIUS to Diameter conversion. In this case, the request command mapping must not be defined because a new Diameter request is created from the RADIUS request by the 3GPP reverse authorization service.


Diameter-Radius—For translation of incoming Diameter request/response to an equivalent RADIUS request/response

The GUI is updated with new fields/options to support this functionality.

Diameter Query Support

A new service type is added to query cached data through Diameter packets. It contains the list of session managers to be queried and a list of (cached) attributes to be returned in the Access-Accept packet in response to a Diameter Query request.

Support for EAP-AKA-Prime (EAP-AKA') Protocol

EAP-AKA-Prime (EAP-AKA') is an EAP authentication method, with a small revision to the existing EAP-AKA method. EAP-AKA' has a new key derivation function, which binds the keys derived within the method to the name of the access network. This limits the effects of compromised access network nodes and keys.

EAP-AKA' is similar to EAP-AKA in all aspects except the following:

Key derivation involves an AT_KDF_INPUT attribute, which is mapped to the NetworkName attribute, and an AT_KDF attribute, which takes the key derivation function in the configuration, to ensure that the peer and the server know the name of the access network.

EAP-AKA' employs SHA-256 (Secure Hash Algorithm) instead of the SHA-1 used in EAP-AKA, for stronger security.

The GUI is updated with new fields to support this functionality.

FastRules and Internal Scripts

FastRules provides a mechanism to easily choose the right authentication, authorization, accounting, and query service(s); drop, reject, or break flows; and choose the session manager or other rules required for processing a packet. You can use the GUI/CLI to configure FastRules.

FastRules has the following capabilities:

Provides maximum flexibility and ease in matching information in the incoming packets for choosing the appropriate service to apply

Provides an option to match values in AVPs based on value ranges, exact match, and simple string comparisons

Provides an easy and efficient alternative to the rule/policy engine and scripting points for most common use cases

Prime Access Registrar also allows you to define internal scripts, by which you can add, modify, or delete attributes in the request, response, and environment dictionaries for RADIUS, Diameter, and TACACS+. You can use the Prime Access Registrar GUI or CLI to configure the internal scripts.

The GUI is updated with new fields to support this functionality.

IPv6 Support

Prime Access Registrar supports IPv6 in the following manner:

By interacting with external database servers using IPv6, including LDAP, Oracle, and MySQL

By allowing HTTP and Simple Network Management Protocol (SNMP) to be queried over IPv6

Quintets to Triplets Conversion

Prime Access Registrar provides a configuration option in the EAP-SIM service which, when enabled, allows conversion of quintets received from a Universal Mobile Telecommunications Service (UMTS) subscriber to triplets. This feature facilitates backward compatibility by allowing EAP-SIM authentication to be performed from an EAP-AKA or EAP-AKA' source.

The GUI is updated with new fields to support this functionality.
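The page does not say which conversion functions Prime Access Registrar applies. This added example (not Cisco code) assumes the standard c1, c2 and c3 functions of 3GPP TS 33.102 and runs them on a constructed quintet.

```python
def _xor(*parts: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytearray(len(parts[0]))
    for part in parts:
        for i, byte in enumerate(part):
            out[i] ^= byte
    return bytes(out)


def quintet_to_triplet(rand: bytes, xres: bytes, ck: bytes, ik: bytes):
    """Convert a UMTS quintet (RAND, XRES, CK, IK, AUTN) to (RAND, SRES, Kc).

    AUTN is not an input: GSM triplets have no network-authentication token,
    so the mutual authentication of AKA is not carried over.
    """
    if len(rand) != 16 or len(ck) != 16 or len(ik) != 16:
        raise ValueError("RAND, CK and IK must each be 16 bytes")
    if not 4 <= len(xres) <= 16:
        raise ValueError("XRES must be 4 to 16 bytes")
    # c2: pad XRES with zeros to 16 bytes, then fold its four 32-bit words.
    padded = xres.ljust(16, b"\x00")
    sres = _xor(*(padded[i:i + 4] for i in range(0, 16, 4)))
    # c3: fold the 128-bit CK and IK into one 64-bit Kc.
    kc = _xor(ck[:8], ck[8:], ik[:8], ik[8:])
    # c1: RAND is passed through unchanged.
    return rand, sres, kc


# Constructed sample quintet values (not from a real subscriber).
RAND = bytes.fromhex("101112131415161718191a1b1c1d1e1f")
XRES = bytes.fromhex("a1b2c3d4e5f60718")  # 8-byte XRES exercises the padding
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("0123456789abcdeffedcba9876543210")

if __name__ == "__main__":
    rand, sres, kc = quintet_to_triplet(RAND, XRES, CK, IK)
    print("SRES =", sres.hex(), "Kc =", kc.hex())
```

The resulting Kc is 64 bits, so a session authenticated through the converted triplet has GSM-level key strength regardless of the 128-bit CK and IK it was derived from.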

System Requirements

This section describes the system requirements to install and use the Prime Access Registrar software.

Table 1 lists the system requirements for Prime Access Registrar 6.0.2.

Table 1 Minimum Hardware and Software Requirements for Prime Access Registrar Server

| Component | Linux Operating System |
|---|---|
| OS version | RHEL 5.3/5.4/5.5/6.0/6.1/6.2 |
| Model | X86 |
| CPU type | Intel Xeon CPU 2.3 GHz |
| CPU Number | 4 |
| CPU speed | 2.3 GHz |
| Memory (RAM) | 8 GB |
| Swap space | 10 GB |
| Disk space | 1*146 GB |



Note: Solaris support for Prime Access Registrar Version 6.1 will be implemented in a future release.


Co-Existence With Other Network Management Applications

To achieve optimal performance, Prime Access Registrar should be the only application running on a given server. In certain cases, when you choose to run collaborative applications such as an SNMP agent, you must configure Prime Access Registrar to avoid UDP port conflicts. The most common conflicts occur when other applications also use ports 2785 and 2786. For more information on SNMP configuration, see the Configuring SNMP section in the Cisco Prime Access Registrar 6.1 Installation and Configuration Guide.

Known Anomalies in Cisco Prime Access Registrar 6.1

Table 2 lists the known anomalies in Prime Access Registrar 6.1.

Table 2 Known Anomalies in Prime Access Registrar 6.1

| Bug | Description |
|---|---|
| CSCtx56259 | With OCI buffering, during restarts, rarely few packets can be missing. |
| CSCtz22609 | odbc-acc failover is not working when backup server buffer is disabled. |
| CSCue05688 | Prime Access Registrar intermittently crashes in stress test. |
| CSCue75064 | Send Authentication Info message should handle the user error. |
| CSCuh11513 | Prime Access Registrar crashes if ORACLE path is invalid or without ORACLE path. |
| CSCuh93941 | Replication takes more time to stop If SNMP is enabled while restarting Prime Access Registrar. |


Anomalies Fixed in Cisco Prime Access Registrar 6.1

Table 3 lists the anomalies fixed in Prime Access Registrar 6.1.

Table 3 Anomalies Fixed in Prime Access Registrar 6.1

| Bug | Description |
|---|---|
| CSCua78429 | Radius Process restart (crash) when Prime Access Registrar encounters ORA native error |
| CSCue73279 | Service Indicator value is not reflecting in sigtran M3UA remote server |
| CSCug23495 | Replication issues in Prime Access Registrar 6.0.1 |
| CSCug68733 | In GUI while trying to access replication it prompts for reload |
| CSCug88686 | Exception error when cancelling clients after validation error is thrown |
| CSCug96772 | MRD flow need to support for map version 3 in m3ua remoteserver |
| CSCuh11892 | User List is not getting deleted in GUI |
| CSCuh22088 | Exception is thrown while adding the m3ua configuration in GUI |
| CSCuh35900 | In m3ua service map version field needs to be added in GUI |
| CSCuh54201 | Default value of local subsystem number is 6 instead of 149 |
| CSCuh54507 | Error message is not proper for sigtran-m3ua remote server in GUI |
| CSCuh55633 | m3ua logging needs rollover mechanism |
| CSCuh57180 | AuthApplication in diameter is false by default instead of True in GUI |
| CSCuh57716 | Validation error should be thrown for replication in CLI |
| CSCuh63964 | Validation missing for "type" field of rules |
| CSCuh96009 | The Prime Access Registrar is not allow to replication configuration in slave machine |
| CSCui03817 | Validation error is thrown twice for oci-accounting remoteserver in CLI |
| CSCui21241 | ExtendedBackingStore should wait for the background threads to complete |
| CSCuj49498 | Prime Access Registrar crashes when disable the buffering in oci-accounting |
| CSCuj54040 | OCI should support same attributes occurrence in multiple time markerlist |
| CSCuj93962 | RemoteSession server cannot be saved when UseCacheIndex is set to true/false |
| CSCuj97213 | Error exception thrown when any of the fields in Advanced->logs is deleted |
| CSCul15395 | Base license should not allow to enable the Tacacs+ in Prime Access Registrar |
| CSCul29176 | Segmentation fault in service with 6.0 base & dir license in Prime Access Registrar 6.1 |
| CSCul35520 | save button should be present to update session manager configuration |
| CSCul56011 | "Oci-accounting" caused the GUI not to populate in ODBC-Accounting |
| CSCul58044 | Can't configure OCI Oracle and ODBC MySQL RemoteServers at the same time |
| CSCul73611 | sigtran-m3ua sourceGT digit(CgPA) length need to support up to 15 digits |
| CSCul93651 | Need to include DefaultRadiusSharedSecret field in GUI |
| CSCul93939 | Eap-fast is not working with normal behavior dropping the packet |
| CSCto13647 | In GUI, view log > zero bytes data goes to download state |


Related Documentation

For a complete list of Prime Access Registrar 6.1 documentation, see the Cisco Prime Access Registrar 6.1 Documentation Overview.


Note: We sometimes update the documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.

Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and have content delivered directly to your desktop using a reader application. The RSS feeds are a free service.