RADIUS Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)
RADIUS Server Reorder on Failure
Downloads: This chapterpdf (PDF - 139.0KB) The complete bookPDF (PDF - 867.0KB) | Feedback

RADIUS Server Reorder on Failure

RADIUS Server Reorder on Failure

Last Updated: September 30, 2012

The RADIUS Server Reorder on Failure feature provides for failover to another server in the server group during periods of high load or when server failure occurs. Subsequent to the failure, all RADIUS traffic is directed to the new server. Traffic is switched from the new server to another server in the server group only if the new server also fails. Traffic is not automatically switched back to the first server.

By spreading the RADIUS transactions across multiple servers, authentication and accounting requests are serviced more quickly.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for RADIUS Server Reorder on Failure

  • Before you can configure your RADIUS server to perform reorder on failure, you must enable authentication, authorization, and accounting (AAA) by using the aaa new-modelcommand.
  • You must also have RADIUS configured, for functions such as authentication, accounting, or static route download.

Restrictions for RADIUS Server Reorder on Failure

  • An additional 4 bytes of memory is required per server group. However, because most server configurations have only a small number of server groups configured, the additional 4 bytes should have a minimal impact on performance.
  • Some RADIUS features within the Cisco IOS software set may not be capable of using this feature. If a RADIUS feature cannot use the RADIUS Server Reorder on Failure feature, your server behaves as though the reorder feature is not configured.

Information About RADIUS Server Reorder on Failure

RADIUS Server Failure

If the RADIUS Server Reorder on Failure feature is not configured and server failure occurs:

  1. A new RADIUS transaction has to be performed.
  2. A RADIUS packet for the transaction is sent to the first server in the group that is not marked dead (as per the configured deadtime) and is retransmitted for the configured number of retransmissions.
  3. If all of those retransmits time out (as per the configured timeout), the router transmits the packet to the next nondead server in the list for the configured number of retransmissions.
  4. Step 3 is repeated until the specified maximum number of transmissions per transaction have been made. If the end of the list is reached before the maximum number of transmissions has been reached, the router goes back to the beginning of the list and continue from there.

If at any time during this process, a server meets the dead-server detection criteria (not configurable; it varies depending on the version of Cisco IOS software being used), the server is marked as dead for the configured deadtime.

How the RADIUS Server Reorder on Failure Feature Works

If you have configured the RADIUS Server Reorder on Failure feature, the decision about which RADIUS server to use as the initial server is as follows:

  • The network access server (NAS) maintains the status of "flagged" server, which is the first server to which a transmission is sent.
  • After the transmission is sent to the flagged server, the transmission is sent to the flagged server again for the configured number of retransmissions.
  • The NAS then sequentially sends the transmission through the list of nondead servers in the server group, starting with the one listed after the flagged server, until the configured transaction maximum tries is reached or until a response is received.
  • At boot time, the flagged server is the first server in the server group list as was established using the radius-server host command.
  • If the flagged server is marked as dead (even if the dead time is zero), the first nondead server listed after the flagged server becomes the flagged server.
  • If the flagged server is the last server in the list, and it is marked as dead, the flagged server becomes the first server in the list that is not marked as dead.
  • If all servers are marked as dead, the transaction fails, and no change is made to the flagged server.
  • If the flagged server is marked as dead, and the dead timer expires, nothing happens.

Note


Some types of transmissions (for example, Challenge Handshake Authentication Protocol [CHAP], Microsoft CHAP [MS-CHAP], and Extensible Authentication Protocol [EAP]) require multiple roundtrips to a single server. For these special transactions, the entire sequence of roundtrips to the server are treated as though they were one transmission.

When RADIUS Servers Are Dead

A server can be marked as dead if the criteria in 1 and 2 are met:

  1. The server has not responded to at least the configured number of retransmissions as specified by the radius-server transaction max-tries command.
  2. The server has not responded to any request for at least the configured timeout. The server is marked dead only if both criteria (this and the one listed above) are met. The marking of a server as dead, even if the dead time is zero, is significant for the RADIUS server retry method reorder system.

How to Configure RADIUS Server Reorder on Failure

Configuring a RADIUS Server to Reorder on Failure

Perform this task to configure a server in a server group to direct traffic to another server in the server group when the first server fails.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    aaa new-model

4.    radius-server retry method reorder

5.    radius-server retransmit {retries}

6.    radius-server transaction max-tries { number }

7.    radius-server host { hostname | ip-address } [ key string ]

8.    radius-server host { hostname | ip-address } [ key string ]


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
aaa new-model


Example:

Router (config)# aaa new-model

 

Enables the AAA access control model.

 
Step 4
radius-server retry method reorder


Example:



Example:

Router (config)# radius-server retry method reorder

 

Specifies the reordering of RADIUS traffic retries among a server group.

 
Step 5
radius-server retransmit {retries}


Example:

Router (config)# radius-server retransmit 1

 

Specifies the number of times the Cisco IOS XE software searches the list of RADIUS server hosts before giving up.

The retries argument is the maximum number of retransmission attempts. The default is 3 attempts.

 
Step 6
radius-server transaction max-tries { number }


Example:

Router (config)# radius-server transaction max-tries 3

 

Specifies the maximum number of transmissions per transaction that may be retried on a RADIUS server.

The number argument is the total number of transmissions per transaction. If this command is not configured, the default is eight transmissions.

Note    This command is global across all RADIUS servers for a given transaction.
 
Step 7
radius-server host { hostname | ip-address } [ key string ]


Example:

Router (config)# radius-server host 10.2.3.4 key radi23

 

Specifies a RADIUS server host.

Note    You can also configure a global key for all RADIUS servers that do not have a per-server key configured by issuing the radius-server key command.
 
Step 8
radius-server host { hostname | ip-address } [ key string ]


Example:

Router (config)# radius-server host 10.5.6.7 key rad234

 

Specifies a RADIUS server host.

Note    At least two servers must be configured.
 

Monitoring RADIUS Server Reorder on Failure

To monitor the server-reorder-on-failure process on your router, use the following commands:

SUMMARY STEPS

1.    enable

2.    debug aaa sg-server selection

3.    debug radius


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
debug aaa sg-server selection


Example:

Router# debug aaa sg-server selection

 

Displays information about why the RADIUS and TACAC+ server group system in the router is choosing a particular server.

 
Step 3
debug radius


Example:

Router# debug radius

 

Displays information about why the router is choosing a particular RADIUS server.

 

Example

The following two debug outputs display the behavior of the RADIUS Server Reorder on Failure feature:

In the following sample output, the RADIUS Server Reorder on Failure feature is configured. The server retransmits are set to 0 (so each server is tried just one time before failover to the next configured server), and the transmissions per transaction are set to 4 (the transmissions stop on the third failover). The third server in the server group (10.107.164.118) has accepted the transaction on the third transmission (second failover).

00:38:35: %SYS-5-CONFIG-I: Configured from console by console 
00:38:53: RADIUS/ENCODE(OOOOOOOF) : ask "Username: " 
00:38:53: RADIUS/ENCODE (0000000F) : send packet; GET-USER 
00:38:58: RADIUS/ENCODE (0000000F) : ask "Password: " 
00:38:58: RADIUS/ENCODE(0000000F) : send packet; GET-PASSWORD 
00:38:59: RADIUS: AAA Unsupported [152] 4 
00:38:59: RADIUS: 7474 [tt] 
00:38:59: RADIUS (0000000F) : Storing nasport 2 in rad-db 
00:38:59: RADIUS/ENCODE(0000000F) : dropping service type, "radius-server attribute 6 on-for-login-auth" is off 
00:38:59: RADIUS (0000000F) : Config NAS IP: 0.0.0.0 
00:38:59: RADIUS/ENCODE (0000000F) : acct-session-id: 15 
00:38:59: RADIUS (0000000F) : sending 
00:38:59: RADIUS/ENCODE: Best Local IP-Address 10.0.1.130 for Radius-Server 192.1.1.1 
00:38:59: RAPIUS(0000000F) : Send Access-Request to 10.10.10.10:1645 id 21645/11, len 78 
00:38:59: RADIUS:: authenticator 4481 E6 65 2D 5F 6F OA -lE F5 81 8F 4E 1478 9C 
00:38:59: RADIUS: User-Name [1] 7 "username1" 
00:38:59: RADIUS: User-Password [2] 18 * 
00:38:59: RADIUS: NAS-Port fSl 6 2 
00:~8:59: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
00:38:59: RADIUS: Calling-Station-Id [31] 15 "10.19.192.23"
00:39:00: RADIUS: NAS-IP-Address [4] 6 10.0.1.130 
00:39:02: RADIUS: Fail-over to (10.2.2.2:1645,1646) for id 21645/11 
00:39:02: RADIUS/ENCODE: Best Local IP-Address 10.0.1.130 for Radius-Server 192.2.2.2 00:39:04: RADIUS: Fail-over to (10.107.164.118:1645,1646) for id 21645/11 
00:39:04: RADIUS/ENCODE: Best Local IP-Address 10.0.1.130 for Radius-Server 128.107.164.118
00:39:05: RADIUS: Received from id 21645/11 10.107.164.118:1645, Access-Accept, len 26 00:39:05: RADIUS: authenticator 5609 56 F9 64 4E DF 19- F3 A2 DD 73 EE 3F 9826
00:39:05: RADIUS: Service-Type [6] 6 Login [1]

In the following sample output, the RADIUS Server Reorder on Failure feature is configured. The server retransmits are set to 0, and the transmissions per transaction are set to 8. In this transaction, the transmission to server 10.10.10.0 has failed on the eighth transmission.

00:42:30: RADIUS(00000011): Received from id 21645/13 
00:43:34: RADIUS/ENCODE(00000012) : ask "Username: " 
00:43:34: RADIUS/ENCODE(00000012) : send packet; GET-USER
00:43:39: RADIUS/ENCODE(00000012) : ask "Password: " 
00:43:39: RADIUS/ENCODE(00000012) : send packet; GET-PASSWORD
00:43:40: RADIUS: AAA Unsupported [152] 4 
00:43:40: RADIUS: 7474 [tt]
00:43:40: RADIUS(00000012) : Storing nasport 2 in rad-db 
00:43:40: RADIUS/ENCODE(00000012): dropping service type, "radius-server attribute 6 on-for-login-auth" is off 
00:43:40: RADIUS(00000012) : Co~fig NAS IP: 0.0.0.0 
00:43:40: RADIUS/ENCODE(00000012) : acct-session-id: 18
00:43:40: RADIUS(00000012) : sending
00:43:40: RADIUS/ENCODE: Best Local IP-Address 10.0.1.130 for Radius-Server 10.107.164.118 00:43:40: RADIUS(00000012) : Send Access-Request to 10.107.164.118:1645 id 21645/14, len 78 00:43:40: RADIUS: authenticator B8 OA 51 3A AF A6 0018 -B3 2E 94 5E 07 OB 2A IF 00:43:40: RADIUS: User-Name [1] 7 "username1" 00:43:40: RADIUS: User-Password [2] 18 * 00:43:40: RADIUS: NAS-Port [5] 6 2 
00:43:40: RADIUS: NAS-Port-Type [61] 6 Virtual [5] 00:43:40: RADIUS: Calling-Station-]d [31] 15 "172.19.192.23" 00:43:40: RADIUS: NAS-IP-Address [4] 6 10.0.1.130 
00:43:42: RADIUS: Fail-over to (10.10.10.10:1645,1646) for id 21645/14 
00:43:42: RADIUS/ENCODE: Best Local IP-Address 10.0.1.130 for Radius-Server 10.1.1.1 00:43:44: RADius: Fail-over to (10.2.2.2:1645,1646) for id 21645/14 
00:43:44: RADIUS/ENCODE: Best Local IP-Address 10.0.1.130 for Radius-Server 10.2.2.2 00:43:46: RADIUS: Fail-over to (10.107.164.118:1645,1646) for id 21645/14 
00:43:46: RADIUS/ENCODE: Best Local IP-Address 10.0.1.130 for Radius-Server 10.107.164.118 00:43:48: RADIUS: Fail-over to (10.10.10.10:1645,1646) for id 21645/14 
00:43:48: RADIUS/ENCODE: Best Local IP-Address 10.0.1.130 for Radius-Server 10.1.1.1 00:43:50: RADIUS: Fail-over to (10.2.2.2:1645,1646) for id 21645/14 
00:43:50: RADIUS/ENCODE: Best Local IP-Address 10.0.1.130 for Radius-Server 10.2.2.2 00:43:52: RADIUS: Fail-over to (10.107.164.118:1645,1646) for id 21645/14 
00:43:52: RADIUS/ENCODE: Best Local IP-Address 10.0.1.130 for Radius-Server 10.107.164.118 00:43:54: RADIUS: Fail-over to (10.10.10.10:1645,1646) for id 21645/14 
00:43:54: RADIUS/ENCODE: Best Local IP-Address 10.0.1.130 for Radius-Server 10.1.1.1 00:43:56: RADIUS: No response from (10.10.10.10:1645,1646) for id 21645/14 00:43:56: RADIUS/DECODE: parse response no app start; FAIL 00:43:56: RADIUS/DECODE: parse response; FAIL 

Configuration Examples for RADIUS Server Reorder on Failure

Configuring a RADIUS Server to Reorder on Failure Example

The following configuration example shows that a RADIUS server is configured to reorder on failure. The maximum number of transmissions per transaction that may be retried on the RADIUS server is six.

aaa new-model
radius-server retry method reorder
radius-server retransmit 0
radius-server transaction max-tries 6
radius-server host 10.2.3.4 key rad123
radius-server host 10.5.6.7 key rad123

Determining Transmission Order When RADIUS Servers Are Dead

If at boot time you have configured the following:

Router(config)# aaa new-model
Router(config)# radius-server retry method reorder
Router(config)# radius-server retransmit 0
Router(config)# radius-server transaction max-tries 6
Router(config)# radius-server host 10.2.3.4
Router(config)# radius-server host 10.5.6.7

and both servers are down, but not yet marked dead, for the first transaction you would see the transmissions as follows:

10.2.3.4
10.5.6.7
10.2.3.4
10.5.6.7
10.2.3.4
10.5.6.7

If you configure the reorder as follows:

Router(config)# aaa new-model
Router(config)# radius-server retry method reorder
Router(config)# radius-server retransmit 1
Router(config)# radius-server transaction max-tries 3
Router(config)# radius-server host 10.2.3.4
Router(config)# radius-server host 10.4.5.6

and both RADIUS servers are not responding to RADIUS packets but are not yet marked dead (as after the NAS boots), the transmissions for the first transaction are as follows:

10.2.3.4
10.2.3.4
10.4.5.6

Subsequent transactions may be transmitted according to a different pattern. The transmissions depend on whether the criteria for marking one (or both) servers as dead have been met, and as per the server flagging pattern already described.

If you configure the reorder as follows:

Router(config)# aaa new-model
Router(config)# radius-server retry method reorder
Router(config)# radius-server retransmit 1
Router(config)# radius-server max-tries-per-transaction 8
Router(config)# radius-server host 10.1.1.1
Router(config)# radius-server host 10.2.2.2
Router(config)# radius-server host 10.3.3.3
Router(config)# radius-server timeout 3

And the RADIUS server 10.1.1.1 is not responding to RADIUS packets but is not yet marked as dead, and the remaining two RADIUS servers are live, you see the following:

For the first transaction:

10.1.1.1
10.1.1.1
10.2.2.2

For any additional transaction initiated for any transmissions before the server is marked as dead:

10.1.1.1
10.1.1.1
10.2.2.2

For transactions initiated thereafter:

10.2.2.2

If servers 10.2.2.2 and 10.3.3.3 then go down as well, you see the following transmissions until servers 10.2.2.2 and 10.3.3.3 meet the criteria for being marked as dead:

10.2.2.2
10.2.2.2
10.3.3.3
10.3.3.3
10.1.1.1
10.1.1.1
10.2.2.2
10.2.2.2

The above is followed by the failure of the transmission and by the next method in the method list being used (if any).

If servers 10.2.2.2 and 10.3.3.3 go down but server 10.1.1.1 comes up at the same time, you see the following:

10.2.2.2
10.2.2.2
10.3.3.3
10.3.3.3
10.1.1.1

When servers 10.2.2.2 and 10.3.3.3 are then marked as dead, you see the following:

10.1.1.1

Additional References

Related Documents

Related Topic

Document Title

RADIUS

"Configuring RADIUS" in the Cisco IOS XE Security Configuration Guide: Securing User Services , Release 2

AAA and RADIUS commands

Cisco IOS Security Command Reference

Enabling AAA

Authentication, Authorization, and Accounting (AAA) section of the Cisco IOS XE Security Configuration Guide: Securing User Services , Release 2.

Security commands

Cisco IOS Security Command Reference

Standards

Standards

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

--

MIBs

MIB

MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFCs

Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

--

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Feature Information for RADIUS Server Reorder on Failure

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for RADIUS Server Reorder on Failure

Feature Name

Releases

Feature Information

RADIUS Server Reorder on Failure

Cisco IOS XE Release 2.1

The RADIUS Server Reorder on Failure feature provides for failover to another server in the server group during periods of high load or when server failure occurs.

In Cisco IOS XE Release 2.1, this feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers.

The following commands were introduced or modified by this feature: debug aaa sg-server selection, radius-server retry method reorder, radius-server transaction max-tries.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.