RADIUS Configuration Guide Cisco IOS XE Release 3S
RADIUS Separate Retransmit Counter for Accounting
Downloads: This chapterpdf (PDF - 1.27MB) The complete bookPDF (PDF - 3.43MB) | The complete bookePub (ePub - 458.0KB) | Feedback

Contents

RADIUS Separate Retransmit Counter for Accounting

The RADIUS: Separate Retransmit Counter for Accounting feature allows users to configure an exponential backoff retransmit. That is, after the normally configured retransmission retries have been used, the router will keep on trying with an interval that doubles on each retransmission failure until a configured maximum interval is reached. This functionality allows users to retransmit accounting requests for many hours without overloading the RADIUS server when it does come back up.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Restrictions for RADIUS Separate Retransmit Counter for Accounting

The following tasks will result in excessive memory consumption on the router:

  • Configuring this feature on a router with a high call rate.
  • Configuring the aaa accounting send stop-record authentication failure command: an accounting record and a RADIUS packet will be generated for each user that fails to authenticate while the RADIUS server is down.
  • Configuring interim accounting: new accounting records are generated and stored on the router.

Information About RADIUS Separate Retransmit Counter for Accounting

How Retransmission of Accounting Requests Works

In many environments, a single RADIUS server is used for authentication and accounting. Whenever this server is down for approximately 24 hours, the accounting records of users already on the router are lost after authentication, authorization, and accounting (AAA) does all the retransmissions. Before the introduction of this feature, the retransmissions could be configured for a maximum of 100 retries and the timeout could be configured for 1,000 seconds. Although these configurations keep the accounting records on the router for 24 hours, a timeout of 1,000 seconds is unreasonable, causing problems when the RADIUS server cannot be reached due to network congestion.

The RADIUS: Separate Retransmit Counter for Accounting feature allows users to configure an exponential backoff retransmit. That is, after the normally configured retransmission retries have been used, the router will keep on trying with an interval that doubles on each retransmission failure until a configured maximum interval is reached. This functionality allows users to retransmit accounting requests for many hours without overloading the RADIUS server when it does come back up.

This feature can be configured globally (via the radius-server backoff exponential command), per server (via the radius-server host command), or per group (via the backoff exponential command).

Benefits

With this feature, users can extend the time in which the RADIUS client (the router) sends accounting requests to the RADIUS server in the event that the RADIUS server or the connection to the server is down and there is no accounting response confirmation. This functionality enables accounting records to remain on the router for up to 24 hours.

How to Configure RADIUS Separate Retransmit Counter for Accounting

Configuring a Retransmit Counter for Accounting Globally or per RADIUS Host

To configure exponential backoffs of RADIUS retransmits over an extended period of time on a global basis and per RADIUS host, perform the following steps:

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    Router(config)# radius-server backoff exponential [max-delay minutes] [backoff-retry retransmits

    4.    Router(config)# radius-server host {hostname | ip-address} [test username user-name] [auth-port port-number] [ignore-auth-port] [acct-port port-number] [ignore-acct-port] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] [idle-time seconds] [backoff exponential {backoff-retry number-of-retransmits | key encryption-key | max-delay minutes}]


DETAILED STEPS
      Command or Action Purpose
    Step 1 enable


    Example:
    Router> enable
     

    Enters privileged EXEC mode.

    Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 Router(config)# radius-server backoff exponential [max-delay minutes] [backoff-retry retransmits

    Example:
    Router (config)# radius-server backoff exponential max-delay 60 backoff-retry 32
     

    Configures the router for exponential backoff retransmit of accounting requests.

     
    Step 4 Router(config)# radius-server host {hostname | ip-address} [test username user-name] [auth-port port-number] [ignore-auth-port] [acct-port port-number] [ignore-acct-port] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] [idle-time seconds] [backoff exponential {backoff-retry number-of-retransmits | key encryption-key | max-delay minutes}]

    Example:
    Router (config)# radius-server host 192.0.2.1 test username test1 auth-port 1645 acct-port 1646
     

    Specifies a RADIUS server host and configures that RADIUS server host for exponential backoff retransmit of accounting requests.

     

    Configuring a Retransmit Counter for Accounting per RADIUS Server Group

    To configure exponential backoffs of RADIUS retransmits over an extended period of time per RADIUS server group, perform the following steps:

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    Router(config)# aaa group server radius group-name

      4.    Router(config -sg-radius)# backoff exponential max-delay minutes] [backoff-retry retransmits


    DETAILED STEPS
        Command or Action Purpose
      Step 1 enable


      Example:
      Router> enable
       

      Enters privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Router (config)# configure terminal
       

      Enters global configuration mode.

       
      Step 3 Router(config)# aaa group server radius group-name 

      Groups different RADIUS server hosts into distinct lists and distinct methods and enters server-group RADIUS configuration mode.

       
      Step 4 Router(config -sg-radius)# backoff exponential max-delay minutes] [backoff-retry retransmits 

      Configures the router for exponential backoff retransmit of accounting requests per RADIUS server group.

       

      Verifying Retransmit Configurations

      To verify feature functionality, use any of the following EXEC commands:

      SUMMARY STEPS

        1.    enable

        2.    debug radius

        3.    show accounting

        4.    show radius statistics


      DETAILED STEPS
          Command or Action Purpose
        Step 1 enable


        Example:
        Router> enable
         

        Enters privileged EXEC mode.

        • Enter your password if prompted.
         
        Step 2 debug radius


        Example:
        Router# debug radius
         

        Displays information associated with RADIUS.

         
        Step 3 show accounting


        Example:
        Router# show accounting
         

        Displays all active sessions and prints all the accounting records for actively accounted functions.

         
        Step 4 show radius statistics


        Example:
        Router# show radius statistics
         

        Displays the RADIUS statistics for accounting packets.

         

        Configuration Examples for RADIUS Separate Retransmit Counter for Accounting

        This section provides the following configuration examples:

        Retransmit Counter for Accounting Comprehensive Configuration Example

        The following example shows how to configure your router for exponential backoff retransmit of accounting requests. In this example, an exponential backoff is configured globally (via the radius-server backoff exponential command) and for the RADIUS server host “172.107.164.206” (via the radius-server host command).

        aaa new-model
        aaa authentication login default group radius
        aaa authentication ppp default group radius
        aaa authorization exec default group radius 
        aaa authorization network default group radius 
        aaa accounting send stop-record authentication failure 
        aaa accounting update periodic 1
        aaa accounting network default start-stop group radius
        !
        radius-server host 172.107.164.206 auth-port 1645 acct-port 1646 backoff exponential max-delay 60 backoff-retry 32 
        radius-server backoff exponential max-delay 60 backoff-retry 32 
        radius-server retransmit 3
        radius-server key rad123
        end

        Per-Server Configuration Example

        The following example shows how to enable exponential backoff retransmits on a per-server basis. In this example, assume that the retransmit is configured for 3 retries and the timeout is configured for 5 seconds; that is, the RADIUS request will be transmitted 3 times with a delay of 5 seconds. Thereafter, the router will continue to retransmit RADIUS requests with a delayed interval that doubles each time until 32 retries have been achieved. The router will stop doubling the retransmit intervals after the interval surpasses the configured 60 minutes; it will transmit every 60 minutes.

        radius-server host foo.xyz.com backoff exponential max-delay 60 backoff-retry 32
        

        After enabling this command, the retransmits will be sent as follows (“t” equals seconds):

        t = 0 req sent 
        t = 5 retrans 1 
        t = 10 retrans 2 
        t = 15 retrans 3 
        t = 25 retrans 4 
        t = 45 retrans 5 
        t = 85 retrans 6 
        t = 165 retrans 7 
        t = 325 retrans 8 
        t = 645 retrans 9 
        t = 1285 retrans 10 
        t= 2565 retrans 11 
        t = 5125 retrans 12 
        t = 8725 retrans 13 (The interval has stabilized to 60 minutes here). 
        t = 12325 retrans 14 till retransmit 35 
        

        After all the retransmits are sent, the RADIUS request follows the same path that it would when all the normal retransmits are done.

        Additional References

        The following sections provide references related to the RADIUS: Separate Retransmit Counter for Accounting.

        Related Documents

        Related Topic

        Document Title

        RADIUS and AAA accounting configuration tasks and commands

        • The chapters “Configuring RADIUS” and “Configuring Accounting” in th e Cisco IOS XE Security Configuration Guide: Configuring User Services , Release 2
        • Cisco IOS Security Command Reference

        Standards

        Standard

        Title

        No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

        --

        MIBs

        MIB

        MIBs Link

        No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

        To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

        http:/​/​www.cisco.com/​go/​mibs

        RFCs

        RFC

        Title

        No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

        --

        Technical Assistance

        Description

        Link

        The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

        To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

        Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

        http:/​/​www.cisco.com/​techsupport

        Feature Information for RADIUS Separate Retransmit Counter for Accounting

        The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

        Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

        Table 1 Feature Information for RADIUS: Separate Retransmit Counter for Accounting

        Feature Name

        Releases

        Feature Information

        RADIUS: Separate Retransmit Counter for Accounting

        Cisco IOS XE Release 2.1

        The RADIUS: Separate Retransmit Counter for Accounting feature allows users to configure an exponential backoff retransmit. That is, after the normally configured retransmission retries have been used, the router will keep on trying with an interval that doubles on each retransmission failure until a configured maximum interval is reached. This functionality allows users to retransmit accounting requests for many hours without overloading the RADIUS server when it does come back up.

        In Cisco IOS XE Release 2.1, this feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers.

        The following commands were introduced or modified: backoff exponential, radius-server host, radius-server backoff exponential.