Cisco IOS Software Releases 12.2 Special and Early Deployments

RADIUS: Separate Retransmit Counter for Accounting


Table Of Contents

RADIUS: Separate Retransmit Counter for Accounting

Feature Overview

Benefits

Restrictions

Related Documents

Supported Platforms

Supported Standards, MIBs, and RFCs

Configuration Tasks

Configuring a Retransmit Counter for Accounting Globally or per RADIUS Host

Configuring a Retransmit Counter for Accounting per RADIUS Server Group

Verifying Retransmit Configurations

Configuration Examples

Retransmit Counter for Accounting Comprehensive Configuration Example

Per-Server Configuration Example

Command Reference

backoff exponential

radius-server backoff exponential

radius-server host


RADIUS: Separate Retransmit Counter for Accounting


Feature History

Release      Modification
12.2(15)B    This feature was introduced on the Cisco 6400-NRP-1, Cisco 7200 series, and the Cisco 7400 series.


This document describes the RADIUS: Separate Retransmit Counter for Accounting feature in Cisco IOS Release 12.2(15)B. It includes the following sections:

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Configuration Tasks

Configuration Examples

Command Reference

Feature Overview

In many environments, a single RADIUS server is used for authentication and accounting. Whenever this server is down for approximately 24 hours, the accounting records of users already on the router are lost after authentication, authorization, and accounting (AAA) does all the retransmissions. Before the introduction of this feature, the retransmissions could be configured for a maximum of 100 retries and the timeout could be configured for 1,000 seconds. Although these configurations keep the accounting records on the router for 24 hours, a timeout of 1,000 seconds is unreasonable, causing problems when the RADIUS server cannot be reached due to network congestion.

The RADIUS: Separate Retransmit Counter for Accounting feature allows users to configure an exponential backoff retransmit. That is, after the normally configured retransmission retries have been used, the router will keep on trying with an interval that doubles on each retransmission failure until a configured maximum interval is reached. This functionality allows users to retransmit accounting requests for many hours without overloading the RADIUS server when it does come back up.

This feature can be configured globally (via the radius-server backoff exponential command), per server (via the radius-server host command), or per group (via the backoff exponential command).

Benefits

With this feature, users can extend the time in which the RADIUS client (the router) sends accounting requests to the RADIUS server in the event that the RADIUS server or the connection to the server is down and there is no accounting response confirmation. This functionality enables accounting records to remain on the router for up to 24 hours.

Restrictions

The following tasks will result in excessive memory consumption on the router:

Configuring this feature on a router with a high call rate.

Configuring the aaa accounting send stop-record authentication failure command: an accounting record and a RADIUS packet will be generated for each user that fails to authenticate while the RADIUS server is down.

Configuring interim accounting: new accounting records are generated and stored on the router.

Related Documents

For information on additional RADIUS and AAA accounting configuration tasks and commands, refer to the following documents:

The chapters "Configuring RADIUS" and "Configuring Accounting" in the Cisco IOS Security Configuration Guide, Release 12.2

The chapters "RADIUS Commands" and "Accounting Commands" in the Cisco IOS Security Command Reference, Release 12.2

Supported Platforms

Cisco 6400-NRP-1

Cisco 7200 series

Cisco 7400 series

Availability of Cisco IOS Software Images

Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.

Supported Standards, MIBs, and RFCs

Standards

None

MIBs

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

RFCs

None

Configuration Tasks

See the following sections for configuration tasks for the RADIUS: Separate Retransmit Counter for Accounting feature. Each task in the list is identified as either required or optional.

Configuring a Retransmit Counter for Accounting Globally or per RADIUS Host (required)

Configuring a Retransmit Counter for Accounting per RADIUS Server Group (required)

Verifying Retransmit Configurations (optional)

Configuring a Retransmit Counter for Accounting Globally or per RADIUS Host

To configure exponential backoffs of RADIUS retransmits over an extended period of time on a global basis and per RADIUS host, use the following commands in global configuration mode:

Router(config)# radius-server backoff exponential [max-delay minutes] [backoff-retry retransmits]
    Purpose: Configures the router for exponential backoff retransmit of accounting requests.

Router(config)# radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] [backoff exponential max-delay minutes] [backoff-retry retransmits]
    Purpose: Specifies a RADIUS server host and configures that RADIUS server host for exponential backoff retransmit of accounting requests.


Configuring a Retransmit Counter for Accounting per RADIUS Server Group

To configure exponential backoffs of RADIUS retransmits over an extended period of time per RADIUS server group, use the following commands beginning in global configuration mode:

Step 1  Router(config)# aaa group server radius group-name
    Purpose: Groups different RADIUS server hosts into distinct lists and distinct methods and enters server-group RADIUS configuration mode.

Step 2  Router(config-sg-radius)# backoff exponential [max-delay minutes] [backoff-retry retransmits]
    Purpose: Configures the router for exponential backoff retransmit of accounting requests per RADIUS server group.

Verifying Retransmit Configurations

To verify feature functionality, use any of the following EXEC commands:

Router# debug radius
    Purpose: Displays information associated with RADIUS.

Router# show accounting
    Purpose: Displays all active sessions and prints all the accounting records for actively accounted functions.

Router# show radius statistics
    Purpose: Displays the RADIUS statistics for accounting packets.


Configuration Examples

This section provides the following configuration examples:

Retransmit Counter for Accounting Comprehensive Configuration Example

Per-Server Configuration Example

Retransmit Counter for Accounting Comprehensive Configuration Example

The following example shows how to configure your router for exponential backoff retransmit of accounting requests. In this example, an exponential backoff is configured globally (via the radius-server backoff exponential command) and for the RADIUS server host "128.107.164.206" (via the radius-server host command).

aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
aaa authorization exec default group radius 
aaa authorization network default group radius 
aaa accounting send stop-record authentication failure 
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
!
interface BRI1/0
 ip address 60.0.0.2 255.0.0.0
 encapsulation ppp
 no ip mroute-cache
 dialer idle-timeout 0
 dialer-group 1
 isdn switch-type basic-5ess
!
radius-server host 128.107.164.206 auth-port 1645 acct-port 1646 backoff exponential max-delay 60 backoff-retry 32
radius-server backoff exponential max-delay 60 backoff-retry 32
radius-server retransmit 3
radius-server key rad123

end

Per-Server Configuration Example

The following example shows how to enable exponential backoff retransmits on a per-server basis. In this example, assume that the retransmit is configured for 3 retries and the timeout is configured for 5 seconds; that is, the RADIUS request will be transmitted 3 times with a delay of 5 seconds. Thereafter, the router will continue to retransmit RADIUS requests with a delayed interval that doubles each time until 32 retries have been achieved. The router will stop doubling the retransmit intervals after the interval surpasses the configured 60 minutes; it will transmit every 60 minutes.

radius-server host foo.xyz.com backoff exponential max-delay 60 backoff-retry 32

After enabling this command, the retransmits will be sent as follows ("t" equals seconds):

t = 0 req sent
t = 5 retrans 1
t = 10 retrans 2
t = 15 retrans 3
t = 25 retrans 4
t = 45 retrans 5
t = 85 retrans 6
t = 165 retrans 7
t = 325 retrans 8
t = 645 retrans 9
t = 1285 retrans 10
t = 2565 retrans 11
t = 5125 retrans 12
t = 8725 retrans 13 (The interval has stabilized to 60 minutes here.)
t = 12325 retrans 14 till retransmit 35

After all the retransmits are sent, the RADIUS request follows the same path that it would when all the normal retransmits are done.
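To make the schedule concrete, the following Python model (added here as an illustration; it is not Cisco code and the class and function names are my own) computes the retransmission times from the timeout, retransmit, max-delay and backoff-retry settings. It reproduces the timeline above and also shows that the 3 + 32 retransmissions with a 60-minute cap keep a record queued for a little over 24 hours; backoff_retry=0 is a modelling convention for the feature being disabled.

```python
"""Model of the RADIUS accounting retransmit schedule described above.

Constructed illustration, not Cisco code. Interval semantics follow the
document: normal retries at a fixed timeout, then exponential retries whose
interval doubles until it would exceed max-delay, after which it stays there.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class RadiusRetransmitConfig:
    timeout_s: int = 5        # radius-server timeout (seconds)
    retransmit: int = 3       # radius-server retransmit (normal retries)
    max_delay_min: int = 60   # backoff exponential max-delay (minutes)
    backoff_retry: int = 32   # backoff-retry retransmits (0 = feature off)


def retransmit_schedule(cfg: RadiusRetransmitConfig) -> List[int]:
    """Send times, in seconds, of the original request and every retransmit."""
    if cfg.backoff_retry and not (1 <= cfg.max_delay_min <= 120
                                  and 1 <= cfg.backoff_retry <= 50):
        raise ValueError("max-delay is 1-120 minutes, backoff-retry is 1-50")
    max_delay_s = cfg.max_delay_min * 60
    times = [0]
    t = 0
    # Normal retransmissions: fixed interval of `timeout_s`.
    for _ in range(cfg.retransmit):
        t += cfg.timeout_s
        times.append(t)
    # Exponential backoff: interval doubles, capped at max-delay.
    interval = cfg.timeout_s
    for _ in range(cfg.backoff_retry):
        interval = min(interval * 2, max_delay_s)
        t += interval
        times.append(t)
    return times


def first_capped_retry(cfg: RadiusRetransmitConfig) -> int:
    """Retransmit number at which the interval first equals max-delay (0 if never)."""
    times = retransmit_schedule(cfg)
    max_delay_s = cfg.max_delay_min * 60
    for n in range(1, len(times)):
        if times[n] - times[n - 1] == max_delay_s:
            return n
    return 0


def coverage_hours(cfg: RadiusRetransmitConfig) -> float:
    """How long (hours) a record stays queued before the last retransmit."""
    return retransmit_schedule(cfg)[-1] / 3600.0


if __name__ == "__main__":
    cfg = RadiusRetransmitConfig()
    for n, t in enumerate(retransmit_schedule(cfg)):
        print(f"t = {t:>6} {'req sent' if n == 0 else f'retrans {n}'}")
    print(f"interval reaches max-delay at retrans {first_capped_retry(cfg)}")
    print(f"records kept for {coverage_hours(cfg):.1f} hours")
    # Pre-feature workaround from the overview: retransmit 100, timeout 1000.
    legacy = RadiusRetransmitConfig(timeout_s=1000, retransmit=100, backoff_retry=0)
    print(f"legacy workaround covers {coverage_hours(legacy):.1f} hours")
```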

Command Reference

This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.

backoff exponential

radius-server backoff exponential

radius-server host

backoff exponential

To configure the router for exponential backoff retransmit of accounting requests per RADIUS server group, enter the backoff exponential command in server-group RADIUS configuration mode. To disable this functionality, use the no form of this command.

backoff exponential [max-delay minutes] [backoff-retry retransmits]

no backoff exponential [max-delay minutes] [backoff-retry retransmits]

Syntax Description

max-delay minutes

(Optional) Maximum interval, in minutes, between retransmissions in exponential backoff mode; once the doubling interval reaches this value, subsequent retransmissions are sent at this fixed interval. Valid range for the minutes argument is 1 to 120; if minutes is not specified, the default value (60 minutes) will be used.

backoff-retry retransmits

(Optional) Number of retransmissions done in exponential backoff mode in addition to the normal retransmissions configured with the radius-server retransmit command (retransmissions sent at the max-delay interval count toward this number). Valid range for the retransmits argument is 1 to 50; if retransmits is not specified, the default value (5 retransmits) will be used.


Defaults

This command is not enabled.

Command Modes

Server-group RADIUS configuration

Command History

Release      Modification
12.2(15)B    This command was introduced.


Usage Guidelines

Before enabling this command, you must configure the aaa group server radius command, which allows you to specify a server group and enter server-group RADIUS configuration mode.

The backoff exponential command allows you to configure an exponential backoff retransmission per RADIUS server group. That is, after the normally configured retransmission retries have been used, the router will keep on trying with an interval that doubles on each retransmit failure until a configured maximum interval is reached. This functionality allows you to retransmit accounting requests for many hours without overloading the RADIUS server when it does come back up.

Examples

The following example shows how to configure an exponential backoff retransmission:

aaa group server radius cat
 backoff exponential max-delay 90 backoff-retry 10

Related Commands

Command
Description

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

radius-server backoff exponential

Configures the router for exponential backoff retransmit of accounting requests.


radius-server backoff exponential

To configure the router for exponential backoff retransmit of accounting requests, use the radius-server backoff exponential command in global configuration mode. To disable this functionality, use the no form of this command.

radius-server backoff exponential [max-delay minutes] [backoff-retry retransmits]

no radius-server backoff exponential [max-delay minutes] [backoff-retry retransmits]

Syntax Description

max-delay minutes

(Optional) Maximum interval, in minutes, between retransmissions in exponential backoff mode; once the doubling interval reaches this value, subsequent retransmissions are sent at this fixed interval. Valid range for the minutes argument is 1 to 120; if this option is not specified, the default value (60 minutes) will be used.

backoff-retry retransmits

(Optional) Number of retransmissions done in exponential backoff mode in addition to the normal retransmissions configured with the radius-server retransmit command (retransmissions sent at the max-delay interval count toward this number). Valid range for the retransmits argument is 1 to 50; if this option is not specified, the default value (5 retransmits) will be used.


Defaults

This command is not enabled.

Command Modes

Global configuration

Command History

Release      Modification
12.2(15)B    This command was introduced on the Cisco 6400-NRP-1, Cisco 7200 series, and Cisco 7400 series.


Usage Guidelines

The radius-server backoff exponential command is used to keep accounting records on a router for up to 24 hours. After enabling this command, the router will try to send the normal retransmissions for the number of times the retransmits argument is configured. Thereafter, the router will continue to retransmit accounting requests with an interval that doubles on each retransmit failure until a configured maximum interval is reached.

While the router is in "retransmit mode," it stores in memory all accounting records generated during that period; these records are sent to the RADIUS server once the server becomes reachable again, provided that happens before the retransmit mode is complete.

Examples

The following example shows how to configure your router for exponential backoff retransmit of accounting requests:

aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
aaa authorization exec default group radius 
aaa authorization network default group radius 
aaa accounting send stop-record authentication failure 
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
!
interface BRI1/0
 ip address 60.0.0.2 255.0.0.0
 encapsulation ppp
 no ip mroute-cache
 dialer idle-timeout 0
 dialer-group 1
 isdn switch-type basic-5ess
!
radius-server host 128.107.164.206 auth-port 1645 acct-port 1646 backoff exponential max-delay 60 backoff-retry 32
radius-server backoff exponential max-delay 60 backoff-retry 32
radius-server retransmit 3
radius-server key rad123
end

Related Commands

Command
Description

backoff exponential

Configures the router for exponential backoff retransmit of accounting requests per RADIUS server group.

radius-server host

Specifies a RADIUS server host.


radius-server host

To specify a RADIUS server host, use the radius-server host command in global configuration mode. To delete the specified RADIUS host, use the no form of this command.

radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] [backoff exponential max-delay minutes] [backoff-retry retransmits]

no radius-server host {hostname | ip-address}

Syntax Description

hostname

Domain Name System (DNS) name of the RADIUS server host.

ip-address

IP address of the RADIUS server host.

auth-port

(Optional) Specifies the User Datagram Protocol (UDP) destination port for authentication requests.

port-number

(Optional) Port number for authentication requests; the host is not used for authentication if set to 0. If unspecified, the port number defaults to 1645.

acct-port

(Optional) Specifies the UDP destination port for accounting requests.

port-number

(Optional) Port number for accounting requests; the host is not used for accounting if set to 0. If unspecified, the port number defaults to 1646.

timeout

(Optional) Time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used. Enter a value in the range 1 to 1000.

seconds

(Optional) Specifies the timeout value. Enter a value in the range 1 to 1000. If no timeout value is specified, the global value is used.

retransmit

(Optional) Number of times a RADIUS request is re-sent to a server, if that server is not responding or responding slowly. This setting overrides the global setting of the radius-server retransmit command.

retries

(Optional) Specifies the retransmit value. Enter a value in the range 1 to 100. If no retransmit value is specified, the global value is used.

key

(Optional) Specifies the authentication and encryption key used between the router and the RADIUS daemon running on this RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used.

The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax. This is because the leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

string

(Optional) Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. This key must match the encryption used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

alias

(Optional) Allows up to eight aliases per line for any given RADIUS server.

backoff exponential max-delay minutes

(Optional) Maximum interval, in minutes, between retransmissions in exponential backoff mode; once the doubling interval reaches this value, subsequent retransmissions are sent at this fixed interval. Valid range for the minutes argument is 1 to 120; if this option is not specified, the default value (60 minutes) will be used.

backoff-retry retransmits

(Optional) Number of retransmissions done in exponential backoff mode in addition to the normal retransmissions configured with the radius-server retransmit command (retransmissions sent at the max-delay interval count toward this number). Valid range for the retransmits argument is 1 to 50; if this option is not specified, the default value (5 retransmits) will be used.


Defaults

No RADIUS host is specified; use global radius-server command values.

Command Modes

Global configuration

Command History

Release      Modification
11.1         This command was introduced.
12.0(5)T     This command was modified to add options for configuring timeout, retransmission, and key values per RADIUS server.
12.1(3)T     The alias keyword was added on the Cisco AS5300 and AS5800 universal access servers.
12.2(15)B    The backoff exponential max-delay minutes and backoff-retry retransmits options were added.


Usage Guidelines

You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order in which you specify them.

If no host-specific timeout, retransmit, or key values are specified, the global values apply to each host.

Examples

The following example specifies "host1" as the RADIUS server and uses default ports for both accounting and authentication:

radius-server host host1

The following example specifies port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named "host1":

radius-server host host1 auth-port 1612 acct-port 1616

Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.

The following example specifies the host with IP address 172.29.39.46 as the RADIUS server, uses ports 1612 and 1616 as the authorization and accounting ports, sets the timeout value to 6, sets the retransmit value to 5, and sets "rad123" as the encryption key, matching the key on the RADIUS server:

radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123

To use separate servers for accounting and authentication, use the zero port value as appropriate.

The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:

radius-server host host1.example.com auth-port 0
radius-server host host2.example.com acct-port 0

The following example specifies four aliases on the RADIUS server with IP address 172.1.1.1:

radius-server host 172.1.1.1 acct-port 1645 auth-port 1646 

radius-server host 172.1.1.1 alias 172.16.2.1 172.17.3.1 172.16.4.1

The following example shows how to enable exponential backoff retransmits on a per-server basis. In this example, assume that the retransmit is configured for 3 retries and the timeout is configured for 5 seconds; that is, the RADIUS request will be transmitted 3 times with a delay of 5 seconds. Thereafter, the router will continue to retransmit RADIUS requests with a delayed interval that doubles each time until 32 retries have been achieved. The router will stop doubling the retransmit intervals after the interval surpasses the configured 60 minutes; it will transmit every 60 minutes.

radius-server host foo.xyz.com backoff exponential max-delay 60 backoff-retry 32

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

aaa authentication ppp

Specifies one or more AAA authentication methods for use on serial interfaces running PPP.

aaa authorization

Sets parameters that restrict network access to a user.

ppp

Starts an asynchronous connection using PPP.

ppp authentication

Enables CHAP or PAP or both and specifies the order in which CHAP and PAP authentication are selected on the interface.

radius-server key

Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.

radius-server retransmit

Specifies how many times the Cisco IOS software searches the list of RADIUS server hosts before giving up.

radius-server timeout

Sets the interval a router waits for a server host to reply.

username

Establishes a username-based authentication system, such as PPP CHAP and PAP.