AAA Scalability Feature
Feature Summary
The Authentication, Authorization and Accounting (AAA) Scalability feature enables you to configure and monitor the number of background processes allocated by the PPP manager in the network access server (NAS) to deal with AAA authentication and authorization requests. In previous Cisco IOS releases, only one background process was allocated to handle all AAA requests for PPP. This meant that parallelism in AAA servers could not be fully exploited. The AAA Scalability feature enables you to configure the number of processes used to handle AAA requests for PPP, thus increasing the number of users that can be simultaneously authenticated or authorized.
Benefits
The AAA Scalability feature provides an increase in the number of parallel authentication and authorization requests the NAS can forward to the AAA server.
List of Terms
authentication, authorization, and accounting (AAA)—Suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server.
network access server (NAS)—A Cisco access server or any other Cisco device that is acting as a client to the RADIUS server.
Point-to-Point Protocol (PPP)—A routing protocol that provides router-to-router connections over asynchronous and synchronous circuits.
Platforms
The following platforms support the AAA Scalability feature:
• Cisco AS5800 series
Prerequisites
You must configure security using AAA network security services before you can configure the NAS to support AAA scalability. To configure security on a Cisco router or access server using AAA, complete the following tasks:
1. Enable AAA by using the aaa new-model global configuration command. For more information about enabling AAA, refer to the "AAA Overview" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
2. If you decide to use a separate security server, configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos. For more information about configuring RADIUS, refer to the "Configuring RADIUS" chapter in the Cisco IOS Release 11.3 Security Configuration Guide. For more information about configuring TACACS+, refer to the "Configuring TACACS+" chapter in the Cisco IOS 11.3 Security Configuration Guide. For more information about configuring Kerberos, refer to the "Configuring Kerberos" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
3. Define the method lists for authentication by using the aaa authentication command. For more information about defining authentication method lists or configuring other authentication parameters, refer to the "Configuring Authentication" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
4. Apply the method lists to a particular line or interface, if required. For more information about applying authentication method lists, refer to the "Configuring Authentication" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
5. (Optional) Configure authorization using the aaa authorization command. For more information about configuring authorization parameters, refer to the "Configuring Authorization" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
6. (Optional) Configure accounting using the aaa accounting command. For more information about configuring accounting parameters, refer to the "Configuring Accounting" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
For detailed information about any of the commands listed above, refer to the Cisco IOS Release 11.3 Security Command Reference.
Supported MIBs and RFCs
None
Configuration Task
After you have configured the NAS for AAA, complete the following task to configure the AAA Scalability feature.
To allocate a specific number of background processes to handle AAA requests for PPP, perform the following task in global configuration mode:
Allocate a specific number of background processes to handle AAA authentication and authorization requests for PPP.
aaa processes number
The argument number defines the number of background processes earmarked to process AAA authentication and authorization requests for PPP and can be configured for any value from 1 to 2147483647. Because of the way the PPP manager handles requests for PPP, this argument also defines the number of new users that can be simultaneously authenticated. This argument can be increased or decreased at any time.
Note
Allocating additional background processes can be expensive. You should configure the minimum number of background processes capable of handling the AAA requests for PPP.
Configuration Examples
The following example shows a general security configuration using AAA with RADIUS as the security protocol. In this example, the NAS is configured to allocate 16 background processes to handle AAA requests for PPP.
aaa new-model
radius-server host alcatraz
radius-server key myRaDiUSpassWoRd
radius-server configure-nas
username root password ALongPassword
aaa authentication ppp dialins radius local
aaa authentication login admins local
aaa authorization network radius local
aaa accounting network start-stop radius
aaa processes 16
line 1 16
 autoselect ppp
 autoselect during-login
 login authentication admins
 modem dialin
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication pap dialins
The lines in this sample RADIUS AAA configuration are defined as follows:
• The aaa new-model command enables AAA network security services.
• The radius-server host command defines the name of the RADIUS server host.
• The radius-server key command defines the shared secret text string between the network access server and the RADIUS server host.
• The radius-server configure-nas command defines that the Cisco router or access server will query the RADIUS server for static routes and IP pool definitions when the device first starts up.
• The username command defines the username and password to be used for the PPP Password Authentication Protocol (PAP) caller identification.
• The aaa authentication ppp dialins radius local command defines the authentication method list "dialins," which specifies that RADIUS authentication, then (if the RADIUS server does not respond) local authentication will be used on serial lines using PPP.
• The aaa authentication login admins local command defines another method list, "admins," for login authentication.
• The aaa authorization network radius local command is used to assign an address and other network parameters to the RADIUS user.
• The aaa accounting network start-stop radius command tracks PPP usage.
• The aaa processes command allocates 16 background processes to handle AAA requests for PPP.
• The line command switches the configuration mode from global configuration to line configuration and identifies the specific lines being configured.
• The autoselect ppp command configures the Cisco IOS software to allow a PPP session to start up automatically on these selected lines.
• The autoselect during-login command is used to display the username and password prompt without pressing the Return key. After the user logs in, the autoselect function (in this case, PPP) begins.
• The login authentication admins command applies the "admins" method list for login authentication.
• The modem dialin command configures modems attached to the selected lines to only accept incoming calls.
• The interface group-async command selects and defines an asynchronous interface group.
• The group-range command defines the member asynchronous interfaces in the interface group.
• The encapsulation ppp command sets PPP as the encapsulation method used on the specified interfaces.
• The ppp authentication pap dialins command applies the "dialins" method list to the specified interfaces.
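A consistency check for a configuration like the one above, as an added example that is not part of the original Cisco document. It verifies that AAA is enabled, that every method list applied on a line or interface is defined, and that aaa processes is within the range this page gives. The function name and the keyword set are assumptions, and only the command forms shown on this page are handled.

```python
import re

# Constructed input: commands taken from the sample configuration on this page.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host alcatraz
aaa authentication ppp dialins radius local
aaa authentication login admins local
aaa processes 16
line 1 16
 login authentication admins
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication pap dialins
"""

MAX_PROCESSES = 2147483647  # upper bound stated on this page
# Tokens that are not user-defined list names (assumed keyword set).
NOT_LIST_NAMES = {"pap", "chap", "if-needed", "callin", "default"}

def check_aaa_config(config):
    """Return (aaa processes value, list of findings) for an IOS config."""
    cmds = [line.strip() for line in config.splitlines() if line.strip()]
    findings = []
    if "aaa new-model" not in cmds:
        findings.append("aaa new-model is missing, so AAA is not enabled")
    # Method lists defined globally, keyed by (service, list name).
    defined = {(m[1], m[2]) for c in cmds
               if (m := re.fullmatch(r"aaa authentication (ppp|login) (\S+) .+", c))}
    # Method lists applied on lines and interfaces must be defined.
    for c in cmds:
        m = re.match(r"(ppp|login) authentication (.+)", c)
        if m is None:
            continue
        for name in m[2].split():
            if name not in NOT_LIST_NAMES and (m[1], name) not in defined:
                findings.append(
                    f"{m[1]} method list '{name}' is applied but never defined")
    processes = 1  # default stated on this page
    for c in cmds:
        if (m := re.fullmatch(r"aaa processes (\S+)", c)):
            if m[1].isdigit() and 1 <= int(m[1]) <= MAX_PROCESSES:
                processes = int(m[1])
            else:
                findings.append(f"aaa processes {m[1]} is outside 1..{MAX_PROCESSES}")
    return processes, findings
```

A misspelled list name on the interface (for example dialin instead of dialins) is reported as applied but never defined.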
Command Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 11.3 command references.
• aaa processes
• show ppp queues
aaa processes
To allocate a specific number of background processes to be used to process AAA authentication and authorization requests for PPP, use the aaa processes global configuration command. Use the no form of this command to restore the default value for this command.
aaa processes number
no aaa processes number
Syntax Description
number
Specifies the number of background processes allocated for AAA requests for PPP. Valid entries are 1 to 2147483647.
Default
The default for this command is one allocated background process.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3(2)AA.
Use the aaa processes command to allocate a specific number of background processes to simultaneously handle multiple AAA authentication and authorization requests for PPP. Previously, only one background process handled all AAA requests for PPP, so only one new user could be authenticated or authorized at a time. This command configures the number of processes used to handle AAA requests for PPP, increasing the number of users that can be simultaneously authenticated or authorized.
The argument number defines the number of background processes earmarked to process AAA authentication and authorization requests for PPP. This argument also defines the number of new users that can be simultaneously authenticated and can be increased or decreased at any time.
Examples
This example shows the aaa processes command within a standard AAA configuration. The authentication method list "dialins" specifies RADIUS as the method of authentication, then (if the RADIUS server does not respond) local authentication will be used on serial lines using PPP. Ten background processes have been allocated to handle AAA requests for PPP.
configure terminal
aaa new-model
aaa authentication ppp dialins radius local
aaa processes 10
interface 10
encap ppp
ppp authentication pap dialins
Related Commands
show ppp queues
show ppp queues
To monitor the number of requests processed by each AAA background process, use the show ppp queues Privileged EXEC command:
show ppp queues
Syntax Description
This command has no arguments or keywords.
Command Mode
Privileged EXEC
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3(2)AA.
Use the show ppp queues command to display the number of requests handled by each AAA background process, the average amount of time it takes to complete each request, and the requests still pending in the work queue. This information can help you balance the data load between the NAS and the AAA server.
This command displays information about the background processes configured by the aaa processes global configuration command. Each line in the display contains information about one of the background processes. If there are AAA requests in the queue when you enter this command, the requests will be printed as well as the background process data.
Sample Display
The following is sample output from the show ppp queues command:
router# show ppp queues
Proc #0 pid=73 authens=59 avg. rtt=118s. authors=160 avg. rtt=94s.
Proc #1 pid=74 authens=52 avg. rtt=119s. authors=127 avg. rtt=115s.
Proc #2 pid=75 authens=69 avg. rtt=130s. authors=80 avg. rtt=122s.
Proc #3 pid=76 authens=44 avg. rtt=114s. authors=55 avg. rtt=106s.
Proc #4 pid=77 authens=70 avg. rtt=141s. authors=76 avg. rtt=118s.
Proc #5 pid=78 authens=64 avg. rtt=131s. authors=97 avg. rtt=113s.
Proc #6 pid=79 authens=56 avg. rtt=121s. authors=57 avg. rtt=117s.
Proc #7 pid=80 authens=43 avg. rtt=126s. authors=54 avg. rtt=105s.
Proc #8 pid=81 authens=139 avg. rtt=141s. authors=120 avg. rtt=122s.
Proc #9 pid=82 authens=63 avg. rtt=128s. authors=199 avg. rtt=80s.
queue len=0 max len=499
describes the fields shown in the sample display.
Related Commands
aaa processes
debug ppp tasks
Debug Command
This section documents the new debug ppp tasks command. All other debug commands are documented in the Cisco IOS Release 11.3 Debug Command Reference.
debug ppp tasks
Use the debug ppp tasks command to display information about AAA requests. The no form of this command disables debugging output.
[no] debug ppp tasks
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3(2)AA.
AAA network security services offer you the option to allocate specific background processes to handle AAA authentication and authorization requests for PPP. Use this command to display general information about AAA requests for PPP if you have allocated additional background processes for this purpose.
Sample Display
The following is sample output from the debug ppp tasks command:
router# debug ppp tasks
Feb 24 01:25:20.294: As1/8/39: CHAP_RRESPONSE (0x61F87080) id 9 (0s.) busy/0 started 1/1/1
Feb 24 01:25:20.706: As1/8/39: CHAP_RRESPONSE (0x61F87080) id 9 (0s.) busy/0 done in 0 s. 1/1/1
Feb 24 01:25:21.182: Se1/2/10:1: CHAP_RRESPONSE (0x621A1770) id 17 (0s.) busy/1 started 2/2/2
Feb 24 01:25:21.190: As1/8/39: AAA_PER_USER IP_UP (0x624BD894) id 0 (0s.) queued 3/3/3
describes the fields shown in the sample display.
Related Commands
aaa processes
show ppp queues
