Examples
The following is sample output from the show aaa servers private command. Only the first four lines of the display pertain to the status of private RADIUS servers, and the output fields in this part of the display are described in the table below.
Router# show aaa servers private
RADIUS: id 24, priority 1, host 172.31.164.120, auth-port 1645, acct-port 1646
     State: current UP, duration 375742s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 5, timeouts 1, failover 0, retransmission 1
             Response: accept 4, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 14ms
             Transaction: success 4, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Account: request 5, timeouts 0, failover 0, retransmission 0
             Request: start 3, interim 0, stop 2
             Response: start 3, interim 0, stop 2
             Response: unexpected 0, server error 0, incorrect 0, time 12ms
             Transaction: success 5, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Elapsed time since counters last cleared: 4d8h22m
     Estimated Outstanding Access Transactions: 0
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Requests per minute past 24 hours:
             high - 8 hours, 22 minutes ago: 0
             low - 8 hours, 22 minutes ago: 0
             average: 0
The table below describes the significant fields in the display.
Table 1. show aaa servers Field Descriptions
Field | Description
id | A unique identifier for all AAA servers defined on the router.
priority | Order of use for servers within a group.
host | IP address of the private RADIUS server host.
auth-port | UDP destination port on the AAA server that is used for authentication and authorization requests. The default value is 1645.
acct-port | UDP destination port on the AAA server that is used for accounting requests. The default value is 1646.
State | Describes the current state of the AAA server; the duration, in seconds, that the server has been in that state; and the duration, in seconds, that the server was in the previous state. The following states are possible:
- DEAD--Indicates that the server is currently down and, in the case of failovers, this server will be omitted unless it is the last server in the group.
- duration--Indicates the amount of time the server is assumed to be in the current state, either UP or DEAD.
- previous duration--Indicates the amount of time the server was considered to be in the previous state.
- UP--Indicates that the server is currently considered alive and attempts will be made to communicate with it.
Dead | Indicates the number of times that this server has been marked dead, and the cumulative amount of time, in seconds, that it spent in that state.
Authen | Provides information about authentication packets that were sent to and received from the server, and authentication transactions that were successful or that failed. The following information may be reported in this field:
- request--Number of authentication requests that were sent to the AAA server.
- timeouts--Number of timeouts (no responses) that were observed when a transmission was sent to this server.
- Response--Provides statistics about responses that were observed from this server and includes the following reports:
  - unexpected--Number of unexpected responses. A response is considered unexpected when it is received after the timeout period for the packet has expired. This may happen if the link to the server is severely congested, for example. An unexpected response can also be produced when a server generates a response for no apparent reason.
  - server error--Number of server errors. This category is a "catchall" for error packets that do not fall into one of the previous categories.
  - incorrect--Number of incorrect responses. A response is considered incorrect if its format differs from the one expected by the protocol. This frequently happens when an incorrect server key is configured on the router.
  - time--Time (in milliseconds) taken to respond to authentication packets.
- Transaction--These fields provide information about authentication, authorization, and accounting transactions related to the server. A transaction is defined as a request for authentication, authorization, or accounting information that is sent by the AAA module, or by an AAA client (such as PPP) to an AAA protocol (RADIUS or TACACS+), which may involve multiple packet transmissions and retransmissions. Transactions may require packet retransmissions to one or more servers in a single server group, to verify success or failure. Success or failure is reported to AAA by the RADIUS and TACACS+ protocols as follows:
  - success--Incremented when a transaction is successful.
  - failure--Incremented when a transaction fails; for example, packet retransmissions to another server in the server group failed or did not succeed. A negative response to an Access-Request, such as Access-Reject, is considered to be a successful transaction.
Author | The fields in this category are similar to those in the Authen: fields. An important difference, however, is that because authorization information is carried in authentication packets for the RADIUS protocol, these fields are not incremented when using RADIUS.
Account | The fields in this category are similar to those in the Authen: fields, but provide accounting transaction and packet statistics.
Elapsed time since counters last cleared | Displays the time in days, hours, and minutes that have passed since the counters were last cleared.
Note | In the case of Intelligent Services Gateway (ISG), the estimated outstanding accounting transactions will take some time to become zero. This is because there is a constant churn in the interim accounting requests.
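An added example, not part of the original command reference: the Python below parses the display into per-server fields and flags the conditions the table describes (DEAD state, incorrect responses that often point to a wrong server key, rejects, which count as successful transactions, and failed transactions). The function names, the key layout, and the raised counter values in the sample are constructed for illustration.

```python
# Constructed sample: abridged from the display above, with the Authen reject,
# incorrect and failure counters raised (made-up values) to trigger the checks.
SAMPLE = """\
RADIUS: id 24, priority 1, host 172.31.164.120, auth-port 1645, acct-port 1646
State: current UP, duration 375742s, previous duration 0s
Dead: total time 0s, count 0
Authen: request 9, timeouts 1, failover 0, retransmission 1
Response: accept 4, reject 2, challenge 0
Response: unexpected 0, server error 0, incorrect 3, time 14ms
Transaction: success 6, failure 3
Account: request 5, timeouts 0, failover 0, retransmission 0
Response: unexpected 0, server error 0, incorrect 0, time 12ms
"""
SECTIONS = ("Authen", "Author", "Account")
SUBLINES = ("Request", "Response", "Transaction", "Throttled")
CHECKS = (("Response.incorrect", "incorrect responses: check the server key"),
          ("Response.reject", "rejects (counted as successful transactions)"),
          ("Transaction.failure", "failed transactions"))

def parse(text):
    """Return one dict per RADIUS server, keyed 'Label[.Subline].field'."""
    servers, cur, section = [], None, None
    for line in text.splitlines():
        label, sep, rest = line.strip().partition(": ")
        if not sep or (cur is None and label != "RADIUS"):
            continue                      # prompt, heading, or text before a server
        if label == "RADIUS":             # first line of a server entry
            cur, section = {}, None
            servers.append(cur)
        elif label in SECTIONS:
            section = label
        elif label in SUBLINES and section:
            label = f"{section}.{label}"  # e.g. Authen.Response
        for item in rest.split(", "):
            key, _, value = item.strip().rpartition(" ")
            if key:                       # bare values such as "No" have no key
                cur[f"{label}.{key}"] = value
    return servers

def findings(srv):
    """Flag the conditions that the field descriptions single out."""
    dead = srv.get("State.current") == "DEAD"
    out = ["server DEAD: omitted on failover unless last in group"] if dead else []
    for sec in SECTIONS:
        for field, note in CHECKS:
            count = int(srv.get(f"{sec}.{field}", "0"))
            if count:
                out.append(f"{sec}: {count} {note}")
    return out
```

Because Access-Reject responses increment Transaction success, rejected logins have to be read from the Response reject counter rather than from Transaction failure.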
The fields in the output of the show aaa servers command are mapped to Simple Network Management Protocol (SNMP) objects in the Cisco AAA-SERVER-MIB and are used in SNMP reporting. The first line of the sample output of the show aaa servers command (RADIUS: id 24, priority 1, host 172.31.164.120, auth-port 1645, acct-port 1646) is mapped to the Cisco AAA-SERVER-MIB as follows:
- id maps to casIndex
- priority maps to casPriority
- host maps to casAddress
- auth-port maps to casAuthenPort
- acct-port maps to casAcctPort
Mapping the following set of objects listed in the Cisco AAA-SERVER-MIB to fields displayed by the show aaa servers command is more straightforward. For example, the casAuthenRequests field corresponds to the Authen: request portion of the report, casAuthenRequestTimeouts corresponds to the Authen: timeouts portion of the report, and so on.
- casAuthenRequests
- casAuthenRequestTimeouts
- casAuthenUnexpectedResponses
- casAuthenServerErrorResponses
- casAuthenIncorrectResponses
- casAuthenResponseTime
- casAuthenTransactionSuccesses
- casAuthenTransactionFailures
- casAuthorRequests
- casAuthorRequestTimeouts
- casAuthorUnexpectedResponses
- casAuthorServerErrorResponses
- casAuthorIncorrectResponses
- casAuthorResponseTime
- casAuthorTransactionSuccesses
- casAuthorTransactionFailures
- casAcctRequests
- casAcctRequestTimeouts
- casAcctUnexpectedResponses
- casAcctServerErrorResponses
- casAcctIncorrectResponses
- casAcctResponseTime
- casAcctTransactionSuccesses
- casAcctTransactionFailures
- casState
- casCurrentStateDuration
- casPreviousStateDuration
- casTotalDeadTime
- casDeadCount
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs.