Table Of Contents
RADIUS: Separate Retransmit Counter for Accounting
Supported Standards, MIBs, and RFCs
Configuring a Retransmit Counter for Accounting Globally or per RADIUS Host
Configuring a Retransmit Counter for Accounting per RADIUS Server Group
Verifying Retransmit Configurations
Retransmit Counter for Accounting Comprehensive Configuration Example
Per-Server Configuration Example
radius-server backoff exponential
RADIUS: Separate Retransmit Counter for Accounting
Feature History
Release: 12.2(15)B
Modification: This feature was introduced on the Cisco 6400-NRP-1, Cisco 7200 series, and the Cisco 7400 series.
This document describes the RADIUS: Separate Retransmit Counter for Accounting feature in Cisco IOS Release 12.2(15)B. It includes the following sections:
•Supported Standards, MIBs, and RFCs
Feature Overview
In many environments, a single RADIUS server is used for authentication and accounting. Whenever this server is down for approximately 24 hours, the accounting records of users already on the router are lost after authentication, authorization, and accounting (AAA) does all the retransmissions. Before the introduction of this feature, the retransmissions could be configured for a maximum of 100 retries and the timeout could be configured for 1,000 seconds. Although these configurations keep the accounting records on the router for 24 hours, a timeout of 1,000 seconds is unreasonable, causing problems when the RADIUS server cannot be reached due to network congestion.
The RADIUS: Separate Retransmit Counter for Accounting feature allows users to configure an exponential backoff retransmit. That is, after the normally configured retransmission retries have been used, the router will keep on trying with an interval that doubles on each retransmission failure until a configured maximum interval is reached. This functionality allows users to retransmit accounting requests for many hours without overloading the RADIUS server when it does come back up.
This feature can be configured globally (via the radius-server backoff exponential command), per server (via the radius-server host command), or per group (via the backoff exponential command).
Benefits
With this feature, users can extend the time in which the RADIUS client (the router) sends accounting requests to the RADIUS server in the event that the RADIUS server or the connection to the server is down and there is no accounting response confirmation. This functionality enables accounting records to remain on the router for up to 24 hours.
Restrictions
The following tasks will result in excessive memory consumption on the router:
•Configuring this feature on a router with a high call rate.
•Configuring the aaa accounting send stop-record authentication failure command: an accounting record and a RADIUS packet will be generated for each user that fails to authenticate while the RADIUS server is down.
•Configuring interim accounting: new accounting records are generated and stored on the router.
Related Documents
For information on additional RADIUS and AAA accounting configuration tasks and commands, refer to the following documents:
The chapters "Configuring RADIUS" and "Configuring Accounting" in the Cisco IOS Security Configuration Guide, Release 12.2
The chapters "RADIUS Commands" and "Accounting Commands" in the Cisco IOS Security Command Reference, Release 12.2
Supported Platforms
•Cisco 6400-NRP-1
•Cisco 7200 series
•Cisco 7400 series
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs
Standards
None
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
None
Configuration Tasks
See the following sections for configuration tasks for the RADIUS: Separate Retransmit Counter for Accounting feature. Each task in the list is identified as either required or optional.
•Configuring a Retransmit Counter for Accounting Globally or per RADIUS Host (required)
•Configuring a Retransmit Counter for Accounting per RADIUS Server Group (required)
•Verifying Retransmit Configurations (optional)
Configuring a Retransmit Counter for Accounting Globally or per RADIUS Host
To configure exponential backoffs of RADIUS retransmits over an extended period of time on a global basis and per RADIUS host, use the following commands in global configuration mode:
Configuring a Retransmit Counter for Accounting per RADIUS Server Group
To configure exponential backoffs of RADIUS retransmits over an extended period of time per RADIUS server group, use the following commands beginning in global configuration mode:
Verifying Retransmit Configurations
To verify feature functionality, use any of the following EXEC commands:
Configuration Examples
This section provides the following configuration examples:
•Retransmit Counter for Accounting Comprehensive Configuration Example
•Per-Server Configuration Example
Retransmit Counter for Accounting Comprehensive Configuration Example
The following example shows how to configure your router for exponential backoff retransmit of accounting requests. In this example, an exponential backoff is configured globally (via the radius-server backoff exponential command) and for the RADIUS server host "128.107.164.206" (via the radius-server host command).
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
aaa authorization exec default group radius
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
!
interface BRI1/0
 ip address 60.0.0.2 255.0.0.0
 encapsulation ppp
 no ip mroute-cache
 dialer idle-timeout 0
 dialer-group 1
 isdn switch-type basic-5ess
!
radius-server host 128.107.164.206 auth-port 1645 acct-port 1646 backoff exponential max-delay 60 backoff-retry 32
radius-server backoff exponential max-delay 60 backoff-retry 32
radius-server retransmit 3
radius-server key rad123
end
Per-Server Configuration Example
The following example shows how to enable exponential backoff retransmits on a per-server basis. In this example, assume that the retransmit is configured for 3 retries and the timeout is configured for 5 seconds; that is, the RADIUS request will be transmitted 3 times with a delay of 5 seconds. Thereafter, the router will continue to retransmit RADIUS requests with a delayed interval that doubles each time until 32 retries have been achieved. The router will stop doubling the retransmit intervals after the interval surpasses the configured 60 minutes; it will transmit every 60 minutes.
radius-server host foo.xyz.com backoff exponential max-delay 60 backoff-retry 32
After enabling this command, the retransmits will be sent as follows ("t" equals seconds):
t = 0 req sent
t = 5 retrans 1
t = 10 retrans 2
t = 15 retrans 3
t = 25 retrans 4
t = 45 retrans 5
t = 85 retrans 6
t = 165 retrans 7
t = 325 retrans 8
t = 645 retrans 9
t = 1285 retrans 10
t = 2565 retrans 11
t = 5125 retrans 12
t = 8725 retrans 13 (The interval has stabilized to 60 minutes here.)
t = 12325 retrans 14 till retransmit 35
After all the retransmits are sent, the RADIUS request follows the same path that it would when all the normal retransmits are done.
Command Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
•radius-server backoff exponential
backoff exponential
To configure the router for exponential backoff retransmit of accounting requests per RADIUS server group, enter the backoff exponential command in server-group RADIUS configuration mode. To disable this functionality, use the no form of this command.
backoff exponential [max-delay minutes] [backoff-retry retransmits]
no backoff exponential [max-delay minutes] [backoff-retry retransmits]
Syntax Description
Defaults
This command is not enabled.
Command Modes
Server-group RADIUS configuration
Command History
Usage Guidelines
Before enabling this command, you must configure the aaa group server radius command, which allows you to specify a server group and enter server-group RADIUS configuration mode.
The backoff exponential command allows you to configure an exponential backoff retransmission per RADIUS server group. That is, after the normally configured retransmission retries have been used, the router will keep on trying with an interval that doubles on each retransmit failure until a configured maximum interval is reached. This functionality allows you to retransmit accounting requests for many hours without overloading the RADIUS server when it does come back up.
Examples
The following example shows how to configure an exponential backoff retransmission:
aaa group server radius cat
 backoff exponential max-delay 90 backoff-retry 10
Related Commands
radius-server backoff exponential
To configure the router for exponential backoff retransmit of accounting requests, use the radius-server backoff exponential command in global configuration mode. To disable this functionality, use the no form of this command.
radius-server backoff exponential [max-delay minutes] [backoff-retry retransmits]
no radius-server backoff exponential [max-delay minutes] [backoff-retry retransmits]
Syntax Description
Defaults
This command is not enabled.
Command Modes
Global configuration
Command History
Release: 12.2(15)B
Modification: This command was introduced on the Cisco 6400-NRP-1, Cisco 7200 series, and Cisco 7400 series.
Usage Guidelines
The radius-server backoff exponential command is used to keep accounting records on a router for up to 24 hours. After enabling this command, the router will try to send the normal retransmissions for the number of times the retransmits argument is configured. Thereafter, the router will continue to retransmit accounting requests with an interval that doubles on each retransmit failure until a configured maximum interval is reached.
While the router is in "retransmit mode," it stores in memory all accounting records that are generated during that period; these records are sent to the RADIUS server if the server comes back up before the retransmit mode is complete.
Examples
The following example shows how to configure your router for exponential backoff retransmit of accounting requests:
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
aaa authorization exec default group radius
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
!
interface BRI1/0
 ip address 60.0.0.2 255.0.0.0
 encapsulation ppp
 no ip mroute-cache
 dialer idle-timeout 0
 dialer-group 1
 isdn switch-type basic-5ess
!
radius-server host 128.107.164.206 auth-port 1645 acct-port 1646 backoff exponential max-delay 60 backoff-retry 32
radius-server backoff exponential max-delay 60 backoff-retry 32
radius-server retransmit 3
radius-server key rad123
end
Related Commands
Command: backoff exponential
Description: Configures the router for exponential backoff retransmit of accounting requests per RADIUS server group.
Command: radius-server host
Description: Specifies a RADIUS server host.
radius-server host
To specify a RADIUS server host, use the radius-server host command in global configuration mode. To delete the specified RADIUS host, use the no form of this command.
radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] [backoff exponential max-delay minutes] [backoff-retry retransmits]
no radius-server host {hostname | ip-address}
Syntax Description
Defaults
No RADIUS host is specified; use global radius-server command values.
Command Modes
Global configuration
Command History
Usage Guidelines
You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order in which you specify them.
If no host-specific timeout, retransmit, or key values are specified, the global values apply to each host.
Examples
The following example specifies "host1" as the RADIUS server and uses default ports for both accounting and authentication:
radius-server host host1
The following example specifies port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named "host1":
radius-server host host1 auth-port 1612 acct-port 1616
Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.
The following example specifies the host with IP address 172.29.39.46 as the RADIUS server, uses ports 1612 and 1616 as the authorization and accounting ports, sets the timeout value to 6, sets the retransmit value to 5, and sets "rad123" as the encryption key, matching the key on the RADIUS server:
radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123
To use separate servers for accounting and authentication, use the zero port value as appropriate.
The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:
radius-server host host1.example.com auth-port 0
radius-server host host2.example.com acct-port 0
The following example specifies four aliases on the RADIUS server with IP address 172.1.1.1:
radius-server host 172.1.1.1 acct-port 1645 auth-port 1646
radius-server host 172.1.1.1 alias 172.16.2.1 172.17.3.1 172.16.4.1
The following example shows how to enable exponential backoff retransmits on a per-server basis. In this example, assume that the retransmit is configured for 3 retries and the timeout is configured for 5 seconds; that is, the RADIUS request will be transmitted 3 times with a delay of 5 seconds. Thereafter, the router will continue to retransmit RADIUS requests with a delayed interval that doubles each time until 32 retries have been achieved. The router will stop doubling the retransmit intervals after the interval surpasses the configured 60 minutes; it will transmit every 60 minutes.
radius-server host foo.xyz.com backoff exponential max-delay 60 backoff-retry 32
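The following Python script is an added worked example, not part of the Cisco documentation and not IOS code. It simulates the retransmit timeline that the per-server example above (and the identical "Per-Server Configuration Example" earlier on this page) describes for "backoff exponential max-delay 60 backoff-retry 32" with 3 normal retries at a 5-second timeout, and it computes how long the router keeps an unacknowledged accounting request alive, which is what the "up to 24 hours" claim in the overview rests on. It assumes, from the page's timeline, that the first backed-off interval is twice the timeout and that each later interval doubles until it is capped at max-delay; the function and parameter names are the example's own.

```python
"""Simulate the RADIUS accounting retransmit schedule with exponential backoff.

Added example; not from the Cisco documentation. Assumption taken from the
page's timeline: after the normal retries, the interval starts at 2 x timeout
and doubles on each failure until it is capped at max-delay (in minutes).
"""
from typing import List


def retransmit_schedule(timeout: int, retransmit: int,
                        max_delay_minutes: int, backoff_retry: int) -> List[int]:
    """Return the times in seconds (relative to the first transmission) at
    which each retransmission is sent: `retransmit` fixed-interval retries
    followed by `backoff_retry` exponentially backed-off retries."""
    max_delay = max_delay_minutes * 60
    if backoff_retry > 0 and max_delay <= 0:
        raise ValueError("a positive max-delay is required when backoff retries are configured")
    times: List[int] = []
    t = 0
    # Normal retransmits: fixed interval equal to the configured timeout.
    for _ in range(retransmit):
        t += timeout
        times.append(t)
    # Exponential backoff: the interval doubles on each failure until it
    # reaches max-delay, after which every retransmit waits max-delay.
    interval = timeout
    for _ in range(backoff_retry):
        interval = min(interval * 2, max_delay)
        t += interval
        times.append(t)
    return times


def hold_time_hours(timeout: int, retransmit: int,
                    max_delay_minutes: int, backoff_retry: int) -> float:
    """Hours for which the router keeps retrying (and therefore storing)
    a single accounting request before giving up on it."""
    sched = retransmit_schedule(timeout, retransmit, max_delay_minutes, backoff_retry)
    return (sched[-1] if sched else 0) / 3600.0


def format_schedule(times: List[int], max_delay_minutes: int) -> List[str]:
    """Render the timeline in the page's "t = N retrans K" style and mark
    the first retransmit at which the interval has stabilized at max-delay."""
    max_delay = max_delay_minutes * 60
    lines = ["t = 0 req sent"]
    prev = 0
    stabilized = False
    for k, t in enumerate(times, start=1):
        line = f"t = {t} retrans {k}"
        if not stabilized and t - prev == max_delay:
            line += f" (interval has stabilized at {max_delay_minutes} minutes)"
            stabilized = True
        lines.append(line)
        prev = t
    return lines


if __name__ == "__main__":
    # Values from the page's example: timeout 5 s, retransmit 3,
    # backoff exponential max-delay 60 backoff-retry 32.
    sched = retransmit_schedule(5, 3, 60, 32)
    print("\n".join(format_schedule(sched, 60)))
    print(f"total retransmits: {len(sched)}")
    print(f"request kept alive for about {hold_time_hours(5, 3, 60, 32):.1f} hours")
    # Pre-feature approach mentioned in the overview: 100 retries at a
    # 1,000-second timeout, with no backoff configured.
    print(f"legacy 100 x 1000 s: {hold_time_hours(1000, 100, 0, 0):.1f} hours")
```

Running the script reproduces the page's timeline (retransmit 13 at t = 8725 is the first to wait the full 60 minutes) and shows that 3 normal retries plus 32 backed-off retries keep a request alive for 35 retransmits spanning about 24.4 hours, while the legacy 100-retry, 1,000-second approach spends over 27 hours hammering an unreachable server at a fixed rate.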
Related Commands