First Published: December 5, 2006
This chapter provides enhancement tips you can apply for optimal feature performance, and includes the following topics:
•RADIUS Reorder (Round Robin)
•RADIUS Load Balancing
RADIUS Reorder (Round Robin)
You can configure a RADIUS server as the initial server, and a list of RADIUS servers to use as failover servers in the event that the initial RADIUS server is not operational. This feature is disabled by default.
The following global commands are used to enable this feature:
radius-server retry method reorder
radius-server transactions max-tries <n>
When RADIUS Reorder Is Not Configured
Each RADIUS server is used until marked nonoperational. The operational server closest to the beginning of the list is used for the first transaction transmission and for the configured number of retransmissions. Each operational server in the list is thereafter tried in turn (round robin).
When RADIUS Reorder Is Configured
The following process determines which RADIUS server is used as the initial RADIUS server:
•The Network Access Server (NAS) flags the configured RADIUS server, which will be the first server to receive a transmission.
•After the transmission is sent to the flagged server, it is resent to the flagged server for the configured number of retransmits.
•The NAS then fails over sequentially through the list of operational RADIUS servers in the server group, starting with the one after the flagged server, until the configured transaction max-tries is reached, or a response is received.
•At boot time, the flagged server is the first RADIUS server in the server group list established by CLI.
•If the flagged RADIUS server is marked as nonoperational (even if the nonoperational time is 0), the first operational RADIUS server, after the flagged RADIUS server, becomes the flagged RADIUS server.
•If the flagged RADIUS server is the last server in the list and it is marked nonoperational, the flagged RADIUS server becomes the first operational server in the list.
•If all servers are marked nonoperational, the transaction fails, and no change is made to the flagged RADIUS server.
•If the flagged RADIUS server is marked nonoperational and its timer expires, no action is taken.
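The rules above are easier to check against concrete cases than to read. The following model is an added illustration, not Cisco IOS code: it encodes the flagged-server rules from this section and walks through each edge case (dead flagged server, wrap-around from the last server, all servers dead, dead timer expiry). The server names, the retransmit and max-tries values, the `responds` callable that stands in for a server answering, and the assumption that the failover walk wraps around to the head of the list are all choices made for the example.

```python
"""Model of the RADIUS reorder (round-robin failover) selection rules.

Added illustration, not Cisco IOS code. How a server comes to be marked
nonoperational (deadtime detection) is outside the model; the caller marks it.
"""
from dataclasses import dataclass


@dataclass
class RadiusServer:
    name: str
    operational: bool = True


class ReorderSelector:
    def __init__(self, names, retransmits=1, max_tries=3):
        # Server group order as established by CLI; the first is flagged at boot.
        self.servers = [RadiusServer(n) for n in names]
        self.retransmits = retransmits   # retransmissions to one server before failing over
        self.max_tries = max_tries       # radius-server transactions max-tries <n>
        self.flagged = 0                 # index of the flagged server

    def flagged_name(self):
        return self.servers[self.flagged].name

    def _index(self, name):
        return next(i for i, s in enumerate(self.servers) if s.name == name)

    def _advance_flag(self):
        """Hand the flag to the first operational server after the current one,
        wrapping past the end of the list. Returns False if none is operational,
        in which case the flag is left where it is."""
        n = len(self.servers)
        for step in range(1, n + 1):
            idx = (self.flagged + step) % n
            if self.servers[idx].operational:
                self.flagged = idx
                return True
        return False

    def mark_nonoperational(self, name):
        """The NAS marks a server dead; a dead flagged server gives up the flag."""
        idx = self._index(name)
        self.servers[idx].operational = False
        if idx == self.flagged:
            self._advance_flag()

    def timer_expired(self, name):
        """Dead timer expires: the server is usable again, but the flag is
        not moved back (rule: no action is taken)."""
        self.servers[self._index(name)].operational = True

    def send(self, responds):
        """Run one transaction. `responds(server)` models whether a server
        answers (an unanswered send does not mark it dead here). Returns the
        server names in transmission order and the answering server, or None."""
        if not self.servers[self.flagged].operational and not self._advance_flag():
            return [], None            # every server is dead: the transaction fails
        n, tries, sent = len(self.servers), 0, []
        # Flagged server first, then each operational server after it in turn
        # (assumption: the walk wraps around to the head of the list).
        for step in range(n):
            srv = self.servers[(self.flagged + step) % n]
            if not srv.operational:
                continue
            for _ in range(1 + self.retransmits):   # first send plus retransmits
                if tries >= self.max_tries:
                    return sent, None  # transaction max-tries reached
                tries += 1
                sent.append(srv.name)
                if responds(srv):
                    return sent, srv.name
        return sent, None


def reorder_demo():
    """Walk through the rules above; returns the observations for checking."""
    out = {}
    sel = ReorderSelector(["A", "B", "C"], retransmits=1, max_tries=5)
    out["healthy"] = sel.send(lambda s: True)              # flagged A answers at once
    out["exhausted"] = sel.send(lambda s: False)           # A,A,B,B,C then max-tries hit
    sel.mark_nonoperational("A")                           # flag hands over A -> B
    out["flag_after_a_dead"] = sel.flagged_name()
    out["skip_dead"] = sel.send(lambda s: s.name == "C")   # B,B then C answers; A skipped
    sel.timer_expired("A")                                 # A usable again; flag stays on B
    out["flag_after_timer"] = sel.flagged_name()
    out["wrap_to_a"] = sel.send(lambda s: s.name == "A")   # B,B,C,C then A (wrapped)
    sel.mark_nonoperational("B")                           # flag B -> C
    sel.mark_nonoperational("C")                           # C is last: flag wraps to A
    out["flag_wrap"] = sel.flagged_name()
    sel.mark_nonoperational("A")                           # nothing left: flag unchanged
    out["all_dead"] = (sel.send(lambda s: True), sel.flagged_name())
    return out


if __name__ == "__main__":
    for key, value in reorder_demo().items():
        print(f"{key}: {value}")
```

The "exhausted" case is the one to watch in production: with retransmits and max-tries both configured, a transaction can burn its whole try budget on the first two servers and never reach the third, so max-tries should be sized against the number of servers and the retransmit count together.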
RADIUS Load Balancing
Cisco IOS software includes a RADIUS load-balancing technique that sends requests to a server with the fewest outstanding requests. To enable this feature, use the following command (which is part of the server-group configuration):
load-balance method least-outstanding [batch-size <n>]
nas(config)#aaa group server radius lbgroup
nas(config-sg-radius)#load-balance method least-outstanding [batch-size <n>]
batch-size <n> specifies the number of requests that are allocated to the server with the fewest outstanding requests before the selection is recalculated. (After each batch is allocated, the server with the fewest outstanding requests is determined again.) A larger batch size reduces how often the selection is recalculated, but it can send a burst of requests to a server that has stopped answering before the next recalculation notices.
Use the following command to debug the request allocations:
debug aaa sg-server-selection
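The following model is an added illustration, not Cisco IOS code: it shows how least-outstanding selection with a batch size hands out requests, and why a large batch size keeps feeding a server that has stopped answering until the next recalculation. The server names, request counts, response pattern and the tie-breaking rule (earliest server in the group wins) are assumptions made for the example.

```python
"""Model of least-outstanding RADIUS load balancing with a batch size.

Added illustration, not Cisco IOS code. Tie-breaking between servers with
equal outstanding counts is an assumption (earliest in CLI order wins).
"""


class LeastOutstandingBalancer:
    def __init__(self, names, batch_size=1):
        # Requests sent to each server and not yet answered, in CLI order.
        self.outstanding = {name: 0 for name in names}
        self.batch_size = batch_size
        self._target = None   # server picked by the last recalculation
        self._left = 0        # requests still to hand to that server

    def _recalculate(self):
        # Fewest outstanding requests wins; min() returns the first of equal
        # keys, which gives the assumed CLI-order tie-break.
        self._target = min(self.outstanding, key=self.outstanding.get)
        self._left = self.batch_size

    def assign(self):
        """Allocate one request; recalculate only when the batch is used up."""
        if self._left == 0:
            self._recalculate()
        self._left -= 1
        self.outstanding[self._target] += 1
        return self._target

    def complete(self, name):
        """A response arrived from `name`, freeing one outstanding slot."""
        if self.outstanding[name] == 0:
            raise ValueError(f"no outstanding request on {name}")
        self.outstanding[name] -= 1


def balance_demo():
    """Compare batch-size 1 and 3 on the same traffic; returns observations."""
    out = {}
    one = LeastOutstandingBalancer(["A", "B", "C"], batch_size=1)
    three = LeastOutstandingBalancer(["A", "B", "C"], batch_size=3)
    out["batch1"] = [one.assign() for _ in range(6)]     # A,B,C,A,B,C
    out["batch3"] = [three.assign() for _ in range(6)]   # A,A,A,B,B,B
    # Server A stops answering: only B and C return responses.
    for lb in (one, three):
        for name in ("B", "C"):
            while lb.outstanding[name]:
                lb.complete(name)
    # Batch size 1 alternates between the two live servers; batch size 3
    # piles three requests on B while C sits idle until the next recalculation.
    out["batch1_after"] = [one.assign() for _ in range(4)]     # B,C,B,C
    out["batch3_after"] = [three.assign() for _ in range(4)]   # B,B,B,C
    out["outstanding_after"] = (dict(one.outstanding), dict(three.outstanding))
    return out


if __name__ == "__main__":
    for key, value in balance_demo().items():
        print(f"{key}: {value}")
```

Neither balancer sends new requests to the unresponsive server A once its outstanding count is the highest, which is the point of the method; the batch size only controls how quickly that correction takes effect. debug aaa sg-server-selection shows the same per-request allocation decisions on a real NAS.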
For optimal feature performance, it is best to define items on the Intelligent Services Gateway (ISG) and then reference them using profiles, whenever possible.
For example, to define an ACL-based firewall feature, you could configure the ISG with a named IP access list and then reference the named IP access list in the service profile.
In the following command example, the ISG is configured with the named IP access list "personal-firewall":
ip access-list extended personal-firewall
A service profile can then reference the named IP access list "personal-firewall":
Firewall Password = "default"
Filter-ID = "personal-firewall.[in|out]"
The .in or .out suffix on the access list name selects whether the ISG applies the named access list to the subscriber's inbound or outbound traffic.