[c-nsp] Central Authentication (Tacacs+ / Radius)
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Wed Apr 6 02:14:24 EDT 2005
Scott,
> I see that you've had great experiences using RADIUS on IOS with
> failover. Can you share some of the tuning parameters you use for
> failover... server timeouts, retries, and such?
I think this will heavily depend on the particular application, Radius
server capacity, etc. I often see timeouts of 3-5 seconds with 2-3
retries.
Deadtime plays an important role, and the deadtime algorithm has changed
significantly in 12.3/12.3T to cope with extreme scenarios like a high
number of simultaneous requests; search CCO for "AAA Dead-Server
Detection", which explains the new algorithm in great detail
("radius-server dead-criteria ...").
> I have noted that IOS with RADIUS, in the application I am using it
> for, seems to retry the failed server on each new instance or session
> despite having marked the server dead in the prior instance. I am
> wondering if this is an IOS issue I have run into, or if it is normal
> behavior.
It is normal behavior if the server's deadtime has expired. It can be
changed with "radius-server retry method reorder" (use a halfway recent
12.3M/12.3T image when you want to use this feature to get some
important bug fixes related to this command).
oli
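The settings Oli refers to, pulled together into one IOS configuration as an added example (this is not part of his post or Scott's). The IOS defaults are shown for contrast in the comments; the server addresses (RFC 5737 documentation range), the server-group name, the shared secrets and the local fallback account are placeholders to be replaced:

```ios
! Added example, not from the original post. Target: IOS 12.3M/12.3T with
! the "AAA Dead-Server Detection" feature. Addresses, group name, secrets
! and the local username are placeholders.
!
! --- What you get with the defaults ---
! radius-server timeout 5 / retransmit 3 means one try plus three retries,
! i.e. roughly 20 s per server before IOS moves to the next one, and
! radius-server deadtime 0 (default) never skips a failed server, so every
! new session retries the dead server first, which is the behaviour Scott
! describes.
!
! --- Tuned configuration ---
aaa new-model
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key 0 CHANGE-ME-secret1
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key 0 CHANGE-ME-secret2
!
! Per-request timeout and retries, picked from the 3-5 s / 2-3 range above
radius-server timeout 3
radius-server retransmit 2
!
! Skip a server that has been marked dead for 10 minutes instead of
! retrying it on every new session
radius-server deadtime 10
!
! 12.3/12.3T dead-server detection: mark a server dead after 3 unanswered
! tries spread over at least 5 seconds (the "AAA Dead-Server Detection"
! document on CCO explains how both conditions interact)
radius-server dead-criteria time 5 tries 3
!
! After a failover, start later requests with the server that last
! answered instead of always going back to the first entry in the list
radius-server retry method reorder
!
aaa group server radius RADIUS-AUTH
 server 192.0.2.10 auth-port 1812 acct-port 1813
 server 192.0.2.11 auth-port 1812 acct-port 1813
!
! Keep a local fallback so the box stays manageable if every server is dead;
! "local" is only consulted when the whole group is unreachable, not when
! a server answers with Access-Reject
username admin privilege 15 secret CHANGE-ME-local
aaa authentication login default group RADIUS-AUTH local
aaa authorization exec default group RADIUS-AUTH local
!
! Verification: "show aaa servers" lists each server's state (up/dead),
! its timeouts and the number of failovers, so you can watch a server
! being marked dead and coming back after deadtime expires.
```

Two things to keep in mind when testing this: the dead-criteria and deadtime values only matter once a server has actually stopped answering, so test by filtering the RADIUS ports on one server rather than by stopping the daemon (a host that returns ICMP port unreachable may be treated differently from one that silently drops packets), and use a separate shared secret per server so that compromising one NAS-to-server pair does not expose the other.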