[c-nsp] Central Authentication (Tacacs+ / Radius)

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Apr 6 02:14:24 EDT 2005


Scott,

> I see that you've had great experiences using RADIUS on IOS with
> failover.  Can you share some of the tuning parameters you use for
> failover... server-timeouts, retries, and such?

I think this will heavily depend on the particular application, Radius
server capacity, etc. I often see timeouts of 3-5 seconds with 2-3
retries.
Deadtime plays an important role, and the deadtime algorithm has changed
significantly in 12.3/12.3T to cope with extreme scenarios like a high
number of simultaneous requests; search CCO for "AAA Dead-Server
Detection", which explains the new algorithm in great detail
("radius-server dead-criteria ...").

> I have noted that IOS with RADIUS, in the application I am using it
> for, seems to retry the failed server on each new instance or session
> despite having marked the server dead in the prior instance.  I am
> wondering if this is an IOS issue I have run into, or if it is normal
> behavior.

It is normal behavior if the server's deadtime has expired. It can be
changed with "radius-server retry method reorder" (use a halfway recent
12.3M/12.3T image when you want to use this feature to get some
important bug fixes related to this command).

	oli
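
As an added example (not part of Oli's mail or of any Cisco document), an IOS 12.3-era configuration that puts the knobs discussed above side by side: timeout/retransmit, dead-criteria plus deadtime, and retry method reorder. The server addresses, shared secret, local account and the `local` fallback in the method lists are assumptions for the example.

```cisco
! Added example, not from the original mail. Addresses and secrets are placeholders.
aaa new-model
!
! Two RADIUS servers; the order listed is the order IOS tries them in.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
!
! Per-request tuning in the range the mail mentions: wait 5 seconds per
! attempt and retransmit 3 times before giving up on a server for this request.
radius-server timeout 5
radius-server retransmit 3
!
! Dead-server detection (12.3/12.3T): a server that has not answered for
! 5 seconds across 3 tries is marked dead ...
radius-server dead-criteria time 5 tries 3
! ... and is skipped for 10 minutes before IOS tries it again.
radius-server deadtime 10
!
! Without this, once deadtime expires every new session starts with the
! previously failed primary. With it, the most recently responsive server
! is tried first.
radius-server retry method reorder
!
! Method lists: RADIUS first; the local database is consulted only when no
! server answers (an error), not when a server rejects the user. The local
! account is an assumption so a RADIUS outage cannot lock out administrators.
username admin privilege 15 secret EXAMPLE-LOCAL-PASSWORD
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
line vty 0 4
 login authentication default
```

With dead-criteria in place, a server marked dead is not retried per session during the deadtime window; watch `debug radius` output during a controlled failover test to confirm the router does not fall back to the local account while at least one server is alive.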

