Step 3 is repeated until the specified maximum number of transmissions has been made. If the end of the list is reached before the maximum number of transmissions has been reached, the router goes back to the beginning of the list and continues from there.

This scenario does not allow for multiple RADIUS servers to share transaction load because each RADIUS server is used until marked dead. To balance the load between various servers and specify the initial server for the router or access server, use the radius-server retry method reorder command in global configuration mode.

When this command is configured, the RADIUS server for each transaction is chosen as follows:

• The router or NAS maintains the status of the first server to which a transmission is sent. This server is identified as the "flagged" server. At boot time, the flagged server is the first server listed in the server group. If the flagged server is marked as dead, the next nondead server listed after the flagged server is designated for this role. If the flagged server is the last server in the list and it is marked dead, the transaction fails, and the first server on the list becomes the flagged server.

• The transmission is sent to the flagged server for the configured number of retransmissions.

• The NAS then sends the transmission sequentially to the remaining nondead servers in the server group until a response is received or the maximum number of tries (a configurable parameter) is reached.

A server is marked dead only if both of the following conditions are met:

1. The server has not responded to the configured number of retransmissions. The number of retransmissions is configurable via the radius-server transaction max-tries command.

2. The server has not responded to any requests for the configured period of time.

RADIUS Authentication Example

To use a RADIUS server for AAA authentication at login or for PPP, AAA must first be enabled on the router (the aaa new-model command). Then specify the RADIUS server's IP address or host name and the shared key.
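The following IOS configuration is an added example, not taken from the original page, that ties together the two passages above: the retry method reorder and dead-marking settings, and login/PPP authentication against a RADIUS server group. The addresses 192.0.2.10 and 192.0.2.11, the group name RAD-SERVERS, the local username and every key are placeholders chosen for this example. It uses radius-server dead-criteria to set the unanswered-tries and elapsed-time thresholds that the two dead-marking conditions refer to; that pairing is this example's choice, not something the page states.

```cisco
! Added example (not from the original page): server selection, dead
! detection and AAA authentication for login and PPP against RADIUS.
! Addresses, group name, username and keys are placeholders.
aaa new-model
!
! Two RADIUS servers. "key" must be the last keyword on the line:
! IOS takes everything after it, spaces included, as the shared secret.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key Example-Key-1
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key Example-Key-2
!
! Per-request timing: wait 5 seconds for a reply, then retransmit up to 3 times
radius-server timeout 5
radius-server retransmit 3
!
! Rotate the "flagged" server between transactions instead of using the
! first listed server until it is marked dead
radius-server retry method reorder
! Upper bound on transmissions for one transaction across all servers in the group
radius-server transaction max-tries 8
!
! Mark a server dead only after 3 unanswered tries AND 10 seconds with no reply
! at all; a dead server is then skipped for 5 minutes before being tried again
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
! Server group referenced by the method lists below
aaa group server radius RAD-SERVERS
 server 192.0.2.10 auth-port 1812 acct-port 1813
 server 192.0.2.11 auth-port 1812 acct-port 1813
!
! Local account used only when no RADIUS server in the group answers
username admin privilege 15 secret ChangeMeLocally
!
! Login and PPP authentication: RADIUS first, local database as fallback
aaa authentication login default group RAD-SERVERS local
aaa authentication ppp default group RAD-SERVERS local
!
line vty 0 4
 login authentication default
!
interface Serial0/0
 encapsulation ppp
 ppp authentication chap default
```

Two points worth checking on a real device: the "local" method is consulted only when every server in the group fails to respond, not when a server returns an Access-Reject, so it prevents lockout during an outage without weakening a deliberate deny; and show aaa servers reports each server's up/dead state and counters, which is the quickest way to confirm that the dead-criteria and deadtime values behave as intended. Keys appear in clear text in the running configuration unless service password-encryption is enabled.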
