authentication, authorization, and accounting (AAA)---Suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server.
network access server (NAS)---A Cisco access server or any other Cisco device that is acting as a client to the RADIUS server.
Point-to-Point Protocol (PPP)---A routing protocol that provides router-to-router connections over asynchronous and synchronous circuits.
The following platforms support the AAA Scalability feature:
1. Enable AAA by using the aaa new-model global configuration command. For more information about enabling AAA, refer to the "AAA Overview" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
2. If you decide to use a separate security server, configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos. For more information about configuring RADIUS, refer to the "Configuring RADIUS" chapter in the Cisco IOS Release 11.3 Security Configuration Guide. For more information about configuring TACACS+, refer to the "Configuring TACACS+" chapter in the Cisco IOS 11.3 Security Configuration Guide. For more information about configuring Kerberos, refer to the "Configuring Kerberos" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
3. Define the method lists for authentication by using the aaa authentication command. For more information about defining authentication method lists or configuring other authentication parameters, refer to the "Configuring Authentication" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
4. Apply the method lists to a particular line or interface, if required. For more information about applying authentication method lists, refer to the "Configuring Authentication" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
5. (Optional) Configure authorization using the aaa authorization command. For more information about configuring authorization parameters, refer to the "Configuring Authorization" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
6. (Optional) Configure accounting using the aaa accounting command. For more information about configuring accounting parameters, refer to the "Configuring Accounting" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
For detailed information about any of the commands listed above, refer to the Cisco IOS Release 11.3 Security Command Reference.
None
To allocate a specific number of background processes to handle AAA requests for PPP, perform the following task in global configuration mode:
| Task | Command |
|---|---|
| Allocate a specific number of background processes to handle AAA authentication and authorization requests for PPP. | aaa processes number |
The argument number defines the number of background processes earmarked to process AAA authentication and authorization requests for PPP and can be configured for any value from 1 to 2147483647. Because of the way the PPP manager handles requests for PPP, this argument also defines the number of new users that can be simultaneously authenticated. This argument can be increased or decreased at any time.
```
aaa new-model
radius-server host alcatraz
radius-server key myRaDiUSpassWoRd
radius-server configure-nas
username root password ALongPassword
aaa authentication ppp dialins radius local
aaa authentication login admins local
aaa authorization network radius local
aaa accounting network start-stop radius
aaa processes 16
line 1 16
 autoselect ppp
 autoselect during-login
 login authentication admins
 modem dialin
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication pap dialins
```
The lines in this sample RADIUS AAA configuration are defined as follows:
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 11.3 command references.
| number | Specifies the number of background processes allocated for AAA requests for PPP. Valid entries are 1 to 2147483647. |
The default for this command is one allocated background process.
Global configuration
This command first appeared in Cisco IOS Release 11.3(2)AA.
Use the aaa processes command to allocate a specific number of background processes to simultaneously handle multiple AAA authentication and authorization requests for PPP. Previously, only one background process handled all AAA requests for PPP, so only one new user could be authenticated or authorized at a time. This command configures the number of processes used to handle AAA requests for PPP, increasing the number of users that can be simultaneously authenticated or authorized.
The argument number defines the number of background processes earmarked to process AAA authentication and authorization requests for PPP. This argument also defines the number of new users that can be simultaneously authenticated and can be increased or decreased at any time.
This example shows the aaa processes command within a standard AAA configuration. The authentication method list "dialins" specifies RADIUS as the method of authentication; if the RADIUS server does not respond, local authentication is used on serial lines using PPP. Ten background processes have been allocated to handle AAA requests for PPP.

```
configure terminal
aaa new-model
aaa authentication ppp dialins radius local
aaa processes 10
interface 10
 encap ppp
 ppp authentication pap dialins
```
show ppp queues
This command has no arguments or keywords.
Privileged EXEC
This command first appeared in Cisco IOS Release 11.3(2)AA.
Use the show ppp queues command to display the number of requests handled by each AAA background process, the average amount of time it takes to complete each request, and the requests still pending in the work queue. This information can help you balance the data load between the NAS and the AAA server.
This command displays information about the background processes configured by the aaa processes global configuration command. Each line in the display contains information about one of the background processes. If there are AAA requests in the queue when you enter this command, the requests will be printed as well as the background process data.
The following is sample output from the show ppp queues command:
```
router#show ppp queues
Proc #0 pid=73 authens=59 avg. rtt=118s. authors=160 avg. rtt=94s.
Proc #1 pid=74 authens=52 avg. rtt=119s. authors=127 avg. rtt=115s.
Proc #2 pid=75 authens=69 avg. rtt=130s. authors=80 avg. rtt=122s.
Proc #3 pid=76 authens=44 avg. rtt=114s. authors=55 avg. rtt=106s.
Proc #4 pid=77 authens=70 avg. rtt=141s. authors=76 avg. rtt=118s.
Proc #5 pid=78 authens=64 avg. rtt=131s. authors=97 avg. rtt=113s.
Proc #6 pid=79 authens=56 avg. rtt=121s. authors=57 avg. rtt=117s.
Proc #7 pid=80 authens=43 avg. rtt=126s. authors=54 avg. rtt=105s.
Proc #8 pid=81 authens=139 avg. rtt=141s. authors=120 avg. rtt=122s.
Proc #9 pid=82 authens=63 avg. rtt=128s. authors=199 avg. rtt=80s.
queue len=0 max len=499
```
Table 1 describes the fields shown in the sample display.
| Field | Description |
|---|---|
| Proc # | Identifies the background process allocated by the aaa processes command to handle AAA requests for PPP. All of the data in this row relates to this process. |
| pid= | Identification number of the background process. |
| authens= | Number of authentication requests the process has performed. |
| avg. rtt= | Average delay (in seconds) until the authentication request was completed. |
| authors= | Number of authorization requests the process has performed. |
| avg. rtt= | Average delay (in seconds) until the authorization request was completed. |
| queue len= | Current queue length. |
| max len= | Maximum length the queue ever reached. |
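
The following Python parser is an added example, not Cisco code: it reads the show ppp queues display described in Table 1, totals the per-process counters, and flags slow processes and a queue backlog, which is the load-balancing check the command is meant to support. The thresholds `rtt_limit_s` and `backlog_limit` are assumed values; the sample text is the output shown on this page.

```python
import re

# Sample text is the "show ppp queues" display reproduced from this page.
SAMPLE = """\
Proc #0 pid=73 authens=59 avg. rtt=118s. authors=160 avg. rtt=94s.
Proc #1 pid=74 authens=52 avg. rtt=119s. authors=127 avg. rtt=115s.
Proc #2 pid=75 authens=69 avg. rtt=130s. authors=80 avg. rtt=122s.
Proc #3 pid=76 authens=44 avg. rtt=114s. authors=55 avg. rtt=106s.
Proc #4 pid=77 authens=70 avg. rtt=141s. authors=76 avg. rtt=118s.
Proc #5 pid=78 authens=64 avg. rtt=131s. authors=97 avg. rtt=113s.
Proc #6 pid=79 authens=56 avg. rtt=121s. authors=57 avg. rtt=117s.
Proc #7 pid=80 authens=43 avg. rtt=126s. authors=54 avg. rtt=105s.
Proc #8 pid=81 authens=139 avg. rtt=141s. authors=120 avg. rtt=122s.
Proc #9 pid=82 authens=63 avg. rtt=128s. authors=199 avg. rtt=80s.
queue len=0 max len=499
"""

PROC_RE = re.compile(
    r"Proc #(?P<proc>\d+)\s+pid=(?P<pid>\d+)\s+"
    r"authens=(?P<authens>\d+)\s+avg\. rtt=(?P<authen_rtt>\d+)s\.\s+"
    r"authors=(?P<authors>\d+)\s+avg\. rtt=(?P<author_rtt>\d+)s\.")
QUEUE_RE = re.compile(r"queue len=(?P<queue_len>\d+)\s+max len=(?P<max_len>\d+)")

def parse_ppp_queues(text):
    """Return (per-process rows, queue counters) with every field as an int."""
    procs = [{k: int(v) for k, v in m.groupdict().items()}
             for m in PROC_RE.finditer(text)]
    q = QUEUE_RE.search(text)
    if not procs or q is None:
        raise ValueError("not recognisable show ppp queues output")
    return procs, {k: int(v) for k, v in q.groupdict().items()}

def summarize(text, rtt_limit_s=60, backlog_limit=100):
    """Summarise load; both limits are hypothetical thresholds, tune per site."""
    procs, queue = parse_ppp_queues(text)
    authens = sum(p["authens"] for p in procs)
    authors = sum(p["authors"] for p in procs)
    busiest = max(procs, key=lambda p: p["authens"] + p["authors"])
    # Request-weighted mean, so a lightly used process does not skew the figure.
    rtt = sum(p["authens"] * p["authen_rtt"] for p in procs) / authens if authens else 0.0
    return {
        "processes": len(procs), "authens": authens, "authors": authors,
        "busiest_proc": busiest["proc"],
        "mean_authen_rtt_s": round(rtt, 1),
        "slow_procs": [p["proc"] for p in procs
                       if max(p["authen_rtt"], p["author_rtt"]) > rtt_limit_s],
        "backlog_seen": queue["max_len"] > backlog_limit,
        "queue_len": queue["queue_len"],
    }
```

Run against the sample, every process exceeds the assumed 60-second limit and the queue high-water mark of 499 trips the backlog flag, which points at the AAA server round trip rather than at an uneven spread across processes.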
aaa processes
debug ppp tasks
This section documents the new debug ppp tasks command. All other debug commands are documented in the Cisco IOS Release 11.3 Debug Command Reference.
This command first appeared in Cisco IOS Release 11.3(2)AA.
AAA network security services offer you the option to allocate specific background processes to handle AAA authentication and authorization requests for PPP. Use this command to display general information about AAA requests for PPP if you have allocated additional background processes for this purpose.
The following is sample output from the debug ppp tasks command:
```
router# debug ppp tasks
Feb 24 01:25:20.294: As1/8/39: CHAP_RRESPONSE (0x61F87080) id 9 (0s.) busy/0 started 1/1/1
Feb 24 01:25:20.706: As1/8/39: CHAP_RRESPONSE (0x61F87080) id 9 (0s.) busy/0 done in 0 s. 1/1/1
Feb 24 01:25:21.182: Se1/2/10:1: CHAP_RRESPONSE (0x621A1770) id 17 (0s.) busy/1 started 2/2/2
Feb 24 01:25:21.190: As1/8/39: AAA_PER_USER IP_UP (0x624BD894) id 0 (0s.) queued 3/3/3
```
Table 2 describes the fields shown in the sample display.
| Field | Description |
|---|---|
| Feb 24 01:25:20.294 | Timestamp, including the month, day, and time. |
| As1/8/39: | Interface name. |
| CHAP_RRESPONSE | Description of the operation. Possible operations include: |
| (0x61F87080) | Hexadecimal address of the AAA request. |
| id | Identification number of the AAA request. |
| (0s.) | Length of time, in seconds, the AAA request has been queued. |
| busy/0 | Indicates that the request is being processed; the number identifies the background process. |
| started | Current state of the request. There are three possible states: |
| 1/1/1 | The current position of the request in the queue/the current length of the queue/the maximum length of the queue. |
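
The following Python sketch is an added example, not Cisco code: it parses the debug ppp tasks lines described in Table 2, pairs each "started" line with its "done" line by request address, and reports requests that are still queued or in progress. It assumes only the three states visible in the sample output (started, done, queued), that a request address identifies one request within a capture, and a year for the timestamps, which carry none.

```python
import re
from datetime import datetime

# The four lines of "debug ppp tasks" output reproduced from this page.
SAMPLE = """\
Feb 24 01:25:20.294: As1/8/39: CHAP_RRESPONSE (0x61F87080) id 9 (0s.) busy/0 started 1/1/1
Feb 24 01:25:20.706: As1/8/39: CHAP_RRESPONSE (0x61F87080) id 9 (0s.) busy/0 done in 0 s. 1/1/1
Feb 24 01:25:21.182: Se1/2/10:1: CHAP_RRESPONSE (0x621A1770) id 17 (0s.) busy/1 started 2/2/2
Feb 24 01:25:21.190: As1/8/39: AAA_PER_USER IP_UP (0x624BD894) id 0 (0s.) queued 3/3/3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}\.\d{3}): (?P<intf>\S+): (?P<op>.+?) "
    r"\((?P<addr>0x[0-9A-Fa-f]+)\) id (?P<id>\d+) \((?P<waited>\d+)s\.\) "
    r"(?:busy/(?P<proc>\d+) )?(?P<state>started|done|queued)(?: in \d+ s\.)? "
    r"(?P<pos>\d+)/(?P<qlen>\d+)/(?P<qmax>\d+)$", re.M)

def parse_tasks(text, year=2000):
    """Parse debug lines; `year` is assumed because the timestamps carry none."""
    events = []
    for m in LINE_RE.finditer(text):
        e = m.groupdict()
        e["ts"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S.%f")
        for k in ("id", "waited", "pos", "qlen", "qmax"):
            e[k] = int(e[k])
        events.append(e)
    return events

def track_requests(text):
    """Pair started/done lines by request address; report what is still open."""
    open_reqs, durations = {}, {}
    for e in parse_tasks(text):
        if e["state"] == "done":
            begun = open_reqs.pop(e["addr"], None)
            if begun and begun["state"] == "started":
                durations[e["addr"]] = (e["ts"] - begun["ts"]).total_seconds()
        else:  # "queued" or "started": the latest state wins for this address
            open_reqs[e["addr"]] = e
    pending = {a: (e["intf"], e["op"], e["state"]) for a, e in open_reqs.items()}
    return durations, pending
```

On the sample, the first CHAP request completes in 0.412 seconds, while the request on Se1/2/10:1 and the queued AAA_PER_USER IP_UP request remain open at the end of the capture.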
aaa processes
show ppp queues
Posted: Fri Mar 12 22:46:58 PST 1999
Copyright 1989-1999©Cisco Systems Inc.