This document describes the AAA Server Group Deadtimer feature. It includes information on the benefits of the new feature, supported platforms, related documents, and so on.
This document includes the following sections:
The AAA Server Group Deadtimer feature allows each authentication, authorization, and accounting (AAA) server to be fully configured in the server group. Thus, it allows you to direct AAA traffic to separate groups of servers that have different operational characteristics.
Note: The deadtime attribute is supported only for RADIUS hosts. Therefore, all "server group" references in this document refer to RADIUS type server groups.
With the introduction of this feature, deadtime has been added as a new attribute to the server group structure. In addition, a separate timer has been attached to each server host in every server group. Therefore, when a server is found to be unresponsive after numerous retransmissions and time-outs, the server is assumed to be dead. The timers attached to each server host in all server groups are triggered. In essence, the timers are checked and subsequent requests to a server (once it is assumed to be dead) are directed to alternate timers, if configured. When the network access server receives a reply from the server, it checks and stops all configured timers (if running) for that server in all server groups.
If the timer has expired, only the server to which the timer is attached is assumed to be alive. This becomes the only server that can be tried for later AAA requests using the server groups to which the timer belongs.
Note: Since one server has different timers and may have different deadtime values configured in the server groups, the same server may in the future have different states (dead and alive) at the same time.

Note: To change the state of a server, you must start and stop all configured timers in all server groups.
If deadtime is defined globally, the local server group deadtime configuration will override the global configuration. If deadtime is omitted from the local server group configuration, the value will be inherited from the master list. If the server is not configured, the default value (0) will apply for all.
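The per-group timer behavior described above can be modeled in a few lines. This is an added example, not Cisco IOS code: the class and function names are hypothetical, the groups mirror this document's configuration example, and a deadtime of 0 is assumed to mean the server is never skipped.

```python
# Added illustration: a model of per-group dead timers, not Cisco IOS code.
# Groups mirror this document's example configuration; deadtime is in minutes.
GROUPS = {
    "group1": {"servers": ["1.1.1.1", "2.2.2.2"], "deadtime": 1},
    "group2": {"servers": ["2.2.2.2", "3.3.3.3"], "deadtime": 2},
}

class DeadTimers:
    def __init__(self, groups):
        self.groups = groups
        self.expires = {}  # (group, server) -> second at which the timer expires

    def mark_dead(self, server, now):
        """Server stopped answering: start its timer in every group listing it."""
        for name, grp in self.groups.items():
            # Assumption: deadtime 0 starts no timer, so the server is not skipped.
            if server in grp["servers"] and grp["deadtime"] > 0:
                self.expires[(name, server)] = now + grp["deadtime"] * 60

    def reply_received(self, server):
        """A reply stops all running timers for that server, in all groups."""
        for key in [k for k in self.expires if k[1] == server]:
            del self.expires[key]

    def is_dead(self, group, server, now):
        """Dead only while this group's timer for the server is still running."""
        exp = self.expires.get((group, server))
        return exp is not None and now < exp

    def candidates(self, group, now):
        """Servers the group would try for a new request, in configured order."""
        return [s for s in self.groups[group]["servers"]
                if not self.is_dead(group, s, now)]

def demo():
    t = DeadTimers(GROUPS)
    t.mark_dead("2.2.2.2", now=0)
    at_30 = (t.candidates("group1", 30), t.candidates("group2", 30))
    at_90 = (t.candidates("group1", 90), t.candidates("group2", 90))
    t.reply_received("2.2.2.2")
    after_reply = t.candidates("group2", 91)
    return at_30, at_90, after_reply

if __name__ == "__main__":
    print(demo())
```

At 90 seconds the same server, 2.2.2.2, is usable again through group1 but still skipped by group2, which is the mixed state the note above describes.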
The size of the server group structure will be slightly increased because of the addition of new timers and the deadtime attribute. The overall impact of the structure depends on the number and size of server groups and how the servers are shared among server groups in a specific configuration.
Before the introduction of the AAA Server Group Deadtimer feature, the deadtime attribute could be configured only as a unique, global attribute in Cisco IOS AAA.
This feature allows you to fully configure a server in the server group. It also allows you to configure each dead server timer per server group. Thus, you are no longer limited to a global configuration when configuring a server group.
The deadtime attribute is supported only for RADIUS hosts.
AAA Server Groups, Cisco IOS Release 12.0(5)T, contains features and technologies that are related to AAA Server Group Deadtimer.
The following documents provide information related to AAA Server Group Deadtimer:
AAA Server Group Deadtimer runs on all platforms that support Cisco IOS Release 12.1.
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on Cisco Connection Online (CCO) at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
Before you can configure deadtime, you must define a RADIUS type server group.
For more information on defining server groups, please refer to Cisco IOS Security Configuration Guide, Release 12.1.
See the following sections for configuration tasks for the AAA Server Group Deadtimer feature. Each task in the list is identified as optional or required.
Beginning in global configuration mode, enter the following commands to configure deadtime:
| | Command | Purpose |
|---|---|---|
| Step 1 | `Router(config)# aaa group server radius group1` | Defines a RADIUS type server group. |
| Step 2 | `Router(config-sg)# deadtime 1` | Configures and defines deadtime value in minutes. |
| Step 3 | `Router(config-sg)#` | Exits server group configuration mode. |
Enter the following command in EXEC mode to verify the deadtime attribute:
| Command | Purpose |
|---|---|
| `Router# more system:running-config` | Displays the contents of the current running configuration file. |
This section provides the following configuration examples:
The following example shows configuring deadtime for group1 (one minute) and group2 (two minutes):
```
aaa group server radius group1
 server 1.1.1.1 auth-port 1645 acct-port 1646
 server 2.2.2.2 auth-port 2000 acct-port 2001
 deadtime 1
aaa group server radius group2
 server 2.2.2.2 auth-port 2000 acct-port 2001
 server 3.3.3.3 auth-port 1645 acct-port 1646
 deadtime 2
```
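When reviewing a saved configuration, it helps to compute the deadtime each group actually ends up with under the override and inheritance rules. The following is an added example, not Cisco tooling: the function name, the global value of 5, and group3 are constructed for illustration, and the "master list" is assumed to be the global `radius-server deadtime` value.

```python
import re

# Constructed sample: this document's example groups plus a hypothetical global
# value and a hypothetical third group that sets no deadtime of its own.
SAMPLE = """\
radius-server deadtime 5
aaa group server radius group1
 server 1.1.1.1 auth-port 1645 acct-port 1646
 server 2.2.2.2 auth-port 2000 acct-port 2001
 deadtime 1
aaa group server radius group2
 server 2.2.2.2 auth-port 2000 acct-port 2001
 server 3.3.3.3 auth-port 1645 acct-port 1646
 deadtime 2
aaa group server radius group3
 server 3.3.3.3 auth-port 1645 acct-port 1646
"""

MAX_DEADTIME = 1440  # minutes; applied to inherited values too (assumption)

def effective_deadtimes(config):
    """Return {group: (minutes, source)}: group value, else global, else 0."""
    global_dt, local, group = 0, {}, None
    for line in config.splitlines():
        if m := re.match(r"radius-server deadtime (\d+)\s*$", line):
            global_dt = int(m.group(1))
        elif m := re.match(r"aaa group server radius (\S+)\s*$", line):
            group = m.group(1)
            local.setdefault(group, None)
        elif group and (m := re.match(r"\s+deadtime (\d+)\s*$", line)):
            local[group] = int(m.group(1))
        elif line and not line[0].isspace():
            group = None  # any other top-level command ends the group block
    result = {}
    for name, dt in local.items():
        if dt is not None:
            minutes, source = dt, "group"
        elif global_dt:
            minutes, source = global_dt, "global"
        else:
            minutes, source = 0, "default"
        if not 0 <= minutes <= MAX_DEADTIME:
            raise ValueError(f"{name}: deadtime {minutes} is out of range")
        result[name] = (minutes, source)
    return result
```

A group reported with source `default` has a deadtime of 0.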
To configure deadtime within the context of RADIUS server groups, use the deadtime server group configuration command. To set deadtime to 0, use the no form of this command.
deadtime minutes
Syntax Description
minutes Length of time for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).
Defaults
Deadtime is set to 0.
Command Modes
Server-group configuration
Command History

| Release | Modification |
|---|---|
| 12.1(1)T | This command was introduced. |
Usage Guidelines
Use this command to configure the deadtime value of any RADIUS server group. The deadtime value set in a server group overrides the value that is configured globally. If deadtime is omitted from the server group configuration, the value will be inherited from the master list. If the server group is not configured, the default value (0) will apply to all servers in the group.
Examples
The following example specifies a one-minute deadtime for RADIUS server group group1 once it has failed to respond to authentication requests:
```
aaa group server radius group1
 server 1.1.1.1 auth-port 1645 acct-port 1646
 server 2.2.2.2 auth-port 2000 acct-port 2001
 deadtime 1
```
Syntax Description
| Command | Description |
|---|---|
| radius-server deadtime | Sets the deadtime value globally. |
AAA---authentication, authorization, and accounting. Suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server.
authentication, authorization, and accounting---See AAA.
deadtime---The period during which the AAA server is assumed to be dead.
Posted: Fri May 26 07:44:22 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.