Cisco AAA Server MIB and Additional Enhancements for the Cisco AS5300 and Cisco AS5800 Universal Access Servers

This feature module describes the further implementation of the Cisco AAA Server MIB to expand the RADIUS capabilities of the Cisco AS5300 and Cisco AS5800 universal access servers. It also describes the additional enhancements included in this feature, the benefits of the feature, supported platforms, related documents, and so on.

This document includes the following sections:

Feature Overview

This feature set provides functionality in these areas:

Addition of ppp pap refuse Command

The new command, ppp pap refuse, allows refusal of a peer request to remote authenticate (PPP) using PAP.

Addition to show caller Command

The show caller command combines the output of the existing call-related show commands. This command displays connection status in summary or in detail. The summary field has been added (show caller summary) to display the total number of calls, including the number of ISDN and Analog calls, since the last reload. This summary counter is cumulative of all calls since the network access server (NAS) has been up; other counters indicate the current number of calls in the NAS.

Using the show caller command provides the following benefits:

Cisco AAA Server MIB

This MIB provides statistics reflecting the state of AAA server operation within the device, and AAA communications with external servers.

The Cisco AAA server MIB provides the following information:

A server is defined as a logical entity that provides any of the three AAA functions. A TACACS+ server consists of all three functions with a single IP address and single TCP port. A RADIUS server consists of the authentication/accounting pair with a single IP address but distinct UDP ports, or it may consist only of authentication or accounting.

Modification to reload Command for the Cisco AS5800

On the Cisco AS5800 only, to request that the Dial Shelf Controller (DSC) (or DSCs in a redundant configuration) be reloaded at the same time as a reload on the router shelf, use the reload components all command.

Formerly, to reload a Cisco AS5800, separate reload commands were needed for both the DSC and the Router Shelf.

Benefits

Restrictions

The command reload components all is only available on the Cisco AS5800.

Related Features and Technologies

PAP

The Password Authentication Protocol (PAP) allows PPP peers to authenticate one another. The remote router attempting to connect to the local router is required to send an authentication request. Unlike Challenge Handshake Authentication Protocol (CHAP), PAP passes the password and host name or username unencrypted. PAP does not prevent unauthorized access, but merely identifies the remote end. The router or access server then determines if that user is allowed access. PAP is supported only on PPP lines.

PPP

The Point-to-Point Protocol (PPP) defines methods of sending Internet Protocol (IP) packets over standard EIA/TIA-232 asynchronous serial lines with minimum line speeds of 1200 baud.

Using PPP encapsulation over asynchronous lines is an inexpensive way of connecting PCs to a network. PPP over asynchronous dial-up modems allows a home computer to be connected to a network without the cost of a leased line. Dial-up PPP links can also be used for remote sites that need only occasional telecommuting or backup connectivity. Both public-domain and vendor-supported PPP implementations are available for a variety of computer applications.

Refer to RFCs 1331 and 1332 for more information about PPP.

RADIUS Overview

RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.

RADIUS is a fully open protocol, distributed in source code format, which can be modified to work with any security system currently available on the market.

Cisco supports RADIUS under its authentication, authorization, and accounting (AAA) security paradigm. RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, or local username lookup. RADIUS is supported on all Cisco platforms.

RADIUS has been implemented in a variety of network environments that require high levels of security while maintaining network access for remote users.

Related Documents

Supported Platforms

Supported Standards, MIBs, and RFCs

Standards

No new or modified standards are supported by this feature.

MIBs

Cisco AAA Server MIB—This MIB provides statistics reflecting the state of AAA server operation within the device, and AAA communications with external servers.

For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

RFCs

No new or modified RFCs are supported by this feature.

Prerequisites

Before configuring the Cisco AAA Server MIB and its associated features, you must complete the following tasks on your network access server:

Configuration Tasks

See the following sections for configuration tasks. Each task in the list is identified as either optional or required:

Configuring AAA Server Traps

Command Purpose

Step 1 

Router# conf term

Enters global configuration mode. You enter global configuration mode when the prompt changes to Router(config)#.

Step 2 

Router(config)# snmp-server enable traps aaa_server

Enables disconnect using SNMP.

Step 3 

Router(config)# snmp-server host ip-address community-string

Specifies the recipient of an SNMP notification operation.

Configuring Disconnect Using SNMP

Command Purpose

Step 1 

Router# conf term

Enters global configuration mode. You enter global configuration mode when the prompt changes to Router(config)#.

Step 2 

Router(config)# aaa session-mib disconnect

Enables disconnect using SNMP.

Configuring PPP PAP Refusal

Command Purpose

Step 1 

Router# conf term

Enters global configuration mode. You enter global configuration mode when the prompt changes to Router(config)#.

Step 2 

Router(config)# interface dialer 0

Designates a dialer rotary group number.

Step 3 

Router(config-if)# encapsulation ppp

Sets PPP as the encapsulation method used by the interface.

Step 4 

Router(config-if)# ppp pap refuse

Refuses a peer request to remote (PPP) authenticate using PAP.

Configuring Cisco AS5800 Reload of All Components

Command Purpose

Step 1 

Router# reload components all

Requests that the DSC (or DSCs in a redundant configuration) be reloaded at the same time as a reload on the router shelf on the Cisco AS5800.

Verifying Configuration

Command Purpose

Step 1 

Router# show running-config

Displays the configuration information currently running on the terminal.

Configuration Examples

This section provides the following configuration examples:

aaa session-mib disconnect Example

Enabling the aaa session-mib disconnect command requires that AAA already be configured with accounting enabled. The following configuration is an example of a working AAA configuration for PPP users:

Router# conf term
Router(config)# aaa new-model
Router(config)# aaa authentication ppp default group radius
Router(config)# aaa authorization network default group radius
Router(config)# aaa accounting network default start-stop group radius
Router(config)# aaa session-mib disconnect
!
Router# show running-config
Current configuration:
!
hostname Router
!
no logging console
aaa new-model
aaa session-mib disconnect
!
 

ppp pap refuse Example

Router# config term
Router(config)# interface dialer 0
Router(config-if)# encapsulation ppp
Router(config-if)# ppp pap refuse
!
Router# show running-config
Current configuration:
!
interface Dialer0
 no ip address
 encapsulation ppp
 ppp pap refuse
!
 

radius-server host alias Examples

The alias field allows you to use multiple IP addresses when referring to RADIUS servers. For example, some RADIUS servers have multiple NIC cards with multiple IP addresses. In redundant networks, the reply packet can come from a different IP address than the NAS has configured. In this case, you would configure the RADIUS alias support to list all of the possible IP addresses for a particular RADIUS server.

Router(config)# radius-server host 172.1.1.1 acct-port 1645 auth-port 1646 
Router(config)# radius-server host 172.1.1.1 alias 172.16.2.1 172.17.3.1 172.16.4.1 ..etc
 

You can have as many as 8 aliases for any given RADIUS server. In the previous example, if the NAS receives a packet from any of the alias addresses, it will know that the packet came from the server configured for 172.1.1.1.

A full configuration of the radius-server host command could look like the following:

Router(config)# radius-server host 1.1.1.1 acct-port 1645 auth-port 1646 non-standard timeout 5 retransmit 3 key cisco
Router(config)# radius-server host 1.1.1.1 alias 1.1.1.2 1.1.1.3 ... up to 8
!
Router# show running-config
Current configuration:
!
snmp-server engineID local 00000009020000107BE647A6
snmp-server community public view v1default RO
snmp-server host 1.1.1.1 public
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646
radius-server host 10.1.1.2 auth-port 1645 acct-port 1646
radius-server host 1.1.1.1 auth-port 1646 acct-port 1645 non-standard timeout 5
radius-server host 1.1.1.1 alias 1.1.1.2 1.1.1.3
radius-server retransmit 3
!
end

radius-server key Example

The following example sets the authentication and encryption key to anykey:

Router(config)# service password-encryption
Router(config)# radius-server key anykey
Router(config)# ^Z
Router# copy running-config startup-config
Router# 
 

After you do this, the key will show up as encrypted the next time you do a show running-config:

Router# show running-config
Current configuration:
!
radius-server key 7 19283103834782sda
 

The leading 7 tells the user that the following text is encrypted.

reload components all Example

The following example reloads all components on a Cisco AS5800:

Router# reload components all
 

show caller summary Example

The following example shows sample show caller summary output:

Router# show caller summary
      933   Analog calls
        0   ISDN calls
      933   Total users logged in
  1305767   Total users since last reload
 

show radius statistics Example

The following example shows sample show radius statistics output:

Router# show radius statistics
                                   Auth.      Acct.       Both
          Maximum inQ length:        NA         NA          1
        Maximum waitQ length:        NA         NA          1
        Maximum doneQ length:        NA         NA          1
        Total responses seen:         3          0          3
      Packets with responses:         3          0          3
   Packets without responses:         0          0          0
  Average response delay(ms):      5006          0       5006
  Maximum response delay(ms):     15008          0      15008
   Number of Radius timeouts:         3          0          3
        Duplicate ID detects:         0          0          0
 

snmp-server enable traps aaa_server Example

The following example enables the router to send aaa_server traps to the host 1.1.1.1 using the public community string:

Router(config)# snmp-server enable traps aaa_server
Router(config)# snmp-server host 1.1.1.1 public
!
Router# show running-config
Current configuration:
!
snmp-server engineID local 00000009020000107BE647A6
snmp-server community public view v1default RO
snmp-server enable traps aaa_server
snmp-server host 1.1.1.1 public 
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646
radius-server host 10.1.1.2 auth-port 1645 acct-port 1646
radius-server host 1.1.1.1 auth-port 1646 acct-port 1645 non-standard timeout 5
radius-server host 1.1.1.1 alias 1.1.1.2 1.1.1.3
radius-server retransmit 3
!
end
 

Command Reference

This section documents new or modified commands. All other commands used with these features are documented in the Cisco IOS Release 12.1 command reference publications.

The following are new commands:

The following are modified commands:

aaa session-mib disconnect

To enable disconnect using SNMP, use the aaa session-mib disconnect global configuration command. To disable the disconnect, use the no form of this command.

aaa session-mib disconnect

no aaa session-mib disconnect

Syntax Description

disconnect

Enables AAA session MIB disconnect.

Defaults

None

Command Modes

Global configuration

Command History
Release Modification

12.1(3)T

This command was introduced.

Usage Guidelines

Enabling the aaa session-mib disconnect command requires that AAA already be configured with accounting enabled. The following configuration is an example of a working AAA configuration for PPP users:

aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
 

For more information on the AAA session MIB, refer to Cisco AAA Session MIB,
Cisco IOS Release 12.1(3)T.

Examples

Router# conf term
Router(config)# aaa session-mib disconnect

Related Commands
Command Description

aaa new-model

Changes the text displayed when users are prompted to enter a username.

ppp pap refuse

To refuse a peer request to remote (PPP) authenticate using PAP, use the ppp pap refuse interface configuration command. To disable the refusal, use the no form of this command.

ppp pap refuse

no ppp pap refuse

Syntax Description

refuse

Denies authentication using PAP.

Defaults

None

Command Modes

Interface configuration

Command History
Release Modification

12.1(3)T

This command was introduced.

Usage Guidelines

This is a per-interface command.

Use this command to refuse remote PAP support, for example, when responding to a peer request to authenticate with PAP.

Examples

Router# conf term
Router(config)# interface dialer 0
Router(config-if)# encapsulation ppp
Router(config-if)# ppp pap refuse
 

Related Commands
Command Description

aaa authentication ppp

Specifies one or more AAA authentication methods for use on serial interfaces running PPP and TACACS+.

encapsulation ppp

Sets PPP as the encapsulation method used by a serial or ISDN interface.

ppp authentication

Enables CHAP or PAP or both, and specifies the order in which CHAP and PAP authentication are selected on the interface.

ppp pap sent-username

Reenables remote PAP support for an interface and uses the sent-username and password in the PAP authentication request packet to the peer.

radius-server host

To specify a RADIUS server host, use the radius-server host global configuration command. To delete the specified RADIUS host, use the no form of this command.

radius-server host {hostname | ip-address} [acct-port port-number | auth-port port-number | non-standard | retransmit | timeout | key] [alias {hostname | ip-address}]

no radius-server host {hostname | ip-address}

Syntax Description

hostname

DNS name of the RADIUS server host. Maximum of 8 alpha-numeric characters.

ip-address

IP address of the RADIUS server host.

acct-port port-number

(Optional) Specifies the UDP destination port for accounting requests. Default is 1646.

Port number for accounting requests; the host is not used for accounting if set to 0.

auth-port port-number

(Optional) Specifies the UDP destination port for authentication requests. Default is 1645.

Port number for authentication requests; the host is not used for authentication if set to 0.

non-standard

Identifies that the security server is using a vendor-proprietary implementation of RADIUS. Also, it tells the Cisco IOS software to support non-standard RADIUS attributes.

retransmit

Specifies the number of retries to active server.

timeout

Time to wait for this RADIUS server to reply.

key

Per-server encryption key.

alias

Allows 1 to 8 aliases for a server.

Defaults

No RADIUS host is specified. The default port for accounting requests is 1646. The default port for authentication requests is 1645.

Command Modes

Global configuration

Command History
Release Modification

11.3

This command was first introduced.

11.3(8)AA

This command was modified to add options for configuring timeout, retransmission, and key values per RADIUS server for the following platforms:

  • Cisco AS5200

  • Cisco AS5300

  • Cisco AS5800

  • Cisco 7200 series.

12.1(3)T

The alias feature was added.

Usage Guidelines

You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order that you specify them.

The radius-server host non-standard command enables you to identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS. Although an IETF draft standard for RADIUS specifies a method for communicating information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. This command enables the Cisco IOS software to support the most common vendor-proprietary RADIUS attributes. Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command.

The key command must be the last option entered. If it is entered anywhere else in the line, then everything after the word key is parsed as the key, including spaces.

The command options acct-port, auth-port, and non-standard come before timeout, retransmit, and key. Refer to the Examples section for configuration information.

The alias command is not part of the initial definition of the radius-server host. It is entered on a separate line without the other options. Please refer to the Example section of this command for configuration. The alias feature allows you to have up to 8 aliases for any given RADIUS server.

Examples

The following example specifies host 172.1.1.1 as the RADIUS server and uses default ports for both accounting (1646) and authentication (1645):

radius-server host 172.1.1.1 auth-port 1645 acct-port 1646
 

You can configure ports if you have that requirement. The following example specifies port 12 as the destination port for authentication requests and port 16 as the destination port for accounting requests on a RADIUS host named 172.1.1.1:

radius-server host 172.1.1.1 auth-port 12 acct-port 16
 

Note   Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.

To use separate servers for accounting and authentication, use the zero (0) port value as appropriate. The following example specifies that RADIUS server 172.1.1.1 be used for accounting but not for authentication, and that RADIUS server 172.1.1.2 be used for authentication but not for accounting:

radius-server host 172.1.1.1 auth-port 0 acct-port 1646
radius-server host 172.1.1.2 auth-port 1645 acct-port 0
 

The following example specifies a vendor-proprietary RADIUS server host 172.1.1.1:

radius-server host 172.1.1.1 non-standard
 

The alias field allows you to use multiple IP addresses when referring to RADIUS servers. For example, some RADIUS servers have multiple NIC cards with multiple IP addresses. In redundant networks, the reply packet can come from a different IP address than the NAS has configured. In this case, you would configure the RADIUS alias support to list all of the possible IP addresses for a particular RADIUS server.

radius-server host 172.1.1.1 acct-port 1645 auth-port 1646 
radius-server host 172.1.1.1 alias 172.16.2.1 172.17.3.1 172.16.4.1 ..etc
 

You can have as many as 8 aliases for any specific RADIUS server. In the previous example, if the NAS receives a packet from any of the alias addresses, it will know that the packet came from the server configured for 172.1.1.1.

A full configuration of the radius-server host command could look like the following:

Router(config)# radius-server host 1.1.1.1 acct-port 1645 auth-port 1646 non-standard timeout 5 retransmit 3 key cisco

After this is defined, you set up the aliases:

radius-server host 1.1.1.1 alias 1.1.1.2 1.1.1.3 ... up to 8
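The parsing rules given in the usage guidelines (key must be last and keeps its spaces, port 0 disables a role, aliases go on a separate line with a limit of 8) and the reply-matching behaviour described under the alias field, both here and in the earlier radius-server host alias Examples section, written out as an added Python example; this is not Cisco IOS code, the names RadiusHost, RadiusConfig, parse_config and SAMPLE_CONFIG are the example's own, and SAMPLE_CONFIG is constructed from the lines shown on this page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_ALIASES = 8   # documented limit of aliases per RADIUS server


@dataclass
class RadiusHost:
    address: str
    auth_port: int = 1645            # documented default
    acct_port: int = 1646            # documented default
    non_standard: bool = False
    timeout: Optional[int] = None
    retransmit: Optional[int] = None
    key: Optional[str] = None
    aliases: List[str] = field(default_factory=list)

    @property
    def does_auth(self) -> bool:
        return self.auth_port != 0   # port 0: host not used for authentication

    @property
    def does_acct(self) -> bool:
        return self.acct_port != 0   # port 0: host not used for accounting


class RadiusConfig:
    def __init__(self) -> None:
        # insertion order is the order entered, which is also the search order
        self.hosts: Dict[str, RadiusHost] = {}

    def parse_line(self, line: str) -> RadiusHost:
        line = line.lstrip().rstrip("\r\n")   # leading spaces ignored, trailing kept
        prefix = "radius-server host "
        if not line.startswith(prefix):
            raise ValueError(f"not a radius-server host line: {line!r}")
        rest = line[len(prefix):]
        # key must be last: everything after the word key is the key, spaces included
        key = None
        if " key " in rest:
            rest, key = rest.split(" key ", 1)
        tokens = rest.split()
        address = tokens[0]
        if len(tokens) > 1 and tokens[1] == "alias":
            return self._add_aliases(address, tokens[2:])
        host = RadiusHost(address, key=key)
        i = 1
        while i < len(tokens):
            opt = tokens[i]
            if opt == "non-standard":
                host.non_standard = True
                i += 1
                continue
            if (opt not in ("acct-port", "auth-port", "timeout", "retransmit")
                    or i + 1 >= len(tokens) or not tokens[i + 1].isdigit()):
                raise ValueError(f"bad option {opt!r} in {line!r}")
            setattr(host, opt.replace("-", "_"), int(tokens[i + 1]))
            i += 2
        # Re-entering a host line resets its ports, so a later line replaces the
        # earlier definition outright (aliases must then be re-entered too).
        self.hosts[address] = host
        return host

    def _add_aliases(self, address: str, aliases: List[str]) -> RadiusHost:
        host = self.hosts.get(address)
        if host is None:
            raise ValueError(f"alias line for undefined host {address}")
        for alias in aliases:
            ipaddress.ip_address(alias)      # rejects placeholders such as '..etc'
        if len(host.aliases) + len(aliases) > MAX_ALIASES:
            raise ValueError(f"more than {MAX_ALIASES} aliases for {address}")
        host.aliases.extend(aliases)
        return host

    def server_for_reply(self, src_ip: str) -> Optional[RadiusHost]:
        """Map a reply's source address to the configured server, honouring aliases."""
        for address, host in self.hosts.items():
            if src_ip == address or src_ip in host.aliases:
                return host
        return None


def parse_config(text: str) -> RadiusConfig:
    """Parse every radius-server host line of a running-config excerpt."""
    cfg = RadiusConfig()
    for line in text.splitlines():
        if line.lstrip().startswith("radius-server host "):
            cfg.parse_line(line)
    return cfg


# Constructed sample built from the lines shown on this page.
SAMPLE_CONFIG = """\
radius-server host 1.1.1.1 acct-port 1645 auth-port 1646 non-standard timeout 5 retransmit 3 key cisco
radius-server host 1.1.1.1 alias 1.1.1.2 1.1.1.3
radius-server host 172.1.1.1 auth-port 0 acct-port 1646
radius-server host 172.1.1.2 auth-port 1645 acct-port 0
"""
```

A reply whose source address is neither a configured host nor one of its aliases maps to no server, which is the case the alias feature exists to avoid on multi-homed RADIUS servers.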

Related Commands
Command Description

aaa new-model

Changes the text displayed when users are prompted to enter a username.

radius-server key

Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.

radius-server retransmit

Specifies the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up.

radius-server timeout

Sets the interval that a router waits for a server host to reply.

radius-server key

To set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon, use the radius-server key global configuration command. This key must match the encryption used on the RADIUS daemon. To disable the key, use the no form of this command.

radius-server key {0 line | 7 line | line}

no radius-server key

Syntax Description

0

Specifies an unencrypted key will follow.

line

The unencrypted (cleartext) shared key.

7

Specifies a hidden key will follow.

line

The hidden shared key.

line

The unencrypted (cleartext) shared key.

Defaults

This feature is disabled by default.

Command Modes

Global configuration

Command History
Release Modification

11.1

This command first appeared.

12.1(3)T

The command line syntax options were modified.

Usage Guidelines

After enabling AAA authentication with the aaa new-model command, you must set the authentication and encryption key using the radius-server key command.


Note   Specify a RADIUS key after you issue the aaa new-model command.

The key entered must match the key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

Examples

The following example sets the authentication and encryption key to anykey:

Router(config)# service password-encryption
Router(config)# radius-server key anykey
Router(config)# ^Z
Router# copy running-config startup-config
Router# 

After you do this, the key will show up as encrypted the next time you do a show running-config:

Router# show running-config
!
!
radius-server key 7 19283103834782sda
 

The leading 7 tells the user that the following text is encrypted.

Related Commands
Command Description

radius-server host

Specifies a RADIUS server host.

service password-encryption

Encrypts passwords.

reload

To request that the DSC (or DSCs in a redundant configuration) be reloaded at the same time as a reload on the Router Shelf on the Cisco AS5800, use the reload components all EXEC command. To cancel a reload, use the reload cancel command.

reload {line | at hh:mm | cancel | components [all] | in [hhh:]mmm}

reload cancel

Syntax Description

line

Reason for the reload, 1 to 255 characters in length.

at hh:mm

Schedule a reload of the software to take place at the specified time (using a 24-hour clock). If you specify the month and day, the reload is scheduled to take place at the specified time and date. If you do not specify the month and day, the reload takes place at the specified time on the current day (if the specified time is later than the current time), or on the next day (if the specified time is earlier than the current time). Specifying 00:00 schedules the reload for midnight. The reload must take place within approximately 24 days.

cancel

Cancel a scheduled reload.

components

Specify additional components to reload.

[all]

All attached components should reload.

in [hhh:]mmm

Schedule a reload of the software to take effect in the specified minutes or hours and minutes. The reload must take place within approximately 24 days.

Defaults

None

Command Modes

EXEC

Command History
Release Modification

10.0

This command was introduced.

12.1(3)T

The components all feature was added to support the Cisco AS5800.

Usage Guidelines

The reload command halts the system. If the system is set to restart on error, it reboots itself. Use the reload command after configuration information is entered into a file and saved to the startup configuration.

On the Cisco AS5800 only, to request that the DSC (or DSCs in a redundant configuration) be reloaded at the same time as a reload on the Router Shelf, use the reload components all command.

You cannot reload from a virtual terminal if the system is not set up for automatic booting. This prevents the system from dropping to the ROM monitor and thereby taking the system out of remote user control.

If you modify your configuration file, the system prompts you to save the configuration. During a save operation, the system asks you if you want to proceed with the save if the CONFIG_FILE environment variable points to a startup configuration file that no longer exists. If you say "yes" in this situation, the system goes to setup mode upon reload.

When you schedule a reload to occur at a later time, it must take place within approximately 24 days.

The at keyword can only be used if the system clock has been set on the router (either through NTP, the hardware calendar, or manually). The time is relative to the configured time zone on the router. To schedule reloads across several routers to occur simultaneously, the time on each router must be synchronized with NTP.

To display information about a scheduled reload, use the show reload command.

Examples

The following example immediately reloads the software on the router:

Router# reload
 

The following example reloads the software on the router in 10 minutes:

Router# reload in 10
Router# Reload scheduled for 11:57:08 PDT Fri Apr 21 1996 (in 10 minutes)
Proceed with reload? [confirm]
 

The following example reloads the software on the router at 1:00 p.m. today:

Router# reload at 13:00
Router# Reload scheduled for 13:00:00 PDT Fri Apr 21 1996 (in 1 hour and 2 minutes)
Proceed with reload? [confirm]
 

The following example reloads the software on the router on April 20 at 2:00 a.m.:

Router# reload at 02:00 apr 20
Router# Reload scheduled for 02:00:00 PDT Sat Apr 20 1996 (in 38 hours and 9 minutes)
Proceed with reload? [confirm]
 

The following example cancels a pending reload:

Router# reload cancel
%Reload cancelled.
 

The following example reloads all components on a Cisco AS5800:

Router# reload components all

Related Commands
Command Description

show reload

Displays the reload status on the router.

show caller

To display caller information, enter the show caller EXEC command.

show caller {full | interface [Async | Dialer | Serial] | ip | line range [full] | summary | timeouts | user name [detailed]}

Syntax Description

full

This option provides expanded information.

interface

Displays a summary of caller information for the interface name you provide:

Async 1-169—Async interface number

Dialer 0-799—Dialer interface number

Serial 0-3—Serial interface number

ip

Displays a summary of caller information for the IP address you provide.

line range

Displays a summary of caller information for the range of lines you define.

summary

Displays total users logged and total ISDN/Analog users since the last reload.

timeouts

Displays session and idle limits and disconnect time.

user name

Displays a summary of caller information for the username you provide.

detailed—This option provides expanded information.

Defaults

None

Command Modes

EXEC

Command History
Release Modification

11.3(5)AA

This command was introduced.

12.1(3)T

The summary feature was added.

Usage Guidelines

The show caller command is used to:

You can configure output modifiers for each option type of the show caller command.

Examples

The following example shows sample show caller output:

Router# show caller
  Line      User                  Service       Active   
  con 0     -                     TTY           00:08:21
  BR0:1     hatteras              PPP           00:00:14
  Vi1       hatteras              PPP   Bundle  00:00:13
 

The following example shows sample show caller summary output:

Router# show caller summary
      933   Analog calls
        0   ISDN calls
      933   Total users logged in
  1305767   Total users since last reload
 

show radius statistics

To show the RADIUS statistics for accounting and authentication packets, use the show radius statistics EXEC command.

show radius statistics

Syntax Description

statistics

Shows the RADIUS statistics for accounting and authentication packets.

Defaults

None

Command Modes

EXEC

Command History
Release Modification

12.1(3)T

This command first appeared.

Examples

Router# show radius statistics
                                   Auth.      Acct.       Both
          Maximum inQ length:        NA         NA          1
        Maximum waitQ length:        NA         NA          1
        Maximum doneQ length:        NA         NA          1
        Total responses seen:         3          0          3
      Packets with responses:         3          0          3
   Packets without responses:         0          0          0
  Average response delay(ms):      5006          0       5006
  Maximum response delay(ms):     15008          0      15008
   Number of Radius timeouts:         3          0          3
        Duplicate ID detects:         0          0          0
 

Table 1: Field Descriptions for Show Radius Statistics Command

Auth.

Statistics for Authentication packets only.

Acct.

Statistics for Accounting packets only.

Both

Combined Statistics for Authentication and Accounting.

Maximum inQ length

Maximum number of entries in the queue that holds the radius messages not yet sent.

Maximum waitQ length

Maximum number of entries in the queue that holds the radius messages that have been sent and are waiting on a response.

Maximum doneQ length

Maximum number of entries in the queue that holds the messages that have received a response, and will be next given to the code that is waiting for these messages.

Total responses seen

Number of radius responses seen from the server. In addition to the expected packets, this includes repeated packets and packets that have no matching message in the waitQ.

Packets with responses

Number of packets that got a response from the radius server.

Packets without responses

Number of packets that never got a response from any radius server.

Average response delay

Average time from when the packet was first transmitted to when it got a response. If the response timed out and the packet was sent again, this value includes the timeout. If the packet never got a response, this is not included in the average.

Maximum response delay

Maximum delay observed while gathering average response delay information.

Number of RADIUS timeouts

Number of times a server did not respond and RADIUS re-sent the packet.

Duplicate ID detects

RADIUS has a maximum of 255 unique IDs. In some instances there can be more than 255 outstanding packets. When a packet is received, the doneQ is searched from the oldest entry to the youngest. If the IDs are the same, further techniques are used to see if this response matches this entry. If it is determined that this does not match, the duplicate ID detect counter is increased.
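An added Python example, not Cisco code, that parses the sample show radius statistics output above into its Auth., Acct. and Both columns and turns the field descriptions in Table 1 into health findings; parse_radius_statistics, radius_health and the thresholds are the example's own, and the timeout and retransmit values used are the ones from the page's radius-server host example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the show radius statistics output printed on this page.
SAMPLE_OUTPUT = """\
Router# show radius statistics
                                   Auth.      Acct.       Both
          Maximum inQ length:        NA         NA          1
        Maximum waitQ length:        NA         NA          1
        Maximum doneQ length:        NA         NA          1
        Total responses seen:         3          0          3
      Packets with responses:         3          0          3
   Packets without responses:         0          0          0
  Average response delay(ms):      5006          0       5006
  Maximum response delay(ms):     15008          0      15008
   Number of Radius timeouts:         3          0          3
        Duplicate ID detects:         0          0          0
"""

COLUMNS = ("auth", "acct", "both")
# one statistics row: "<name>:  <auth>  <acct>  <both>"; NA appears for queue rows
ROW = re.compile(r"^\s*(?P<name>[^:]+):\s+(?P<auth>\S+)\s+(?P<acct>\S+)\s+(?P<both>\S+)\s*$")

Stats = Dict[str, Dict[str, Optional[int]]]


def _cell(text: str) -> Optional[int]:
    return None if text == "NA" else int(text)


def parse_radius_statistics(output: str) -> Stats:
    """Return {row name: {"auth": n, "acct": n, "both": n}}; NA becomes None."""
    stats: Stats = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:            # prompt, column header or blank line
            continue
        stats[m.group("name").strip()] = {c: _cell(m.group(c)) for c in COLUMNS}
    return stats


def radius_health(stats: Stats, timeout_s: int, retransmit: int) -> List[Tuple[str, str]]:
    """Findings as (code, message); timeout_s/retransmit are the router's radius-server values."""
    def both(row: str) -> int:
        return stats[row]["both"] or 0

    answered = both("Packets with responses")
    unanswered = both("Packets without responses")
    timeouts = both("Number of Radius timeouts")
    avg_ms = both("Average response delay(ms)")
    max_ms = both("Maximum response delay(ms)")
    sent = answered + unanswered
    findings: List[Tuple[str, str]] = []
    if unanswered:
        findings.append(("unanswered", f"{unanswered} request(s) never got a response from any server"))
    if sent and timeouts >= sent / 2:
        findings.append(("timeouts", f"{timeouts} timeouts over {sent} requests: server slow or unreachable"))
    # the average includes the timeout when a packet had to be re-sent, so an
    # average above the timeout means replies arrive only after retransmission
    if avg_ms > timeout_s * 1000:
        findings.append(("delay_exceeds_timeout", f"average delay {avg_ms} ms exceeds the {timeout_s} s timeout"))
    if max_ms >= retransmit * timeout_s * 1000:
        findings.append(("retransmits_exhausted", f"max delay {max_ms} ms: a request used all {retransmit} retransmits"))
    if both("Duplicate ID detects"):
        findings.append(("duplicate_ids", "responses matched an ID but not the request in the doneQ; check for late or stray replies"))
    return findings
```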

Related Commands
Command Description

radius-server host

Specifies a RADIUS server host.

radius-server retransmit

Specifies the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up.

radius-server timeout

Sets the interval a router waits for a server host to reply.

snmp-server enable traps

To enable the router to send SNMP traps, use the snmp-server enable traps global configuration command. To disable SNMP traps, use the no form of this command.

snmp-server enable traps [trap-type] [trap-option]

no snmp-server enable traps [trap-type] [trap-option]

Syntax Description

trap-type

(Optional) Type of trap to enable. If no type is specified, all traps are sent (including the envmon and repeater traps). The trap type can be one of the following keywords:

  • aaa_server—Sends AAA server state change traps.

  • bgp—Sends Border Gateway Protocol (BGP) state change traps.

  • config—Sends configuration traps.

  • entity—Sends entity MIB modification traps.

  • envmon—Sends Cisco enterprise-specific environmental monitor traps when an environmental threshold is exceeded. When the envmon keyword is used, you can specify a trap-option value.

  • frame-relay—Sends Frame Relay traps.

  • isdn—Sends Integrated Services Digital Network (ISDN) traps.

  • repeater—Sends Ethernet hub repeater traps. When the repeater keyword is selected, you can specify a trap-option value.

  • rtr—Sends Response Time Reporter (RTR) traps.

  • snmp—Sends Simple Network Management Protocol (SNMP) traps. When the snmp keyword is used, you can specify a trap-option value.

  • syslog—Sends error message traps (Cisco Syslog MIB). Specify the level of messages to be sent with the logging history level command.

trap-option

(Optional) When the envmon keyword is used, you can enable a specific environmental trap type, or accept all trap types from the environmental monitor system. If no option is specified, all environmental types are enabled. The option can be one or more of the following keywords: voltage, shutdown, supply, fan, and temperature.

When the repeater keyword is used, you can specify the repeater option. If no option is specified, all repeater types are enabled. The option can be one or more of the following keywords:

  • health—Enables IETF repeater hub MIB (RFC 1516) health trap.

  • reset—Enables IETF repeater hub MIB (RFC 1516) reset trap.

When the snmp keyword is used, you can specify the authentication option to enable SNMP authentication failure traps. (The snmp-server enable traps snmp authentication command replaces the snmp-server trap-authentication command.) If no option is specified, all SNMP traps are enabled.

Defaults

This command is disabled by default. No traps are enabled.

If you enter this command with no keywords, the default is to enable all trap types.

Some trap types cannot be controlled with this command. These traps are either always enabled or enabled by some other means. For example, the linkUpDown messages are disabled by the no snmp trap link-status command.

Command Modes

Global configuration

Command History
Release Modification

11.1

This command was introduced.

12.1(3)T

The aaa_server trap type was added.

Usage Guidelines

This command is useful for disabling traps that are generating a large amount of uninteresting or useless noise.

If you do not enter an snmp-server enable traps command, no traps controlled by this command are sent. In order to configure the router to send these SNMP traps, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, all trap types are enabled. If you enter the command with a keyword, only the trap type related to that keyword is enabled. To enable multiple types of traps, you must issue a separate snmp-server enable traps command for each trap type and option.

The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP traps. To send traps, you must configure at least one snmp-server host command.

For a host to receive a trap controlled by this command, both the snmp-server enable traps command and the snmp-server host command for that host must be enabled. If the trap type is not controlled by this command, only the appropriate snmp-server host command must be enabled.

The trap types used in this command all have an associated MIB object that allows them to be globally enabled or disabled. Not all of the trap types available in the snmp-server host command have notificationEnable MIB objects, so some of these cannot be controlled using the snmp-server enable traps command.

Examples

The following example enables the router to send all traps to the host 1.1.1.1 using the public community string:

snmp-server enable traps
snmp-server host 1.1.1.1 public
 

The following example enables the router to send AAA server traps to the host 1.1.1.1 using the public community string:

snmp-server enable traps aaa_server
snmp-server host 1.1.1.1 public
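The usage guidelines above state the rules that decide whether a configured trap is actually sent: a bare snmp-server enable traps line enables every type, a keyword form enables one type (with an optional trap-option), the no form removes it, and a trap only reaches a host when at least one enable line and one snmp-server host line are both present. The following is an added example, not Cisco IOS code, that applies those rules to a configuration fragment so an operator can audit a device before relying on the aaa_server trap. The configuration text is constructed, and only the two-token host form shown in the examples is parsed.

```python
"""Added example (not Cisco IOS code): audit a configuration fragment against the
snmp-server enable traps / snmp-server host rules in the usage guidelines.
Assumes the simple "snmp-server host <addr> <community>" form from the examples."""
import re

TRAP_TYPES = ("aaa_server", "bgp", "config", "entity", "envmon", "frame-relay",
              "isdn", "repeater", "rtr", "snmp", "syslog")
ENABLE_RE = re.compile(r"^\s*(no\s+)?snmp-server enable traps(?:\s+(\S+))?(?:\s+(.+?))?\s*$")
HOST_RE = re.compile(r"^\s*snmp-server host\s+(\S+)\s+(\S+)")


def audit_snmp_traps(config_text):
    """Return the enabled trap types, their options, the trap hosts and the overall verdict."""
    enabled = {}                      # trap type -> set of options (empty set = all options)
    hosts = []
    for line in config_text.splitlines():
        m = ENABLE_RE.match(line)
        if m:
            negate, keyword, option = m.group(1), m.group(2), m.group(3)
            # no keyword: every type; known keyword: that type only; unknown keyword: ignored
            types = TRAP_TYPES if keyword is None else (keyword,) if keyword in TRAP_TYPES else ()
            for t in types:
                if negate:
                    enabled.pop(t, None)
                else:
                    enabled.setdefault(t, set())
                    if option:
                        enabled[t].add(option)
            continue
        m = HOST_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2)))
    return {
        "enabled_types": sorted(enabled),
        "options": {t: sorted(o) for t, o in enabled.items() if o},
        "hosts": hosts,
        # both commands must be present for a controlled trap to be sent
        "traps_will_be_sent": bool(enabled) and bool(hosts),
    }


# Constructed fragment: bgp is enabled and then removed again with the no form.
SAMPLE_CONFIG = """\
snmp-server enable traps aaa_server
snmp-server enable traps snmp authentication
snmp-server enable traps bgp
no snmp-server enable traps bgp
snmp-server host 1.1.1.1 public
"""
```

Calling `audit_snmp_traps(SAMPLE_CONFIG)` reports aaa_server and snmp as the enabled types, records authentication as the option on snmp, lists 1.1.1.1 as the receiving host, and returns a positive verdict; the same fragment without the host line, or the host line without any enable line, yields a negative verdict, which is the misconfiguration the guidelines warn about.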

Related Commands
Command Description

snmp-server host

Specifies the recipient of an SNMP trap operation.

snmp-server trap-source

Specifies the interface (and the corresponding IP address) from which an SNMP trap should originate.

Glossary

AAA—authentication, authorization, and accounting. Pronounced "triple a."

MIB—Management Information Base. Database of network management information that is used and maintained by a network management protocol such as SNMP or CMIP. The value of a MIB object can be changed or retrieved using SNMP or CMIP commands, usually through a GUI network management system. MIB objects are organized in a tree structure that includes public (standard) and private (proprietary) branches.

NAS—network access server. Cisco platform (or collection of platforms, such as an AccessPath system) that interfaces between the packet world (the Internet) and the circuit world (the PSTN).

PAP—Password Authentication Protocol. Authentication protocol that allows PPP peers to authenticate one another. The remote router attempting to connect to the local router is required to send an authentication request. Unlike CHAP, PAP passes the password and host name or username in the clear (unencrypted). PAP does not itself prevent unauthorized access, but merely identifies the remote end. The router or access server then determines if that user is allowed access. PAP is supported only on PPP lines.

PPP—Point-to-Point Protocol. Successor to SLIP that provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. Although SLIP was designed to work with IP, PPP was designed to work with several network layer protocols, such as IP, IPX, and ARA. PPP also has built-in security mechanisms, such as CHAP and PAP. PPP relies on two protocols: LCP and NCP.

RADIUS—Remote Authentication Dial-In User Service. RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.

SNMP—Simple Network Management Protocol. Network management protocol used almost exclusively in TCP/IP networks. SNMP monitors and controls network devices, and manages configurations, statistics collection, performance, and security.

trap—Message sent by an SNMP agent to a network management system, console, or terminal to indicate the occurrence of a significant event, such as a specifically defined condition or a threshold that was reached.


Note   For a list of other internetworking terms, see Internetworking Terms and Acronyms, available on the Documentation CD-ROM and Cisco Connection Online (CCO) at the following URL: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/index.htm.


Posted: Tue Sep 19 17:59:32 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.