16-42
Cisco 10000 Series Router Software Configuration Guide
OL-2226-23
Chapter 16 Configuring RADIUS Features
RADIUS Transmit Retries
Authorization Reject and Accounting Accept Configuration Example
The following example shows how to configure a reject list for RADIUS authorization and configure an
accept list for RADIUS accounting. Although you cannot configure more than one accept or reject list
per server group for authorization or accounting, you can configure one list for authorization and one
list for accounting per server group.
aaa new-model
aaa authentication ppp default group radius-sg
aaa authorization network default group radius-sg
aaa group server radius radius-sg
server 10.1.1.1
authorization reject bad-author
accounting accept usage-only
!
radius-server host 10.1.1.1 key mykey1
radius-server attribute list usage-only
attribute 1,40,42-43,46
!
radius-server attribute list bad-author
attribute 22,27-28,56-59
Rejecting Required Attributes Configuration Example
The following example shows debug output for the
debug aaa accounting
command. In this example,
required attributes 44, 40, and 41 have been added to the reject list:
Router#
debug aaa authorization
AAA/ACCT(6): Accounting method=radius-sg (radius)
RADIUS: attribute 44 cannot be rejected
RADIUS: attribute 61 rejected
RADIUS: attribute 31 rejected
RADIUS: attribute 40 cannot be rejected
RADIUS: attribute 41 cannot be rejected
Caution
Because debugging output is assigned high priority in the CPU process, it can render the system
unusable. For this reason, use debug commands only to troubleshoot specific problems or during
troubleshooting sessions with Cisco Systems technical support personnel. Moreover, it is best to use
debug commands during periods of lower network traffic and fewer users. Debugging during these
periods decreases the likelihood that increased debug command processing overhead will affect system
use.
RADIUS Transmit Retries
The Cisco 10000 router supports an extended RADIUS transmit retries range. Extending the range of
RADIUS transmit retries can protect against lost records if the RADIUS server goes down or
communication to it is lost.
You use the
radius-server
command to specify the number of times you want the router to retry
transmitting to the RADIUS server. The extended range of values is from 1 to a value higher than 17280.
The RADIUS Transmit Retries feature is described in the following topics:
•
Feature History for RADIUS Transmit Retries, page 16-43