Send feedback to nx5000-docfeedback@cisco.com
Cisco Nexus 5000 Series Switch CLI Software Configuration Guide
OL-16597-01
Chapter 17 Configuring RADIUS
Information About RADIUS
RADIUS Server Monitoring
An unresponsive RADIUS server can delay the processing of AAA requests. To save time in processing
AAA requests, you can configure the Nexus 5000 Series switch to periodically monitor a RADIUS server
and check whether it is responding (alive). The Nexus 5000 Series switch marks unresponsive
RADIUS servers as dead and does not send AAA requests to any dead RADIUS servers. The switch
periodically monitors the dead RADIUS servers and returns them to the alive state once they respond.
This monitoring process verifies that a RADIUS server is in a working state before real AAA requests
are sent to it. Whenever a RADIUS server changes to the dead or alive state, a Simple Network
Management Protocol (SNMP) trap is generated and the Nexus 5000 Series switch displays an error
message that a failure is taking place. See Figure 17-1.
Figure 17-1 RADIUS Server States
Note
The monitoring intervals for alive servers and dead servers are different and can be configured by the user.
RADIUS server monitoring is performed by sending a test authentication request to the RADIUS
server.
Vendor-Specific Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific attributes (VSAs) between the network access server and the RADIUS server. The IETF
uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for
general use. The Cisco RADIUS implementation supports one vendor-specific option using the format
recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1,
which is named cisco-av-pair. The value is a string with the following format:
protocol : attribute separator value *
The protocol is a Cisco attribute for a particular type of authorization, the separator is an equal sign (=)
for mandatory attributes, and an asterisk (*) indicates optional attributes.
When you use RADIUS servers for authentication on a Nexus 5000 Series switch, the RADIUS protocol
directs the RADIUS server to return user attributes, such as authorization information, along with
authentication results. This authorization information is specified through VSAs.
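The following Python sketch is an added example, not code from the Cisco guide. It packs and unpacks attribute 26 with vendor ID 9 and vendor type 1, then splits the cisco-av-pair string on the mandatory (=) or optional (*) separator. The byte layout follows the standard RADIUS VSA encoding, and the sample user name and av-pair values are constructed for illustration.

```python
import struct

VSA_TYPE = 26        # RADIUS Vendor-Specific attribute
CISCO_VENDOR_ID = 9  # Cisco vendor ID
CISCO_AV_PAIR = 1    # vendor type 1, cisco-av-pair

def encode_cisco_av_pair(av_pair: str) -> bytes:
    """Build one attribute-26 TLV carrying a cisco-av-pair string."""
    data = av_pair.encode("ascii")
    sub = bytes([CISCO_AV_PAIR, len(data) + 2]) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if len(body) + 2 > 255:
        raise ValueError("av-pair too long for a single RADIUS attribute")
    return bytes([VSA_TYPE, len(body) + 2]) + body

def parse_av_pair(text: str) -> dict:
    """Split 'protocol:attribute<sep>value'; '=' is mandatory, '*' optional."""
    protocol, colon, rest = text.partition(":")
    # The separator is whichever of '=' or '*' appears first after the colon.
    positions = [i for i in (rest.find("="), rest.find("*")) if i >= 0]
    cut = min(positions, default=0)
    if not (colon and protocol and cut):
        raise ValueError(f"malformed cisco-av-pair: {text!r}")
    return {"protocol": protocol, "attribute": rest[:cut],
            "mandatory": rest[cut] == "=", "value": rest[cut + 1:]}

def decode_cisco_av_pairs(attrs: bytes) -> list:
    """Walk a run of RADIUS attributes and return every parsed cisco-av-pair."""
    found, pos = [], 0
    while pos < len(attrs):
        a_len = attrs[pos + 1] if pos + 1 < len(attrs) else 0
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("bad or truncated attribute")
        a_type, value = attrs[pos], attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VSA_TYPE or len(value) < 6:
            continue  # not a VSA, or too short for vendor ID + sub-header
        vendor_id, v_type, v_len = struct.unpack("!IBB", value[:6])
        if vendor_id != CISCO_VENDOR_ID or v_type != CISCO_AV_PAIR:
            continue  # another vendor's VSA or another Cisco vendor type
        if v_len < 2 or 4 + v_len > len(value):
            raise ValueError("bad vendor sub-attribute length")
        found.append(parse_av_pair(value[6:4 + v_len].decode("ascii")))
    return found

# Constructed sample: a User-Name attribute followed by two Cisco VSAs,
# one mandatory ('=') and one optional ('*').
SAMPLE = (bytes([1, 7]) + b"alice"
          + encode_cisco_av_pair("shell:roles=network-admin")
          + encode_cisco_av_pair("shell:roles*network-operator"))
```

A strict parser like this is also a convenient place to log or reject Access-Accept replies whose av-pairs are malformed before they are turned into authorization decisions.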
[Figure 17-1: RADIUS Server States. State diagram with the states Alive, Alive and used, Alive and testing, Dead, and Dead and testing. Transition labels: Application request, Process application request, Directed AAA request, AAA packets sent, Response from remote server, No response, Idle timer expired, Dead timer expired, Test.]