Hello Jay,

If you have the resources, i.e. flash and memory (and are game enough!!), IOS 
12.1(1)T supports AAA Broadcast Accounting. In the past a Cisco router 
would allow you to configure multiple radius/tacacs(+) servers to use in 
the order they were configured, and in the event of a timeout the next 
server would be used. Broadcast accounting allows you to send the 
accounting records to multiple radius servers simultaneously. There is also 
the ability to use different AAA server groups based on DNIS in 12.0(7)T 
and later. This feature has also been enhanced in 12.1(1)T to provide 
broadcast functionality. The other feature that is available is configuring 
the same host multiple times for multiple processes on different ports 
without binding to different addresses, e.g.:

radius-server host 1.1.1.1 auth-port 1645 acct-port 1646
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813

This will allow you to run multiple radius processes on different ports on 
the same machine.

Check out the docs at:
For AAA Accounting Broadcast -
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/dt_aaaba.htm

And IOS 12.1 AAA -
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt1/index.htm

Just remember that 12.1(1) + mainline is based on 12.0(7)T. 12.1(1)T + is 
the "bleeding edge".
I know this will only solve part of your problem, but I thought it was 
worth mentioning on the list. You could set up different timeout values on 
the server for authentication requests and accounting, but this would 
require you to specify multiple groups, one for authentication and one 
for accounting.

Regards,

Matt
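As an added illustration (not part of Matt's message or of any Cisco document), here is what the three features he mentions look like together in a Cisco IOS 12.1(1)T-style configuration: the same RADIUS host defined twice on different port pairs, server groups that fail over in order for authentication, and accounting records broadcast to every group at once so that no single accounting collector becoming unreachable causes records to be lost. All addresses, group names, DNIS number and shared secrets are constructed placeholders, and the DNIS map line reflects the documented syntax as the author of this note understands it, so verify it against the 12.1(1)T feature guide linked above before relying on it.

```cisco
! Added example, not from the original message. Addresses, keys, group
! names and the DNIS number are placeholders chosen for illustration.
aaa new-model
!
! The same RADIUS machine defined twice on different port pairs: two
! radiusd processes on one box, no extra IP address needed.
! A per-host key lets each process use its own shared secret.
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key EXAMPLE-SECRET-1
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SECRET-2
! A second RADIUS machine on the standard ports.
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key EXAMPLE-SECRET-3
!
! Server groups: members inside a group are tried in the order listed and
! the next one is used only after a timeout (the classic failover behaviour).
aaa group server radius RAD-A
 server 192.0.2.10 auth-port 1645 acct-port 1646
 server 192.0.2.11 auth-port 1812 acct-port 1813
aaa group server radius RAD-B
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
! Authentication: sequential failover, RAD-A first, then RAD-B.
aaa authentication ppp default group RAD-A group RAD-B
!
! Accounting: the "broadcast" keyword sends every start/stop record to
! RAD-A and RAD-B simultaneously instead of only to whichever answers first,
! so a dead collector no longer silently drops the session record.
aaa accounting network default start-stop broadcast group RAD-A group RAD-B
!
! Optional (12.0(7)T and later): select the server group by called number
! (DNIS); 12.1(1)T adds the broadcast keyword here as well.
aaa dnis map enable
aaa dnis map 5551234 accounting network start-stop broadcast group RAD-B
```

One thing to keep in mind when reading accounting data produced this way: because each record is deliberately delivered to more than one collector, any logic that counts concurrent sessions from the accounting tables (the maxlogins problem in Jay's question) must treat the copies on the two servers as one session, not two, or it will over-count.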

At 07:39 AM 6/04/2000 -0500, Jay West wrote:
>I'm not sure if this went out to the list, so pardon me if I'm reposting...
>
> > Current setup:
> > Two FreeBSD machines, each one running radiator (radius1 and radius2)
> > Two FreeBSD machines, each one running MySQL for the radiator database
> > (mysql1 and mysql2)
> > Cisco 3640 router (NAS) terminating L2F sessions for each dialup user
> >
> > The Cisco 3640 is set to try authenticating via radius first on radius1,
> > and if that times out to authenticate on radius2. Radius1 uses the SQL
> > database on mysql1 and radius2 uses the SQL database on mysql2. There are
> > some high availability problems with this setup - if mysql1 goes down, the
> > Cisco won't know it and will keep querying radius1. The Cisco does support
> > (at the latest IOS release) rotating between multiple radius servers, but
> > that would only let half the folks in.
> >
> > Changes I want to make:
> > What's the best way to set up high availability so that any host (except
> > the router) can fail and things will still work? I'm not currently using
> > maxlogins (or simultaneous-logins or maxsessions or whatever) but do plan
> > to in the very near future. I see many possibilities - but the first one
> > I'm thinking of is to set each of the two radius servers to query sql1 and
> > if that fails query sql2 (this done via specifying multiple sql servers in
> > the radius config file). But then the question becomes how to keep the
> > databases in sync between sql1 and sql2. I could set up some batch process
> > to copy the databases nightly, but doesn't this get in the way of trying
> > to enforce multiple logon limits?
> >
> > On a directly related note - are there any problems with having two copies
> > of radiator - one on each machine - working on the same database?
> >
> > Any hints from those who've done this before?? Net result should be two
> > radiator machines and two sql machines and any one can fail.
> >
> > Thanks in advance!
> >
> > Jay West


===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
