Cisco Cisco IOS Software Release 12.2(27)SBC
RADIUS Server Load Balancing
Configuration Examples for RADIUS Server Load Balancing
15
Cisco IOS Security Configuration Guide
The authentication server group and the accounting server group do not share any common servers. A
preferred server will never be found for accounting transactions, therefore, authentication and
accounting servers will be load balanced based on transactions. Start and stop records will be sent to the
same server for a session.
preferred server will never be found for accounting transactions, therefore, authentication and
accounting servers will be load balanced based on transactions. Start and stop records will be sent to the
same server for a session.
Preferred Server with Overlapping Authentication and Authorization Servers:
Example
Example
The following example shows an authentication server group that uses servers 209.165.200.225,
209.165.200.226, and 209.165.201.1 and an accounting server group that uses servers 209.165.201.1 and
209.165.201.2. Both server groups have the preferred server flag enabled.
209.165.200.226, and 209.165.201.1 and an accounting server group that uses servers 209.165.201.1 and
209.165.201.2. Both server groups have the preferred server flag enabled.
aaa group server radius authentication-group
server 209.165.200.225 key radkey1
server 209.165.200.226 key radkey2
server 209.165.201.1 key radkey3
aaa group server radius accounting-group
server 209.165.201.1 key radkey3
server 209.165.201.2 key radkey4
If all servers have equal transaction processing capability, one-third of all authentication transactions
will be directed towards server 209.165.201.1. Therefore, one-third of all accounting transactions will
also be directed towards server 209.165.201.1. The remaining two-thirds accounting transactions will be
load balanced equally between servers 209.165.201.1 and 209.165.201.2. The server 209.165.201.1 will
receive fewer authentication transactions since server 209.165.201.1 will have outstanding accounting
transactions.
will be directed towards server 209.165.201.1. Therefore, one-third of all accounting transactions will
also be directed towards server 209.165.201.1. The remaining two-thirds accounting transactions will be
load balanced equally between servers 209.165.201.1 and 209.165.201.2. The server 209.165.201.1 will
receive fewer authentication transactions since server 209.165.201.1 will have outstanding accounting
transactions.
Preferred Server with Authentication Servers As a Subset of Authorization
Servers: Example
Servers: Example
The following example shows an authentication server group that uses servers 209.165.200.225 and
209.165.200.226 and an authorization server group that uses servers 209.165.200.225, 209.165.200.226,
and 209.165.201.1. Both server groups have the preferred server flag enabled.
209.165.200.226 and an authorization server group that uses servers 209.165.200.225, 209.165.200.226,
and 209.165.201.1. Both server groups have the preferred server flag enabled.
aaa group server radius authentication-group
server 209.165.200.225 key radkey1
server 209.165.200.226 key radkey2
aaa group server radius accounting-group
server 209.165.200.225 key radkey1
server 209.165.200.226 key radkey2
server 209.165.201.1 key radkey3
One-half of all authentication transactions will be sent to server 209.165.200.225 and the other half to
server 209.165.200.226. Servers 209.165.200.225 and 209.165.200.226 will be the preferred servers for
authentication and accounting transaction, therefore there will be an equal distribution of authentication
and accounting transactions across servers 209.165.200.225 and 209.165.200.226. Server 209.165.201.1
will be relatively unused.
server 209.165.200.226. Servers 209.165.200.225 and 209.165.200.226 will be the preferred servers for
authentication and accounting transaction, therefore there will be an equal distribution of authentication
and accounting transactions across servers 209.165.200.225 and 209.165.200.226. Server 209.165.201.1
will be relatively unused.