Cisco Cisco ASR 5000
AAA Server Group Configuration Mode Commands
▀ radius accounting server
▄ Command Line Interface Reference, StarOS Release 18
186
Important:
The same RADIUS server IP address and port can be configured in multiple RADIUS server groups
within a context.
[ encrypted ] key value
Specifies the shared secret key used to authenticate the client to the servers. The
encrypted
keyword
indicates the key specified is encrypted.
In 12.1 and earlier releases, the key
In 12.1 and earlier releases, the key
value
must be an alphanumeric string of 1 through 127 characters
without encryption, and 1 through 256 characters with encryption.
In StarOS 12.2 and later releases, the key
In StarOS 12.2 and later releases, the key
value
must be an alphanumeric string of 1 through 127 characters
without encryption, and 1 through 236 characters with encryption enabled.
The
The
encrypted
keyword is intended only for use by the chassis while saving configuration scripts. The
system displays the
encrypted
keyword in the configuration file as a flag that the variable following the
key
keyword is the encrypted version of the plaint text key. Only the encrypted key is saved as part of the
configuration file.
acct-on { disable | enable }
This keyword enables/disables sending of the Accounting-On message when a new RADIUS server is added
to the configuration. By default, this keyword will be disabled.
When enabled, the Accounting-On message is sent when a new RADIUS server is added in the configuration.
However, if for some reason the Accounting-On message cannot be sent at the time of server configuration
(for example, if the interface is down), then the message is sent as soon as possible. Once the Accounting-On
message is sent, if it is not responded to after the configured RADIUS accounting timeout, the message is
retried the configured number of RADIUS accounting retries. Once all retries have been exhausted, the
system no longer attempts to send the Accounting-On message for this server.
In releases prior to 18.0, whenever a chassis boots up or when a new RADIUS accounting server or RADIUS
mediation-device accounting server is configured with Acct-On configuration enabled, the state of the
RADIUS server in all the AAA manager instances was initialized to “Waiting-for-response-to-Accounting-
On”. The Acct-On transmission and retries are processed by the Admin-AAAmgr.
When the Acct-On transaction is complete (i.e., when a response for Accounting-On message is received or
when Accounting-On message is retried and timed-out), Admin-AAAmgr changes the state of the RADIUS
accounting server to Active in all the AAA manager instances. During the period when the state of the server
is in “Waiting-for-response-to-Accounting-On”, any new RADIUS accounting messages which are generated
as part of a new call will not be transmitted towards the RADIUS accounting server but it will be queued.
Only when the state changes to Active, these queued up messages will be transmitted to the server.
During ICSR, if the interface of the radius nas-ip address is srp-activated, then in the standby chassis, the
sockets for the nas-ip will not be created. The current behavior is that if the interface is srp-activated
Accounting-On transaction will not happen at ICSR standby node and the state of the RADIUS server in all
the AAAmgr instances will be shown as “Waiting-for-response-to-Accounting-On” till the standby node
becomes Active.
In 18.0 and later releases, whenever the chassis boots up or when a new RADIUS accounting server or
RADIUS mediation-device accounting server is configured with Acct-On configuration enabled, the state of
the RADIUS server will be set to Active for all the non-Admin-AAAmgr instances and will be set to
“Waiting-for-response-to-Accounting-On” for only Admin-AAAmgr instance. The Accounting-On
transaction logic still holds good from Admin-AAAmgr perspective. However, when any new RADIUS
accounting messages are generated even before the state changes to Active in Admin-AAAmgr, these newly
generated RADIUS accounting messages will not be queued at the server level and will be transmitted to the
RADIUS server immediately.
During ICSR, even if the interface of radius nas-ip address is srp-activated, the state of the RADIUS
accounting server will be set to Active in all non-Admin-AAAmgr instances and will be set to “Waiting-for-
response-to-Accounting-On” in Admin-AAAmgr instance.
to the configuration. By default, this keyword will be disabled.
When enabled, the Accounting-On message is sent when a new RADIUS server is added in the configuration.
However, if for some reason the Accounting-On message cannot be sent at the time of server configuration
(for example, if the interface is down), then the message is sent as soon as possible. Once the Accounting-On
message is sent, if it is not responded to after the configured RADIUS accounting timeout, the message is
retried the configured number of RADIUS accounting retries. Once all retries have been exhausted, the
system no longer attempts to send the Accounting-On message for this server.
In releases prior to 18.0, whenever a chassis boots up or when a new RADIUS accounting server or RADIUS
mediation-device accounting server is configured with Acct-On configuration enabled, the state of the
RADIUS server in all the AAA manager instances was initialized to “Waiting-for-response-to-Accounting-
On”. The Acct-On transmission and retries are processed by the Admin-AAAmgr.
When the Acct-On transaction is complete (i.e., when a response for Accounting-On message is received or
when Accounting-On message is retried and timed-out), Admin-AAAmgr changes the state of the RADIUS
accounting server to Active in all the AAA manager instances. During the period when the state of the server
is in “Waiting-for-response-to-Accounting-On”, any new RADIUS accounting messages which are generated
as part of a new call will not be transmitted towards the RADIUS accounting server but it will be queued.
Only when the state changes to Active, these queued up messages will be transmitted to the server.
During ICSR, if the interface of the radius nas-ip address is srp-activated, then in the standby chassis, the
sockets for the nas-ip will not be created. The current behavior is that if the interface is srp-activated
Accounting-On transaction will not happen at ICSR standby node and the state of the RADIUS server in all
the AAAmgr instances will be shown as “Waiting-for-response-to-Accounting-On” till the standby node
becomes Active.
In 18.0 and later releases, whenever the chassis boots up or when a new RADIUS accounting server or
RADIUS mediation-device accounting server is configured with Acct-On configuration enabled, the state of
the RADIUS server will be set to Active for all the non-Admin-AAAmgr instances and will be set to
“Waiting-for-response-to-Accounting-On” for only Admin-AAAmgr instance. The Accounting-On
transaction logic still holds good from Admin-AAAmgr perspective. However, when any new RADIUS
accounting messages are generated even before the state changes to Active in Admin-AAAmgr, these newly
generated RADIUS accounting messages will not be queued at the server level and will be transmitted to the
RADIUS server immediately.
During ICSR, even if the interface of radius nas-ip address is srp-activated, the state of the RADIUS
accounting server will be set to Active in all non-Admin-AAAmgr instances and will be set to “Waiting-for-
response-to-Accounting-On” in Admin-AAAmgr instance.