Cisco IOS Software Release 12.2(27)SBC
AAA Authorization and Authentication Cache
Cisco IOS Release 12.2(28)SB
Prerequisites for Implementing Authorization and Authentication Profile Caching
The following prerequisites apply to implementing authorization and authentication profile caching:
• Understand how you would want to implement profile caching, that is, are profiles being cached to
  improve network performance or as a failover mechanism if your network authentication and
  authorization (RADIUS and TACACS+) servers become unavailable.
• RADIUS and TACACS+ server groups must already be configured.
Information About Implementing Authorization and Authentication Profile Caching
To implement authorization and authentication profile caching, you should understand the following
concepts:
Network Performance Optimization Using Authorization and Authentication Profile Caching
RADIUS and TACACS+ clients run on Cisco routers and send authentication requests to a central
RADIUS or TACACS+ server that contains all user authentication and network service access
information. The router is required to communicate with an offload RADIUS or TACACS+ server to
authenticate a given call and then apply a policy or service to that call. Unlike authentication,
authorization, and accounting (AAA) accounting, AAA authentication and authorization is a blocking
procedure, which means the call setup may not proceed while the call is being authenticated and
authorized. Thus, the time required to process the call setup is directly impacted by the time required to
process such an authentication or authorization request from the router to the offload RADIUS or
TACACS+ server, and back again. Any communication problems in the transmission, offload server
utilization, and numerous other factors cause significant degradation in a router’s call setup performance
due simply to the AAA authentication and authorization step. The problem is further highlighted when
multiple AAA authentications and authorizations are needed for a single call or session.
A solution to this problem is to minimize the impact of such authentication requests by caching the
authentication and authorization responses for given users on the router, thereby removing the need to
send the requests to an offload server again and again. This profile caching adds significant performance
improvements to call setup times. Profile caching also provides an additional level of network reliability
because user and service profiles that are returned from authentication and authorization responses can
be queried from multiple sources and need not depend solely on an offload server.
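The configuration sketch below is an added example, not taken from the original Cisco document. It shows how the two goals named in the prerequisites (performance versus failover) come down to the order of methods in the AAA method lists. The server group name rtr-admins, the cache profile name admin-cache and the user names are hypothetical, and the server group is assumed to exist already; verify the command syntax against the command reference for your release.

```cisco
! Constructed example; all names are hypothetical.
aaa new-model
!
! Cache profile: selects whose responses are cached. Listing named users
! keeps the cache small; caching every user widens what a stale entry
! can still authorize.
aaa cache profile admin-cache
 profile netadmin1
 profile netadmin2
!
! Existing RADIUS server group (a prerequisite); only the cache lines are new.
aaa group server radius rtr-admins
 cache authentication profile admin-cache
 cache authorization profile admin-cache
 ! Expiry is in hours. Until an entry expires, the router does not see a
 ! password change or a disabled account made on the server.
 cache expiry 1
!
! Configure ONE of the two orderings below for a given method list.
!
! Option A, performance: the cache is consulted first and the server is
! contacted only on a cache miss. Fastest call setup, longest window in
! which a revoked user is still accepted.
aaa authentication login default cache rtr-admins group rtr-admins
aaa authorization exec default cache rtr-admins group rtr-admins
!
! Option B, failover: the server is asked first and the cache is used only
! when the server group does not respond. Revocation takes effect at once
! while the servers are reachable.
aaa authentication login default group rtr-admins cache rtr-admins
aaa authorization exec default group rtr-admins cache rtr-admins
```

With Option A, choose the expiry with account revocation in mind, since the cached response stands in for the server until the entry ages out or is cleared.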