The ISP-Lists.com Email Discussion List Community

Cisco and RFC2866 note was [RE: Comindico auth problem]
<x-flowed>

Just a note to all cisco ISPs out there who want RFC2866 compliance: you
need to enable the hidden command 'radius-server unique-ident <n>'

Minimum IOS: 12.1(4.1)T.

Acct-Session-Id should be unique and wrap after every 256 reboots.

You must reboot after entering this command for it to take effect. If not,
10 minutes after entering this command you will observe the following
message.

%RADIUS-3-IDENTFAIL: Save of unique accounting ident aborted.

So..

ras#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ras(config)#radius-s unique-ident 1
ras(config)#end
ras#wr mem
Building configuration...
[OK]
00:15:52: %SYS-5-CONFIG_I: Configured from console by console
ras#reload
Proceed with reload? [confirm]
00:15:56: %SYS-5-RELOAD: Reload requested
<router rebooted>
ras#sh run | include unique
radius-server unique-ident 3
ras#
Building configuration...
[OK]
00:10:30: %RADIUS-6-IDENTSAVE: Saving config with new acct ident in nvram.

10 minutes after reload you will see: (if anything is changed after reload
- even if it is just entering config mode and coming to EXEC mode without
changing anything - you will see the IDENTFAIL message)...

00:10:30: %RADIUS-6-IDENTSAVE: Saving config with new acct ident in nvram.

This indicates that the IOS saved the new value of "unique-ident" to nv
memory by causing a "write memory" action to occur.  From now on every
reboot (plus 10 minutes of idle time when nothing has changed) of the
router will generate a unique acct-session-id.

Aidan
Systems Engineer - Telco/SP
cisco Systems Australia

At 04:05 PM 19/01/2002, David Luyer wrote:

>Saliya wrote:
> > It's also useful for determining whether or not you are
> > receiving multiple
> > instances of a unique session (that, in combination with the
> > NAS-IP-Address should be a unique key for a particular type
> > of record).
>
>The actual unique set is (NAS-IP, Session-Id, last boot of NAS);
>session IDs are typically reset at NAS reboot.
>
>Of course, you don't know the last boot of the NAS.
>
>What good RADIUS software does is keep a cache of the last
>5 minutes (note: time, not record count... you can easily
>get 5,000+ RADIUS STOP records in a minute when a popular
>TV show - eg, the 2000 Olympic opening ceremony - comes on,
>and this is exactly when you'll get timeouts and duplicates,
>so you don't want some arbitrary count of a certain number of
>STOP records, you want it based on time) of NAS-IP,Session-Id
>pairs, and if the NAS-IP,Session-Id pair of a particular STOP
>record have already been seen within the last 5 minutes, it
>ignores the new record (which will typically be the old record
>with a new Acct-Delay-Time).
>
>Duplicate start/stop records are a fact of life.  If the RADIUS
>software doesn't handle them, that's a big problem waiting to happen
>(or already happening).
>
>David.
>--
>David Luyer                                     Phone:   +61 3 9674 7525
>Network Manager                P A C I F I C    Fax:     +61 3 9699 8693
>Pacific Internet (Australia)  I N T E R N E T   Mobile:  +61 4 1111 BYTE
>http://www.pacific.net.au/                      NASDAQ:  PCNTF
</x-flowed>
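
The time-based duplicate cache described in the quoted message, sketched as an added example (not code from the thread or from any RADIUS server). The class and function names, the dictionary record layout, the inclusion of Acct-Status-Type in the key and the sample records are assumptions made for illustration.

```python
from collections import OrderedDict

WINDOW_SECONDS = 300  # the 5-minute window from the quoted message


class AcctDedupCache:
    """Time-bounded cache of recently seen accounting records (hypothetical)."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._seen = OrderedDict()  # key -> arrival time, oldest entry first

    def _expire(self, now):
        # Evict by age only, never by count, so a burst of thousands of
        # STOP records in one minute cannot push live entries out.
        while self._seen:
            key, first_seen = next(iter(self._seen.items()))
            if now - first_seen < self.window:
                break
            self._seen.popitem(last=False)

    def is_duplicate(self, record, now):
        """Return True if this record was already seen inside the window."""
        self._expire(now)
        # Acct-Delay-Time is deliberately not part of the key: a retransmit
        # is the old record with a new delay value.
        key = (record["Acct-Status-Type"], record["NAS-IP-Address"],
               record["Acct-Session-Id"])
        if key in self._seen:
            return True
        self._seen[key] = now
        return False


def filter_records(timed_records, window=WINDOW_SECONDS):
    """Return the records to keep from (arrival_seconds, record) pairs."""
    cache = AcctDedupCache(window)
    return [rec for now, rec in timed_records
            if not cache.is_duplicate(rec, now)]


# Constructed sample input; 192.0.2.1 is a documentation address.
STOP = {"Acct-Status-Type": "Stop", "NAS-IP-Address": "192.0.2.1",
        "Acct-Session-Id": "0000002A", "Acct-Delay-Time": 0}
SAMPLE = [
    (0, STOP),
    (12, {**STOP, "Acct-Delay-Time": 12}),        # retransmit: dropped
    (20, {**STOP, "Acct-Session-Id": "0000002B"}),  # other session: kept
    (400, STOP),  # same id again after the window (e.g. NAS reboot): kept
]

if __name__ == "__main__":
    for kept in filter_records(SAMPLE):
        print(kept)
```

The last sample record shows why the cache alone is not a uniqueness guarantee: once the window has passed, a reused Acct-Session-Id from the same NAS is accepted as a new record, so the accounting database still depends on the NAS producing session IDs that do not repeat across reboots.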

Replies
RE: Comindico auth problem, Saliya Wimalaratne
RE: Comindico auth problem, David Luyer