HP-UX AAA Server A.06.00 Administration and Authentication Guide: HP-UX 11.0, 11i v1 > Chapter 2 Configuration Screens

Server Properties


You can modify server variables to override built-in defaults. Server startup options will override a corresponding server property setting.

Navigating the Server Properties Screen

Figure 2-15 Server Manager's Server Properties Screen

Server Manager's Server Properties Screen
  • Selecting an existing variable or the following icon will display a form of the corresponding server variable for modification:

  • Selecting the following icon will display a context sensitive HTML help screen:

Modifying a Server Property

When modifying a server variable, you supply a value for the parameter through a form's fields.

Figure 2-16 Server Manager's Modify Server Variable Screen

Server Manager's Modify Server Variable Screen

General Server Performance Properties

Max. Plug-in Processes

Set the maximum number of simultaneous processes for an AA_FORK or AA_FREPLY type AATV plug-in. This value is normally compiled into the header of a forking type plug-in. This is a performance-enhancing feature intended to prevent a UNIX platform from being consumed by too many simultaneously forked processes. The default value zero means that no maximum is applied.

Hold Replies

After a request has been replied to by the REPLY action in the finite state machine (FSM) table, it is held for a period of time in case retransmission is necessary. This property specifies the number of seconds to hold on to a request after it has been replied to. The value should be twice the default retransmission period of the NASs involved, and it is applied if no reply_holdtime is specified for a particular NAS client. This does not apply to packets that are forwarded to another server.

A value of zero invokes special behavior in which the REPLY action does not change the hold time for a request. This would cause all received authentication or accounting requests to be held for the full TTL (time-to-live), regardless of how short or how long the request took before being replied to.

NOTE: Using the special value of zero or using a hold time greatly in excess of the retransmission policy of a NAS may cause the authentication and accounting queues to grow too large.

Tailoring of this value should be influenced by the total and holding values reported on a per-request basis.

Global Retry Limit

Limit the maximum number of retransmissions allowed before a RETRY event occurs. A RETRY event is similar to a TIMEOUT event and should be caught by the built-in (default) FSM table. If the value is zero, the default, then no limits are imposed. The purpose of this is to catch an authentication request and perform some action when a certain number of retransmissions from a NAS occur.

In particular, it may be useful to have a primary authentication server deny access (using the FAIL action) before a backup server starts to authenticate, allowing the backup server to back up just the primary and not the whole AAA system. Also see the Special duplicate limit property.

Special Duplicate Limit

This property sets a limit for detecting special duplicates created by early implementations of MS-CHAP on some older PPP clients. A higher limit will make the server more forgiving in accepting these duplicates. A lower limit will make the server drop more requests that appear to be special duplicates. Also see the Global retry limit property.

Hold Accounting Requests

This property indicates the number of seconds each accounting request should be held after it has been replied to. When the time expires, the request is released. This hold time allows the server to capture duplicate requests. You should specify a value that is twice the retransmission interval configured on your access device.

Hold Authentication Requests

This property indicates the number of seconds each authentication request should be held after it has been replied to. When the time expires, the request is released. This hold time allows the server to capture duplicate requests. You should specify a value that is twice the retransmission interval configured on your access device.

Max. Accounting Requests

This property sets the maximum number of simultaneous accounting requests to be handled by the system. When this limit is exceeded, the requests are dropped with a message in the logfile. The same equation used for sizing the Max. authentication requests may also be used for Max. accounting requests.

Max. Authentication Requests

Set the maximum number of active authentication requests to be handled by the system. When this limit is exceeded, an Access-Reject reply is returned and a message added to the logfile.

The auth queue must be sized correctly in order to buffer the arrival rate of access requests. If the arrival rate of requests is relatively steady then you can size the queue and hold time as follows:

  • Max. Authentication Requests (global_auth_q.limit) divided by Hold Authentication Requests (default_reply_holdtime) must be greater than the transaction rate.

    For example, if global_auth_q.limit=1000, default_reply_holdtime=5, and transaction rate=100 authentications/second, then:

    • 1000 divided by 5 = 200 and 200 is greater than 100

    For the first five seconds the queue is filling up to 500 authentication requests. From that point on the requests are still arriving at 100/sec, but the oldest requests are being released at 100/sec.

    Now, suppose global_auth_q.limit=1000, default_reply_holdtime=5, and transaction rate=250 authentications/second, then:

    • 1000 divided by 5 = 200 and 200 is less than 250

    For the first four seconds the queue is filling up to 1000 authentication requests. For the fifth second another 250 requests arrive, but there is no room in the queue. No requests will be released until the end of the fifth second, since that is the holdtime. Either the Max. authentication requests must be increased, or the Global retry limit must be decreased.

    NOTE: When the authentication queue limit is exceeded, the server stops responding to the radcheck command.
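The sizing rule and the two scenarios above, worked through as an added example (this is not code from HP's documentation or from the AAA server). The second-by-second model is my own simplification: every request accepted in a given second is released holdtime seconds later, and an arrival that finds the queue at global_auth_q.limit is rejected, which is the Access-Reject case described under Max. Authentication Requests. The limit, hold time and rates are the ones used in the text.

```python
from collections import deque


def queue_is_sized(limit, holdtime, rate):
    """Sizing rule from the text: limit / holdtime must exceed the transaction rate."""
    return limit / holdtime > rate


def steady_state_occupancy(holdtime, rate):
    """Requests held at any instant once the queue has filled: rate * holdtime.

    When this exceeds the limit, arrivals will be rejected.
    """
    return holdtime * rate


def simulate_auth_queue(limit, holdtime, rate, seconds):
    """Second-by-second model of the authentication queue (a simplification,
    not the server's own logic).

    Each second `rate` requests arrive. A request stays in the queue for
    `holdtime` seconds after being replied to and is then released. Arrivals
    that find the queue at `limit` are rejected.
    Returns (peak occupancy, total rejected requests).
    """
    held = deque()  # one entry per second: how many requests were accepted then
    occupancy = peak = rejected = 0
    for _ in range(seconds):
        # Requests accepted holdtime seconds ago have finished their hold.
        if len(held) == holdtime:
            occupancy -= held.popleft()
        accepted = min(rate, limit - occupancy)
        rejected += rate - accepted
        occupancy += accepted
        held.append(accepted)
        peak = max(peak, occupancy)
    return peak, rejected


if __name__ == "__main__":
    for rate in (100, 250):  # the two transaction rates used in the text
        sized = queue_is_sized(1000, 5, rate)
        peak, rejected = simulate_auth_queue(1000, 5, rate, 10)
        print(f"rate={rate}/s sized={sized} "
              f"steady_state={steady_state_occupancy(5, rate)} "
              f"peak={peak} rejected_in_10s={rejected}")
```

At 100 authentications/second the queue levels off at 500 held requests and nothing is rejected. At 250/second it reaches the 1000 limit in four seconds and the fifth second's 250 arrivals are rejected; because those slots were never filled, the same gap reappears every holdtime seconds for as long as the rate persists, so the queue does not recover on its own.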

Max. Send Message Size, Max. Receive Message Size

This property decreases the send buffer size. It serves only as a debugging function for a customized server configuration that might transmit very large packets, and it helps to debug code intended to prevent an excessively large packet from corrupting the server.

The current send buffer size is 16K (16536 bytes). Limiting the send_buffer_size to be the UDP MTU for the network will prevent excessively large packets from being forwarded (or replied to) in certain circumstances.

Network, DNS, and Other External Properties

DNS Refresh Interval

This property sets a base value (in seconds) used to periodically refresh DNS entries. To ensure that the client entries do not all expire at once, a designed-in randomness adds zero, fifteen, thirty, or forty-five minutes to the base value to determine when a DNS entry should be refreshed. The default value is one hour.

DNS Refresh Time Frame

When a DNS entry for a configured client expires (needs refreshing), all other clients that will be refreshed within the specified number of seconds are refreshed immediately.
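The two DNS refresh properties above, modelled together as an added example (not HP's code; the server's real scheduler is not shown on this page). The jitter choices are the four offsets named in the text; the client names, the seeded random generator and the batching loop are my own constructions used to show how the refresh interval spreads expiries out and how the refresh time frame coalesces nearby ones into a single round.

```python
import random

# The four designed-in offsets from the text, in seconds.
JITTER_SECONDS = (0, 15 * 60, 30 * 60, 45 * 60)


def next_refresh_time(now, base_interval, rng):
    """Base value plus one of the four offsets, chosen at random."""
    return now + base_interval + rng.choice(JITTER_SECONDS)


def schedule_clients(clients, base_interval, seed=1):
    """Initial refresh time for every configured client (seeded so runs repeat)."""
    rng = random.Random(seed)
    return {name: next_refresh_time(0, base_interval, rng) for name in clients}


def refresh_batch(due, now, time_frame):
    """Clients whose entry expired at `now`, plus every client that would be
    refreshed within `time_frame` seconds anyway (ordered by due time)."""
    return [name for name, t in sorted(due.items(), key=lambda kv: kv[1])
            if t <= now + time_frame]


def simulate_refresh_rounds(clients, base_interval, time_frame, horizon, seed=1):
    """Run the scheduler for `horizon` seconds.

    Returns (rounds, lookups): how many separate refresh rounds occurred and
    how many individual client entries were refreshed in total.
    """
    rng = random.Random(seed)
    due = {name: next_refresh_time(0, base_interval, rng) for name in clients}
    rounds = lookups = 0
    while True:
        now = min(due.values())  # earliest expiry triggers a round
        if now > horizon:
            break
        batch = refresh_batch(due, now, time_frame)
        rounds += 1
        lookups += len(batch)
        for name in batch:
            due[name] = next_refresh_time(now, base_interval, rng)
    return rounds, lookups


if __name__ == "__main__":
    # Constructed client list, one-hour base interval, one simulated day.
    clients = [f"nas{i}" for i in range(8)]
    for frame in (0, 45 * 60):
        rounds, lookups = simulate_refresh_rounds(clients, 3600, frame, 24 * 3600)
        print(f"time_frame={frame}s rounds={rounds} lookups={lookups}")
```

With a time frame of zero every distinct expiry becomes its own round; with a time frame at least as large as the largest offset, one expiry pulls in every client due inside that window, so the number of rounds drops while the total number of lookups rises slightly because entries are refreshed a little early.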

Enable SNMP

When this option is set to Enabled, the AAA server will automatically check the network for an SNMP master agent to communicate with, and the server can be monitored by an SNMP workstation. When set to Disabled, the server will not communicate with an SNMP master agent and cannot be monitored by an SNMP workstation.

Tunneling Reply Items

This property uses keywords to specify what the server should do with tunneling attributes configured as reply items for a user entry if the Access-Request contains no tunneling hints.

© 2003 Hewlett-Packard Development Company, L.P.