HP-UX AAA Server A.06.00 Administration and Authentication Guide: HP-UX 11.0, 11i v1 > Chapter 15 Configuration Files

aaa.config


The aaa.config file contains keyword-value entries, one per line, which let the administrator override the compiled-in default values of the AAA server. The aaa.config file may be used for performance tuning, for debugging, or to override built-in defaults.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit, so an over-long line is silently mis-read rather than rejected.

You can include configuration data in multiple text files and load them at server startup. For each text file, add a one-line entry to the aaa.config file that follows the format:

include "File-name"

If File-name does not specify a path, the server will look for the file in the configuration directory.

Syntax of a Keyword-Value Entry in aaa.config

variable = value 

or

hostnameprefix/variable = value 
NOTE: The host name in the host name prefix is the host name returned by the hostname command, not the fully qualified DNS name. Any space or tab characters before the variable or surrounding the equal sign character are ignored. Space and tab characters after the value may be considered part of the value assigned to the variable, so do not leave trailing blanks on a line.
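The following is an added example, not HP's parser: a small Python checker that re-implements only the entry rules stated above (one entry per line, the optional hostname prefix, include resolution against the configuration directory, whitespace before the variable and around the equal sign ignored, whitespace after the value kept) and reports the two things the server will not report for you, lines over 255 characters and values that carry trailing blanks. The file contents, paths and host names are constructed; the rule that a host-prefixed entry applies only on that host and overrides the unprefixed entry there is an assumption, since the guide does not spell it out.

```python
"""Parse aaa.config keyword-value entries and flag lines the server would
silently mis-handle.

Added example for this guide; it is not HP's parser. It re-implements only
the rules stated above: one entry per line, an optional `hostname/` prefix,
`include "File-name"` resolved against the configuration directory when no
path is given, whitespace before the variable and around `=` ignored, and
whitespace AFTER the value kept as part of the value. Lines longer than
255 characters are reported because the server does not check them.
The file contents, paths and host names below are constructed.
"""
import re

MAX_LINE = 255  # stated limit; the server itself performs no check

_INCLUDE_RE = re.compile(r'^[ \t]*include[ \t]+"([^"]+)"[ \t]*$')
# group 1: optional host prefix, group 2: variable, group 3: raw value
_ENTRY_RE = re.compile(r'^[ \t]*(?:([^/=\s]+)/)?([^=\s]+)[ \t]*=[ \t]*(.*)$')


def _resolve(fname, conf_dir):
    # A File-name without a path is looked up in the configuration directory.
    return fname if "/" in fname else conf_dir.rstrip("/") + "/" + fname


def parse_aaa_config(path, files, conf_dir="/etc/opt/aaa", _seen=None):
    """Return (entries, warnings) for the file at `path`.

    `files` maps path -> text and stands in for the filesystem so the
    example runs offline. Each entry is (host_or_None, variable, value,
    "path:line"); warnings are strings describing suspicious lines.
    """
    _seen = set() if _seen is None else _seen
    if path in _seen:                      # assumption: guard against include loops
        return [], [f"{path}: include loop ignored"]
    _seen.add(path)
    entries, warnings = [], []
    for lineno, raw in enumerate(files[path].split("\n"), 1):
        line = raw.rstrip("\r")            # strip only the line terminator
        where = f"{path}:{lineno}"
        if len(line) > MAX_LINE:
            warnings.append(f"{where}: {len(line)} chars exceeds {MAX_LINE}")
        if not line.strip():
            continue
        m = _INCLUDE_RE.match(line)
        if m:
            sub = _resolve(m.group(1), conf_dir)
            if sub not in files:
                warnings.append(f"{where}: included file {sub} not found")
                continue
            sub_entries, sub_warnings = parse_aaa_config(sub, files, conf_dir, _seen)
            entries.extend(sub_entries)
            warnings.extend(sub_warnings)
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            warnings.append(f"{where}: unrecognised line {line!r}")
            continue
        host, var, value = m.groups()
        if value != value.rstrip(" \t"):
            warnings.append(f"{where}: trailing whitespace is kept in the value of {var}")
        entries.append((host, var, value, where))
    return entries, warnings


def effective_settings(entries, local_host):
    """Collapse entries to {variable: value} as seen on `local_host`.

    Assumption (the guide does not spell it out): a `host/variable` entry
    applies only on that host and overrides the unprefixed entry there;
    among entries of the same kind the last one wins.
    """
    global_vals, host_vals = {}, {}
    for host, var, value, _ in entries:
        if host is None:
            global_vals[var] = value
        elif host == local_host:
            host_vals[var] = value
    return {**global_vals, **host_vals}


# Constructed sample: a shared aaa.config with a per-host override, an
# include, a value with trailing blanks and an over-long line.
SAMPLE_FILES = {
    "/etc/opt/aaa/aaa.config": (
        "default_reply_holdtime = 6\n"
        "global_auth_q.limit=1800\n"
        "radius2/global_auth_q.limit = 900\n"
        'include "tuning.config"\n'
        "radcheck=+packets   \n"
        "dns_address_aging=5400" + " " * 250 + "\n"
    ),
    "/etc/opt/aaa/tuning.config": (
        "default_retry_limit=8\n"
        "ourhostname=interface1.radius.server.net\n"
    ),
}

if __name__ == "__main__":
    entries, warnings = parse_aaa_config("/etc/opt/aaa/aaa.config", SAMPLE_FILES)
    for w in warnings:
        print("WARN", w)
    for host in ("radius1", "radius2"):
        print(host, effective_settings(entries, host)["global_auth_q.limit"])
```

Run the checker over a real configuration directory before restarting the server: the 255-character and trailing-blank warnings are exactly the conditions the server accepts without complaint and then applies in a way that differs from what the administrator typed.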

General Server Performance Variables

default_reply_holdtime

After a request has been replied to by the REPLY AATV in the finite state machine (FSM) table, it is held for a period in case retransmission is necessary. This variable specifies the number of seconds to hold on to a request after it has been replied to. The value should be twice the default retransmission period of the NASs involved, and it is applied if no reply_holdtime is specified for a particular NAS client. This does not apply to packets that are forwarded to another server.

A value of zero invokes special behavior in which the REPLY AATV does not change the hold time for a request. This would cause all received authentication or accounting requests to be held for the full TTL (time-to-live), regardless of how short or how long the request took before being replied to.

NOTE: Using the special value of zero or using a hold time greatly in excess of the retransmission policy of a NAS may cause the authentication and accounting queues to grow too large. Refer to the global_acct_q.limit and global_auth_q.limit engine variables.

Tailoring of this value should be influenced by the total and holding values reported on a per-request basis.

For example:

default_reply_holdtime=0 
default_reply_holdtime=6

default_retry_limit

Limit the maximum number of retransmissions allowed before a RETRY event occurs. A RETRY event is similar to a TIMEOUT event, and should be caught by the built-in (default) FSM table. If the value is zero, then no limits are imposed. The purpose of this is to catch an authentication request and perform some action when a certain number of retransmissions from a NAS occur.

In particular, it may be useful to have a primary authentication server deny access (using the FAIL AATV) before a backup server starts to authenticate, allowing the backup server to back up just the primary and not the whole AAA system.

For example:

default_retry_limit=8 
default_retry_limit=0

Also refer to the default_seqch_limit variable.

default_seqch_limit

This variable limits reply-vector and reply-id changes when counting retransmissions. When the limit is exceeded, a RETRY event occurs on the request that should be handled by the built-in (default) FSM table.

For example:

default_seqch_limit=3 
default_seqch_limit=0

Also refer to the default_retry_limit variable.

global_acct_q.limit

This variable sets the maximum number of simultaneous accounting requests to be handled by the system. When this limit is exceeded, the requests are dropped with a message in the logfile.

For example:

global_acct_q.limit=2400

global_auth_q.limit

Set the maximum number of active authentication requests to be handled by the system. When this limit is exceeded, an access-reject reply is returned and a message added to the logfile.

NOTE: When the authentication queue limit is exceeded, the server stops responding to the radcheck command.

For example:

global_auth_q.limit=1800

send_buffer_size

This variable reduces the send buffer size below its built-in default. It serves only as a debugging aid for a customized server configuration that might transmit very large packets, and it helps to test code intended to prevent an excessively large packet from corrupting the server.

The default send buffer size is 16K (16536 bytes). Limiting send_buffer_size to the UDP MTU of the network prevents excessively large packets from being forwarded (or replied to) in certain circumstances.

Network, DNS, and Other External Variables

Enable SNMP Support

The AAA server will automatically check the network for an SNMP master agent to communicate with when this option is enabled. The AAA server can also be monitored by an SNMP workstation when this option is enabled. Add the following to enable SNMP:

iaaa.SNMP
{
Enabled YES
}

dns_address_aging

This variable sets a base value (in seconds) used to periodically refresh DNS entries. To ensure that all client entries do not expire at once, zero, fifteen, thirty, or forty-five minutes is randomly added to the base value to determine when a DNS entry should be refreshed. The default value is one hour.

For example:

dns_address_aging=5400

ourhostname

By default, the AAA server determines its host name by calling gethostname(). On a multihomed host this may not return the correct name for the interface that the AAA server should use to send and listen for messages. The ourhostname variable sets the interface (DNS name or IP address) that a multihomed server should use.

For example:

ourhostname=interface1.radius.server.net

Server Load-Related Variables

radcheck

This variable enables (or disables) certain classes of reports produced by the radcheck command. Currently, only two classes of reports are affected. The plus (+) character enables a report, while the minus (-) character disables it:

+/-queues (default is + [enable]) 

This shows queue information such as: number of unique requests, number of queue overflows, number of duplicate requests, for all of the queues in the system (e.g., authentication and accounting).

If the number of accounting requests greatly exceeds the number of authentication requests, then a NAS/network configuration error is possible.

+/-packets (default is - [disable]) 

Show statistics about the number of octets/packets received, replied, forwarded, replies received, and redone. These counters are reset when the server is restarted.

For example:

radcheck=+packets 
radcheck=+queues
radcheck=-packets
radcheck=-queues

Tunneling Hints

This one-entry section (aatv.Tunneling) uses keywords to specify what the server should do with tunneling attributes configured as reply items for a user entry when the Access-Request contains no tunneling hints. The following entries are valid:

NO_HINT Return-Configured-Tunnel-Attributes
NO_HINT Return-No-Tunnel-Attributes
NO_HINT Reject-Access-Request

The default entry returns configured tunnel attributes.

How the Server Resolves Configured Tunnel Attributes and Client Hints

When tunneling hints exist in an Access-Request, attribute values will be returned to the client according to the following matrix:

Table 15-1 Tunnel Attributes & Client Hints Matrix

Scenario                            | Configured Attributes | Configured and Hints * | No Attributes
------------------------------------|-----------------------|------------------------|--------------
All hints match configured values   |           X           |                        |
Some hints match configured values  |                       |           X            |
No hints match configured values    |                       |           X            |
No configured attributes exist      |                       |                        |       X

* When both configured attribute values and hints are returned, unique attributes are consolidated, and when the same attribute is both configured and hinted, the configured attribute value is used.

The first column lists the possible scenarios that can occur when the server receives an Access-Request. The other columns indicate what tunneling attributes are used, those configured for a user or hints in the Access-Request, when different values are specified for the same attribute.

Add the following to reject all requests which do not contain tunneling hints in the Access-Request:

aatv.Tunneling
{
NO_HINT Reject-Access-Request
}
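As an added example (not the AAA server's own code), the following Python encodes the NO_HINT keywords and the Table 15-1 matrix so the outcome for a given user entry and Access-Request can be checked before a tunneling policy is deployed. The attribute names, values and the sample aatv.Tunneling text are constructed; treating the "No Attributes" column as "return no tunnel attributes" is my reading of the table.

```python
"""Resolve the tunnel attributes to return for an Access-Request.

Added example, not the AAA server's code. It encodes the NO_HINT keywords
and Table 15-1 as stated in this section: with no hints the NO_HINT policy
decides; if every hint matches a configured value only the configured
attributes are returned; otherwise configured values and hints are
consolidated with the configured value winning on overlap; with nothing
configured no tunnel attributes are returned (my reading of the
"No Attributes" column). Attribute names and values below are constructed.
"""
import re

RETURN_CONFIGURED = "Return-Configured-Tunnel-Attributes"
RETURN_NONE = "Return-No-Tunnel-Attributes"
REJECT = "Reject-Access-Request"
NO_HINT_KEYWORDS = (RETURN_CONFIGURED, RETURN_NONE, REJECT)

ACCESS_ACCEPT, ACCESS_REJECT = "Access-Accept", "Access-Reject"

# Matches the one-entry aatv.Tunneling section shown in the guide.
_NO_HINT_RE = re.compile(r"aatv\.Tunneling\s*\{\s*NO_HINT[ \t]+(\S+)\s*\}")


def no_hint_policy(config_text):
    """Return the NO_HINT keyword from an aatv.Tunneling section, or the
    documented default when the section is absent."""
    m = _NO_HINT_RE.search(config_text)
    if not m:
        return RETURN_CONFIGURED
    keyword = m.group(1)
    if keyword not in NO_HINT_KEYWORDS:
        raise ValueError(f"unknown NO_HINT keyword: {keyword}")
    return keyword


def resolve_tunnel_attributes(configured, hints, no_hint=RETURN_CONFIGURED):
    """configured: tunnel reply items for the user; hints: tunnel attributes
    carried in the Access-Request. Both are {attribute: value} dicts.
    Returns (reply code, attributes to put in the reply)."""
    if not hints:
        if no_hint == REJECT:
            return ACCESS_REJECT, {}
        if no_hint == RETURN_NONE:
            return ACCESS_ACCEPT, {}
        return ACCESS_ACCEPT, dict(configured)
    if not configured:
        return ACCESS_ACCEPT, {}                 # row 4: nothing configured
    if all(configured.get(k) == v for k, v in hints.items()):
        return ACCESS_ACCEPT, dict(configured)   # row 1: all hints match
    merged = dict(hints)                         # rows 2-3: consolidate,
    merged.update(configured)                    # configured value wins
    return ACCESS_ACCEPT, merged


# Constructed sample data.
CONFIGURED = {
    "Tunnel-Type": "L2TP",
    "Tunnel-Medium-Type": "IPv4",
    "Tunnel-Server-Endpoint": "lns.example.net",
}
HINTS_MATCHING = {"Tunnel-Type": "L2TP", "Tunnel-Medium-Type": "IPv4"}
HINTS_CONFLICTING = {"Tunnel-Type": "PPTP", "Tunnel-Private-Group-ID": "42"}
CONFIG_REJECT = "aatv.Tunneling\n{\nNO_HINT Reject-Access-Request\n}\n"

if __name__ == "__main__":
    policy = no_hint_policy(CONFIG_REJECT)
    print(resolve_tunnel_attributes(CONFIGURED, {}, policy))                 # rejected
    print(resolve_tunnel_attributes(CONFIGURED, HINTS_MATCHING, policy))     # configured only
    print(resolve_tunnel_attributes(CONFIGURED, HINTS_CONFLICTING, policy))  # consolidated
```

The conflicting case is the one worth checking: a NAS that hints Tunnel-Type PPTP for a user configured for L2TP still gets L2TP, because the configured value wins, but any attribute it hinted that the user entry does not configure (here Tunnel-Private-Group-ID) is passed through into the reply.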
© 2003 Hewlett-Packard Development Company, L.P.