This configuration method is preferred as it can be re-used amongst multiple applications (Subscriber authentication and accounting, L2TP tunnel accounting, WLAN gateway RADIUS proxy) and enables additional functionality not available in the legacy configuration method. For example:
A RADIUS server policy operational state can be controlled by reception of accounting on or off responses.
Buffering of accounting messages: When all servers in a radius-server-policy are unreachable, it is possible to buffer the acct-stop and acct-interim-update messages for up to 25 hours. When a RADIUS server becomes reachable again, the messages in the buffer are retransmitted.
A configurable hold-down time for accounting servers that are marked down, during which no new communication attempts are made (hold-down-time).
A configurable maximum number of outstanding RADIUS requests for accounting servers (pending-requests-limit).
Increased retry and timeout values for unsuccessful RADIUS communication.
Enhanced RADIUS server statistics
IPv6 RADIUS server
Where consecutive timeouts are defined by the number of retries configured below the RADIUS server policy servers.
The default number of retries is 3, meaning 1 initial try and 2 retries.
If, for example, the RADIUS server has "2 timeouts, 1 reply, 1 timeout", whereby the timeouts are originated for the same host, the server is not marked down because intermediate replies were received.
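A simplified model of the down-detection rule described above, added here as an illustration and not taken from SR OS. It assumes a server is marked down once the count of consecutive timeouts reaches the retry value and that attempts resume when hold-down-time expires; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ServerHealth:
    """Up/down tracking for one RADIUS server (assumed semantics, not SR OS code)."""
    retry: int = 3                 # 'retry 3': 1 initial try and 2 retries
    hold_down_time: float = 30.0   # 'hold-down-time sec 30'
    consecutive_timeouts: int = 0
    down_until: Optional[float] = None

    def usable(self, now: float) -> bool:
        """False while the server is marked down and its hold-down timer runs."""
        if self.down_until is not None and now >= self.down_until:
            self.down_until = None          # hold-down expired: attempts may resume
            self.consecutive_timeouts = 0
        return self.down_until is None

    def record(self, outcome: str, now: float) -> None:
        """Feed the result ('reply' or 'timeout') of one request to this server."""
        if outcome == "reply":
            self.consecutive_timeouts = 0   # an intermediate reply breaks the run
        elif outcome == "timeout":
            self.consecutive_timeouts += 1
            if self.consecutive_timeouts >= self.retry:
                self.down_until = now + self.hold_down_time
        else:
            raise ValueError(f"unknown outcome: {outcome!r}")


def replay(events, **settings) -> ServerHealth:
    """Replay constructed (time_sec, outcome) pairs; skip sends during hold-down."""
    server = ServerHealth(**settings)
    for now, outcome in events:
        if server.usable(now):
            server.record(outcome, now)
    return server


if __name__ == "__main__":
    # Constructed sequences, spaced by the 5-second timeout used on this page.
    mixed = replay([(0, "timeout"), (5, "timeout"), (10, "reply"), (15, "timeout")])
    print("2 timeouts, 1 reply, 1 timeout -> usable:", mixed.usable(15))
    dead = replay([(0, "timeout"), (5, "timeout"), (10, "timeout")])
    print("3 consecutive timeouts -> usable at t=20:", dead.usable(20))
    print("after hold-down (t=40) -> usable:", dead.usable(40))
```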
To attach a RADIUS server policy to an authentication policy:
For example:
configure
    subscriber-mgmt
        authentication-policy "auth-policy-1" create
            radius-server-policy "aaa-server-policy-1"
        exit
    exit
All commands in the radius-authentication-server context
accept-authorization-change
coa-script-policy
accept-script-policy
request-script-policy
The fallback-action command, which specifies the action when no RADIUS server is available, is configured directly in the config>subscr-mgmt>auth-plcy CLI context.
To attach a RADIUS server policy to a RADIUS accounting policy:
For example:
configure
    subscriber-mgmt
        radius-accounting-policy "acct-policy-1" create
            radius-server-policy "aaa-server-policy-1"
        exit
    exit
All commands in the radius-accounting-server context
acct-request-script-policy
To configure the RADIUS servers in a RADIUS server policy:
For example:
configure
    aaa
        radius-server-policy "aaa-server-policy-1" create
            description "Radius AAA server policy"
            accept-script-policy "script-policy-2"
            acct-on-off oper-state-change
            acct-request-script-policy "script-policy-3"
            auth-request-script-policy "script-policy-1"
            no python-policy
            servers
                access-algorithm direct
                hold-down-time sec 30
                no ipv6-source-address
                retry 3
                router "Base"
                no source-address
                timeout sec 5
                buffering
                    acct-interim min 60 max 3600 lifetime 5
                    acct-stop min 60 max 3600 lifetime 5
                exit
                server 1 name "server-1"
                server 2 name "server-2"
            exit
        exit
    exit
To configure the RADIUS servers in the routing instance:
In the Base routing instance: config>router>radius-server.
In a VPRN routing instance: config>service>vprn 10>radius-server.
In the management routing instance (out of band): config>router management>radius-server.
For example:
configure
    router
        radius-server
            server "server-1" address 172.16.1.1 secret <shared secret> hash2 create
                accept-coa
                coa-script-policy "script-policy-4"
                description "Radius server 1"
                pending-requests-limit 4096
                acct-port 1813
                auth-port 1812
            exit
            server "server-2" address 172.16.1.2 secret <shared secret> hash2 create
                accept-coa
                coa-script-policy "script-policy-4"
                description "Radius server 2"
                pending-requests-limit 4096
                acct-port 1813
                auth-port 1812
            exit
        exit
    exit