Throttling of AAA RADIUS Records

The Throttling of AAA (RADIUS) Records feature supports throttling of access (authentication and authorization) and accounting records that are sent to the RADIUS server. This feature allows a user to configure the appropriate throttling rate to avoid network congestion and instability; such as when there is insufficient bandwidth to accommodate a sudden burst of records generated from the router to the RADIUS server.

Information About Throttling of AAA RADIUS Records

Benefits of the Throttling of AAA RADIUS Records Feature

A Network Access Server (NAS), acting as RADIUS client, can generate a burst of accounting or access requests, causing severe network congestion or causing the RADIUS server to become overloaded with a burst of RADIUS traffic. This problem could be compounded when multiple NASs interact with the RADIUS servers.

The following conditions can trigger a sudden burst of RADIUS traffic:

  • An interface flap, which in turn brings down all the subscriber sessions and generates accounting requests for each subscriber.

  • The High Availability (HA) program generating a START record for every session that survived a switchover, such as the scenario described the preceding bullet.

A large number of generated requests can make the network unstable if there is insufficient bandwidth or if the RADIUS server is slow to respond. Neither the User Datagram Protocol (UDP) transport layer nor the RADIUS protocol has a flow control mechanism. The throttling mechanism provided by this feature provides a solution for these issues.

Throttling Access Requests and Accounting Records

The Throttling of AAA (RADIUS) Records feature introduces a mechanism to control packets (flow control) at the NAS level, which improves the RADIUS server performance.

Because of their specific uses, access requests and accounting records must be treated separately. Access request packets are time sensitive, while accounting record packets are not.

  • If a response to an access request is not returned to the client in a timely manner, the protocol or the user will time out, impacting the device transmission rates.

  • Accounting records packets are not real-time critical.

When configuring threshold values on the same server, it is important to prioritize threshold values for the handling of the time-sensitive access request packets and to place a lesser threshold value on the accounting records packets.

In some cases, when an Internet Service Provider (ISP) is using separate RADIUS servers for access requests and accounting records, only accounting records throttling may be required.

Summary

  • The Throttling of AAA (RADIUS) Records is disabled, by default.

  • Throttling functionality can be configured globally or at server group level.

How to Configure Throttling of AAA RADIUS Records

This section describes how to configure throttling of access (authentication and authorization) and accounting records that are sent to the RADIUS server for both, global and server groups.

Server-group configurations are used to enable or disable throttling for a particular server group and to specify the threshold value for that server group.


Note

Server-group configurations override any configured global configurations.

Throttling Accounting and Access Request Packets Globally

To globally configure the throttling of accounting and access request packets, perform the following task.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. radius-server throttle { accounting threshold ] [access threshold [access-timeout number-of-timeouts ]]}
  4. exit

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 3

radius-server throttle { accounting threshold ] [access threshold [access-timeout number-of-timeouts ]]}

Example:


Router(config)# radius-server throttle accounting 100 access 200 access-timeout 2

Configures global throttling for accounting and access request packets.

For this example:

  • The accounting threshold value (the range is 0-65536) is set to 100, and the access threshold value is set to 200.

Note

 

The default threshold value is 0 (throttling disabled).

  • The number of timeouts per transaction value (the range is 1-10) is set to 2.

Step 4

exit

Example:


Router(config)# exit

Exits global configuration mode.

Throttling Accounting and Access Request Packets Per Server Group

The following server-group configuration can be used to enable or disable throttling for a specified server group and to specify the threshold value for that server group.

To configure throttling of server-group accounting and access request packets, perform the following task.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa group server radius server-group-name
  4. throttle {[accounting threshold ] [access threshold [access-timeout number-of-timeouts ]]}
  5. exit

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

aaa group server radius server-group-name

Example:


Device(config)# aaa group server radius myservergroup

Enters server-group configuration mode.

Step 4

throttle {[accounting threshold ] [access threshold [access-timeout number-of-timeouts ]]}

Example:


Device(config-sg-radius)# throttle accounting 100 access 200 access-timeout 2

Configures the specified server-group throttling values for accounting and access request packets.

For this example:

  • The accounting threshold value (the range is 0-65536) is set to 100, and the access threshold value is set to 200.

Note

 

The default threshold value is 0 (throttling disabled).

  • The number of time-outs per transaction value (the range is 1-10) is set to 2.

Step 5

exit

Example:


Device(config-sg-radius)# exit

Exits server-group configuration mode.

Configuration Examples for Throttling of AAA RADIUS Records

Throttling Accounting and Access Request Packets Globally Example

The following example shows how to limit the number of accounting requests sent to a server to 100: 


enable
configure terminal
radius-server throttle accounting 100

The following example shows how to limit the number of access requests packets sent to a server to 200 and sets the number of time-outs allowed per transactions to 2: 


enable
configure terminal
radius-server throttle access 200
radius-server throttle access 200 access-timeout 2

The following example shows how to throttle both accounting and access request packets: 


enable
configure terminal
radius-server throttle accounting 100 access 200

Throttling Accounting and Access Request Packets Per Server Group Example

The following example shows how to limit the number of accounting requests sent to server-group-A to 100: 


enable
configure terminal
aaa group server radius server-group-A
throttle accounting 100

The following example shows how to limit the number of access requests packets sent to server-group-A to 200 and sets the number of time-outs allowed per transactions to 2: 


enable
configure terminal
aaa group server radius server-group-A
throttle access 200 access-timeout 2

The following example shows how to throttle both accounting and access request packets for server-group-A: 


enable
configure terminal
aaa group server radius server-group-A
throttle accounting 100 access 200

Additional References

The following sections provide references related to the Throttling of AAA (RADIUS) Records feature.

Related Documents

Related Topic

Document Title

Security features

Cisco IOS XE Security Configuration Guide: Securing User Services, Release 2

Security commands

Cisco IOS Security Command Reference

Standards

Standard

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

--

MIBs

MIB

MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

--

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Feature Information for Throttling of AAA RADIUS Records

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for Throttling of AAA (RADIUS) Records

Feature Name

Releases

Feature Information

Throttling of AAA (RADIUS) Records

Cisco IOS XE Release 2.1

The Throttling of AAA (RADIUS) Records feature supports throttling of access (authentication and authorization) and accounting records that are sent to the RADIUS server. This feature allows a user to configure the appropriate throttling rate to avoid network congestion and instability; such as when there is insufficient bandwidth to accommodate a sudden burst of records generated from the Cisco IOS XE router to the RADIUS server.

In Cisco IOS XE Release 2.1, this feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers.

The following commands were introduced or modified by this feature: radius-server throttle, throttle