The RADIUS Server Load Balancing feature considers the server status when assigning batches. Transaction batches are sent
only to live servers. We recommend that you test the status of all RADIUS load-balanced servers, including low usage servers
(for example, backup servers).
Transactions are not sent to a server that is marked dead. A server is marked dead until its timer expires, at which time
it moves to quarantine state. A server is in quarantine until it is verified alive by the RADIUS automated tester functionality.
To determine if a server is alive and available to process transactions, the RADIUS automated tester sends a request periodically
to the server for a test user ID. If the server returns an Access-Reject message, the server is alive; otherwise the server
is either dead or quarantined.
A transaction sent to an unresponsive server is failed over to the next available server before the unresponsive server is
marked dead. We recommend that you use the retry reorder mode for failed transactions.
When using the RADIUS automated tester, verify that the authentication, authorization, and accounting (AAA) servers are responding
to the test packets that are sent by the network access server (NAS). If the servers are not configured correctly, packets
may be dropped and the server erroneously marked dead.
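The server states described above (live, dead, quarantine) can be traced with a small model. This is an added example, not Cisco code: the names Server, send_batch, deadtime_s and the rad-a/rad-b servers are hypothetical. It assumes, as a simplification, that a single missed response is enough to mark a server dead.

```python
from enum import Enum

class State(Enum):
    LIVE = "live"
    DEAD = "dead"
    QUARANTINE = "quarantine"

class Server:
    def __init__(self, name, deadtime_s):
        self.name = name
        self.deadtime_s = deadtime_s      # assumed length of the dead timer, in seconds
        self.state = State.LIVE
        self.dead_until = None

    def mark_dead(self, now):
        self.state = State.DEAD
        self.dead_until = now + self.deadtime_s

    def tick(self, now):
        # Dead-timer expiry moves the server to quarantine, not straight back to live.
        if self.state is State.DEAD and now >= self.dead_until:
            self.state = State.QUARANTINE

    def probe(self, reply):
        # reply is the answer to the test-user request: "Access-Reject" or None.
        # Only an Access-Reject verifies the server as alive.
        if reply == "Access-Reject":
            self.state, self.dead_until = State.LIVE, None

def send_batch(servers, responsive, now):
    """Return the name of the server that took the batch, or None.
    `responsive` is a constructed set of server names that answer."""
    failed, taker = [], None
    for s in servers:
        if s.state is not State.LIVE:
            continue                      # batches go only to live servers
        if s.name in responsive:
            taker = s.name
            break
        failed.append(s)                  # unresponsive: fail over to the next server
    for s in failed:
        s.mark_dead(now)                  # marked dead only after the failover
    return taker

def demo():
    a, b = Server("rad-a", 300), Server("rad-b", 300)
    trace = [send_batch([a, b], {"rad-b"}, now=0), a.state]   # rad-a is silent
    a.tick(now=300); trace.append(a.state)                    # dead timer expired
    trace.append(send_batch([a, b], {"rad-a", "rad-b"}, now=301))
    a.probe(None); trace.append(a.state)                      # probe unanswered
    a.probe("Access-Reject"); trace.append(a.state)           # verified alive
    return trace
```

In the trace, rad-a receives no batches while quarantined even though it is answering again; only the Access-Reject to the test probe returns it to service.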
Caution
We recommend that you use a test user that is not defined on the RADIUS server for the RADIUS server automated testing to
protect against security issues that may arise if the test user is not correctly configured.
Note
Use the test aaa group command to check load-balancing transactions.
The automate-tester username name probe-on command is used to verify the status of a server by sending RADIUS packets. After
this command is configured, a five-second dead timer is started and a RADIUS packet is sent to the external RADIUS server
after five seconds. The server state is updated if there is a response from the external RADIUS server. If there is no response,
the packets are sent out according to the timeout interval that is configured using the radius-server timeout command. This
will continue for 180 seconds, and if there is still no response, a new dead timer is started based on the configured
radius-server deadtime command.