Script processing hierarchy – Cisco Access Registrar 3.5 User Manual

Cisco Access Registrar 3.5 Concepts and Reference Guide

OL-2683-02

Chapter 2 Understanding Cisco Access Registrar

Program Flow

The secondary server will not know about the current active sessions that are maintained on the
primary server. Any resources managed by the secondary server must be distinct from those
managed by the primary server, otherwise it will be possible to have two sessions with the same
resources (for example, two sessions with the same IP address).

The primary server will miss important information that allows it to maintain a correct model of
which sessions are currently active (because the authentication and accounting requests are being sent
to the secondary server). This means that when the primary server comes back online and the NAS begins
using it, its knowledge of which sessions are active will be out of date, and the resources for those
sessions remain allocated even if they are free to allocate to someone else.

For example, the user-session-limit resource may reject new sessions because the primary server
does not know that some of the users using the resource logged out while the primary server was off-line.
It may be necessary to release sessions manually using the aregcmd command release-session.

Note: It may be possible to avoid this situation by having a disk drive shared between two systems
with the second RADIUS server started up once the primary server has been determined to
be off-line. For more information on this setup, contact Technical Support.
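The requirement above that the secondary server's resources be distinct from the primary's can be checked before failover ever happens. The following is an added example, not code from the Cisco manual or from Access Registrar: it assumes each server's IP address pools have been written out by hand as inclusive start/end ranges, and the pool names, addresses and function names are hypothetical.

```python
"""Added example: audit primary/secondary address pools for overlap."""
from ipaddress import IPv4Address

# Constructed sample data: inclusive start/end ranges per server.
# Pool names and addresses are hypothetical, not from a real configuration.
PRIMARY = {"pool-a": [("10.1.0.1", "10.1.0.254")],
           "pool-b": [("10.1.2.1", "10.1.2.100")]}
SECONDARY = {"pool-c": [("10.1.1.1", "10.1.1.254")],
             "pool-d": [("10.1.2.50", "10.1.2.200")]}  # overlaps pool-b


def _flatten(pools):
    """Yield (pool_name, first, last) with addresses as integers."""
    for name, ranges in pools.items():
        for start, end in ranges:
            first, last = int(IPv4Address(start)), int(IPv4Address(end))
            if first > last:
                raise ValueError(f"{name}: range {start}-{end} is reversed")
            yield name, first, last


def find_overlaps(primary, secondary):
    """Return every address span that both servers could hand out."""
    overlaps = []
    for p_name, p_first, p_last in _flatten(primary):
        for s_name, s_first, s_last in _flatten(secondary):
            lo, hi = max(p_first, s_first), min(p_last, s_last)
            if lo <= hi:  # the inclusive ranges intersect
                overlaps.append({
                    "primary_pool": p_name,
                    "secondary_pool": s_name,
                    "first": str(IPv4Address(lo)),
                    "last": str(IPv4Address(hi)),
                    "addresses": hi - lo + 1,
                })
    return overlaps


if __name__ == "__main__":
    for o in find_overlaps(PRIMARY, SECONDARY):
        print("{primary_pool} and {secondary_pool} share {first}-{last} "
              "({addresses} addresses)".format(**o))
```

Any span it reports is a range in which the two servers could each assign the same IP address to a different session.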

Script Processing Hierarchy

For request packets, the script processing order is from the most general to the most specific. For
response packets, the processing order is from the most specific to the most general.

Table 2-6, Table 2-7, and Table 2-8 show the overall processing order and flow:
(1-6) Incoming Scripts, (7-11) Authentication/Authorization Scripts, and (12-17) Outgoing Scripts.

Note: The client and the NAS can be the same entity, except when the immediate client is acting
as a proxy for the actual NAS.

Table 2-6 Cisco Access Registrar Processing Hierarchy for Incoming Scripts

Overall Flow Sequence    Incoming Scripts
1)                       Radius
2)                       Vendor of the immediate client
3)                       Immediate client
4)                       Vendor of the specific NAS
5)                       Specific NAS
6)                       Service

Table 2-7 Cisco Access Registrar Processing Hierarchy for Authentication/Authorization Scripts

Overall Flow Sequence    Authentication/Authorization Scripts
7)                       Group Authentication
8)                       User Authentication
9)                       Group Authorization
