Max sessions with more than one AAA server doesn't work, especially with
CSU. How can you guarantee that the same server will process the start and
stop records? It really is an impossible task when CS does not have any
feature to either check with the other server and checkpoint. Given the
fact that one or both of the servers may be down at some time, there can be
no absolute guarantee that any server knows the real session details.
Your only safeguard is the timeout interval for sessions. Basically, if you
do multiple AAA and don't have a concurrency mechanism, switch max sessions
CSU does not probe any boxes, no fingering, no SNMP. It just sits there and
waits for records and times out sessions when appropriate.
With the limitations of CSU in this area (having no checkpointing process
with either the NASes or other AAA server), attempting to introduce load
balancing, redundancy or any combination of the above (with max_sessions
enabled of course), whether manually load balancing boxes or automatically
doing it through L4/7 switches for example, is in conflict with the way AAA
works. It's not as easy as, say, persistent HTTP connections.
Load balancing, backup AAA etc. works great without max sessions. :)
Make sure you are using CSU 2.3(5).
> I am using Cisco Secure ACS on Solaris. Max_session does not seem to be working,
> because stop records are sometimes sent to the secondary AAA server.
> I am expecting that ACS will finger/SNMP the NAS when a new user logs in to
> double check max_session. Only server based max_session seems supported.
> Is there anyone who uses ACS for UNIX with a working max_session = 1?
> Please reply by mail.
> senol gulgonul
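
The failure discussed in this thread, as an added Python simulation that is not part of the original posts and is not Cisco Secure code: two AAA servers keep independent session tables with no checkpointing, so a stop record sent to the other server leaves a ghost session until the timeout, and a login handled by the other server is not counted at all. The `AAAServer` class, the timeout value and the user and session names are constructed assumptions.

```python
from dataclasses import dataclass, field

SESSION_TIMEOUT = 3600  # assumed session timeout in seconds (constructed value)
MAX_SESSIONS = 1

@dataclass
class AAAServer:
    """Hypothetical server that only knows the accounting records it received."""
    name: str
    sessions: dict = field(default_factory=dict)  # (user, session_id) -> start time

    def _expire(self, now):
        # The timeout is the only mechanism that clears sessions with no stop record.
        self.sessions = {k: t for k, t in self.sessions.items()
                         if now - t < SESSION_TIMEOUT}

    def authorize(self, user, now):
        """Allow a login only if this server's own table is under the limit."""
        self._expire(now)
        active = sum(1 for (u, _) in self.sessions if u == user)
        return active < MAX_SESSIONS

    def start(self, user, sid, now):
        self.sessions[(user, sid)] = now

    def stop(self, user, sid):
        # A stop for a session this server never saw matches nothing.
        return self.sessions.pop((user, sid), None) is not None

def stale_session_lockout():
    """Start goes to the primary, stop to the secondary: primary keeps a ghost."""
    primary, secondary = AAAServer("primary"), AAAServer("secondary")
    primary.start("alice", "s1", now=0)
    matched = secondary.stop("alice", "s1")             # stop lands on wrong server
    denied = not primary.authorize("alice", now=600)    # user is really offline
    recovered = primary.authorize("alice", now=SESSION_TIMEOUT)
    return matched, denied, recovered

def limit_not_enforced():
    """Second login is handled by the secondary, which has no record of the first."""
    primary, secondary = AAAServer("primary"), AAAServer("secondary")
    primary.start("alice", "s1", now=0)
    return secondary.authorize("alice", now=60)

if __name__ == "__main__":
    print("stop matched / relogin denied / cleared by timeout:", stale_session_lockout())
    print("second concurrent login allowed by secondary:", limit_not_enforced())
```
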