Ike preshared keys with radius - no cache / short lifetime?

Unanswered Question
May 15th, 2009

I've configured a 7400 using http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080094ce2.shtml

I have RADIUS authorization of preshared keys working, using the configs and RADIUS profiles in the document, except that I have added L2TP to it (I'm using L2TP/IPsec). But it's the IPsec bit that concerns me.

My question is around when the box goes to RADIUS to get keys. It appears to only do so the first time it sees an identity. If, for example, I set up a session successfully, then let the SAs expire (testing with a short SA lifetime), and in the meantime change the preshared key on the RADIUS server, the second time I bring up the session all of IPsec still comes up (even though the preshared key on RADIUS has been changed and no longer matches the one presented by the identity). From debug aaa, and from debug on the RADIUS server, it doesn't ask RADIUS for the preshared key the second time it sees a session from the same ID. It must be caching it somehow. Can this be turned off?

Config attached.




