cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2892
Views
8
Helpful
6
Replies

Slow response on AAA Authorization

anasubra_2
Level 1
Level 1

Hi,

We were configuring the AAA to use one of the TACACS server for authentication,authorization and accounting purpose. When we did the same, the command executed response become slow and even some times gives a message authorization failed. We thought, there should be useful information on the TACACS server to debug the same, but we were not able to find any message like that. The below is the config added and when we remove the configuration of AAA the login response and the command execution are good. We checked the path to reach from this router to TACACS server and seems good with no packet loss. Your asssistance would be really appreciated.

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

!

aaa session-id common

!

tacacs-server host <ip address> timeout 5

tacacs-server directed-request

tacacs-server key <key>

Regards

Anantha Subramanian Natarajan

6 Replies 6

Jagdeep Gambhir
Level 10
Level 10

Hi Anantha,

So you are getting "authorization failed" message and NOT "Command authorization failed " ?

Is it CAT3750 ? what is the IOS ver running on the box ?

Regards,

~JG

Hi JG,

Thanks for the response. Yes, the "% Authorization failed." is the message(frequent but not always).

The box is 7609 and the IOS running is 122-33.SRA2 (s72033-adventerprisek9_wan-mz.122-33.SRA2.bin).

Thanks

Regards

Anantha Subramanian Natarajan

Anantha,

On ACS, have you enabled "Single Connect TACACS+" for 7609 ? If yes, then disable it.

Also do you get this message during a specific configuration or its random.

eg. This error pops up only when you try to make any changes on the interfaces

Regards,

~JG

Hi JG,

Thanks for the reply.

Actually, I am not sure whether on our TACACS server,the single connect TACACS+ is enabled or not but I am just curious as the other router having same platform with same configuration details connecting to the same TACACS server is working fine.

The error message appears frequently and atleast not specific to some command. Infact every other time, it gives the error.

Our TACACS and SNMP engineer is suggesting to chenage the IOS as it seems have some identified bug related to the SNMP and hopefully we are planning to do the same.

Meantime , if you can know something more precise or any suggestions would be hugely appreciated.

Thanks

Regards

Anantha Subramanian Natarajan

Hi Anantha,

This error can also come if the connection between acs and router breaks.

Can you try a constant ping to ACS and see if there is any timeouts ? Just need to eliminate network issues.

Also on the router enable single-connection for that tacacs server:

tacacs-server host 172.18.173.112 single-connection

tacacs-server directed-request

tacacs-server key cisco

It is a better way to proceed when you are doing command authorization on a 7200. This way there will be one TCP connection, therefore eliminating the out of order packet and duplicate packet issue, and eliminating some strain on the ACS server.

Let me know how that goes !

All the best !

Regards,

~JG

Hi JG,

Sorry, I didn't gave the whole picture .. We did test the connectivity(Ping from the router(sourcing loopback used for TACACS) to the TACACS server and didn't had any timeouts.

We just tried the commands suggested and unfortunately seems the same.

Really appreciated for the help so far and would be changing the IOS.

Thanks

Regards

Anantha Subramanian Natarajan

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: