Unanswered Question
Sep 9th, 2009
User Badges:


we are working as Remote operations engineer.

During normal conditions when Priamary link is up, we get access to AAA server, when primary link fails we login to the devices

using via back up link using line passswords, config is pasted below

My questionsis when ever we are using back up link( when primary fail) it take long time to promt for user name and password,

can any one tells me how to redue the time for login

aaa new-model

aaa authentication login default group tacacs+ line

aaa authentication login no_tacacs line

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 0 default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Vinay Sharma Wed, 09/09/2009 - 22:00
User Badges:
  • Gold, 750 points or more

HI Adhitya,

Whenever the authentication process starts, device first tries to send the authentication request to tacacs+ server. Since the tacacs+ server is not avilable, the device tries it 3 times i.e. 5 seconds for each try. That is the reason thier is a delay in the prompt. ONce the 3rd try is done, the device fallback to other method.

The deadtime period begins as soon as the last server in the AAA

server group has been marked as down (unresponsive). A server is

marked as down when the max-attempts value is reached and AAA fails to

receive a response. When the deadtime period expires, the AAA server

group is active and all requests are submitted again to the AAA servers

in the AAA server group.

This means each server in the list should be tried before the group

is marked dead.

The failover is depending on 2 values ie : " Server timeout " and " Failback

retry value ".


adhityakarthik Thu, 09/10/2009 - 19:20
User Badges:

Hi Vinay,

Thanks very much for the update.

I am L2 resource i am doing this project of bulding new acs server.

Could you please let me know how to configure server timeout or fallback retry value(Please share doc regd the same)

Can you please give ur email id

Thanks very much in advance for the help


Jatin Katyal Fri, 09/11/2009 - 05:39
User Badges:
  • Cisco Employee,

Hi Adhitya,

Here are the commnands:


Enter the number of times the server searches the list of TACACS+ servers before stopping.

tacacs-server retransmit retries

Set the interval the server waits for a TACACS+ server host to reply.

tacacs-server timeout seconds

Set the number of login attempts that can be made on the line.

tacacs-server attempts count

For more info:

Default timeout value is 5 sec

In order to calculate total delay before you are prompted for username/password; you would be require to run debugs on the device.

Debug aaa authentication

debug aaa authorization

debug tacacs

term mon

Also provide the output of the below listed command

sh run | in tacacs




adhityakarthik Sun, 09/13/2009 - 21:35
User Badges:

Dear All,

Thanks very much to all for the valuble inputs.

Right now we are using ACS 3.1 and we are doing fresh instlaation to ACS 4.2

I am finding cisco documents bit diifficult to understand

can you please suggest me some good document for buliding new ACS 4.2 even if it is cisco



This Discussion