ACS 4.2 QUESTION

Unanswered Question
Sep 9th, 2009

Hi,

we are working as remote operations engineers.

During normal conditions, when the primary link is up, we get access to the AAA server; when the primary link fails we log in to the devices

via the backup link using line passwords. The config is pasted below.

My question is: whenever we are using the backup link (when the primary fails) it takes a long time to prompt for username and password.

Can anyone tell me how to reduce the time for login?

aaa new-model

aaa authentication login default group tacacs+ line

aaa authentication login no_tacacs line

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 0 default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Adhitya

Vinay Sharma Wed, 09/09/2009 - 22:00

Hi Adhitya,

Whenever the authentication process starts, the device first tries to send the authentication request to the TACACS+ server. Since the TACACS+ server is not available, the device tries it 3 times, i.e. 5 seconds for each try. That is the reason there is a delay in the prompt. Once the 3rd try is done, the device falls back to the other method.

The deadtime period begins as soon as the last server in the AAA server group has been marked as down (unresponsive). A server is marked as down when the max-attempts value is reached and AAA fails to receive a response. When the deadtime period expires, the AAA server group is active and all requests are submitted again to the AAA servers in the AAA server group.

This means each server in the list should be tried before the group is marked dead.

The failover depends on 2 values, i.e. "Server timeout" and "Failback retry value".

Vinay

adhityakarthik Thu, 09/10/2009 - 19:20

Hi Vinay,

Thanks very much for the update.

I am an L2 resource; I am doing this project of building a new ACS server.

Could you please let me know how to configure the server timeout or fallback retry value (please share a doc regarding the same)?

Can you please give your email id?

Thanks very much in advance for the help

Adhitya

Jatin Katyal Fri, 09/11/2009 - 05:39

Hi Adhitya,

Here are the commands:

*****************************************

Enter the number of times the server searches the list of TACACS+ servers before stopping.

tacacs-server retransmit retries

Set the interval the server waits for a TACACS+ server host to reply.

tacacs-server timeout seconds

Set the number of login attempts that can be made on the line.

tacacs-server attempts count

For more info:

http://docstore.mik.ua/univercd/cc/td/doc/product/lan/c2900xl/29_35sa6/eescg/mascupf.htm#xtocid173290

Default timeout value is 5 sec.

In order to calculate the total delay before you are prompted for username/password, you would be required to run debugs on the device.

Debug aaa authentication

debug aaa authorization

debug tacacs

term mon

Also provide the output of the below listed command

sh run | in tacacs

HTH

Regards,

JK
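
As an added illustration (not code from the thread or from Cisco), the script below applies the model described in the replies above: every TACACS+ server in the group is tried a fixed number of times, each try waits for the configured timeout, and only then is the `line` method consulted. It parses constructed `sh run | in tacacs` output (the 10.0.0.x hosts and the key are placeholders), honours a per-host `timeout` over the global one, and returns the worst-case seconds before the login prompt appears; the 3 tries per server is an assumption taken from Vinay's reply and can be changed.

```python
import re

# Constructed "sh run | in tacacs" output; hosts and key are placeholders, not from the thread.
SAMPLE_RUN = """\
tacacs-server host 10.0.0.10
tacacs-server host 10.0.0.11 timeout 3
tacacs-server timeout 5
tacacs-server key 7 <redacted>
"""

def parse_tacacs_config(show_run, default_timeout=5):
    """Return (global_timeout, [(host, effective_timeout), ...]) from the filtered config."""
    hosts = []
    global_timeout = default_timeout  # 5 seconds is the default quoted in the thread
    for line in show_run.splitlines():
        line = line.strip()
        m = re.match(r"tacacs-server host (\S+)(.*)", line)
        if m:
            # Optional per-host "timeout N" overrides the global tacacs-server timeout.
            per_host = re.search(r"\btimeout (\d+)", m.group(2))
            hosts.append((m.group(1), int(per_host.group(1)) if per_host else None))
            continue
        m = re.match(r"tacacs-server timeout (\d+)$", line)
        if m:
            global_timeout = int(m.group(1))
    # Resolve hosts without their own timeout to the global value (which may appear later).
    return global_timeout, [(h, t if t is not None else global_timeout) for h, t in hosts]

def worst_case_fallback_delay(show_run, tries_per_server=3, default_timeout=5):
    """Seconds before the 'line' method is reached when every TACACS+ server is unreachable.

    Model (assumption, following the reply above): each server is tried tries_per_server
    times, each try waits its timeout, and the whole group is exhausted before fallback.
    """
    _, hosts = parse_tacacs_config(show_run, default_timeout)
    return sum(tries_per_server * timeout for _, timeout in hosts)

if __name__ == "__main__":
    print(parse_tacacs_config(SAMPLE_RUN))
    print(worst_case_fallback_delay(SAMPLE_RUN), "seconds until the line-password prompt")
```

Comparing the result against the debug timestamps JK suggests collecting shows whether lowering `tacacs-server timeout` or trimming the server list is what actually shortens the backup-link login.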

adhityakarthik Sun, 09/13/2009 - 21:35

Dear All,

Thanks very much to all for the valuable inputs.

Right now we are using ACS 3.1 and we are doing a fresh installation of ACS 4.2.

I am finding the Cisco documents a bit difficult to understand.

Can you please suggest some good document for building a new ACS 4.2, even if it is from Cisco?

Adhitya
