06-26-2014 06:25 AM - edited 03-10-2019 09:50 PM
Hi,
I'm testing ACS servers and AAA, doing admin authentication on a test switch using TACACS+.
Everything works very well, but I noticed that when I block access from my test switch to both our ACS servers, local login works but is very slow. I'm doing authorization for all commands:
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
When I enable debugging for TACACS events, I can see that with every command the switch tries to connect to the 1st ACS server, then the 2nd, and after 2x the timeout it tries local. I'm wondering why the state of the TACACS servers is not kept and why it tries both of them with every command. In cases of severe network issues, I don't feel like waiting x seconds for every command I enter.
Is there a way I can speed this up without losing the functionality to perform authorization per command?
Kr,
06-26-2014 09:31 AM
The tacacs-server timeout default is 5 seconds and retries is 3, so for each server failover, 30 seconds is what it will take.
In total it will take 60 seconds for each command.
tacacs-server timeout <seconds>
http://www.cisco.com/en/US/products/ps5989/products_configuration_guide_chapter09186a008074a898.html#wp1737158
Tweak the retries and timeout to get a better time on the commands.
Rate if Useful :)
Sharing knowledge makes you Immortal.
Regards,
Ed
06-26-2014 09:58 AM
Command | Purpose
---|---
Router(config)# tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string] | Specifies a TACACS+ host.

Using the tacacs-server host command, you can also configure the following options:
• Use the single-connection keyword to specify single-connection (only valid with CiscoSecure Release 1.0.1 or later). Rather than have the router open and close a TCP connection to the daemon each time it must communicate, the single-connection option maintains a single open connection between the router and the daemon. This is more efficient because it allows the daemon to handle a higher number of TACACS operations.
Note: The daemon must support single-connection mode for this to be effective; otherwise the connection between the network access server and the daemon will lock up or you will receive spurious errors.
• Use the port integer argument to specify the TCP port number to be used when making connections to the TACACS+ daemon. The default port number is 49.
• Use the timeout integer argument to specify the period of time (in seconds) the router will wait for a response from the daemon before it times out and declares an error.
Note: Specifying the timeout value with the tacacs-server host command overrides the default timeout value set with the tacacs-server timeout command for this server only.
02-08-2018 04:07 AM - edited 02-08-2018 04:33 AM
Hello,
I tried this on our 2960 switch and below is my config. The response was fast after testing failed reachability to the TACACS server.
aaa group server tacacs+ ise_server
server name ise01.company.org
server name ise02.company.org
!tacacs-server timeout 1 ------->not required <--------
tacacs server ise01.company.org
address ipv4 x.x.x.x
key cisco123
timeout 1 <-----------------------------
single-connection
tacacs server ise02.company.org
address ipv4 y.y.y.y
key cisco123
timeout 1 <-------------------------------
single-connection
Since we are using ISE as our TACACS server, another way to speed up is to remove authorization on your vty lines. I noticed this on line vty 0, where we didn't put the other AAA commands, but on line vty 1 4 we did. On my first login (vty 0) the response was fast; on the second and consecutive logins the response had a little delay.
line vty 0
exec-timeout 15 0
password 7 0508151D2E435A
authorization exec AAA
logging synchronous
login authentication AAA
transport input ssh
line vty 1 4
exec-timeout 15 0
password 7 0205174904091B
authorization commands 0 AAA
authorization commands 1 AAA
authorization commands 15 AAA
authorization exec AAA
logging synchronous
login authentication AAA
line vty 7 15
Thank you and regards,
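To see how the per-server timeout override from the quoted documentation plays out in a config like the one above, here is an added example (not from the thread or from Cisco) that parses `tacacs server` blocks and the global `tacacs-server timeout` from a running-config excerpt and adds up the effective timeouts, which is the delay before `local` is consulted when every server is unreachable and the switch makes one attempt per server, as the original poster observed in the debug output. The sample config, hostnames, addresses and key are constructed placeholders.

```python
"""Estimate the wait before IOS falls back to 'local' authorization
when every TACACS+ server is unreachable. Added example; not from
the thread or from Cisco. A per-server 'timeout' overrides the global
'tacacs-server timeout' for that server only (default 5 seconds)."""
import re
from typing import Dict, Optional

DEFAULT_TIMEOUT = 5  # IOS default for tacacs-server timeout (seconds)

# Constructed sample config; names, addresses and key are placeholders.
SAMPLE_CONFIG = """\
aaa group server tacacs+ ise_server
 server name ise01.example.org
 server name ise02.example.org
tacacs server ise01.example.org
 address ipv4 192.0.2.10
 key PLACEHOLDER_KEY
 timeout 1
 single-connection
tacacs server ise02.example.org
 address ipv4 192.0.2.11
 key PLACEHOLDER_KEY
 single-connection
"""


def parse_tacacs_timeouts(config: str) -> Dict[str, int]:
    """Map each 'tacacs server' name to its effective timeout."""
    m = re.search(r"^tacacs-server timeout (\d+)\s*$", config, re.M)
    global_timeout = int(m.group(1)) if m else DEFAULT_TIMEOUT
    servers: Dict[str, Optional[int]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("tacacs server "):
            current = line.split(maxsplit=2)[2].strip()
            servers[current] = None        # no per-server override yet
        elif current and line.startswith(" "):
            parts = line.split()
            if parts[:1] == ["timeout"]:
                servers[current] = int(parts[1])
        else:
            current = None                 # left the server block
    return {n: (t if t is not None else global_timeout)
            for n, t in servers.items()}


def worst_case_fallback_seconds(config: str) -> int:
    """Seconds before 'local' is tried when every server is down."""
    return sum(parse_tacacs_timeouts(config).values())
```

Running it on the sample shows ise02 silently inheriting the 5-second default because only ise01 carries a `timeout 1`, so the group still costs 6 seconds per command on total outage.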