Switch AAA authentication fallback to local slow

askaerr (Level 1)

Hi,

I'm testing ACS servers and AAA doing admin authentication on a test switch using TACACS+.

Everything works very well, but I noticed that when I block access from my test switch to both of our ACS servers, local login works but is very slow. I'm doing authorization for all commands:

aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

When I enable debugging for TACACS events, I can see that with every command the switch tries to connect to the 1st ACS server, then the 2nd, and after 2x the timeout it tries local. I'm wondering why the state of the TACACS servers is not kept and why with every command it tries both of them? In cases of severe network issues, I don't feel like waiting x seconds for every command I enter.

Is there a way I can speed this up without losing the functionality to perform authorization per command?

Kr,

Accepted Solution

edwardcollins7 (Level 1)

The tacacs-server timeout default is 5 seconds and retries is 3, so for each server failover, 30 seconds is what it will take.

In total it will take 60 seconds for each command.

tacacs-server timeout <seconds>

http://www.cisco.com/en/US/products/ps5989/products_configuration_guide_chapter09186a008074a898.html#wp1737158

Tweak the retries and timeout to get a better time on the commands.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed


Excerpt from the Cisco configuration guide (tacacs-server host options):

Command:

Router(config)# tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]

Purpose:

Specifies a TACACS+ host.

Using the tacacs-server host command, you can also configure the following options:

Use the single-connection keyword to specify single-connection (only valid with CiscoSecure Release 1.0.1 or later). Rather than have the router open and close a TCP connection to the daemon each time it must communicate, the single-connection option maintains a single open connection between the router and the daemon. This is more efficient because it allows the daemon to handle a higher number of TACACS operations.

Note: The daemon must support single-connection mode for this to be effective; otherwise the connection between the network access server and the daemon will lock up or you will receive spurious errors.

Use the port integer argument to specify the TCP port number to be used when making connections to the TACACS+ daemon. The default port number is 49.

Use the timeout integer argument to specify the period of time (in seconds) the router will wait for a response from the daemon before it times out and declares an error.

Note: Specifying the timeout value with the tacacs-server host command overrides the default timeout value set with the tacacs-server timeout command for this server only.

Hello,

I tried this on our 2960 switch and below is my config. The response was fast after testing failed reachability to the TACACS server:

aaa group server tacacs+ ise_server
 server name ise01.company.org
 server name ise02.company.org
! tacacs-server timeout 1  <- not required, each server below sets its own timeout
tacacs server ise01.company.org
 address ipv4 x.x.x.x
 key cisco123
 ! per-server timeout, overrides the global default
 timeout 1
 single-connection
tacacs server ise02.company.org
 address ipv4 y.y.y.y
 key cisco123
 ! per-server timeout, overrides the global default
 timeout 1
 single-connection

Since we are using ISE as our TACACS server, another way to speed up is to remove authorization on your vty lines. I noticed this on line vty 0, where we didn't put the other AAA commands, but did on line vty 1 4. On my first login (vty 0) the response was fast; on the second and subsequent logins the response had a little delay.

 

line vty 0
exec-timeout 15 0
password 7 0508151D2E435A
authorization exec AAA
logging synchronous
login authentication AAA
transport input ssh

line vty 1 4
exec-timeout 15 0
password 7 0205174904091B
authorization commands 0 AAA
authorization commands 1 AAA
authorization commands 15 AAA
authorization exec AAA
logging synchronous
login authentication AAA
line vty 7 15

Thank you and regards,
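As an added example for this thread (it is not code from Cisco or from any of the posters above), the following Python script checks the two things the replies turn on: the accepted answer's point that the per-command wait is timeout multiplied by the attempts across every server before `local` is reached, and the last reply's vty observation. It parses both TACACS+ server syntaxes shown on this page (the one-line `tacacs-server host ... timeout N` form from the quoted guide and the `tacacs server NAME` / ` timeout N` form from the 2960 config), applies the documented rule that a per-server timeout overrides the global `tacacs-server timeout` (default 5 s), reports the worst-case wait before local fallback, and flags vty ranges whose `authorization commands` settings differ from the others. Assumptions: the server names, 192.0.2.x addresses and the sample configuration are constructed from the thread's snippets; the delay model simply sums the effective timeouts times an `attempts` count you pass in (the accepted answer counts 3 retries; confirm what your platform actually does with `debug tacacs` before relying on a number). Caveat a practitioner should keep in mind: a vty line with no `authorization commands` of its own uses the default method list if one is configured, and otherwise gets no command authorization at all, so the vty 0 speed-up in the reply above comes from skipping authorization there, not from a faster server.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_TIMEOUT = 5  # IOS default for `tacacs-server timeout`, in seconds

@dataclass
class TacacsServer:
    name: str
    timeout: Optional[int] = None  # None: inherits the global value

@dataclass
class VtyRange:
    first: int
    last: int
    cmd_levels: set = field(default_factory=set)  # levels with `authorization commands`

def parse_config(text):
    """Return (global_timeout, servers, vty_ranges) from running-config text. Accepts
    both `tacacs-server host ... timeout N` and `tacacs server NAME` / ` timeout N`."""
    global_timeout, servers, vtys, current = DEFAULT_TIMEOUT, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if re.match(r"(aaa|line|tacacs|interface|ip|end)\b", line):
            current = None  # any of these begins a new top-level block
        if m := re.match(r"tacacs-server timeout (\d+)$", line):
            global_timeout = int(m.group(1))
        elif m := re.match(r"tacacs-server host (\S+)(?:.*\btimeout (\d+))?", line):
            servers.append(TacacsServer(m.group(1), int(m.group(2)) if m.group(2) else None))
        elif m := re.match(r"tacacs server (\S+)$", line):
            current = TacacsServer(m.group(1))
            servers.append(current)
        elif m := re.match(r"line vty (\d+)(?: (\d+))?$", line):
            current = VtyRange(int(m.group(1)), int(m.group(2) or m.group(1)))
            vtys.append(current)
        elif isinstance(current, TacacsServer) and (m := re.match(r"timeout (\d+)$", line)):
            current.timeout = int(m.group(1))  # per-server value overrides the global one
        elif isinstance(current, VtyRange) and (m := re.match(r"authorization commands (\d+)", line)):
            current.cmd_levels.add(int(m.group(1)))
    return global_timeout, servers, vtys

def effective_timeouts(global_timeout, servers):
    """Timeout actually in force per server: its own value, else the global one."""
    return {s.name: global_timeout if s.timeout is None else s.timeout for s in servers}

def worst_case_delay(global_timeout, servers, attempts=1):
    """Seconds a command can wait before AAA falls through to `local` when every server
    is unreachable: servers are tried in order, each attempt waiting its full timeout.
    attempts=1 is one connect timeout per server; the accepted answer counts retries
    on top of that, so pass attempts=3 to reproduce its model."""
    return sum(effective_timeouts(global_timeout, servers).values()) * attempts

def vty_authorization_gaps(vtys):
    """Labels of vty ranges whose `authorization commands` levels differ from the most
    complete range seen, i.e. sessions landing there are authorized differently."""
    if not vtys:
        return []
    fullest = max((v.cmd_levels for v in vtys), key=len)
    return [f"vty {v.first}" if v.first == v.last else f"vty {v.first} {v.last}"
            for v in vtys if v.cmd_levels != fullest]

def report(config_text, attempts=1):
    g, servers, vtys = parse_config(config_text)
    out = [f"global tacacs-server timeout: {g}s"]
    out += [f"  {n}: effective timeout {t}s" for n, t in effective_timeouts(g, servers).items()]
    out.append(f"worst case before local fallback: {worst_case_delay(g, servers, attempts)}s "
               f"({attempts} attempt(s) per server)")
    out += [f"WARNING: {gap} lacks the per-command authorization set on the other vty lines; "
            "commands there use the default method list if one exists, otherwise none"
            for gap in vty_authorization_gaps(vtys)]
    return "\n".join(out)

# Constructed sample assembled from the thread's snippets (documentation addresses,
# the thread's placeholder key). ise02 sets no timeout and so inherits the 5 s default;
# the last server uses the one-line legacy syntax from the quoted configuration guide.
SAMPLE_CONFIG = """
aaa authorization commands 15 default group tacacs+ local
tacacs server ise01.company.org
 address ipv4 192.0.2.11
 key cisco123
 timeout 1
tacacs server ise02.company.org
 address ipv4 192.0.2.12
tacacs-server host 192.0.2.13 timeout 2 key cisco123
line vty 0
 authorization exec AAA
line vty 1 4
 authorization commands 1 AAA
 authorization commands 15 AAA
 authorization exec AAA
"""

if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
    print(report(SAMPLE_CONFIG, attempts=3))
```

Run it against the output of `show running-config` saved to a file (`report(open("switch.cfg").read())`); with the constructed sample the worst case is 1 + 5 + 2 = 8 s for a single attempt per server, and the report warns that `vty 0` carries no per-command authorization. The point the numbers make is the one the accepted answer makes: with the 5 s default on two servers the wait per command is already 10 s before any retries, so set `timeout` on each `tacacs server` (or the global `tacacs-server timeout`) rather than trimming authorization from some vty lines.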
