I'm testing ACS servers and AAA admin authentication on a test switch using TACACS+.
Everything works very well, but I noticed that when I block access from my test switch to both our ACS servers, local login works but is very slow. I'm doing authorization for all commands:
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
When I enable debugging for TACACS events, I can see that with every command the switch tries to connect to the 1st ACS server, then the 2nd, and after 2x the timeout it tries local. I'm wondering why the state of the TACACS servers is not kept and why, with every command, it tries both of them again. In cases of severe network issues, I don't feel like waiting x seconds for every command I enter.
Is there a way I can speed this up without losing the functionality to perform authorization per command?
Using the tacacs-server host command, you can also configure the following options:
• Use the single-connection keyword to specify single-connection (only valid with CiscoSecure Release 1.0.1 or later). Rather than have the router open and close a TCP connection to the daemon each time it must communicate, the single-connection option maintains a single open connection between the router and the daemon. This is more efficient because it allows the daemon to handle a higher number of TACACS operations.
Note: The daemon must support single-connection mode for this to be effective; otherwise the connection between the network access server and the daemon will lock up or you will receive spurious errors.
• Use the port integer argument to specify the TCP port number to be used when making connections to the TACACS+ daemon. The default port number is 49.
• Use the timeout integer argument to specify the period of time (in seconds) the router will wait for a response from the daemon before it times out and declares an error.
Note: Specifying the timeout value with the tacacs-server host command overrides the default timeout value set with the tacacs-server timeout command for this server only.
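As an added illustration of the options quoted above (this is example configuration written for this answer, not from the original poster's switch or from Cisco's documentation), the following IOS snippet combines a shorter per-server timeout and single-connection with the per-command authorization from the question. The server addresses, the shared key and the timeout value are placeholders chosen for the example; the comments work through the worst-case delay a user sees when both servers are unreachable.

```cisco
! Example config (constructed for this answer); addresses and key are placeholders.
aaa new-model

! Shared secret for both ACS servers (placeholder value).
tacacs-server key EXAMPLE-SHARED-KEY

! Default wait per server is 5 seconds. With two servers that is 2 x 5 = 10 s
! before the switch falls through to "local" for every single command.
! Setting a per-host timeout of 2 s cuts the worst case to 2 x 2 = 4 s.
! The per-host value overrides the global "tacacs-server timeout" for that host only.
tacacs-server host 192.0.2.10 timeout 2 single-connection
tacacs-server host 192.0.2.11 timeout 2 single-connection

! single-connection keeps one TCP session open instead of a new one per command;
! only enable it if the ACS daemon supports it, otherwise expect lock-ups or
! spurious errors (see the note above).

! Login and per-command authorization, ACS first, local fallback when both
! servers fail. Local accounts must exist or the fallback has nothing to use.
username admin privilege 15 secret EXAMPLE-LOCAL-PASSWORD
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

! Optional: verify the effective timeouts and reachability before trusting them.
! show tacacs
! debug tacacs events
```

Shortening the timeout trades fallback speed for tolerance of slow servers: a 2 s timeout on a healthy but congested path can make the switch declare a server failed and answer from the local database even though ACS would have replied, so the value should be set with the real round-trip time to the ACS servers in mind, and `show tacacs` checked afterwards to confirm which server is actually answering.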
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: