Cisco Support Community
Switch AAA authentication fallback to local slow

Hi,

I'm testing ACS servers and AAA doing admin authentication on a test switch using TACACS+.

Everything works very well, but I noticed that when I block access from my test switch to both of our ACS servers, local login works but is very slow. I'm doing authorization for all commands:

aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

When I enable debugging for TACACS events, I can see that with every command the switch tries to connect to the 1st ACS server, then the 2nd, and after 2x the timeout it tries local. I'm wondering why the state of the TACACS servers is not kept and with every command it tries both of them? In case of severe network issues, I don't feel like waiting x seconds for every command I enter.

Is there a way I can speed this up without losing the functionality to perform authorization per command?

Kr,

1 ACCEPTED SOLUTION



The tacacs-server timeout default is 5 seconds and the retries default is 3, so for each server failover, 30 seconds is what it will take.

In total it will take 60 seconds for each command.

tacacs-server timeout <seconds>

http://www.cisco.com/en/US/products/ps5989/products_configuration_guide_chapter09186a008074a898.html#wp1737158

Tweak the retries and timeout to get a better time on the commands.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed

2 REPLIES


Cisco Employee

Command:
Router(config)# tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]

Purpose:
Specifies a TACACS+ host.

Using the tacacs-server host command, you can also configure the following options:

- Use the single-connection keyword to specify single-connection (only valid with CiscoSecure Release 1.0.1 or later). Rather than have the router open and close a TCP connection to the daemon each time it must communicate, the single-connection option maintains a single open connection between the router and the daemon. This is more efficient because it allows the daemon to handle a higher number of TACACS operations.

  Note: The daemon must support single-connection mode for this to be effective; otherwise the connection between the network access server and the daemon will lock up or you will receive spurious errors.

- Use the port integer argument to specify the TCP port number to be used when making connections to the TACACS+ daemon. The default port number is 49.

- Use the timeout integer argument to specify the period of time (in seconds) the router will wait for a response from the daemon before it times out and declares an error.

  Note: Specifying the timeout value with the tacacs-server host command overrides the default timeout value set with the tacacs-server timeout command for this server only.
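Putting the accepted solution (tune the global tacacs-server timeout) together with the tacacs-server host syntax quoted above, here is an added configuration example. It is not from the original thread or from Cisco's documentation; it shows the default-timeout setup the poster effectively had next to a tuned version that uses a shorter global timeout, a per-host timeout override and the single-connection keyword, followed by the poster's own per-command authorization lines with local as the fallback method. The server addresses 192.0.2.11 and 192.0.2.12, the shared key, the local username and the use of a tacacs+-then-local login method are all placeholders and assumptions, not taken from the thread.

```cisco
! Added example (not from the thread): TACACS+ tuning so that per-command
! authorization falls back to "local" quickly when both ACS servers are down.
! Placeholders/assumptions: 192.0.2.11, 192.0.2.12, the key S3cr3tKey and
! the local user netadmin.
!
aaa new-model
!
! --- Default setting (what the poster effectively had) ---
! The global timeout defaults to 5 seconds, so with two servers every
! command waits for both to time out before the "local" method is tried.
! tacacs-server host 192.0.2.11 key S3cr3tKey
! tacacs-server host 192.0.2.12 key S3cr3tKey
!
! --- Tuned setting ---
! Lower the global timeout; it applies to any host without its own value.
tacacs-server timeout 2
! A per-host timeout overrides the global value for that host only, and
! single-connection reuses one TCP session to the daemon (the daemon must
! support it, otherwise expect lock-ups or spurious errors).
tacacs-server host 192.0.2.11 single-connection timeout 2 key S3cr3tKey
tacacs-server host 192.0.2.12 single-connection timeout 2 key S3cr3tKey
!
! Login authentication (assumed to match the poster's setup) and the
! poster's per-command authorization, each with "local" as the last method.
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! The "local" method only helps if a local account exists to match.
username netadmin privilege 15 secret S3cr3tLocalPassword
```

With both servers unreachable, each command still walks the whole server list before local authorization is consulted, so the per-command delay is roughly the sum of the per-host timeouts (about 4 seconds with the values above) rather than zero. The trade-off is that a healthy but slow ACS can now be declared unreachable by a congested network, so pick a timeout that is comfortably above the normal round trip to the servers, and verify the behaviour with the same debug tacacs events output the poster used, or with show tacacs, before rolling it out.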
