This issue occurs due to the presence of Cisco bug ID CSCeb52431.
When the web GUI is used to manage a Cisco IOS Access Point (AP) (for example, the AP350, AP1100, and AP1200) and an Authentication, Authorization, and Accounting (AAA) server is used to authenticate HTTP access, the AP sends several authentication requests to the AAA server for each web page accessed.
If the AAA server is able to keep up with the extreme authentication load, which can be hundreds of requests, authentication succeeds. If the AAA server (or the network path to the server) is not able to keep up with the load, authentication requests can fail intermittently. This is widely seen when the TACACS+ protocol is used for authentication, because TACACS+ uses more CPU to process each authentication. It can also be seen with RADIUS authentication.
Also, if One-Time Password (OTP) authentication is used, authentication tends to fail. This is because access to the single web page generates many separate authentication requests, but only the first passes authentication because the password can only be used once.
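The following Python is an added example, not part of the original Cisco note. It scans exported AAA authentication records for the two symptoms described above: a burst of HTTP authentication requests from one AP for one user, and the one-time-password pattern in which only the first request of the burst passes. The log layout, addresses, usernames, and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a hypothetical CSV layout (not a real ACS format):
# timestamp,AP address,username,service,result
SAMPLE_LOG = """\
2004-05-01 10:00:00,10.0.0.5,admin,http,PASS
2004-05-01 10:00:00,10.0.0.5,admin,http,FAIL
2004-05-01 10:00:00,10.0.0.5,admin,http,FAIL
2004-05-01 10:00:01,10.0.0.5,admin,http,FAIL
2004-05-01 10:00:01,10.0.0.5,admin,http,FAIL
2004-05-01 10:02:10,10.0.0.6,ops,http,PASS
2004-05-01 10:02:10,10.0.0.6,ops,http,PASS
2004-05-01 10:02:11,10.0.0.6,ops,http,PASS
2004-05-01 10:02:11,10.0.0.6,ops,http,PASS
2004-05-01 10:05:00,10.0.0.7,bob,http,PASS
2004-05-01 10:05:40,10.0.0.7,bob,http,PASS
2004-05-01 10:06:00,10.0.0.7,bob,exec,PASS
"""

def parse(log_text):
    """Yield (time, ap, user, result) for HTTP authentication records only."""
    for line in log_text.strip().splitlines():
        ts, ap, user, service, result = line.split(",")
        if service == "http":
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ap, user, result

def find_bursts(log_text, gap_s=2, threshold=4):
    """Report runs of >= threshold requests per (AP, user) spaced <= gap_s apart."""
    by_key = defaultdict(list)
    for ts, ap, user, result in parse(log_text):
        by_key[(ap, user)].append((ts, result))
    findings = []
    for (ap, user), events in by_key.items():
        events.sort(key=lambda e: e[0])  # stable: keeps log order within a second
        bursts = [[events[0]]]
        for ev in events[1:]:
            if (ev[0] - bursts[-1][-1][0]).total_seconds() <= gap_s:
                bursts[-1].append(ev)
            else:
                bursts.append([ev])
        for burst in bursts:
            results = [r for _, r in burst]
            if len(results) >= threshold:
                # One PASS followed only by FAILs is the one-time-password symptom.
                otp = results[0] == "PASS" and set(results[1:]) == {"FAIL"}
                findings.append({"ap": ap, "user": user, "count": len(results),
                                 "otp_pattern": otp})
    return findings
```

Calling `find_bursts(SAMPLE_LOG)` reports the bursts from 10.0.0.5 and 10.0.0.6 and ignores the two widely spaced logins from 10.0.0.7.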
This workaround applies to all Cisco IOS versions: for HTTP authentication, use RADIUS or local authentication. The RADIUS server is still subjected to the multiple authentication requests, but RADIUS is more scalable than TACACS+, so the performance impact is less adverse.
If you must use TACACS+ and have a CiscoSecure ACS for Windows server, use the single-connection tacacs-server keyword. This spares the ACS server most of the TCP connection setup or teardown overhead and reduces the load on the server somewhat.
This bug was first found in versions 12.2(8)JA, 12.2(15)JA, 12.3(2)JA02. The fix for the bug is available in Cisco IOS version 12.3(7)JA and subsequent releases. Use the AAA Auth Cache feature to cache the information returned from the RADIUS or TACACS+ server.
This is an example:
aaa group server radius tac_admin
 server 192.168.134.229
 cache expiry 1
 cache authentication profile admin_cache
 cache authorization profile admin_cache
!
aaa authentication login default local cache tac_admin group tac_admin
aaa authorization exec default local cache tac_admin group tac_admin
aaa cache profile admin_cache
 all

Downloading and upgrading the Cisco IOS version to 12.3(7)JA or any later release also helps solve this problem.