Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

The Cisco IOS version 12.2 AP bombards the AAA server with HTTP authentication requests

Core issue

This issue occurs due to the presence of Cisco bug ID CSCeb52431.

When the web GUI is used to manage a Cisco IOS  Access Point (AP) (for example the AP350, AP1100, and AP1200) and an Authentication, Authorization, Accounting (AAA) server to authenticate the HTTP accesses, the AP sends several authentication requests to the AAA server for each web page accessed.

If the AAA server is able to keep up with the extreme authentication load, which can be hundreds of requests, authentication succeeds.  If the AAA server (or network path to the server) is not able to keep up with the load, authentication requests can intermittently fail. This is seen widely when the TACACS+ protocol for authentication, is used, as it uses more CPU per authentication to process. It can also be seen with RADIUS authentication.

Also, if One-Time Password (OTP) authentication is used, authentication tends to fail. This is because access to the single web page generates many separate authentication requests, but only the first passes authentication because the password can only be used once.

Resolution

The Cisco IOS HTTP/AAA implementation requires that each separate HTTP connection be independently authenticated. The wireless Cisco IOS GUI involves many dozens of separate files referenced within a single web page (for example, Javascript and GIFs). As a result, loading a single page in the wireless Cisco IOS GUI can result in dozens and dozens of separate authentication or authorization requests that hit the AAA server.

This is a workaround for all Cisco IOS versions. For HTTP authentication, use RADIUS or local authentication. The RADIUS server is still subjected to the multiple authentication requests, but RADIUS is more scalable than TACACS+. This provides a less adverse performance impact.

If you must use TACACS+ and have a CiscoSecure ACS for Windows server, use the single-connection tacacs-server keyword. This spares the ACS server most of the TCP connection setup or teardown overhead and reduces the load on the server somewhat.

This bug was first found in versions 12.2(8)JA, 12.2(15)JA, 12.3(2)JA02. The fix for the bug is available in Cisco IOS version 12.3(7)JA and subsequent releases. Use the AAA Auth Cache feature to cache the information returned from the RADIUS or TACACS+ server.

This is an example:

aaa group server radius tac_admin
server 192.168.134.229
cache expiry 1
cache authentication profile admin_cache
cache authorization profile admin_cache
!
aaa authentication login default local cache tac_admin group tac_admin
aaa authorization exec default local cache tac_admin group tac_admin
aaa cache profile admin_cache
all

A Download and upgrade of the Cisco IOS version to either 12.3(7)JA  or any latest edition also helps solve this problem.

1163
Views
0
Helpful
0
Comments