aaa authentication issue real world

itdaddyitdaddy Senior MemberMember Posts: 2,089 ■■■■□□□□□□
Hi guys, okay we have TACACs settings on our edge routers. if the edge router cannot access TACACs we have to of course log on locally but when you do it take like I am not kidding 2-3 minutes each time to enter in information. Like it keeps trying to find tacacs and wont let me in the router until it times out. How can I make it not take so long to log on locally with local credentials when it cant find TAC. IT drives me nutz when a client sees it takes so long for me to get in the router. they say WHAT is wrong with your router? I am embarrassed to say it is something I cant fix. Is there a trick to allow it to log on as fast as if I was connected to tacacas vs wating so freaking long since it cant find it but still searches. I think it is earch for tacacas until it failes and times out? what can I do? thanks guys.

Comments

  • DCDDCD Senior Member Member Posts: 469 ■■■■□□□□□□
    It depends on your company policy but you can change the local login to a local password or username and password and bypass tacac all together.
  • d4nz1gd4nz1g Padawan Member Posts: 464
    It is related to authorization. You could use RBAC instead so the router won't need to check every single command on the tacacs server.
  • mackenzaemackenzae Member Member Posts: 77 ■□□□□□□□□□
    In your method list you could always list to have it check local database first, and then tacacs+.
  • docricedocrice Random Member Member Posts: 1,706 ■■■■■■■■■■
    Specify a timeout value when configuring TACACS targets. Lots of vendor defaults like to attempt 3 times waiting 5 seconds each. Multiply that by the number of AAA hosts you point to. I find this generally a ridiculous default and trim it down quite considerably.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    doccrice you mean adjust this on the TACACS server right? nothing locally on the routers right?
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    mackenzae I will try this thanks yeah we have tacacs+ first maybe that wil fix this. thanks
  • PristonPriston Guest Member Posts: 999 ■■■■□□□□□□
    Switch(config)#tacacs-server timeout ?
    <1-1000> Wait time (default 5 seconds)

    Switch(config)#tacacs-server retransmit ?
    <0-100> Number of times to search the TACACS list (default 2)

    By default if you have 4 tacacs servers configured on your edge router it will take 40 seconds for it to fail.
    A.A.S. in Networking Technologies
    A+, Network+, CCNA
  • docricedocrice Random Member Member Posts: 1,706 ■■■■■■■■■■
    itdaddy wrote: »
    doccrice you mean adjust this on the TACACS server right? nothing locally on the routers right?

    In IOS, you use something like "tacacs-server timeout 3" to limit the wait time that the device hangs on each configured AAA target. In some newer IOS versions, you'd do:

    tacacs server my-aaa-server-01
    address ipv4 1.2.3.4
    key some-random-string-here
    timeout 3
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    you are a genius thanks somuch i will let u know how it goes
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    "tacacs-server timeout 10 ours is set to 10 no wonder I want to slit my wrist while waiting hahahaahha thanks man will change this when I have to go in and out all the time when link is down ; we bomgar in and fix so I have to wait and wait omgosh....embarrassing people alwasys ask wow your router is crap hahahahaha now I can fix this hhaah thanks men
Sign In or Register to comment.