aaa authentication issue real world

itdaddy

Hi guys, okay we have TACACs settings on our edge routers. if the edge router cannot access TACACs we have to of course log on locally but when you do it take like I am not kidding 2-3 minutes each time to enter in information. Like it keeps trying to find tacacs and wont let me in the router until it times out. How can I make it not take so long to log on locally with local credentials when it cant find TAC. IT drives me nutz when a client sees it takes so long for me to get in the router. they say WHAT is wrong with your router? I am embarrassed to say it is something I cant fix. Is there a trick to allow it to log on as fast as if I was connected to tacacas vs wating so freaking long since it cant find it but still searches. I think it is earch for tacacas until it failes and times out? what can I do? thanks guys.

DCD

It depends on your company policy but you can change the local login to a local password or username and password and bypass tacac all together.

d4nz1g

It is related to authorization. You could use RBAC instead so the router won't need to check every single command on the tacacs server.

mackenzae

In your method list you could always list to have it check local database first, and then tacacs+.

docrice

Specify a timeout value when configuring TACACS targets. Lots of vendor defaults like to attempt 3 times waiting 5 seconds each. Multiply that by the number of AAA hosts you point to. I find this generally a ridiculous default and trim it down quite considerably.

itdaddy

doccrice you mean adjust this on the TACACS server right? nothing locally on the routers right?

itdaddy

mackenzae I will try this thanks yeah we have tacacs+ first maybe that wil fix this. thanks

Priston

Switch(config)#tacacs-server timeout ?
<1-1000> Wait time (default 5 seconds)

Switch(config)#tacacs-server retransmit ?
<0-100> Number of times to search the TACACS list (default 2)

By default if you have 4 tacacs servers configured on your edge router it will take 40 seconds for it to fail.

docrice

itdaddy wrote: »

doccrice you mean adjust this on the TACACS server right? nothing locally on the routers right?

In IOS, you use something like "tacacs-server timeout 3" to limit the wait time that the device hangs on each configured AAA target. In some newer IOS versions, you'd do:

tacacs server my-aaa-server-01
address ipv4 1.2.3.4
key some-random-string-here
timeout 3

itdaddy

you are a genius thanks somuch i will let u know how it goes

itdaddy

"tacacs-server timeout 10 ours is set to 10 no wonder I want to slit my wrist while waiting hahahaahha thanks man will change this when I have to go in and out all the time when link is down ; we bomgar in and fix so I have to wait and wait omgosh....embarrassing people alwasys ask wow your router is crap hahahahaha now I can fix this hhaah thanks men