https://community.cisco.com/t5/network-access-control/tacacs/m-p/3567342#M529990 <HTML><HEAD></HEAD><BODY><P>Arron-</P><P></P><P>In single connection mode, multiple requests from a network device are multiplexed over a single TCP session. By default, this check box is unchecked.&nbsp; (if it was Cisco recommendation, it wouldn't be unchecked by default) <IMG src="https://community.cisco.com/legacyfs/online/emoticons/wink.png" /></P><P>as for mismatch, i don't usually specify that on the device side.&nbsp; I would image it depend on the accounting stop-start commands sent back to ISE</P><P></P><P></P><P>HTH-</P><P></P><P>Vince</P></BODY></HTML> Thu, 27 Apr 2017 21:47:01 GMT vrostowsky 2017-04-27T21:47:01Z https://community.cisco.com/t5/network-access-control/tacacs/m-p/3567341#M529988 <HTML><HEAD></HEAD><BODY><P> <SPAN style="font-size: 10pt;">Hi team, </SPAN></P><P class="p2"><SPAN class="s1"></SPAN></P><P class="p1"><SPAN class="s1"><BR /></SPAN></P><P class="p1"><SPAN class="s1">My customer is asking on Cisco’s recommendation on using a ‘single-connection’ in TACACS+. </SPAN></P><P class="p2"><SPAN class="s1"></SPAN></P><P class="p1"><SPAN class="s1"><BR /></SPAN></P><P class="p1"><SPAN class="s1">“We know that single connection will use a lower number of sockets/resources on the tacacs server, and single-connection seems to be referred to as “legacy” but we couldn’t find confirmation of the recommendation from Cisco”. </SPAN></P><P class="p2"><SPAN class="s1"></SPAN></P><P class="p1"><SPAN class="s1"><BR /></SPAN></P><P class="p1"><SPAN class="s1">“If there is a mismatch between single-connection settings (on the tacacs server and the network device), what would happen in either case?” </SPAN></P><P class="p2"><SPAN class="s1"></SPAN></P><P class="p1"><SPAN class="s1"><BR /></SPAN></P><P class="p1"><SPAN class="s1">Can you help me? </SPAN></P><P class="p2"><SPAN class="s1"></SPAN></P><P class="p1"><SPAN class="s1"><BR /></SPAN></P><P class="p1"><SPAN class="s1">Thank you, </SPAN></P><P class="p1"><SPAN class="s1">Arron </SPAN></P></BODY></HTML> Thu, 27 Apr 2017 08:10:30 GMT https://community.cisco.com/t5/network-access-control/tacacs/m-p/3567341#M529988 kerai08 2017-04-27T08:10:30Z https://community.cisco.com/t5/network-access-control/tacacs/m-p/3567342#M529990 <HTML><HEAD></HEAD><BODY><P>Arron-</P><P></P><P>In single connection mode, multiple requests from a network device are multiplexed over a single TCP session. By default, this check box is unchecked.&nbsp; (if it was Cisco recommendation, it wouldn't be unchecked by default) <IMG src="https://community.cisco.com/legacyfs/online/emoticons/wink.png" /></P><P>as for mismatch, i don't usually specify that on the device side.&nbsp; I would image it depend on the accounting stop-start commands sent back to ISE</P><P></P><P></P><P>HTH-</P><P></P><P>Vince</P></BODY></HTML> Thu, 27 Apr 2017 21:47:01 GMT https://community.cisco.com/t5/network-access-control/tacacs/m-p/3567342#M529990 vrostowsky 2017-04-27T21:47:01Z https://community.cisco.com/t5/network-access-control/tacacs/m-p/3567343#M529995 <HTML><HEAD></HEAD><BODY><P>Hi Arron,</P><P></P><P>Single Connect mode is for chatty devices. This is to minimize the number of TCP connections opened for duplicate transactions and retain the connection for AAA transactions. There are two modes legacy and TACACS+ draft, choose TACACS+ draft mode and not legacy for this.</P><P></P><P>There is no single connect mode on the network device. It is only on the server side. So if you think that you have a lot of unnecessary transactions from devices (or) any network device that is non-Cisco behaving incorrectly (or) using scripts to do administration that loops and is not controlled use this. Remember, this also consumes the TCP sockets so in a large environment you have to be careful to use this across network devices.</P><P></P><P>Hope it helps.</P><P></P><P>Thanks</P><P>Krishnan</P></BODY></HTML> Fri, 28 Apr 2017 17:14:38 GMT https://community.cisco.com/t5/network-access-control/tacacs/m-p/3567343#M529995 kthiruve 2017-04-28T17:14:38Z https://community.cisco.com/t5/network-access-control/tacacs/m-p/4038069#M558471 <P>&gt;&gt; There is no single connect mode on the network device. It is only on the server side.<BR /><BR />Really? This is from IOS XE device (from my lab):<BR /><BR />tacacs server ISE-01<BR />&nbsp; address ipv4 10.0.0.3<BR />&nbsp; key 7 ******<BR />&nbsp; <STRONG>single-connection</STRONG><BR />tacacs server ISE-02<BR />&nbsp; address ipv4 10.0.0.4<BR />&nbsp; key 7 ******<BR />&nbsp; <STRONG>single-connection</STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> Sat, 29 Feb 2020 21:54:51 GMT https://community.cisco.com/t5/network-access-control/tacacs/m-p/4038069#M558471 Alexey Savkin 2020-02-29T21:54:51Z https://community.cisco.com/t5/network-access-control/tacacs/m-p/4038220#M558474 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp; &nbsp;"single connection" mode needs to be agreed upon the first packet exchange between the TACACS client and the TACACS server, if bot set the "Single Connect" Flag. IOS-XE has had this option since a very long time now.</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P> Sun, 01 Mar 2020 16:42:57 GMT https://community.cisco.com/t5/network-access-control/tacacs/m-p/4038220#M558474 Cristian Matei 2020-03-01T16:42:57Z