https://community.cisco.com/t5/network-access-control/switch-aaa-authentication-fallback-to-local-slow/m-p/2548206#M89705 <P>The tacacs-server timeout &nbsp;the default is 5 seconds and retries is 3, so for each server failover , 30 seconds is what it will take.</P><P>in total it will 60 seconds for each commands.</P><P><SPAN style="font-weight: bold; color: rgb(84, 84, 84); font-family: arial, sans-serif; font-size: small; line-height: 18.200000762939453px;">tacacs</SPAN><SPAN style="color: rgb(84, 84, 84); font-family: arial, sans-serif; font-size: small; line-height: 18.200000762939453px;">-</SPAN><SPAN style="font-weight: bold; color: rgb(84, 84, 84); font-family: arial, sans-serif; font-size: small; line-height: 18.200000762939453px;">server timeout &lt;seconds&gt;</SPAN></P><P>http://www.cisco.com/en/US/products/ps5989/products_configuration_guide_chapter09186a008074a898.html#wp1737158</P><P>Tweak the retries and timeout to get a better time on the commands.</P><P>Rate if Useful <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Sharing knowledge makes you Immortal.</P><P>Regards,</P><P>Ed</P> Thu, 26 Jun 2014 16:31:44 GMT edwardcollins7 2014-06-26T16:31:44Z https://community.cisco.com/t5/network-access-control/switch-aaa-authentication-fallback-to-local-slow/m-p/2548205#M89704 <P>Hi,</P><P>&nbsp;</P><P>I'm testing ACS servers and aaa doing admin authentication on a test switch using tacacs+.</P><P>Everything works very well but I noticed when I block access from my test switch to our both ACS servers, local login works but is very slow. I'm doing authorization for all commands:</P><P>&nbsp;</P><P><CODE>aaa authorization commands 1 default group tacacs+ local<BR />aaa authorization commands 15 default group tacacs+ local</CODE></P><P>&nbsp;</P><P>When I enable debugging for tacacs events, I can see with every command the switch tries to connect to the 1st ACS server, then the 2nd and after 2x the timeout it tries local. I'm wondering why the state of the tacacs servers is not kept and with every command he tries both of them? In cases of severe network issues, I don't feel like waiting x seconds for every command I enter.</P><P>Is there a way I can speed this up without losing the functionality to perform authorization per command?</P><P>&nbsp;</P><P>Kr,</P> Mon, 11 Mar 2019 04:50:04 GMT https://community.cisco.com/t5/network-access-control/switch-aaa-authentication-fallback-to-local-slow/m-p/2548205#M89704 askaerr 2019-03-11T04:50:04Z https://community.cisco.com/t5/network-access-control/switch-aaa-authentication-fallback-to-local-slow/m-p/2548206#M89705 <P>The tacacs-server timeout &nbsp;the default is 5 seconds and retries is 3, so for each server failover , 30 seconds is what it will take.</P><P>in total it will 60 seconds for each commands.</P><P><SPAN style="font-weight: bold; color: rgb(84, 84, 84); font-family: arial, sans-serif; font-size: small; line-height: 18.200000762939453px;">tacacs</SPAN><SPAN style="color: rgb(84, 84, 84); font-family: arial, sans-serif; font-size: small; line-height: 18.200000762939453px;">-</SPAN><SPAN style="font-weight: bold; color: rgb(84, 84, 84); font-family: arial, sans-serif; font-size: small; line-height: 18.200000762939453px;">server timeout &lt;seconds&gt;</SPAN></P><P>http://www.cisco.com/en/US/products/ps5989/products_configuration_guide_chapter09186a008074a898.html#wp1737158</P><P>Tweak the retries and timeout to get a better time on the commands.</P><P>Rate if Useful <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Sharing knowledge makes you Immortal.</P><P>Regards,</P><P>Ed</P> Thu, 26 Jun 2014 16:31:44 GMT https://community.cisco.com/t5/network-access-control/switch-aaa-authentication-fallback-to-local-slow/m-p/2548206#M89705 edwardcollins7 2014-06-26T16:31:44Z https://community.cisco.com/t5/network-access-control/switch-aaa-authentication-fallback-to-local-slow/m-p/2548207#M89706 <TABLE border="1" cellpadding="2" cellspacing="0" id="wp1000979table1000977" width="80%"><TBODY><TR align="left" valign="bottom"><TH scope="col"><DIV class="pCH1_CellHead1"><SPAN style="font-family:times new roman,times,serif;"><SPAN style="color: Black; font-style: normal; font-weight: bold; text-decoration: none; vertical-align: baseline;">Command</SPAN></SPAN></DIV></TH><TH scope="col">&nbsp;<DIV class="pCH1_CellHead1"><SPAN style="font-family:times new roman,times,serif;">Purpose</SPAN></DIV></TH></TR><TR align="left" valign="top"><TD>&nbsp;<P class="pExT_ExampleTable"><SPAN style="font-family:times new roman,times,serif;">Router(config)#&nbsp;<B class="cBold">tacacs-server host</B> <EM class="cEmphasis">hostname</EM> [<B class="cBold">single-connection</B>] [<B class="cBold">port</B> <EM class="cEmphasis">integer</EM>] [<B class="cBold">timeout</B> <EM class="cEmphasis">integer</EM>] [<B class="cBold">key</B> <EM class="cEmphasis">string</EM>]</SPAN></P></TD><TD>&nbsp;<P class="pB1_Body1"><SPAN style="font-family:times new roman,times,serif;">Specifies a TACACS+ host.</SPAN></P></TD></TR></TBODY></TABLE><P>&nbsp;</P><P class="pB1_Body1"><SPAN style="font-family:times new roman,times,serif;">Using the <B class="cBold">tacacs-server host</B> command, you can also configure the following options:</SPAN></P><P class="pBu1_Bullet1"><SPAN style="font-family:times new roman,times,serif;">•<IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="19" />Use the <B class="cBold">single-connection</B> keyword to specify single-connection (only valid with CiscoSecure Release&nbsp;1.0.1 or later). Rather than have the router open and close a TCP connection to the daemon each time it must communicate, the single-connection option maintains a single open connection between the router and the daemon. This is more efficient because it allows the daemon to handle a higher number of TACACS operations.</SPAN></P><DIV class="Note3"><SPAN style="font-family:times new roman,times,serif;"><IMG alt="" src="http://www.cisco.com/c/dam/en/us/td/i/templates/note.gif" /></SPAN></DIV><HR class="Note3" /><P class="pN3_Note3"><SPAN style="font-family:times new roman,times,serif;"><B>Note </B><IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="6" />The daemon must support single-connection mode for this to be effective, otherwise the connection between the network access server and the daemon will lock up or you will receive spurious errors.</SPAN></P><HR class="Note3" /><P class="pBu1_Bullet1"><SPAN style="font-family:times new roman,times,serif;">•<IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="19" />Use the <B class="cBold">port</B> <EM class="cCi_CmdItalic">integer</EM> argument to specify the TCP port number to be used when making connections to the TACACS+ daemon. The default port number is 49.</SPAN></P><P class="pBu1_Bullet1"><SPAN style="font-family:times new roman,times,serif;">•<IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="19" />Use the <B class="cBold">timeout</B> <EM class="cCi_CmdItalic">integer</EM> argument to specify the period of time (in seconds) the router will wait for a response from the daemon before it times out and declares an error.</SPAN></P><DIV class="Note3"><SPAN style="font-family:times new roman,times,serif;"><IMG alt="" src="http://www.cisco.com/c/dam/en/us/td/i/templates/note.gif" /></SPAN></DIV><HR class="Note3" /><P class="pN3_Note3"><SPAN style="font-family:times new roman,times,serif;"><B>Note </B><IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="6" />Specifying the timeout value with the <B class="cBold">tacacs-server host</B> command overrides the default timeout value set with the <B class="cBold">tacacs-server timeout</B> command for this server only.</SPAN></P> Thu, 26 Jun 2014 16:58:44 GMT https://community.cisco.com/t5/network-access-control/switch-aaa-authentication-fallback-to-local-slow/m-p/2548207#M89706 mohanak 2014-06-26T16:58:44Z https://community.cisco.com/t5/network-access-control/switch-aaa-authentication-fallback-to-local-slow/m-p/3327438#M89707 <P>Hello,<BR /><BR />i tried this on our 2960 switch and below is my config. and response was fast after testing failed reachability to tacacs server<BR /><BR /><BR /><BR />aaa group server tacacs+ ise_server<BR />server name ise01.company.org<BR />server name ise02.company.org<BR />!tacacs-server timeout 1 -------&gt;not required &lt;--------<BR />tacacs server ise01.company.org<BR />address ipv4 x.x.x.x<BR />key cisco123<BR />timeout 1 &lt;-----------------------------&nbsp;<BR />single-connection<BR />tacacs server ise02.company.org<BR />address ipv4 y.y.y.y<BR />key cisco123<BR />timeout 1 &lt;-------------------------------<BR />single-connection</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Since we are using ISE as our tacacs server, another way to speed up is to&nbsp;remove authorization on your vty lines. i noticed this&nbsp;on line vty&nbsp;0, we didnt&nbsp;put other AAA commands but on line&nbsp;vty 1 4. on my first login (vty 0) response was fast, on second and consecutive login response had little delay.</P> <P>&nbsp;</P> <P>line vty 0<BR />exec-timeout 15 0<BR />password 7 0508151D2E435A<BR />authorization exec AAA<BR />logging synchronous<BR />login authentication AAA<BR />transport input ssh</P> <P>line vty&nbsp;1 4<BR />exec-timeout 15 0<BR />password 7 0205174904091B<BR /> <FONT color="#000000"><STRONG>authorization commands 0 AAA</STRONG></FONT><BR /><FONT color="#000000"><STRONG> authorization commands 1 AAA</STRONG></FONT><BR /><FONT color="#000000"><STRONG> authorization commands 15 AAA</STRONG></FONT><BR />authorization exec AAA<BR />logging synchronous<BR />login authentication AAA<BR />line vty 7 15<BR /><BR />thank you and regards,</P> Thu, 08 Feb 2018 12:33:26 GMT https://community.cisco.com/t5/network-access-control/switch-aaa-authentication-fallback-to-local-slow/m-p/3327438#M89707 bbb bbb 2018-02-08T12:33:26Z