Re: Cisco ISE TACACS connection termination process

sondevi · ‎04-25-2019

HI Team,

I have a query regarding ISE or simple TACACS connection termination process. there are three scenarios, either the user abort/exit the connection by typing the command on NAD to terminate the connection OR leaves the connection idle for time being or close the NAD access terminal without terminating the connection using exit/quit command.

What process is followed to terminate the connection in 2nd and 3rd scenario. any default timeout value is set on NAD devices or ISE terminates the connection after specific timeout.

Tried to find out the exact information on many blogs/pages/rfc. any helpful link or info will be much appreciated.

sondevi · ‎04-26-2019

Hi Team,

any input please.

Arne Bier · ‎04-28-2019

If this is an IOS device, then the default behaviour is the exec session timeout under the vty section

e.g. example below will kick user out after 20 minutes. This is regardless of whether the user connected via TACACS or not.

You can probably override that with an AVPair but I haven't a clue (never done it myself).

The behaviour might be different on every vendor kit (even on a Cisco WLC for example)

line vty 0 4
 exec-timeout 20 0
 privilege level 15
 logging synchronous
 transport input ssh
 transport output ssh