08-24-2010 06:47 PM - edited 03-10-2019 05:21 PM
Hi,
I have successfully configured a new Linux based Cisco Secure ACS server (version is 5.0.0.21 and Internal build: B.2757) and integrated it with AD. Both the internal users and the AD users are authenticating ok and are successfully logged onto the end devices on privilege level 15. The issue that I am getting is that for some strange reason AD users are taking too long (approx 38 secs) to get authenticated/authorised etc. Infact this was causing authentication issues previously as the tacacs timeout on the end device was set too low and thus the TACACS server response was timing out. I rectified this by increasing the TACACS timeout to around 25 secs which then resulted in successful TACACS authentication/authorisation.
The high response time is however very frustrating. We have an existing Windows based (4.2) TACACS server and when I point my end devices (routers, switches) to this old server it takes only a few seconds for authentication but with the new ACS server it takes close to 38 secs. I am suspecting it might be to do with AD integration as the internal users on the new server are working fine. There are no latency or networking issues with the new server as the pings are looking ok.
I have pasted my debug tacacs output obtained from the end device below. The first is with the new server (y.y.y.y) and the second is with the old (working) server (x.x.x.x) :
New Server:
4d09h: TAC+: send AUTHEN/START packet ver=192 id=64484812
4d09h: TAC+: Using default tacacs server-group "tacacs+" list.
4d09h: TAC+: Opening TCP/IP to y.y.y.y/49 timeout=25
4d09h: TAC+: Opened TCP/IP handle 0x80CCF630 to y.y.y.y/49
4d09h: TAC+: y.y.y.y (64484812) AUTHEN/START/LOGIN/ASCII queued
4d09h: TAC+: (64484812) AUTHEN/START/LOGIN/ASCII processed
4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = GETUSER
4d09h: TAC+: send AUTHEN/CONT packet id=64484812
4d09h: TAC+: y.y.y.y (64484812) AUTHEN/CONT queued
4d09h: TAC+: (64484812) AUTHEN/CONT processed
4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = GETPASS
4d09h: TAC+: send AUTHEN/CONT packet id=64484812
4d09h: TAC+: y.y.y.y (64484812) AUTHEN/CONT queued
4d09h: TAC+: (64484812) AUTHEN/CONT processed
4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = PASS
4d09h: TAC+: Closing TCP/IP 0x80CCF630 connection to y.y.y.y/49
4d09h: TAC+: using previously set server y.y.y.y from group tacacs+
4d09h: TAC+: Opening TCP/IP to y.y.y.y/49 timeout=25
4d09h: TAC+: Opened TCP/IP handle 0x80CCFAC4 to y.y.y.y/49
4d09h: TAC+: Opened y.y.y.y index=1
4d09h: TAC+: y.y.y.y (1028597070) AUTHOR/START queued
4d09h: TAC+: (1028597070) AUTHOR/START processed
4d09h: TAC+: (1028597070): received author response status = PASS_ADD
4d09h: TAC+: Closing TCP/IP 0x80CCFAC4 connection to y.y.y.y/49
4d09h: TAC+: Received Attribute "priv-lvl=15"
jontest#
Old (Working) Server:
4d09h: TAC+: send AUTHEN/START packet ver=192 id=1150277789
4d09h: TAC+: Using default tacacs server-group "tacacs+" list.
4d09h: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=25
4d09h: TAC+: Opened TCP/IP handle 0x80CD10D4 to x.x.x.x/49
4d09h: TAC+: x.x.x.x (1150277789) AUTHEN/START/LOGIN/ASCII queued
4d09h: TAC+: (1150277789) AUTHEN/START/LOGIN/ASCII processed
4d09h: TAC+: ver=192 id=1150277789 received AUTHEN status = GETUSER
4d09h: TAC+: send AUTHEN/CONT packet id=1150277789
4d09h: TAC+: x.x.x.x (1150277789) AUTHEN/CONT queued
4d09h: TAC+: (1150277789) AUTHEN/CONT processed
4d09h: TAC+: ver=192 id=1150277789 received AUTHEN status = GETPASS
4d09h: TAC+: send AUTHEN/CONT packet id=1150277789
4d09h: TAC+: x.x.x.x (1150277789) AUTHEN/CONT queued
4d09h: TAC+: (1150277789) AUTHEN/CONT processed
4d09h: TAC+: ver=192 id=1150277789 received AUTHEN status = PASS
4d09h: TAC+: Closing TCP/IP 0x80CD10D4 connection to x.x.x.x/49
4d09h: TAC+: using previously set server x.x.x.x from group tacacs+
4d09h: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=25
4d09h: TAC+: Opened TCP/IP handle 0x80CD1568 to x.x.x.x/49
4d09h: TAC+: Opened x.x.x.x index=1
4d09h: TAC+: x.x.x.x (551069827) AUTHOR/START queued
4d09h: TAC+: (551069827) AUTHOR/START processed
4d09h: TAC+: (551069827): received author response status = PASS_ADD
4d09h: TAC+: Closing TCP/IP 0x80CD1568 connection to x.x.x.x/49
4d09h: TAC+: Received Attribute "priv-lvl=15"
Any suggestions would be much appreciated.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide