12-08-2021 03:38 PM - edited 12-08-2021 03:42 PM
Hi all,
I built the following TACACS config for a customer as part of a LAN refresh project. It works fine when the TACACS servers are operational.
We had an incident where both TACACS servers weren't reachable, and the CLI was extremely slow to respond to any command when using the local credentials via SSH or console. Almost unusable.
I didn't have this issue when building the switches on the bench. It seems that when the management interface line protocol is down, it knows it can't reach the TACACS servers so doesn't even try, but when connected to the network, it attempts to contact the TACACS servers on every single command before timing out eventually.
Is there any way to mark the TACACS servers as 'dead' if it can't reach them? And only start pushing authentication and authorization requests to the server if they are responding? Or am I missing something in my config?
I know this is possible with the Wireless LAN Controllers.
aaa new-model
!
tacacs server CLEARPASS01
 address ipv4 10.45.234.198
 key 7 xxxxxxx
!
tacacs server CLEARPASS02
 address ipv4 10.45.159.198
 key 7 xxxxxxx
!
aaa group server tacacs+ CLEARPASS-TACACS
 server name CLEARPASS01
 server name CLEARPASS02
 ip tacacs source-interface Vlan187
!
aaa authentication login default group CLEARPASS-TACACS local
aaa authentication enable default group CLEARPASS-TACACS enable
aaa authorization console
aaa authorization exec default group CLEARPASS-TACACS local if-authenticated
aaa authorization commands 0 default group CLEARPASS-TACACS none
aaa authorization commands 1 default group CLEARPASS-TACACS local if-authenticated
aaa authorization commands 15 default group CLEARPASS-TACACS local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group CLEARPASS-TACACS
aaa accounting commands 15 default start-stop group CLEARPASS-TACACS
aaa accounting connection default start-stop group CLEARPASS-TACACS
aaa accounting system default start-stop group CLEARPASS-TACACS
!
line con 0
!
line vty 0 4
 exec-timeout 3 0
 transport input ssh
line vty 5 15
 exec-timeout 3 0
 transport input ssh
!
Regards,
Brett
12-08-2021 03:48 PM
Check whether AAA dead server detection will do the job for you.
Cheers