How to setup TACACS+ single-connect properly and safely

Arne Bier
VIP

Hello

DNAC/Cat Center is a very chatty product and it's constantly logging into devices to run many show commands.

Without single-connect, there will always be a 3-way TCP handshake for every command issued when command authorization is enabled. Below is a Wireshark capture of a DNAC-provisioned device executing a few successive show commands:

[Screenshot: ArneBier_2-1727126187738.png]

That made me think that perhaps it's time to investigate TACACS+ single-connect mode to lessen the network latency and make this setup run more efficiently. Below is the same thing with single-connect enabled:

[Screenshot: ArneBier_3-1727126267767.png]

I just haven't found a good technical guide that ties all the pieces together in such a way that I can make informed decisions - hoping that others can chime in and help me with the missing pieces below ...


In ISE, a DNAC-provisioned IOS-XE device looks like this, which makes you believe you are running single-connect:

[Screenshot: ArneBier_0-1727125425180.png]

But the IOS-XE config generated by DNAC does not enable single-connect, hence single-connect is not actually running:

tacacs server dnac-tacacs_172.22.131.174
 address ipv4 172.22.131.174
 key 7 ******************
 timeout 4

To activate single-connect mode, you must add the 'single-connection' keyword to the IOS-XE config:

tacacs server dnac-tacacs_172.22.131.174
 address ipv4 172.22.131.174
 key 7 *************
 timeout 4
 single-connection

I can see the results in Wireshark.

I have read various articles that say "use legacy", and others that say "use TACACS Draft Compliance Single.." - but I am looking for a technical answer to what the differences are, and what the implications are of using either. In Wireshark I could not see any differences.

The other thing is, what is the TCP connection limit in ISE? I have read 5000. Is that per PSN? Can it be increased?

Let's say it's 5000. If you have more than 5000 devices managed by DNAC, you might run into issues, unless you tune the TCP idle settings such that the sessions are cleared after DNAC sends its torrent of commands to a device. Perhaps, instead of the 5 min idle time, make it 1 min?

Assuming you have enough TCP connections in your ISE nodes, and DNAC polls a device every 10 minutes, then we should tune ISE such that it keeps the connection alive longer than the DNAC polling interval (e.g. 11 min).

But does that relate to the Session Timeout, or the Connection Timeout?

[Screenshot: ArneBier_1-1727125939547.png]

One would most likely enable single-connect for each device type (e.g. IOS-XE version) to ensure that it's behaving as expected, before rolling out across the entire network. Also, bear in mind that I am asking this from the perspective of a network that is managed by DNAC. If there is no regular network polling involved (i.e. just humans randomly logging into devices ad-hoc), then I don't really care about single-connect.
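As an added example (not part of the original post or of any Cisco tooling), here is a small audit script that parses `tacacs server` blocks from an IOS-XE running config and reports which servers lack the `single-connection` keyword, so a DNAC-generated config like the one quoted above can be checked before trusting what the ISE GUI shows. The sample config is constructed for the example; the second server name and address are made up.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt, modelled on the DNAC-generated
# block in the post: the first server lacks single-connection, the second has it.
SAMPLE_CONFIG = """\
hostname edge-sw-01
!
tacacs server dnac-tacacs_172.22.131.174
 address ipv4 172.22.131.174
 key 7 ******************
 timeout 4
!
tacacs server lab-tacacs
 address ipv4 192.0.2.10
 key 7 *************
 timeout 4
 single-connection
!
"""

def parse_tacacs_servers(config: str) -> Dict[str, Dict[str, object]]:
    """Return {server-name: {address, timeout, single_connection}} from IOS-XE config text."""
    servers: Dict[str, Dict[str, object]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^tacacs server (\S+)\s*$", line)
        if m:
            current = m.group(1)
            servers[current] = {"address": None, "timeout": None, "single_connection": False}
            continue
        if current is None or not line.startswith(" "):
            current = None  # a non-indented line ends the tacacs server sub-block
            continue
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:2] == ["address", "ipv4"] and len(tokens) == 3:
            servers[current]["address"] = tokens[2]
        elif tokens[0] == "timeout" and len(tokens) == 2:
            servers[current]["timeout"] = int(tokens[1])
        elif tokens[0] == "single-connection":
            servers[current]["single_connection"] = True
    return servers

def servers_without_single_connection(config: str) -> List[str]:
    """Names of tacacs server blocks that will open a new TCP connection per request."""
    return [name for name, attrs in parse_tacacs_servers(config).items()
            if not attrs["single_connection"]]

if __name__ == "__main__":
    for name in servers_without_single_connection(SAMPLE_CONFIG):
        print(f"{name}: single-connection not configured")
```

Feed it the output of `show running-config | section tacacs server` from each device to spot servers that ISE reports as single-connect but the device is not actually using that way.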
