I'm running ACS 3.3. I have a bunch of Catalyst 3550 and 3560 switches, some running IOS 12.1(19)EA1c and others running IOS 12.2(20)SE1.
All are configured for TACACS+ as follows:
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default stop-only group tacacs+
tacacs-server host 10.1.1.1
tacacs-server timeout 2
tacacs-server directed-request
tacacs-server key CISCO
All works fine; however, the "timeout" value above seems to be ignored on switches running 12.2(20)SE1. It should be that if the TACACS+ server (10.1.1.1) goes down, the switch will fall back to using local authentication after 2 secs. However, it seems to be fixed at 30 secs.
Note that it works fine on 12.1(19)EA1c but always seems fixed at 30 secs on 12.2(20)SE1. This makes it really annoying when TACACS+ is unavailable and you're trying to configure a switch, especially if you're doing command authorization.
Wondering if anyone else has this problem and whether Cisco is aware of it?
Thanks.
PAUL G.
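A small audit script for the situation described in the post, added here as an example and not part of the original thread: it parses the posted AAA stanza, computes the worst-case wait before IOS gives up on TACACS+ (assumed to be each listed server tried in turn for its own or the global timeout), checks that the login method list ends in a local fallback, and flags a measured fallback delay that exceeds what the configuration allows. The config text and the 30 s observation are constructed from the post; the IOS default timeout of 5 s is assumed.

```python
import re

# Constructed sample input: the AAA/TACACS+ stanza from the post above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ if-authenticated none
tacacs-server host 10.1.1.1
tacacs-server timeout 2
tacacs-server key CISCO
"""
IOS_DEFAULT_TIMEOUT = 5  # seconds; assumed IOS default when no 'tacacs-server timeout' is set

def parse_aaa(config):
    """Return (servers, global timeout, AAA method lists) from an IOS config text."""
    servers, timeout, lists = [], IOS_DEFAULT_TIMEOUT, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"tacacs-server host (\S+)(?:.*\btimeout (\d+))?", line):
            servers.append((m.group(1), int(m.group(2)) if m.group(2) else None))
        elif m := re.match(r"tacacs-server timeout (\d+)$", line):
            timeout = int(m.group(1))
        elif m := re.match(r"aaa (authentication|authorization) (\S+)(?: (\d+))? (\S+) (.+)", line):
            kind, sub, level, name, rest = m.groups()
            toks, methods = rest.split(), []
            while toks:  # 'group <name>' is one method; line/enable/none are single tokens
                n = 2 if toks[0] == "group" else 1
                methods.append(" ".join(toks[:n]))
                del toks[:n]
            lists[" ".join(t for t in (kind, sub, level, name) if t)] = methods
    return servers, timeout, lists

def expected_fallback_seconds(servers, timeout):
    """Worst case before IOS moves past TACACS+: every server tried in turn, each for its own or the global timeout."""
    return sum(t if t is not None else timeout for _, t in servers)

def audit(config, observed_fallback=None):
    """Return (expected fallback seconds, findings) for a config and an optional measured fallback delay."""
    servers, timeout, lists = parse_aaa(config)
    findings = []
    login = lists.get("authentication login default", [])
    if not login or login[-1].startswith("group "):
        findings.append("login has no local fallback method after TACACS+")
    expected = expected_fallback_seconds(servers, timeout)
    if observed_fallback is not None and observed_fallback > expected:
        findings.append(f"fallback took {observed_fallback}s but config allows {expected}s: "
                        "tacacs-server timeout is not being honoured")
    return expected, findings
```

Running `audit(SAMPLE_CONFIG, observed_fallback=30)` reproduces the poster's complaint as a finding, while the same config with a 2 s observation is clean.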