Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6162
Views
15
Helpful
4
Replies

TACACS

Go to solution
kerai08
Cisco Employee
Cisco Employee

‎04-27-2017 01:10 AM

Hi team,


My customer is asking on Cisco’s recommendation on using a ‘single-connection’ in TACACS+.


“We know that single connection will use a lower number of sockets/resources on the tacacs server, and single-connection seems to be referred to as “legacy” but we couldn’t find confirmation of the recommendation from Cisco”.


“If there is a mismatch between single-connection settings (on the tacacs server and the network device), what would happen in either case?”


Can you help me?


Thank you,

Arron

1 person had this problem
1 Accepted Solution

Accepted Solutions

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎04-28-2017 10:14 AM

Hi Arron,

Single Connect mode is for chatty devices. This is to minimize the number of TCP connections opened for duplicate transactions and retain the connection for AAA transactions. There are two modes legacy and TACACS+ draft, choose TACACS+ draft mode and not legacy for this.

There is no single connect mode on the network device. It is only on the server side. So if you think that you have a lot of unnecessary transactions from devices (or) any network device that is non-Cisco behaving incorrectly (or) using scripts to do administration that loops and is not controlled use this. Remember, this also consumes the TCP sockets so in a large environment you have to be careful to use this across network devices.

Hope it helps.

Thanks

Krishnan

View solution in original post

4 Replies 4

Go to solution
vrostowsky
Level 5
Level 5

‎04-27-2017 02:47 PM

Arron-

In single connection mode, multiple requests from a network device are multiplexed over a single TCP session. By default, this check box is unchecked.  (if it was Cisco recommendation, it wouldn't be unchecked by default)

as for mismatch, i don't usually specify that on the device side.  I would image it depend on the accounting stop-start commands sent back to ISE

HTH-

Vince

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎04-28-2017 10:14 AM

Hi Arron,

Single Connect mode is for chatty devices. This is to minimize the number of TCP connections opened for duplicate transactions and retain the connection for AAA transactions. There are two modes legacy and TACACS+ draft, choose TACACS+ draft mode and not legacy for this.

There is no single connect mode on the network device. It is only on the server side. So if you think that you have a lot of unnecessary transactions from devices (or) any network device that is non-Cisco behaving incorrectly (or) using scripts to do administration that loops and is not controlled use this. Remember, this also consumes the TCP sockets so in a large environment you have to be careful to use this across network devices.

Hope it helps.

Thanks

Krishnan

Go to solution
Alexey Savkin
Cisco Employee
Cisco Employee
In response to kthiruve

‎02-29-2020 01:50 PM - edited ‎02-29-2020 01:54 PM

>> There is no single connect mode on the network device. It is only on the server side.

Really? This is from IOS XE device (from my lab):

tacacs server ISE-01
  address ipv4 10.0.0.3
  key 7 ******
  single-connection
tacacs server ISE-02
  address ipv4 10.0.0.4
  key 7 ******
  single-connection

 

 

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to Alexey Savkin

‎03-01-2020 08:42 AM

Hi,

 

     "single connection" mode needs to be agreed upon the first packet exchange between the TACACS client and the TACACS server, if bot set the "Single Connect" Flag. IOS-XE has had this option since a very long time now.

 

Regards,

Cristian Matei.

Customers Also Viewed These Support Documents