Cisco Employee

TACACS

Hi team,


My customer is asking for Cisco's recommendation on using 'single-connection' in TACACS+.


“We know that single connection will use a lower number of sockets/resources on the tacacs server, and single-connection seems to be referred to as “legacy” but we couldn’t find confirmation of the recommendation from Cisco”.


“If there is a mismatch between single-connection settings (on the tacacs server and the network device), what would happen in either case?”


Can you help me?


Thank you,

Arron

Accepted Solution
Cisco Employee

Hi Arron,

Single Connect mode is for chatty devices. This is to minimize the number of TCP connections opened for duplicate transactions and retain the connection for AAA transactions. There are two modes, legacy and TACACS+ draft; choose TACACS+ draft mode and not legacy for this.

There is no single connect mode on the network device. It is only on the server side. So if you think that you have a lot of unnecessary transactions from devices, or any non-Cisco network device behaving incorrectly, or scripts doing administration that loop and are not controlled, use this. Remember, this also consumes TCP sockets, so in a large environment you have to be careful about using this across network devices.

Hope it helps.

Thanks

Krishnan


4 Replies
Contributor

Arron-

In single connection mode, multiple requests from a network device are multiplexed over a single TCP session. By default, this check box is unchecked. (If it were Cisco's recommendation, it wouldn't be unchecked by default.)

As for a mismatch, I don't usually specify that on the device side. I would imagine it depends on the accounting stop-start commands sent back to ISE.

HTH-

Vince



>> There is no single connect mode on the network device. It is only on the server side.

Really? This is from IOS XE device (from my lab):

tacacs server ISE-01
  address ipv4 10.0.0.3
  key 7 ******
  single-connection
tacacs server ISE-02
  address ipv4 10.0.0.4
  key 7 ******
  single-connection


Hi,

"Single connection" mode needs to be agreed upon during the first packet exchange between the TACACS client and the TACACS server, if both set the "Single Connect" flag. IOS-XE has had this option for a very long time now.

Regards,

Cristian Matei.
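As an added example (not code from the thread, from Cisco or from ISE), the following Python parses the 12-byte TACACS+ packet header defined in RFC 8907 and models the negotiation Cristian describes: the TCP connection is kept for further sessions only when both the client's first packet and the server's first reply carry TAC_PLUS_SINGLE_CONNECT_FLAG, so a mismatch simply falls back to one connection per session rather than breaking AAA. The field layout and flag values come from RFC 8907; the "legacy" branch is an assumption about what the ISE legacy option Krishnan mentions does (keep the connection without negotiating) and is labelled as such in the code. The headers fed through it are constructed sample values, not captures from the lab shown above.

```python
"""Added example: TACACS+ header parsing and single-connect negotiation.

Not code from the Cisco Community thread, from Cisco or from ISE.
Header layout and flag values: RFC 8907, sections 4.1 and 4.3.
"""
import struct
from dataclasses import dataclass

# RFC 8907 header constants
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # body is cleartext; should never appear in production
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04  # request/acknowledge multiplexing on one TCP connection
TYPE_NAMES = {0x01: "authentication", 0x02: "authorization", 0x03: "accounting"}
HEADER_LEN = 12


@dataclass(frozen=True)
class Header:
    major_version: int
    minor_version: int
    pkt_type: int
    seq_no: int
    flags: int
    session_id: int
    body_length: int

    @property
    def single_connect(self) -> bool:
        return bool(self.flags & TAC_PLUS_SINGLE_CONNECT_FLAG)

    @property
    def unencrypted(self) -> bool:
        return bool(self.flags & TAC_PLUS_UNENCRYPTED_FLAG)


def parse_header(raw: bytes) -> Header:
    """Decode the fixed 12-byte header: version, type, seq_no, flags, session_id, length."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short TACACS+ header")
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", raw[:HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    if major != TAC_PLUS_MAJOR_VER:
        raise ValueError(f"unexpected major version {major:#x}")
    if pkt_type not in TYPE_NAMES:
        raise ValueError(f"unknown packet type {pkt_type:#x}")
    return Header(major, minor, pkt_type, seq_no, flags, session_id, length)


def build_header(pkt_type: int, seq_no: int, session_id: int, body_length: int,
                 single_connect: bool = False, minor_version: int = 0) -> bytes:
    """Encode a header; used here only to construct sample packets."""
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    version = (TAC_PLUS_MAJOR_VER << 4) | minor_version
    return struct.pack("!BBBBII", version, pkt_type, seq_no, flags, session_id, body_length)


def connection_persists(client_first: Header, server_first: Header,
                        server_mode: str = "draft") -> bool:
    """Does the TCP connection stay open after this session completes?

    'draft'  : RFC 8907 behaviour, both sides must set the flag on the first exchange.
    'legacy' : ASSUMPTION about the ISE legacy option, server keeps the connection
               open regardless of whether the client negotiated.
    """
    if server_mode == "legacy":
        return True
    if server_mode == "draft":
        return client_first.single_connect and server_first.single_connect
    raise ValueError(f"unknown server mode {server_mode!r}")


def audit_first_packet(hdr: Header) -> list:
    """Defender-side sanity checks on the first client packet of a session."""
    warnings = []
    if hdr.unencrypted:
        warnings.append("TAC_PLUS_UNENCRYPTED_FLAG set: body is cleartext, reject in production")
    if hdr.seq_no != 1:
        warnings.append(f"first client packet should carry seq_no 1, got {hdr.seq_no}")
    return warnings


if __name__ == "__main__":
    # Constructed sample exchange: client asks for single-connect, server agrees.
    sid = 0x1A2B3C4D
    client = parse_header(build_header(0x01, 1, sid, 20, single_connect=True))
    server = parse_header(build_header(0x01, 2, sid, 16, single_connect=True))
    print("agreed:", connection_persists(client, server))
    # Mismatch: server did not set the flag; session still runs, connection is not reused.
    server_no = parse_header(build_header(0x01, 2, sid, 16))
    print("mismatch, draft mode:", connection_persists(client, server_no))
    print("warnings:", audit_first_packet(client))
```

The practical reading of the code: a mismatch in either direction is safe, the session still completes, only the connection reuse is lost. The check for TAC_PLUS_UNENCRYPTED_FLAG is the one header condition a monitoring tap should alert on, since it means the shared key is not being used at all.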