TACACS

kerai08
Cisco Employee

Hi team,


My customer is asking for Cisco's recommendation on using 'single-connection' in TACACS+.


“We know that single connection will use a lower number of sockets/resources on the tacacs server, and single-connection seems to be referred to as “legacy” but we couldn’t find confirmation of the recommendation from Cisco”.


“If there is a mismatch between single-connection settings (on the tacacs server and the network device), what would happen in either case?”


Can you help me?


Thank you,

Arron

1 Accepted Solution

Accepted Solutions

kthiruve
Cisco Employee

Hi Arron,

Single Connect mode is for chatty devices. This is to minimize the number of TCP connections opened for duplicate transactions and retain the connection for AAA transactions. There are two modes, legacy and TACACS+ draft; choose TACACS+ draft mode and not legacy for this.

There is no single connect mode on the network device. It is only on the server side. So if you think that you have a lot of unnecessary transactions from devices, or any non-Cisco network device behaving incorrectly, or scripts doing administration that loop and are not controlled, use this. Remember, this also consumes the TCP sockets, so in a large environment you have to be careful about using this across network devices.

Hope it helps.

Thanks

Krishnan


4 Replies

vrostowsky
Level 5

Arron-

In single connection mode, multiple requests from a network device are multiplexed over a single TCP session. By default, this check box is unchecked. (If it were Cisco's recommendation, it wouldn't be unchecked by default.)

As for a mismatch, I don't usually specify that on the device side. I would imagine it depends on the accounting stop-start commands sent back to ISE.

HTH-

Vince


>> There is no single connect mode on the network device. It is only on the server side.

Really? This is from an IOS XE device (from my lab):

tacacs server ISE-01
  address ipv4 10.0.0.3
  key 7 ******
  single-connection
tacacs server ISE-02
  address ipv4 10.0.0.4
  key 7 ******
  single-connection

Hi,

"Single connection" mode needs to be agreed upon in the first packet exchange between the TACACS client and the TACACS server, if both set the "Single Connect" flag. IOS-XE has had this option for a very long time now.

 

Regards,

Cristian Matei.
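As an added example (not code from any of the posts above, nor Cisco's or ISE's), the flag exchange Cristian describes written out against RFC 8907: the 12-byte TACACS+ header with its flags byte, the MD5 pseudo-pad body obfuscation keyed by the shared secret, and the negotiation of TAC_PLUS_SINGLE_CONNECT_FLAG on the first request and first reply. The device-side `single-connection` keyword shown earlier in the thread is the client half of this negotiation. It also walks the two mismatch cases the original question asked about (client requests, server declines; server supports, client never asks). The session ID, shared key and body bytes are constructed sample values, not captured traffic.

```python
"""TACACS+ (RFC 8907) header, body obfuscation and single-connect negotiation.

Added example for this thread; not code from the original posts, Cisco or ISE.
Shared key, session_id and body below are constructed sample values.
"""
import hashlib
import struct

# Header layout, RFC 8907 section 4.1 (network byte order):
# version(1) type(1) seq_no(1) flags(1) session_id(4) length(4)
HEADER = struct.Struct("!BBBBII")
HEADER_LEN = HEADER.size  # 12 bytes

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0

TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_ACCT = 0x03

TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04


def build_header(pkt_type, seq_no, flags, session_id, body_len,
                 minor=TAC_PLUS_MINOR_VER_DEFAULT):
    """Pack a TACACS+ header. seq_no starts at 1 per session; replies are even."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    return HEADER.pack(version, pkt_type, seq_no, flags, session_id, body_len)


def parse_header(data):
    """Unpack a header, rejecting anything that is not TACACS+ major version 0xC."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("unsupported major version 0x%x" % (version >> 4))
    return dict(version=version, type=pkt_type, seq_no=seq_no, flags=flags,
                session_id=session_id, length=length)


def obfuscate(body, session_id, key, version, seq_no):
    """RFC 8907 section 4.5 body obfuscation. XOR is symmetric: same call decodes.
    pad_1 = MD5(session_id || key || version || seq_no)
    pad_n = MD5(session_id || key || version || seq_no || pad_{n-1})
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def negotiate_single_connect(client_flags, server_flags):
    """Outcome of the first request / first reply flag exchange (RFC 8907 4.3).

    Single-connect mode applies only when the client set the flag in its first
    packet AND the server echoed it in its first reply. The flag is a reply to a
    client request, so a server flag with no client request is just ignored.
    """
    client_wants = bool(client_flags & TAC_PLUS_SINGLE_CONNECT_FLAG)
    server_echoes = bool(server_flags & TAC_PLUS_SINGLE_CONNECT_FLAG)
    if client_wants and server_echoes:
        return "single-connect: keep the TCP connection, multiplex sessions"
    if client_wants:
        return "per-session: server declined, client closes after this session"
    if server_echoes:
        return "per-session: unsolicited server flag ignored, client never asked"
    return "per-session: neither side requested single-connect"


def first_exchange(client_supports, server_supports, session_id=0x1A2B3C4D):
    """Simulate the first request and first reply of a session on a new TCP
    connection and return (negotiated mode, flags the server actually sent)."""
    req_flags = TAC_PLUS_SINGLE_CONNECT_FLAG if client_supports else 0
    req_hdr = parse_header(build_header(TAC_PLUS_AUTHEN, 1, req_flags, session_id, 0))
    # A conforming server echoes the flag only if it supports single-connect
    # and the client asked for it in this first packet.
    echo = server_supports and bool(req_hdr["flags"] & TAC_PLUS_SINGLE_CONNECT_FLAG)
    rep_flags = TAC_PLUS_SINGLE_CONNECT_FLAG if echo else 0
    rep_hdr = parse_header(build_header(TAC_PLUS_AUTHEN, 2, rep_flags, session_id, 0))
    return negotiate_single_connect(req_hdr["flags"], rep_hdr["flags"]), rep_hdr["flags"]


if __name__ == "__main__":
    # Device configured with single-connection, server with Single Connect enabled:
    print(first_exchange(True, True))
    # Device configured with single-connection, server without (the mismatch case):
    print(first_exchange(True, False))
    # Server has Single Connect enabled, device never sets the flag:
    print(first_exchange(False, True))
    # Obfuscation round trip with a constructed key and body:
    enc = obfuscate(b"user=admin", 0x1A2B3C4D, b"secret", 0xC0, 1)
    print(obfuscate(enc, 0x1A2B3C4D, b"secret", 0xC0, 1))
```

Whichever side is missing the flag, the result is the same ordinary one-session-per-TCP-connection behaviour; a mismatch is not a failure, it simply means the connection is not retained after the first session.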