ACS 4.2 and 3750x switches

Craig Le-Butt · ‎09-30-2013

Hi

We're still using ACS 4.2 for authenticating to switches.

Since we've been rolling out the 3750x we seem to be coming across speed issues.

It take 2-3 times as long to run a command on a 3705x using universalk9 15.0(1)

Once we remove the TACACS the speed of the switch is fine.

Have no issues using this script on the 3750's

aaa new-model
aaa authentication fail-message ^CFailed login. Try again.^C
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
aaa session-id common

!
tacacs-server host
tacacs-server key

We've checked line by line with a working switch on the same IOS.

We seem to get this accross 3 different sites, some work some don't

The management is in it's own vlan 4000 which is routed around the network, but it we put a management address for the switch in out of vlan 1, there is now speed issues. We just can't find the issue, any help would be much appreciated.

Marvin Rhoads · ‎09-30-2013

Hmm. Are you set on 15.0(1)? It was a bit buggy release and there is at least one TACACS-specific bug that is resolved in a later release.

15.0(2)SE4 woud be a good target image.

If you don't have the option of that, I would turn on tacacs debug while the problem occurs on a switch and examine the output for clues.

Also, you didn't mention are you using the Ethernet management (physical port) on your 3750X's?