04-02-2012 11:18 AM - edited 03-10-2019 06:57 PM
I'm sure something is missing, but I've given it a stab and can't figure it out. Scenario: I am configuring a switch to be sent to a site. I have my cookie-cutter config on it and it's not connected to the network. When I log in via ssh cable between laptop and switch, it takes a really long time before I can get to privileged EXEC mode. I'm sure it is because the request to log in cannot communicate with the tacacs server. So I ask, given the below config, what can I change to speed up the login for a device that cannot communicate with tacacs?
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
Thanks!
04-02-2012 11:41 AM
I suggest reducing "tacacs-server timeout" and "tacacs-server retransmits".
It takes a long time because the IOS will retry and wait before declaring the tacacs server dead. Reducing those timers will reduce wait time.
Nicolas
04-02-2012 12:45 PM
That didn't work, Nicolas. I think the "tacacs-server retransmit" was deprecated in 12.2; it's not an option. I have tried the following and still no go.
tacacs-server host x.x.x.x single-connection timeout 3
tacacs-server timeout 3
I timed it and it takes 10-30 seconds after I log in before I get a password prompt.
When I put the password in, it takes 10 seconds and puts me in user EXEC mode.
I type enable and it takes 1 minute before I get a login prompt.
I thought since this was a new switch with time not configured that was the problem, so I configured it and still no go. This is not a big deal; it just bothers me not having an answer. Thanks for your help.
04-02-2012 02:02 PM
You should try the "deadtime" command, by default = 0.
aaa group server tacacs+ ACS
 server 10.10.10.10
 deadtime 1
Please rate if it helps. Kind regards
07-09-2018 07:29 AM
Since the device is not yet in the network, it's obvious that it won't reach the tacacs servers specified (if specified; I don't see the tacacs-server host x.x.x.x commands that specify the servers). The device will then hang until it reaches the tacacs timeout. I prefer leaving tacacs out until I confirm that I can reach the tacacs servers when the device is in the network.
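An added example, not part of any post above and not Cisco's code: a small Python check that reads the AAA lines quoted in this thread and lists every method list that asks TACACS+ first, together with the fallback methods that follow it and the global timeout. Each such list has to wait for the server to time out before IOS moves on to the next method. The sample config is assembled from the posts, and the function names are hypothetical.

```python
import re

# Constructed sample: AAA lines from the first post plus the timeout lines from the follow-up.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
tacacs-server host x.x.x.x single-connection timeout 3
tacacs-server timeout 3
"""

AAA_LINE = re.compile(
    r"^aaa (authentication|authorization|accounting) "
    r"(login|enable|exec|commands \d+) (\S+) (.+)$"
)
ACCT_MODES = {"start-stop", "stop-only"}  # accounting record modes, not methods


def parse_method_lists(config):
    """Return one dict per AAA method list, methods in the order IOS tries them."""
    lists = []
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if not m:
            continue  # e.g. 'aaa new-model', 'aaa authorization config-commands'
        service, kind, name, rest = m.groups()
        # 'group <name>' is one method; every other token is a method by itself
        methods = [t for t in re.findall(r"group \S+|\S+", rest) if t not in ACCT_MODES]
        lists.append({"service": service, "type": kind, "name": name, "methods": methods})
    return lists


def audit(config):
    """Return ([(phase, fallback methods)] for TACACS+-first lists, global timeout or None)."""
    report = []
    for ml in parse_method_lists(config):
        if ml["methods"] and ml["methods"][0] == "group tacacs+":
            report.append((f'{ml["service"]} {ml["type"]}', ml["methods"][1:]))
    m = re.search(r"^tacacs-server timeout (\d+)$", config, re.M)
    return report, (int(m.group(1)) if m else None)
```

On the sample, all five method lists consult TACACS+ first; the two accounting lists have no method after it, while login, enable and exec authorization each have a local fallback.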