Beginner

Slow command execution when ACS is not reachable

Hi,

We recently deployed Cisco ACS for TACACS+.

During a test, we found out that when ACS is unreachable, the switch takes at least 30 seconds to log in and execute a command.

We have set the server timeout to 2 seconds, but it doesn't help.

Has anyone had the same experience?

Cisco ACS:

Version 5.4.0.46.0a

Switch:

WS-C3750X-48PF-L

IOS: 15.0(2)SE4

WS-C2960-48TT-L

IOS: 15.0(2)SE4

Command:

aaa group server tacacs+ TACACS-GROUP

     server-private xx.xx.xx.xx timeout 2 key xxxx

Rgds,

Weilyjaya

Enthusiast

Slow command execution when ACS is not reachable

EAP-TLS authentication fails if the:

Server fails to verify the client's certificate, and rejects EAP-TLS authentication.

Client fails to verify the server's certificate, and rejects EAP-TLS authentication.

Certificate validation fails if the:

Certificate has expired.

Server or client cannot find the certificate issuer.

Signature check fails.

The client dropped cases resulting in malformed EAP packets.

EAP-TLS also supports the Session Resume feature. ACS supports the EAP-TLS session resume feature for fast reauthentication of a user who has already passed full EAP-TLS authentication. If the EAP-TLS configuration includes a session timeout period, ACS caches each TLS session for the duration of the timeout period.

When a user reconnects within the configured EAP-TLS session timeout period, ACS resumes the EAP-TLS session and reauthenticates the user with TLS handshake only, without a certificate check.

ACS 5.4 supports EAP-TLS session resumption without session state being stored at the server. It also supports the session ticket extension as described in RFC 5077. The ACS server creates a ticket and sends it to an EAP-TLS client. The client presents the ticket to ACS to resume a session.

Stateless session resumption is supported in a distributed deployment, so that a session ticket issued by one node is accepted by another node.

The entire ticket is authenticated over its fields using a MAC with a 128-bit authentication key. The fields are encrypted using AES-CBC with a 128-bit encryption key and IV that are found in the ticket. The ACS administrator configures a limited lifetime for the session ticket.
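The ticket construction the reply describes (every field covered by a MAC, state encrypted with AES-128-CBC under an IV carried in the ticket, a limited lifetime, keys shared across nodes) worked through in Go, as an added example that is not code from the original post or from ACS. It follows the RFC 5077 section 4 layout; the key names, the 8-byte expiry field in the plaintext, and HMAC-SHA256 as the MAC are assumptions, since the reply only states key sizes.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)
// Layout from RFC 5077 section 4: key_name(16) || IV(16) || AES-128-CBC(expiry||state) || HMAC-SHA256(32).
// TicketKeys are hypothetical values; every ACS node in a distributed deployment would hold the same set.
type TicketKeys struct{ Name, EncKey, MacKey [16]byte }
const hdr, macLen = 32, sha256.Size // key_name+IV prefix length; trailing MAC length
// NewTicket encrypts an 8-byte expiry (unix seconds) plus the session state, then MACs everything before the tag.
func NewTicket(k *TicketKeys, state []byte, expires int64) []byte {
	plain := make([]byte, 8, 8+len(state)+aes.BlockSize)
	binary.BigEndian.PutUint64(plain, uint64(expires))
	plain = append(plain, state...)
	n := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#7 padding, always 1..16 bytes
	for i := 0; i < n; i++ { plain = append(plain, byte(n)) }
	t := make([]byte, hdr+len(plain), hdr+len(plain)+macLen)
	copy(t, k.Name[:])
	rand.Read(t[16:hdr]) // fresh random IV, carried in the ticket so any node holding the keys can decrypt
	block, _ := aes.NewCipher(k.EncKey[:])
	cipher.NewCBCEncrypter(block, t[16:hdr]).CryptBlocks(t[hdr:], plain)
	mac := hmac.New(sha256.New, k.MacKey[:]); mac.Write(t)
	return mac.Sum(t)
}

// OpenTicket verifies key name and MAC first (constant time), only then decrypts and enforces the lifetime.
func OpenTicket(k *TicketKeys, t []byte, now int64) ([]byte, error) {
	if len(t) < hdr+aes.BlockSize+macLen || string(t[:16]) != string(k.Name[:]) {
		return nil, errors.New("ticket: truncated or unknown key name")
	}
	body, tag := t[:len(t)-macLen], t[len(t)-macLen:]
	mac := hmac.New(sha256.New, k.MacKey[:]); mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) || len(body)%aes.BlockSize != 0 {
		return nil, errors.New("ticket: MAC mismatch or bad length")
	}
	block, _ := aes.NewCipher(k.EncKey[:])
	plain := make([]byte, len(body)-hdr)
	cipher.NewCBCDecrypter(block, body[16:hdr]).CryptBlocks(plain, body[hdr:])
	pad := int(plain[len(plain)-1]) // padding is inspected only after the MAC passed, so no padding oracle
	if pad == 0 || pad > aes.BlockSize || len(plain)-pad < 8 { return nil, errors.New("ticket: bad padding") }
	if plain = plain[:len(plain)-pad]; now >= int64(binary.BigEndian.Uint64(plain)) {
		return nil, errors.New("ticket: expired")
	}
	return plain[8:], nil
}
```

A node that cannot open a ticket (wrong key name, bad MAC, expired) simply falls back to a full EAP-TLS handshake with certificate check; it never reveals why the ticket failed.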

Beginner

Slow command execution when ACS is not reachable

Workaround:

Remove the timeout command from the tacacs server definition.

Apply the global timeout command instead:

tacacs-server timeout 2