Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
876
Views
5
Helpful
2
Replies

Slow command execution when ACS is not reachable

weilyguruh
Level 1
Level 1

‎02-27-2014 09:59 PM - edited ‎03-10-2019 09:28 PM

Hi,

We recently deployed Cisco ACS for TACACS+.

During a test, we found out that when ACS is unreachable, the switch took at least 30secs to login and execute a command.

We have set server timeout at 2secs but doesn't help.

Anyone has the same experience?

Cisco ACS:

Version 5.4.0.46.0a

Switch:

WS-C3750X-48PF-L

IOS: 15.0(2)SE4

WS-C2960-48TT-L

IOS: 15.0(2)SE4

Command:

aaa group server tacacs+ TACACS-GROUP

     server-private xx.xx.xx.xx timeout 2 key xxxx

Rgds,

Weilyjaya

Labels:
0 Helpful
2 Replies 2

Naveen Kumar
Level 4
Level 4

‎03-06-2014 02:21 AM

EAP-TLS authentication fails if the:

Server fails to verify the client's certificate, and rejects EAP-TLS authentication.

Client fails to verify the server's certificate, and rejects EAP-TLS authentication.

Certificate validation fails if the:

Certificate has expired.

Server or client cannot find the certificate issuer.

Signature check failed.

The client dropped cases resulting in malformed EAP packets.

EAP-TLS also supports the Session Resume feature. ACS supports the EAP-TLS session resume feature for fast reauthentication of a user who has already passed full EAP-TLS authentication. If the EAP-TLS configuration includes a session timeout period, ACS caches each TLS session for the duration of the timeout period.

When a user reconnects within the configured EAP-TLS session timeout period, ACS resumes the EAP-TLS session and reauthenticates the user with TLS handshake only, without a certificate check.

ACS 5.4 supports EAP-TLS session resumption without session state to be stored at the server. It also supports session ticket extension as described in RFC 5077. The ACS server creates a ticket and sends it to an EAP-TLS client. The client presents the ticket to ACS to resume a session.

The Stateless session resumption is supported in the distributed deployment, so that a session ticket issued by one node is accepted by another node.

The entire ticket is authenticated over its fields using a MAC with a 128-bit authentication key. The fields are encrypted using AES-CBC with a 128-bit encryption key and IV that are found in the ticket. The ACS administrator configures a limited lifetime for the session ticket.

weilyguruh
Level 1
Level 1

‎03-06-2014 02:44 AM

Work around:

remove timeout command on tacacs server

apply global timeout command

tacacs-server timeout 2

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents