With Cisco Secure ACS for Windows and TACACS+, authentication fails if ODBC logging is enabled and the external logging database cannot be reached.
This issue is documented in Cisco feature request CSCeb21974.
When Open Database Connectivity (ODBC) logging is configured, Cisco Secure Access Control Server (ACS) holds the authentication response until the ODBC log write completes or fails with a timeout. The ODBC write times out when the external database is unreachable. If that timeout is longer than the timeout configured on the network device, the device stops waiting for the ACS reply and the authentication fails.
Authentication should not fail if ODBC logging fails - CSCeb21974
Authentication should not fail if ODBC logging is on and the external server is down.
Known Fixed Releases:
Authentication fails because Cisco Secure ACS tries to write the accounting and log information to the external ODBC logging database before it answers the request. When the write operation fails, Cisco Secure ACS retries it, and the authentication request is held until the retries finish; by then the device has given up waiting. This happens because the logging operation has a higher priority than the authentication request.
This is how Cisco Secure ACS was designed. Allowing authentication to proceed without logging it is a security hazard because it creates a blind spot in the network. For instance, if an attacker can bring the Structured Query Language (SQL) server down, the attacker can then run a dictionary attack or a Denial of Service (DoS) attack against the network, and there would be no logs to alert on or to trace the attack.
A feature enhancement request (CSCeb21974) has already been filed for this issue, and the addition of this functionality is planned. The feature would make this behavior configurable: an administrator could enable or disable it, have the logging failure itself recorded with the same importance as other events, and allow authentication to proceed even if logging does not work.
To allow authentication to succeed despite the ODBC logging failure, increase the tacacs-server timeout value on the Network Access Server (NAS) so that the device waits longer than the ODBC write takes to complete or time out. This is done by issuing the tacacs-server timeout command in global configuration mode. Note that this is a workaround, not a fix: every login will be delayed for as long as the ACS spends retrying the database write, and the logging outage itself still has to be resolved.
To set the interval for which the NAS waits for a TACACS+ server host to reply, use the tacacs-server timeout command in global configuration mode. To restore the default, use the no form of this command.

Syntax:
    tacacs-server timeout seconds
    no tacacs-server timeout seconds

seconds: Timeout interval in seconds. The value is from 1 through 1000. The default is 5.

Command default: If the command is not configured, the timeout interval is 5 seconds.
The following example changes the timeout interval to 10 seconds.
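The IOS configuration below is an added example and is not taken from the original article or from Cisco's command reference. The server address 192.0.2.10 (a documentation-range address) and the shared key are placeholders; only the tacacs-server timeout line is the change the workaround calls for, and the local fallback in the aaa authentication line is a hardening choice added here so that a dead logging database cannot lock administrators out entirely.

```ios
! Added example (not from the original article). Placeholders: 192.0.2.10, SharedSecret.
aaa new-model
!
tacacs-server host 192.0.2.10
tacacs-server key SharedSecret
!
! The default of 5 seconds is shorter than the ACS spends retrying a failed ODBC
! write, so the NAS abandons the request first. Raise it to 10 seconds (range 1-1000).
tacacs-server timeout 10
!
! Fall back to local credentials if every TACACS+ server times out, so an
! unreachable logging database does not leave the device unmanageable.
aaa authentication login default group tacacs+ local
!
! Verification (privileged EXEC, not configuration mode):
!   show running-config | include tacacs-server timeout
!   debug tacacs
```

After applying the change, attempt a login while watching debug tacacs: a successful attempt now shows the PASS reply arriving after the delay instead of the NAS timing out and falling through to the next method. If the ODBC server is down for long periods, the retry time on the ACS can still exceed the new value, so the local fallback remains the safety net rather than the timeout alone.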