With Cisco Secure ACS for Windows TACACS+, authentication fails if ODBC logging is enabled.
This issue is documented in Cisco feature request CSCeb21974.
When Open Database Connectivity (ODBC) logging is configured, the Cisco Secure Access Control Server (ACS) blocks authentication until the ODBC logging is done or fails due to a timeout. The ODBC logging timeout failure occurs when the external database is unreachable. The authentication fails if this timeout is longer than the device timeout.
Authentication should not fail if ODBC logging fails - CSCeb21974
Authentication should not fail if odbc logging is on and the external server is down.
Known Fixed Releases:
Authentication fails because Cisco Secure ACS tries to write the accounting and log information to the external ODBC logging database. When the write operation fails, Cisco Secure ACS retries it, and the authentication request waits behind those retries until the device gives up. This happens because the logging operation has a higher priority than the authentication request.
This is how Cisco Secure ACS was designed. Allowing authentication without logging it is a security hazard because it opens a hole in the network's defenses. For instance, if a hacker can bring the Structured Query Language (SQL) server down, the hacker can then run a dictionary attack or denial of service (DoS) attack on the network, and there would be no logs to alert on or track the attack.
A feature enhancement request has already been filed for this issue, and the functionality is planned. It would make this behavior configurable, log the ODBC failure with the same importance as other events, and allow authentication to proceed even if logging does not work.
To allow authentication to work despite the ODBC logging failure, increase the tacacs-server timeout value on the network access server (NAS) so that it exceeds the time Cisco Secure ACS spends waiting on the ODBC logging timeout. This is done with the tacacs-server timeout command in global configuration mode.
To set the interval for which the device waits for a TACACS+ server host to reply, use the tacacs-server timeout command in global configuration mode. To restore the default, use the no form of this command.
tacacs-server timeout seconds
no tacacs-server timeout seconds
seconds: Timeout interval in seconds. The value is from 1 through 1000. The default is 5.
If the command is not configured, the timeout interval is 5 seconds.
The following example changes the timeout interval to 10 seconds:
tacacs-server timeout 10
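The timing interaction described above, as a constructed Python model that is not part of the original article or of Cisco's software: a TACACS+-style server thread that blocks each authentication reply behind an ODBC-style log write, and a NAS-style client whose socket timeout plays the role of tacacs-server timeout. The function names, the single-attempt log write and the sub-second delays (chosen so the model runs quickly) are assumptions.

```python
import socket
import threading
import time

# Constructed model of the failure mode: the server replies to an authentication
# request only after its ODBC-style log write has completed or timed out, while
# the NAS waits at most nas_timeout seconds (the tacacs-server timeout value).

def log_to_odbc(db_reachable, odbc_timeout):
    """Blocking log write: with the external database unreachable, the call
    returns only after the ODBC timeout has elapsed (assumed: one attempt)."""
    if db_reachable:
        return True
    time.sleep(odbc_timeout)
    return False

def serve_one(listener, db_reachable, odbc_timeout):
    """Accept one request; logging runs before, and therefore delays, the reply."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(64)  # the authentication request
        log_to_odbc(db_reachable, odbc_timeout)
        try:
            conn.sendall(b"PASS")
        except OSError:
            pass  # the NAS already gave up and closed the connection

def authenticate(nas_timeout, db_reachable, odbc_timeout):
    """Return True if the NAS receives the reply within its timeout."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(
        target=serve_one, args=(listener, db_reachable, odbc_timeout))
    server.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=nas_timeout) as nas:
            nas.sendall(b"AUTH user")
            return nas.recv(64) == b"PASS"
    except socket.timeout:
        return False  # device timeout expired: authentication fails
    finally:
        server.join()
        listener.close()
```

With the database down, authenticate(0.2, False, 0.6) fails because the NAS timeout expires before the log write gives up, while authenticate(1.5, False, 0.6) succeeds because the NAS timeout now exceeds the ODBC timeout, which is the effect of raising tacacs-server timeout.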