Introduction
With Cisco Secure ACS For Windows TACACS+, authentication fails if ODBC logging is enabled.
Core issue
This issue is documented in Cisco feature request CSCeb21974.
When Open Database Connectivity (ODBC) logging is configured, the Cisco Secure Access Control Server (ACS) blocks authentication until the ODBC logging is done or fails due to a timeout. The ODBC logging timeout failure occurs when the external database is unreachable. The authentication fails if this timeout is longer than the device timeout.
Authentication should not fail if ODBC logging fails - CSCeb21974
Description
Authentication should not fail if ODBC logging is on and the external server is down.
Known Fixed Releases:
4.1(1)
Resolution
Authentication fails because Cisco Secure ACS tries to write the accounting and log information to the ODBC external logging database. When the write operation fails, the Cisco Secure ACS tries again, which causes authentication to fail. This happens because the logging operation has a higher priority than the authentication request.
This is how the Cisco Secure ACS was designed. Allowing authentication to succeed without logging it is a security hazard because it leaves a gap in the audit trail. For instance, if an attacker can bring the Structured Query Language (SQL) server down, the attacker can then run a dictionary attack or Denial of Service (DoS) attack on the network, and there would be no logs to alert on or trace the attack.
A feature enhancement request has already been filed for this issue, and the addition of this functionality is planned. This feature would provide the ability to enable and disable this behavior, to log this issue with the same importance as others, and to enable authentication even if logging does not work.
To allow authentication to work despite the ODBC logging failure, try to increase the tacacs-server timeout value on the network access server (NAS). This can be done by issuing the tacacs-server timeout command in global configuration mode.
tacacs-server timeout
To set the interval for which the server waits for a server host to reply, use the tacacs-server timeout command in global configuration mode. To restore the default, use the no form of this command.
tacacs-server timeout seconds
no tacacs-server timeout seconds
Syntax Description
seconds | Timeout interval in seconds, from 1 through 1000. The default is 5.
Command Default
If the command is not configured, the timeout interval is 5.
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
Examples
The following example changes the interval timeout to 10 seconds:
Router(config)# tacacs-server timeout 10
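As an added example (not part of the Cisco tech note), the following Python script models the timing relationship described above and audits IOS configurations for it: it extracts the effective tacacs-server timeout (default 5 when the command is absent, restored by the no form) and flags devices whose timeout is shorter than an assumed ACS ODBC logging timeout. The sample configurations and the 8-second ODBC timeout are constructed values, not taken from the note.

```python
import re

DEFAULT_TACACS_TIMEOUT = 5        # IOS default when the command is not configured
TACACS_TIMEOUT_RANGE = (1, 1000)  # valid range of the seconds argument

# "tacacs-server timeout <seconds>" / "no tacacs-server timeout [<seconds>]"
_SET_RE = re.compile(r"^\s*tacacs-server timeout\s+(\d+)\s*$")
_NO_RE = re.compile(r"^\s*no tacacs-server timeout\b")


def tacacs_timeout(config: str) -> int:
    """Effective tacacs-server timeout of an IOS config; the last line wins."""
    timeout = DEFAULT_TACACS_TIMEOUT
    for line in config.splitlines():
        if _NO_RE.match(line):            # the no form restores the default
            timeout = DEFAULT_TACACS_TIMEOUT
            continue
        m = _SET_RE.match(line)
        if m:
            value = int(m.group(1))
            lo, hi = TACACS_TIMEOUT_RANGE
            if not lo <= value <= hi:
                raise ValueError(f"tacacs-server timeout {value} outside {lo}-{hi}")
            timeout = value
    return timeout


def auth_survives_odbc_outage(nas_timeout: int, odbc_timeout: int) -> bool:
    """ACS holds the reply until the ODBC write times out; the NAS must outwait it."""
    return nas_timeout >= odbc_timeout


def audit(configs: dict, odbc_timeout: int) -> dict:
    """Per device: effective timeout and whether an ODBC outage would fail logins."""
    report = {}
    for name, cfg in configs.items():
        t = tacacs_timeout(cfg)
        report[name] = {"tacacs_timeout": t,
                        "at_risk": not auth_survives_odbc_outage(t, odbc_timeout)}
    return report


# Constructed sample configs and ODBC timeout (not taken from the tech note).
SAMPLE_CONFIGS = {
    "edge-rtr-1": "hostname edge-rtr-1\ntacacs-server host 192.0.2.10\n",
    "edge-rtr-2": "hostname edge-rtr-2\ntacacs-server timeout 10\n",
    "edge-rtr-3": "hostname edge-rtr-3\ntacacs-server timeout 10\nno tacacs-server timeout\n",
}
ODBC_LOG_TIMEOUT = 8  # assumed seconds ACS waits on the unreachable database

if __name__ == "__main__":
    for dev, result in audit(SAMPLE_CONFIGS, ODBC_LOG_TIMEOUT).items():
        print(dev, result)
```

Devices reported as at risk are those where a database outage would surface as TACACS+ authentication failures rather than only as missing log rows.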
Problem Type
Connectivity to the device
Troubleshoot software feature
Product Family
Cisco Secure Access Control Server
Reference