cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1998
Views
0
Helpful
0
Comments
TCC_2
Level 10
Level 10

 

Introduction

With Cisco Secure ACS For  Windows TACACS+, authentication fails if ODBC logging is enabled.

Core issue

This issue is documented in Cisco Feature request: CSCeb21974.

When Open Database Connectivity (ODBC) logging is configured, the Cisco Secure Access Control Server (ACS) blocks authentication until the ODBC logging is done or fails due to a timeout. The ODBC logging timeout failure occurs when the external database is unreachable. The authentication fails if this timeout is longer than the device timeout.

Authentication should not fail if ODBC logging fails - CSCeb21974
Description
Authentication should not fail if odbc logging is on and the external
server is down.
 
Known Fixed Releases: 
4.1(1)

Resolution

Authentication fails because Cisco Secure ACS tries to write the accounting and log information to the ODBC external logging database. When the write operation fails, the Cisco Secure ACS tries again, which causes authentication to fail. This happens because the logging operation has a higher priority than the authentication request.

This is how the Cisco Secure ACS was designed. It is a security hazard to allow authentication without logging it because it creates a weak hole in the network. For instance, if a hacker can bring the Structured Query Language (SQL) server down, the hacker can then run a Dictionary attack or Denial of Service (DoS) attack on the network. In this case, there would be no logs to alert or track the attack.

A feature enhancement request has already been filed for this issue, and the addition of this functionality is planned. This feature would provide the ability to enable and disable this behavior, to log this issue with the same importance as others, and to enable authentication even if logging does not work.

To allow authentication to work despite the ODBC logging failure, try to increase the tacacs-server timeout value on the Network Attached Storage (NAS). This can be done by issuing the  tacacs-server timeout command in global configuration mode.

tacacs-server timeout

To set the interval for which the server waits for a server host to reply, use the tacacs-server timeout command in global configuration mode. To restore the default, use the no form of this command.

tacacs-server timeout seconds

no tacacs-server timeout seconds

Syntax Description

 

seconds

 

Timeout interval in seconds. The value is from 1 through 1000. The default is 5.

 

Command Default

If the command is not configured, the timeout interval is 5.

Command Modes

Global configuration

Command History

ReleaseModification

10.0This command was introduced.

 

Examples

The following example changes the interval timeout to 10 seconds:

 Router (config)# tacacs-server timeout 10

Problem Type

Connectivity to the device

Troubleshoot software feature

Product Family

Cisco Secure access control server

Reference

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: