[tac_plus] Re: single connection

[Schmidt, Daniel]

Thank you kindly for your reply again. 

I have hundreds of devices that I put it on.  Are we to understand that
Cisco recommends single-connection on one hand, and then on the other
hand tells us that single-connection does not work and they won't fix
it?  I suppose I had better start work on removing it.  

Rather than removing your debug code, perhaps a warning would be in
order?  It would be a shame to have an upgrade break tacacs for those
who have been following their lousy CCNP book.  As I mentioned,
single-connection does work, just not well.  If you check tacacs, you
will note aborts and errors.  

Funny that it seems to work right in IOS-XR yet they did such a terrible
job of implementing SSH in IOS-XR.  

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net] 
Sent: Wednesday, March 18, 2009 5:34 PM
To: Schmidt, Daniel
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] single connection

Thu, May 29, 2008 at 03:32:18PM -0600, Dan Schmidt:
> Thanks for kindly for your reply.
> 
> The symptoms are that, if multiple sessions are opened - one right
after
> the other, exactly every other session fails to contact the tacacs
> server (defaults to local authentication) spitting out that debug
> message.  Perhaps it is a bug on the 7600's, as the 6500's in that
city
> are completely fine.  (And 3750's, ect.)
> 
> Single-connection was implemented in CiscoSecure Release 1.0.1 - is it
> fully supported in tac_plus?  
> 
> Obviously, the work around is to disable single connection, but that
> creates more connections to the tacacs server. 

I FINALLY researched this extensively.  The problem is that, except for
IOS-XR, single-connection does not work, period.  And, Cisco told me
that
they would not fix it.

Note that the tac_plus daemon does not support it anyway; I'd just
jammed
basic debugging code into it.  I don't know if I'll add it in the
future.