[tac_plus] tacplus timeout values

heasley heas at shrubbery.net
Sat Feb 27 16:21:24 UTC 2016


Fri, Feb 26, 2016 at 12:17:02PM -0500, Kevin.Cruse at Instinet.com:
> I am having some issues with our tacacs clients timing out quite
> frequently. We have hundreds of network devices pointing to 2 tacacs
> servers and many users complain they are prompted for a password a few
> times before getting authenticated or their session being terminated. This

Do you mean that their session is terminated *after* successful login?  after
login and some cli commands?

Are you doing tacacs authorization?  Are you doing command authorization?
Are you doing command accounting?

What are the devices?  Running what o/s?  Are there known tacacs/aaa PRs
against that combination?  When login is successful, is the prompting for
the username then password slow?

> does not happen constantly all day long but seems rather random.  I also
> notice there are 'tacacs' timeout messages in our logging buffers. I have a
> suspicion the tacacs server is busy handling requests and users get backed
> up in a queue and router timeout is reached before daemon can respond. I
> run the daemon with following command:
> 
> tac_plus -C /usr/local/sbin/tacplus/tac_plus.cfg -L -p 49 -G
> 
> Ok - now you are probably asking "why does he run it in
> foreground?"...well...I cannot prove this but it seems there were some
> security changes performed on our hosts which prevented me from running it
> without the -G. I had been running the daemon with this command:
> 
> tac_plus -C /usr/local/sbin/tacplus/tac_plus.cfg -L -p 49
> 
> quite happily for some time. We then had some maintenance work to test ldap
> failover and when I restarted the daemon it would not start unless I ran in
> foreground. I've been working with our admin team to resolve but still
> cannot figure out why one day it just stopped working (we run it on CentOS
> 7). Anyway - I'm getting away from my original question. I am fielding a lot
> of complaints about these timeouts and hope someone has had similar issues
> and can provide some direction. Many thanks!!!

It should not matter, but are you doing tacacs authentication through PAM
to ldap?  If so, were debug options or logging of some sort left enabled
on the PAM module?

The daemon will fork a new process for each client connection, so one
client should not affect another, for the most part.  If the connection
queue is really long, perhaps it would delay a little.  I rather doubt
this is the problem.

Cisco allows the tacacs timeout to be increased; e.g.:
router(config-server-tacacs)#timeout ?
  <1-1000>  Timeout value in seconds to wait for server to reply


> $ ./tac_plus -v
> tac_plus version F4.0.4.28