7
  1. Log into a Cisco IOS device with TACACS Authorization enabled
  2. Do a command that causes the device to lose access to the TACACS server
  3. Enter a command that requires TACACS Authorization

By default, the timeout appears to be about 30 seconds before the devices comes back with "Command Authorization Failed."

I tried this command to fix...

tacacs-server timeout <seconds>

However, that only affects the authentication portion, not authorization.

How do you adjust the timeout to communicate with a TACACS server for authorization purposes?

Edit: Relevant config pasted below.

Note that I am fine with the user getting a "Command Authorization Failed" message if the TACACS server goes down. I just don't want them to have to wait 30 seconds between each command for the server to timeout.

My concern is that if someone pastes 75 lines into the router, and line 3 breaks connectivity to the TACACS server, the remaining 72 lines will be in buffer. By my understanding, even if you close the SSH session to the router it will STILL process the commands in the buffer.

Therefore what happens if the router is rejecting commands at the rate of 2 per minute (Command Authorization Failed), and you fix the problem after 5 minutes? 62 lines suddenly paste in and are immediately applied, and you just did a partial deployment of your change! How do you explain THAT to management?

Ideally, I'd like to setup a 3 second timeout for authorizations with the TACACS server. At least then the chances of the above disaster scenario are greatly reduced.

Config:

tacacs-server host xx.xx.xx.27
tacacs-server host xx.xx.xx.28
tacacs-server key xxxxx
!
aaa new-model
!
aaa group server tacacs+ ACS1 
 server xx.xx.xx.27
 server xx.xx.xx.28
!
aaa authentication login default group ACS1 line local          
!
aaa authorization config-commands
aaa authorization exec default group ACS1 local 
aaa authorization commands 15 default group ACS1 local
!
aaa accounting commands 0 default start-stop group ACS1 
aaa accounting commands 15 default start-stop group ACS1
aaa accounting connection default start-stop group ACS1
!
aaa authentication login console-authc none                 
!
Keller G
  • 1,589
  • 10
  • 18
  • Can you post the relevant parts of your config? – Ron Trunk Apr 28 '14 at 22:48
  • If the intention is to allow commands to be authorized when server is down look at the if-authenticated option. – Daniel Dib Apr 29 '14 at 04:28
  • 5
    I set this up in the lab, and it works as expected - The timeout command affects all tacacs transactions. The command authorization fails after the timeout. So I suspect something else is going on. Perhaps one of your ACS servers is taking a long time to respond? You could try turning on tacacs debugging to see where the problem is. – Ron Trunk Apr 29 '14 at 22:16
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer. – Ron Maupin Jan 05 '21 at 02:10

1 Answers1

1

There is an option that overrides the default timeout to the tacacs server, depending on your software version:

tacacs-server host host-name [port integer] [timeout integer]

timeout (Optional) Specifies a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.

On newer versions, where tacacs-server is truncated:

tacacs server [group name]
address ipv4 [tacacs server address]
key [password]
timeout [timeout integer]

timeout - Time to wait for this TACACS server to reply (overrides default)

Edit: I can confirm, that we've now changed our TACACS configuration to the following and it works like a charm for all 900 devices, including the timeout option. All switches and routers are running the newest safe harbor IOS.

TACACS is running on Cisco ISE redundant platform.

Layer 2/3 switches and routers, with VRF also (not including Nexus):

aaa group server tacacs+ TACACS_PLUS
server-private XX.XX.X.XXX timeout 2 key <password>
server-private XX.XX.X.XXX timeout 2 key <password>
Optional: ip vrf forwarding <vrf name>

aaa authorization config-commands

aaa authentication login default group TACACS_PLUS local
aaa authentication enable default group TACACS_PLUS enable
aaa authorization exec default group TACACS_PLUS local 

aaa authorization commands 0 default group TACACS_PLUS if-authenticated 
aaa authorization commands 1 default group TACACS_PLUS if-authenticated 
aaa authorization commands 15 default group TACACS_PLUS if-authenticated 

aaa accounting commands 0 default start-stop group TACACS_PLUS
aaa accounting commands 1 default start-stop group TACACS_PLUS
aaa accounting commands 15 default start-stop group TACACS_PLUS

Nexus 5K, 6K, 7K (tested):

feature tacacs+

tacacs-server host XX.XX.X.XXX key <password> timeout 2
tacacs-server host XX.XX.X.XXX key <password> timeout 2

aaa group server tacacs+ TACACS_PLUS
  server XX.XX.X.XXX
  server XX.XX.X.XXX
  source-interface <ex. vlan/loopback>
  !Optional: use-vrf <vrf name>

aaa authentication login default group TACACS_PLUS
aaa authorization config-commands default group TACACS_PLUS
aaa authorization commands default group TACACS_PLUS
aaa accounting default group TACACS_PLUS