[nsp] TACACS / ACE Server timeouts

Streiner, Justin streiner at stargate.net
Mon Jul 21 19:43:41 EDT 2003


We use TACACS to authenticate admin sessions into many network devices.
The authentication is provided by an ACE server with SecurID hardware
tokens for single-use password capabilities.  If for some reason the ACE
server is down, the router will fall back to locally configured passwords.
From time to time, a login session attempt to a device that authenticates
this way will time out and fall back to the local password.  Subsequent
authentication requests such as the start of a new login session or
enabling on an existing session will be authenticated by the ACE server
normally.

I'm beginning to suspect it's something with the ACE server itself, as
this happens on all sorts of different routers running different versions
of code.  It even happens on the router that sits directly upstream of the
ACE server ;-)  The link to the server is very lightly used and the
resources on the server from what I can see are well within reasonable
limits.

It seems to happen more during the day; however, the devices on the network
are not overloaded CPU- or link-wise.  IP-level response times from the
machine are consistently good with no packet loss; however, I don't have a
good way to measure application-level response time (e.g. a TACACS
authentication cycle) at the moment.

Has anyone run into this problem if you're operating a similar setup?

I realize that this may get beyond the scope of *cisco*-nsp - I'm just
trying to make sure there isn't something on the network that may be
causing the issue.

Thanks
jms
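
An added example, not part of the original post: one way to measure the application-level response time the message says is missing is to time a single authentication START/REPLY exchange separately from the TCP connect. It assumes the devices speak TACACS+ (RFC 8907, TCP port 49) rather than legacy TACACS, and that the probing host is defined as a client on the server with the shared key; the function names are hypothetical. It times only the TACACS+ daemon's first reply, not the SecurID passcode check behind it.

```python
import hashlib, os, socket, struct, time

TAC_VERSION = 0xC0   # TACACS+ major version 0xC, minor 0 (RFC 8907)
TAC_AUTHEN = 0x01    # packet type: authentication

def obfuscate(body, session_id, key, version, seq_no):
    """XOR body with the RFC 8907 MD5 pseudo-pad; calling it again reverses it."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(seed + block).digest()  # MD5_n chains MD5_(n-1)
        pad += block
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(session_id, key, user=b"probe", port=b"probe"):
    """Authentication START: action=LOGIN, priv_lvl=1, type=ASCII, service=LOGIN."""
    body = bytes([1, 1, 1, 1, len(user), len(port), 0, 0]) + user + port
    header = struct.pack("!BBBBII", TAC_VERSION, TAC_AUTHEN, 1, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_VERSION, 1)

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def time_authen_start(host, key, port=49, timeout=5.0, user=b"probe"):
    """Return (connect_seconds, reply_seconds, reply_status) for one exchange.

    A socket timeout propagates to the caller: that is the failure a router
    would treat as "server unreachable" before falling back to local passwords.
    """
    session_id = struct.unpack("!I", os.urandom(4))[0]
    t0 = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as s:
        t1 = time.monotonic()                      # TCP handshake finished
        s.sendall(build_authen_start(session_id, key, user))
        _, _, seq, _, sid, length = struct.unpack("!BBBBII", recv_exact(s, 12))
        body = obfuscate(recv_exact(s, length), sid, key, TAC_VERSION, seq)
        t2 = time.monotonic()                      # full REPLY received
    # First body byte is the status: 0x04 GETUSER, 0x05 GETPASS, 0x07 ERROR.
    return t1 - t0, t2 - t1, body[0]
```

Run on a schedule and logged with timestamps, the two durations separate slow TCP setup from a slow daemon reply, and a status other than GETUSER/GETPASS usually indicates a key mismatch.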