[nsp] TACACS

Mark D. Nagel mnagel at willingminds.com
Thu Sep 11 16:05:10 EDT 2003


Hans Spaans wrote:

>On Wed, Sep 10, 2003 at 05:43:26PM -0700, Mark D. Nagel wrote:
>
>>You must not be doing authorization control and using automated
>>procedures to download configuration files periodically.  We were doing
>>this with 3.1 for about 80 devices and ACS would stop authorizing any
>>command after just under 1 week.  Had to restart the CSTacacs service
>>when that happened.  Took TAC a long time to track that one down, but
>>they finally produced a patch.  Supposedly was integrated into 3.2, but
>>not sure.
>
>How do you mean that? We're doing about 2600+ (still changing devices
>to use tacacs+) with 3.1 and Ciscoworks. The only thing we were
>hitting were some limitations in 3.0 and a replication bug in 3.1. The
>pre-releases of 3.1.2 were working fine in the testlab and didn't have
>the replication bug anymore. We're now testing 3.2 and that one looks
>to handle replication better than 3.1.
>
>Hopefully you can tell me more, because the only thing 3.1 sometimes
>has is that it replicates a buggy database but we weren't able to
>reproduce that one.

We encountered this problem when running a script that uses telnet to
grab router and switch configurations every half hour, where any
differences are then checked in and reported via filewatcher
(filewatcher is a tool we wrote that monitors system files for changes;
the combined effect is similar to using RANCID).  The user we have
defined for these logins is restricted to very specific commands using
ACS.  With the 80 or so devices we had, this translates to about 4000
sessions per day.  I never got the full details nor did I get a bug ID,
but before fixing the server, authorization would fail in general after
about 6.5 days, preventing anyone from running any commands.  The
solution until we got a patch was to restart CSTacacs.  The patch fixed
the problem permanently.  TAC said the bug had to do with a registry
handle leak on Win2K Server.  Apparently only we and one other customer
ever ran into it, so I'm guessing not too many people run this sort of
automated configuration download in this environment.

Mark

-- 
Mark D. Nagel, CCIE #3177 <mnagel at willingminds.com>
Principal Consultant, Willing Minds LLC
tel/fax: 949-623-9853, web: http://www.willingminds.com/
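One defender-side check for the symptom described above, as an added example that is not from this thread or from Cisco ACS: a script that tells the policy-level denials the restricted config-pull account is supposed to get apart from the server-wide loss of authorization the registry-handle leak produced. The log format, field names and sample lines are constructed for the example; real ACS exports differ.

```python
import shlex
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample log (not real ACS output): the restricted config-pull
# account polling devices, one expected per-user denial, then a day when
# every command from every user is denied, as in the failure described.
SAMPLE_LOG = """\
2003-09-08 00:00:10 user=cfgpull nas=rtr1 cmd="show running-config" authz=PASS
2003-09-08 00:30:10 user=cfgpull nas=rtr2 cmd="show running-config" authz=PASS
2003-09-08 01:00:10 user=cfgpull nas=rtr3 cmd="show running-config" authz=PASS
2003-09-08 01:05:00 user=cfgpull nas=rtr1 cmd="configure terminal" authz=FAIL
2003-09-14 12:00:10 user=cfgpull nas=rtr1 cmd="show running-config" authz=FAIL
2003-09-14 12:00:12 user=cfgpull nas=rtr2 cmd="show running-config" authz=FAIL
2003-09-14 12:01:00 user=admin nas=rtr1 cmd="show interfaces" authz=FAIL
2003-09-14 12:02:00 user=admin nas=rtr2 cmd="show version" authz=FAIL
"""

AuthzEvent = namedtuple("AuthzEvent", "ts user nas command passed")

def parse_log(text):
    """Parse the constructed key=value log format into AuthzEvent records."""
    events = []
    for line in text.splitlines():
        date, time, rest = line.split(" ", 2)
        fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
        events.append(AuthzEvent(
            ts=datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            user=fields["user"], nas=fields["nas"], command=fields["cmd"],
            passed=fields["authz"] == "PASS"))
    return events

def find_outage_hours(events, min_events=3, min_users=2):
    """Hours in which every authorization was denied for >= min_users users.
    One account denied is policy working; everyone denied points at the server."""
    by_hour = defaultdict(list)
    for ev in events:
        by_hour[ev.ts.replace(minute=0, second=0)].append(ev)
    outages = []
    for hour in sorted(by_hour):
        evs = by_hour[hour]
        if (len(evs) >= min_events
                and len({e.user for e in evs}) >= min_users
                and not any(e.passed for e in evs)):
            outages.append(hour)
    return outages

if __name__ == "__main__":
    for hour in find_outage_hours(parse_log(SAMPLE_LOG)):
        print(f"server-wide authorization failure from {hour:%Y-%m-%d %H:00}")
```

Tune min_events to the session rate of your own polling (about 80 sessions an hour in the setup above), so a quiet hour with a single legitimate denial is never mistaken for an outage.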