[nsp] TACACS
Hans Spaans
cisco-nsp at lists.hansspaans.nl
Fri Sep 12 01:55:38 EDT 2003
On Thu, Sep 11, 2003 at 03:05:10PM -0700, Mark D. Nagel wrote:
>
> We encountered this problem when running a script that uses telnet to
> grab router and switch configurations every half hour where any
> differences are then checked in and reported via filewatcher
> (filewatcher is a tool we wrote that monitors system files for changes;
> the combined effect is similar to using RANCID). The user we have
> defined for these logins is restricted to very specific commands using
> ACS. With the 80 or so devices we had, this translates to about 4000
> sessions per day. I never got the full details nor did I get a bug ID,
> but before fixing the server authorization would fail in general after
> about 6.5 days, preventing anyone from running any commands. The
> solution until we got a patch was to restart CSTacacs. The patch fixed
> the problem permanently. TAC said the bug had to do with a registry
> handle leak on Win2K Server. Apparently only us and one other customer
> ever ran into it, so I'm guessing not too many people run this sort of
> automated configuration download in this environment.
We do ;-) But you can do your config management much more efficiently. We
daily check all devices for configurations and when the devices tell
us by sending a syslog message to the loghosts. This means we're
about five minutes out of sync with the devices in the network when
it's busy.
Another question, do you have one ACS-machine or multiple? And you
don't edit the devicelist much I understand? We add, remove or change
devices on an almost daily basis so CSTacacs is also restarted with
that.
But thanks for the info and hopefully we aren't going to experience
it.
--
Hans
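The syslog-triggered approach Hans describes (pull a device's configuration only when the device reports a configuration change, rather than polling every device on a fixed schedule) can be sketched in a few lines. The following is an added example, not code from either poster or from any tool named in the thread. It assumes syslog lines in the common IOS layout where the message ID is `%SYS-5-CONFIG_I`; the hostnames, addresses and usernames in the sample are constructed.

```python
import re
import difflib
from typing import List, Tuple

# Constructed sample loghost lines. The timestamp, hostname and sequence
# number layout is an assumption about how the loghost writes them; the
# %SYS-5-CONFIG_I message is what IOS logs when someone leaves config mode.
SAMPLE_SYSLOG = """\
Sep 12 01:50:02 core1.example.net 123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
Sep 12 01:50:07 core1.example.net 124: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Sep 12 01:52:41 dist2.example.net 88: %SYS-5-CONFIG_I: Configured from memory by console
Sep 12 01:53:00 core1.example.net 125: %SYS-5-CONFIG_I: Configured from console by backupuser on vty1 (192.0.2.11)
"""

# Match only configuration-change notifications; everything else is ignored.
CONFIG_I = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+\d+:\s+"
    r"%SYS-5-CONFIG_I:\s+(?P<detail>.*)$"
)


def config_change_events(syslog_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, host, detail) for every CONFIG_I line.

    The detail field keeps the 'by <user> on <line> (<address>)' text, which
    is what you want in the change report: who changed the config and from where.
    """
    events = []
    for line in syslog_text.splitlines():
        m = CONFIG_I.match(line)
        if m:
            events.append((m.group("ts"), m.group("host"), m.group("detail")))
    return events


def hosts_to_poll(syslog_text: str) -> List[str]:
    """Deduplicated hosts whose config should be fetched, in first-seen order.

    Several CONFIG_I messages from one device within a batch collapse into a
    single fetch, which is where the session savings over fixed polling come from.
    """
    seen: List[str] = []
    for _, host, _ in config_change_events(syslog_text):
        if host not in seen:
            seen.append(host)
    return seen


def config_diff(previous: str, current: str, host: str) -> str:
    """Unified diff between the last stored config and the freshly fetched one.

    Returns an empty string when nothing changed, so callers can skip the
    check-in and the report for spurious notifications.
    """
    return "".join(difflib.unified_diff(
        previous.splitlines(keepends=True),
        current.splitlines(keepends=True),
        fromfile=f"{host} (stored)",
        tofile=f"{host} (fetched)",
    ))


if __name__ == "__main__":
    for ts, host, detail in config_change_events(SAMPLE_SYSLOG):
        print(f"{ts} {host}: {detail}")
    print("fetch configs from:", hosts_to_poll(SAMPLE_SYSLOG))
    # Constructed before/after captures standing in for the fetched configs.
    print(config_diff("hostname core1\nntp server 192.0.2.1\n",
                      "hostname core1\nntp server 192.0.2.2\n", "core1.example.net"))
```

The fetch itself (the restricted-account login and the `show` command) is whatever the existing script already does; the point of the example is the front half, deciding which devices need a fetch and whether the result is worth checking in.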