IEOC CCIE Forums

Latest post 04-12-2017 11:06 AM by krishnar. 2 replies.
  • 03-31-2017 11:54 AM

    AAA Server not Reachable and Command Output Takes Looooong!!!

    Hello fellow networkers!!!
    I'd like your input on the following situation I am experiencing. When testing authentication failover (AAA fails, local authentication is used), there seems to be a crazy delay in seeing command output. Here's the configuration:

    SW1#sh run | i username|aaa|tacacs
    username Admin-15 privilege 15 secret 5 **********
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa session-id common
    tacacs-server host 192.168.1.200 key *******
    tacacs-server directed-request

    The server is disconnected from the network, so it is no longer reachable. In this case, I am able to log in with the local user Admin-15, but:

    SW1#sh ip int b | ex unas
    Interface              IP-Address      OK? Method Status                Protocol 
    Vlan50                192.18.1.1         YES NVRAM  up                    up   

    The below command took about 20 seconds before displaying its output. There is no login delay command, plus I am already logged in, but I cannot understand why local authentication causes such a long delay in command output display.

    Any ideas?

    Thanks in advance

  • 03-31-2017 6:08 PM In reply to

    Re: AAA Server not Reachable and Command Output Takes Looooong!!!

    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local 
    aaa authorization commands 1 default group tacacs+ if-authenticated 
    aaa authorization commands 15 default group tacacs+ if-authenticated 

     

    If you remove those commands, the switch will not check against the TACACS server for authorization. Right now, even though it is disconnected, your switch still consults the TACACS server to see if you have the privilege to run the commands or not.

    If you don't want to remove them, go to conf t mode, then run your commands from there.

  • 04-12-2017 11:06 AM In reply to

    Re: AAA Server not Reachable and Command Output Takes Looooong!!!

    What is the meaning of the 'if-authenticated' keyword in AAA statements?

    Regards,

    Krishna
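
Added example, not part of any post in this thread: a simplified Python model of how IOS walks an AAA method list, run against the aaa lines quoted in the first post. It shows that with the server unreachable each command authorization first waits for the TACACS+ attempt to time out before `if-authenticated` answers, while a reject from a reachable server is final and triggers no fallback. The function names, the `local_ok` simplification and the 5-second per-attempt wait are assumptions of this example.

```python
import re

# Constructed sample: the aaa method-list lines quoted in the first post.
CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

LINE = re.compile(r"^aaa (authentication|authorization) (\S+(?: \d+)?) (\S+) (.+)$")

def parse_method_lists(config):
    """Map (service, type, list name) to its ordered methods."""
    lists = {}
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if m:
            service, kind, name, methods = m.groups()
            lists[(service, kind, name)] = methods.replace("group ", "group:").split()
    return lists

def evaluate(methods, server, authenticated=True, local_ok=True, timeout_s=5):
    """Walk a method list: only an ERROR (no answer) moves on to the next method;
    a PASS or FAIL is final. server is 'permit', 'reject' or 'unreachable'.
    timeout_s is an assumed per-attempt wait, not a value taken from the thread.
    Returns (result, deciding method, seconds spent waiting)."""
    waited = 0
    for method in methods:
        if method.startswith("group:"):
            if server == "unreachable":
                waited += timeout_s          # ERROR: wait out the timeout, fall through
                continue
            return ("PASS" if server == "permit" else "FAIL", method, waited)
        if method == "if-authenticated":     # permit whoever already authenticated
            return ("PASS" if authenticated else "FAIL", method, waited)
        if method in ("local", "enable"):    # simplified: local check always answers
            return ("PASS" if local_ok else "FAIL", method, waited)
    return ("FAIL", None, waited)            # every method errored

if __name__ == "__main__":
    for key, methods in parse_method_lists(CONFIG).items():
        for state in ("permit", "reject", "unreachable"):
            print(key, state, evaluate(methods, state))
```

Set `timeout_s` to the TACACS+ timeout configured on the device to estimate the wait added to each authorized command while the server is down.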
