AAA Server not Reachable and Command Output Takes Looooong!!!

Hello fellow networkers!!!
I'd like your input on the following situation I am experiencing. When testing authentication failover (AAA fails, local authentication is used), there seems to be a crazy delay in seeing command output. Here's the configuration:

SW1#sh run | i username|aaa|tacacs
username Admin-15 privilege 15 secret 5 **********
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa session-id common
tacacs-server host 192.168.1.200 key *******
tacacs-server directed-request

The server is disconnected from the network, so it is no longer reachable. In this case, I am able to log in with the local user Admin-15 but:

SW1#sh ip int b | ex unas
Interface              IP-Address      OK? Method Status                Protocol 
Vlan50                192.18.1.1         YES NVRAM  up                    up   

The below command took about 20 seconds before displaying its output. There is no login delay command, plus I am already logged in, but I cannot understand why local authentication causes such a long delay in command output display.

Any ideas?

Thanks in advance

Comments

  • aaa authorization config-commands
    aaa authorization exec default group tacacs+ local 
    aaa authorization commands 1 default group tacacs+ if-authenticated 
    aaa authorization commands 15 default group tacacs+ if-authenticated

    If you remove those commands, the switch will not check against the TACACS server for authorization. Right now, even though it is disconnected, your switch still consults the TACACS server to see if you have the privilege to run the commands or not.

    If you don't want to remove them, go to conf t mode, then run your commands from there.

  • What is the meaning of 'if-authenticated' keyword in AAA statements?
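
Added example (not part of the thread and not any poster's code): a Python audit of the AAA lines from the posted configuration that reports which method lists send every typed command to the TACACS+ group first, and which fallback applies once the server fails to answer. The function names and the embedded sample config are constructed for illustration.

```python
import re

# Constructed sample: the AAA lines from the post's "sh run" output, key redacted.
RUNNING_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host 192.168.1.200 key REDACTED
"""

# aaa <service> <type> [privilege level] <list name> <method> [<method> ...]
METHOD_LIST = re.compile(
    r"^aaa (authentication|authorization) (\S+)(?: (\d+))? (\S+) (.+)$")

def parse_methods(tokens):
    """Fold 'group <name>' into a single method; other keywords stand alone."""
    methods, i = [], 0
    while i < len(tokens):
        step = 2 if tokens[i] == "group" and i + 1 < len(tokens) else 1
        methods.append(" ".join(tokens[i:i + step]))
        i += step
    return methods

def audit(config):
    """One record per AAA method list found in the configuration text."""
    findings = []
    for line in map(str.strip, config.splitlines()):
        m = METHOD_LIST.match(line)
        if not m:
            continue
        service, kind, level, _list_name, rest = m.groups()
        methods = parse_methods(rest.split())
        remote_first = methods[0].startswith("group ")
        findings.append({
            "line": line,
            "per_command": (service, kind) == ("authorization", "commands"),
            "level": int(level) if level else None,
            "remote_first": remote_first,
            # Later methods are tried only when the earlier one gives no
            # response; if-authenticated then permits an authenticated user.
            "fallback": methods[1:] if remote_first else [],
        })
    return findings

def waits_on_server_per_command(config):
    """Lists that send every typed command to the server group first."""
    return [f for f in audit(config) if f["per_command"] and f["remote_first"]]
```

On the posted configuration this flags the two `aaa authorization commands` lists (levels 1 and 15), each with `if-authenticated` as the only fallback.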
