[167836] in North American Network Operators' Group
Re: The state of TACACS+
daemon@ATHENA.MIT.EDU (Javier Henderson)
Mon Dec 30 19:05:22 2013
From: Javier Henderson <javier@kjsl.org>
In-Reply-To: <CAAAwwbXt69e=TqYif=jXLPcOMPBwG_Fu5R3TDhZ-8LXS7Rwt5Q@mail.gmail.com>
Date: Mon, 30 Dec 2013 19:05:04 -0500
To: Jimmy Hess <mysidia@gmail.com>
Cc: nanog list <nanog@nanog.org>
On Dec 30, 2013, at 6:42 PM, Jimmy Hess <mysidia@gmail.com> wrote:
> How do you feel about having to wait 30 seconds between every command you enter to troubleshoot, to fail to the second server, if the TACACS or RADIUS system is nonresponsive, because the dumb router can't remember which TACACS servers are up and which ones are down, and always tries the first one in the list first? At least RADIUS has the concept of a "dead timer" :)
Are you talking about Cisco routers? The default timeout value for TACACS+ is five seconds, so I'm not sure where you're coming up with thirty seconds, unless you have seven servers listed on the router and the first six are dead/unreachable.
-jav