[167838] in North American Network Operators' Group
Re: The state of TACACS+
daemon@ATHENA.MIT.EDU (Jimmy Hess)
Mon Dec 30 19:29:58 2013
In-Reply-To: <2BFFCCA1-9110-47C2-A8EF-C3D81802016E@kjsl.org>
Date: Mon, 30 Dec 2013 18:28:44 -0600
From: Jimmy Hess <mysidia@gmail.com>
To: Javier Henderson <javier@kjsl.org>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, Dec 30, 2013 at 6:05 PM, Javier Henderson <javier@kjsl.org> wrote:
>
> Are you talking about Cisco routers? The default timeout value for TACACS+
> is five seconds, so I'm not sure where you're coming up with thirty
> seconds, unless you have seven servers listed on the router and the first
> six are dead/unreachable.
>
Even 5 seconds extra for each command may hinder operators, to the extent
it would be intolerable; shell commands should run almost
instantaneously... this is not a GUI with an hourglass. Real-time
responsiveness in a shell is crucial --- which remote auth should not
change. Sometimes operators paste a buffer with a fair number of
commands, not expecting a second delay between each command --- a
repeated delay may also break a pasted sequence.
It is very possible for two of three auth servers to be unreachable, in
case of a network break, but that isn't necessary. The "response
timeout" might be 5 seconds, but in reality, there are cases where you
would wait longer, and that is tragic, since there are some obvious
alternative approaches that would have had results that would be more
'friendly' to the interactive user.
(Like remembering which server is working for a while, or remembering
that all servers are down -- for a while, and having a 50ms timeout,
with all servers queried in parallel, instead of a 5 seconds timeout)
> -jav
--
-JH
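The alternative policy sketched in the message above (remember which server is working for a while, remember that all servers are down for a while, probe all servers in parallel with a short timeout instead of walking the list with a 5-second timeout each) can be expressed as a small client-side selection routine. The following is an added example written for this archive page; it is not code from the thread, from Cisco IOS, or from any TACACS+ implementation. It assumes a `probe(server)` callable that stands in for the real TACACS+ exchange (returning True on a reply, raising on connection failure), and the server addresses and the 60-second memory window are constructed values.

```python
"""Client-side auth-server selection with parallel probes and failure memory.

Added illustration of the policy discussed on the NANOG thread; the
server list, the probe stand-in and the timing constants are all constructed.
"""
import time
from concurrent.futures import FIRST_COMPLETED, ThreadPoolExecutor, wait


class AuthServerSelector:
    def __init__(self, servers, probe, timeout=0.05, remember_for=60.0,
                 clock=time.monotonic):
        self.servers = list(servers)
        self.probe = probe              # probe(server) -> True if it answers; raises on failure
        self.timeout = timeout          # seconds to wait for *any* server (50 ms here)
        self.remember_for = remember_for  # how long a verdict is trusted
        self.clock = clock              # injectable so the memory window can be tested
        self.preferred = None           # last server known to answer
        self.preferred_until = 0.0
        self.all_down_until = 0.0       # while in the future, skip remote auth at once

    def _query_all(self):
        """Probe every server in parallel; return the first responder, or None
        if nobody answers within self.timeout (wall-clock, not the injected clock)."""
        pool = ThreadPoolExecutor(max_workers=len(self.servers))
        futures = {pool.submit(self.probe, s): s for s in self.servers}
        deadline = time.monotonic() + self.timeout
        pending = set(futures)
        winner = None
        while pending and winner is None:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            done, pending = wait(pending, timeout=remaining, return_when=FIRST_COMPLETED)
            for fut in done:
                try:
                    if fut.result():
                        winner = futures[fut]
                        break
                except Exception:      # dead/refused server: just keep waiting on the others
                    pass
        # Do not block on servers that are still hanging; abandon them.
        pool.shutdown(wait=False, cancel_futures=True)
        return winner

    def select(self):
        """Return the server to send this request to, or None to fall back to
        local auth immediately (no per-command 5 s stall)."""
        now = self.clock()
        if now < self.all_down_until:
            return None
        if self.preferred is not None and now < self.preferred_until:
            return self.preferred
        server = self._query_all()
        if server is None:
            self.all_down_until = now + self.remember_for
            self.preferred = None
        else:
            self.preferred = server
            self.preferred_until = now + self.remember_for
        return server

    def report_failure(self, server):
        """Forget a remembered server once a real request to it fails."""
        if server == self.preferred:
            self.preferred = None
            self.preferred_until = 0.0


def make_probe(status):
    """Constructed stand-in for the TACACS+ exchange: 'ok' answers at once,
    'dead' refuses, 'hang' never answers within the selector's timeout."""
    def probe(server):
        kind = status[server]
        if kind == "ok":
            return True
        if kind == "dead":
            raise ConnectionRefusedError(server)
        time.sleep(0.5)                # 'hang': well past the 50 ms budget
        return True
    return probe


def demo():
    # Constructed lab addresses, not real servers.
    status = {"192.0.2.1": "hang", "192.0.2.2": "dead", "192.0.2.3": "ok"}
    sel = AuthServerSelector(status, make_probe(status))
    start = time.monotonic()
    chosen = sel.select()
    return chosen, time.monotonic() - start


if __name__ == "__main__":
    server, elapsed = demo()
    print(f"chose {server} after {elapsed * 1000:.1f} ms")
```

With one hanging server, one refusing and one healthy, the first call returns the healthy server in well under the 50 ms budget rather than after a 5 s timeout on each dead entry; subsequent calls return it without probing until the memory window lapses, and once every server has stopped answering the selector returns None immediately for the rest of the window so the operator's pasted command sequence is not stalled once per line.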