000020383 - TACACS+ enable causes delay in authentication

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000020383
Applies ToRSA ACE/Server 5.1 (no longer supported as of 7-14-2006)
RSA ACE/Server 5.2
UNIX (AIX, HP-UX, Solaris)
TACACS+
IssueTACACS+ enable causes delay in authentication
When authentication is pointed to the primary and the primary is sending TACACS API requests to the replica machines, user can have TACACS+ enable requests that take too long for accepts, causing an authentication failure.
Error: "Error in Authentication" in RSA ACE/Server
Nothing in RSA ACE/Server logs
Initial SecurID protected connection works successfully when authentication by TACACS+, but enable mode via TACACS+ is failing
CauseA legacy TACACS+ check is enabled by default to compare the user attempting to connect to enable mode with admin rights on the ACE/Server. This is creating a slowdown in the authentication and is causing a failure in the authentication from a timeout. This is not the TACACS_TIMEOUT however.
ResolutionThe Sdtacplus.arg file must be modified to eliminate the check. The admin check option is enabled by default. To skip the admin check, modify the sdtacplus.arg file and uncomment the following option:

-E0

NOTE: When this option is uncommented, you will need to remove any preceding spaces on that line or the option will not be recognized. Also, stop and start your TACACS+ daemon for the new change to take effect.
Legacy Article IDa16357

Attachments

    Outcomes