|Applies To||RSA ACE/Server 5.1 (no longer supported as of 7-14-2006)|
RSA ACE/Server 5.2
UNIX (AIX, HP-UX, Solaris)
|Issue||TACACS+ enable causes delay in authentication|
When authentication is pointed to the primary and the primary is sending TACACS API requests to the replica machines, users can see TACACS+ enable requests that take too long to be accepted, causing an authentication failure.
Error: "Error in Authentication" in RSA ACE/Server
Nothing in RSA ACE/Server logs
The initial SecurID-protected connection succeeds when authenticating via TACACS+, but enable mode via TACACS+ fails
|Cause||A legacy TACACS+ check is enabled by default that compares the user attempting to connect to enable mode with admin rights on the ACE/Server. This check slows down authentication and causes it to fail from a timeout. This timeout is not the TACACS_TIMEOUT, however.|
|Resolution||The sdtacplus.arg file must be modified to eliminate the check. The admin check option is enabled by default. To skip the admin check, edit the sdtacplus.arg file and uncomment the following option:|
NOTE: When this option is uncommented, you will need to remove any preceding spaces on that line or the option will not be recognized. Also, stop and start your TACACS+ daemon for the new change to take effect.
|Legacy Article ID||a16357|