The state of TACACS+

Jimmy Hess mysidia at
Tue Dec 31 00:28:44 UTC 2013

On Mon, Dec 30, 2013 at 6:05 PM, Javier Henderson <javier at> wrote:

> Are you talking about Cisco routers? The default timeout value for TACACS+
> is five seconds, so I’m not sure where you’re coming up with thirty
> seconds, unless you have seven servers listed on the router and the first
> six are dead/unreachable.

Even 5 seconds extra for each command may hinder operators, to the extent
it would be intolerable; shell commands should run almost
instantaneously. This is not a GUI with an hourglass. Real-time
responsiveness in a shell is crucial, which remote auth should not
change. Sometimes operators paste a buffer with a fair number of
commands, not expecting a second delay between each command; a
repeated delay may also break a pasted sequence.

It is very possible for two of three auth servers to be unreachable, in
case of a network break, but that isn't necessary. The "response
timeout" might be 5 seconds, but in reality there are cases where you
would wait longer, and that is tragic, since there are some obvious
alternative approaches that would have had results that would be more
'friendly' to the interactive user.

(Like remembering which server is working for a while, or remembering
that all servers are down for a while, and having a 50ms timeout,
with all servers queried in parallel, instead of a 5 second timeout.)
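The server-selection strategy sketched in the parenthetical above (remember the last server that answered, remember that every server is down for a while, and otherwise query all servers in parallel with a short timeout) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not code from the poster, from any NANOG contributor, or from any TACACS+ implementation. The `query_fn` callable standing in for a real TACACS+ authorization exchange, the `AuthServerCache` class, and the constructed fake servers in the usage section are all assumptions made for the example; a real device would plug its TACACS+ client into `query_fn` and apply its own configured fallback policy (for instance a local user database) when `authorize` returns `None`.

```python
"""Latency-aware AAA server selection (illustrative model, not a real TACACS+ client).

Behaviour demonstrated:
  * the last server that answered is tried first ("remember which server works");
  * servers that fail to answer within `timeout` are marked down for `down_ttl`
    seconds and not queried again until that expires;
  * when every server is marked down, calls fail fast for `down_ttl` seconds
    instead of blocking each command on a full timeout.
"""
import time
from concurrent.futures import ThreadPoolExecutor, wait


class AuthServerCache:
    def __init__(self, servers, query_fn, timeout=0.05, down_ttl=30.0, now=time.monotonic):
        self.servers = list(servers)
        # query_fn(server, request) -> decision (True/False); assumed to block
        # until the server answers, or raise if the server is unreachable.
        self.query_fn = query_fn
        self.timeout = timeout          # how long to wait for an answer (50 ms here)
        self.down_ttl = down_ttl        # how long a non-answering server is skipped
        self.now = now                  # injectable clock (monotonic seconds)
        self.preferred = None           # last server that answered in time
        self.down_until = {}            # server -> monotonic time it may be retried
        self.all_down_until = 0.0       # while now < this, fail fast without querying

    def _alive(self):
        t = self.now()
        return [s for s in self.servers if self.down_until.get(s, 0.0) <= t]

    def _query(self, candidates, request):
        """Ask every candidate in parallel and wait at most `timeout` in total.

        Returns a list of (server, decision) for the servers that answered.
        Anything that timed out or raised is marked down for `down_ttl` seconds.
        """
        pool = ThreadPoolExecutor(max_workers=len(candidates))
        futures = {pool.submit(self.query_fn, s, request): s for s in candidates}
        done, not_done = wait(futures, timeout=self.timeout)
        pool.shutdown(wait=False)       # do not block on the stragglers
        t = self.now()
        answered = []
        for f in done:
            server = futures[f]
            if f.exception() is None:
                answered.append((server, f.result()))
            else:
                self.down_until[server] = t + self.down_ttl
        for f in not_done:
            self.down_until[futures[f]] = t + self.down_ttl
        return answered

    def authorize(self, request):
        """Return the first decision obtained, or None if no server answered in time."""
        t = self.now()
        if t < self.all_down_until:
            return None                 # everything was down recently: fail fast
        # 1. Try the server that worked last time, alone, before fanning out.
        if self.preferred is not None and self.down_until.get(self.preferred, 0.0) <= t:
            answered = self._query([self.preferred], request)
            if answered:
                return answered[0][1]
            self.preferred = None       # it just timed out; fall through to the fan-out
        # 2. Fan out to every server not currently marked down.
        alive = self._alive()
        if not alive:
            self.all_down_until = t + self.down_ttl
            return None
        answered = self._query(alive, request)
        if not answered:
            self.all_down_until = self.now() + self.down_ttl
            return None
        server, decision = answered[0]
        self.preferred = server         # remember who answered for next time
        return decision


if __name__ == "__main__":
    # Constructed fake servers: "a" never answers in time, "b" and "c" answer at once.
    def fake_query(server, request):
        if server == "a":
            time.sleep(1.0)
        return request == "show version"

    cache = AuthServerCache(["a", "b", "c"], fake_query, timeout=0.2)
    start = time.monotonic()
    print(cache.authorize("show version"), "via", cache.preferred,
          "in %.3fs" % (time.monotonic() - start))
    start = time.monotonic()
    print(cache.authorize("reload"), "via", cache.preferred,
          "in %.3fs" % (time.monotonic() - start))
```

The first call fans out to all three servers and returns as soon as the timeout elapses, having marked `a` down; the second call goes only to the remembered server and returns immediately. The remaining worker thread for `a` is left to finish on its own rather than being waited on, which is the whole point of the parallel, short-timeout approach.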

