Cisco Aironet 1200 Series

Field Notice: IOS Access Point Bombards TACACS+ Server with Requests


January 24, 2005


Products Affected

Entire train: all releases in the 12.2JA, 12.2(15)XR and 12.3JA trains

Problem Description

When the web GUI is used to manage an IOS access point such as the AP350, AP1100, or AP1200, and TACACS+ is used to authenticate the HTTP accesses, the access point sends numerous authentication requests to the TACACS+ server for each web page accessed.

Background

The IOS HTTP/AAA implementation requires that each separate HTTP connection be independently authenticated. A single page of the wireless IOS GUI references several separate files, such as JavaScript and GIF files, and the browser fetches each of them over its own HTTP connection. Loading one page in the wireless IOS GUI can therefore generate numerous separate authentication/authorization requests against the TACACS+ server.

Problem Symptoms

If the TACACS+ server is able to keep up with the extreme authentication load, then authentication will succeed. If the TACACS+ server, or network path to the server, is not able to keep up with the load, then authentication requests may intermittently fail.

Another impact is that, if one-time password (OTP) authentication is being used, authentication will generally fail. Access to a single web page generates many separate authentication requests to the TACACS+ server, but only the first can pass authentication, because the password is valid for exactly one use; the remaining requests for that page are rejected.

Workaround/Solution

All IOS versions:

For HTTP authentication, it is recommended to use local authentication.

If an external AAA server must be used, the RADIUS protocol is recommended. The RADIUS server will still receive the multiple authentication requests, but RADIUS runs over UDP and does not incur a TCP connection setup and teardown for every request, so it scales better than TACACS+ and the performance impact should be smaller.

If you must use TACACS+, and have a Cisco ACS server, then use the single-connection keyword on the tacacs-server host command. This keeps one TCP session open to the ACS server instead of opening a new one per request, which spares the server most of the TCP connection setup/teardown overhead and should reduce its load.
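The three workarounds above, written out as IOS access point configuration. This is an added example, not configuration from the field notice or from Cisco; the server addresses (RFC 5737 documentation ranges), shared secrets, usernames and AAA group names are placeholders chosen for illustration. Apply only the one option that matches your deployment.

```cisco
! Added example, not part of the field notice. 192.0.2.10, 192.0.2.20, the
! secrets and the group names AP-RADIUS / AP-TACACS are placeholders.
!
! --- Option 1 (recommended): authenticate the web GUI against the local database ---
username admin privilege 15 secret <strong-password>
ip http server
ip http authentication local
!
! --- Option 2: RADIUS (UDP; no per-request TCP handshake) ---
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <radius-secret>
aaa group server radius AP-RADIUS
 server 192.0.2.10 auth-port 1812 acct-port 1813
! "local" at the end keeps the GUI reachable if the server is down
aaa authentication login default group AP-RADIUS local
ip http authentication aaa
!
! --- Option 3: TACACS+ against Cisco ACS ---
! Weak form (commented out): a new TCP connection is opened and torn down for
! every embedded file the GUI page references.
!   tacacs-server host 192.0.2.20 key <tacacs-secret>
!
! Corrected form: hold one persistent TCP session to the ACS server.
aaa new-model
tacacs-server host 192.0.2.20 single-connection key <tacacs-secret>
aaa group server tacacs+ AP-TACACS
 server 192.0.2.20
aaa authentication login default group AP-TACACS local
ip http authentication aaa
```

To confirm which option is in effect and what the server sees, check `show running-config | include http authentication` on the access point, and on the TACACS+ path compare the socket open/close counters reported by `show tacacs` before and after loading one GUI page: with single-connection the open count should stay flat across the page's embedded files rather than climbing by one per file. Whichever option you pick, the per-file authentication requests do not go away; only their cost to the server changes, so OTP credentials remain unsuitable for GUI logins on these releases.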

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS          Description
CSCeb52431    IOS Access Point bombards TACACS+ server with requests

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.