January 24, 2005
Entire Train - 12.2JA, 12.2(15)XR and 12.3JA
When using the web GUI to manage an IOS access point such as the AP350, AP1100, or AP1200, and when using TACACS+ to authenticate the HTTP accesses, the access point will send numerous authentication requests to the TACACS+ server for each web page accessed.
If the TACACS+ server is able to keep up with the extreme authentication load, then authentication will succeed. If the TACACS+ server, or network path to the server, is not able to keep up with the load, then authentication requests may intermittently fail.
Another impact is that, if one-time password (OTP) authentication is being used, authentication will tend to fail. This is because access to a single web page generates many separate authentication requests to the TACACS+ server, but only the first will pass authentication, as the one-time password can only be used once.
All IOS versions:
For HTTP authentication, it is recommended to use local authentication.
If an external AAA server must be used, the RADIUS protocol is recommended. The RADIUS server will still be subjected to the multiple authentication requests, but RADIUS is more scalable than TACACS+ and so should provide a less adverse performance impact.
If you must use TACACS+, and have a Cisco ACS server, then use the single-connection keyword on the tacacs-server host command. This spares the ACS server most of the TCP connection setup / teardown overhead and should reduce the load on the server.
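The three recommendations above, written out as IOS access point configuration. This is an added example, not configuration from the field notice; the server addresses, list names and shared secrets are constructed placeholders, and only one of the three options should be applied on a given access point.

```text
! Added example (not from the field notice). Hypothetical IOS AP configuration;
! 10.0.0.5, 10.0.0.6 and the secrets are constructed placeholders. Pick ONE option.
!
! Option 1 (recommended): authenticate the web GUI locally, so the many per-page
! HTTP authentications are answered on the access point and never reach a server.
aaa new-model
username admin privilege 15 secret <local-password>
ip http server
ip http authentication local
!
! Option 2: if an external AAA server is required, use RADIUS. The server still
! sees one request per HTTP access, but RADIUS handles the volume better.
aaa new-model
aaa authentication login default group radius local
radius-server host 10.0.0.5 auth-port 1645 acct-port 1646 key <radius-secret>
ip http server
ip http authentication aaa
!
! Option 3: TACACS+ against a Cisco ACS server, with single-connection so the AP
! reuses one TCP session to ACS instead of opening and tearing one down per request.
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.0.0.6 single-connection
tacacs-server key <tacacs-secret>
ip http server
ip http authentication aaa
```

Two points to check before applying this. First, in these IOS releases `ip http authentication aaa` uses the default login method list, so the `aaa authentication login default` line in options 2 and 3 also governs console and vty logins; the trailing `local` keeps a way in if the server is unreachable. Second, options 2 and 3 lower the per-request cost on the server but do not reduce the number of authentication requests the access point generates, so neither addresses the one-time-password failure described above.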
IOS Access Point bombards TACACS+ server with requests
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: