WTF ... IS WTF!?
We are a collective of people who believe in freedom of speech, the rights of individuals, and free pancakes! We share our lives, struggles, frustrations, successes, joys, and prescribe to our own special brand of humor and insanity. If you are looking for a great place to hang out, make new friends, find new nemeses, and just be yourself, WTF.com is your new home.

Cisco Access points DOSing TACACS+ servers

MaxPower

You're my number two
Staff
16,824
3,338
487
#1
Code:
CSCeb52431 Bug Details 
   
 
Headline  IOS Access Point bombards TACACS+ server with requests 
Product  ap350, ap1100, ap1200 
Component  aaa    
Severity  3  Severity 
First Found-in Version  12.2(8)JA, 12.2(15)JA   
First Fixed-in Version    None
Symptom:

When using the web GUI to manage an IOS access point
(AP350, AP1100, AP1200, etc.), and when using TACACS+ to authenticate
the HTTP accesses, the AP will send dozens or hundreds of
authentication requests to the TACACS+ server for each web
page accessed.

Impact:

If the TACACS+ server is able to keep up with the extreme
authentication load, then authentication will succeed. If the
TACACS+ server (or network path to the server) is not able to
keep up with the load, then authentication requests may intermittently
fail.

Another impact is that, if one-time password (OTP) authentication
is being used, authentication will tend to fail. This is because
access to the single web page will generate many separate authentication
requests to the TACACS+ server, but only the first will pass
authentication (as the password can only be used once.)

Root cause:

The IOS HTTP/AAA implementation requires that each separate HTTP
connection be independently authenticated. The wireless IOS GUI
involves many dozens of separate files being referenced within a
single web page (e.g. Javascript and GIF). Thus, loading a single
page in the wireless IOS GUI can result in dozens and dozens of
separate authentication/authorization requests hitting the TACACS+
server.

Workaround (all IOS versions):

For HTTP authentication, it is recommended to use RADIUS or local
authentication. The RADIUS server will still be subjected to the
multiple authentication requests, but RADIUS is more scalable than
TACACS+ and so this should provide a less adverse performance impact.

If you must use TACACS+, and have a Cisco ACS server, then use the
"single-connection" tacacs-server keyword. This spares the ACS
server most of the TCP connection setup / teardown overhead and
should reduce the load on the server somewhat.
 

MaxPower

You're my number two
Staff
16,824
3,338
487
#3
junglizm said:
Time to check the Aironets. :(
I'm a big Cisco guy for Routing switching and PIX. But Jung, keep your eye on Aruba Networks for wireless. Aironet is some great stuff, but not as scaleable. Aruba has a whole other approach. To coin a phrase they're "Mad scaleable" "mad secure".

http://www.arubanetworks.com

I'm working on a Solo consulting project that involves Aruba. The most recent on e involves 664 AP's strewn across a university campus in Mass. Their competition gave them a design of almost 3000 AP's.

High security + Central management (GUI + CMD line) + Rogue AP Detection/Destruction = WoooHooo!!!
 

Jung

???
Premium
13,970
1,391
487
#4
We were using Radius on almost all of our APs (at least the ones I'm concerned with.), I thought I remembered us using TACACs though. Hmm, I guess it wasn't a production thing.

Thanks for the heads up on Aruba, I'll look into that.