Cisco Access points DOSing TACACS+ servers


Strike First Strike Hard
CSCeb52431 Bug Details 
Headline  IOS Access Point bombards TACACS+ server with requests 
Product  ap350, ap1100, ap1200 
Component  aaa    
Severity  3  Severity 
First Found-in Version  12.2(8)JA, 12.2(15)JA   
First Fixed-in Version    None


When using the web GUI to manage an IOS access point
(AP350, AP1100, AP1200, etc.), and when using TACACS+ to authenticate
the HTTP accesses, the AP will send dozens or hundreds of
authentication requests to the TACACS+ server for each web
page accessed.


If the TACACS+ server is able to keep up with the extreme
authentication load, then authentication will succeed. If the
TACACS+ server (or network path to the server) is not able to
keep up with the load, then authentication requests may intermittently

Another impact is that, if one-time password (OTP) authentication
is being used, authentication will tend to fail. This is because
access to the single web page will generate many separate authentication
requests to the TACACS+ server, but only the first will pass
authentication (as the password can only be used once.)

Root cause:

The IOS HTTP/AAA implementation requires that each separate HTTP
connection be independently authenticated. The wireless IOS GUI
involves many dozens of separate files being referenced within a
single web page (e.g. Javascript and GIF). Thus, loading a single
page in the wireless IOS GUI can result in dozens and dozens of
separate authentication/authorization requests hitting the TACACS+

Workaround (all IOS versions):

For HTTP authentication, it is recommended to use RADIUS or local
authentication. The RADIUS server will still be subjected to the
multiple authentication requests, but RADIUS is more scalable than
TACACS+ and so this should provide a less adverse performance impact.

If you must use TACACS+, and have a Cisco ACS server, then use the
"single-connection" tacacs-server keyword. This spares the ACS
server most of the TCP connection setup / teardown overhead and
should reduce the load on the server somewhat.


Strike First Strike Hard
junglizm said:
Time to check the Aironets. :(
I'm a big Cisco guy for Routing switching and PIX. But Jung, keep your eye on Aruba Networks for wireless. Aironet is some great stuff, but not as scaleable. Aruba has a whole other approach. To coin a phrase they're "Mad scaleable" "mad secure".

I'm working on a Solo consulting project that involves Aruba. The most recent on e involves 664 AP's strewn across a university campus in Mass. Their competition gave them a design of almost 3000 AP's.

High security + Central management (GUI + CMD line) + Rogue AP Detection/Destruction = WoooHooo!!!


We were using Radius on almost all of our APs (at least the ones I'm concerned with.), I thought I remembered us using TACACs though. Hmm, I guess it wasn't a production thing.

Thanks for the heads up on Aruba, I'll look into that.