Cisco Bug: CSCvu06641 - tacacs+ single connection packet flow

Last Modified

Sep 10, 2020

Products (63)

  • Cisco IOS
  • Cisco Catalyst 9300-48UXM-A Switch
  • Cisco Catalyst 9300-48U-A Switch
  • Cisco Catalyst 9300-48P-A Switch
  • Cisco Catalyst 9300L Switch Stack
  • Cisco Catalyst 9300L-48P-4G-E Switch
  • Cisco Catalyst 9300L-48P-4X-A Switch
  • Cisco Catalyst 9300-48T-A Switch
  • Cisco Catalyst 9800-40 Wireless Controller
  • Cisco Catalyst C9500-16X-E Switch

Known Affected Releases

16.12.1

Description (partial)

Symptom:
The single-connection flag is not set on the first authentication packet sent by the switch. The AAA server's response sets this flag, but the switch never sets the flag to establish the single connection as per draft-ietf-opsawg-tacacs-08.


For command authorization we see new connections (a new TCP three-way handshake each time), but accounting and shell authorization work over the same existing connection (no three-way handshake).

Conditions:
The switch and the AAA server are both configured for single connection.

Switch configuration:
tacacs server ISE-TEST
 address ipv4  x.x.x.x
 key 7 <removed>
 timeout 1
 single-connection
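
To confirm this symptom from a packet capture, the following added example (not part of the Cisco bug record) parses the 12-byte TACACS+ header and reports whether each side set the single-connection flag (0x04) on its first packet of a TCP connection. The function names and the sample packets are constructed for illustration, and it assumes the TCP payloads have already been extracted from the capture in order.

```python
import struct

# Fixed 12-byte TACACS+ header: version, type, seq_no, flags, session_id, length.
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
TYPES = {1: "authen", 2: "author", 3: "acct"}

def parse_header(data):
    """Parse the TACACS+ header at the start of one packet."""
    if len(data) < 12:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", data[:12])
    if version >> 4 != 0xC:
        raise ValueError("major version is not 0xc, not TACACS+")
    return {"type": TYPES.get(ptype, "unknown"), "seq_no": seq_no,
            "single": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
            "session_id": session_id, "length": length}

def check_connection(packets):
    """packets: [(sender, raw_bytes)] for ONE TCP connection, in order.
    sender is 'client' (the switch) or 'server' (the AAA server).
    Single-connection mode needs the flag on the first packet of each side."""
    first = {}
    sessions = set()
    for sender, raw in packets:
        hdr = parse_header(raw)
        sessions.add(hdr["session_id"])
        first.setdefault(sender, hdr["single"])
    client = first.get("client", False)
    server = first.get("server", False)
    return {"client_offered": client, "server_offered": server,
            "negotiated": client and server,
            "sessions": len(sessions)}  # >1 means the connection was reused

def make(ptype, seq_no, flags, session_id):
    """Build a constructed header-only sample packet (body length 0)."""
    return struct.pack("!BBBBII", 0xC1, ptype, seq_no, flags, session_id, 0)

# Constructed sample matching the symptom: the switch omits the flag.
AFFECTED = [("client", make(1, 1, 0x00, 0x1111)),
            ("server", make(1, 2, 0x04, 0x1111))]
# Constructed sample of a negotiated connection carrying two sessions.
NEGOTIATED = [("client", make(1, 1, 0x04, 0x1111)),
              ("server", make(1, 2, 0x04, 0x1111)),
              ("client", make(2, 1, 0x00, 0x2222)),
              ("server", make(2, 2, 0x00, 0x2222))]

if __name__ == "__main__":
    print(check_connection(AFFECTED))
    print(check_connection(NEGOTIATED))
```

A connection where `server_offered` is true but `client_offered` is false matches the behaviour described in the symptom.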