New Contributor

ClearPass TACACS+ timeout

I'm working on an integration of CPPM with Duo for multi-factor authentication, and for the most part everything seems to be working as intended. The problem I'm running into at the moment is that there appears to be a 10 second timeout for TACACS+ authentication. The flow at the moment is that the switch accepts username and password, then sends to CPPM, which in turn sends to Duo proxy for authentication.

 

- I've set the timeout on the switch (Cisco 3560-CX) to 30 seconds, and set the timeout in Duo to 30 seconds.

- The set timeouts work fine for RADIUS, only the TACACS+ service seems to still have this 10 second timeout. Generally 10 seconds is fine, however, if someone has their phone in their pocket it can easily be 10 seconds to pull out the phone, unlock it, open the prompt and accept, so it would be best if we could turn this up to at least 15 - 20 seconds.

- When it times out, the failure reason is recorded by CPPM as below:

Error Category: Internal error
Error Code: Internal error in performing authentication
Alerts for this Request:
Tacacs serverSession failed for Host=http://localhost:8080/networkservices/webauthservice/BasicAuthentication, Reason=[post::<easy_perform>, (error=28) Timeout was reached].
Failed to authenticate user=

Guru Elite

Re: ClearPass TACACS+ timeout

New Contributor

Re: ClearPass TACACS+ timeout

Thank you for that! Looks like we need to update CPPM.
