Q: How does ClearPass handle TACACS Single-Connection?
A: What is Single Connection?
The single-connection keyword specifies a single connection. Rather than have the router/switch open and close a TCP connection to the server each time it must communicate, the single-connection option maintains a single open connection between the router/switch and the server.
How does ClearPass handle Single Connection?
In ClearPass, TACACS single connection is decided based on the flag set by the NAS in its TACACS+ request towards CPPM. It is not configurable in CPPM.
The single-connection flag:
TAC_PLUS_SINGLE_CONNECT_FLAG := 0x04
If a NAS sets the single connection bit to 1, this indicates that it supports multiplexing TACACS+ sessions over a single TCP connection. The flag need only be examined on the first two packets of any given connection, since the single-connect status of a connection, once established, should not be changed. If a different mode is required, the connection must be closed and a new one opened.
TACACS+ capture to show Single Connect flag enabled:
The TACACS+ capture below shows the Single Connect flag 0x04 set on a TACACS+ authentication request from the NAS:
No. Time Source Destination Protocol Info
4 0.051613 10.201.xxx.xxx 10.201.xxx.xxx TACACS+ Q: Authentication
TACACS+
Major version: TACACS+
Minor version: 1
Type: Authentication (1)
Sequence number: 1
Flags: 0x04 (Encrypted payload, Single connection)
.... ...0 = Unencrypted: Not set
.... .1.. = Single Connection: Set
Session ID: 1263368817
Packet length: 35
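The header check described above, as an added Python example (not ClearPass or Aruba code): it decodes the 12-byte TACACS+ header and decides single-connection mode from the first two packets of a connection only. The function names, the constructed reply and later packet, and the RFC 8907 rule that both sides must set the flag are assumptions not stated on this page.

```python
import struct
from typing import NamedTuple

TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04   # value given on this page
HEADER = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, length

class TacacsHeader(NamedTuple):
    major: int
    minor: int
    ptype: int
    seq_no: int
    flags: int
    session_id: int
    length: int

    @property
    def single_connect(self) -> bool:
        return bool(self.flags & TAC_PLUS_SINGLE_CONNECT_FLAG)

def parse_header(data: bytes) -> TacacsHeader:
    """Decode the fixed 12-byte TACACS+ header at the start of a packet."""
    if len(data) < HEADER.size:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    major, minor = version >> 4, version & 0x0F
    if major != 0xC:
        raise ValueError(f"not TACACS+ (major version {major:#x})")
    return TacacsHeader(major, minor, ptype, seq_no, flags, session_id, length)

def single_connect_negotiated(packets: list[bytes]) -> bool:
    """Decide single-connection mode from the first two packets of a TCP connection.

    Assumption (RFC 8907): the mode is in effect only if both the NAS request
    and the server's first reply carry the flag; later packets are ignored.
    """
    first_two = [parse_header(p) for p in packets[:2]]
    return len(first_two) == 2 and all(h.single_connect for h in first_two)

# Constructed samples: REQUEST uses the header values from the capture above;
# REPLY and LATER are made up for illustration (headers only, no packet body).
REQUEST = HEADER.pack(0xC1, 1, 1, 0x04, 1263368817, 35)
REPLY = HEADER.pack(0xC1, 1, 2, 0x04, 1263368817, 6)
LATER = HEADER.pack(0xC1, 1, 1, 0x00, 42, 35)

if __name__ == "__main__":
    print(parse_header(REQUEST))
    print("single-connect:", single_connect_negotiated([REQUEST, REPLY, LATER]))
```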
How long does ClearPass keep the connection active?
ClearPass keeps the connection active based on the "TACACS Connection Idle Timeout" configured in Administration » Server Manager » Server Configuration » Cluster-Wide Parameters » TACACS.
The default TACACS Connection Idle Timeout is 900 seconds (15 minutes); allowed values range from one minute to 2 days (60 to 172800 seconds).