AAA, NAC, Guest Access & BYOD

 View Only
last person joined: 19 hours ago 

Clearpass, CPPM, OnBoard, OnGuard, Guest, QuickConnect, AirGroup, IntroSpect

How ClearPass handles TACACS Single-Connection?

By esupport Unpublished


How ClearPass handles TACACS Single-Connection?


What is Single Connection?
The single-connection keyword specifies a single connection. Rather than have the router/switch open and close a TCP connection to the server each time it must communicate, the single-connection option maintains a single open connection between the router/switch and the server. 


How ClearPass handles Single Connection?
In ClearPass, TACACS single connection is decided based on the flag set by the NAS in its TACACS+ request towards CPPM. It is not configurable in CPPM. 

The single-connection flag:

If a NAS sets the single connection bit to 1, this indicates that it supports multiplexing TACACS+ sessions over a single tcp connection. The flag need only be examined on the first two packets for any given connection since the single-connect status of a connection, once established, should not be changed. The connection must instead be closed and a new connection opened, if required.


TACACS+ capture to show Single Connect flag enabled:

Below TACACS+ Capture shows Single Connect flag 0x04 enabled on TACACS+ Authentication request from NAS:


No.        Time                Source                Destination           Protocol              Info

   4     0.051613         TACACS+  Q: Authentication


    Major version: TACACS+

    Minor version: 1

    Type: Authentication (1)

    Sequence number: 1

    Flags: 0x04 (Encrypted payload, Single connection)

        .... ...0 = Unencrypted: Not set

        .... .1.. = Single Connection: Set

    Session ID: 1263368817

    Packet length: 35


How long ClearPass keep the connection active?

ClearPass keeps the connection active based on "TACACS Connection Idle Timeout" configured in Administration » Server Manager » Server Configuration » Cluster-Wide Parameters » TACACS)

Default TACACS Connection Idle Timeout is 900 seconds (15 minutes) and allowed values of one minute to 2 days (60 to 172800 seconds)