Mailing List Archive

aaa authorization and "authentication expired"
Hi.

I've set up command authorization using TACACS+ on some devices
(various IOS releases), and have since experienced a new type of
"error" message: "Authentication expired". I would like to find more
information about this timeout, and if it's configurable (either on the
device or in some AV pair).

Reading the TACACS+ config guide and skimming the list of AVPs gives
few clues. The only promising-looking AVP is "idletime=X".
Unfortunately setting X to 0 (zero) doesn't help at all. There aren't
any commands on the device, neither under "aaa ..." nor "line vty
...", that seem to affect this timer.

Has anyone seen this before? Any clues how to increase the timeout?

--
Pelle

"D’ä e å, vett ja”, skrek ja, för ja ble rasen,
”å i åa ä e ö, hörer han lite, d’ä e å, å i åa ä e ö"
- Gustav Fröding, 1895

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: aaa authorization and "authentication expired"
Hi.

> I've set up command authorization using TACACS+ on some devices
> (various IOS releases), and have since experienced a new type of
> "error" message: "Authentication expired". I would like to find more
> information about this timeout, and if it's configurable (either on the
> device or in some AV pair).

Found the cause of this (thanks Javier for a pointer). It turns out
it's the TACACS+ server timing out the session 10 minutes after login.
Fortunately it's a configurable timer.

--
Pelle

"D’ä e å, vett ja”, skrek ja, för ja ble rasen,
”å i åa ä e ö, hörer han lite, d’ä e å, å i åa ä e ö"
- Gustav Fröding, 1895
