RbaOnResponse logs excessive authorization calls to TACACS server.


Article ID: CTX219074


Description

When a user is authenticated through TACACS+ and then runs the command "show run", which is also authorized through the TACACS+ server, a huge "show run" command output is logged every time the user runs the command, and this consumes memory on the TACACS+ server.



Resolution

Solution:
Turn off RbaOnResponse on the NetScaler so that the individual commands inside the show run output are no longer sent to the TACACS+ server for authorization.

RbaOnResponse:
When this setting is enabled, the appliance's responses are authorized instead of only the command request, which causes the appliance to send an authorization request to the TACACS+ server for each line of configuration that is displayed on the appliance.

rbaOnResponse
- Enable or disable Role-Based Authentication (RBA) on responses.
- Possible values: ENABLED, DISABLED
- Default value: ENABLED

Steps from GUI:
+ Expand the System node of the Navigation pane on the appliance.
+ Select the Settings node.
+ Click the Change global system settings link in the Settings page.
+ Clear the RBA on response option, as shown in the following screenshot.
+ Click OK.

Steps from CLI:
> set system parameter -rbaOnResponse DISABLED

Screenshot: [image omitted]

Problem Cause

  • Cisco ACS was configured for TACACS+ authentication and authorization using the article https://support.citrix.com/article/CTX113820
  • In the NetScaler configuration the TACACS+ server IP is added, so both authentication and authorization are done through the TACACS+ server.
  • When any user executes the 'show run' command after being authenticated by the TACACS+ server, huge logs are generated on the TACACS+ server, one for each command that appears in the show run output.


Screenshot: [image omitted]



Cause:
While show run runs on the NetScaler, every command contained in its output is also sent to the TACACS+ server for authorization, so huge logs appear on the TACACS+ server and a large amount of memory is consumed while these commands are logged.

  • Slow output is observed if rbaOnResponse is enabled, because each entity of the command's output/response is sent to the external authentication server for authorization; if the entity is authorized it is displayed on the CLI, otherwise the appliance moves on to the next entity. The slowness comes from the latency of the external authentication server.
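To make the trade-off concrete, here is an added Python model (not Citrix's code) of the two modes: with rbaOnResponse ENABLED the appliance authorizes the command and then every line of its response, so a constructed six-line show run output costs seven TACACS+ round trips, while DISABLED costs one. The TACACS+ stub, its latency value, the denied prefix and the configuration lines are assumptions made for the example.

```python
# Added example (not Citrix code): a model of NetScaler's rbaOnResponse behaviour.
# The TACACS+ server is a stub; latency and 'show run' lines are constructed data.
from dataclasses import dataclass, field

# Constructed 'show run' output (documentation IPs, hypothetical object names).
SHOW_RUN_OUTPUT = [
    "set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0",
    "add ns ip 192.0.2.11 255.255.255.0 -type SNIP",
    "add system user readonly_user -externalAuth DISABLED",
    "add authentication tacacsAction tac1 -serverIP 192.0.2.20 -authorization ON",
    "add lb vserver web1 HTTP 192.0.2.30 80",
    "set system parameter -rbaOnResponse ENABLED",
]

@dataclass
class TacacsStub:
    """Stand-in for the external TACACS+ server."""
    denied_prefixes: tuple = ()
    latency_ms: int = 50                          # assumed per-request round trip
    requests: list = field(default_factory=list)  # every request the server must log

    def authorize(self, cmd: str) -> bool:
        self.requests.append(cmd)
        return not cmd.startswith(self.denied_prefixes)

def run_show_run(server: TacacsStub, rba_on_response: bool) -> list:
    """Return the lines the CLI would display for 'show run'."""
    # The command request itself is authorized in either mode.
    if not server.authorize("show run"):
        return []
    shown = []
    for line in SHOW_RUN_OUTPUT:
        # ENABLED: each entity of the response is authorized separately;
        # an unauthorized entity is skipped and the output moves on.
        if rba_on_response and not server.authorize(line):
            continue
        shown.append(line)
    return shown

def stats(rba_on_response: bool) -> dict:
    """Authorization requests, added latency and lines shown for one 'show run'."""
    server = TacacsStub(denied_prefixes=("add system user",))
    shown = run_show_run(server, rba_on_response)
    return {"requests": len(server.requests),
            "latency_ms": len(server.requests) * server.latency_ms,
            "lines_shown": len(shown)}

if __name__ == "__main__":
    for mode in (True, False):
        print("rbaOnResponse", "ENABLED" if mode else "DISABLED", stats(mode))
```

The request count under ENABLED grows with the size of the running configuration, which is exactly the log volume and latency the TACACS+ server sees.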

 

Issue/Introduction

NetScaler sends huge output logs to the TACACS+ server while the show run command is run from PuTTY; the logs contain the entire show command output.