Symptom
TACACS authentication may fails for non-interactive clients like some ssh and grpc.
Errror Seen :
%SECURITY-SSHD-4-INFO_FAILURE : Failed authentication attempt by user
Conditions
TACACS is dropping requests from grpc with "invalid input" error
Further Problem Description
Authentication is failing because it is taking 2 minutes to pass.
You can see this in the TACACS debugs:
Here you can see the authentication for ID# 16631 start at 15:20:42.309, and end at 15:22:42.334.
This normally takes around 20ms.
Jan 29 15:20:42.309 ems/events 0/RSP0/CPU0 t16631 EMS-EVT: GetOper:1537 client-req-id=0, YangJson '{"Cisco-IOS-XR-ip-rib-ipv4-oper:rib": [{"vrfs": [{"vrf": [{"afs": [{"af": [{"safs": [{"saf": [{"ip-rib-route-table-names": [{"ip-rib-route-table-name": [{"routes": [{"route": [{"address":"7.0.0.1", "prefix-
Jan 29 15:20:42.309 ems/info 0/RSP0/CPU0 t16631 EMS_INFO: reqEmdCmd:285 GetOper request count 2118
Jan 29 15:20:42.309 ems/info 0/RSP0/CPU0 t16631 EMS_INFO: CheckUserCredential:79 rateLimitCount is 2
Jan 29 15:20:42.309 ems/info 0/RSP0/CPU0 t16631 EMS-INFO:ems_do_authentication_check ems_do_authentication_check
Jan 29 15:20:42.314 ems/info 0/RSP0/CPU0 t16631 EMS-INFO:ems_do_authentication_check ems_do_authentication_check: aaa_methodlist default
...
Jan 29 15:22:42.334 ems/events 0/RSP0/CPU0 t16631 EMS-EVT: GetOper:1613 client-req-id=0, chanID=122, rspChan 0xc420452008, getOperResult 0
Jan 29 15:22:42.334 ems/info 0/RSP0/CPU0 t16631 EMS-INFO:ems_do_authentication_check ems_do_authentication_check: authentication passed
Jan 29 15:22:42.334 ems/info 0/RSP0/CPU0 t16631 EMS_INFO: GetOper:1556 user authentication passed, result: True
