Users cache is not being cleared

Article ID: 410072

Products

VMware Smart Assurance

Issue/Introduction

TACACS+ authentication is set up with a fixed username and password. Once the password is entered, an MFA prompt is sent to the user's device to confirm access. When launching NCM, because the username and password are the same for every user, many users are getting in without MFA approval.

MFA is not working for TACACS+ authentication when logging into the NCM portal.

Environment

Smarts NCM 10.1.x

Cause

The following was noticed in the logs:

<Date & Time> ERROR [com.powerup.configmgr.server.security.impl.axltacacs.TACACS_ASCII] (http-nio-8881-exec-4) Error during state transition
com.theorem.tacacs.ClientReceiveException: Read timed out
       at com.theorem.tacacs.TACACSClient.send(TACACSClient.java:550) ~[tacclient-1.12.jar:1.12]
       at com.theorem.tacacs.TACACSClient.authenticationContinue(TACACSClient.java:442) ~[tacclient-1.12.jar:1.12]
<Date & Time> DEBUG [com.powerup.configmgr.server.security.login.CompositeLoginModule$1] (http-nio-8881-exec-1) Getting user details from persistence for - e40001658-t1
<Date & Time> ERROR [com.powerup.configmgr.server.security.impl.axltacacs.TACACS_ASCII] (http-nio-8881-exec-1) Error during state transition
com.theorem.tacacs.ClientReceiveException: Incomplete packet header read - bytes read -1, expecting 12
       at com.theorem.tacacs.TACACSClient.send(TACACSClient.java:550) ~[tacclient-1.12.jar:1.12]
       at com.theorem.tacacs.TACACSClient.authenticationContinue(TACACSClient.java:442) ~[tacclient-1.12.jar:1.12]
       at com.powerup.configmgr.server.security.impl.TACACSAuthenticationStateHandler.supplyPassword(TACACSAuthenticationStateHandler.java:168) ~[services-10.1.11.0.jar:?]

This error indicates a network communication problem between the NCM Application Server and the primary TACACS+ server. The application tries to read the 12-byte header of the TACACS+ response packet from the server, but the read operation on the network socket returns -1. In Java I/O, a return value of -1 signifies that the end of the stream has been reached, meaning the remote server has closed the connection.

The network connection between the application and the TACACS+ server might be slow, congested, or unreliable, so the response from the server could be delayed or dropped entirely.

Resolution

The following is a workaround for the delay:

1. Open $VOYENCE_HOME/ncmcore/webapps/ncm-webapp/WEB-INF/classes/system-config.xml. The timeout is set here to 10 seconds; increase it to suit your server.

<configItem>
  <configType>config.security.tacacs-auth</configType>
  <name>tacacs.timeout</name>
  <editable>true</editable>
  <defaultValue>10</defaultValue>
  <!-- Second unit -->
</configItem>

2. Open $VOYENCE_HOME/ncmcore/webapps/ncm-webapp/WEB-INF/classes/tacacs-auth.conf. Change the timeout value here as well.

tacacs.timeout=10

3. Open $VOYENCE_HOME/cm/daemon/conf/security.conf. Change the tacacs.timeout parameter value here as well.

tacacs.timeout=10

Then restart vcmaster:

systemctl restart vcmaster
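The three files in the workaround carry the same setting, so they should be changed together and checked afterwards. The following script is an added example, not part of this article or the NCM product: it writes one tacacs.timeout value into all three files under the install root you pass in (the article's $VOYENCE_HOME) and then verifies they agree. File paths are the ones listed above; the optional usage call at the bottom is an assumption about how you would invoke it.

```shell
#!/bin/sh
# Added example (not from the KB): keep tacacs.timeout identical across the
# three NCM files the workaround lists. $1 is the install root (VOYENCE_HOME).

ncm_timeout_files() {   # $1 = install root
    printf '%s\n' \
        "$1/ncmcore/webapps/ncm-webapp/WEB-INF/classes/system-config.xml" \
        "$1/ncmcore/webapps/ncm-webapp/WEB-INF/classes/tacacs-auth.conf" \
        "$1/cm/daemon/conf/security.conf"
}

# Print the tacacs.timeout stored in one file (XML configItem or key=value form).
read_tacacs_timeout() {   # $1 = file
    case "$1" in
        *.xml) sed -n '/<name>tacacs\.timeout<\/name>/,/<\/configItem>/ s#.*<defaultValue>\([0-9][0-9]*\)</defaultValue>.*#\1#p' "$1" ;;
        *)     sed -n 's/^tacacs\.timeout=\([0-9][0-9]*\).*/\1/p' "$1" ;;
    esac
}

# Rewrite tacacs.timeout in every file; only a positive whole number of seconds is accepted.
set_tacacs_timeout() {   # $1 = install root, $2 = seconds
    case "$2" in ''|*[!0-9]*|0) echo "timeout must be a positive integer (seconds)" >&2; return 1 ;; esac
    ncm_timeout_files "$1" | while IFS= read -r f; do
        [ -f "$f" ] || { echo "missing: $f" >&2; exit 1; }
        case "$f" in
            *.xml) expr="/<name>tacacs\.timeout<\/name>/,/<\/configItem>/ s#<defaultValue>[0-9]*</defaultValue>#<defaultValue>$2</defaultValue>#" ;;
            *)     expr="s/^tacacs\.timeout=.*/tacacs.timeout=$2/" ;;
        esac
        # Write to a temp file and move it into place (POSIX sed has no -i).
        sed "$expr" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Succeed and print the value only when every file carries the same tacacs.timeout.
check_tacacs_timeout() {   # $1 = install root
    vals=$(ncm_timeout_files "$1" | while IFS= read -r f; do read_tacacs_timeout "$f"; done | sort -u)
    count=$(printf '%s\n' "$vals" | wc -l | tr -d ' ')
    [ -n "$vals" ] && [ "$count" -eq 1 ] || {
        echo "tacacs.timeout differs or is missing across files: $(printf '%s ' $vals)" >&2; return 1; }
    printf '%s\n' "$vals"
}

# Assumed usage: ./set-tacacs-timeout.sh /path/to/VOYENCE_HOME 30  (restart vcmaster afterwards)
if [ "$#" -eq 2 ]; then
    set_tacacs_timeout "$1" "$2" && check_tacacs_timeout "$1"
fi
```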