Cisco NX-OS: Round-trip delays for GNMI calls due to authentication/authorization/accounting (AAA) #164
Description
Problem Statement
If TACACS or other AAA configurations are used to authenticate human operators, a network-operator login triggers an authentication request to the TACACS/AAA server. The auth response is cached for 5 minutes as per verbal communication (unknown how authorization and accounting are handled for GNMI calls). If AAA servers are located in another geographical location, this entails heavy round-trip delays on each operation and adds a runtime dependency to the AAA servers.
Proposed Solution
We suggest implementing a bypass feature for specific local users to avoid triggering TACACS authentication requests for GNMI calls. This would reduce unnecessary latency, improve performance, and eliminate the dependency on remote AAA servers when processing GNMI operations.
Vendor Acknowledgement
Cisco has acknowledged this issue under ID CSCwm61018 and plans to implement a "AAA bypass for specific local users" feature in release 10.6.3 (April 2026) or, worst case, in 10.7.1 (August 2026).
Workarounds
Disable AAA, or use a TACACS user and accept degraded availability and performance, as GNMI calls will be subject to authentication requests on each operation.