Support User Manuals

Cisco Systems OL-29225-01 Film Camera User Manual

Open as PDF

of 514

13-25

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-30644-01

Chapter 13 Configuring RADIUS and TACACS+ Servers

Configuring and Enabling TACACS+

This section contains this configuration information:

• Default TACACS+ Configuration, page 13-25

• Identifying the TACACS+ Server Host and Setting the Authentication Key, page 13-25

• Configuring TACACS+ Login Authentication, page 13-26

• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services,

page 13-27

• Starting TACACS+ Accounting, page 13-28

Default TACACS+ Configuration

TACACS+ and AAA are disabled by default.

To prevent a lapse in security, you cannot configure TACACS+ through a network management

application. When enabled, TACACS+ can authenticate administrators accessing the access point

through the CLI and the web interface.

Identifying the TACACS+ Server Host and Setting the Authentication Key

You can configure the access point to use a single server or AAA server groups to group existing server

hosts for authentication. You can group servers to select a subset of the configured server hosts and use

them for a particular service. The server group is used with a global server-host list and contains the list

of IP addresses of the selected server hosts.

Beginning in privileged EXEC mode, follow these steps to identify the IP host or host maintaining

TACACS+ server and optionally set the encryption key:

Command Purpose

Step 1

configure terminal Enter global configuration mode.

Step 2

tacacs-server host hostname [port

integer] [timeout integer] [key string]

Identify the IP host or hosts maintaining a TACACS+ server. Enter this

command multiple times to create a list of preferred hosts. The software

searches for hosts in the order in which you specify them.

• For hostname, specify the name or IP address of the host.

• (Optional) For port integer, specify a server port number. The default

is port 49. The range is 1 to 65535.

• (Optional) For timeout integer, specify a time in seconds the access

point waits for a response from the daemon before it times out and

declares an error. The default is 5 seconds. The range is 1 to 1000

seconds.

• (Optional) For key string, specify the encryption key for encrypting

and decrypting all traffic between the access point and the TACACS+

daemon. You must configure the same key on the TACACS+ daemon

for encryption to be successful.

Step 3

aaa new-model Enable AAA.

Step 4

aaa group server tacacs+ group-name (Optional) Define the AAA server-group with a group name.

This command puts the access point in a server group subconfiguration

mode.

previous next