hit counter script

Tacacs+ Operation; Configuring Tacacs - Cisco CISCO1401 - 1401 Router - EN Software Manual

Wireless bridge
Table of Contents

Advertisement

Chapter 11
Configuring RADIUS and TACACS+ Servers

TACACS+ Operation

When an administrator attempts a simple ASCII login by authenticating to a bridge using TACACS+,
this process occurs:
1.
2.
3.

Configuring TACACS+

This section describes how to configure your bridge to support TACACS+. At a minimum, you must
identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+
authentication. You can optionally define method lists for TACACS+ authorization and accounting. A
method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts
on an administrator. You can use method lists to designate one or more security protocols to be used,
thus ensuring a backup system if the initial method fails. The software uses the first method listed to
authenticate, to authorize, or to keep accounts on administrators; if that method does not respond, the
software selects the next method in the list. This process continues until there is successful
communication with a listed method or the method list is exhausted.
OL-4059-01
When the connection is established, the bridge contacts the TACACS+ daemon to obtain a username
prompt, which is then displayed to the administrator. The administrator enters a username, and the
bridge then contacts the TACACS+ daemon to obtain a password prompt. The bridge displays the
password prompt to the administrator, the administrator enters a password, and the password is then
sent to the TACACS+ daemon.
TACACS+ allows a conversation to be held between the daemon and the administrator until the
daemon receives enough information to authenticate the administrator. The daemon prompts for a
username and password combination, but can include other items, such as the user's mother's
maiden name.
The bridge eventually receives one of these responses from the TACACS+ daemon:
ACCEPT—The administrator is authenticated and service can begin. If the bridge is configured
to require authorization, authorization begins at this time.
REJECT—The administrator is not authenticated. The administrator can be denied access or is
prompted to retry the login sequence, depending on the TACACS+ daemon.
ERROR—An error occurred at some time during authentication with the daemon or in the
network connection between the daemon and the bridge. If an ERROR response is received, the
bridge typically tries to use an alternative method for authenticating the administrator.
CONTINUE—The administrator is prompted for additional authentication information.
After authentication, the administrator undergoes an additional authorization phase if authorization
has been enabled on the bridge. Administrators must first successfully complete TACACS+
authentication before proceeding to TACACS+ authorization.
If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an
ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response
contains data in the form of attributes that direct the EXEC or NETWORK session for that
administrator, determining the services that the administrator can access:
Telnet, rlogin, or privileged EXEC services
Connection parameters, including the host or client IP address, access list, and administrator
timeouts
Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide
Configuring and Enabling TACACS+
11-17

Advertisement

Table of Contents
loading

This manual is also suitable for:

Cisco1417 - 1417 router - enAironet 1400 series

Table of Contents