User's Manual
3-45
Cisco 3200 Series Wireless MIC Software Configuration Guide
OL-7734-02
Chapter 3 Administering the WMIC
Controlling WMIC Access with TACACS+
Understanding TACACS+
TACACS+ is a security application that provides centralized validation of users attempting to gain access
to your bridge. Unlike RADIUS, TACACS+ does not authenticate non-root bridges associated to the root
bridge.
TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX
or Windows NT workstation. You should have access to and should configure a TACACS+ server before
configuring TACACS+ features on your WMIC.
TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.
TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each
service—authentication, authorization, and accounting—independently. Each service can be tied into its
own database to take advantage of other services available on that server or on the network, depending
on the capabilities of the daemon.
TACACS+, administered through the AAA security services, can provide these services:
• Authentication—Provides complete control of authentication of administrators through login and
password dialog, challenge and response, and messaging support.
The authentication facility can conduct a dialog with the administrator (for example, after a
username and password are provided, to challenge a user with several questions, such as home
address, mother’s maiden name, service type, and social security number). The TACACS+
authentication service can also send messages to administrator screens. For example, a message
could notify administrators that their passwords must be changed because of the company’s
password aging policy.
• Authorization—Provides fine-grained control over administrator capabilities for the duration of the
administrator’s session, including but not limited to setting autocommands, access control, session
duration, or protocol support. You can also enforce restrictions on the commands that an
administrator can execute with the TACACS+ authorization feature.
• Accounting—Collects and sends information used for billing, auditing, and reporting to the
TACACS+ daemon. Network managers can use the accounting facility to track administrator activity
for a security audit or to provide information for user billing. Accounting records include
administrator identities, start and stop times, executed commands (such as PPP), number of packets,
and number of bytes.
The TACACS+ protocol provides authentication between the WMIC and the TACACS+ daemon, and it
protects the confidentiality of the exchange: the body of every packet sent between the WMIC and the
TACACS+ daemon is encrypted with a shared key that must be configured identically on both sides. Only
the packet body is protected; the packet header travels in the clear, and the body encryption is an
MD5-derived keystream rather than a modern cipher, so use a long, random shared key and keep the
WMIC-to-daemon traffic on a trusted management network.
You need a system running the TACACS+ daemon software to use TACACS+ on your WMIC.
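The packet-body encryption described above and the username/password dialog described under TACACS+ Operation, as an added example that is not from the Cisco guide or from Cisco software: a Python simulation of the TACACS+ ASCII login exchange using RFC 8907 packet framing. Both the WMIC role and the daemon role live in one file and exchange packets by direct function call instead of over TCP port 49. The shared key, the user table, the session identifiers and the port name `tty0` are constructed for the example.

```python
# Added example, not Cisco code: TACACS+ ASCII login dialog with RFC 8907 framing.
# The daemon, the shared key and the user table are constructed for illustration.
import hashlib
import hmac
import struct

VERSION = 0xC0                                  # major 0xC, minor 0
TYPE_AUTHEN = 0x01
ACTION_LOGIN, TYPE_ASCII, SVC_LOGIN = 0x01, 0x01, 0x01
STATUS_PASS, STATUS_FAIL, STATUS_GETUSER, STATUS_GETPASS = 0x01, 0x02, 0x04, 0x05
REPLY_FLAG_NOECHO = 0x01


def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 4.5 keystream: chained MD5 over session_id, key, version, seq_no
    and the previous digest. This is all that 'encrypted' means for TACACS+."""
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([VERSION, seq_no]) + prev).digest()
        out += prev
    return out[:length]


def xor_body(session_id, key, seq_no, body):
    """Obfuscate or de-obfuscate a body (XOR is its own inverse). Only the body
    is covered; the 12-byte header always travels in clear."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(session_id, key, seq_no, body):
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + xor_body(session_id, key, seq_no, body)


def parse_packet(packet, key):
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if version != VERSION or ptype != TYPE_AUTHEN or len(packet) != 12 + length:
        raise ValueError("malformed TACACS+ authentication packet")
    return seq_no, session_id, xor_body(session_id, key, seq_no, packet[12:])


def start_body(user=b"", port=b"tty0", rem_addr=b"", data=b""):
    """START body: action, priv_lvl, authen_type, service, four lengths, then fields."""
    return (struct.pack("!8B", ACTION_LOGIN, 1, TYPE_ASCII, SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)


def reply_body(status, server_msg=b"", flags=0):
    return struct.pack("!BBHH", status, flags, len(server_msg), 0) + server_msg


def parse_reply(body):
    status, _flags, msg_len, _ = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]


def continue_body(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def parse_continue(body):
    msg_len, _, _ = struct.unpack("!HHB", body[:5])
    return body[5:5 + msg_len]


class Daemon:
    """Minimal daemon: sends a username prompt, then a password prompt, then a verdict."""

    def __init__(self, key, users):
        self.key, self.users, self.sessions = key, users, {}

    def handle(self, packet):
        seq_no, sid, body = parse_packet(packet, self.key)
        if seq_no == 1:                               # START; user field may be empty
            user = body[8:8 + body[4]]
            self.sessions[sid] = user
            reply = (reply_body(STATUS_GETPASS, b"Password: ", REPLY_FLAG_NOECHO) if user
                     else reply_body(STATUS_GETUSER, b"Username: "))
        else:                                         # CONTINUE carrying username or password
            msg = parse_continue(body)
            if not self.sessions[sid]:
                self.sessions[sid] = msg
                reply = reply_body(STATUS_GETPASS, b"Password: ", REPLY_FLAG_NOECHO)
            else:
                user = self.sessions.pop(sid)
                ok = user in self.users and hmac.compare_digest(self.users[user], msg)
                reply = reply_body(STATUS_PASS if ok else STATUS_FAIL)
        return build_packet(sid, self.key, seq_no + 1, reply)


def ascii_login(daemon, key, session_id, username, password):
    """WMIC side: send START, answer each prompt, return the verdict and the
    prompts that the daemon told the WMIC to display to the administrator."""
    answers = {STATUS_GETUSER: username, STATUS_GETPASS: password}
    prompts = []
    pkt = build_packet(session_id, key, 1, start_body())
    while True:
        seq_no, _sid, body = parse_packet(daemon.handle(pkt), key)
        status, server_msg = parse_reply(body)
        if status in (STATUS_PASS, STATUS_FAIL):
            return status, prompts
        if status not in answers:
            raise RuntimeError(f"unsupported REPLY status {status:#x}")
        prompts.append(server_msg.decode())
        pkt = build_packet(session_id, key, seq_no + 1, continue_body(answers[status]))
```

`ascii_login(Daemon(b"s3cret", {b"admin": b"hunter2"}), b"s3cret", 0x1234ABCD, b"admin", b"hunter2")` walks the six-packet dialog (START, GETUSER, CONTINUE, GETPASS, CONTINUE, PASS). Decoding a captured body with a different key yields garbage rather than an error, which is why a key mismatch between the WMIC and the daemon shows up as failed logins rather than a clear diagnostic.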
TACACS+ Operation
When an administrator attempts a simple ASCII login by authenticating to a WMIC using TACACS+,
this process occurs:
1. When the connection is established, the WMIC contacts the TACACS+ daemon to obtain a username
prompt, which is then displayed to the administrator. The administrator enters a username, and the
WMIC then contacts the TACACS+ daemon to obtain a password prompt. The WMIC displays the
password prompt to the administrator, the administrator enters a password, and the password is then
sent to the TACACS+ daemon.