User's Manual
3-46
Cisco 3200 Series Wireless MIC Software Configuration Guide
OL-7734-02
Chapter 3 Administering the WMIC
Controlling WMIC Access with TACACS+
TACACS+ allows a conversation to be held between the daemon and the administrator until the
daemon receives enough information to authenticate the administrator. The daemon prompts for a
username and password combination, but can include other items, such as the user’s mother’s
maiden name.
2. The WMIC eventually receives one of these responses from the TACACS+ daemon:
– ACCEPT—The administrator is authenticated and service can begin. If the WMIC is configured
to require authorization, authorization begins at this time.
– REJECT—The administrator is not authenticated. The administrator can be denied access or is
prompted to retry the login sequence, depending on the TACACS+ daemon.
– ERROR—An error occurred at some time during authentication with the daemon or in the
network connection between the daemon and the WMIC. If an ERROR response is received, the
WMIC typically tries to use an alternative method for authenticating the administrator.
– CONTINUE—The administrator is prompted for additional authentication information.
After authentication, the administrator undergoes an additional authorization phase if authorization
has been enabled on the WMIC. Administrators must first successfully complete TACACS+
authentication before proceeding to TACACS+ authorization.
3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an
ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response
contains data in the form of attributes that direct the EXEC or NETWORK session for that
administrator, determining the services that the administrator can access:
– Telnet, rlogin, or privileged EXEC services
– Connection parameters, including the host or client IP address, access list, and administrator
timeouts
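The following is an added illustration of the exchange described in steps 2 and 3, not code from the Cisco guide. It models how the WMIC would treat each daemon reply: CONTINUE re-prompts the administrator, REJECT ends the attempt, ERROR (daemon unreachable) falls through to the next method in the method list, and authorization is attempted only after an authentication ACCEPT. The daemon records, the user names and passwords, the local fallback user, the "maiden-name" prompt, and the use of the TACACS+ attributes priv-lvl and idletime are assumptions constructed for the example.

```python
# Added example: a model of AAA method-list evaluation against TACACS+ replies.
# All databases, users, passwords and prompts below are constructed for the example.
from dataclasses import dataclass, field
from enum import Enum


class Reply(Enum):
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    ERROR = "ERROR"          # daemon unreachable or protocol error
    CONTINUE = "CONTINUE"    # daemon wants one more item from the administrator


@dataclass
class Response:
    status: Reply
    prompt: str = ""                                 # set on CONTINUE
    attributes: dict = field(default_factory=dict)   # set on authorization ACCEPT


# Constructed daemon records (assumption: not a real TACACS+ server).
TACACS_DB = {
    "alice": {"password": "s3cret", "maiden-name": "smith",
              "priv-lvl": "15", "idletime": "10"},
}
LOCAL_DB = {"admin": "localpw"}   # constructed local user database


def tacacs_authn(reachable=True):
    """Simulated daemon-side authentication: password check, then one extra
    CONTINUE prompt for the mother's maiden name, as the text allows."""
    def method(username, collected):
        if not reachable:
            return Response(Reply.ERROR)
        rec = TACACS_DB.get(username)
        if rec is None or collected.get("password") != rec["password"]:
            return Response(Reply.REJECT)
        if "maiden-name" not in collected:
            return Response(Reply.CONTINUE, prompt="maiden-name")
        if collected["maiden-name"] != rec["maiden-name"]:
            return Response(Reply.REJECT)
        return Response(Reply.ACCEPT)
    return method


def local_authn(username, collected):
    """Local user database, the usual last-resort method."""
    if username in LOCAL_DB and LOCAL_DB[username] == collected.get("password"):
        return Response(Reply.ACCEPT)
    return Response(Reply.REJECT)


def tacacs_authz(reachable=True):
    """Simulated EXEC authorization: session attributes come back on ACCEPT."""
    def method(username):
        if not reachable:
            return Response(Reply.ERROR)
        rec = TACACS_DB.get(username)
        if rec is None:
            return Response(Reply.REJECT)
        return Response(Reply.ACCEPT, attributes={
            "priv-lvl": rec["priv-lvl"], "idletime": rec["idletime"]})
    return method


def if_authenticated(username):
    """Mirror of the IOS 'if-authenticated' authorization method: succeed with
    no attributes because authentication has already passed."""
    return Response(Reply.ACCEPT)


def authenticate(username, answers, method_list):
    """Walk the method list. Only ERROR moves on to the next method; a REJECT
    is final, otherwise a user the daemon refused could retry against a
    weaker fallback such as the local database."""
    collected = {"password": answers.get("password")}
    for name, method in method_list:
        resp = method(username, collected)
        while resp.status is Reply.CONTINUE:
            if resp.prompt in collected or resp.prompt not in answers:
                return ("denied", name)   # cannot satisfy the extra prompt
            collected[resp.prompt] = answers[resp.prompt]
            resp = method(username, collected)
        if resp.status is Reply.ACCEPT:
            return ("accepted", name)
        if resp.status is Reply.REJECT:
            return ("denied", name)
        # Reply.ERROR: fall through to the next listed method
    return ("denied", None)


def authorize(username, method_list):
    """Same ERROR-only fall-through rule for the authorization method list."""
    for name, method in method_list:
        resp = method(username)
        if resp.status is Reply.ACCEPT:
            return ("accepted", name, resp.attributes)
        if resp.status is Reply.REJECT:
            return ("denied", name, {})
    return ("denied", None, {})


def login(username, answers, authn_list, authz_list=None):
    """Full flow: authentication first; authorization only after an ACCEPT."""
    status, method = authenticate(username, answers, authn_list)
    if status != "accepted":
        return {"result": "denied", "method": method}
    session = {"result": "accepted", "method": method, "priv_lvl": 1, "idle_min": None}
    if authz_list:
        status, _, attrs = authorize(username, authz_list)
        if status != "accepted":
            return {"result": "authz-denied", "method": method}
        session["priv_lvl"] = int(attrs.get("priv-lvl", 1))
        if "idletime" in attrs:
            session["idle_min"] = int(attrs["idletime"])
    return session
```

The point worth checking in any real deployment is the one the model encodes in `authenticate`: a user the daemon rejects is never retried against the local database, while a daemon that cannot be reached (ERROR) does fall through, so the strength of the last method in the list is what protects the WMIC when the TACACS+ server is down.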
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default.
To prevent a lapse in security, you cannot configure TACACS+ through a network management
application. When enabled, TACACS+ can authenticate administrators accessing the WMIC through the
CLI.
Configuring TACACS+ Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that
list to various interfaces. The method list defines the types of authentication to be performed and the
sequence in which they are performed; it must be applied to a specific interface before any of the defined
authentication methods are performed. The only exception is the default method list (which, by
coincidence, is named default).
The default method list is automatically applied to all interfaces except those that have a named method
list explicitly defined. A defined method list overrides the default method list.
A method list describes the sequence and authentication methods to be queried to authenticate a user.
You can designate one or more security protocols to be used for authentication, thus ensuring a backup
system for authentication in case the initial method fails. The software uses the first method listed to
authenticate users; if that method returns an ERROR (for example, the TACACS+ daemon cannot be
reached), the software selects the next authentication method in the method list. A REJECT from a
method is final and does not cause the next method to be tried. This process continues until there is
successful communication with a listed authentication method