5-18
Cisco Wireless LAN Controller Configuration Guide
OL-17037-01
Chapter 5 Configuring Security Solutions
Configuring TACACS+
Configuring TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is a client/server protocol that
provides centralized security for users attempting to gain management access to a controller. It serves as
a backend database similar to local and RADIUS. However, local and RADIUS provide only
authentication support and limited authorization support while TACACS+ provides three services:
• Authentication—The process of verifying users when they attempt to log into the controller.
Users must enter a valid username and password in order for the controller to authenticate users to
the TACACS+ server. The authentication and authorization services are tied to one another. For
example, if authentication is performed using the local or RADIUS database, then authorization
would use the permissions associated with the user in the local or RADIUS database (which are
read-only, read-write, and lobby-admin) and not use TACACS+. Similarly, when authentication is
performed using TACACS+, authorization is tied to TACACS+.
Note When multiple databases are configured, you can use the controller GUI or CLI to specify
the sequence in which the backend databases should be tried.
• Authorization—The process of determining the actions that users are allowed to take on the
controller based on their level of access.
For TACACS+, authorization is based on privilege (or role) rather than specific actions. The
available roles correspond to the seven menu options on the controller GUI: MONITOR, WLAN,
CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, and COMMANDS. An additional
role, LOBBY, is available for users who require only lobby ambassador privileges. The roles to
which users are assigned are configured on the TACACS+ server. Users can be authorized for one
or more roles. The minimum authorization is MONITOR only, and the maximum is ALL, which
authorizes the user to execute the functionality associated with all seven menu options. For example,
a user who is assigned the role of SECURITY can make changes to any items appearing on the
64 Tunnel-Type
65 Tunnel-Medium-Type
81 Tunnel-Group-ID
Table 5-7 Accounting-Status-Type Attribute Values
Attribute ID Description
1Start
2Stop
3 Interim-Update
7 Accounting-On
8 Accounting-Off
9-14 Reserved for Tunneling Accounting
15 Reserved for Failed
Table 5-6 Accounting Attributes for Accounting Requests (continued)
Attribute ID Description
To Next Page
Loading...
Need help?
General
