311
Cisco 3900 Series, Cisco 2900 Series, and Cisco 1900 Series Integrated Services Routers Generation 2 Software Configuration Guide
Chapter Administering the Wireless Device
Controlling Access Point Access with TACACS+
Note For complete syntax and usage information for the commands used in this section, see Cisco IOS
Security Command Reference.
These sections describe TACACS+ configuration:
• Default TACACS+ Configuration, page 311
• Configuring TACACS+ Login Authentication, page 311
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 313
• Displaying the TACACS+ Configuration, page 314
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default.
To prevent a lapse in security, you cannot configure TACACS+ through a network management
application.When enabled, TACACS+ can authenticate administrators who are accessing the wireless
device through the CLI.
Configuring TACACS+ Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply the
list to various interfaces. The method list defines the types of authentication to be performed and the
sequence in which they are performed; it must be applied to a specific interface before any defined
authentication methods are performed. The only exception is the default method list (which is named
default). The default method list is automatically applied to all interfaces except those that have a named
method list explicitly defined.
A method list describes the sequence and authentication methods to be used to authenticate a user. You
can designate one or more security protocols for authentication, thus ensuring a backup system for
authentication in case the initial method fails. The software uses the first method listed to authenticate
users. If that method fails to respond, the software selects the next authentication method in the method
list. This process continues until there is successful communication with a listed authentication method
or until all defined methods are exhausted. If authentication fails at any point in this cycle—that is, the
security server or local username database responds by denying the user access—the authentication
process stops, and no other authentication methods are attempted.
To configure login authentication, follow these steps, beginning in privileged EXEC mode. This
procedure is required.
SUMMARY STEPS
1. configure terminal
2. aaa new-model
3. aaa authentication login {default | list-name} method1 [method2...]
4. line [console | tty | vty] line-number [ending-line-number]
5. login authentication {default | list-name}
6. end
To Next Page
Loading...
