Configuring And Enabling Tacacs; Understanding Tacacs - Cisco CISCO1401 - 1401 Router - EN Software Manual

Chapter 11: Configuring RADIUS and TACACS+ Servers
Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide, OL-4059-01, page 11-16

Configuring and Enabling TACACS+

This section contains this configuration information:

• Understanding TACACS+, page 11-16
• TACACS+ Operation, page 11-17
• Configuring TACACS+, page 11-17
• Displaying the TACACS+ Configuration, page 11-22

Understanding TACACS+

TACACS+ is a security application that provides centralized validation of users attempting to gain access
to your bridge. Unlike RADIUS, TACACS+ does not authenticate non-root bridges associated to the root
bridge.

TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX
or Windows NT workstation. You should have access to and should configure a TACACS+ server before
configuring TACACS+ features on your bridge.

TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.
TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each
service—authentication, authorization, and accounting—independently. Each service can be tied into its
own database to take advantage of other services available on that server or on the network, depending
on the capabilities of the daemon.

TACACS+, administered through the AAA security services, can provide these services:

• Authentication—Provides complete control of authentication of administrators through login and
  password dialog, challenge and response, and messaging support.
  The authentication facility can conduct a dialog with the administrator (for example, after a
  username and password are provided, to challenge a user with several questions, such as home
  address, mother's maiden name, service type, and social security number). The TACACS+
  authentication service can also send messages to administrator screens. For example, a message
  could notify administrators that their passwords must be changed because of the company's
  password aging policy.
• Authorization—Provides fine-grained control over administrator capabilities for the duration of the
  administrator's session, including but not limited to setting autocommands, access control, session
  duration, or protocol support. You can also enforce restrictions on the commands that an
  administrator can execute with the TACACS+ authorization feature.
• Accounting—Collects and sends information used for billing, auditing, and reporting to the
  TACACS+ daemon. Network managers can use the accounting facility to track administrator activity
  for a security audit or to provide information for user billing. Accounting records include
  administrator identities, start and stop times, executed commands (such as PPP), number of packets,
  and number of bytes.

The TACACS+ protocol provides authentication between the bridge and the TACACS+ daemon, and it
ensures confidentiality because all protocol exchanges between the bridge and the TACACS+ daemon
are encrypted.

You need a system running the TACACS+ daemon software to use TACACS+ on your bridge.
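The statement that exchanges between the bridge and the TACACS+ daemon are encrypted refers to the body obfuscation that RFC 8907 documents for the protocol: the 12-byte header travels in the clear, and the body is XORed with a pad built by chaining MD5 over the session ID, shared key, version, and sequence number. The following is an added example, not code from the Cisco guide; the function names are hypothetical and the key, session ID, and body are constructed sample values.

```python
import hashlib
import struct

HEADER_LEN = 12                    # version, type, seq_no, flags, session_id, length
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # set when the body is sent without obfuscation


def pseudo_pad(header: bytes, key: bytes, length: int) -> bytes:
    """Build the RFC 8907 pad: MD5 chained over session_id, key, version, seq_no."""
    version, _type, seq_no, _flags, session_id, _len = struct.unpack("!BBBBII", header)
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()  # each hash also covers the previous one
        pad += block
    return pad[:length]


def transform_body(packet: bytes, key: bytes) -> bytes:
    """XOR the body with the pad; one call both obfuscates and recovers it."""
    header, body = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(header) != HEADER_LEN:
        raise ValueError("truncated TACACS+ header")
    flags, length = header[3], struct.unpack("!I", header[8:12])[0]
    if length != len(body):
        raise ValueError("header length field does not match body size")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body  # body was sent in the clear, nothing to undo
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(header, key, length)))


def build_packet(session_id: int, seq_no: int, body: bytes, key: bytes) -> bytes:
    """Assemble an authentication packet (type 0x01, version 0xC0) with an obfuscated body."""
    header = struct.pack("!BBBBII", 0xC0, 0x01, seq_no, 0, session_id, len(body))
    return header + transform_body(header + body, key)


if __name__ == "__main__":
    key = b"constructed-shared-secret"   # constructed sample key
    body = b"constructed sample body longer than 16 bytes"
    pkt = build_packet(0x1234ABCD, 1, body, key)
    print("header (clear):", pkt[:HEADER_LEN].hex())
    print("body on wire:  ", pkt[HEADER_LEN:].hex())
    print("recovered:     ", transform_body(pkt, key))
```

The pad depends only on the shared key and cleartext header fields, so the confidentiality of a session is exactly as strong as the key configured on the bridge and the daemon; RFC 8907 itself describes the mechanism as obfuscation.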
