Cisco CISCO1401 Software Guide - Page 146
Configuring and Enabling TACACS+, Understanding TACACS+
Chapter 11 Configuring RADIUS and TACACS+ Servers

Configuring and Enabling TACACS+

This section contains this configuration information:
• Understanding TACACS+, page 11-16
• TACACS+ Operation, page 11-17
• Configuring TACACS+, page 11-17
• Displaying the TACACS+ Configuration, page 11-22

Understanding TACACS+

TACACS+ is a security application that provides centralized validation of users attempting to gain access to your bridge. Unlike RADIUS, TACACS+ does not authenticate non-root bridges associated to the root bridge. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation. You should have access to and should configure a TACACS+ server before configuring TACACS+ features on your bridge.

TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service (authentication, authorization, and accounting) independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

TACACS+, administered through the AAA security services, can provide these services:
• Authentication: Provides complete control of authentication of administrators through login and password dialog, challenge and response, and messaging support. The authentication facility can conduct a dialog with the administrator (for example, after a username and password are provided, to challenge a user with several questions, such as home address, mother's maiden name, service type, and social security number). The TACACS+ authentication service can also send messages to administrator screens. For example, a message could notify administrators that their passwords must be changed because of the company's password aging policy.
• Authorization: Provides fine-grained control over administrator capabilities for the duration of the administrator's session, including but not limited to setting autocommands, access control, session duration, or protocol support. You can also enforce restrictions on the commands that an administrator can execute with the TACACS+ authorization feature.
• Accounting: Collects and sends information used for billing, auditing, and reporting to the TACACS+ daemon. Network managers can use the accounting facility to track administrator activity for a security audit or to provide information for user billing. Accounting records include administrator identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

The TACACS+ protocol provides authentication between the bridge and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between the bridge and the TACACS+ daemon are encrypted.

You need a system running the TACACS+ daemon software to use TACACS+ on your bridge.

11-16 Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide OL-4059-01
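The "encrypted" exchanges the guide refers to are produced by XOR-ing each packet body with a keyed MD5 pseudo-pad derived from the session ID, the shared key, the version byte and the sequence number, as specified in RFC 8907 (the TACACS+ protocol specification). The Python below is an added example, not code from this Cisco guide or from Cisco software; the session ID, shared key and packet body are constructed values, and the header layout follows RFC 8907.

```python
import hashlib

TAC_PLUS_MAJOR_VER = 0xC           # version byte = major << 4 | minor
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in the clear
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pseudo-pad from RFC 8907 section 4.5: chained MD5 digests over
    session_id || key || version || seq_no (|| previous digest), concatenated
    until the stream covers the body length."""
    seed = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; calling it again with the same key reverses it."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes = b"") -> bytes:
    """12-byte header (never obfuscated) followed by the body. With no shared
    key configured, the body goes out in the clear and the flag says so."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0
    if key:
        flags, payload = 0, obfuscate_body(body, session_id, key, version, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = (bytes([version, ptype, seq_no, flags])
              + session_id.to_bytes(4, "big") + len(body).to_bytes(4, "big"))
    return header + payload


def parse_packet(pkt: bytes, key: bytes = b"") -> bytes:
    """Recover the body from a packet; the header fields drive the pad."""
    version, _ptype, seq_no, flags = pkt[0], pkt[1], pkt[2], pkt[3]
    session_id = int.from_bytes(pkt[4:8], "big")
    length = int.from_bytes(pkt[8:12], "big")
    body = pkt[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate_body(body, session_id, key, version, seq_no)


# Constructed sample values (not real credentials or a real session).
SESSION_ID = 0x01020304
SHARED_KEY = b"constructed-shared-secret"
BODY = b"constructed authentication START body"
PACKET = build_packet(TAC_PLUS_AUTHEN, 1, SESSION_ID, BODY, SHARED_KEY)
```

RFC 8907 itself calls this "obfuscation" rather than encryption and it carries no integrity check, which is why the shared key must stay secret and the daemon is expected to sit on a protected management network.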