Home » Cisco Manuals » Bridges & Routers » Cisco CISCO1401 » Manual Viewer

Cisco CISCO1401 Software Guide - Page 147

TACACS+ Operation, Configuring TACACS

UPC - 746320202785

Add to My Manuals
Save this manual to your list of manuals

Page 147 highlights

Chapter 11 Configuring RADIUS and TACACS+ Servers Configuring and Enabling TACACS+ TACACS+ Operation When an administrator attempts a simple ASCII login by authenticating to a bridge using TACACS+, this process occurs: 1. When the connection is established, the bridge contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the administrator. The administrator enters a username, and the bridge then contacts the TACACS+ daemon to obtain a password prompt. The bridge displays the password prompt to the administrator, the administrator enters a password, and the password is then sent to the TACACS+ daemon. TACACS+ allows a conversation to be held between the daemon and the administrator until the daemon receives enough information to authenticate the administrator. The daemon prompts for a username and password combination, but can include other items, such as the user's mother's maiden name. 2. The bridge eventually receives one of these responses from the TACACS+ daemon: - ACCEPT-The administrator is authenticated and service can begin. If the bridge is configured to require authorization, authorization begins at this time. - REJECT-The administrator is not authenticated. The administrator can be denied access or is prompted to retry the login sequence, depending on the TACACS+ daemon. - ERROR-An error occurred at some time during authentication with the daemon or in the network connection between the daemon and the bridge. If an ERROR response is received, the bridge typically tries to use an alternative method for authenticating the administrator. - CONTINUE-The administrator is prompted for additional authentication information. After authentication, the administrator undergoes an additional authorization phase if authorization has been enabled on the bridge. Administrators must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization. 3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response contains data in the form of attributes that direct the EXEC or NETWORK session for that administrator, determining the services that the administrator can access: - Telnet, rlogin, or privileged EXEC services - Connection parameters, including the host or client IP address, access list, and administrator timeouts Configuring TACACS+ This section describes how to configure your bridge to support TACACS+. At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+ authentication. You can optionally define method lists for TACACS+ authorization and accounting. A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on an administrator. You can use method lists to designate one or more security protocols to be used, thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on administrators; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted. OL-4059-01 Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide 11-17

Section	Page
Cisco Aironet 1400 Series Wireless Bridge Software Configuration Guide	1
Contents	3
Preface	13
Audience	13
Purpose	13
Organization	13
Conventions	15
Related Publications	17
Overview	19
Features	20
Management Options	20
Network Configuration Examples	21
Point-to-Point Bridging	21
Point-to-Multipoint Bridging	22
Redundant Bridging	22
Configuring the Bridge for the First Time	25
Before You Start	26
Resetting the Bridge to Default Settings	26
Obtaining and Assigning an IP Address	27
Connecting to the Bridge Locally	27
Assigning Basic Settings	28
Default Settings on the Express Setup Page	32
Protecting Your Wireless LAN	32
Using the IP Setup Utility	32
Obtaining and Installing IPSU	33
Using IPSU to Find the Bridge’s IP Address	33
Using IPSU to Set the Bridge’s IP Address and SSID	34
Assigning an IP Address Using the CLI	35
Using a Telnet Session to Access the CLI	36
Using the Web-Browser Interface	37
Using the Web-Browser Interface for the First Time	38
Using the Management Pages in the Web-Browser Interface	38
Using Action Buttons	39
Character Restrictions in Entry Fields	40
Using Online Help	41
Using the Command-Line Interface	43
IOS Command Modes	44
Getting Help	45
Abbreviating Commands	45
Using no and default Forms of Commands	45
Understanding CLI Messages	46
Using Command History	46
Changing the Command History Buffer Size	46
Recalling Commands	47
Disabling the Command History Feature	47
Using Editing Features	47
Enabling and Disabling Editing Features	48
Editing Commands Through Keystrokes	48
Editing Command Lines that Wrap	49
Searching and Filtering Output of show and more Commands	50
Accessing the CLI	50
Opening the CLI with Telnet	50
Opening the CLI with Secure Shell	51
Administering the Bridge	53
Preventing Unauthorized Access to Your Bridge	54
Protecting Access to Privileged EXEC Commands	54
Default Password and Privilege Level Configuration	54
Setting or Changing a Static Enable Password	55
Protecting Enable and Enable Secret Passwords with Encryption	56
Configuring Username and Password Pairs	57
Configuring Multiple Privilege Levels	58
Setting the Privilege Level for a Command	58
Logging Into and Exiting a Privilege Level	59
Controlling Bridge Access with RADIUS	59
Default RADIUS Configuration	60
Configuring RADIUS Login Authentication	60
Defining AAA Server Groups	61
Configuring RADIUS Authorization for User Privileged Access and Network Services	63
Displaying the RADIUS Configuration	64
Controlling Bridge Access with TACACS+	64
Default TACACS+ Configuration	65
Configuring TACACS+ Login Authentication	65
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	66
Displaying the TACACS+ Configuration	67
Configuring the Bridge for Local Authentication and Authorization	67
Configuring the Bridge for Secure Shell	68
Understanding SSH	68
Configuring SSH	69
Managing the System Time and Date	69
Understanding the System Clock	69
Understanding Network Time Protocol	70
Configuring NTP	71
Default NTP Configuration	72
Configuring NTP Authentication	72
Configuring NTP Associations	73
Configuring NTP Broadcast Service	74
Configuring NTP Access Restrictions	75
Creating an Access Group and Assigning a Basic IP Access List	76
Disabling NTP Services on a Specific Interface	77
Configuring the Source IP Address for NTP Packets	77
Displaying the NTP Configuration	78
Configuring Time and Date Manually	78
Setting the System Clock	79
Displaying the Time and Date Configuration	79
Configuring the Time Zone	80
Configuring Summer Time (Daylight Saving Time)	81
Configuring a System Name and Prompt	83
Default System Name and Prompt Configuration	83
Configuring a System Name	83
Understanding DNS	84
Default DNS Configuration	84
Setting Up DNS	84
Displaying the DNS Configuration	85
Creating a Banner	85
Default Banner Configuration	86
Configuring a Message-of-the-Day Login Banner	86
Configuring a Login Banner	87
Configuring Radio Settings	89
Disabling and Enabling the Radio Interface	90
Configuring the Role in Radio Network	90
Configuring the Radio Distance Setting	91
Configuring Radio Data Rates	91
Configuring Radio Transmit Power	92
Configuring Radio Channel Settings	93
Disabling and Enabling Aironet Extensions	94
Configuring the Ethernet Encapsulation Transformation Method	94
Configuring the Beacon Period	94
Configuring RTS Threshold and Retries	95
Configuring the Maximum Data Retries	95
Configuring the Fragmentation Threshold	96
Configuring Packet Concatenation	96
Performing a Carrier Busy Test	97
Configuring SSIDs	99
Understanding SSIDs	100
Configuring the SSID	100
Default SSID Configuration	100
Creating an SSID	101
Configuring Spanning Tree Protocol	103
Understanding Spanning Tree Protocol	104
STP Overview	104
Bridge Protocol Data Units	105
Election of the Spanning-Tree Root	106
Spanning-Tree Timers	106
Creating the Spanning-Tree Topology	106
Spanning-Tree Interface States	107
Blocking State	108
Listening State	109
Learning State	109
Forwarding State	109
Disabled State	109
Configuring STP Features	110
Default STP Configuration	110
Configuring STP Settings	110
STP Configuration Examples	111
Root Bridge Without VLANs	111
Non-Root Bridge Without VLANs	112
Root Bridge with VLANs	113
Non-Root Bridge with VLANs	114
Displaying Spanning-Tree Status	116
Configuring WEP and WEP Features	117
Understanding WEP	118
Configuring WEP and WEP Features	118
Creating WEP Keys	118
Enabling and Disabling WEP and Enabling TKIP and MIC	119
Configuring Authentication Types	121
Understanding Authentication Types	122
Open Authentication to the Bridge	122
Shared Key Authentication to the Bridge	122
EAP Authentication to the Network	123
Configuring Authentication Types	125
Default Authentication Settings	125
Assigning Authentication Types to an SSID	125
Configuring Authentication Holdoffs, Timeouts, and Intervals	127
Setting Up a Non-Root Bridge as a LEAP Client	128
Matching Authentication Types on Root and Non-Root Bridges	129
Configuring RADIUS and TACACS+ Servers	131
Configuring and Enabling RADIUS	132
Understanding RADIUS	132
RADIUS Operation	133
Configuring RADIUS	134
Default RADIUS Configuration	134
Identifying the RADIUS Server Host	134
Configuring RADIUS Login Authentication	137
Defining AAA Server Groups	139
Configuring RADIUS Authorization for User Privileged Access and Network Services	141
Starting RADIUS Accounting	142
Configuring Settings for All RADIUS Servers	143
Configuring the Bridge to Use Vendor-Specific RADIUS Attributes	143
Configuring the Bridge for Vendor-Proprietary RADIUS Server Communication	144
Displaying the RADIUS Configuration	145
Configuring and Enabling TACACS+	146
Understanding TACACS+	146
TACACS+ Operation	147
Configuring TACACS+	147
Default TACACS+ Configuration	148
Identifying the TACACS+ Server Host and Setting the Authentication Key	148
Configuring TACACS+ Login Authentication	149
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	150
Starting TACACS+ Accounting	151
Displaying the TACACS+ Configuration	152
Configuring VLANs	153
Understanding VLANs	154
Related Documents	155
Incorporating Wireless Bridges into VLANs	156
Configuring VLANs	156
Configuring a VLAN	156
Viewing VLANs Configured on the Bridge	159
Configuring QoS	161
Understanding QoS for Wireless LANs	162
QoS for Wireless LANs Versus QoS on Wired LANs	162
Impact of QoS on a Wireless LAN	162
Precedence of QoS Settings	163
Configuring QoS	163
Configuration Guidelines	163
Configuring QoS Using the Web-Browser Interface	164
Adjusting Radio Traffic Class Definitions	168
CW-min and CW-max Settings for Point-to-Point and Point-to-Multipoint Bridge Links	169
QoS Configuration Examples	170
Giving Priority to Voice Traffic	170
Giving Priority to Video Traffic	172
Configuring Filters	173
Understanding Filters	174
Configuring Filters Using the CLI	174
Configuring Filters Using the Web-Browser Interface	174
Configuring and Enabling MAC Address Filters	175
Creating a MAC Address Filter	176
Configuring and Enabling IP Filters	177
Creating an IP Filter	179
Configuring and Enabling Ethertype Filters	180
Creating an Ethertype Filter	181
Configuring CDP	183
Understanding CDP	184
Configuring CDP	184
Default CDP Configuration	184
Configuring the CDP Characteristics	185
Disabling and Enabling CDP	185
Disabling and Enabling CDP on an Interface	186
Monitoring and Maintaining CDP	187
Configuring SNMP	191
Understanding SNMP	192
SNMP Versions	192
SNMP Manager Functions	193
SNMP Agent Functions	193
SNMP Community Strings	193
Using SNMP to Access MIB Variables	194
Configuring SNMP	194
Default SNMP Configuration	195
Enabling the SNMP Agent	195
Configuring Community Strings	195
Configuring Trap Managers and Enabling Traps	197
Setting the Agent Contact and Location Information	199
Using the snmp-server view Command	199
SNMP Examples	199
Displaying SNMP Status	200
Managing Firmware and Configurations	201
Working with the Flash File System	202
Displaying Available File Systems	202
Setting the Default File System	203
Displaying Information About Files on a File System	203
Changing Directories and Displaying the Working Directory	204
Creating and Removing Directories	204
Copying Files	205
Deleting Files	205
Creating, Displaying, and Extracting tar Files	206
Creating a tar File	206
Displaying the Contents of a tar File	207
Extracting a tar File	207
Displaying the Contents of a File	208
Working with Configuration Files	208
Guidelines for Creating and Using Configuration Files	209
Configuration File Types and Location	209
Creating a Configuration File by Using a Text Editor	210
Copying Configuration Files by Using TFTP	210
Preparing to Download or Upload a Configuration File by Using TFTP	210
Downloading the Configuration File by Using TFTP	211
Uploading the Configuration File by Using TFTP	211
Copying Configuration Files by Using FTP	212
Preparing to Download or Upload a Configuration File by Using FTP	213
Downloading a Configuration File by Using FTP	213
Uploading a Configuration File by Using FTP	214
Copying Configuration Files by Using RCP	215
Preparing to Download or Upload a Configuration File by Using RCP	216
Downloading a Configuration File by Using RCP	216
Uploading a Configuration File by Using RCP	217
Clearing Configuration Information	218
Deleting a Stored Configuration File	218
Working with Software Images	219
Image Location on the Bridge	219
tar File Format of Images on a Server or Cisco.com	219
Copying Image Files by Using TFTP	220
Preparing to Download or Upload an Image File by Using TFTP	220
Downloading an Image File by Using TFTP	221
Uploading an Image File by Using TFTP	222
Copying Image Files by Using FTP	223
Preparing to Download or Upload an Image File by Using FTP	223
Downloading an Image File by Using FTP	224
Uploading an Image File by Using FTP	226
Copying Image Files by Using RCP	227
Preparing to Download or Upload an Image File by Using RCP	227
Downloading an Image File by Using RCP	229
Uploading an Image File by Using RCP	231
Reloading the Image Using the Web Browser Interface	232
Browser HTTP Interface	232
Browser TFTP Interface	232
Reloading the Image Using the Power Injector MODE button	233
Configuring System Message Logging	235
Understanding System Message Logging	236
Configuring System Message Logging	236
System Log Message Format	236
Default System Message Logging Configuration	237
Disabling and Enabling Message Logging	238
Setting the Message Display Destination Device	239
Enabling and Disabling Timestamps on Log Messages	240
Enabling and Disabling Sequence Numbers in Log Messages	240
Defining the Message Severity Level	241
Limiting Syslog Messages Sent to the History Table and to SNMP	242
Setting a Logging Rate Limit	243
Configuring UNIX Syslog Servers	244
Logging Messages to a UNIX Syslog Daemon	244
Configuring the UNIX System Logging Facility	244
Displaying the Logging Configuration	246
Troubleshooting	247
Checking the Bridge LEDs	248
Bridge Normal Mode LED Indications	249
Power Injector LEDs	250
Checking Power	252
Checking Basic Configuration Settings	253
SSID	253
Security Settings	253
Antenna Alignment	254
Resetting to the Default Configuration	254
Using the MODE Button	254
Using the Web Browser Interface	255
Reloading the Bridge Image	255
Using the MODE button	255
Web Browser Interface	256
Browser HTTP Interface	256
Browser TFTP Interface	257
Obtaining the Bridge Image File	257
Obtaining the TFTP Server Software	258
Channels and Antenna Settings	259
Channels	260
IEEE 802.11a (5-GHz Band)	260
Maximum Power Levels	260
5.8-GHz Band	260
Protocol Filters	261
Supported MIBs	267
MIB List	267
Using FTP to Access the MIB Files	268
Error and Event Messages	269
Glossary	273

Match case Limit results 1 per page

11-17

Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide

OL-4059-01

Chapter 11

Configuring RADIUS and TACACS+ Servers

Configuring and Enabling TACACS+

TACACS+ Operation

When an administrator attempts a simple ASCII login by authenticating to a bridge using TACACS+,

this process occurs:

When the connection is established, the bridge contacts the TACACS+ daemon to obtain a username

prompt, which is then displayed to the administrator. The administrator enters a username, and the

bridge then contacts the TACACS+ daemon to obtain a password prompt. The bridge displays the

password prompt to the administrator, the administrator enters a password, and the password is then

sent to the TACACS+ daemon.

TACACS+ allows a conversation to be held between the daemon and the administrator until the

daemon receives enough information to authenticate the administrator. The daemon prompts for a

username and password combination, but can include other items, such as the user’s mother’s

maiden name.

The bridge eventually receives one of these responses from the TACACS+ daemon:

–

ACCEPT—The administrator is authenticated and service can begin. If the bridge is configured

to require authorization, authorization begins at this time.

–

REJECT—The administrator is not authenticated. The administrator can be denied access or is

prompted to retry the login sequence, depending on the TACACS+ daemon.

–

ERROR—An error occurred at some time during authentication with the daemon or in the

network connection between the daemon and the bridge. If an ERROR response is received, the

bridge typically tries to use an alternative method for authenticating the administrator.

–

CONTINUE—The administrator is prompted for additional authentication information.

After authentication, the administrator undergoes an additional authorization phase if authorization

has been enabled on the bridge. Administrators must first successfully complete TACACS+

authentication before proceeding to TACACS+ authorization.

If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an

ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response

contains data in the form of attributes that direct the EXEC or NETWORK session for that

administrator, determining the services that the administrator can access:

–

Telnet, rlogin, or privileged EXEC services

–

Connection parameters, including the host or client IP address, access list, and administrator

timeouts

Configuring TACACS+

This section describes how to configure your bridge to support TACACS+. At a minimum, you must

identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+

authentication. You can optionally define method lists for TACACS+ authorization and accounting. A

method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts

on an administrator. You can use method lists to designate one or more security protocols to be used,

thus ensuring a backup system if the initial method fails. The software uses the first method listed to

authenticate, to authorize, or to keep accounts on administrators; if that method does not respond, the

software selects the next method in the list. This process continues until there is successful

communication with a listed method or the method list is exhausted.