Home » Cisco Manuals » Bridges & Routers » Cisco CISCO1401 » Manual Viewer

Cisco CISCO1401 Software Guide - Page 66

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

UPC - 746320202785

Add to My Manuals
Save this manual to your list of manuals

Page 66 highlights

Controlling Bridge Access with TACACS+ Chapter 5 Administering the Bridge Step 3 Command aaa authentication login {default | list-name} method1 [method2...] Step 4 Step 5 line [console | tty | vty] line-number [ending-line-number] login authentication {default | list-name} Step 6 Step 7 Step 8 end show running-config copy running-config startup-config Purpose Create a login authentication method list. • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces. • For list-name, specify a character string to name the list you are creating. • For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. Select one of these methods: • local-Use the local username database for authentication. You must enter username information into the database. Use the username password global configuration command. • tacacs+-Use TACACS+ authentication. You must configure the TACACS+ server before you can use this authentication method. Enter line configuration mode, and configure the lines to which you want to apply the authentication list. Apply the authentication list to a line or set of lines. • If you specify default, use the default list created with the aaa authentication login command. • For list-name, specify the list created with the aaa authentication login command. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command. Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services AAA authorization limits the services available to a user. When AAA authorization is enabled, the bridge uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it. You can use the aaa authorization global configuration command with the tacacs+ keyword to set parameters that restrict a user's network access to privileged EXEC mode. The aaa authorization exec tacacs+ local command sets these authorization parameters: 5-14 Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide OL-4059-01

Section	Page
Cisco Aironet 1400 Series Wireless Bridge Software Configuration Guide	1
Contents	3
Preface	13
Audience	13
Purpose	13
Organization	13
Conventions	15
Related Publications	17
Overview	19
Features	20
Management Options	20
Network Configuration Examples	21
Point-to-Point Bridging	21
Point-to-Multipoint Bridging	22
Redundant Bridging	22
Configuring the Bridge for the First Time	25
Before You Start	26
Resetting the Bridge to Default Settings	26
Obtaining and Assigning an IP Address	27
Connecting to the Bridge Locally	27
Assigning Basic Settings	28
Default Settings on the Express Setup Page	32
Protecting Your Wireless LAN	32
Using the IP Setup Utility	32
Obtaining and Installing IPSU	33
Using IPSU to Find the Bridge’s IP Address	33
Using IPSU to Set the Bridge’s IP Address and SSID	34
Assigning an IP Address Using the CLI	35
Using a Telnet Session to Access the CLI	36
Using the Web-Browser Interface	37
Using the Web-Browser Interface for the First Time	38
Using the Management Pages in the Web-Browser Interface	38
Using Action Buttons	39
Character Restrictions in Entry Fields	40
Using Online Help	41
Using the Command-Line Interface	43
IOS Command Modes	44
Getting Help	45
Abbreviating Commands	45
Using no and default Forms of Commands	45
Understanding CLI Messages	46
Using Command History	46
Changing the Command History Buffer Size	46
Recalling Commands	47
Disabling the Command History Feature	47
Using Editing Features	47
Enabling and Disabling Editing Features	48
Editing Commands Through Keystrokes	48
Editing Command Lines that Wrap	49
Searching and Filtering Output of show and more Commands	50
Accessing the CLI	50
Opening the CLI with Telnet	50
Opening the CLI with Secure Shell	51
Administering the Bridge	53
Preventing Unauthorized Access to Your Bridge	54
Protecting Access to Privileged EXEC Commands	54
Default Password and Privilege Level Configuration	54
Setting or Changing a Static Enable Password	55
Protecting Enable and Enable Secret Passwords with Encryption	56
Configuring Username and Password Pairs	57
Configuring Multiple Privilege Levels	58
Setting the Privilege Level for a Command	58
Logging Into and Exiting a Privilege Level	59
Controlling Bridge Access with RADIUS	59
Default RADIUS Configuration	60
Configuring RADIUS Login Authentication	60
Defining AAA Server Groups	61
Configuring RADIUS Authorization for User Privileged Access and Network Services	63
Displaying the RADIUS Configuration	64
Controlling Bridge Access with TACACS+	64
Default TACACS+ Configuration	65
Configuring TACACS+ Login Authentication	65
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	66
Displaying the TACACS+ Configuration	67
Configuring the Bridge for Local Authentication and Authorization	67
Configuring the Bridge for Secure Shell	68
Understanding SSH	68
Configuring SSH	69
Managing the System Time and Date	69
Understanding the System Clock	69
Understanding Network Time Protocol	70
Configuring NTP	71
Default NTP Configuration	72
Configuring NTP Authentication	72
Configuring NTP Associations	73
Configuring NTP Broadcast Service	74
Configuring NTP Access Restrictions	75
Creating an Access Group and Assigning a Basic IP Access List	76
Disabling NTP Services on a Specific Interface	77
Configuring the Source IP Address for NTP Packets	77
Displaying the NTP Configuration	78
Configuring Time and Date Manually	78
Setting the System Clock	79
Displaying the Time and Date Configuration	79
Configuring the Time Zone	80
Configuring Summer Time (Daylight Saving Time)	81
Configuring a System Name and Prompt	83
Default System Name and Prompt Configuration	83
Configuring a System Name	83
Understanding DNS	84
Default DNS Configuration	84
Setting Up DNS	84
Displaying the DNS Configuration	85
Creating a Banner	85
Default Banner Configuration	86
Configuring a Message-of-the-Day Login Banner	86
Configuring a Login Banner	87
Configuring Radio Settings	89
Disabling and Enabling the Radio Interface	90
Configuring the Role in Radio Network	90
Configuring the Radio Distance Setting	91
Configuring Radio Data Rates	91
Configuring Radio Transmit Power	92
Configuring Radio Channel Settings	93
Disabling and Enabling Aironet Extensions	94
Configuring the Ethernet Encapsulation Transformation Method	94
Configuring the Beacon Period	94
Configuring RTS Threshold and Retries	95
Configuring the Maximum Data Retries	95
Configuring the Fragmentation Threshold	96
Configuring Packet Concatenation	96
Performing a Carrier Busy Test	97
Configuring SSIDs	99
Understanding SSIDs	100
Configuring the SSID	100
Default SSID Configuration	100
Creating an SSID	101
Configuring Spanning Tree Protocol	103
Understanding Spanning Tree Protocol	104
STP Overview	104
Bridge Protocol Data Units	105
Election of the Spanning-Tree Root	106
Spanning-Tree Timers	106
Creating the Spanning-Tree Topology	106
Spanning-Tree Interface States	107
Blocking State	108
Listening State	109
Learning State	109
Forwarding State	109
Disabled State	109
Configuring STP Features	110
Default STP Configuration	110
Configuring STP Settings	110
STP Configuration Examples	111
Root Bridge Without VLANs	111
Non-Root Bridge Without VLANs	112
Root Bridge with VLANs	113
Non-Root Bridge with VLANs	114
Displaying Spanning-Tree Status	116
Configuring WEP and WEP Features	117
Understanding WEP	118
Configuring WEP and WEP Features	118
Creating WEP Keys	118
Enabling and Disabling WEP and Enabling TKIP and MIC	119
Configuring Authentication Types	121
Understanding Authentication Types	122
Open Authentication to the Bridge	122
Shared Key Authentication to the Bridge	122
EAP Authentication to the Network	123
Configuring Authentication Types	125
Default Authentication Settings	125
Assigning Authentication Types to an SSID	125
Configuring Authentication Holdoffs, Timeouts, and Intervals	127
Setting Up a Non-Root Bridge as a LEAP Client	128
Matching Authentication Types on Root and Non-Root Bridges	129
Configuring RADIUS and TACACS+ Servers	131
Configuring and Enabling RADIUS	132
Understanding RADIUS	132
RADIUS Operation	133
Configuring RADIUS	134
Default RADIUS Configuration	134
Identifying the RADIUS Server Host	134
Configuring RADIUS Login Authentication	137
Defining AAA Server Groups	139
Configuring RADIUS Authorization for User Privileged Access and Network Services	141
Starting RADIUS Accounting	142
Configuring Settings for All RADIUS Servers	143
Configuring the Bridge to Use Vendor-Specific RADIUS Attributes	143
Configuring the Bridge for Vendor-Proprietary RADIUS Server Communication	144
Displaying the RADIUS Configuration	145
Configuring and Enabling TACACS+	146
Understanding TACACS+	146
TACACS+ Operation	147
Configuring TACACS+	147
Default TACACS+ Configuration	148
Identifying the TACACS+ Server Host and Setting the Authentication Key	148
Configuring TACACS+ Login Authentication	149
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	150
Starting TACACS+ Accounting	151
Displaying the TACACS+ Configuration	152
Configuring VLANs	153
Understanding VLANs	154
Related Documents	155
Incorporating Wireless Bridges into VLANs	156
Configuring VLANs	156
Configuring a VLAN	156
Viewing VLANs Configured on the Bridge	159
Configuring QoS	161
Understanding QoS for Wireless LANs	162
QoS for Wireless LANs Versus QoS on Wired LANs	162
Impact of QoS on a Wireless LAN	162
Precedence of QoS Settings	163
Configuring QoS	163
Configuration Guidelines	163
Configuring QoS Using the Web-Browser Interface	164
Adjusting Radio Traffic Class Definitions	168
CW-min and CW-max Settings for Point-to-Point and Point-to-Multipoint Bridge Links	169
QoS Configuration Examples	170
Giving Priority to Voice Traffic	170
Giving Priority to Video Traffic	172
Configuring Filters	173
Understanding Filters	174
Configuring Filters Using the CLI	174
Configuring Filters Using the Web-Browser Interface	174
Configuring and Enabling MAC Address Filters	175
Creating a MAC Address Filter	176
Configuring and Enabling IP Filters	177
Creating an IP Filter	179
Configuring and Enabling Ethertype Filters	180
Creating an Ethertype Filter	181
Configuring CDP	183
Understanding CDP	184
Configuring CDP	184
Default CDP Configuration	184
Configuring the CDP Characteristics	185
Disabling and Enabling CDP	185
Disabling and Enabling CDP on an Interface	186
Monitoring and Maintaining CDP	187
Configuring SNMP	191
Understanding SNMP	192
SNMP Versions	192
SNMP Manager Functions	193
SNMP Agent Functions	193
SNMP Community Strings	193
Using SNMP to Access MIB Variables	194
Configuring SNMP	194
Default SNMP Configuration	195
Enabling the SNMP Agent	195
Configuring Community Strings	195
Configuring Trap Managers and Enabling Traps	197
Setting the Agent Contact and Location Information	199
Using the snmp-server view Command	199
SNMP Examples	199
Displaying SNMP Status	200
Managing Firmware and Configurations	201
Working with the Flash File System	202
Displaying Available File Systems	202
Setting the Default File System	203
Displaying Information About Files on a File System	203
Changing Directories and Displaying the Working Directory	204
Creating and Removing Directories	204
Copying Files	205
Deleting Files	205
Creating, Displaying, and Extracting tar Files	206
Creating a tar File	206
Displaying the Contents of a tar File	207
Extracting a tar File	207
Displaying the Contents of a File	208
Working with Configuration Files	208
Guidelines for Creating and Using Configuration Files	209
Configuration File Types and Location	209
Creating a Configuration File by Using a Text Editor	210
Copying Configuration Files by Using TFTP	210
Preparing to Download or Upload a Configuration File by Using TFTP	210
Downloading the Configuration File by Using TFTP	211
Uploading the Configuration File by Using TFTP	211
Copying Configuration Files by Using FTP	212
Preparing to Download or Upload a Configuration File by Using FTP	213
Downloading a Configuration File by Using FTP	213
Uploading a Configuration File by Using FTP	214
Copying Configuration Files by Using RCP	215
Preparing to Download or Upload a Configuration File by Using RCP	216
Downloading a Configuration File by Using RCP	216
Uploading a Configuration File by Using RCP	217
Clearing Configuration Information	218
Deleting a Stored Configuration File	218
Working with Software Images	219
Image Location on the Bridge	219
tar File Format of Images on a Server or Cisco.com	219
Copying Image Files by Using TFTP	220
Preparing to Download or Upload an Image File by Using TFTP	220
Downloading an Image File by Using TFTP	221
Uploading an Image File by Using TFTP	222
Copying Image Files by Using FTP	223
Preparing to Download or Upload an Image File by Using FTP	223
Downloading an Image File by Using FTP	224
Uploading an Image File by Using FTP	226
Copying Image Files by Using RCP	227
Preparing to Download or Upload an Image File by Using RCP	227
Downloading an Image File by Using RCP	229
Uploading an Image File by Using RCP	231
Reloading the Image Using the Web Browser Interface	232
Browser HTTP Interface	232
Browser TFTP Interface	232
Reloading the Image Using the Power Injector MODE button	233
Configuring System Message Logging	235
Understanding System Message Logging	236
Configuring System Message Logging	236
System Log Message Format	236
Default System Message Logging Configuration	237
Disabling and Enabling Message Logging	238
Setting the Message Display Destination Device	239
Enabling and Disabling Timestamps on Log Messages	240
Enabling and Disabling Sequence Numbers in Log Messages	240
Defining the Message Severity Level	241
Limiting Syslog Messages Sent to the History Table and to SNMP	242
Setting a Logging Rate Limit	243
Configuring UNIX Syslog Servers	244
Logging Messages to a UNIX Syslog Daemon	244
Configuring the UNIX System Logging Facility	244
Displaying the Logging Configuration	246
Troubleshooting	247
Checking the Bridge LEDs	248
Bridge Normal Mode LED Indications	249
Power Injector LEDs	250
Checking Power	252
Checking Basic Configuration Settings	253
SSID	253
Security Settings	253
Antenna Alignment	254
Resetting to the Default Configuration	254
Using the MODE Button	254
Using the Web Browser Interface	255
Reloading the Bridge Image	255
Using the MODE button	255
Web Browser Interface	256
Browser HTTP Interface	256
Browser TFTP Interface	257
Obtaining the Bridge Image File	257
Obtaining the TFTP Server Software	258
Channels and Antenna Settings	259
Channels	260
IEEE 802.11a (5-GHz Band)	260
Maximum Power Levels	260
5.8-GHz Band	260
Protocol Filters	261
Supported MIBs	267
MIB List	267
Using FTP to Access the MIB Files	268
Error and Event Messages	269
Glossary	273

Match case Limit results 1 per page

5-14

Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide

OL-4059-01

Chapter 5

Administering the Bridge

Controlling Bridge Access with TACACS+

To disable AAA, use the

no aaa new-model

global configuration command. To disable AAA

authentication, use the

no aaa authentication login

{

default

list-name

}

method1

[

method2...

] global

configuration command. To either disable TACACS+ authentication for logins or to return to the default

value, use the

no login authentication

{

default

list-name

} line configuration command.

Configuring TACACS+ Authorization for Privileged EXEC Access and Network

Services

AAA authorization limits the services available to a user. When AAA authorization is enabled, the

bridge uses information retrieved from the user’s profile, which is located either in the local user

database or on the security server, to configure the user’s session. The user is granted access to a

requested service only if the information in the user profile allows it.

You can use the

aaa authorization

global configuration command with the

tacacs+

keyword to set

parameters that restrict a user’s network access to privileged EXEC mode.

The

aaa authorization exec tacacs+ local

command sets these authorization parameters:

Step 3

aaa authentication login

{

default

list-name

}

method1

[

method2...

]

Create a login authentication method list.

•

To create a default list that is used when a named list is

not

specified

in the

command, use the

default

keyword

followed by the methods that are to be used in default situations. The

default method list is automatically applied to all interfaces.

•

For

list-name

, specify

a character string to name the list you are

creating.

•

For

method1...

, specify the actual method the authentication

algorithm tries. The additional methods of authentication are used

only if the previous method returns an error, not if it fails.

Select one of these methods:

•

local

—Use the local username database for authentication. You must

enter username information into the database. Use the

username

password

global configuration command.

•

tacacs+

—Use TACACS+ authentication. You must configure the

TACACS+ server before you can use this authentication method.

Step 4

line

[

console

tty

vty

]

line-number

[

ending-line-number

]

Enter line configuration mode, and configure the lines to which you want

to apply the authentication list.

Step 5

{

default

list-name

}

Apply the authentication list to a line or set of lines.

•

If you specify

default

, use the default list created with the

aaa

authentication login

command.

•

For

list-name

, specify the list created with the

aaa authentication

command.

Step 6

end

Return to privileged EXEC mode.

Step 7

show running-config

Verify your entries.

Step 8

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Command

Purpose