Cisco Systems 0L-11350-01 Configuring and Enabling TACACS+

13-23

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-11350-01

Chapter13 Configuring RADIUS and TACACS+ Servers

Configuring and Enabling TACACS+

Configuring and Enabling TACACS+

This section contains this configuration information:

•Understanding TACACS+, page13-23

•TACACS+ Operation, page13-24

•Configuring TACACS+, page13-24

•Displaying the TACACS+ Configuration, page13-29

TACACS+ is a security application that provides centralized validation of users attempting to gain access

to your access point. Unlike RADIUS, TACACS+ does not authenticate client devices associated to the

access point.

TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX

or Windows NT workstation. You should have access to and should configure a TACACS+ server before

configuring TACACS+ features on your access point.

TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.

TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each

service—authentication, authorization, and accounting—independently. Each service can be tied into its

own database to take advantage of other services available on that server or on the network, depending

on the capabilities of the daemon.

TACACS+, administered through the AAA security services, can provide these services:

•Authentication—Provides complete control of authentication of administrators through login and

password dialog, challenge and response, and messaging support.

The authentication facility can conduct a dialog with the administrator (for example, after a

username and password are provided, to challenge a user with several questions, such as home

address, mother’s maiden name, service type, and social security number). The TACACS+

authentication service can also send messages to administrator screens. For example, a message

could notify administrators that their passwords must be changed because of the company’s

password aging policy.

•Authorization—Provides fine-grained control over administrator capabilities for the duration of the

administrator’s session, including but not limited to setting autocommands, access control, session

duration, or protocol support. You can also enforce restrictions on the commands that an

administrator can execute with the TACACS+ authorization feature.

•Accounting—Collects and sends information used for billing, auditing, and reporting to the

TACACS+ daemon. Network managers can use the accounting facility to track administrator activity

for a security audit or to provide information for user billing. Accounting records include

administrator identities, start and stop times, executed commands (such as PPP), number of packets,

and number of bytes.

The TACACS+ protocol provides authentication between the access point and the TACACS+ daemon,

and it ensures confidentiality because all protocol exchanges between the access point and the TACACS+

daemon are encrypted.

You need a system running the TACACS+ daemon software to use TACACS+ on your access point.