13-28
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter13 Configuring RADIUS and TACACS+ Servers
Configuring and Enabling TACACS+
The aaa authorization exec tacacs+ local command sets these authorization parameters:
Use TACACS+ for privileged EXEC access authorization if authentication was performed by using
TACAC S+.
Use the local database if authentication was not performed by using TACACS+.
Note Authorization is bypassed for authenticated administrators who log in through the CLI even if
authorization has been configured.
Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for
privileged EXEC access and network services:
To disable authorization, use the no aaa authorization {network | exec} method1 global configuration
command.
You also need to configure your TACACS server with user credentials, and also configure the TACACS
server to return an authorization profile for the authenticated user. The profile can be as extensive as shell
privilege level 15, with no restriction of commands; or be more specific and target only a set of
commands or a lower privilege level.
Starting TACACS+ Accounting
The AAA accounting feature tracks the services that administrators are accessing and the amount of
network resources that they are consuming. When AAA accounting is enabled, the access point reports
administrator activity to the TACACS+ security server in the form of accounting records. Each
accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
This data can then be analyzed for network management, client billing, or auditing.
Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco
IOS privilege level and for network services:
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 aaa authorization network tacacs+ Configure the access point for administrator TACACS+ authorization for
all network-related service requests.
Step3 aaa authorization exec tacacs+ Configure the access point for administrator TACACS+ authorization to
determine if the administrator has privileged EXEC access.
The exec keyword might return user profile information (such as
autocommand information).
Step4 end Return to privileged EXEC mode.
Step5 show running-config Verify your entries.
Step6 copy running-config startup-config (Optional) Save your entries in the configuration file.
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 aaa accounting network start-stop
tacacs+
Enable TACACS+ accounting for all network-related service requests.