User's Manual

ManualsBrandsCisco Systems ManualsWelding SystemCisco Systems IOS Software 0L-11350-01

301

302

303

304

305

306

307

308

309

310

13-26

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-11350-01

Chapter 13 Configuring RADIUS and TACACS+ Servers

Configuring and Enabling TACACS+

To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname

global configuration command. To remove a server group from the configuration list, use the no aaa

group server tacacs+ group-name global configuration command. To remove the IP address of a

TACACS+ server, use the no server ip-address server group subconfiguration command.

Configuring TACACS+ Login Authentication

To configure AAA authentication, you define a named list of authentication methods and then apply that

list to various interfaces. The method list defines the types of authentication to be performed and the

sequence in which they are performed; it must be applied to a specific interface before any of the defined

authentication methods are performed. The only exception is the default method list (which, by

coincidence, is named default). The default method list is automatically applied to all interfaces except

those that have a named method list explicitly defined. A defined method list overrides the default

method list.

A method list describes the sequence and authentication methods to be queried to authenticate an

administrator. You can designate one or more security protocols to be used for authentication, thus

ensuring a backup system for authentication in case the initial method fails. The software uses the first

method listed to authenticate users; if that method fails to respond, the software selects the next

authentication method in the method list. This process continues until there is successful communication

with a listed authentication method or until all defined methods are exhausted. If authentication fails at

any point in this cycle—meaning that the security server or local username database responds by denying

the administrator access—the authentication process stops, and no other authentication methods are

attempted.

Beginning in privileged EXEC mode, follow these steps to configure login authentication:

Step 5

server ip-address (Optional) Associate a particular TACACS+ server with the defined

server group. Repeat this step for each TACACS+ server in the AAA

server group.

Each server in the group must be previously defined in Step 2.

Step 6

end Return to privileged EXEC mode.

Step 7

show tacacs Verify your entries.

Step 8

copy running-config startup-config (Optional) Save your entries in the configuration file.

Command Purpose

Step 1

configure terminal Enter global configuration mode.

Step 2

aaa new-model Enable AAA.