Cisco Wide Area Application Services Command Reference
OL-16451-01
Chapter 3 CLI Commands
(config) authentication login
Use the authentication configuration radius global configuration command to enable RADIUS
authorization.
To disable RADIUS authentication and authorization on a WAAS device, use the no form of the
authentication global configuration command (for example, use the no authentication login radius
enable command to disable RADIUS authentication).
Specifying TACACS+ Authentication and Authorization Settings
To configure TACACS+ authentication on WAAS devices, you must configure a set of TACACS+
authentication settings on the WAAS device by using the tacacs global configuration command. (See the
(config) tacacs command.)
Server Redundancy
Authentication servers can be specified with the tacacs host or radius-server host global configuration
commands. In the case of TACACS+ servers, the tacacs host hostname command can be used to
configure additional servers. These additional servers provide authentication redundancy and improved
throughput, especially when WAAS device load-balancing schemes distribute the requests evenly
between the servers. If the WAAS device cannot connect to any of the authentication servers, no
authentication takes place and users who have not been previously authenticated are denied access.
Specifying the Windows Domain Login Authentication
You can enable the Windows domain as an administrative login authentication and authorization method
for a device or device group. Before you enable Windows authentication, you must first configure the
Windows domain controller by using the windows-domain wins-server global configuration command.
(See the (config) windows-domain command.)
Note: WAAS supports authentication by a Windows domain controller running only on Windows Server 2000
or Windows Server 2003.
Examples
The following example shows how to query the secondary authentication database if the primary
authentication server is unreachable. This feature is referred to as the failover server-unreachable
feature.
WAE(config)# authentication fail-over server-unreachable
If you enable the failover server-unreachable feature on the WAAS device, only two login authentication
schemes (a primary and secondary scheme) can be configured on the WAAS device. The WAAS device
fails over from the primary authentication scheme to the secondary authentication scheme only if the
specified authentication server is unreachable.
To enable authentication privileges using the local, TACACS+, RADIUS, or Windows databases, and to
specify the order of the administrative login authentication, use the authentication login global
configuration command. In the following example, RADIUS is specified as the primary method,
TACACS+ as the secondary method, Windows as the third method, and the local database as the fourth
method. In this example, four login authentication methods are specified because the failover
server-unreachable feature is not enabled on the WAAS device.
WAE(config)# authentication login radius enable primary
WAE(config)# authentication login tacacs enable secondary
WAE(config)# authentication login windows-domain enable tertiary
WAE(config)# authentication login local enable quaternary
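
The following added example (not part of the Cisco reference) is a small offline check that reads pasted configuration lines and reports when the failover server-unreachable feature is enabled together with more than two login schemes. The function name audit, the duplicate-priority check, and the second sample input are assumptions made for this example.

```python
import re

PRIORITIES = ("primary", "secondary", "tertiary", "quaternary")
METHODS = r"(local|radius|tacacs|windows-domain)"
PROMPT = re.compile(r"^\S+\(config\)#\s*")          # e.g. "WAE(config)# "
LOGIN = re.compile(rf"^authentication login {METHODS} enable ({'|'.join(PRIORITIES)})$")
NO_LOGIN = re.compile(rf"^no authentication login {METHODS} enable$")
FAILOVER = "authentication fail-over server-unreachable"


def audit(config_text):
    """Return (methods in login order, failover flag, findings) for CLI lines."""
    priority_of, failover, findings = {}, False, []
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if line == FAILOVER:
            failover = True
        elif m := NO_LOGIN.match(line):
            priority_of.pop(m.group(1), None)        # "no" form disables the method
        elif m := LOGIN.match(line):
            priority_of[m.group(1)] = m.group(2)
    order = sorted(priority_of, key=lambda meth: PRIORITIES.index(priority_of[meth]))
    ranks = list(priority_of.values())
    for p in PRIORITIES:
        # Hygiene check chosen for this example, not a rule stated in the reference.
        if ranks.count(p) > 1:
            findings.append(f"more than one method is set as {p}")
    # Rule from the reference: with fail-over enabled, only two schemes are allowed.
    if failover and len(order) > 2:
        findings.append(f"fail-over server-unreachable is enabled but {len(order)} "
                        "login methods are configured; only two are allowed")
    return order, failover, findings


# The four-method example from the reference (fail-over not enabled).
PAGE_EXAMPLE = """\
WAE(config)# authentication login radius enable primary
WAE(config)# authentication login tacacs enable secondary
WAE(config)# authentication login windows-domain enable tertiary
WAE(config)# authentication login local enable quaternary
"""
# Constructed input: fail-over enabled with three methods still configured.
CONSTRUCTED_BAD = """\
authentication fail-over server-unreachable
authentication login radius enable primary
authentication login tacacs enable secondary
authentication login local enable tertiary
"""

if __name__ == "__main__":
    for name, text in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(name, audit(text))
```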