Cisco Wide Area Application Services Command Reference
OL-11817-01
Chapter 3 CLI Commands
(config) authentication
To configure TACACS+, use the authentication and tacacs commands. To enable TACACS+, use the
tacacs enable command. For more information on TACACS+ authentication, see the
“(config) tacacs” command.
The authentication login radius and authentication configuration radius commands use a remote
RADIUS server to determine the level of user access.
By default, the local method is enabled, with TACACS+ and RADIUS both disabled for login and
configuration. Whenever TACACS+ and RADIUS are disabled, local is automatically enabled.
TACACS+, RADIUS, and local methods can be enabled at the same time.
The primary option specifies the first method to attempt for both login and configuration; the secondary
option specifies the method to use if the primary method fails. The tertiary option specifies the method
to use if both primary and secondary methods fail. The quaternary option specifies the method to use
if the primary, secondary, and tertiary methods fail. If all methods of an authentication login or
authentication configuration command are configured as primary, or all as secondary or tertiary, local
is attempted first, then TACACS+, and then RADIUS.
Enforcing Authentication with the Primary Method
The authentication fail-over server-unreachable global configuration command allows you to specify
that failover to the secondary authentication method should occur only if the primary authentication
server is unreachable. This feature ensures that users gain access to the WAAS device using the local
database only when remote authentication servers (TACACS+ or RADIUS) are unreachable. For
example, when a TACACS+ server is enabled for authentication with user authentication failover
configured and the user tries to log in to the WAAS device using an account defined in the local database,
login fails. Login succeeds only when the TACACS+ server is unreachable.
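
The method ordering and the fail-over rule described above can be checked against a saved configuration. The following is an added example, not Cisco code: it parses constructed configuration lines (the line form with a trailing primary/secondary keyword is assumed from the command names on this page) and uses a hypothetical, simplified `attempt` model that applies the server-unreachable rule at every step of the method order.

```python
import re

# Constructed sample configuration lines (not taken from a real device).
SAMPLE_CONFIG = """\
authentication login tacacs enable primary
authentication login local enable secondary
authentication configuration tacacs enable primary
authentication configuration local enable secondary
authentication fail-over server-unreachable
"""

RANK = {"primary": 0, "secondary": 1, "tertiary": 2, "quaternary": 3}
TIE = {"local": 0, "tacacs": 1, "radius": 2}  # order used when ranks are equal
LINE = re.compile(r"^authentication (login|configuration) (local|radius|tacacs) "
                  r"enable (primary|secondary|tertiary|quaternary)$")

def parse(config):
    """Return (method order per command, fail-over server-unreachable set?)."""
    found = {"login": [], "configuration": []}
    strict = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "authentication fail-over server-unreachable":
            strict = True
        m = LINE.match(line)
        if m:
            kind, method, rank = m.groups()
            found[kind].append((RANK[rank], TIE[method], method))
    # No authentication method lines at all: the default, local, applies.
    order = {k: [t[2] for t in sorted(v)] or ["local"] for k, v in found.items()}
    return order, strict

def attempt(order, strict, outcome):
    """Hypothetical model. outcome: method -> 'accept'|'reject'|'unreachable'.
    Returns the method that granted access, or None if login fails."""
    for method in order:
        result = outcome[method]
        if result == "accept":
            return method
        if strict and result == "reject":
            return None  # the server answered, so no failover to the next method
    return None

if __name__ == "__main__":
    order, strict = parse(SAMPLE_CONFIG)
    local_only_user = {"tacacs": "reject", "local": "accept"}
    print(order["login"], strict)
    print(attempt(order["login"], strict, local_only_user))   # TACACS+ reachable
    print(attempt(order["login"], False, local_only_user))    # failover on any failure
    print(attempt(order["login"], strict, {"tacacs": "unreachable", "local": "accept"}))
```

A configuration where `parse` returns a remote method ahead of local with the fail-over flag unset is the case to review: in this model a local account is accepted even while the remote server is reachable and rejecting it.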
Login Authentication and Authorization Through the Local Database
Local authentication and authorization use locally configured logins and passwords to authenticate
administrative login attempts. The logins and passwords are local to each WAAS device and are not
mapped to individual usernames.
By default, local login authentication is enabled first. You can disable local login authentication only
after enabling one or more of the other administrative login authentication methods. However, when
local login authentication is disabled, if you disable all other administrative login authentication
methods, local login authentication is reenabled automatically.
Specifying RADIUS Authentication and Authorization Settings
To configure RADIUS authentication on a WAAS device, you must first configure a set of RADIUS
authentication server settings on the WAAS device by using the radius-server global configuration
command. (See the “(config) radius-server” command.)
Use the authentication login radius global configuration command to enable RADIUS authentication
for normal login mode.
Use the authentication configuration radius global configuration command to enable RADIUS
authorization.
To disable RADIUS authentication and authorization on a WAAS device, use the no form of the
authentication global configuration command (for example, use the no authentication login radius
enable command to disable RADIUS authentication).
Specifying TACACS+ Authentication and Authorization Settings
To configure TACACS+ authentication on WAAS devices, you must configure a set of TACACS+
authentication settings on the WAAS device by using the tacacs global configuration command. (See the
“(config) tacacs” command.)