Troubleshooting guide
1-14
Cisco Wide Area Application Services Configuration Guide
OL-26579-01
Chapter 1 Configuring Administrative Login Authentication, Authorization, and Accounting
Configuring Administrative Login Authentication and Authorization
Note: If you configure a RADIUS key on the WAAS device (the RADIUS client), make sure that you
configure an identical key on the external RADIUS server. Do not use the following characters:
space, backwards single quote (`), double quote ("), pipe (|), or question mark (?).
Step 6 In the Server Name field, enter an IP address or hostname of the RADIUS server. Five different hosts
are allowed.
Step 7 In the Server Port field, enter a UDP port number on which the RADIUS server is listening. You must
specify at least one port. Five different ports are allowed.
Step 8 Click Submit to save the settings.
You can now enable RADIUS as an administrative login authentication and authorization method for this
WAAS device or device group, as described in the “Enabling Administrative Login Authentication and
Authorization Schemes for WAAS Devices” section on page 1-26.
To configure RADIUS settings from the CLI, you can use the radius-server global configuration
command.
About TACACS+ Server Authentication Settings
TACACS+ controls access to network devices by exchanging network access server (NAS) information
between a network device and a centralized database to determine the identity of a user or an entity.
TACACS+ is an enhanced version of TACACS, a UDP-based access-control protocol specified by
RFC 1492. TACACS+ uses TCP to ensure reliable delivery and encrypts all traffic between the TACACS+
server and the TACACS+ daemon on a network device.
TACACS+ works with many authentication types, including fixed password, one-time password, and
challenge-response authentication. TACACS+ authentication usually occurs when an administrator first
logs in to the WAAS device to monitor, configure, or troubleshoot the WAE.
When a user requests restricted services, TACACS+ encrypts the user password information using the
MD5 encryption algorithm and adds a TACACS+ packet header. This header information identifies the
packet type being sent (for example, an authentication packet), the packet sequence number, the
encryption type used, and the total packet length. The TACACS+ protocol then forwards the packet to
the TACACS+ server.
A TACACS+ server can provide authentication, authorization, and accounting functions. These services,
while all part of TACACS+, are independent of one another, so a given TACACS+ configuration can use
any or all of the three services.
When the TACACS+ server receives a packet, it does the following:
• Authenticates the user information and notifies the client that the login authentication has either
succeeded or failed.
• Notifies the client that authentication will continue and that the client must provide additional
information. This challenge-response process can continue through multiple iterations until login
authentication either succeeds or fails.
You can configure a TACACS+ key on the client and server. If you configure a key on a WAAS device,
it must be the same as the one configured on the TACACS+ servers. The TACACS+ clients and servers
use the key to encrypt all TACACS+ packets transmitted. If you do not configure a TACACS+ key,
packets are not encrypted.
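The header fields and shared-key behavior described above, as an added Python example that is not part of the Cisco guide or WAAS code. It follows the public TACACS+ specification (RFC 8907), in which the keyed protection is an XOR of the packet body with a pad of chained MD5 hashes; the function names, key, and sample packets are constructed for illustration.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # RFC 8907 flag: body is sent in clear text
PACKET_TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}


def parse_header(packet):
    """Decode the fixed 12-byte TACACS+ header and validate the length field."""
    if len(packet) < 12:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    if len(packet) - 12 != length:
        raise ValueError("length field does not match body size")
    return {"version": version, "type": PACKET_TYPES.get(ptype, "unknown"),
            "seq_no": seq_no, "session_id": session_id, "length": length,
            "body_in_clear": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)}


def pseudo_pad(key, version, seq_no, session_id, length):
    """Chained pad: MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def transform_body(packet, key):
    """XOR the body with the pad; the same call protects and recovers it."""
    h = parse_header(packet)
    if h["body_in_clear"]:
        return packet[12:]  # no key was used, nothing to undo
    pad = pseudo_pad(key, h["version"], h["seq_no"], h["session_id"], h["length"])
    return bytes(b ^ p for b, p in zip(packet[12:], pad))


def build_packet(body, key, session_id, seq_no=1):
    """Hypothetical sender: key=None models a device with no key configured."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if key is None else 0
    header = struct.pack("!BBBBII", 0xC0, 1, seq_no, flags, session_id, len(body))
    if key is None:
        return header + body
    return header + transform_body(header + body, key)
```

A capture in which `parse_header` reports `body_in_clear` as true indicates a client or server running without a key, and a body that does not decode with the expected key indicates mismatched keys between the WAAS device and the TACACS+ server.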