Troubleshooting guide
Cisco Wide Area Application Services Configuration Guide
OL-26579-01
Chapter 1 Configuring Administrative Login Authentication, Authorization, and Accounting
Configuring Administrative Login Authentication and Authorization
WAE# configure
WAE(config)# no authentication login windows-domain enable primary
Step 3 Disable LDAP signing on the WAE:
WAE(config)# no smb-conf section "global" name "ldap ssl" value "yes"
Enabling Administrative Login Authentication and Authorization Schemes for WAAS Devices
This section describes how to centrally enable the various administrative login authentication and
authorization schemes (the authentication configuration) for a WAAS device or device group.
Caution: Make sure that RADIUS, TACACS+, or Windows domain authentication is configured and operating
correctly before disabling local authentication and authorization. If you disable local authentication
while RADIUS, TACACS+, or Windows domain authentication is not configured correctly, or while the
RADIUS, TACACS+, or Windows domain server is not online, you may be unable to log in to the WAAS
device.
By default, a WAAS device uses the local database to authenticate and authorize administrative login
requests. The WAAS device verifies whether all authentication databases are disabled and if so, sets the
system to the default state. For information on this default state, see the “Default Administrative Login
Authentication and Authorization Configuration” section on page 1-4.
Note: You must configure the TACACS+, RADIUS, or Windows server settings for the WAAS device (or
device group) before you configure and submit these settings. See the “About TACACS+ Server
Authentication Settings” section on page 1-14, the “Configuring RADIUS Server Authentication
Settings” section on page 1-12, and the “Configuring Windows Domain Server Authentication Settings”
section on page 1-17 for information on how to configure these server settings on a WAAS device or
device group.
By default, WAAS devices fail over to the secondary method of administrative login authentication
whenever the primary administrative login authentication method fails for any reason. You can change
this default failover behavior through the WAAS Central Manager GUI, as follows:
• To change the default for a WAAS device, choose Devices > device-name and then choose
Configure > Security > AAA > Authentication Methods from the menu. Check the Failover to
next available authentication method box in the displayed window and click Submit.
• To change the default for a device group, choose Device Groups > device-group-name and then
choose Configure > Security > AAA > Authentication Methods from the menu. Check the
Failover to next available authentication method box in the displayed window and click Submit.
After you enable the failover to next available authentication method option, the WAAS device (or the
devices in the device group) queries the next authentication method only if the administrative login
authentication server is unreachable, not if authentication fails for some other reason. The authentication
server could be unreachable due to an incorrect key in the RADIUS or TACACS+ settings on the WAAS
device.
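The two failover behaviors described above, as an added example: a simplified Python model, not Cisco's implementation and not code from this guide. The names (`Result`, `effective_methods`, `admin_login`), the method labels, and the treatment of the default state as "local database only" are assumptions made for illustration.

```python
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"            # method answered and accepted the credentials
    REJECT = "reject"            # method answered and denied the credentials
    UNREACHABLE = "unreachable"  # no usable answer: server offline or wrong shared key


def effective_methods(enabled):
    """If every authentication database is disabled, fall back to the default
    state, modeled here as the local database only (assumption)."""
    return list(enabled) if enabled else ["local"]


def admin_login(enabled, outcomes, failover_unreachable_only=False):
    """Walk the ordered methods and return (granted, methods_queried).

    failover_unreachable_only=False models the default: any failure of one
    method moves on to the next. True models the checked 'Failover to next
    available authentication method' box: only UNREACHABLE moves on.
    """
    queried = []
    for method in effective_methods(enabled):
        queried.append(method)
        result = outcomes[method]
        if result is Result.ACCEPT:
            return True, queried
        if result is Result.REJECT and failover_unreachable_only:
            return False, queried  # server answered "no": stop here
    return False, queried


# Constructed scenarios (not captured from a device).
REJECTED_UPSTREAM = {"tacacs": Result.REJECT, "local": Result.ACCEPT}
SERVER_DOWN = {"tacacs": Result.UNREACHABLE, "local": Result.ACCEPT}

if __name__ == "__main__":
    order = ["tacacs", "local"]
    print(admin_login(order, REJECTED_UPSTREAM))        # local is also tried
    print(admin_login(order, REJECTED_UPSTREAM, True))  # stops at tacacs
    print(admin_login(order, SERVER_DOWN, True))        # falls back to local
    print(admin_login(["tacacs"], SERVER_DOWN, True))   # lockout from the Caution
```

In the model, the default setting lets a login that the primary server rejected be retried against the local database, while the checked option keeps the primary server's rejection final and still allows fallback when the server cannot be reached.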