
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014 433
Configuring RADIUS and TACACS+ Servers Chapter 14
TACACS+ allows a conversation to be held between the daemon and the
administrator until the daemon receives enough information to
authenticate the administrator. The daemon prompts for a username and
password combination, but can include other items, such as the user's
mother's maiden name.
4. The access point eventually receives one of these responses from the
TACACS+ daemon.
After authentication, the administrator undergoes an additional
authorization phase if authorization has been enabled on the access point.
Administrators must first successfully complete TACACS+
authentication before proceeding to TACACS+ authorization.
5. If TACACS+ authorization is required, the TACACS+ daemon is again
contacted, and it returns an ACCEPT or REJECT authorization
response. If an ACCEPT response is returned, the response contains data
in the form of attributes that direct the EXEC or NETWORK session for
that administrator, determining the services that the administrator can
access:
• Telnet, rlogin, or privileged EXEC services
• Connection parameters, including the host or client IP address, access
list, and administrator timeouts
Configuring TACACS+
To configure your access point to support TACACS+, you must identify the host
or hosts maintaining the TACACS+ daemon and define the method lists for
TACACS+ authentication. You can optionally define method lists for
TACACS+ authorization and accounting.
A method list defines the sequence and methods to be used to authenticate, to
authorize, or to keep accounts on an administrator. You can use method lists to
designate one or more security protocols to be used, thus ensuring a backup
system if the initial method fails.
The software uses the first method listed to authenticate, to authorize, or to keep
accounts on administrators; if that method does not respond, the software selects
the next method in the list. This process continues until there is successful
communication with a listed method or the method list is exhausted.
Response   Description
ACCEPT     The administrator is authenticated and service can begin. If the access point is
           configured to require authorization, authorization begins at this time.
REJECT     The administrator is not authenticated. The administrator can be denied access or is
           prompted to retry the login sequence, depending on the TACACS+ daemon.
ERROR      An error occurred at some time during authentication with the daemon or in the network
           connection between the daemon and the access point. If an ERROR response is received,
           the access point typically tries to use an alternative method for authenticating the
           administrator.
CONTINUE   The administrator is prompted for additional authentication information.
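The following is an added example, not code from this manual or from the access point firmware: a small Python model of how a method list is walked and how the four daemon responses in the table above are treated. The daemon stub, the local-database stub, the usernames and passwords are all constructed; the choice to deny access when no method in the list responds is this example's assumption, not something the manual states.

```python
# Added example (not Rockwell or Cisco code): a small model of the AAA
# method-list evaluation and TACACS+ response handling described above.
# The daemon stub, usernames, passwords and outcomes are constructed.
from typing import Callable, Optional

ACCEPT, REJECT, ERROR, CONTINUE = "ACCEPT", "REJECT", "ERROR", "CONTINUE"
NO_RESPONSE = None  # the backend could not be reached or timed out
# A method takes (username, credentials) and returns one of the four
# responses, or NO_RESPONSE if the backend never answered.
Method = Callable[[str, dict], Optional[str]]

def tacacs_method(accounts: dict, reachable: bool = True) -> Method:
    """Stand-in for a TACACS+ daemon. accounts maps username ->
    (password, extra_answer); extra_answer=None means no second prompt."""
    def authenticate(user: str, creds: dict) -> Optional[str]:
        if not reachable:
            return NO_RESPONSE
        if user not in accounts or creds.get("password") != accounts[user][0]:
            return REJECT
        extra = accounts[user][1]
        if extra is not None and "extra" not in creds:
            return CONTINUE  # daemon needs another prompt answered first
        if extra is not None and creds["extra"] != extra:
            return REJECT
        return ACCEPT
    return authenticate

def local_method(accounts: dict) -> Method:
    """Stand-in for the access point's local user database."""
    def authenticate(user: str, creds: dict) -> Optional[str]:
        return ACCEPT if accounts.get(user) == creds.get("password") else REJECT
    return authenticate

def evaluate_method_list(methods, user: str, creds: dict):
    """Walk the list in order, as the text describes: a method that does
    not respond (or returns ERROR) is skipped and the next one is tried;
    ACCEPT, REJECT and CONTINUE end this attempt. Returns (name, response).
    If no method responds the attempt is denied; that fail-closed choice
    is this example's assumption, not something the manual states."""
    for name, method in methods:
        resp = method(user, creds)
        if resp in (NO_RESPONSE, ERROR):
            continue
        return name, resp
    return None, REJECT

# Constructed method list: TACACS+ first, the local database as backup.
TACACS = tacacs_method({"alice": ("s3cret", "Smith")})
TACACS_DOWN = tacacs_method({"alice": ("s3cret", "Smith")}, reachable=False)
LOCAL = local_method({"alice": "localpw"})
```

Note that a REJECT from the daemon ends the attempt without consulting the backup method; only a non-response or ERROR falls through to the next entry, which is why a reachable daemon keeps the local database from being used to bypass it.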