Configuring TACACS+ Login Authentication – Rockwell Automation 1783-WAPxxx Stratix 5100 Wireless Access Point User Manual
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Configuring RADIUS and TACACS+ Servers
Chapter 14
aaa group server tacacs+ group-name
5. (Optional) Associate a particular TACACS+ server with the defined
server group. Repeat this step for each TACACS+ server in the AAA
server group.
Each server in the group must be previously defined in Step 2.
server ip-address
6. Return to privileged EXEC mode.
end
7. Verify your entries.
show tacacs
8. (Optional) Save your entries in the configuration file.
copy running-config startup-config
• To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname global configuration command.
• To remove a server group from the configuration list, use the no aaa group server tacacs+ group-name global configuration command.
• To remove the IP address of a TACACS+ server, use the no server ip-address server group subconfiguration command.
Configuring TACACS+ Login Authentication
To configure AAA authentication, you define a named list of authentication
methods and then apply that list to various interfaces. The method list defines the
types of authentication and the sequence performed; it must be applied to a
specific interface before any of the defined authentication methods are
performed. The only exception is the default method list (which, by coincidence, is
named default). The default method list is automatically applied to all interfaces
except those that have a named method list explicitly defined. A defined method
list overrides the default method list.
A method list describes the sequence and authentication methods to be queried
to authenticate an administrator. You can designate one or more security
protocols to be used for authentication, thus ensuring a back-up system for
authentication in case the initial method fails. The software uses the first method
listed to authenticate users; if that method fails to respond, the software selects
the next authentication method in the method list.
This process continues until there is successful communication with a listed
authentication method or until all defined methods are exhausted. If
authentication fails at any point in this cycle—meaning that the security server or
local username database responds by denying the administrator access—the
authentication process stops, and no other authentication methods are
attempted.
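The method-list behaviour described above, modelled as an added example (it is not code from the manual or from the access point software). It shows that only a non-response moves on to the next method, while a deny ends the process. The list names, interface names, responder functions and credentials are hypothetical and constructed for illustration.

```python
from enum import Enum

class Reply(Enum):
    PASS = "pass"    # method answered and accepted the credentials
    FAIL = "fail"    # method answered and denied access
    ERROR = "error"  # method did not respond (server unreachable, timeout)

def resolve_method_list(interface, method_lists, bindings):
    """Return the list applied to an interface: its named list, else 'default'."""
    name = bindings.get(interface, "default")
    return name, method_lists[name]

def authenticate(methods, responders, user, password):
    """Walk a method list in order.

    Only a non-response (ERROR) moves on to the next method. A PASS or a
    FAIL from any method ends the process immediately.
    Returns (granted, methods_tried).
    """
    tried = []
    for method in methods:
        tried.append(method)
        reply = responders[method](user, password)
        if reply is Reply.PASS:
            return True, tried
        if reply is Reply.FAIL:
            return False, tried  # a deny is final; later methods are skipped
    return False, tried  # every method was exhausted without an answer

# Constructed sample data (hypothetical names, not from the manual).
METHOD_LISTS = {"default": ["tacacs+", "local"], "CONSOLE": ["local"]}
BINDINGS = {"console": "CONSOLE"}  # "vty" has no named list, so it gets default
LOCAL_USERS = {"admin": "example-password"}

def local_db(user, password):
    return Reply.PASS if LOCAL_USERS.get(user) == password else Reply.FAIL

def tacacs_unreachable(user, password):
    return Reply.ERROR

def tacacs_denies(user, password):
    return Reply.FAIL

if __name__ == "__main__":
    _, methods = resolve_method_list("vty", METHOD_LISTS, BINDINGS)
    for label, tacacs in (("unreachable", tacacs_unreachable), ("denies", tacacs_denies)):
        responders = {"tacacs+": tacacs, "local": local_db}
        print(label, authenticate(methods, responders, "admin", "example-password"))
```

With the TACACS+ server unreachable, the local username database becomes the deciding method, so a local account placed last in the list needs credentials as strong as the ones held on the server.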