Configuring Tacacs+ On The Acs - Cisco 2100 Series Configuration Manual

Wireless LAN Controller
Chapter 5
Configuring Security Solutions
TACACS+ uses Transmission Control Protocol (TCP) for its transport, unlike RADIUS which uses User
Datagram Protocol (UDP). It maintains a database and listens on TCP port 49 for incoming requests. The
controller, which requires access control, acts as the client and requests AAA services from the server.
The traffic between the controller and the server is encrypted by an algorithm defined in the protocol and
a shared secret key configured on both devices.
You can configure up to three TACACS+ authentication, authorization, and accounting servers each. For
example, you may want to have one central TACACS+ authentication server but several TACACS+
authorization servers in different regions. If you configure multiple servers of the same type and the first
one fails or becomes unreachable, the controller automatically tries the second one and then the third
one if necessary.
Note
If multiple TACACS+ servers are configured for redundancy, the user database must be identical in all
the servers for the backup to work properly.
You must configure TACACS+ on both your CiscoSecure Access Control Server (ACS) and your
controller. You can configure the controller through either the GUI or the CLI.

Configuring TACACS+ on the ACS

Follow these steps to configure TACACS+ on the ACS.
Note
TACACS+ is supported on CiscoSecure ACS version 3.2 and greater. The instructions and illustrations
in this section pertain to ACS version 4.1 and may vary for other versions. Refer to the CiscoSecure ACS
documentation for the version you are running.
Step 1
Click Network Configuration on the ACS main page.
OL-17037-01
Security menu (or designated as security commands in the case of the CLI). If users are not
authorized for a particular role (such as WLAN), they can still access that menu option in read-only
mode (or the associated CLI show commands). If the TACACS+ authorization server becomes
unreachable or unable to authorize, users are unable to log into the controller.
Note
If users attempt to make changes on a controller GUI page that are not permitted for their
assigned role, a message appears indicating that they do not have sufficient privilege. If users
enter a controller CLI command that is not permitted for their assigned role, a message may
appear indicating that the command was successfully executed although it was not. In this
case, the following additional message appears to inform users that they lack sufficient
privileges to successfully execute the command: "Insufficient Privilege! Cannot execute
command!"
Accounting—The process of recording user actions and changes.
Whenever a user successfully executes an action, the TACACS+ accounting server logs the changed
attributes, the user ID of the person who made the change, the remote host where the user is logged
in, the date and time when the command was executed, the authorization level of the user, and a
description of the action performed and the values provided. If the TACACS+ accounting server
becomes unreachable, users are able to continue their sessions uninterrupted.
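As an added illustration (not code from this guide or from Cisco), the Python model below captures the controller behaviour this section describes: one to three servers per service type tried in configured order, login refused when no authorization server can authorize the user, read-only access to menus outside the user's role, and sessions that continue when accounting is unreachable. The server names, the role names (including the catch-all "ALL") and the in-memory user tables are constructed for the example.

```python
from dataclasses import dataclass, field

TACACS_PORT = 49           # TACACS+ listens on TCP/49; RADIUS uses UDP
MAX_SERVERS_PER_TYPE = 3   # the guide allows three servers each for authn, authz, acct


@dataclass
class TacacsServer:
    host: str                                  # constructed name, not a real ACS
    reachable: bool = True
    users: dict = field(default_factory=dict)  # username -> set of authorized roles


class ControllerAaa:
    """Controller-side server choice: first configured server, next one on failure."""
    def __init__(self, authn, authz, acct):
        for servers in (authn, authz, acct):
            if not 0 < len(servers) <= MAX_SERVERS_PER_TYPE:
                raise ValueError("one to three TACACS+ servers per service type")
        self.authn, self.authz, self.acct = authn, authz, acct
        self.accounting_log = []

    @staticmethod
    def _first_reachable(servers):
        return next((s for s in servers if s.reachable), None)

    def login(self, user):
        """Return the user's roles, or None when the login must be refused."""
        authn = self._first_reachable(self.authn)
        if authn is None or user not in authn.users:
            return None
        authz = self._first_reachable(self.authz)
        # Authorization server unreachable or unable to authorize: no login
        if authz is None or user not in authz.users:
            return None
        return authz.users[user]

    @staticmethod
    def can_change(roles, menu):
        """A role the user lacks leaves that menu read-only rather than hidden."""
        return "ALL" in roles or menu in roles

    def record(self, user, remote_host, roles, action):
        """Accounting: log the action; with no accounting server, the session goes on."""
        acct = self._first_reachable(self.acct)
        if acct is None:
            return False   # nothing logged, but the user session is not interrupted
        self.accounting_log.append({"user": user, "remote_host": remote_host,
                                    "roles": sorted(roles), "action": action,
                                    "server": acct.host})
        return True
```

The second controller in the test shows the note about identical databases: a backup authorization server missing a user turns a failover into a refused login for that user.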
Cisco Wireless LAN Controller Configuration Guide
Configuring TACACS+
5-19

This manual is also suitable for: 4400 series