Tacacs+ Operation; Default Tacacs+ Configuration - Cisco C3201FESMIC-TP= - 3201 Fast EN Switch Mobile Interface Card Expansion Module Software Configuration Manual


Administering the WMIC

TACACS+ Operation

When an administrator attempts a simple ASCII login by authenticating to a WMIC using TACACS+,
this process occurs:

1. When the connection is established, the WMIC contacts the TACACS+ daemon to obtain a username
   prompt, which is then displayed to the administrator. The administrator enters a username; the
   WMIC then contacts the TACACS+ daemon to obtain a password prompt. The WMIC displays the
   password prompt to the administrator, the administrator enters a password, and the password is then
   sent to the TACACS+ daemon.

   TACACS+ allows a conversation between the daemon and the administrator until the daemon
   receives enough information to authenticate the administrator. The daemon prompts for a username
   and password combination, but can include other items, such as the user's mother's maiden name.

2. The WMIC eventually receives one of these responses from the TACACS+ daemon:

   • ACCEPT—The administrator is authenticated, and service can begin. If the WMIC is
     configured to require authorization, authorization begins at this time.
   • REJECT—The administrator is not authenticated. The administrator can be denied access or is
     prompted to retry the login sequence, depending on the TACACS+ daemon.
   • ERROR—An error occurred at some time during authentication with the daemon or in the
     network connection between the daemon and the WMIC. If an ERROR response is received, the
     WMIC typically tries to use an alternative method for authenticating the administrator.
   • CONTINUE—The administrator is prompted for additional authentication information.

   After authentication, the administrator attempts authorization if authorization has been enabled on
   the WMIC. Administrators must successfully complete TACACS+ authentication before proceeding
   to TACACS+ authorization.

3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an
   ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response
   contains data in the form of attributes that direct the EXEC or NETWORK session for that
   administrator, determining the services that the administrator can access:

   • Telnet, rlogin, or privileged EXEC services
   • Connection parameters, including the host or client IP address, access list, and administrator
     timeouts

Default TACACS+ Configuration

TACACS+ and AAA are disabled by default.
To prevent a lapse in security, you cannot configure TACACS+ through a network management
application. When enabled, TACACS+ can authenticate administrators accessing the WMIC through the
CLI.
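
The login exchange described above can be modelled on the client side as follows. This is an added example, not code from the Cisco manual or from the WMIC software: it parses authentication REPLY bodies in the RFC 8907 layout and shows that only ERROR (or a lost daemon) moves on to an alternative method, while REJECT is final. Assumptions: the body has already been deobfuscated, the grouping of RFC status codes under the manual's four response names is this example's interpretation, and `login`, `reply` and `local_auth` are hypothetical names.

```python
import struct

# Authentication REPLY status codes from RFC 8907; grouping them under the
# manual's four response names is this example's interpretation.
STATUS = {0x01: "ACCEPT", 0x02: "REJECT", 0x07: "ERROR",
          0x03: "CONTINUE", 0x04: "CONTINUE", 0x05: "CONTINUE"}
NOECHO = 0x01  # reply flag: do not echo what the administrator types


def parse_reply(body: bytes):
    """Parse a deobfuscated authentication REPLY body -> (outcome, noecho, prompt)."""
    if len(body) < 6:
        raise ValueError("short REPLY body")
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if len(body) != 6 + msg_len + data_len:
        raise ValueError("length fields do not match body size")
    if status not in STATUS:
        raise ValueError(f"unhandled status 0x{status:02x}")
    prompt = body[6:6 + msg_len].decode("utf-8", "replace")
    return STATUS[status], bool(flags & NOECHO), prompt


def login(replies, answers, local_auth):
    """Drive one login. replies: REPLY bodies from the daemon, in order;
    answers: what the administrator types; local_auth: hypothetical fallback."""
    answers = iter(answers)
    for body in replies:
        try:
            outcome, _noecho, _prompt = parse_reply(body)
        except ValueError:
            outcome = "ERROR"      # example's choice: malformed reply counts as ERROR
        if outcome == "CONTINUE":
            next(answers, None)    # the answer would be sent back to the daemon
            continue
        if outcome == "ERROR":     # only ERROR reaches the alternative method
            return "local:" + ("granted" if local_auth() else "denied")
        return "tacacs:" + ("granted" if outcome == "ACCEPT" else "denied")
    # Daemon stopped answering mid-conversation: handled like ERROR.
    return "local:" + ("granted" if local_auth() else "denied")


def reply(status, msg=b"", flags=0):
    """Build a constructed sample REPLY body (no data field)."""
    return struct.pack("!BBHH", status, flags, len(msg), 0) + msg


if __name__ == "__main__":
    ok = [reply(0x04, b"Username: "), reply(0x05, b"Password: ", NOECHO), reply(0x01)]
    print(login(ok, ["admin", "secret"], lambda: False))
```

Because the fallback is reached whenever the daemon errors out or cannot be contacted, the alternative method needs credentials at least as strong as the ones held by the TACACS+ daemon.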
Cisco 3200 Series Wireless MIC Software Configuration Guide
Controlling WMIC Access with TACACS+