Configuring Tacacs+ Login Authentication - Cisco M10-RM Software Manual

Configuring and Enabling TACACS+
Command
Step 5
server ip-address
Step 6
end
Step 7
show tacacs
Step 8 copy running-config startup-config
To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname
global configuration command. To remove a server group from the configuration list, use the no aaa
group server tacacs+ group-name global configuration command. To remove the IP address of a
TACACS+ server, use the no server ip-address server group subconfiguration command.

Configuring TACACS+ Login Authentication

To configure AAA authentication, you define a named list of authentication methods and then apply that
list to various interfaces. The method list defines the types of authentication to be performed and the
sequence in which they are performed; it must be applied to a specific interface before any of the defined
authentication methods are performed. The only exception is the default method list (which, by
coincidence, is named default). The default method list is automatically applied to all interfaces except
those that have a named method list explicitly defined. A defined method list overrides the default
method list.
A method list describes the sequence and authentication methods to be queried to authenticate an
administrator. You can designate one or more security protocols to be used for authentication, thus
ensuring a backup system for authentication in case the initial method fails. The software uses the first
method listed to authenticate users; if that method fails to respond, the software selects the next
authentication method in the method list. This process continues until there is successful communication
with a listed authentication method or until all defined methods are exhausted. If authentication fails at
any point in this cycle—meaning that the security server or local username database responds by denying
the administrator access—the authentication process stops, and no other authentication methods are
attempted.
Beginning in privileged EXEC mode, follow these steps to configure login authentication:
Command
Step 1 configure terminal
Step 2 aaa new-model
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
13-26
Purpose
(Optional) Associate a particular TACACS+ server with the defined
server group. Repeat this step for each TACACS+ server in the AAA
server group.
Each server in the group must be previously defined in Step 2.
Return to privileged EXEC mode.
Verify your entries.
(Optional) Save your entries in the configuration file.
Purpose
Enter global configuration mode.
Enable AAA.
Chapter 13 Configuring RADIUS and TACACS+ Servers
OL-14209-01