TACACS+ Operation – Rockwell Automation 1783-WAPxxx Stratix 5100 Wireless Access Point User Manual


Rockwell Automation Publication 1783-UM006A-EN-P - May 2014

Chapter 14

Configuring RADIUS and TACACS+ Servers

Authentication

Provides complete control of administrator authentication through a login and
password dialog, challenge and response, and messaging support.

The authentication facility can conduct a dialog with the administrator (for
example, after a username and password are provided, to challenge a user with
several questions, such as home address, mother’s maiden name, service type, and
social security number). The TACACS+ authentication service can also send
messages to administrator screens. For example, a message could notify
administrators that their passwords must be changed because of the company’s
password aging policy.

Authorization

Provides fine-grained control over administrator capabilities for the duration of
the administrator’s session, including but not limited to setting auto-commands,
access control, session duration, or protocol support. You can also enforce
restrictions on the commands that an administrator can execute with the
TACACS+ authorization feature.

Accounting

Collects and sends information used for billing, auditing, and reporting to the
TACACS+ daemon. Network managers can use the accounting facility to track
administrator activity for a security audit or to provide information for user
billing. Accounting records include administrator identities, start and stop times,
executed commands (such as PPP), number of packets, and number of bytes.

The TACACS+ protocol provides authentication between the access point and
the TACACS+ daemon, and it maintains confidentiality because all protocol
exchanges between the access point and the TACACS+ daemon are encrypted.

You need a system running the TACACS+ daemon software to use TACACS+
on your access point.

TACACS+ Operation

When an administrator attempts a simple ASCII login by authenticating to an
access point by using TACACS+, this process occurs:

1. When the connection is established, the access point contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the administrator.

2. The administrator enters a username, and the access point then contacts the TACACS+ daemon to obtain a password prompt.

3. The password prompt appears to the administrator, the administrator enters a password, and the password is sent to the TACACS+ daemon.
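The three-step ASCII login above, modelled in Python as an added example (this is not code from the manual, from Rockwell Automation or from any TACACS+ implementation). Both sides run in one process: the header and authentication bodies follow the field layouts in RFC 8907, and each body is XORed with the chained-MD5 pseudo-pad that the manual describes as encryption. RFC 8907 calls this obfuscation rather than encryption, and its secrecy rests entirely on the shared key, so the decoder here refuses a packet whose header carries the unencrypted flag. The in-process daemon, the session id, the shared key and the user table are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Field values from RFC 8907 (the TACACS+ specification).
VERSION = 0xC0            # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01   # body sent in cleartext; a receiver should refuse it
AUTHEN_LOGIN = AUTHEN_TYPE_ASCII = AUTHEN_SVC_LOGIN = PRIV_LVL_USER = 0x01
STATUS_PASS, STATUS_FAIL, STATUS_GETUSER, STATUS_GETPASS = 0x01, 0x02, 0x04, 0x05
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack(ptype, seq_no, session_id, body, key):
    hdr = HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION, seq_no)


def unpack(packet, key):
    version, ptype, seq_no, flags, sid, length = HEADER.unpack(packet[:HEADER.size])
    if flags & FLAG_UNENCRYPTED:
        raise ValueError("cleartext TACACS+ body refused")
    body = packet[HEADER.size:HEADER.size + length]
    return ptype, seq_no, sid, obfuscate(body, sid, key, version, seq_no)


# Authentication bodies (RFC 8907 5.1-5.3): START, CONTINUE and REPLY.
def authen_start(user=b"", port=b"tty0", rem_addr=b"", data=b""):
    return (bytes([AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)

def authen_continue(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def authen_reply(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg

def parse_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]

def continue_msg(body):
    return body[5:5 + struct.unpack("!H", body[:2])[0]]


class FakeDaemon:
    """Constructed in-process stand-in for the TACACS+ daemon (not a real server)."""

    def __init__(self, key, users):
        self.key, self.users, self.sessions = key, users, {}

    def handle(self, packet):
        ptype, seq_no, sid, body = unpack(packet, self.key)
        assert ptype == TYPE_AUTHEN
        stage, user = self.sessions.get(sid, ("start", None))
        if stage == "start":                      # step 1: START with no user -> ask for one
            self.sessions[sid] = ("user", None)
            reply = authen_reply(STATUS_GETUSER, b"Username: ")
        elif stage == "user":                     # step 2: CONTINUE carries the username
            self.sessions[sid] = ("pass", continue_msg(body))
            reply = authen_reply(STATUS_GETPASS, b"Password: ")
        else:                                     # step 3: CONTINUE carries the password
            ok = hmac.compare_digest(self.users.get(user, b""), continue_msg(body))
            reply = authen_reply(STATUS_PASS if ok else STATUS_FAIL)
            del self.sessions[sid]
        return pack(TYPE_AUTHEN, seq_no + 1, sid, reply, self.key)


def ascii_login(daemon, key, username, password, session_id=0x2A3B4C5D):
    """Access-point side of the login; returns (final status, prompts shown to the admin)."""
    prompts, pkt = [], pack(TYPE_AUTHEN, 1, session_id, authen_start(), key)
    while True:
        _, seq_no, _, body = unpack(daemon.handle(pkt), key)
        status, server_msg = parse_reply(body)
        if status not in (STATUS_GETUSER, STATUS_GETPASS):
            return status, prompts
        prompts.append(server_msg)
        answer = username if status == STATUS_GETUSER else password
        pkt = pack(TYPE_AUTHEN, seq_no + 1, session_id, authen_continue(answer), key)
```

Calling `ascii_login(FakeDaemon(key, {b"admin": b"s3cret"}), key, b"admin", b"s3cret")` walks exactly the exchange the list describes: the access point sends an empty START, receives GETUSER with the username prompt, returns the username in a CONTINUE, receives GETPASS, and returns the password in a second CONTINUE, after which the daemon answers PASS or FAIL. The sequence numbers alternate 1, 2, 3, 4, 5, 6 as RFC 8907 requires, and every body on the wire is covered by the pseudo-pad derived from the shared key.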
