Configuring TACACS+ – Rockwell Automation 1783-WAPxxx Stratix 5100 Wireless Access Point User Manual


Rockwell Automation Publication 1783-UM006A-EN-P - May 2014


Configuring RADIUS and TACACS+ Servers

Chapter 14

TACACS+ lets a conversation be held between the daemon and the
administrator until the daemon receives enough information to
authenticate the administrator. The daemon prompts for a username and
password combination, but can include other items, such as the user’s
mother’s maiden name.

4. The access point eventually receives one of the responses listed in the
response table in this section from the TACACS+ daemon.

After authentication, the administrator undergoes an additional
authorization phase if authorization has been enabled on the access point.
Administrators must first successfully complete TACACS+
authentication before proceeding to TACACS+ authorization.

5. If TACACS+ authorization is required, the TACACS+ daemon is again
contacted, and it returns an ACCEPT or REJECT authorization
response. If an ACCEPT response is returned, the response contains data
in the form of attributes that direct the EXEC or NETWORK session for
that administrator, determining the services that the administrator can
access:
• Telnet, rlogin, or privileged EXEC services
• Connection parameters, including the host or client IP address, access
  list, and administrator timeouts

Configuring TACACS+

To configure your access point to support TACACS+, you must identify the host
or hosts maintaining the TACACS+ daemon and define the method lists for
TACACS+ authentication. You can optionally define method lists for
TACACS+ authorization and accounting.

A method list defines the sequence and methods to be used to authenticate, to
authorize, or to keep accounts on an administrator. You can use method lists to
designate one or more security protocols to be used, thus ensuring a back-up
system if the initial method fails.

The software uses the first method listed to authenticate, to authorize, or to keep
accounts on administrators; if that method does not respond, the software selects
the next method in the list. This process continues until there is successful
communication with a listed method or the method list is exhausted.
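The method-list walk described above, together with the four daemon responses from the response table in this section, modelled in Python as an added example (not code from the Rockwell manual or the access point firmware); the method names, the stand-in daemon behaviours and the credentials are constructed. It shows the point that matters for a fallback design: only an ERROR or no response at all moves on to the next method, so a REJECT from the daemon is never rescued by a later local method, while an unreachable daemon is.

```python
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT, ERROR, CONTINUE = "ACCEPT", "REJECT", "ERROR", "CONTINUE"
# A method receives the answers collected so far and returns one of the
# responses above, or None when it does not answer (daemon down, link fault).
Method = Callable[[Dict[str, str]], Optional[str]]

def evaluate_method_list(methods: List[Tuple[str, Method]],
                         answers: Dict[str, str],
                         extra_answers: List[str]) -> Tuple[str, Optional[str], int]:
    """Walk the list in order; return (outcome, deciding method, prompts made).
    Only ERROR or silence falls through to the next method. ACCEPT and REJECT
    are final, so a daemon REJECT never reaches a later method in the list.
    CONTINUE re-prompts the administrator, feeding the next prepared answer."""
    prompts = 0
    for name, method in methods:
        answers = dict(answers)            # each method sees a fresh copy
        while True:
            resp = method(answers)
            if resp in (None, ERROR):
                break                      # try the next method in the list
            if resp == CONTINUE:           # daemon wants more information
                if prompts >= len(extra_answers):
                    return (REJECT, name, prompts)   # nothing more to offer
                answers["extra%d" % prompts] = extra_answers[prompts]
                prompts += 1
                continue
            return (resp, name, prompts)   # ACCEPT or REJECT: final
    return ("EXHAUSTED", None, prompts)    # every listed method failed to answer

# Constructed stand-ins for the TACACS+ daemon and the local user database.
def daemon_down(_answers: Dict[str, str]) -> Optional[str]:
    return None
def daemon_rejects(_answers: Dict[str, str]) -> Optional[str]:
    return REJECT
def daemon_challenges(answers: Dict[str, str]) -> Optional[str]:
    # First round asks one extra question (the manual's maiden-name example).
    return ACCEPT if "extra0" in answers else CONTINUE
def local_database(answers: Dict[str, str]) -> Optional[str]:
    return ACCEPT if answers.get("password") == "local-pw" else REJECT

CREDS = {"username": "admin", "password": "local-pw"}   # constructed sample

if __name__ == "__main__":
    for label, daemon in (("down", daemon_down), ("rejects", daemon_rejects)):
        print(label, evaluate_method_list([("tacacs+", daemon),
                                           ("local", local_database)], CREDS, []))
```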

Response   Description
ACCEPT     The administrator is authenticated and service can begin. If the access point is
           configured to require authorization, authorization begins at this time.
REJECT     The administrator is not authenticated. The administrator can be denied access or is
           prompted to retry the login sequence, depending on the TACACS+ daemon.
ERROR      An error occurred at some time during authentication with the daemon or in the network
           connection between the daemon and the access point. If an ERROR response is received,
           the access point typically tries to use an alternative method for authenticating the
           administrator.
CONTINUE   The administrator is prompted for additional authentication information.
