Configuring TACACS+ on AP

c.fuller
Level 1

I would like to configure TACACS+ on my Aironet 1231 (IOS based) APs. However, I already have the AP listed in the ACS using radius authentication for the mobile clients. It also using a unique secret key that is configured on the ACS, WLSE and AP which I believe is necessary for WDS services. I am trying to figure out how to configure TACACS+ for the AP and still allow the radius/wds functionality work. Should I configure the AP in the ACS to authenticate using tacacs+ or radius? Any help is appreciated.

5 Replies

paddyxdoyle
Level 6

You can have the ACS accept RADIUS and TACACS from the same client by having two instances of the client listed in the ACS; however, they will have to have different names, and you will be able to use a different secret key to your RADIUS one.

HTH

Paddy

Thanks for the information. I got most of it working. At this point tacacs+ is working for telnet, however I still cannot access the AP via the web using my TACACS+ account. Let me rephrase that: I can access the AP, but it looks like a permissions issue. All screens are blank. Any thoughts on what I need to do so I can use the tacacs+ account to access the AP via the GUI?

Thanks for the info.

Chuck

I think it's to do with privilege levels.

I got it to work in the past with a bit of tinkering.

I'll try and look into it this afternoon.

PD

rrrobinson
Level 1

There was just a field notice regarding this:

Title: Cisco Field Notice: IOS Access Point Bombards TACACS+ Server with Requests

URL: http://www.cisco.com/en/US/customer/products/hw/wireless/ps430/products_field_notice09186a00803bb459.shtml

Posted: January 24, 2005

Summary: When using the web GUI to manage an IOS access point such as the AP350, AP1100, or AP1200, and when using TACACS+ to authenticate the HTTP accesses, the access point will send numerous authentication requests to the TACACS+ server for each web page accessed.

gwcrook
Level 1

We had to select permit unknown services in a user group to get the HTTP authorization working for members of the group. I cannot remember where I read about doing this, but it worked for us. We use ACS 3.3. Below is an excerpt from the ACS manual.

Configuring the Unknown Service Setting for a User

If you want TACACS+ AAA clients to permit unknown services, you can select the Default (Undefined) Services check box under "Checking this option will PERMIT all UNKNOWN Services."

To configure the Unknown Service setting for a user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Scroll down to the table under the heading "Checking this option will PERMIT all UNKNOWN Services."

Step 3 To allow TACACS+ AAA clients to permit unknown services for this user, select the Default (Undefined) Services check box.

Step 4 Do one of the following:

• If you are finished configuring the user account options, click Submit to record the options.

• To continue to specify the user account options, perform other procedures in this chapter, as applicable.
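The AP-side configuration this thread is working toward, as an added example that is not from any of the posters: a RADIUS server group with its own key for the EAP clients and WDS, and a separate TACACS+ server group (matching the second client entry in the ACS) for telnet and the web GUI, with exec authorization so the session gets a privilege level. Server addresses, keys, the SSID and the method-list names are placeholders; the `ip http authentication aaa login-authentication` / `exec-authorization` forms assume a 12.3-based AP image, and the ACS side (two client entries, Default (Undefined) Services) is still done in the ACS GUI as described above.

```ios
! Constructed example for a Cisco IOS access point; addresses, keys and
! method-list names are placeholders, not values from the thread.
aaa new-model
!
! Local fallback account in case the TACACS+ server is unreachable.
username admin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
!
! RADIUS server used by the wireless clients (EAP) and WDS; keeps its own key.
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key RADIUS-KEY-PLACEHOLDER
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1645 acct-port 1646
!
! TACACS+ server used only for AP management. A different key is fine because
! the ACS lists the AP twice: once as a RADIUS client, once as a TACACS+ client.
tacacs-server host 192.0.2.20 key TACACS-KEY-PLACEHOLDER
aaa group server tacacs+ tac_admin
 server 192.0.2.20
!
! Method lists: wireless clients authenticate against RADIUS ...
aaa authentication login eap_methods group rad_eap
! ... while administrators authenticate against TACACS+, falling back to the
! local database only if the server does not answer.
aaa authentication login mgmt_login group tac_admin local
! Exec authorization asks TACACS+ for the session's privilege level; the ACS
! user/group must still permit the HTTP (unknown) service for the GUI to render.
aaa authorization exec mgmt_exec group tac_admin local
!
! Telnet sessions use the TACACS+ lists.
line vty 0 4
 login authentication mgmt_login
 authorization exec mgmt_exec
!
! Web GUI uses the same TACACS+ lists.
ip http server
ip http authentication aaa login-authentication mgmt_login
ip http authentication aaa exec-authorization mgmt_exec
!
! The SSID keeps using the RADIUS method list, so WDS/EAP is unaffected.
dot11 ssid CORP
 authentication open eap eap_methods
 authentication network-eap eap_methods
```

Verify the split with `show aaa servers` (or `debug tacacs` / `debug radius` briefly) while logging in once via the GUI and once with a wireless client: management logins should hit only 192.0.2.20, client EAP only 192.0.2.10.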
