This document provides a sample configuration for TACACS+ authentication of HTTP administrative access on an Aironet Access Point (AP), software version 1.01.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
Access Control Server (ACS) version 2.6.4 and later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
For more information on document conventions, refer to Cisco Technical Tips Conventions.
There is no option in the GUI to configure TACACS+ or RADIUS accounting or command authorization for EXEC sessions. These options can be configured from the CLI, but this is not recommended: every element of every page the AP serves generates its own accounting or authorization request, so enabling them can severely load both the AP and the ACS.
Complete these steps in ACS Interface Configuration:
In TACACS+ (Cisco IOS), check the Group box next to the first undefined New Service field.
In the Service field, enter Aironet.
In the Protocol field, enter Shell.
In Advanced Configuration Options, choose Advanced TACACS+ Features > Display a window for each service selected.
Click Submit.
Complete these steps to configure the user:
In the user's Advanced TACACS+ Settings, check Shell (exec).
Check Privilege level.
In the Privilege level field, enter 15.
Click Submit.
Complete these steps to configure the group:
In the group's TACACS+ settings, choose Aironet Shell.
Check Custom attributes.
In the Custom Attributes field, enter aironet:admin-capability=write+ident+firmware+admin+snmp. The tokens correspond to the AP's capability settings; this value grants the group all of them.
Click Submit.
Restart.
Complete these steps in ACS Network Configuration:
Create a Network Access Server (NAS) entry for the AP with TACACS+ (Cisco IOS) as the authentication protocol.
Enter the key. It must match the shared secret configured on the AP exactly; with a mismatched key the ACS cannot decode the AP's requests.
Click Submit.
Restart.
Note: If you use a token server with one-time passwords, configure token caching so that admin users are not continually prompted for their level 1 and level 15 passwords. Complete these steps to configure token caching:
Enter group configuration for the group to which your admin users belong.
Choose Token Card Settings.
Select Duration.
Choose a duration that balances your needs for security and convenience.
If your typical admin session lasts five minutes or less, a duration of five minutes is a reasonable value; if a session runs longer, you are prompted for your token password again at five-minute intervals. Note that the Session option does not work unless accounting is enabled. Also note that token caching is in effect for all users in the group and for all of the group's sessions with all devices, not just EXEC sessions to the AP, so a cached token can be reused anywhere the group authenticates for the duration you choose.
Complete these steps on the AP to create a local administrator and enable the User Manager:
Choose Setup > Security > User Information > Add New User.
Add a new user with full administrative capabilities (all capability settings checked).
Click Back. You are returned to the Security Setup page.
Click User Manager. The User Manager Setup page appears.
Enable the User Manager. (Create the full-capability local user in the preceding steps first, so that you do not lock yourself out of the AP.)
Click OK.
Complete these steps on the AP to point it at the TACACS+ server:
Choose Setup > Security > Authentication Server.
Enter the TACACS+ server's IP address.
Select TACACS as the server type.
In the Port field, enter 49 (the default TACACS+ port).
In the Shared Secret field, enter the same key that you configured for this AP's NAS entry in ACS.
Check the User Authentication box.
Complete these steps to configure an AP that runs Cisco IOS:
Choose Security > Server Manager.
Choose a configured TACACS+ Server, or configure a new one.
Click Apply.
Choose the TACACS+ server's IP in the Admin Authentication (TACACS+) drop-down.
Click Apply.
Choose Security > Admin Access.
Create a local user with read-write access (if you have not done so already).
Click Apply.
Choose Authentication Server Only (every admin login is authenticated by the TACACS+ server) or Authentication Server if not found in Local List (the local user list is checked first and the TACACS+ server is queried only for users that are not in it).
Click Apply.
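The ACS NAS entry and the AP's Authentication Server settings above both ask for a shared secret and a port (49). The following Python script is an added example, not code from Cisco or from this document: it runs one TACACS+ authentication exchange (RFC 8907) in memory, with the AP side and an ACS stand-in in the same process, to show how the secret is used to obfuscate the packet body and what happens when the two sides' secrets differ. The user name, password, addresses and the tiny user database are constructed for the example; the ACS stand-in's privilege check is a simplification of the ACS user and group settings.

```python
"""Added example (not Cisco's code): a minimal TACACS+ authentication exchange
(RFC 8907) showing why the key entered for the NAS in ACS must match the shared
secret entered on the AP.  Users, passwords and addresses are constructed."""
import hashlib
import os
import struct

VERSION = 0xC0              # major version 12, minor version 0
TYPE_AUTHEN = 0x01
ACTION_LOGIN = 0x01
AUTHEN_TYPE_PAP = 0x02      # user name and password travel in one START packet
SERVICE_LOGIN = 0x01
STATUS_PASS, STATUS_FAIL = 0x01, 0x02


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """Key stream from RFC 8907 section 4.5: chained MD5 of session id, key,
    version and sequence number, truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(session_id: int, key: bytes, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the pad; the same call undoes it on the other side."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def packet(session_id: int, key: bytes, seq_no: int, body: bytes) -> bytes:
    """12-byte header (flags=0 means the body is obfuscated) plus body."""
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(session_id, key, seq_no, body)


def authen_start(session_id, key, user, password, priv_lvl=15,
                 port=b"http", rem_addr=b"192.0.2.10"):
    """What the AP sends first: a PAP login START asking for privilege 15."""
    body = struct.pack("!8B", ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_PAP,
                       SERVICE_LOGIN, len(user), len(port), len(rem_addr),
                       len(password))
    return packet(session_id, key, 1, body + user + port + rem_addr + password)


def server_handle_start(raw, key, users):
    """Stand-in for ACS: decode the START with its own key, check the
    credentials, answer with an obfuscated REPLY (sequence number 2).
    `users` maps user name -> (password, highest allowed privilege level),
    a simplification of the ACS user and group settings."""
    _, _, seq_no, _, session_id, length = struct.unpack("!BBBBII", raw[:12])
    body = obfuscate(session_id, key, seq_no, raw[12:12 + length])
    action, priv_lvl, _, _, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    # A mismatched secret turns the body into noise; these sanity checks catch it.
    if action != ACTION_LOGIN or priv_lvl > 15 or 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("START does not decode: shared secret mismatch?")
    user = body[8:8 + ulen]
    password = body[8 + ulen + plen + rlen:]
    pw, max_priv = users.get(user, (None, 0))
    status = STATUS_PASS if password == pw and priv_lvl <= max_priv else STATUS_FAIL
    reply = struct.pack("!BBHH", status, 0, 0, 0)   # no server_msg, no data
    return packet(session_id, key, seq_no + 1, reply)


def client_parse_reply(raw, key):
    """What the AP does with the REPLY: deobfuscate and read the status byte."""
    _, _, seq_no, _, session_id, length = struct.unpack("!BBBBII", raw[:12])
    body = obfuscate(session_id, key, seq_no, raw[12:12 + length])
    status, _, _, _ = struct.unpack("!BBHH", body[:6])
    return status


def demo(ap_key, acs_key, user=b"admin", password=b"s3cret", priv_lvl=15):
    """One HTTP admin login.  Returns STATUS_PASS/STATUS_FAIL, or None when the
    ACS stand-in could not decode the request because the secrets differ."""
    users = {b"admin": (b"s3cret", 15)}          # constructed ACS database
    session_id = int.from_bytes(os.urandom(4), "big")
    start = authen_start(session_id, ap_key, user, password, priv_lvl)
    try:
        reply = server_handle_start(start, acs_key, users)
    except ValueError:
        return None
    return client_parse_reply(reply, ap_key)


if __name__ == "__main__":
    print("matching secrets:", demo(b"ciscosecret", b"ciscosecret"))                  # 1 (PASS)
    print("wrong password:  ", demo(b"ciscosecret", b"ciscosecret", password=b"nope"))  # 2 (FAIL)
    print("secret mismatch: ", demo(b"ciscosecret", b"typo-secret"))                  # None
```

The obfuscation is only an MD5-derived XOR stream keyed by the shared secret; it is not encryption in the modern sense, which is one reason a long, unique secret per device and a management network that is not exposed to untrusted hosts matter. The mismatch case also shows why a wrong key appears on the AP as a silent authentication failure rather than an explicit error: the ACS receives bytes it cannot interpret.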
There is currently no verification procedure available for this configuration.
There is currently no specific troubleshooting information available for this configuration.
Revision | Publish Date | Comments
---|---|---
1.0 | 16-Nov-2005 | Initial Release