Technical Manual for Cisco 5760 Wireless LAN Controller

tacacs server tac_acct
 address ipv4 9.1.0.100
 key cisco
Configure the server group
aaa group server tacacs+ gtac
 server name tac_acct
There are no prerequisites up to this step.
Configure authentication and authorization method lists
aaa authentication login <method-list> group <srv-grp>
aaa authorization exec <method-list> group <srv-grp>
aaa authorization exec default group <srv-grp>   ---> workaround to get TACACS on HTTP.
The above three commands and all other authentication and authorization parameters should
use the same database: either RADIUS/TACACS or local.
For example, if command authorization needs to be enabled, it must also point to the
same database:
aaa authorization commands 15 <method-list> group <srv-grp>   ---> the server group
pointing to the database (TACACS/RADIUS or local) should be the same.
Configure HTTP to use the above method lists
ip http authentication aaa login-auth <method-list>   ---> the method list needs to be specified
explicitly here, even if the method list is “default”
ip http authentication aaa exec-auth <method-list>
** Points to Note
Do not configure any method lists under the “line vty” configuration. If the above steps and
the line vty have different configs, the line vty configs take precedence.
The database should be the same across all management configuration types, such as SSH/Telnet
and the web UI.
HTTP authentication should have the method list defined explicitly.
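The points above can be checked against a saved running-config. The Python below is an added example, not part of the Cisco document; the method-list name MGMT and the sample config are constructed, and the parsing assumes sub-mode lines are indented as in "show running-config" output.

```python
import re

# Constructed sample running-config (not taken from a real device); the
# method-list name MGMT is an assumption, gtac is the page's server group.
SAMPLE = """\
aaa group server tacacs+ gtac
 server name tac_acct
aaa authentication login MGMT group gtac
aaa authorization exec MGMT group gtac
aaa authorization exec default group gtac
aaa authorization commands 15 MGMT local
ip http authentication aaa login-auth MGMT
line vty 0 4
 login authentication MGMT
"""

AAA = re.compile(r"^aaa (authentication login|authorization exec|"
                 r"authorization commands \d+) (\S+) (.+)$")
HTTP = re.compile(r"^ip http authentication aaa (login-auth|exec-auth)\S* (\S+)$")
VTY_LIST = re.compile(r"^(login authentication|authorization (exec|commands))\b")

def audit(config):
    """Return findings for the consistency rules in 'Points to Note'."""
    findings, sources, http_seen, in_vty = [], {}, set(), False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # top-level line ends any sub-mode
            in_vty = line.startswith("line vty")
        elif in_vty and VTY_LIST.match(line):
            findings.append(f"method list on line vty: {line}")
        if (m := AAA.match(line)):           # remember each list's database
            sources[f"{m.group(1)} {m.group(2)}"] = m.group(3).strip()
        elif (m := HTTP.match(line)):
            http_seen.add(m.group(1))
    if len(set(sources.values())) > 1:
        findings.append(f"method lists use different databases: {sources}")
    for kw in ("login-auth", "exec-auth"):
        if kw not in http_seen:
            findings.append(f"no explicit 'ip http authentication aaa {kw}' method list")
    if "authorization exec default" not in sources:
        findings.append("missing 'aaa authorization exec default' (HTTP workaround)")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("FINDING:", f)
```

On the constructed sample this reports three findings: the method list under line vty, command authorization pointing at local while the other lists use the gtac group, and the missing exec-auth line for HTTP.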
Accessing the same 5760 with two different profiles
Below is access from a privilege level 1 user, where limited access is given.
Below is access from a privilege level 15 user, where full access is given.