Cisco Support Community

Configuring tacacs on AP 1100

Hi, I'm trying to configure an AP to be administered using a TACACS server.

Via telnet I do not have problems authenticating, but when I try to access via HTTP, level 1 access is no problem but with level 15 access I cannot authenticate.

Thanks a lot

This is my run

Building configuration...

Current configuration : 2363 bytes

!

! Last configuration change at 09:42:58 GMT Mon Feb 20 2006 by penalh

! NVRAM config last updated at 09:20:16 GMT Mon Feb 20 2006 by Cisco

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ew-plcprueba

!

enable secret xxx

!

username Cisco password xxx

clock timezone GMT -4

ip subnet-zero

no ip domain lookup

!

aaa new-model

!

!

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

ssid prueba

authentication open

guest-mode

infrastructure-ssid

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

rts threshold 2312

station-role root

ew-plcprueba#config t

Enter configuration commands, one per line. End with CNTL/Z.

ew-plcprueba(config)#no username Cisco password 7 072C285F4D06

ew-plcprueba(config)#exit

ew-plcprueba#sh run

Building configuration...

Current configuration : 2324 bytes

!

! Last configuration change at 09:43:27 GMT Mon Feb 20 2006 by penalh

! NVRAM config last updated at 09:20:16 GMT Mon Feb 20 2006 by Cisco

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ew-plcprueba

!

enable secret xxx

!

clock timezone GMT -4

ip subnet-zero

no ip domain lookup

!

aaa new-model

!

!

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

ssid prueba

authentication open

guest-mode

infrastructure-ssid

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

rts threshold 2312

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address xxx.xxx.xxx.xxx 255.255.255.0

no ip route-cache

!

ip default-gateway 167.175.xx.xx

ip http server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100

ip http authentication aaa

ip radius source-interface BVI1

snmp-server community xx RO

snmp-server enable traps tty

tacacs-server host xxx.xxx.xxx.xxx single-connection

tacacs-server directed-request

tacacs-server key cisco1

radius-server authorization permit missing Service-Type

bridge 1 route ip

!

!

line con 0

line vty 0 4

transport input telnet

line vty 5 15

!

ntp server

end

2 REPLIES
Silver

Re: Configuring tacacs on AP 1100

Tacacs on AP is known to have many issues. I would suggest that you configure RADIUS servers for Access Points. This will work fine and will be very secure.

New Member

Re: Configuring tacacs on AP 1100

I managed to get this to work by creating a new user on the ACS that authenticated to the Cisco Secure Database. However, when attempting to process the login via ACE it did not like it one bit... It doesn't help if you're already using Radius to authenticate CKIP and you try to authenticate the login too... anyone have any ideas on this one...
