New Member

1200AP setup to authenticate user logins to ACS

What is the best way to set up a 1200AP to authenticate to an ACS server for administration? It looks like in 12.0T it supports this function and can authenticate using TACACS or RADIUS. I can get the 1200AP to forward the requests to the ACS server but continually get CS password invalid on the ACS server. The user account I am trying is a local user DB entry. Assuming that I get this to work, how does the 1200AP know what level of security the user has? Any help appreciated.

Thanks

3 REPLIES
Cisco Employee

Re: 1200AP setup to authenticate user logins to ACS

Only RADIUS can be used for administrator authentication. TACACS is there for future enhancements.

For admin user authentication against ACS RADIUS, you need to have the following:

1) 12.0T image on the AP1200, as only that image supports it.

2) Configure the RADIUS server IP address on the "authentication server" page and check "user authentication".

3) Configure the user in ACS and also include the following attribute in the cisco av-pair list for that user:

aironet:admin-capability=write+ident+admin+firmware

Once you have that, authentication and authorization will work fine.

Cisco Employee

Re: 1200AP setup to authenticate user logins to ACS

For TACACS support for admin user authentication, please follow feature request bug CSCdz48507 on the CCO Bug Toolkit.

Cisco Employee

Re: 1200AP setup to authenticate user logins to ACS

Make sure you are running 12.0 on AP 350.

For the admin user you need to define the Cisco AV pair attributes.

The following procedure will help you:

a) On ACS, select Interface Configuration and go to the advanced options, select "per-user Tacacs/ radius attribute" and click on submit.

b) On ACS, select Network Configuration.

1) Check if you have configuration >> Radio (IOS/PIX available) on the ACS. If not, add NAS type Radius IOS/PIX; note that this is needed for the IOS/PIX attribute.

2) After adding the IOS/PIX device, select Interface Configuration >> Radius (IOS/PIX). Enable the [026/009/001] "cisco av-pair" option; again, make sure that you enable it at user and group level. Click on submit.

3) Add a user (User Setup >> ADD/EDIT).

To restrict administrator access control:

1) Enable and configure cisco 09\001 cisco av-pair.

2) Example:

aironet:admin-capability=write+ident+admin+firmware
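The [026/009/001] label and the av-pair value from the replies, shown as the RADIUS Vendor-Specific attribute they describe. This is an added example, not part of the original thread and not Cisco's code; the function names and the sample attribute list are constructed for illustration. It is useful when checking a packet capture to confirm which capabilities ACS actually returns for an admin user.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type: the "026" in [026/009/001]
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco: the "009"
CISCO_AVPAIR = 1      # vendor sub-type for cisco-avpair: the "001"
PREFIX = "aironet:admin-capability="

def encode_avpair(value):
    """Wrap one av-pair string in a Vendor-Specific attribute (RFC 2865, 5.26)."""
    data = value.encode("ascii")
    if len(data) > 247:  # 255-byte attribute limit minus 8 header bytes
        raise ValueError("av-pair too long for a single attribute")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, len(data) + 8,
                         CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2)
    return header + data

def iter_attributes(buf):
    """Yield (type, value) for each attribute, rejecting bad lengths."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("attribute length out of range")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen

def admin_capabilities(attrs):
    """Collect the capabilities granted by aironet:admin-capability av-pairs."""
    caps = set()
    for atype, val in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(val) < 6:
            continue
        vendor, vtype, vlen = struct.unpack("!IBB", val[:6])
        if (vendor, vtype, vlen) != (CISCO_VENDOR_ID, CISCO_AVPAIR, len(val) - 4):
            continue
        text = val[6:].decode("ascii", "replace")
        if text.startswith(PREFIX):
            caps.update(c for c in text[len(PREFIX):].split("+") if c)
    return caps

# Constructed sample: a Service-Type attribute followed by the thread's av-pair.
SAMPLE = bytes([6, 6, 0, 0, 0, 6]) + encode_avpair(
    "aironet:admin-capability=write+ident+admin+firmware")

if __name__ == "__main__":
    print(sorted(admin_capabilities(SAMPLE)))
```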
