Instant now allows you to configure a TACACS+ server as the authentication server to support authentication and accounting privileges for management users. A TACACS+ server allows a remote access server to communicate with an authentication server to determine if the user has access to the network. In Instant, users can create several TACACS+ server profiles, out of which one or two of the servers can be specified to authenticate management users.
TACACS+ supports the following types of authentication for management users in Instant:
- ASCII
- PAP
- CHAP
- ARAP
- MSCHAP
The TACACS+ server cannot be attributed to any SSID or wired profile in general as the authentication server and is configured only for management users.
You can also enable TACACS+ accounting when the TACACS+ server is used for authentication.
To configure a TACACS+ authentication server:
1. | Navigate to | > . The window is displayed.
2. | To create a new server, click | . A window for configuring server details for the new server is displayed. The following figure shows the parameters to configure for a new authentication server configuration:
Figure 1 New Authentication Server Window
To create a TACACS+ server profile, specify the attributes described in the following table:
| Parameter | Description |
| IP address | Enter the IP address of the TACACS+ server. |
| | Enter the TCP IP port used by the server. The default port number is 49. |
| | Enter the secret key of your choice to authenticate communication between the TACACS+ client and server. |
| | Re-enter the secret key you have specified as the Shared Key. |
| | Enter a number between 1 and 30 seconds to indicate the timeout period for TACACS+ requests. The default value is 20 seconds. |
| | Enter a number between 1 and 5 to indicate the maximum number of authentication attempts. The default value is 3. |
To configure a TACACS+ server:
(Instant AP)(config)# wlan tacacs-server <profile-name>
(Instant AP)(TACACS Server <profile-name>)# ip <IP-address>
(Instant AP)(TACACS Server <profile-name>)# port <port>
(Instant AP)(TACACS Server <profile-name>)# key <key>
(Instant AP)(TACACS Server <profile-name>)# timeout <seconds>
(Instant AP)(TACACS Server <profile-name>)# retry-count <number>
(Instant AP)(TACACS Server <profile-name>)# deadtime <minutes>
(Instant AP)(TACACS Server <profile-name>)# end
You can configure authentication parameters for admin users to enable access to the Virtual Controller management user interface in the Instant UI or CLI.
1. Click the link at top right corner of the Instant main window. The window is displayed.
2. Click the Admin tab. The tab details are displayed. The following figure shows the contents of the tab:
Figure 2 Admin Tab: Management Authentication Parameters
3. Under Local, select any of the following options from the Authentication drop-down list:
- Internal: Select this option to specify a single set of user credentials. Enter the Username and Password for accessing the Virtual Controller Management User Interface.
- Authentication Server: Specify one or two authentication servers to authenticate clients. If two servers are configured, users can use them in primary or backup mode or load balancing mode. To enable load balancing, select from the drop-down list. For more information on load balancing, see Dynamic Load Balancing between Two Authentication Servers.
You may also specify a RADIUS Server as one of the authentication servers along with a TACACS+ server. If a TACACS+ server is selected, you can select the TACACS accounting checkbox for reporting management commands.
The option is available only when a TACACS+ server is specified as one of the authentication servers.
- Authentication server w/ fallback to internal: Select this option to use both internal and external servers. When enabled, the authentication switches to Internal if there is no response from the RADIUS server (RADIUS server timeout). To complete this configuration, perform the following step:
a. | To enable load balancing, select | from the drop-down list.
b. | Specify a Username and Password. |
c. | Retype the password to confirm. |
4. | Click | .
To configure an admin user:
(Instant AP)(config)# mgmt-user <username> [password]
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure RADIUS or TACACS+ authentication parameters:
(Instant AP)(config)# mgmt-auth-server <authentication_server1>
(Instant AP)(config)# mgmt-auth-server <authentication_server2>
(Instant AP)(config)# mgmt-auth-server-load-balancing
(Instant AP)(config)# mgmt-auth-server-local-backup
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure management authentication settings:
(Instant AP)(config)# mgmt-auth-server <server1>
(Instant AP)(config)# mgmt-auth-server <server2>
(Instant AP)(config)# mgmt-auth-server-load-balancing
(Instant AP)(config)# mgmt-auth-server-local-backup
(Instant AP)(config)# end
(Instant AP)# commit apply
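The following Python check is an added example, not part of the original documentation or the vendor's code: it reads CLI commands in the form shown above, validates each TACACS+ profile against the ranges in the parameter table (timeout 1 to 30, retry count 1 to 5), and flags mgmt-auth-server entries that name no TACACS+ profile in the input. The sample commands, profile names, addresses and finding texts are constructed, and the 1 to 65535 port bound is the general TCP range, not a value from this page.

```python
import ipaddress
import re

# timeout and retry-count ranges are from the parameter table on this page;
# the port bound is the general TCP port range (assumption, not from the page).
RANGES = {"port": (1, 65535), "timeout": (1, 30), "retry-count": (1, 5)}
PROMPT = re.compile(r"^\(Instant AP\)[^#]*#\s*")  # CLI prompt, stripped if present

# Constructed sample input: names, addresses and values are made up.
SAMPLE = """\
(Instant AP)(config)# wlan tacacs-server tac-primary
(Instant AP)(TACACS Server tac-primary)# ip 192.0.2.10
(Instant AP)(TACACS Server tac-primary)# key EXAMPLE-KEY
wlan tacacs-server tac-backup
ip 192.0.2.300
timeout 45
retry-count 9
mgmt-auth-server tac-primary
mgmt-auth-server tac-missing
"""

def parse(text):  # -> ({profile: {param: value}}, [mgmt-auth-server names])
    profiles, mgmt, current = {}, [], None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if words[:2] == ["wlan", "tacacs-server"] and len(words) == 3:
            current = profiles.setdefault(words[2], {})
        elif words[:1] == ["mgmt-auth-server"] and len(words) == 2:
            mgmt.append(words[1])
            current = None
        elif current is not None and len(words) == 2:
            current[words[0]] = words[1]  # a setting inside the open profile
        else:
            current = None  # "end", a blank line, or an unrelated command

    return profiles, mgmt

def audit(text):  # -> list of finding strings, empty when nothing is flagged
    profiles, mgmt = parse(text)
    findings = []
    for name, p in profiles.items():
        try:
            ipaddress.ip_address(p.get("ip", ""))
        except ValueError:
            findings.append(f"{name}: missing or invalid ip")
        if "key" not in p:
            findings.append(f"{name}: no shared key")
        for param, (lo, hi) in RANGES.items():
            if param in p and not (p[param].isdigit() and lo <= int(p[param]) <= hi):
                findings.append(f"{name}: {param}={p[param]} outside {lo}-{hi}")
    findings += [f"mgmt-auth-server {n}: no TACACS+ profile defined" for n in mgmt if n not in profiles]
    return findings
```

A mgmt-auth-server entry may legitimately name a RADIUS server profile, which this check does not parse, so treat that finding as a prompt to verify rather than an error.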