
Configuring Authentication Parameters for Management Users

Instant now allows you to configure a TACACS+ server as the authentication server to support authentication and accounting privileges for management users. A TACACS+ server allows a remote access server to communicate with an authentication server to determine whether the user has access to the network. In Instant, you can create several TACACS+ server profiles, of which one or two can be specified to authenticate management users.

TACACS+ supports the following types of authentication for management users in Instant:

ASCII
PAP
CHAP
ARAP
MSCHAP

The TACACS+ server cannot be assigned to an SSID or wired profile as the authentication server; it is configured only for management users.

You can also enable TACACS+ accounting when the TACACS+ server is used for authentication.

Configuring a TACACS+ Server Profile for Management User Authentication

To configure a TACACS+ authentication server:

In the Instant UI

1. Navigate to Security>Authentication Servers. The Security window is displayed.
2. To create a new server, click New. A window for configuring server details for the new server is displayed. The following figure shows the parameters to configure for a new authentication server configuration:

Figure 1  New Authentication Server Window

To create a TACACS+ server profile, specify the attributes described in the following table:

Table 1: TACACS+ Server Configuration Parameters

| Parameter | Description |
| --- | --- |
| IP address | Enter the IP address of the TACACS+ server. |
| Auth Port | Enter the TCP/IP port used by the server. The default port number is 49. |
| Shared Key | Enter the secret key of your choice to authenticate communication between the TACACS+ client and server. |
| Retype Key | Re-enter the secret key you have specified as the Shared Key. |
| Timeout | Enter a number between 1 and 30 seconds to indicate the timeout period for TACACS+ requests. The default value is 20 seconds. |
| Retry Count | Enter a number between 1 and 5 to indicate the maximum number of authentication attempts. The default value is 3. |

In the CLI

To configure a TACACS+ server:

(Instant AP)(config)# wlan tacacs-server <profile-name>

(Instant AP)(TACACS Server <profile-name>)# ip <IP-address>

(Instant AP)(TACACS Server <profile-name>)# port <port>

(Instant AP)(TACACS Server <profile-name>)# key <key>

(Instant AP)(TACACS Server <profile-name>)# timeout <seconds>

(Instant AP)(TACACS Server <profile-name>)# retry-count <number>

(Instant AP)(TACACS Server <profile-name>)# deadtime <minutes>

(Instant AP)(TACACS Server <profile-name>)# end

Configuring Administrator Credentials for the Virtual Controller Interface

You can configure authentication parameters for admin users to enable access to the Virtual Controller management user interface in the Instant UI or CLI.

In the Instant UI

1. Click the System link at the top right corner of the Instant main window. The System window is displayed.
2. Click the Admin tab. The Admin tab details are displayed. The following figure shows the contents of the Admin tab:

Figure 2   Admin Tab: Management Authentication Parameters

3. Under Local, select any of the following options from the Authentication drop-down list:

   Internal: Select this option to specify a single set of user credentials. Enter the Username and Password for accessing the Virtual Controller Management User Interface.

   Authentication Server: Specify one or two authentication servers to authenticate clients. If two servers are configured, users can use them in primary or backup mode or load balancing mode. To enable load balancing, select Enabled from the Load balancing drop-down list. For more information on load balancing, see Dynamic Load Balancing between Two Authentication Servers.

   You may also specify a RADIUS server as one of the authentication servers along with a TACACS+ server. If a TACACS+ server is selected, you can select the TACACS accounting checkbox for reporting management commands.

   The TACACS accounting option is available only when a TACACS+ server is specified as one of the authentication servers.

   Authentication server w/ fallback to internal: Select this option to use both internal and external servers. When enabled, the authentication switches to Internal if there is no response from the RADIUS server (RADIUS server timeout). To complete this configuration, perform the following steps:
   a. To enable load balancing, select Enabled from the Load balancing drop-down list.
   b. Specify a Username and Password.
   c. Retype the password to confirm.
4. Click OK.

In the CLI

To configure an admin user:

(Instant AP)(config)# mgmt-user <username> [password]

(Instant AP)(config)# end

(Instant AP)# commit apply

To configure RADIUS or TACACS+ authentication parameters:

(Instant AP)(config)# mgmt-auth-server <authentication_server1>

(Instant AP)(config)# mgmt-auth-server <authentication_server2>

(Instant AP)(config)# mgmt-auth-server-load-balancing

(Instant AP)(config)# mgmt-auth-server-local-backup

(Instant AP)(config)# end

(Instant AP)# commit apply

To configure management authentication settings:

(Instant AP)(config)# mgmt-auth-server <server1>

(Instant AP)(config)# mgmt-auth-server <server2>

(Instant AP)(config)# mgmt-auth-server-load-balancing

(Instant AP)(config)# mgmt-auth-server-local-backup

(Instant AP)(config)# end

(Instant AP)# commit apply
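
The following is an added example, not part of the original documentation or the vendor's tooling: a small Python check that reads CLI lines like the ones shown on this page and flags TACACS+ profile values outside the ranges in Table 1, as well as management authentication settings that do not fit the one-or-two-server rule. It assumes the configuration text uses the same command syntax as above, with or without the prompt; the profile name, IP address and key in the sample are constructed.

```python
import re

# Ranges stated in Table 1 of this page.
LIMITS = {"timeout": (1, 30), "retry-count": (1, 5)}
PROFILE_KEYS = {"ip", "port", "key", "timeout", "retry-count", "deadtime"}
# Constructed sample session; profile name, address and key are hypothetical.
SAMPLE = """\
(Instant AP)(config)# wlan tacacs-server tac-primary
(Instant AP)(TACACS Server tac-primary)# ip 192.0.2.10
(Instant AP)(TACACS Server tac-primary)# key EXAMPLE-KEY
(Instant AP)(TACACS Server tac-primary)# timeout 45
(Instant AP)(config)# mgmt-auth-server tac-primary
(Instant AP)(config)# mgmt-auth-server-load-balancing
"""

def parse_config(text):
    """Collect TACACS+ profiles and management-auth settings from CLI lines."""
    profiles, servers, flags, current = {}, {}, set(), None
    for raw in text.splitlines():
        # Strip a leading prompt such as "(Instant AP)(config)# ".
        words = re.sub(r"^(\([^)]*\))+#\s*", "", raw.strip()).split()
        if not words:
            continue
        if words[:2] == ["wlan", "tacacs-server"] and len(words) == 3:
            current = profiles.setdefault(words[2], {})
        elif current is not None and words[0] in PROFILE_KEYS and len(words) == 2:
            current[words[0]] = words[1]
        else:
            current = None  # "end" or any other command leaves the profile
            if words[0] == "mgmt-auth-server" and len(words) == 2:
                servers[words[1]] = True  # dict keeps order, drops repeats
            elif words[0].startswith("mgmt-auth-server-"):
                flags.add(words[0])
    return profiles, list(servers), flags

def audit(text):
    """Return findings for values outside what this page documents."""
    profiles, servers, flags = parse_config(text)
    findings = []
    for name, p in sorted(profiles.items()):
        findings += [f"{name}: missing {k}" for k in ("ip", "key") if k not in p]
        for field, (lo, hi) in LIMITS.items():
            if field in p and not (p[field].isdigit() and lo <= int(p[field]) <= hi):
                findings.append(f"{name}: {field} {p[field]} outside {lo}-{hi}")
    if len(servers) > 2:
        findings.append("more than two mgmt-auth-server entries")
    if "mgmt-auth-server-load-balancing" in flags and len(servers) < 2:
        findings.append("load balancing enabled with fewer than two servers")
    return findings
```

Calling `audit(SAMPLE)` reports the out-of-range timeout and the load-balancing setting that has only one server to balance across.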