Configuring Authentication Servers for Logins to ACS and Connected Devices

If you are configuring any authentication method other than Local, make sure an authentication server is set up for that method. The following is a summary of the things you need to know about setting up authentication servers.
• The ACS administrator should obtain the necessary information from each authentication server administrator, in order to set up and identify those servers on ACS. For example, if LDAP authentication were to be used for logins to ACS and Kerberos for logins to serial ports, then ACS needs to have network access to an LDAP and a Kerberos authentication server. The administrator needs to perform setup on ACS for both types of authentication servers.

• The administrator completes the appropriate form through the Web Manager Expert > Security > Authentication to set up an authentication server for every authentication method to be used by ACS and its ports.
• RADIUS, Local/RADIUS, RADIUS/Local, or RADIUS/DownLocal
• TACACS+, Local/TACACS+, TACACS+/Local, or TACACS+/DownLocal
• LDAP, LDAP/Local, or LDAPDownLocal
• Kerberos, Kerberos/Local, or KerberosDownLocal
• NIS, Local/NIS, NIS/Local, or NISDownLocal

Perform the following procedure to configure a RADIUS authentication server when ACS or any of its ports are configured to use the RADIUS authentication method or any of its variations (Local/RADIUS, RADIUS/Local, or RADIUS/DownLocal). The changes are stored in /etc/raddb/server on ACS.

Group information retrieval from a RADIUS authentication server adds another layer of security by adding a network-based authorization. It retrieves the “group” information from the authentication server and performs an authorization through ACS. For the configuration procedures for a RADIUS authentication server, refer to the ACS Command Reference Guide, Chapter 3, Section 3.4 “Group Authorization”.

Perform the following procedure to configure a TACACS+ authentication server when ACS or any of its ports are configured to use the TACACS+ authentication method or any of its variations (Local/TACACS+, TACACS+/Local, or TACACS+/DownLocal).
3 To apply “Authorization” in addition to authentication to the box and ports, select the “Enable Raccess Authorization” check box.

By default “Raccess Authorization” is disabled, and no additional authorization is implemented. When “Raccess Authorization” is enabled, the authorization level of users trying to access ACS or its ports using TACACS+ authentication is checked. Users with administrator privileges have administrative access, and users with regular user privileges have regular user access.

4 To specify a time out period in seconds for each authentication attempt, type a number in the “Timeout” field.

If the authentication server does not respond to the client’s login attempt before the specified time period, the login attempt is cancelled. The user may retry depending on the number specified in the “Retries” field on this form.

5 To specify the number of times the user can request authentication verification from the server before an authentication failure message is sent to the user, enter a number in the “Retries” field.

The changes are stored in /etc/tacplus.conf on the ACS.
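The Python below is an added illustration, not ACS code, of how the “Timeout” and “Retries” values bound a single login attempt and of how the method variants named on these forms (RADIUS, Local/RADIUS, RADIUS/Local, RADIUS/DownLocal; the same pattern applies to the TACACS+ variants) decide when the local account table is consulted. The server callables and the local user table are constructed sample inputs, the worst-case wait formula assumes “Retries” counts attempts after the first, and the meaning given to the “/Local” and “/DownLocal” suffixes (fall back on any non-accept versus fall back only when the server is unreachable) is an assumption, not taken from the page.

```python
# Added illustration of the Timeout / Retries / fallback behaviour described
# for the ACS authentication-server forms. Not ACS code: the server callables
# and LOCAL_USERS are constructed, and the "/Local" vs "/DownLocal" semantics
# are an assumption.
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNREACHABLE = "unreachable"   # no reply within Timeout on any attempt


def query_with_retries(server, username, password, timeout, retries):
    """Ask the remote server once, then up to `retries` more times if it does
    not answer within `timeout` seconds. `server(user, pw, timeout)` returns
    "accept", "reject", or None meaning "no reply before the timeout".
    Returns (verdict, attempts_made)."""
    attempts = 0
    for attempts in range(1, retries + 2):
        reply = server(username, password, timeout)
        if reply == "accept":
            return Verdict.ACCEPT, attempts
        if reply == "reject":
            return Verdict.REJECT, attempts
        # reply is None: this attempt timed out, loop for the next retry
    return Verdict.UNREACHABLE, attempts


def worst_case_wait(timeout, retries):
    """Longest time a login can hang before the server is treated as down
    (assumption: Retries counts attempts after the first one)."""
    return timeout * (retries + 1)


def authenticate(method, username, password, server, local_db,
                 timeout=3, retries=2):
    """Apply one of the method variants listed on the form.
    Assumed semantics: X/Local consults the local table whenever the remote
    server does not accept (including an explicit reject); X/DownLocal
    consults it only when the server is unreachable; Local/X tries the
    local table first."""
    local_ok = local_db.get(username) == password

    def remote():
        return query_with_retries(server, username, password,
                                  timeout, retries)[0]

    if method == "RADIUS":
        return remote() is Verdict.ACCEPT
    if method == "Local/RADIUS":
        return local_ok or remote() is Verdict.ACCEPT
    if method == "RADIUS/Local":
        return remote() is Verdict.ACCEPT or local_ok
    if method == "RADIUS/DownLocal":
        verdict = remote()
        if verdict is Verdict.UNREACHABLE:
            return local_ok
        return verdict is Verdict.ACCEPT
    raise ValueError(f"unknown method {method!r}")


# Constructed sample servers and local table (placeholder credentials).
def dead_server(username, password, timeout):
    return None                      # never answers: simulates "server down"


def strict_server(username, password, timeout):
    known = ("alice", "correct-pw")  # the only account the central server knows
    return "accept" if (username, password) == known else "reject"


LOCAL_USERS = {"bob": "bob-local-pw"}   # account that exists only on ACS


if __name__ == "__main__":
    print("worst-case wait per login:", worst_case_wait(3, 2), "seconds")
    for method in ("RADIUS", "RADIUS/Local", "RADIUS/DownLocal"):
        up = authenticate(method, "bob", "bob-local-pw", strict_server, LOCAL_USERS)
        down = authenticate(method, "bob", "bob-local-pw", dead_server, LOCAL_USERS)
        print(f"{method:18s} server up -> {up}, server down -> {down}")
```

The point worth checking on a real deployment is the difference the last two cases show: under the assumed RADIUS/Local semantics a local-only account such as “bob” logs in even though the central server rejects it, so the central server cannot revoke that access; under RADIUS/DownLocal the local table is reached only after all retries time out, so the central server stays authoritative while it is up. The worst-case wait (Timeout times one more than Retries) is the window in which a login attempt hangs before that fallback is even considered.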