In this post we will see how to configure TACACS+ on a WLC. (I am using ACS 5.2 as the TACACS+ server, and the WLC runs 7.0.116.0, which is the release in the CCIE v2.0 exam.)
As you can see in the GUI, TACACS+ servers can be added separately for Authentication, Authorization & Accounting (the Authorization option, which lets the TACACS+ server decide the management user's role, is not there for RADIUS). You can add up to 3 TACACS+ servers (as opposed to 17 RADIUS servers) for redundancy.
Here is the WLC configuration via the GUI (shown for Authentication & Authorization).
Here are the corresponding CLI commands to configure TACACS+ for Auth, Authr & Acct purposes.
(WLC3) >config tacacs ?
acct           Configures a TACACS+ Accounting Server.
athr           Configures a TACACS+ Authorization Server.
auth           Configures a TACACS+ Authentication Server.

(WLC3) >config tacacs athr ?
add            Configures a TACACS+ Authorization Server.
delete         Deletes a TACACS+ Server.
disable        Disables a TACACS+ Server.
enable         Enables a TACACS+ Server.
server-timeout Changes the default retransmission timeout for the server

(WLC3) >config tacacs auth ?
add            Configures a TACACS+ Authentication Server.
delete         Deletes a TACACS+ Server.
disable        Disables a TACACS+ Server.
enable         Enables a TACACS+ Server.
server-timeout Changes the default retransmission timeout for the server

(WLC3) >config tacacs acct ?
add            Configures a TACACS+ Accounting Server.
delete         Deletes a TACACS+ Server.
disable        Disables a TACACS+ Server.
enable         Enables a TACACS+ Server.
server-timeout Changes the default retransmission timeout for the server

********** Here is basic configuration for Accounting **********

(WLC3) >config tacacs acct add 1 192.168.100.2 49 ascii cisco
(WLC3) >config tacacs acct server-timeout 1 10    <- default 5s
(WLC3) >config tacacs acct enable 1

(WLC3) >show tacacs summary

Authentication Servers

Idx  Server Address    Port    State     Tout
---  ----------------  ------  --------  ----
1    192.168.100.2     49      Enabled   10

Authorization Servers

Idx  Server Address    Port    State     Tout
---  ----------------  ------  --------  ----
1    192.168.100.2     49      Enabled   10

Accounting Servers

Idx  Server Address    Port    State     Tout
---  ----------------  ------  --------  ----
1    192.168.100.2     49      Enabled   10
Then on ACS you have to add the WLC as an AAA device, using the same TACACS+ shared secret you entered on the WLC, as shown below.
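Once the servers are in place, the thing worth checking is that every one of the three functions actually has an enabled TACACS+ server behind it, since the WLC configures Authentication, Authorization and Accounting independently and a missing or disabled entry in one table silently leaves that function uncovered. The following is an added example, not part of the original post: a small Python script that parses the three tables printed by show tacacs summary (in the layout shown above) and reports any function with no enabled server, or with only a single server and therefore no redundancy. The sample output embedded in it is constructed, with a deliberately empty Authorization table and a disabled Accounting server so that both checks fire. It does not verify the management-user priority order, which must also include TACACS+ for admin logins to use it.

```python
"""Audit a WLC 'show tacacs summary' dump for gaps in TACACS+ coverage.

Added example (not from the original post). It parses the Authentication,
Authorization and Accounting server tables printed by the AireOS CLI and
flags functions that have no enabled server or only one enabled server.
"""
import re

# Constructed sample output: the Authorization table is empty and the only
# Accounting server is disabled, so the audit should report both functions.
SAMPLE_SHOW_TACACS_SUMMARY = """\
Authentication Servers

Idx  Server Address    Port    State     Tout
---  ----------------  ------  --------  ----
1    192.168.100.2     49      Enabled   10
2    192.168.100.3     49      Enabled   10

Authorization Servers

Idx  Server Address    Port    State     Tout
---  ----------------  ------  --------  ----

Accounting Servers

Idx  Server Address    Port    State     Tout
---  ----------------  ------  --------  ----
1    192.168.100.2     49      Disabled  10
"""

SECTIONS = ("Authentication", "Authorization", "Accounting")

# One server row: index, address, port, state, timeout.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(Enabled|Disabled)\s+(\d+)\s*$")


def parse_tacacs_summary(text):
    """Return {function: [server dict, ...]} for the three TACACS+ tables."""
    servers = {name: [] for name in SECTIONS}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        # Section headers look like "Authorization Servers".
        if stripped.endswith(" Servers") and stripped[: -len(" Servers")] in SECTIONS:
            current = stripped[: -len(" Servers")]
            continue
        m = ROW_RE.match(line)
        if m and current:
            idx, addr, port, state, tout = m.groups()
            servers[current].append({
                "idx": int(idx),
                "address": addr,
                "port": int(port),
                "enabled": state == "Enabled",
                "timeout": int(tout),
            })
    return servers


def audit_tacacs(servers):
    """Return a list of findings; an empty list means all three functions are covered."""
    findings = []
    for name in SECTIONS:
        enabled = [s for s in servers[name] if s["enabled"]]
        if not enabled:
            findings.append(f"{name}: no enabled TACACS+ server, this function is not served by TACACS+")
        elif len(enabled) < 2:
            findings.append(f"{name}: only one enabled server ({enabled[0]['address']}), no redundancy")
    return findings


if __name__ == "__main__":
    parsed = parse_tacacs_summary(SAMPLE_SHOW_TACACS_SUMMARY)
    for finding in audit_tacacs(parsed):
        print("WARN", finding)
```

In practice you would paste the real output of show tacacs summary into the script (or read it from a file) in place of the constructed sample; the parser only relies on the section titles and the five-column rows that the WLC prints.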
Related Posts
1. Configuring Local EAP on WLC
2. Configuring EAP-TLS on WLC
3. Configuring EAP-TLS on ACS
4. Configuring RADIUS on WLC
5. WLC Admin Access via RADIUS
6. WLC Admin Access via TACACS
Thanks Bhai... it is useful for me.
A humble input: you forgot to add TACACS to your priority order; it won't work because the default is local and RADIUS. Hope this helps 🙂
Thanks Jeff for the highlight.
Rasika