About Administrative Login Authentication and Authorization
In the Cisco WAAS network, administrative login authentication and authorization are used to control login requests from administrators who want to access a WAAS device for configuring, monitoring, or troubleshooting purposes.
Login authentication is the process by which Cisco WAAS devices verify whether an administrator who is attempting to log in to the device has a valid username and password. An administrator who is logging in must have a user account registered with the device. User account information serves to authorize a user for administrative login and configuration privileges. The user account information is stored in an authentication, authorization and accounting (AAA) database, and the WAAS devices must be configured to access the particular authentication server (or servers) where the AAA database is located. When a user attempts to log in to a device, the device compares the person’s username, password, and privilege level to the user account information that is stored in the database.
The Cisco WAAS software provides the following AAA support for users who have external access servers, for example, RADIUS or TACACS+ servers, and for users who require a local access database with AAA features:
- Authentication (or login authentication) is the action of determining who a user is. It checks the username and password.
- Authorization (or configuration) is the action of determining what a user is allowed to do. It permits or denies privileges for authenticated users in the network. Generally, authentication precedes authorization. Both authentication and authorization are required for a user login.
- Accounting is the action of keeping track of administrative user activities for system accounting purposes. In the WAAS software, AAA accounting through TACACS+ is supported. For more information, see Configuring AAA Accounting for Cisco WAAS Devices.
Note: An administrator can log in to the Cisco WAAS Central Manager device through the console port or the Cisco WAAS Central Manager GUI. An administrator can also log in to a Cisco WAAS device that is functioning as a data center or branch WAE through the console port.
When the system administrator logs in to a Cisco WAAS device before authentication and authorization have been configured, the administrator can access the Cisco WAAS device by using the predefined superuser account (the predefined username is admin and the predefined password is default). When you log in to a Cisco WAAS device using this predefined superuser account, you are granted access to all the Cisco WAAS services and entities in the Cisco WAAS system.
Note: Each Cisco WAAS device must have one administrator account with the username admin. You cannot change the username of the predefined superuser account. The predefined superuser account must have the username admin.
All AAA interfaces support IPv6 configurations.
After you have initially configured your Cisco WAAS devices, we strongly recommend that you immediately change the password for the predefined superuser account (the predefined username is admin, the password is default, and the privilege level is superuser, privilege level 15) on each Cisco WAAS device.
For instructions on using the Cisco WAAS Central Manager GUI to change the password for a predefined superuser account, see Changing the Password for Your Own Account in the chapter "Creating and Managing Administrative Groups."
The following figure shows how an administrator can log in to a WAE through the console port or the Cisco WAAS Central Manager GUIs. When the Cisco WAAS device receives an administrative login request, the WAE can check its local database or a remote third-party database (TACACS+, RADIUS, or Windows domain database) to verify the username with the password and to determine the access privileges of the administrator.
[Figure: administrative login request paths to a WAE. Callouts in the figure:]
1. FTP/SFTP client
2. Cisco WAAS Central Manager GUI
3. Third-party AAA servers
4. RADIUS server
5. TACACS+ server
6. Windows domain server
7. Console or Telnet clients
8. SSH client
9. WAE that contains a local database and the default primary authentication database
10. Administrative login requests
The user account information is stored in an AAA database, and the Cisco WAAS devices must be configured to access the particular authentication server (or servers) that contains the AAA database. You can configure any combination of these authentication and authorization methods to control administrative login access to a Cisco WAAS device:
- Local authentication and authorization
- RADIUS
- TACACS+
- Windows domain authentication
Note: Even if you configure authentication using an external authentication server, you must create a role-based user or user group account in the Cisco WAAS Central Manager, as described in the chapter "Creating and Managing Administrator User Accounts and Groups."
For more information on the default AAA configuration, see Default Administrative Login Authentication and Authorization Configuration. For more information on configuring AAA, see Configuring Administrative Login Authentication and Authorization.
Default Administrative Login Authentication and Authorization Configuration
By default, a Cisco WAAS device uses the local database to obtain login authentication and authorization privileges for administrative users.
The following table lists the default configuration for administrative login authentication and authorization.
| Feature | Default Value |
|---|---|
| Administrative login authentication | Enabled |
| Administrative configuration authorization | Enabled |
| Authentication server failover because the authentication server is unreachable | Disabled |
| TACACS+ port | Port 49 |
| TACACS+ login authentication (console and Telnet) | Disabled |
| TACACS+ login authorization (console and Telnet) | Disabled |
| TACACS+ key | None specified |
| TACACS+ server timeout | 5 seconds |
| TACACS+ retransmit attempts | 2 times |
| RADIUS login authentication (console and Telnet) | Disabled |
| RADIUS login authorization (console and Telnet) | Disabled |
| RADIUS server IP address | None specified |
| RADIUS server UDP authorization port | Port 1645 |
| RADIUS key | None specified |
| RADIUS server timeout | 5 seconds |
| RADIUS retransmit attempts | 2 times |
| Windows domain login authentication | Disabled |
| Windows domain login authorization | Disabled |
| Windows domain password server | None specified |
| Windows domain realm (Kerberos realm used for authentication when Kerberos authentication is used) | Null string |
| Hostname or IP address of the Windows Internet Naming Service (WINS) server for the Windows domain | None specified |
| Windows domain administrative group | There are no predefined administrative groups. |
| Windows domain NETBIOS name | None specified |
| Kerberos authentication | Disabled |
| Kerberos server hostname or IP address (host that is running the Key Distribution Center (KDC) for the given Kerberos realm) | None specified |
| Kerberos server port number (port number on the KDC server) | Port 88 |
| Kerberos local realm (default realm for WAAS) | kerberos-realm: null string |
| Kerberos realm (maps a hostname or DNS domain name to a Kerberos realm) | Null string |
Note: If you configure a RADIUS or TACACS+ key on a Cisco WAAS device (the RADIUS or TACACS+ client), make sure that you configure an identical key on the external RADIUS or TACACS+ server.
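As an added illustration of why the note above requires identical keys (example code, not Cisco's implementation), the following Python models the TACACS+ body obfuscation defined in RFC 8907: the packet body is XORed with an MD5-derived pseudo-pad keyed by the shared secret, so a WAE and a TACACS+ server configured with different keys cannot decode each other's packets. The session ID, version byte and body are constructed sample values.

```python
import hashlib

# Constructed sample values; a real session ID is chosen by the client.
SESSION_ID = 0x1A2B3C4D
VERSION = 0xC0          # major 0xC, minor 0: the common TACACS+ version byte
SEQ_NO = 1              # first packet of the session (client -> server)
SHARED_KEY = b"correct-shared-secret"
SAMPLE_BODY = b"\x01\x00\x02\x01\x05\x04\x07\x00admintty0" + b"10.0.0.5" + b"\x00"


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int,
                      seq_no: int, length: int) -> bytes:
    """Build the RFC 8907 pseudo-pad: MD5_1 = MD5(session_id||key||version||seq_no),
    MD5_n = MD5(session_id||key||version||seq_no||MD5_n-1), concatenated and
    truncated to the body length."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(body: bytes, session_id: int, key: bytes,
                   version: int = VERSION, seq_no: int = SEQ_NO) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same
    call de-obfuscates a body when the same key and header fields are used."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def key_mismatch_demo() -> dict:
    """Show what a server sees when its key matches the client's, and when it
    does not: the mismatched decode is unrelated bytes, so the server rejects
    the request and the login fails."""
    on_wire = obfuscate_body(SAMPLE_BODY, SESSION_ID, SHARED_KEY)
    return {
        "matching_key": obfuscate_body(on_wire, SESSION_ID, SHARED_KEY),
        "mismatched_key": obfuscate_body(on_wire, SESSION_ID, b"wrong-secret"),
    }


if __name__ == "__main__":
    result = key_mismatch_demo()
    print("matching key recovers body:", result["matching_key"] == SAMPLE_BODY)
    print("mismatched key recovers body:", result["mismatched_key"] == SAMPLE_BODY)
```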
Change these defaults through the Cisco WAAS Central Manager GUI, as described in Configuring Administrative Login Authentication and Authorization.
Multiple Windows domain utilities are included in the Cisco WAAS software to assist with Windows domain authentication configuration. You can access these utilities through the Cisco WAAS CLI by running the windows-domain diagnostics EXEC command.