Cisco Systems OL-9971-01 Network Card User Manual


 
3-10
User Guide for Cisco Secure Access Control Server
OL-9971-01
Chapter 3 Network Configuration
Configuring AAA Clients
The Authenticate Using list always contains:
TACACS+ (Cisco IOS)—The Cisco IOS TACACS+ protocol, which is the standard choice
when using Cisco Systems access servers, routers, and firewalls. If the AAA client is a Cisco
device-management application, such as Management Center for Firewalls, you must use this
option.
RADIUS (Cisco Airespace)—RADIUS using Cisco Airespace VSAs. Select this option if the
network device is a Cisco Airespace WLAN device supporting authentication via RADIUS.
RADIUS (Cisco Aironet)—RADIUS using Cisco Aironet VSAs. Select this option if the
network device is a Cisco Aironet Access Point used by users who authenticate with the
Lightweight and Efficient Application Protocol (LEAP) or the Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS) protocol, provided that these protocols are
enabled on the Global Authentication Setup page in the System Configuration section.
When an authentication request from a RADIUS (Cisco Aironet) AAA client arrives, ACS first
attempts authentication by using LEAP; if this fails, ACS fails over to EAP-TLS. If LEAP is
not enabled on the Global Authentication Setup page, ACS immediately attempts EAP-TLS
authentication. If neither LEAP nor EAP-TLS is enabled on the Global Authentication Setup page,
any authentication attempt received from a Cisco Aironet RADIUS client fails. For more
information about enabling LEAP or EAP-TLS, see Global Authentication Setup, page 9-19.
Using this option enables ACS to send the wireless network device a different session-timeout
value for user sessions than ACS sends to wired end-user clients.
Note: If all authentication requests from a particular Cisco Aironet Access Point are PEAP or
EAP-TLS requests, use RADIUS (IETF) instead of RADIUS (Cisco Aironet). ACS cannot
support PEAP authentication by using the RADIUS (Cisco Aironet) protocol.
RADIUS (Cisco BBSM)—RADIUS using Cisco Broadband Services Manager (BBSM)
Vendor Specific Attributes (VSAs). Select this option if the network device is a Cisco BBSM
network device supporting authentication via RADIUS.
RADIUS (Cisco IOS/PIX 6.0)—RADIUS using Cisco IOS/PIX 6.0 VSAs. This option enables
you to pack commands sent to a Cisco IOS or Project Information Exchange (PIX) 6.0 AAA
client. The commands are defined in the Group Setup section. Select this option for RADIUS
environments in which key TACACS+ functions are required to support Cisco IOS and PIX
equipment.
RADIUS (Cisco VPN 3000/ASA/PIX7.x+)—RADIUS using Cisco VPN 3000 concentrator,
ASA device, and PIX 7.x device VSAs. Select this option if the network device is a Cisco VPN
3000 series concentrator, an ASA, or PIX 7.x+ device supporting authentication via RADIUS.
RADIUS (Cisco VPN 5000)—RADIUS using Cisco VPN 5000 VSAs. Select this option if the
network device is a Cisco VPN 5000 series Concentrator.
RADIUS (IETF)—IETF-standard RADIUS, using no VSAs. Select this option if the AAA
client represents RADIUS-enabled devices from more than one manufacturer and you want to
use standard IETF RADIUS attributes. If the AAA client represents a Cisco Aironet Access
Point used only by users who authenticate with PEAP or EAP-TLS, this is also the protocol to
select.
RADIUS (Ascend)—RADIUS using Ascend RADIUS VSAs. Select this option if the network
device is an Ascend network device that supports authentication via RADIUS.
RADIUS (Juniper)—RADIUS using Juniper RADIUS VSAs. Select this option if the network
device is a Juniper network device that supports authentication via RADIUS.
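
The RADIUS (Cisco Aironet) fallback order and the selection rules in the list above can be checked against an inventory of AAA clients. The following Python audit is an added example, not part of the Cisco guide and not ACS code; the client names, the eap_methods and is_mgmt_app fields, and the function names are assumptions made for illustration, and the inventory is constructed.

```python
from dataclasses import dataclass, field

AIRONET = "RADIUS (Cisco Aironet)"
IETF = "RADIUS (IETF)"
TACACS = "TACACS+ (Cisco IOS)"

def aironet_attempts(leap_enabled, eap_tls_enabled):
    """Methods ACS tries, in order, for a RADIUS (Cisco Aironet) request."""
    order = []
    if leap_enabled:
        order.append("LEAP")      # tried first when enabled
    if eap_tls_enabled:
        order.append("EAP-TLS")   # failover, or first attempt if LEAP is off
    return order                  # empty list: every request from the client fails

@dataclass
class AAAClient:                  # hypothetical inventory record
    name: str
    authenticate_using: str
    eap_methods: set = field(default_factory=set)  # methods its users send (assumed known)
    is_mgmt_app: bool = False     # Cisco device-management application

def audit(clients, leap_enabled, eap_tls_enabled):
    """Return (client name, issue) pairs for settings the guide says will not work."""
    findings = []
    for c in clients:
        if c.is_mgmt_app and c.authenticate_using != TACACS:
            findings.append((c.name, "device-management application must use " + TACACS))
        if c.authenticate_using != AIRONET:
            continue
        if not aironet_attempts(leap_enabled, eap_tls_enabled):
            findings.append((c.name, "neither LEAP nor EAP-TLS enabled: all authentication fails"))
        if c.eap_methods and c.eap_methods <= {"PEAP", "EAP-TLS"}:
            findings.append((c.name, "only PEAP/EAP-TLS in use: select " + IETF))
        elif "PEAP" in c.eap_methods:
            findings.append((c.name, "PEAP is not supported with " + AIRONET))
    return findings

# Constructed inventory for illustration
CLIENTS = [
    AAAClient("ap-lobby", AIRONET, {"LEAP"}),
    AAAClient("ap-lab", AIRONET, {"PEAP", "EAP-TLS"}),
    AAAClient("ap-mixed", AIRONET, {"LEAP", "PEAP"}),
    AAAClient("fw-mc", IETF, is_mgmt_app=True),
]

if __name__ == "__main__":
    for name, issue in audit(CLIENTS, leap_enabled=True, eap_tls_enabled=True):
        print(f"{name}: {issue}")
```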