3-11
User Guide for Cisco Secure Access Control Server
OL-9971-01
Chapter 3 Network Configuration
Configuring AAA Clients
RADIUS (Nortel)—RADIUS using Nortel RADIUS VSAs. Select this option if the network device is a Nortel network device that supports authentication via RADIUS.
RADIUS (iPass)—RADIUS for AAA clients using iPass RADIUS. Select this option if the network device is an iPass network device supporting authentication via RADIUS. The iPass RADIUS is identical to IETF RADIUS.
Single Connect TACACS+ AAA Client (Record stop in accounting on failure)—If you select TACACS+ (Cisco IOS) from the Authenticate Using list, you can use this option to specify that ACS use a single TCP connection for all TACACS+ communication with the AAA client, rather than a new one for every TACACS+ request. In single connection mode, multiple requests from a network device are multiplexed over a single TCP session. By default, this check box is unchecked.
Note If TCP connections between ACS and the AAA client are unreliable, do not use this feature.
Log Update/Watchdog Packets from this AAA Client—Enables logging of update or watchdog packets. Watchdog packets are interim packets that are sent periodically during a session. They provide you with an approximate session length if the AAA client fails and, therefore, no stop packet is received to mark the end of the session. By default, this check box is unchecked.
Log RADIUS Tunneling Packets from this AAA Client—Enables logging of RADIUS tunneling
accounting packets. Packets are recorded in the RADIUS Accounting reports of Reports and
Activity. By default, this check box is unchecked.
Replace RADIUS Port info with Username from this AAA Client—Enables use of username, rather than port number, for session-state tracking. This option is useful when the AAA client cannot provide unique port values, such as a gateway GPRS support node (GGSN). For example, if you use the ACS IP pools server and the AAA client does not provide a unique port for each user, ACS assumes that a reused port number indicates that the previous user session has ended and ACS may reassign the IP address that was previously assigned to the session with the non-unique port number. By default, this check box is unchecked.
Note If this option is enabled, ACS cannot determine the number of user sessions for each user.
Each session uses the same session identifier, the username; therefore, the Max Sessions
feature is ineffective for users accessing the network through the AAA client with this
feature enabled.
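The following is an added example, not code from the Cisco guide or from ACS itself. It is a small model of the session-state tracking described in the Watchdog and Replace RADIUS Port info options above: accounting records are keyed either by NAS-Port or by User-Name, a Start on an already-active key ends the previous session and frees its pool address, watchdog (Interim-Update) packets give an approximate length for a session that never received a Stop, and the per-user count is what a Max Sessions check would see. The record layout, timestamps, usernames and addresses are constructed for the example.

```python
# Model (added example, not ACS code) of RADIUS accounting session state keyed by
# NAS-Port, or by User-Name when "Replace RADIUS Port info with Username" is on.
# A record is (Acct-Status-Type, User-Name, NAS-Port, Framed-IP-Address, seconds).
class SessionTracker:
    def __init__(self, key_by_username):
        self.key_by_username = key_by_username
        self.active = {}    # session key -> session dict
        self.ended = []     # closed by Stop, or displaced by a new Start on the same key
        self.free_ips = []  # addresses released back to the IP pool (may be reassigned)

    def _end(self, key):
        s = self.active.pop(key)
        self.ended.append(s)
        self.free_ips.append(s["ip"])

    def process(self, record):
        kind, user, port, ip, ts = record
        key = user if self.key_by_username else port
        if kind == "Start":
            if key in self.active:       # reused key: previous session assumed over
                self._end(key)
            self.active[key] = {"user": user, "port": port, "ip": ip,
                                "start": ts, "last_seen": ts, "stopped": False}
        elif kind in ("Interim-Update", "Stop") and key in self.active:
            self.active[key]["last_seen"] = ts   # watchdog packets advance this
            if kind == "Stop":
                self.active[key]["stopped"] = True
                self._end(key)

    def sessions_for(self, user):
        # What a Max Sessions check would count for this user
        return sum(1 for s in self.active.values() if s["user"] == user)

def length(session):
    # Without a Stop, the last watchdog gives only an approximate session length
    return session["last_seen"] - session["start"]

# Constructed accounting stream from a GGSN-like client that reuses NAS-Port 7
RECORDS = [
    ("Start", "alice", 7, "10.0.0.5", 0),
    ("Interim-Update", "alice", 7, "10.0.0.5", 300),
    ("Start", "alice", 8, "10.0.0.6", 400),  # alice's second concurrent session
    ("Start", "bob", 7, "10.0.0.7", 500),    # port 7 reused while alice is still on it
    ("Stop", "bob", 7, "10.0.0.7", 900),
]
def run(key_by_username, n=len(RECORDS)):
    t = SessionTracker(key_by_username)
    for r in RECORDS[:n]:
        t.process(r)
    return t
```

Run with `run(False)` and `run(True)` and compare `sessions_for("alice")` and `free_ips`: port keying counts both of alice's sessions but frees her address when bob reuses port 7, while username keying is immune to the port reuse but never counts more than one session per user.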
Match Framed-IP-Address with user IP address for accounting packets from this AAA
Client—Select this option when the AAA client uses Cisco SSL WebVPN. This action ensures that
ACS assigns different IP addresses to two different users when they log in via a Cisco SSL WebVPN
client. By default, this check box is unchecked.
Adding AAA Clients
You can use this procedure to add AAA client configurations.
Before You Begin
For ACS to provide AAA services to AAA clients, you must ensure that gateway devices between AAA
clients and ACS allow communication over the ports needed to support the applicable AAA protocol
(RADIUS or TACACS+). For information about ports that AAA protocols use, see AAA
Protocols—TACACS+ and RADIUS, page 1-3.