Cisco Systems OL-9971-01 Network Card User Manual


 
3-24
User Guide for Cisco Secure Access Control Server
OL-9971-01
Chapter 3 Network Configuration
Configuring Network Device Groups
Adding a Network Device Group
You can assign users or groups of users to NDGs. For more information, see:
Setting TACACS+ Enable Password Options for a User, page 6-23
Setting Enable Privilege Options for a User Group, page 5-13
To add an NDG:
Step 1 In the navigation bar, click Network Configuration.
The Network Configuration page opens.
Step 2 Under the Network Device Groups table, click Add Entry.
Tip If the Network Device Groups table does not appear, choose Interface Configuration >
Advanced Options. Then, choose Network Device Groups.
Step 3 In the Network Device Group Name box, type the name of the new NDG.
Tip The maximum name length is 24 characters. Quotation marks (") and commas (,) are not
allowed. Spaces are allowed.
Step 4 In the Shared Secret box, enter a key for the Network Device Group. The maximum length is 32
characters.
Each device that is assigned to the Network Device Group will use the shared key that you enter here.
The key that was assigned to the device when it was added to the system is ignored. If the key entry is
null, the AAA client key is used. See AAA Client Configuration Options, page 3-8. This feature
simplifies key management for devices.
Step 5 In the RADIUS Key Wrap section, enter the shared secret keys for RADIUS Key Wrap in EAP-TLS
authentications.
Each key must be unique, and must also be distinct from the RADIUS shared key. These shared keys are
configurable for each AAA Client, as well as for each NDG. The NDG key configuration overrides the
AAA Client configuration. If the key entry is null, the AAA client key is used. See AAA Client
Configuration Options, page 3-8.
Key Encryption Key (KEK)—This is used for encryption of the Pairwise Master Key (PMK). In
ASCII mode, enter a key length of exactly 16 characters; in hexadecimal mode, enter a key length
of 32 characters.
Message Authentication Code Key (MACK)—This is used for the keyed hashed message
authentication code (HMAC) calculation over the RADIUS message. In ASCII mode, enter a key
length of exactly 20 characters; in hexadecimal mode, enter a key length of 40 characters.
Note If you leave a key field empty when key wrap is enabled, the key will contain only zeros.
Key Input Format—Select whether to enter the keys as ASCII or hexadecimal strings (the default
is ASCII).
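
The limits in Steps 3 through 5 can be checked before an entry is typed into the page. The following is an added example, not code from Cisco or from this guide: check_ndg and key_bytes are hypothetical helper names, and the sample values are constructed. It applies the name, Shared Secret, KEK and MACK rules above and reports an empty key field when key wrap is enabled, as the Note describes.

```python
import string

# Exact key lengths from the guide, in characters, per input format.
KEY_LENGTHS = {"KEK": {"ascii": 16, "hex": 32}, "MACK": {"ascii": 20, "hex": 40}}


def key_bytes(value, fmt):
    """Decode an entered key to raw bytes, or return None if it is malformed."""
    if fmt == "hex":
        if not all(c in string.hexdigits for c in value):
            return None
        return bytes.fromhex(value)
    return value.encode("ascii") if value.isascii() else None


def check_ndg(name, shared_secret, kek, mack, fmt="ascii", key_wrap=True):
    """Return findings for one NDG entry (hypothetical helper); [] means it passes."""
    findings = []
    if len(name) > 24:
        findings.append("name: longer than 24 characters")
    if any(c in name for c in '",'):
        findings.append("name: quotation marks and commas are not allowed")
    if len(shared_secret) > 32:
        findings.append("shared secret: longer than 32 characters")
    if not key_wrap:
        return findings
    # Raw bytes already in use, so ASCII and hexadecimal entries compare equal.
    seen = {"RADIUS shared key": shared_secret.encode()} if shared_secret else {}
    for label, value in (("KEK", kek), ("MACK", mack)):
        want = KEY_LENGTHS[label][fmt]
        if not value:
            findings.append(f"{label}: empty, key will contain only zeros")
            continue
        if len(value) != want:
            findings.append(f"{label}: {fmt} key must be exactly {want} characters")
            continue
        raw = key_bytes(value, fmt)
        if raw is None:
            findings.append(f"{label}: not a valid {fmt} string")
            continue
        for other, other_raw in seen.items():
            if raw == other_raw:
                findings.append(f"{label}: must be distinct from {other}")
        seen[label] = raw
    return findings


if __name__ == "__main__":
    # Constructed sample: KEK repeats the shared secret and MACK is left empty.
    print(check_ndg('Core, "DC"', "0123456789abcdef", "0123456789abcdef", ""))
```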