User Guide for Cisco Secure Access Control Server
OL-9971-01
Chapter 3 Network Configuration
Configuring AAA Clients
Number—You can specify a number, for example, 10.3.157.98.
Numeric Range—You can specify the low and high numbers of the range in the octet, separated
by a hyphen (-), for example, 10.3.157.10-50.
Wildcard—You can use an asterisk (*) to match all numbers in that octet, for example,
10.3.157.*.
ACS allows any octet or octets in the IP Address box to be a number, a numeric range, or an asterisk
(*), for example 172.16-31.*.*.
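As an added example, not part of the Cisco guide, the following Python matcher implements the per-octet address syntax described above (a number, a hyphenated range, or an asterisk) and adds two checks an administrator auditing AAA client definitions would want: how many addresses a pattern covers, and whether two patterns overlap. The function names and the constructed sample patterns are mine; the guide does not state how ACS itself resolves overlapping entries.

```python
import ipaddress
import re

# One octet of an ACS AAA client address: "*", "98", or "10-50".
_OCTET_RE = re.compile(r"^(?:\*|(\d{1,3})(?:-(\d{1,3}))?)$")


def parse_octet_pattern(token):
    """Return the inclusive (low, high) bounds matched by one octet pattern."""
    m = _OCTET_RE.match(token)
    if not m:
        raise ValueError(f"bad octet pattern: {token!r}")
    if token == "*":
        return 0, 255
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) is not None else low
    if not 0 <= low <= high <= 255:
        raise ValueError(f"octet bounds out of order or out of range: {token!r}")
    return low, high


def parse_aaa_client_pattern(pattern):
    """Parse a four-octet pattern such as 172.16-31.*.* into a list of bounds."""
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {pattern!r}")
    return [parse_octet_pattern(p) for p in parts]


def matches(pattern, address):
    """True if the dotted IPv4 address falls inside every octet bound."""
    bounds = parse_aaa_client_pattern(pattern)
    octets = [int(o) for o in str(ipaddress.IPv4Address(address)).split(".")]
    return all(lo <= o <= hi for (lo, hi), o in zip(bounds, octets))


def address_count(pattern):
    """Number of addresses a pattern covers, i.e. how many devices share its key."""
    count = 1
    for lo, hi in parse_aaa_client_pattern(pattern):
        count *= hi - lo + 1
    return count


def patterns_overlap(pattern_a, pattern_b):
    """True if some address matches both patterns (ambiguous client definitions)."""
    return all(
        max(lo_a, lo_b) <= min(hi_a, hi_b)
        for (lo_a, hi_a), (lo_b, hi_b) in zip(
            parse_aaa_client_pattern(pattern_a), parse_aaa_client_pattern(pattern_b)
        )
    )
```

A wide pattern such as 172.16-31.*.* means over a million addresses are accepted under a single shared secret, which is worth flagging when reviewing a configuration.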
Shared Secret—The shared secret key of the AAA client. Maximum length for the AAA client key
is 32 characters.
For correct operation, the key must be identical on the AAA client and ACS. Keys are case sensitive.
If the shared secret does not match, ACS discards all packets from the network device.
Network Device Group—The name of the NDG to which this AAA client should belong. To make
the AAA client independent of NDGs, use the Not Assigned selection.
Note This option does not appear if you have not configured ACS to use NDGs. To enable NDGs,
choose Interface Configuration > Advanced Options. Then, check the Network Device
Groups check box.
RADIUS Key Wrap—The shared secret keys for RADIUS Key Wrap in EAP-TLS authentications.
Each key must be unique, and must also be distinct from the RADIUS shared key. These shared keys
are configurable for each AAA Client, as well as for each NDG. The NDG key configuration
overrides the AAA Client configuration.
Key Encryption Key (KEK)—This is used for encryption of the Pairwise Master Key (PMK).
In ASCII mode, enter a key length of exactly 16 characters; in hexadecimal mode, enter a key
length of 32 characters.
Message Authentication Code Key (MACK)—This is used for the keyed hashed message
authentication code (HMAC) calculation over the RADIUS message. In ASCII mode, enter a
key length of exactly 20 characters; in hexadecimal mode, enter a key length of 40 characters.
Note If you leave a key field empty when key wrap is enabled, the key will contain only zeros.
Key Input Format—Select whether to enter the keys as ASCII or hexadecimal strings (the
default is ASCII).
Note You must enable the Key Wrap feature in the NAP Authentication Settings page to
implement these shared keys in EAP-TLS authentication.
Authenticate Using—The AAA protocol to use for communications with the AAA client. The
Authenticate Using list includes Cisco IOS TACACS+ and several vendor-specific implementations
of RADIUS. If you have configured user-defined RADIUS vendors and VSAs, those vendor-specific
RADIUS implementations appear on the list also. For information about creating user-defined
RADIUS VSAs, see Custom RADIUS Vendors and VSAs, page 8-19.