IBM Tivoli and Cisco Network Card User Manual


 
234 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
7. Click Add Entry under AAA Clients to add any AAA clients to this particular NDG. You can configure all NADs as a single AAA client by using IP address wild cards (*.*.*.*). In Figure 7-17 we have done this and used the RADIUS key cisco123. Note that authentication is done using RADIUS (IOS/PIX 6.0). There are other options available, depending on what is being defined as a NAD. Click Submit and then Apply.
Figure 7-17 AAA client setup
Note: The use of wild cards (*.*.*.*) is designed to help with scalability issues. For example, if your network has over 100 switches, defining each one as a separate NAD is very time consuming. By using *.*.*.*, every device that is configured to point to the ACS as its RADIUS server and that has the same RADIUS key will exchange information with the ACS. This also creates a security exposure, however: anyone who knows the RADIUS server IP address and the RADIUS key can exchange RADIUS traffic with the ACS as if they were a legitimate NAD. A better option may be to define NDGs based on subnet information, such as 192.168.10.*, which retains some of the scalability while limiting the exposure.
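The following is an added example, not code from the Redbook or from Cisco ACS. It assumes the per-octet wild-card notation the note describes (an asterisk in an octet position matches any value in that octet) and deliberately handles no other ACS address forms. It parses AAA client patterns such as *.*.*.* and 192.168.10.*, reports how many source addresses each one accepts, and flags entries broader than a policy threshold, so an administrator can audit an exported list of NDG definitions for the exposure the note warns about.

```python
"""Audit ACS-style AAA client IP patterns for scope.

Added example (not from the Redbook or Cisco ACS). Assumes the
per-octet wild-card notation shown in the text: '*' in an octet
position matches any value 0-255 in that octet. Other ACS address
forms (octet ranges, hostnames) are intentionally not handled.
"""
import ipaddress


def parse_pattern(pattern):
    """Split a pattern like '192.168.10.*' into four octet matchers.

    Each element is either None (wild card '*') or an int 0-255.
    Raises ValueError on malformed input so bad entries are not
    silently treated as narrow.
    """
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted octets: {pattern!r}")
    octets = []
    for part in parts:
        if part == "*":
            octets.append(None)
        else:
            value = int(part)
            if not 0 <= value <= 255:
                raise ValueError(f"octet out of range in {pattern!r}")
            octets.append(value)
    return octets


def matches(pattern, address):
    """True if the NAD address is covered by the AAA client pattern."""
    octets = parse_pattern(pattern)
    addr_octets = list(ipaddress.IPv4Address(address).packed)
    return all(p is None or p == a for p, a in zip(octets, addr_octets))


def address_count(pattern):
    """Number of IPv4 source addresses the pattern accepts as AAA clients."""
    wild = sum(1 for o in parse_pattern(pattern) if o is None)
    return 256 ** wild


def audit(entries, max_wildcards=1):
    """Flag AAA client entries broader than policy allows.

    entries: list of (ndg_name, pattern) tuples, as exported from the
    NDG configuration (hypothetical format for this example).
    max_wildcards: how many wild-card octets an entry may use; the
    default of 1 permits subnet-style entries such as 192.168.10.*.
    Returns a list of (ndg_name, pattern, address_count) findings.
    """
    findings = []
    for ndg, pattern in entries:
        wild = sum(1 for o in parse_pattern(pattern) if o is None)
        if wild > max_wildcards:
            findings.append((ndg, pattern, address_count(pattern)))
    return findings


# Constructed sample: the two definition styles the note contrasts.
SAMPLE_ENTRIES = [
    ("All_Switches", "*.*.*.*"),
    ("Branch_Access", "192.168.10.*"),
]


if __name__ == "__main__":
    for ndg, pattern, count in audit(SAMPLE_ENTRIES):
        print(f"{ndg}: pattern {pattern} accepts {count} source addresses")
```

Run against the constructed sample, only the *.*.*.* entry is reported; the subnet-style entry accepts 256 addresses and passes the default policy, which matches the trade-off the note recommends.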