Cisco Systems OL-9971-01 manual Network Configuration Configuring AAA Clients

Chapter 3 Network Configuration

Configuring AAA Clients

The Authenticate Using list always contains:

TACACS+ (Cisco IOS)—The Cisco IOS TACACS+ protocol, which is the standard choice when using Cisco Systems access servers, routers, and firewalls. If the AAA client is a Cisco device-management application, such as Management Center for Firewalls, you must use this option.

RADIUS (Cisco Airespace)—RADIUS using Cisco Airespace VSAs. Select this option if the network device is a Cisco Airespace WLAN device supporting authentication via RADIUS.

RADIUS (Cisco Aironet)—RADIUS using Cisco Aironet VSAs. Select this option if the network device is a Cisco Aironet Access Point used by users who authenticate with the Lightweight and Efficient Application Protocol (LEAP) or the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) protocol, provided that these protocols are enabled on the Global Authentication Setup page in the System Configuration section.

When an authentication request from a RADIUS (Cisco Aironet) AAA client arrives, ACS first attempts authentication by using LEAP; if this fails, ACS fails over to EAP-TLS. If LEAP is not enabled on the Global Authentication Setup page, ACS immediately attempts EAP-TLS authentication. If neither LEAP nor EAP-TLS is enabled on the Global Authentication Setup page, any authentication attempt received from a Cisco Aironet RADIUS client fails. For more information about enabling LEAP or EAP-TLS, see Global Authentication Setup, page 9-19.

Using this option enables ACS to send the wireless network device a different session-timeout value for user sessions than ACS sends to wired end-user clients.

Note: If all authentication requests from a particular Cisco Aironet Access Point are PEAP or EAP-TLS requests, use RADIUS (IETF) instead of RADIUS (Cisco Aironet). ACS cannot support PEAP authentication by using the RADIUS (Cisco Aironet) protocol.

RADIUS (Cisco BBSM)—RADIUS using Cisco Broadband Services Manager (BBSM) Vendor Specific Attributes (VSAs). Select this option if the network device is a Cisco BBSM network device supporting authentication via RADIUS.

RADIUS (Cisco IOS/PIX 6.0)—RADIUS using Cisco IOS/PIX 6.0 VSAs. This option enables you to pack commands sent to a Cisco IOS or Project Information Exchange (PIX) 6.0 AAA client. The commands are defined in the Group Setup section. Select this option for RADIUS environments in which key TACACS+ functions are required to support Cisco IOS and PIX equipment.

RADIUS (Cisco VPN 3000/ASA/PIX7.x+)—RADIUS using Cisco VPN 3000 concentrator, ASA device, and PIX 7.x device VSAs. Select this option if the network device is a Cisco VPN 3000 series concentrator, an ASA, or PIX 7.x+ device supporting authentication via RADIUS.

RADIUS (Cisco VPN 5000)—RADIUS using Cisco VPN 5000 VSAs. Select this option if the network device is a Cisco VPN 5000 series Concentrator.

RADIUS (IETF)—IETF-standard RADIUS, using no VSAs. Select this option if the AAA client represents RADIUS-enabled devices from more than one manufacturer and you want to use standard IETF RADIUS attributes. If the AAA client represents a Cisco Aironet Access Point used only by users who authenticate with PEAP or EAP-TLS, this is also the protocol to select.

RADIUS (Ascend)—RADIUS using Ascend RADIUS VSAs. Select this option if the network device is an Ascend network device that supports authentication via RADIUS.

RADIUS (Juniper)—RADIUS using Juniper RADIUS VSAs. Select this option if the network device is a Juniper network device that supports authentication via RADIUS.
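
The RADIUS (Cisco Aironet) rules above (LEAP first, EAP-TLS as failover, no PEAP support, and the dependency on Global Authentication Setup) can be checked against a list of AAA client entries. The following is an added example, not code from the Cisco guide or from ACS; the inventory layout, function names, and sample entries are hypothetical and constructed for illustration.

```python
# Added example. The inventory layout and all names are hypothetical;
# this is not an ACS export format or API.
AIRONET = "RADIUS (Cisco Aironet)"

def aironet_attempt_order(enabled):
    """EAP types ACS tries, in order, for a RADIUS (Cisco Aironet) client.
    `enabled` is the set of types turned on in Global Authentication Setup."""
    # LEAP is tried first; EAP-TLS is the failover (or first if LEAP is off).
    return [t for t in ("LEAP", "EAP-TLS") if t in enabled]

def audit_client(client, enabled):
    """Return a list of findings for one AAA client entry."""
    findings = []
    if client["authenticate_using"] != AIRONET:
        return findings
    in_use = set(client["eap_in_use"])
    order = aironet_attempt_order(enabled)
    if not order:
        findings.append("no LEAP or EAP-TLS enabled globally: every attempt fails")
    if "PEAP" in in_use:
        findings.append("PEAP cannot be authenticated via RADIUS (Cisco Aironet)")
    if in_use and in_use <= {"PEAP", "EAP-TLS"}:
        findings.append("only PEAP/EAP-TLS in use: select RADIUS (IETF)")
    for eap in sorted((in_use & {"LEAP", "EAP-TLS"}) - set(order)):
        findings.append(f"{eap} in use but not enabled globally")
    return findings

def audit_inventory(clients, enabled):
    """Map client name -> findings, keeping only clients with findings."""
    report = {}
    for c in clients:
        f = audit_client(c, enabled)
        if f:
            report[c["name"]] = f
    return report

# Constructed sample data (not taken from any real deployment).
SAMPLE_CLIENTS = [
    {"name": "ap-lobby", "authenticate_using": AIRONET, "eap_in_use": ["LEAP"]},
    {"name": "ap-lab", "authenticate_using": AIRONET, "eap_in_use": ["PEAP", "EAP-TLS"]},
    {"name": "ap-floor2", "authenticate_using": AIRONET, "eap_in_use": ["LEAP", "EAP-TLS"]},
    {"name": "ap-guest", "authenticate_using": "RADIUS (IETF)", "eap_in_use": ["PEAP"]},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_CLIENTS, {"LEAP"}).items():
        for f in findings:
            print(f"{name}: {f}")
```
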

User Guide for Cisco Secure Access Control Server
