Chapter 3 Network Configuration
Configuring AAA Clients
–RADIUS (Nortel)—RADIUS using Nortel vendor-specific attributes (VSAs). Select this option if the network device is a Nortel network device that supports authentication via RADIUS.
–RADIUS (iPass)—RADIUS for AAA clients using iPass RADIUS. Select this option if the network device is an iPass network device supporting authentication via RADIUS. The iPass RADIUS is identical to IETF RADIUS.
•Single Connect TACACS+ AAA Client (Record stop in accounting on failure)—If you select TACACS+ (Cisco IOS) from the Authenticate Using list, you can use this option to specify that ACS use a single TCP connection for all TACACS+ communication with the AAA client, rather than a new one for every TACACS+ request. In single connection mode, multiple requests from a network device are multiplexed over a single TCP session. By default, this check box is unchecked.
Note If TCP connections between ACS and the AAA client are unreliable, do not use this feature.
•Log Update/Watchdog Packets from this AAA Client—Enables logging of update or watchdog packets. Watchdog packets are interim packets that are sent periodically during a session. They provide you with an approximate session length if the AAA client fails and, therefore, no stop packet is received to mark the end of the session. By default, this check box is unchecked.
•Log RADIUS Tunneling Packets from this AAA Client—Enables logging of RADIUS tunneling accounting packets. Packets are recorded in the RADIUS Accounting reports of Reports and Activity. By default, this check box is unchecked.
•Replace RADIUS Port info with Username from this AAA Client—Enables use of username, rather than port number, for session-state tracking. This option is useful when the AAA client cannot provide unique port values, such as a gateway GPRS support node (GGSN). For example, if you use the ACS IP pools server and the AAA client does not provide a unique port for each user, ACS assumes that a reused port number indicates that the previous user session has ended and ACS may reassign the IP address that was previously assigned to the session with the non-unique port number. By default, this check box is unchecked.
Note If this option is enabled, ACS cannot determine the number of user sessions for each user. Each session uses the same session identifier, the username; therefore, the Max Sessions feature is ineffective for users accessing the network through the AAA client with this feature enabled.
•Match Framed-IP-Address with user IP address for accounting packets from this AAA Client—Select this option when the AAA client uses Cisco SSL WebVPN. This action ensures that ACS assigns different IP addresses to two different users when they log in via a Cisco SSL WebVPN client. By default, this check box is unchecked.
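The following Python model is an added illustration of the session-state behaviour described for the Replace RADIUS Port info with Username option; it is not ACS code. It keys a session table either by (AAA client, NAS-Port) or by (AAA client, username), hands out addresses from a constructed two-address IP pool, and replays a constructed accounting stream from a hypothetical GGSN at 10.0.0.5 that reports port 0 for every user. The client address, usernames and pool addresses are all made up for the example.

```python
"""Model of AAA-server session tracking keyed by port versus username.

Added example, not ACS code. It shows (1) why a non-unique NAS-Port makes a
port-keyed tracker release a live user's address early, and (2) why keying
by username instead hides how many sessions one user really has, so a
Max Sessions limit cannot be enforced for that AAA client.
"""
from dataclasses import dataclass


@dataclass
class AcctRecord:
    client: str     # NAS-IP-Address of the AAA client (constructed value)
    username: str   # User-Name attribute
    port: int       # NAS-Port value reported by the client
    status: str     # "start" or "stop"


class SessionTracker:
    """Tracks live sessions and leases addresses from a small IP pool."""

    def __init__(self, pool, key_by_username=False):
        self.free = list(pool)          # addresses not currently leased
        self.sessions = {}              # session key -> (username, ip)
        self.key_by_username = key_by_username
        self.released_early = []        # (username, ip) evicted by key reuse

    def _key(self, rec):
        # This is the choice the check box controls: port or username.
        if self.key_by_username:
            return (rec.client, rec.username)
        return (rec.client, rec.port)

    def process(self, rec):
        """Apply one accounting record; return the leased IP (or None)."""
        key = self._key(rec)
        if rec.status == "start":
            if key in self.sessions:
                # Key reuse: the server assumes the earlier session ended,
                # returns its address to the pool, and may lease it again.
                old_user, old_ip = self.sessions.pop(key)
                self.free.append(old_ip)
                self.released_early.append((old_user, old_ip))
            if not self.free:
                return None             # pool exhausted, no address leased
            ip = self.free.pop(0)
            self.sessions[key] = (rec.username, ip)
            return ip
        if rec.status == "stop":
            _, ip = self.sessions.pop(key, (None, None))
            if ip is not None:
                self.free.append(ip)
            return ip
        raise ValueError(f"unknown Acct-Status-Type: {rec.status}")

    def sessions_for(self, username):
        """Live sessions the tracker can see for one user (Max Sessions view)."""
        return sum(1 for user, _ in self.sessions.values() if user == username)


def run_scenario(key_by_username, ports=(0, 0, 0),
                 pool=("192.0.2.10", "192.0.2.11")):
    """Replay a constructed accounting stream: alice, bob, then alice again.

    Returns (leased IPs in order, sessions released early, live sessions
    counted for alice).
    """
    stream = [
        AcctRecord("10.0.0.5", "alice", ports[0], "start"),
        AcctRecord("10.0.0.5", "bob", ports[1], "start"),
        AcctRecord("10.0.0.5", "alice", ports[2], "start"),  # 2nd session
    ]
    tracker = SessionTracker(pool, key_by_username)
    ips = [tracker.process(rec) for rec in stream]
    return ips, tracker.released_early, tracker.sessions_for("alice")


if __name__ == "__main__":
    # Port-keyed with a non-unique port: bob's live session is dropped and
    # his address goes back to the pool while he is still connected.
    print("port-keyed, port 0 for all:", run_scenario(False))
    # Username-keyed: bob keeps his lease, but alice's two concurrent
    # sessions collapse into one entry, so Max Sessions cannot see them.
    print("username-keyed, port 0 for all:", run_scenario(True))
    # Unique ports with a large enough pool: both sessions of alice counted.
    print("port-keyed, unique ports:",
          run_scenario(False, ports=(1, 2, 3),
                       pool=("192.0.2.10", "192.0.2.11", "192.0.2.12")))
```

Run the module directly to see all three replays. The port-keyed replay with port 0 everywhere is the failure mode the option exists to avoid (bob's address is released while his session is live); the username-keyed replay fixes that but reports one live session for alice when she actually has two, which is exactly why the Note above says Max Sessions is ineffective for such a client.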
Adding AAA Clients
You can use this procedure to add AAA client configurations.
Before You Begin
For ACS to provide AAA services to AAA clients, you must ensure that gateway devices between AAA clients and ACS allow communication over the ports needed to support the applicable AAA protocol (RADIUS or TACACS+). For information about ports that AAA protocols use, see AAA Protocols—TACACS+ and RADIUS, page 1-3.
User Guide for Cisco Secure Access Control Server