Chapter 3 Network Configuration
Configuring AAA Clients
–Number—You can specify a number, for example, 10.3.157.98.
–Numeric Range—You can specify the low and high numbers of the range in the octet, separated by a hyphen (-), for example, 10.3.157.10-50.
–Wildcard—You can use an asterisk (*) to match all numbers in that octet, for example, 10.3.157.*.
ACS allows any octet or octets in the IP Address box to be a number, a numeric range, or an asterisk (*), for example, 172.16-31.*.*. Every source address that a range or wildcard entry matches is accepted under that single entry's shared secret, so keep such entries as narrow as the deployment allows.
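The following matcher is an added example, written for this page rather than taken from the ACS product or its documentation. It implements the address syntax described above (a number, a low-high range, or an asterisk in each octet) and also reports how many source addresses an entry covers, which is the number of hosts that will share that entry's secret. The entries and probe addresses in the main block are constructed for illustration.

```python
import ipaddress
import re

_OCTET_RE = re.compile(r"(\d{1,3})(?:-(\d{1,3}))?")


def parse_octet_pattern(part: str) -> tuple[int, int]:
    """Turn one octet pattern (number, low-high range, or *) into an inclusive (low, high) pair."""
    if part == "*":
        return (0, 255)
    m = _OCTET_RE.fullmatch(part)
    if m is None:
        raise ValueError(f"bad octet pattern {part!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) is not None else low
    if not 0 <= low <= high <= 255:
        raise ValueError(f"octet pattern {part!r} is out of bounds or reversed")
    return (low, high)


def parse_pattern(pattern: str) -> list[tuple[int, int]]:
    """Parse a dotted four-octet AAA client address entry into four (low, high) pairs."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted octets, got {pattern!r}")
    return [parse_octet_pattern(p) for p in parts]


def is_valid_pattern(pattern: str) -> bool:
    """True if the entry parses under the documented syntax."""
    try:
        parse_pattern(pattern)
    except ValueError:
        return False
    return True


def ip_matches(pattern: str, ip: str) -> bool:
    """True if the IPv4 address falls inside every octet range of the entry."""
    ranges = parse_pattern(pattern)
    octets = ipaddress.IPv4Address(ip).packed
    return all(lo <= o <= hi for (lo, hi), o in zip(ranges, octets))


def address_count(pattern: str) -> int:
    """Number of distinct source addresses the entry accepts, i.e. how many hosts share its secret."""
    n = 1
    for lo, hi in parse_pattern(pattern):
        n *= hi - lo + 1
    return n


if __name__ == "__main__":
    # Constructed entries using the documented syntax, each with a probe address.
    for entry, probe in [("10.3.157.98", "10.3.157.98"),
                         ("10.3.157.10-50", "10.3.157.51"),
                         ("10.3.157.*", "10.3.157.200"),
                         ("172.16-31.*.*", "172.32.0.1")]:
        print(f"{entry:16} matches {probe:14}: {str(ip_matches(entry, probe)):5} "
              f"(covers {address_count(entry)} addresses)")
```

The address count is the useful security number: an entry such as 172.16-31.*.* accepts over a million source addresses, and any host in that block that learns the secret can impersonate any other.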
•Shared Secret—The shared secret key of the AAA client. Maximum length for the AAA client key is 32 characters.
For correct operation, the key must be identical on the AAA client and ACS. Keys are case sensitive. If the shared secret does not match, ACS discards all packets from the network device.
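To make the mismatch behaviour concrete, here is an added example (not ACS code and not from the Cisco documentation) showing the general RADIUS mechanism by which a server can detect a wrong shared secret: the Message-Authenticator attribute of RFC 2869, an HMAC-MD5 over the whole packet keyed with the shared secret. The client builds and signs an Access-Request; the server recomputes the HMAC with its own configured secret and discards the packet on mismatch. Whether ACS relies on exactly this attribute is an assumption for the purpose of the example; the packet contents and secrets are constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869: HMAC-MD5 over the packet, keyed with the shared secret
MAX_SECRET_LEN = 32               # ACS limit for the AAA client key


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def _message_authenticator_offset(pkt: bytes) -> Optional[int]:
    """Walk the attribute TLVs after the 20-byte header; return the offset of the HMAC value."""
    off = 20
    while off + 2 <= len(pkt):
        attr_type, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("malformed attribute")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if length != 18:
                raise ValueError("Message-Authenticator value must be 16 bytes")
            return off + 2
        off += length
    return None


def build_access_request(secret: str, identifier: int, username: str,
                         authenticator: Optional[bytes] = None) -> bytes:
    """AAA client side: assemble an Access-Request and sign it with the configured shared secret."""
    if not 0 < len(secret) <= MAX_SECRET_LEN:
        raise ValueError(f"shared secret must be 1..{MAX_SECRET_LEN} characters")
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    off = _message_authenticator_offset(pkt)
    mac = hmac.new(secret.encode(), pkt, hashlib.md5).digest()   # computed with the value zeroed
    return pkt[:off] + mac + pkt[off + 16:]


def verify_access_request(secret: str, pkt: bytes) -> bool:
    """Server side: recompute the HMAC with the server's secret; False means 'discard the packet'."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        off = _message_authenticator_offset(pkt)
    except ValueError:
        return False
    if off is None:
        return False   # policy for this example: a request without the attribute is rejected
    received = pkt[off:off + 16]
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret.encode(), zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed secrets: the second differs only in case, which is enough to fail.
    request = build_access_request("Secret-Key-01", 7, "alice")
    print("matching secret :", verify_access_request("Secret-Key-01", request))
    print("case-changed key:", verify_access_request("secret-key-01", request))
```

Note that the comparison is constant-time and that any change to the packet after signing, not only a wrong secret, fails verification; the secret is bound to the whole request, which is why the device and ACS must hold byte-identical, case-identical values.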
•Network Device Group—The name of the NDG to which this AAA client should belong. To make the AAA client independent of NDGs, use the Not Assigned selection.
Note This option does not appear if you have not configured ACS to use NDGs. To enable NDGs, choose Interface Configuration > Advanced Options. Then, check the Network Device Groups check box.
•RADIUS Key Wrap—The shared secret keys for RADIUS Key Wrap in EAP-TLS authentications. The KEK and the MACK must differ from each other and from the RADIUS shared secret of the AAA client. These keys are configurable per AAA client and per NDG; when both are configured, the NDG key configuration overrides the AAA client configuration.
–Key Encryption Key (KEK)—This is used for encryption of the Pairwise Master Key (PMK). In ASCII mode, enter a key of exactly 16 characters; in hexadecimal mode, enter a key of exactly 32 hexadecimal digits (a 128-bit key either way).
–Message Authentication Code Key (MACK)—This is used for the keyed-hash message authentication code (HMAC) calculation over the RADIUS message. In ASCII mode, enter a key of exactly 20 characters; in hexadecimal mode, enter a key of exactly 40 hexadecimal digits (a 160-bit key either way).
Note If you leave a key field empty when key wrap is enabled, ACS uses a key consisting entirely of zeros. An all-zero key is no secret at all, so enter both keys whenever key wrap is enabled.
–Key Input Format—Select whether to enter the keys as ASCII or hexadecimal strings (the default is ASCII).
Note You must enable the Key Wrap feature in the NAP Authentication Settings page to implement these shared keys in EAP-TLS authentication.
•Authenticate Using—The AAA protocol to use for communications with the AAA client. The Authenticate Using list includes Cisco IOS TACACS+ and several vendor-specific implementations of RADIUS. If you have configured user-defined RADIUS vendors and VSAs, those vendor-specific RADIUS implementations appear on the list also. For information about creating user-defined RADIUS VSAs, see Custom RADIUS Vendors and VSAs, page 8-19.
User Guide for Cisco Secure Access Control Server