Cisco Systems 3.3

4-13

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 4 Network Configuration

AAA Client Configuration

For correct operation, the key must be identical on the AAA client and

Cisco Secure ACS. Keys are case sensitive. Because shared secrets are not

synchronized, it is easy to make mistakes when entering them on network

devices and Cisco Secure ACS. If the shared secret does not match,

Cisco Secure ACS discards all packets from the network device.

Note If the AAA client represents multiple network devices, the key must

be identical on all network devices represented by the AAA client.

•Network Device Group—The name of the NDG to which this AAA client

should belong. To make the AAA client independent of NDGs, use the Not

Assigned selection.

Note This option does not appear if you have not configured Cisco Secure

ACS to use NDGs. To enable NDGs, click Interface Configuration,

click Advanced Options, and then select the Network Device

Groups check box.

•Authenticate Using—The AAA protocol to be used for communications

with the AAA client. The Authenticate Using list includes Cisco IOS

TACACS+ and several vendor-specific implementations of RADIUS. If you

have configured user-defined RADIUS vendors and VSAs, those

vendor-specific RADIUS implementations appear on the list also. For

information about creating user-defined RADIUS VSAs, see Custom

RADIUS Vendors and VSAs, page 9-28.

The Authenticate Using list always contains the following selections:

–

TACACS+ (Cisco IOS)—The Cisco IOS TACACS+ protocol, which is

the standard choice when using Cisco Systems access servers, routers,

and firewalls. If the AAA client is a Cisco device-management

application, such as Management Center for Firewalls, you must use this

option.

–

RADIUS (Cisco Aironet)—RADIUS using Cisco Aironet VSAs. Select

this option if the network device is a Cisco Aironet Access Point used by

users authenticating with LEAP or EAP-TLS, provided that these

protocols are enabled on the Global Authentication Setup page in the

System Configuration section.