Chapter 7 Managing Network Resources

Network Devices and AAA Clients

Table 7-4    Creating Network Devices and AAA Clients (continued)

Option: IP Range(s) By Mask

Description: Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addresses within the specified subnet mask are permitted to access the network and are associated with the network device definition.

When you use subnet masks, the number of unique IP addresses depends on the number of IP addresses available through the subnet mask. For example, a subnet mask of 255.255.255.0 means you have 256 unique IP addresses.

The first six IP addresses appear in the field; use the scroll bar to see any additional configured IP addresses.

A mask is needed only for wildcards, that is, if you want an IP address range. You cannot use asterisks (*) as wildcards.

Option: IP Range

Description: Choose to enter single or multiple ranges of IP addresses. You can configure up to 40 IP addresses or subnet masks for each network device. You can also exclude a subset of an IP address range from the configured range in a scenario where that subset has already been added.

You can use a hyphen (-) to specify a range of IP addresses. A maximum of 40 IP addresses is allowed in a single IP range.

You can also add IP addresses with wildcards. You can use asterisks (*) as wildcards.

Some examples of entering IP address ranges are:

    A single range: 10.77.10.1-10, 192.120.10-12.10
    Multiple ranges: 10.*.1-20.10, 192.1-23.*.100-150
    Exclusions from a range: 10.10.1-255.* exclude 10.10.10-200.100-150

Using dynamic device IP address ranges (for example, 1-5.*.7.9) can have performance implications on both the run time and the management. Therefore, we recommend using an IP address and subnet mask whenever possible. Dynamic IP address ranges should be used only when the range cannot be described using an IP address and subnet mask.

Note: AAA clients with wildcards are migrated from 4.x to 5.x.

Authentication Options

Option: TACACS+

Description: Check to use the Cisco IOS TACACS+ protocol to authenticate communication to and from the network device.

You must use this option if the network device is a Cisco device-management application, such as Management Center for Firewalls. You should use this option when the network device is a Cisco access server, router, or firewall.

Option: TACACS+ Shared Secret

Description: Shared secret of the network device, if you enabled the TACACS+ protocol.

A shared secret is an expected string of text, which a user must provide before the network device authenticates a username and password. The connection is rejected until the user supplies the shared secret.
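As an added example that is not part of the Cisco guide, the following Python reads the range syntax illustrated in Table 7-4 (comma-separated patterns, hyphenated octet ranges, asterisk wildcards and the exclude keyword), checks whether a given AAA client address is covered, counts the addresses behind a subnet mask, and reports whether a pattern could instead be written as a single IP address and subnet mask, as the table recommends. The parsing of the specification string is this editor's reading of the table's examples, not the product's own parser, and the sample addresses and specifications are constructed for illustration.

```python
import ipaddress
import re

MAX_ENTRIES = 40  # per-device limit on IP addresses/masks stated in Table 7-4


def addresses_in_mask(mask: str) -> int:
    """Count the unique IPv4 addresses a dotted subnet mask covers
    (255.255.255.0 -> 256, as the table states)."""
    return ipaddress.ip_network(("0.0.0.0", mask)).num_addresses


def _octet_bounds(token: str) -> tuple:
    """Translate one octet pattern ('*', 'lo-hi' or 'n') into (lo, hi)."""
    if token == "*":
        return 0, 255
    lo_text, _, hi_text = token.partition("-")
    lo = int(lo_text)
    hi = int(hi_text) if hi_text else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet pattern {token!r}")
    return lo, hi


def _pattern_bounds(pattern: str) -> list:
    """Bounds for all four octets of a dotted pattern such as '10.*.1-20.10'."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets in {pattern!r}")
    return [_octet_bounds(p) for p in parts]


def pattern_matches(pattern: str, ip: str) -> bool:
    """True if a dotted IPv4 address falls inside one range/wildcard pattern."""
    octets = ipaddress.IPv4Address(ip).packed  # four ints, 0..255
    return all(lo <= v <= hi for (lo, hi), v in zip(_pattern_bounds(pattern), octets))


def parse_range_spec(spec: str) -> tuple:
    """Split 'A, B exclude C, D' into (included, excluded) pattern lists.
    The comma list and 'exclude' keyword follow the table's examples; this is
    an assumed reading of that syntax, not the ACS parser itself."""
    parts = re.split(r"\s+exclude\s+", spec.strip(), maxsplit=1)
    included = [p.strip() for p in parts[0].split(",") if p.strip()]
    excluded = [p.strip() for p in parts[1].split(",") if p.strip()] if len(parts) > 1 else []
    if len(included) > MAX_ENTRIES:
        raise ValueError(f"more than {MAX_ENTRIES} entries in one IP range")
    for p in included + excluded:
        _pattern_bounds(p)  # reject malformed patterns before any matching
    return included, excluded


def ip_in_range_spec(spec: str, ip: str) -> bool:
    """True if the address is covered by an included pattern and by no excluded one."""
    included, excluded = parse_range_spec(spec)
    if not any(pattern_matches(p, ip) for p in included):
        return False
    return not any(pattern_matches(p, ip) for p in excluded)


def as_subnet(pattern: str):
    """Return the IPv4Network equal to the pattern if it is one aligned block,
    else None. None means the table's preferred 'IP address and subnet mask'
    form cannot express the pattern, so a dynamic range is genuinely needed."""
    bounds = _pattern_bounds(pattern)
    widened = False
    for lo, hi in bounds:
        if widened and (lo, hi) != (0, 255):
            return None  # gaps between blocks: the set is not contiguous
        if hi > lo:
            widened = True
    lo_addr = int.from_bytes(bytes(lo for lo, _ in bounds), "big")
    hi_addr = int.from_bytes(bytes(hi for _, hi in bounds), "big")
    size = hi_addr - lo_addr + 1
    if size & (size - 1) or lo_addr % size:
        return None  # contiguous, but not an aligned power-of-two block
    return ipaddress.ip_network((lo_addr, 33 - size.bit_length()))


if __name__ == "__main__":
    # Constructed probes against the exclusion example from Table 7-4
    spec = "10.10.1-255.* exclude 10.10.10-200.100-150"
    for probe in ("10.10.50.120", "10.10.50.160", "10.10.0.5"):
        print(f"{probe} covered by {spec!r}: {ip_in_range_spec(spec, probe)}")
    print("10.77.10.* as subnet:", as_subnet("10.77.10.*"))
    print("1-5.*.7.9 as subnet:", as_subnet("1-5.*.7.9"))
```

Running the script prints which of the constructed probes the exclusion example admits and shows that 10.77.10.* collapses to 10.77.10.0/24 while the guide's dynamic example 1-5.*.7.9 has no mask equivalent; `as_subnet` is the check to run over a device list before accepting a wildcard entry that the table warns carries a run-time cost.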

 

 

 

 

User Guide for Cisco Secure Access Control System 5.3

7-12

OL-24201-01
