Chapter 7 Managing Network Resources

Network Devices and AAA Clients

Table 7-4  Creating Network Devices and AAA Clients (continued)

Single Connect Device
  Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one:
  - Legacy TACACS+ Single Connect Support
  - TACACS+ Draft Compliant Single Connect Support
  If you disable this option, a new TCP connection is opened for every TACACS+ request.
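Single-connection mode is not only a setting on the ACS side; it is negotiated on the wire. In the TACACS+ header the client sets a single-connect flag in the first packet of a session and the server confirms by setting the same flag in its first reply; only then may both sides keep the TCP connection open for later sessions. The following is an added example, not code from this guide or from ACS: it packs and parses the 12-byte TACACS+ header using the field layout and flag values of RFC 8907 and decides whether the connection can be reused. The session ID, packet type and empty body are constructed for the demo.

```python
"""TACACS+ header packing and single-connect negotiation (RFC 8907 layout).

Added example, not code from the ACS user guide. Packet bodies are omitted;
only the 12-byte header and the single-connect flag negotiation are shown.
"""
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01                 # constructed demo uses an authentication session
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # body sent in the clear; never accept in production
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04    # request (client) / confirm (server) single-connection mode

# version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")


def pack_header(packet_type, seq_no, session_id, body_len, single_connect):
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    return HEADER.pack(version, packet_type, seq_no, flags, session_id, body_len)


def unpack_header(data):
    """Parse a header; refuse packets whose body is flagged unencrypted."""
    if len(data) < HEADER.size:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("not a TACACS+ major version 0xc header")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        # The body is normally obfuscated with an MD5 keystream derived from the
        # shared secret; a cleartext body exposes credentials on the wire.
        raise ValueError("unencrypted-body flag set; refusing packet")
    return {"minor": version & 0xF, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def negotiate_single_connect(client_hdr, server_hdr):
    """True if both sides agreed on single-connection mode.

    Negotiation happens once per TCP connection: the client asks with the flag on
    its first packet (seq_no 1); the server confirms with the flag on its first
    reply (seq_no 2). If the server omits the flag, the client must fall back to
    closing the connection after the session.
    """
    if client_hdr["seq_no"] != 1 or server_hdr["seq_no"] != 2:
        return False
    if client_hdr["session_id"] != server_hdr["session_id"]:
        return False
    return bool(client_hdr["flags"] & server_hdr["flags"] & TAC_PLUS_SINGLE_CONNECT_FLAG)


def demo(server_supports_single_connect=True):
    """Constructed exchange: client requests single-connect, server may or may not confirm."""
    session_id = 0x1A2B3C4D  # constructed value
    request = pack_header(TAC_PLUS_AUTHEN, 1, session_id, 0, single_connect=True)
    reply = pack_header(TAC_PLUS_AUTHEN, 2, session_id, 0,
                        single_connect=server_supports_single_connect)
    return negotiate_single_connect(unpack_header(request), unpack_header(reply))


if __name__ == "__main__":
    print("keep connection open:", demo(True))   # True
    print("keep connection open:", demo(False))  # False
```

A client that keeps a connection open without a confirmed flag will see its later sessions fail against a server that closes after each session, which is the per-request connection behaviour described for the unchecked option.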

 

 

 

RADIUS
  Check to use the RADIUS protocol to authenticate communication to and from the network device.

RADIUS Shared Secret
  Shared secret of the network device, if you have enabled the RADIUS protocol.
  The shared secret is a string configured identically on ACS and on the network device; it is not
  something the end user enters. ACS uses it to validate the RADIUS requests the device sends (and the
  device uses it to validate ACS responses) before any username and password are evaluated. Requests
  from a device whose configured secret does not match the one stored here are rejected.
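What the shared secret actually protects is easy to get wrong, so here is an added example (not code from this guide or from ACS) that walks through the RFC 2865 and RFC 2869 mechanics with the Python standard library: the device hides User-Password with an MD5 keystream seeded by the secret, signs the Access-Request with a Message-Authenticator (HMAC-MD5 keyed by the secret), and the server computes a Response Authenticator that the device verifies on the reply. A request built with a different secret is rejected before the credentials are looked at. The username, password, secret and Request Authenticator are constructed values.

```python
"""RADIUS shared-secret mechanics (RFC 2865 / RFC 2869).

Added example, not code from the ACS user guide. Shows what the secret shared by
ACS and the AAA client does: hide User-Password, key the Message-Authenticator
HMAC, and seed the Response Authenticator. All packet contents are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block of the padded password with an MD5 chain."""
    padded = password + b"\x00" * ((-len(password) % 16) if password else 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, ident=1, request_auth=None):
    """Device side: Access-Request with hidden User-Password and a Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    body = (attr(USER_NAME, username)
            + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
            + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute; splice the HMAC in


def parse_attrs(pkt):
    """Return [(type, value, offset)] for the attributes after the 20-byte header."""
    out, pos = [], 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        out.append((atype, pkt[pos + 2:pos + alen], pos))
        pos += alen
    return out


def server_handle(pkt, secret, expected_user, expected_pw):
    """Server side: reject unless the Message-Authenticator validates under the secret
    configured for this AAA client; only then look at the username and password."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return ACCESS_REJECT
    request_auth = pkt[4:20]
    attrs = parse_attrs(pkt)
    mas = [(v, off) for t, v, off in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][0]) != 16:
        return ACCESS_REJECT
    value, off = mas[0]
    zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, value):
        return ACCESS_REJECT  # wrong shared secret, or packet tampered with in transit
    by_type = {t: v for t, v, _ in attrs}
    pw = reveal_password(by_type.get(USER_PASSWORD, b""), secret, request_auth)
    if by_type.get(USER_NAME) == expected_user and hmac.compare_digest(pw, expected_pw):
        return ACCESS_ACCEPT
    return ACCESS_REJECT


def build_reply(code, request_pkt, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request_pkt[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_pkt[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def nas_verify_reply(reply, request_pkt, secret):
    """Device side: a reply from a server holding a different secret (or a spoofer) fails here."""
    expected = hashlib.md5(reply[:4] + request_pkt[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

Two practical caveats follow from the code: the secret is the only thing authenticating the device, so it needs real entropy and a per-device value rather than one shared across the estate; and the Response Authenticator alone is MD5-based and was shown forgeable by the Blast-RADIUS attack (2024), so Message-Authenticator should be required on every packet and RADIUS traffic kept off untrusted networks.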

 

 

 

CoA Port
  Sets the RADIUS Change of Authorization (CoA) port that ACS uses to reach this device for the
  session directory, which you can launch from the Monitoring and Troubleshooting Viewer page.
  By default, the CoA port value is 1700.

 

 

Enable KeyWrap
  Check to enable the shared secret keys for RADIUS KeyWrap in PEAP, EAP-FAST and EAP-TLS
  authentications. Each key must be unique, and must also be distinct from the RADIUS shared
  secret. These keys are configurable for each AAA client. The default key input format for
  KeyWrap is hexadecimal string.

Key Encryption Key (KEK)
  Used for encryption of the Pairwise Master Key (PMK). In ASCII mode, enter a key of exactly
  16 characters; in hexadecimal mode, enter a key of exactly 32 characters (128 bits either way).

Message Authentication Code Key (MACK)
  Used to calculate the keyed-hash message authentication code (HMAC) over the RADIUS message.
  In ASCII mode, enter a key of exactly 20 characters; in hexadecimal mode, enter a key of exactly
  40 characters (160 bits either way).

Key Input Format
  Enter the keys as ASCII or hexadecimal strings. The default is hexadecimal.
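The KeyWrap rows above state three rules (fixed key lengths, ASCII or hexadecimal input, keys unique and distinct from the RADIUS shared secret) and one job for the MACK (an HMAC over the RADIUS message). The following added example, not code from this guide or from ACS, implements those rules and the MACK computation with the standard library. It assumes HMAC-SHA1, whose 20-byte key and tag match the MACK length given in the table, and treats the MAC as covering the message bytes with the MAC field zeroed, the same convention Message-Authenticator uses; the exact KeyWrap attribute layout is not shown, and encrypting the PMK with the KEK is not shown. Key strings and the sample message are constructed.

```python
"""RADIUS KeyWrap key handling: input-format parsing, uniqueness rules, MACK HMAC.

Added example, not code from the ACS user guide. HMAC-SHA1 is assumed for the
MACK (20-byte key and tag). PMK encryption with the KEK is not shown.
"""
import binascii
import hashlib
import hmac

KEK_LEN, MACK_LEN = 16, 20  # bytes: 16/32 and 20/40 characters in ASCII/hex mode


def parse_key(text, fmt, expected_len):
    """Turn a key as typed in the UI (Key Input Format: ascii|hex) into bytes of the required length."""
    if fmt == "ascii":
        key = text.encode("ascii")
    elif fmt == "hex":
        try:
            key = binascii.unhexlify(text.strip())
        except (binascii.Error, ValueError) as exc:
            raise ValueError("hex key is not valid hex: %s" % exc)
    else:
        raise ValueError("format must be 'ascii' or 'hex'")
    if len(key) != expected_len:
        chars = expected_len * (2 if fmt == "hex" else 1)
        raise ValueError("key must be %d bytes (%d %s characters), got %d bytes"
                         % (expected_len, chars, fmt, len(key)))
    return key


def load_keywrap_keys(kek_text, mack_text, fmt, radius_secret):
    """Parse both KeyWrap keys and apply the uniqueness rules from the table.

    The low-variety check is an added sanity check, not a rule the table states.
    """
    kek = parse_key(kek_text, fmt, KEK_LEN)
    mack = parse_key(mack_text, fmt, MACK_LEN)
    secret = radius_secret.encode("utf-8")
    for name, key in (("KEK", kek), ("MACK", mack)):
        if key == secret or key in secret or secret in key:
            raise ValueError("%s must be distinct from the RADIUS shared secret" % name)
        if len(set(key)) < 4:
            raise ValueError("%s has too little variety to be a real key" % name)
    if kek == mack[:KEK_LEN]:
        raise ValueError("KEK and MACK must be unique, not one a prefix of the other")
    return kek, mack


def mac_radius_message(message, mack):
    """20-byte HMAC-SHA1 tag over the RADIUS message bytes, keyed with the MACK.

    Caller passes the packet with the MAC field itself zeroed (assumed convention,
    matching Message-Authenticator).
    """
    return hmac.new(mack, message, hashlib.sha1).digest()


def verify_radius_message(message, tag, mack):
    """Constant-time check of a received tag; False on any modification of the message."""
    return hmac.compare_digest(mac_radius_message(message, mack), tag)


if __name__ == "__main__":
    # Constructed keys in the default hexadecimal input format.
    kek, mack = load_keywrap_keys("00112233445566778899aabbccddeeff",
                                  "0123456789abcdef0123456789abcdef01234567",
                                  "hex", "constructed-secret")
    msg = b"\x01\x05\x00\x2c" + bytes(16) + b"constructed-attrs"  # constructed packet bytes
    tag = mac_radius_message(msg, mack)
    print("tag length:", len(tag), "verifies:", verify_radius_message(msg, tag, mack))
```

Note that an ASCII key of 16 or 20 typed characters is a 128- or 160-bit key only if the characters are random; a memorable phrase of that length has far less entropy, which is one reason the hexadecimal format is the default.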

 

 

Security Group Access
  Appears only when you enable the Cisco Security Group Access feature. Check to use Security
  Group Access functionality on the network device. If the network device is the seed device (the
  first device in the Security Group Access network), you must also check the RADIUS check box.

Use Device ID for Security Group Access Identification
  Check this check box to use the configured device name as the device ID for Security Group Access
  identification. When you check it, the following field, Device ID, is disabled.

Device ID
  Name used for Security Group Access identification of this device. By default, the configured
  device name is used. To use another name, clear the Use Device ID for Security Group Access
  Identification check box and enter the name in this field.

Password
  Security Group Access authentication password.

Security Group Access Advanced Settings
  Check to display additional Security Group Access fields.

Other Security Group Access devices to trust this device (SGA trusted)
  Specifies whether this device's peer devices trust it. The default is checked, which means that
  the peer devices trust this device and do not change the SGTs on packets arriving from it.
  If you uncheck the check box, the peer devices repaint packets from this device with the peer's
  own SGT. Because a trusted device can assert any SGT, and peers enforce policy on that tag, leave
  this unchecked for devices that are not fully under your control.

 

 

 

 

 

User Guide for Cisco Secure Access Control System 5.3, OL-24201-01, page 7-13