Chapter 7 Managing Network Resources

Network Devices and AAA Clients

Table 7-5 Network Devices and AAA Clients Properties Page (continued)

Option
    Description

IP Range(s) By Mask
    Choose to enter an IP address with a subnet mask. You can configure up to 40 IP addresses or subnets for each network device. If you use a subnet mask in this field, every IP address within the specified subnet is permitted to access the network and is associated with this network device definition.

    When you use subnet masks, the number of unique IP addresses depends on the size of the subnet. For example, a mask of 255.255.255.0 (/24) covers 256 addresses.

    The first six IP addresses appear in the field; use the scroll bar to see any additional configured IP addresses.

    A mask is needed only when the entry should cover a range of addresses. You cannot use asterisks (*) as wildcards in this field; wildcards are available only with the IP Range option.

IP Range
    Choose to enter one or more ranges of IP addresses. You can configure up to 40 IP addresses or ranges for each network device. You can also exclude a subset of an IP address range from the configured range, for the case where that subset has already been added elsewhere.

    Use a hyphen (-) in any octet to specify a range of values, and an asterisk (*) in any octet as a wildcard that matches every value of that octet.

    Some examples of entering IP address ranges are:

    A single range: 10.77.10.1-10 or 192.120.10-12.10
    Multiple ranges: 10.*.1-20.10, 192.1-23.*.100-150
    Exclusions from a range: 10.10.1-255.* exclude 10.10.10-200.100-150

    Dynamic IP address ranges (for example, 1-5.*.7.9) have performance implications for both the run time and the management interface. We therefore recommend using an IP address and subnet mask whenever possible, and using dynamic ranges only when the set of addresses cannot be described with an IP address and subnet mask.
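The range syntax above can be checked offline before it is entered in ACS. The following Python is an added example, not Cisco or ACS code: it parses entries in the forms the table shows, tests whether a given device address falls inside an entry while honouring its exclusion, counts the unique addresses an entry grants, and reports whether a range could instead be written as an IP address with a subnet mask, the form the table recommends. It assumes that entries are comma-separated, that an exclusion is written as "range exclude range", and that a mask entry is written in CIDR form (for example 10.77.10.0/24); none of these conventions is spelled out on this page, and the function names are the example's own.

```python
"""Checker for the AAA-client IP range syntax shown in Table 7-5.

Added example, not Cisco or ACS code. Assumptions not stated on the page:
entries are comma-separated; an exclusion is written "range exclude range";
a mask entry is written in CIDR form, e.g. "10.77.10.0/24".
"""
import ipaddress


def _octet(tok):
    """Turn 'n', 'n-m' or '*' into an inclusive (lo, hi) pair."""
    if tok == "*":
        return (0, 255)
    lo, _, hi = tok.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet range: {tok!r}")
    return (lo, hi)


def parse_pattern(text):
    """Per-octet (lo, hi) bounds. A CIDR block is also such a box: fixed
    octets, at most one partially fixed octet, then full 0-255 octets."""
    text = text.strip()
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        first, last = int(net.network_address), int(net.broadcast_address)
        return tuple(((first >> s) & 255, (last >> s) & 255) for s in (24, 16, 8, 0))
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    return tuple(_octet(p) for p in parts)


def parse_rules(text):
    """'A, B exclude C' -> [(box_A, None), (box_B, box_C)]."""
    rules = []
    for entry in text.split(","):
        if not entry.strip():
            continue
        inc, _, exc = entry.partition(" exclude ")
        rules.append((parse_pattern(inc), parse_pattern(exc) if exc else None))
    return rules


def _in_box(octs, box):
    return all(lo <= o <= hi for o, (lo, hi) in zip(octs, box))


def matches(rules, addr):
    """True if some entry covers the device address and its exclusion does not."""
    octs = tuple(int(p) for p in addr.split("."))
    return any(_in_box(octs, inc) and not (exc and _in_box(octs, exc))
               for inc, exc in rules)


def _size(box):
    n = 1
    for lo, hi in box:
        n *= hi - lo + 1
    return n


def entry_size(inc, exc=None):
    """Unique addresses one entry grants: include size minus its overlap with the exclusion."""
    if exc is None:
        return _size(inc)
    overlap = tuple((max(a, c), min(b, d)) for (a, b), (c, d) in zip(inc, exc))
    if any(lo > hi for lo, hi in overlap):
        return _size(inc)
    return _size(inc) - _size(overlap)


def as_cidr(box):
    """CIDR string if the box is exactly one IP-plus-mask block, else None
    (the entry then needs the slower dynamic-range form)."""
    first = last = 0
    for lo, hi in box:
        first, last = (first << 8) | lo, (last << 8) | hi
    size = _size(box)
    # one CIDR block = contiguous, power-of-two size, aligned to its own size
    if last - first + 1 != size or size & (size - 1) or first % size:
        return None
    return f"{ipaddress.IPv4Address(first)}/{33 - size.bit_length()}"


if __name__ == "__main__":
    rules = parse_rules("10.10.1-255.* exclude 10.10.10-200.100-150")
    print(matches(rules, "10.10.5.120"), matches(rules, "10.10.50.120"))  # True False
    print(entry_size(*rules[0]))                                          # 55539
    print(as_cidr(parse_pattern("1-5.*.7.9")), as_cidr(parse_pattern("10.77.10.0-255")))
```

The exclusion arithmetic works because every pattern, CIDR blocks included, is an octet-wise box, so the overlap of an include and an exclude is again a box and can be counted by multiplying the per-octet widths. as_cidr is the check to run before choosing the IP Range option: when it returns a prefix, the IP Range(s) By Mask form describes the same devices without the run-time cost.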

Authentication Options


TACACS+
    Check to use the Cisco TACACS+ protocol for AAA communication with the network device.

    You must use this option if the network device is a Cisco device-management application, such as Management Center for Firewalls. You should use this option when the network device is a Cisco access server, router, or firewall.

TACACS+ Shared Secret
    Shared secret of the network device, used if you enabled the TACACS+ protocol.

    The shared secret is a string configured identically on ACS and on the network device. TACACS+ uses it to obfuscate the body of every packet exchanged with the device, so a request from a device whose configured secret does not match the value entered here cannot be decoded and is rejected until the two secrets agree. This obfuscation is not strong encryption, so keep TACACS+ traffic on a protected management network.

Single Connect Device
    Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one:

    Legacy TACACS+ Single Connect Support
    TACACS+ Draft Compliant Single Connect Support

    If you disable this option, a new TCP connection is used for every TACACS+ request.
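To make concrete what the shared secret and the single-connect option above do on the wire, here is an added Python example, not Cisco or ACS code, that builds and decodes a TACACS+ authentication START packet as RFC 8907 describes it: the 12-byte header carries the single-connect flag (0x04), and the body is XORed with an MD5 keystream derived from the session id, the shared secret, the version and the sequence number. Decoding with the secret configured on the other side recovers the fields; decoding with a different secret yields a body whose length fields do not add up, which is how a secret mismatch shows up as a rejected request. The session id, user name, port and secrets are constructed sample values, and the function names are the example's own.

```python
"""TACACS+ header and body handling with a shared secret (RFC 8907, sections 4.1 and 4.5).

Added example, not Cisco or ACS code. All session ids, names and secrets below
are constructed sample values.
"""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
VERSION = 0xC0  # major version 0xC, minor version 0


def keystream(session_id, secret, version, seq_no, length):
    """MD5(sid|key|ver|seq), then MD5(sid|key|ver|seq|previous digest), chained."""
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, secret, seq_no, version=VERSION):
    """XOR the body with the keystream; the same call decrypts, XOR being its own inverse."""
    pad = keystream(session_id, secret, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def header(seq_no, session_id, body_len, single_connect=False, version=VERSION):
    """12-byte header: version, type, seq_no, flags, session_id, body length."""
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    return struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, body_len)


def authen_start(user, port, rem_addr, priv_lvl=1):
    """Authentication START body: action LOGIN (1), type ASCII (1), service LOGIN (1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return bytes([1, priv_lvl, 1, 1, len(u), len(p), len(r), 0]) + u + p + r


def parse_authen_start(body):
    """Recover the START fields; a body decoded with the wrong secret fails the length check."""
    if len(body) < 8:
        raise ValueError("body too short")
    ulen, plen, rlen, dlen = body[4:8]
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("field lengths do not add up: wrong shared secret or corrupt body")
    off = 8
    user = body[off:off + ulen]
    off += ulen
    port = body[off:off + plen]
    off += plen
    rem = body[off:off + rlen]
    return {"user": user.decode(errors="replace"),
            "port": port.decode(errors="replace"),
            "rem_addr": rem.decode(errors="replace")}


def build_packet(user, secret, session_id, seq_no=1, single_connect=True):
    """Device side: header plus obfuscated START body (port and address are sample values)."""
    body = authen_start(user, "tty1", "10.77.10.5")
    return header(seq_no, session_id, len(body), single_connect) + obfuscate(body, session_id, secret, seq_no)


def decode_packet(packet, secret):
    """Server side: unpack the header, strip the keystream unless the unencrypted flag is set, parse."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, secret, seq_no, version)
    return flags, parse_authen_start(body)


if __name__ == "__main__":
    sid = 0x1A2B3C4D  # constructed session id
    pkt = build_packet("admin", b"acs-secret", sid)
    print(decode_packet(pkt, b"acs-secret"))
    try:
        print(decode_packet(pkt, b"wrong-secret"))
    except ValueError as err:
        print("rejected:", err)
```

The single-connect flag in the header is what the Single Connect Device option negotiates: when both sides set it, the device keeps the TCP session open for further requests instead of opening one per request. Nothing in the keystream authenticates the device; a wrong secret is detected only because the decoded body fails to parse, which is why the shared secret alone is not a substitute for a protected management network.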

RADIUS
    Check to use the RADIUS protocol to authenticate communication to and from the network device.
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
7-15