Chapter 7 Managing Network Resources

Network Devices and AAA Clients

Table 7-5 Network Devices and AAA Clients Properties Page (continued)

Option
    Description

RADIUS Shared Secret
    Shared secret of the network device, if you have enabled the RADIUS protocol. A shared secret is an expected string of text, which a user must provide before the network device authenticates a username and password. The connection is rejected until the user supplies the shared secret.
CoA Port
    Sets the RADIUS CoA port used by the session directory for user authentication. You can launch this session directory from the Monitoring and Troubleshooting Viewer page. By default, the CoA port value is 1700.

Enable KeyWrap
    Check to enable the shared secret keys for RADIUS Key Wrap in PEAP, EAP-FAST and EAP-TLS authentications. Each key must be unique and distinct from the RADIUS shared key. You can configure these shared keys for each AAA client.

Key Encryption Key (KEK)
    Used to encrypt the Pairwise Master Key (PMK). In ASCII mode, enter a key with 16 characters. In hexadecimal mode, enter a key with 32 characters.

Message Authentication Code Key (MACK)
    Used to calculate the keyed hashed message authentication code (HMAC) over the RADIUS message. In ASCII mode, enter a key with 20 characters. In hexadecimal mode, enter a key with 40 characters.

Key Input Format
    Enter the keys as ASCII or hexadecimal strings. The default is hexadecimal.

Security Group Access
    Appears only when you enable the Cisco Security Group Access feature. Check to use Security Group Access functionality on the network device. If the network device is the seed device (the first device in the Security Group Access network), you must also check the RADIUS check box.

Identification
    Name that will be used for Security Group Access identification of this device. By default, you can use the configured device name. If you want to use another name, clear the "Use device name for Security Group Access identification" check box, and enter the name in the Identification field.

Password
    Security Group Access authentication password.

Security Group Access Advanced Settings
    Check to display additional Security Group Access fields.

Other Security Group Access devices to trust this device
    Specifies whether all the device's peer devices trust this device. The default is checked, which means that the peer devices trust this device and do not change the SGTs on packets arriving from this device. If you uncheck the check box, the peer devices repaint packets from this device with the related peer SGT.

Download peer authorization policy every: Weeks Days Hours Minutes Seconds
    Specifies the expiry time for the peer authorization policy. ACS returns this information to the device in the response to a peer policy request. The default is 1 day.

Download SGACL lists every: Weeks Days Hours Minutes Seconds
    Specifies the expiry time for SGACL lists. ACS returns this information to the device in the response to a request for SGACL lists. The default is 1 day.
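The KeyWrap rows above state length rules in characters that depend on the Key Input Format (16 ASCII or 32 hexadecimal characters for the KEK, 20 or 40 for the MACK) and a uniqueness rule (each key distinct from the other and from the RADIUS shared secret). The following Python is an added example, not code from the Cisco guide or from ACS: it normalises keys entered in either format to raw bytes, checks the resulting byte lengths and the uniqueness rule, and shows the MACK being used as an HMAC key over a constructed RADIUS message. The function names, the sample keys and the choice of HMAC-SHA-1 are assumptions of this example; the page only says an HMAC is computed over the RADIUS message.

```python
import hashlib
import hmac

# Raw byte lengths implied by Table 7-5: 16 ASCII / 32 hex characters for the
# KEK and 20 ASCII / 40 hex characters for the MACK both decode to these sizes.
KEY_LENGTHS = {"KEK": 16, "MACK": 20}


def parse_keywrap_key(name: str, value: str, input_format: str = "hexadecimal") -> bytes:
    """Normalise a KEK or MACK typed in ASCII or hexadecimal form to raw bytes
    and enforce the byte length ACS requires for that key.

    input_format is "ascii" or "hexadecimal" (the ACS default).
    Raises ValueError on a malformed or wrongly sized key.
    """
    expected = KEY_LENGTHS[name]
    if input_format == "ascii":
        # Non-ASCII characters raise UnicodeEncodeError, which is a ValueError.
        raw = value.encode("ascii")
    elif input_format == "hexadecimal":
        try:
            raw = bytes.fromhex(value)
        except ValueError as exc:
            raise ValueError(f"{name}: not a valid hexadecimal string") from exc
    else:
        raise ValueError(f"unknown key input format: {input_format!r}")
    if len(raw) != expected:
        raise ValueError(f"{name}: expected {expected} bytes, got {len(raw)}")
    return raw


def keywrap_config_errors(shared_secret: str, kek: str, mack: str,
                          input_format: str = "hexadecimal") -> list:
    """Return a list of problems with a KeyWrap configuration (empty if valid).

    Applies the table's rules: correct length for each key, and every KeyWrap
    key distinct from the other key and from the RADIUS shared secret.
    """
    errors = []
    decoded = {}
    for name, value in (("KEK", kek), ("MACK", mack)):
        try:
            decoded[name] = parse_keywrap_key(name, value, input_format)
        except ValueError as exc:
            errors.append(str(exc))
    if len(decoded) == 2 and decoded["KEK"] == decoded["MACK"]:
        errors.append("KEK and MACK must be distinct")
    secret_bytes = shared_secret.encode("utf-8")
    for name, raw in decoded.items():
        if raw == secret_bytes:
            errors.append(f"{name} must differ from the RADIUS shared secret")
    return errors


def message_authenticator(mack: bytes, radius_message: bytes) -> bytes:
    """Keyed HMAC over a RADIUS message using the MACK.

    HMAC-SHA-1 is an assumption of this example (the page does not name the
    hash); the point is that the 20-byte MACK, not the shared secret, is the
    key for message authentication.
    """
    return hmac.new(mack, radius_message, hashlib.sha1).digest()


if __name__ == "__main__":
    # Constructed sample values: a 32-hex-character KEK and a 40-hex-character MACK.
    kek_hex = "00112233445566778899aabbccddeeff"
    mack_hex = "000102030405060708090a0b0c0d0e0f10111213"
    print("hex config errors:", keywrap_config_errors("RadiusSecret1", kek_hex, mack_hex))
    # Same mistake as reusing the shared secret as a KeyWrap key, in ASCII mode.
    print("ascii reuse errors:",
          keywrap_config_errors("0123456789abcdef", "0123456789abcdef",
                                "twenty-character-key", "ascii"))
    # Constructed stand-in for a RADIUS packet; a real one would be the full datagram.
    tag = message_authenticator(bytes.fromhex(mack_hex), b"constructed RADIUS message")
    print("HMAC length:", len(tag))
```

Running the block reports no errors for the hexadecimal sample, one error for the ASCII sample because the KEK equals the shared secret, and a 20-byte HMAC. The same parser can be reused wherever an operator script pushes AAA client definitions, so a key of the wrong length or a reused shared secret is rejected before it reaches the device.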

User Guide for Cisco Secure Access Control System 5.3, OL-24201-01, page 7-16
