Chapter 3 Network Configuration

Configuring AAA Clients

The Authenticate Using list always contains:

TACACS+ (Cisco IOS)—The Cisco IOS TACACS+ protocol, which is the standard choice when using Cisco Systems access servers, routers, and firewalls. If the AAA client is a Cisco device-management application, such as Management Center for Firewalls, you must use this option.

RADIUS (Cisco Airespace)—RADIUS using Cisco Airespace VSAs. Select this option if the network device is a Cisco Airespace WLAN device supporting authentication via RADIUS.

RADIUS (Cisco Aironet)—RADIUS using Cisco Aironet VSAs. Select this option if the network device is a Cisco Aironet Access Point used by users who authenticate with the Lightweight and Efficient Application Protocol (LEAP) or the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) protocol, provided that these protocols are enabled on the Global Authentication Setup page in the System Configuration section.

When an authentication request from a RADIUS (Cisco Aironet) AAA client arrives, ACS first attempts authentication by using LEAP; if this fails, ACS fails over to EAP-TLS. If LEAP is not enabled on the Global Authentication Setup page, ACS immediately attempts EAP-TLS authentication. If neither LEAP nor EAP-TLS is enabled on the Global Authentication Setup, any authentication attempt received from a Cisco Aironet RADIUS client fails. For more information about enabling LEAP or EAP-TLS, see Global Authentication Setup, page 9-19.

Using this option enables ACS to send the wireless network device a different session-timeout value for user sessions than ACS sends to wired end-user clients.

Note If all authentication requests from a particular Cisco Aironet Access Point are PEAP or EAP-TLS requests, use RADIUS (IETF) instead of RADIUS (Cisco Aironet). ACS cannot support PEAP authentication by using the RADIUS (Cisco Aironet) protocol.

RADIUS (Cisco BBSM)—RADIUS using Cisco Broadband Services Manager (BBSM) Vendor Specific Attributes (VSAs). Select this option if the network device is a Cisco BBSM network device supporting authentication via RADIUS.

RADIUS (Cisco IOS/PIX 6.0)—RADIUS using Cisco IOS/PIX 6.0 VSAs. This option enables you to pack commands sent to a Cisco IOS or Project Information Exchange (PIX)S 6.0 AAA client. The commands are defined in the Group Setup section. Select this option for RADIUS environments in which key TACACS+ functions are required to support Cisco IOS and PIX equipment.

RADIUS (Cisco VPN 3000/ASA/PIX7.x+)—RADIUS using Cisco VPN 3000 concentrator, ASA device, and PIX 7.x device VSAs. Select this option if the network device is a Cisco VPN 3000 series concentrator, an ASA, or PIX 7.x+ device supporting authentication via RADIUS.

RADIUS (Cisco VPN 5000)—RADIUS using Cisco VPN 5000 VSAs. Select this option if the network device is a Cisco VPN 5000 series Concentrator.

RADIUS (IETF)—IETF-standard RADIUS, using no VSAs. Select this option if the AAA client represents RADIUS-enabled devices from more than one manufacturer and you want to use standard IETF RADIUS attributes. If the AAA client represents a Cisco Aironet Access Point used only by users who authenticate with PEAP or EAP-TLS, this is also the protocol to select.

RADIUS (Ascend)—RADIUS using Ascend RADIUS VSAs. Select this option if the network device is an Ascend network device that supports authentication via RADIUS.

RADIUS (Juniper)—RADIUS using Juniper RADIUS VSAs. Select this option if the network device is a Juniper network device that supports authentication via RADIUS.

User Guide for Cisco Secure Access Control Server

3-10

OL-9971-01

 

 

Page 10
Image 10
Cisco Systems OL-9971-01 manual Network Configuration Configuring AAA Clients