Chapter 3 Network Configuration

Configuring Network Device Groups

Adding a Network Device Group

You can assign users or groups of users to NDGs. For more information, see:

Setting TACACS+ Enable Password Options for a User, page 6-23

Setting Enable Privilege Options for a User Group, page 5-13

To add an NDG:

Step 1 In the navigation bar, click Network Configuration.

The Network Configuration page opens.

Step 2 Under the Network Device Groups table, click Add Entry.

Tip If the Network Device Groups table does not appear, choose Interface Configuration > Advanced Options. Then, choose Network Device Groups.

Step 3 In the Network Device Group Name box, type the name of the new NDG.

Tip The maximum name length is 24 characters. Quotation marks (") and commas (,) are not allowed. Spaces are allowed.

Step 4 In the Shared Secret box, enter a key for the Network Device Group. The maximum length is 32 characters.

Each device that is assigned to the Network Device Group will use the shared key that you enter here. The key that was assigned to the device when it was added to the system is ignored. If the key entry is null, the AAA client key is used. See AAA Client Configuration Options, page 3-8. This feature simplifies key management for devices.

Step 5 In the RADIUS Key Wrap section, enter the shared secret keys for RADIUS Key Wrap in EAP-TLS authentications.

Each key must be unique, and must also be distinct from the RADIUS shared key. These shared keys are configurable for each AAA Client, as well as for each NDG. The NDG key configuration overrides the AAA Client configuration. If the key entry is null, the AAA client key is used. See AAA Client Configuration Options, page 3-8.

Key Encryption Key (KEK)—This is used for encryption of the Pairwise Master Key (PMK). In ASCII mode, enter a key of exactly 16 characters; in hexadecimal mode, enter a key of 32 characters.

Message Authentication Code Key (MACK)—This is used for the keyed hashed message authentication code (HMAC) calculation over the RADIUS message. In ASCII mode, enter a key of exactly 20 characters; in hexadecimal mode, enter a key of 40 characters.

Note If you leave a key field empty when key wrap is enabled, the key will contain only zeros.

Key Input Format—Select whether to enter the keys as ASCII or hexadecimal strings (the default is ASCII).
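
The limits in Steps 3 through 5 can be checked before the values are typed into the form. The following Python function is an added example, not part of this guide or of ACS; the names check_ndg and decode_key and all sample values are hypothetical, and it assumes the shared secret is always entered as text.

```python
import string

# Key sizes from the steps above, in bytes: 16 ASCII / 32 hex characters for
# the KEK, 20 ASCII / 40 hex characters for the MACK.
KEY_BYTES = {"KEK": 16, "MACK": 20}

def decode_key(label, key, fmt):
    """Return the key as bytes, or raise ValueError describing the problem."""
    size = KEY_BYTES[label]
    if fmt == "hex":
        if len(key) != 2 * size or any(c not in string.hexdigits for c in key):
            raise ValueError(f"{label}: need exactly {2 * size} hexadecimal characters")
        return bytes.fromhex(key)
    if len(key) != size or not key.isascii():
        raise ValueError(f"{label}: need exactly {size} ASCII characters")
    return key.encode("ascii")

def check_ndg(name, shared_secret, kek, mack, fmt="ascii"):
    """Return a list of problems with proposed NDG values (empty list = none)."""
    problems = []
    if len(name) > 24:
        problems.append("name: maximum length is 24 characters")
    if any(c in name for c in '",'):
        problems.append("name: quotation marks and commas are not allowed")
    if len(shared_secret) > 32:
        problems.append("shared secret: maximum length is 32 characters")
    # Assumption: the shared secret is always entered as text, so it is
    # compared with the key-wrap keys byte for byte after decoding them.
    seen = {shared_secret.encode(): "shared secret"} if shared_secret else {}
    for label, key in (("KEK", kek), ("MACK", mack)):
        if key == "":
            # Per the Note above: an empty field with key wrap enabled.
            problems.append(f"{label}: empty, the key would contain only zeros")
            continue
        try:
            raw = decode_key(label, key, fmt)
        except ValueError as err:
            problems.append(str(err))
            continue
        if raw in seen:
            problems.append(f"{label}: must differ from the {seen[raw]}")
        seen[raw] = label
    return problems
```

The uniqueness check compares decoded bytes, so a hexadecimal KEK that encodes the same 16 bytes as an ASCII shared secret is reported as a duplicate.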

User Guide for Cisco Secure Access Control Server

3-24

OL-9971-01

 

 
