User Guide for Cisco Secure Access Control Server, OL-9971-01
Chapter 3 Network Configuration: Configuring AAA Clients (page 3-9)
Number—You can specify a single number, for example, 10.3.157.98.
Numeric range—You can specify the low and high numbers of the range in the octet, separated by a hyphen (-), for example, 10.3.157.10-50.
Wildcard—You can use an asterisk (*) to match all numbers in that octet, for example, 10.3.157.*.
ACS allows any octet or octets in the IP Address box to be a number, a numeric range, or an asterisk (*), for example 172.16-31.*.*. Every address that an entry matches uses that entry's single shared secret, so keep range and wildcard entries as narrow as the device population allows.
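The per-octet matching rules above (number, low-high range, asterisk) are simple enough to implement, and a matcher is useful for answering "which AAA client entry will this NAS hit?" before committing a change. The following is an added example, not Cisco or ACS code; it enforces only the rules stated on this page, and the client table at the bottom is constructed for illustration.

```python
"""Matcher for the AAA client IP address patterns described above.

Added example, not Cisco/ACS code. It implements only the per-octet rules on
this page: a number, a low-high range, or an asterisk wildcard. The client
table at the bottom is constructed for illustration.
"""
import re

_OCTET = re.compile(r"^(?:\*|(\d{1,3})(?:-(\d{1,3}))?)$")


def parse_pattern(pattern: str) -> list:
    """Return four (low, high) bounds for an ACS IP pattern such as 172.16-31.*.*.

    A malformed pattern raises ValueError instead of silently matching nothing.
    """
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {pattern!r}")
    bounds = []
    for part in parts:
        m = _OCTET.match(part)
        if m is None:
            raise ValueError(f"bad octet {part!r} in {pattern!r}")
        if part == "*":
            bounds.append((0, 255))
            continue
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        if not 0 <= low <= high <= 255:
            raise ValueError(f"range out of order or out of bounds: {part!r}")
        bounds.append((low, high))
    return bounds


def matches(pattern: str, address: str) -> bool:
    """True if a dotted-quad IPv4 address satisfies every octet bound of pattern."""
    octets = address.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {address!r}")
    return all(low <= int(o) <= high
               for o, (low, high) in zip(octets, parse_pattern(pattern)))


def address_count(pattern: str) -> int:
    """How many addresses a pattern covers. Every one of them shares the entry's
    single shared secret, so a large count deserves a second look."""
    count = 1
    for low, high in parse_pattern(pattern):
        count *= high - low + 1
    return count


def matching_clients(clients: dict, address: str) -> list:
    """Names of every AAA client entry whose pattern covers the address.
    More than one hit means overlapping entries that should be reviewed."""
    return [name for name, pattern in clients.items() if matches(pattern, address)]


# Constructed AAA client table for the demonstration; names and ranges are made up.
SAMPLE_CLIENTS = {
    "core-switch-1": "10.3.157.98",
    "branch-routers": "10.3.157.10-50",
    "lab-subnet": "10.3.157.*",
    "campus-wlcs": "172.16-31.*.*",
}

if __name__ == "__main__":
    for addr in ("10.3.157.98", "10.3.157.42", "172.20.1.1", "192.0.2.1"):
        print(addr, matching_clients(SAMPLE_CLIENTS, addr))
    print("campus-wlcs covers", address_count("172.16-31.*.*"), "addresses")
```

A reversed range such as 10.3.157.50-10 is rejected rather than accepted as an empty match, and `matching_clients` reporting more than one entry for an address is the signal that two entries overlap and one of them may be applying the wrong secret or NDG.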
Shared Secret—The shared secret key of the AAA client. Maximum length for the AAA client key is 32 characters.
For correct operation, the key must be identical on the AAA client and ACS. Keys are case sensitive. If the shared secret does not match, ACS discards all packets from the network device.
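One concrete way a mismatched or wrongly cased shared secret shows up on the wire is the RADIUS Message-Authenticator attribute (RFC 3579): an HMAC-MD5 over the whole Access-Request keyed with the shared secret, which the server recomputes and which is required on requests carrying EAP. The following added example (not Cisco or ACS code) builds such a request and checks it with the correct secret, a secret that differs only in case, and a tampered packet; the packet, user name and secret values are constructed placeholders.

```python
"""RFC 3579 Message-Authenticator check on a RADIUS Access-Request.

Added example, not Cisco/ACS code. The packet is constructed inline and the
shared secret values are placeholders chosen for the demonstration.
"""
import hashlib
import hmac

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code, Identifier, Length, Request Authenticator


def build_access_request(identifier: int, request_auth: bytes,
                         user_name: bytes, shared_secret: str) -> bytes:
    """Build an Access-Request with User-Name and a Message-Authenticator.

    The MAC is HMAC-MD5 over the entire packet, keyed with the shared secret,
    with the attribute's own 16 value bytes set to zero while computing.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = bytes([ATTR_USER_NAME, 2 + len(user_name)]) + user_name
    length = HEADER_LEN + len(attrs) + 18
    header = bytes([ACCESS_REQUEST, identifier]) + length.to_bytes(2, "big") + request_auth
    placeholder = bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    mac = hmac.new(shared_secret.encode("utf-8"),
                   header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + mac


def verify_message_authenticator(packet: bytes, shared_secret: str) -> bool:
    """Recompute the MAC with the server's copy of the secret.

    False means the packet would be discarded: wrong secret, wrong case,
    modified contents, malformed attribute lengths, or no MAC present.
    """
    if len(packet) < HEADER_LEN:
        return False
    length = int.from_bytes(packet[2:4], "big")
    if length < HEADER_LEN or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding (RFC 2865)
    i = HEADER_LEN
    while i + 2 <= len(packet):
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > len(packet):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[i + 2:i + 18]
            zeroed = packet[:i + 2] + bytes(16) + packet[i + 18:]
            expected = hmac.new(shared_secret.encode("utf-8"), zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        i += attr_len
    return False


def demo() -> tuple:
    request_auth = bytes(range(16))  # constructed; a real NAS uses 16 random bytes
    packet = build_access_request(7, request_auth, b"alice", "S3cretKey")
    return (
        verify_message_authenticator(packet, "S3cretKey"),   # same key on both sides
        verify_message_authenticator(packet, "s3cretkey"),   # case differs: discarded
        verify_message_authenticator(packet, "S3cretKey!"),  # any other difference
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Without a Message-Authenticator the server has no direct way to tell a wrong secret from a wrong password on a plain PAP request, since the User-Password attribute simply decrypts to garbage; that is why the attribute is worth requiring wherever the NAS supports it.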
Network Device Group—The name of the NDG to which this AAA client should belong. To make the AAA client independent of NDGs, use the Not Assigned selection.
Note This option does not appear if you have not configured ACS to use NDGs. To enable NDGs, choose Interface Configuration > Advanced Options. Then, check the Network Device Groups check box.
RADIUS Key Wrap—The shared secret keys for RADIUS Key Wrap in EAP-TLS authentications. Each key must be unique, and must also be distinct from the RADIUS shared key. These shared keys are configurable for each AAA client, as well as for each NDG. The NDG key configuration overrides the AAA client configuration.
Key Encryption Key (KEK)—This is used for encryption of the Pairwise Master Key (PMK). In ASCII mode, enter a key length of exactly 16 characters; in hexadecimal mode, enter a key length of 32 characters.
Message Authentication Code Key (MACK)—This is used for the keyed hashed message authentication code (HMAC) calculation over the RADIUS message. In ASCII mode, enter a key length of exactly 20 characters; in hexadecimal mode, enter a key length of 40 characters.
Note If you leave a key field empty when key wrap is enabled, the key will contain only zeros. An all-zero key is a known constant, so an empty field gives the PMK no confidentiality and the HMAC no integrity value; always populate both fields.
Key Input Format—Select whether to enter the keys as ASCII or hexadecimal strings (the default is ASCII). The format applies to both the KEK and the MACK; the same 16-byte KEK is 16 ASCII characters or 32 hexadecimal digits.
Note You must enable the Key Wrap feature in the NAP Authentication Settings page to implement these shared keys in EAP-TLS authentication.
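The rules above (exact KEK and MACK lengths in either input format, keys unique and distinct from the RADIUS shared secret, empty fields silently becoming all zeros) are easy to get wrong by hand across many AAA client entries. The following added example (not Cisco or ACS code) checks one entry against exactly those rules; the sample secrets are constructed placeholders. It does not reproduce the PMK wrapping or the RADIUS message HMAC itself, which the page does not specify.

```python
"""Consistency checks for the RADIUS Key Wrap fields (KEK, MACK) and the
Key Input Format described above.

Added example, not Cisco/ACS code. Only the rules stated on the page are
enforced: key lengths, uniqueness, distinctness from the RADIUS shared
secret, and the empty-field-becomes-zeros behaviour.
"""
import binascii

SHARED_SECRET_MAX = 32
KEY_LEN = {"KEK": 16, "MACK": 20}  # bytes: ASCII characters, or hex digits / 2


def decode_key(value: str, key_format: str) -> bytes:
    """Convert a field value to key bytes according to Key Input Format."""
    if key_format == "ascii":
        return value.encode("ascii")
    if key_format == "hex":
        try:
            return binascii.unhexlify(value)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"not a valid hex string: {value!r}") from exc
    raise ValueError(f"unknown Key Input Format {key_format!r}")


def check_keywrap_entry(shared_secret: str, kek: str, mack: str,
                        key_format: str = "ascii") -> list:
    """Return the problems found with one AAA client's key material.

    An empty list means the entry satisfies the rules on this page.
    """
    problems = []
    if not shared_secret:
        problems.append("shared secret is empty")
    elif len(shared_secret) > SHARED_SECRET_MAX:
        problems.append(f"shared secret exceeds {SHARED_SECRET_MAX} characters")

    keys = {}
    for name, raw in (("KEK", kek), ("MACK", mack)):
        if raw == "":
            # ACS stores an all-zero key for an empty field when key wrap is on
            problems.append(f"{name} is empty; ACS would use an all-zero key")
            continue
        try:
            key = decode_key(raw, key_format)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if len(key) != KEY_LEN[name]:
            problems.append(f"{name} must be {KEY_LEN[name]} bytes, got {len(key)}")
        if key == bytes(len(key)):
            problems.append(f"{name} is all zeros")
        if raw == shared_secret or key == shared_secret.encode("utf-8"):
            problems.append(f"{name} equals the RADIUS shared secret")
        keys[name] = key

    if len(keys) == 2 and keys["KEK"] == keys["MACK"]:
        problems.append("KEK and MACK are identical")
    return problems


if __name__ == "__main__":
    # Constructed entries: one that passes and one with several mistakes.
    print(check_keywrap_entry("nasSecret1", "0123456789abcdef", "abcdefghijklmnopqrst"))
    print(check_keywrap_entry("0123456789abcdef", "0123456789abcdef", "", "ascii"))
```

Because the NDG key configuration overrides the per-client one, run the check on the NDG's keys as well as the client's; a correct client entry is irrelevant if the NDG it belongs to carries an empty or zero key.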
Authenticate Using—The AAA protocol to use for communications with the AAA client. The Authenticate Using list includes Cisco IOS TACACS+ and several vendor-specific implementations of RADIUS. If you have configured user-defined RADIUS vendors and VSAs, those vendor-specific RADIUS implementations appear on the list also. For information about creating user-defined RADIUS VSAs, see Custom RADIUS Vendors and VSAs, page 8-19.