IBM Tivoli and Cisco manual AAA client setup

7. Click Add Entry under AAA Clients to add any AAA clients to this particular NDG. You can configure all NADs as a single AAA client by using IP address wildcards (*.*.*.*). In Figure 7-17 we have done this and used the RADIUS key cisco123. Note that authentication is done using RADIUS (IOS/PIX 6.0). There are other options available, depending on what is being defined as a NAD. Click Submit and then Apply.

Figure 7-17 AAA client setup

Note: The use of wildcards (*.*.*.*) is designed to help with scalability. For example, if your network has over 100 switches, defining each one as a separate NAD is very time consuming. By using *.*.*.*, every device that is configured to point to the ACS as its RADIUS server and has the same RADIUS key will exchange information with the ACS. This introduces a security vulnerability, however: anyone who knows the RADIUS server IP address and the RADIUS key can exchange RADIUS traffic with the ACS from any source address. A better option may be to define NDGs based on subnet information, such as 192.168.10.*, which retains some scalability while limiting the addresses from which the ACS accepts requests.
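The octet-wildcard syntax described above can be audited mechanically. The following is an added example (not code from the Redbook or from Cisco Secure ACS) that evaluates which source addresses an AAA client pattern accepts and flags entries broader than a single /24; the client list and the second RADIUS key are constructed sample data.

```python
"""Audit Cisco Secure ACS-style AAA client address patterns (added example)."""
import ipaddress


def octet_pattern_matches(pattern: str, ip: str) -> bool:
    """True if ip matches pattern; '*' in an octet position matches any value."""
    p_octets = pattern.split(".")
    if len(p_octets) != 4:
        raise ValueError(f"bad AAA client pattern: {pattern!r}")
    ip_octets = str(ipaddress.IPv4Address(ip)).split(".")
    for p, o in zip(p_octets, ip_octets):
        if p == "*":
            continue
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError(f"bad octet {p!r} in pattern {pattern!r}")
        if int(p) != int(o):
            return False
    return True


def pattern_scope(pattern: str) -> int:
    """Number of IPv4 source addresses the pattern accepts (256 per wildcard octet)."""
    if len(pattern.split(".")) != 4:
        raise ValueError(f"bad AAA client pattern: {pattern!r}")
    return 256 ** pattern.split(".").count("*")


def audit_aaa_clients(clients, max_scope=256):
    """Return (name, pattern, reason) for entries accepting more than max_scope addresses.

    clients is an iterable of (name, address_pattern, radius_key) tuples,
    mirroring the AAA Clients table in ACS. The default threshold of 256
    corresponds to the subnet-scoped alternative (e.g. 192.168.10.*) from the note.
    """
    findings = []
    for name, pattern, _key in clients:
        scope = pattern_scope(pattern)
        if scope > max_scope:
            findings.append((name, pattern,
                             f"accepts RADIUS requests from {scope} source addresses; "
                             "any host with the shared key can act as a NAD"))
    return findings


# Constructed sample AAA client table: the wildcard entry from Figure 7-17
# (key cisco123 as in the text) beside a subnet-scoped NDG entry with a placeholder key.
SAMPLE_CLIENTS = [
    ("all-nads", "*.*.*.*", "cisco123"),
    ("floor10-switches", "192.168.10.*", "EXAMPLE-KEY-PLACEHOLDER"),
]

if __name__ == "__main__":
    for finding in audit_aaa_clients(SAMPLE_CLIENTS):
        print(finding)
```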

234 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems