7. Click Add Entry under AAA Clients to add any AAA clients to this particular NDG. You can configure all NADs as a single AAA client by using IP address wild cards (*.*.*.*). In Figure 7-17 we have done this and used the RADIUS key cisco123. Note that authentication is done using RADIUS (IOS/PIX 6.0). There are other options available, depending on what is being defined as a NAD. Click Submit and then Apply.

Figure 7-17 AAA client setup

Note: The use of wild cards (*.*.*.*) is designed to help with scalability issues. For example, if your network has over 100 switches, defining each one as a separate NAD is very time consuming. By using *.*.*.*, all devices that are configured to point to the ACS as the RADIUS server and have the same RADIUS key will exchange information with the ACS. This can introduce a security vulnerability, however, because any host that knows the RADIUS server IP address and RADIUS key can exchange information with the ACS. A better option may be to define NDGs based on subnet information, such as 192.168.10.*, which retains some scalability while limiting which source addresses the ACS accepts.
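To make the trade-off in this note concrete, the following is an added example (not code from the Redbook or from Cisco Secure ACS) that models how a per-octet wildcard AAA client entry scopes which NAD source addresses the ACS will accept. It assumes that each octet of the pattern is either a literal or "*", that the most specific matching entry wins, and that the request is accepted only if the presented RADIUS key matches; the client table and NAD addresses are constructed for illustration. The key cisco123 is the one used in the text above.

```python
"""Added example: ACS-style per-octet wildcard matching for AAA client entries.

Assumed semantics (not taken from the page): an AAA client address is an IPv4
dotted quad where each octet is a literal 0-255 or '*'; when several entries
match, the one with the fewest wildcard octets is chosen. All client entries
and NAD addresses below are constructed sample data.
"""
from dataclasses import dataclass
import hmac
import ipaddress
from typing import List, Optional


@dataclass(frozen=True)
class AaaClient:
    name: str
    ip_pattern: str   # e.g. "192.168.10.*" or "*.*.*.*"
    radius_key: str   # shared secret the NAD must present
    ndg: str          # Network Device Group the entry belongs to


def octet_matches(pattern_octet: str, octet: int) -> bool:
    """'*' matches any value; otherwise the octet must match literally."""
    if pattern_octet == "*":
        return True
    value = int(pattern_octet)
    if not 0 <= value <= 255:
        raise ValueError(f"octet out of range in pattern: {pattern_octet!r}")
    return value == octet


def pattern_matches(ip_pattern: str, nad_ip: str) -> bool:
    """True if the NAD's source address falls under the wildcard pattern."""
    parts = ip_pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad AAA client pattern: {ip_pattern!r}")
    octets = ipaddress.IPv4Address(nad_ip).packed  # rejects malformed input
    return all(octet_matches(p, o) for p, o in zip(parts, octets))


def pattern_width(ip_pattern: str) -> int:
    """Number of wildcard octets; fewer means a more specific entry."""
    return ip_pattern.split(".").count("*")


def exposure_count(ip_pattern: str) -> int:
    """How many distinct source addresses a pattern admits (256 per '*')."""
    return 256 ** pattern_width(ip_pattern)


def lookup_client(clients: List[AaaClient], nad_ip: str) -> Optional[AaaClient]:
    """Return the most specific matching AAA client entry, or None."""
    matches = [c for c in clients if pattern_matches(c.ip_pattern, nad_ip)]
    if not matches:
        return None
    return min(matches, key=lambda c: pattern_width(c.ip_pattern))


def accepts_request(clients: List[AaaClient], nad_ip: str, presented_key: str) -> bool:
    """Would the ACS process a RADIUS request from nad_ip with this key?"""
    client = lookup_client(clients, nad_ip)
    if client is None:
        return False
    # Constant-time comparison so key checking does not leak timing.
    return hmac.compare_digest(client.radius_key.encode(), presented_key.encode())


# Constructed sample tables: the wildcard-only setup from the step above,
# and the subnet-scoped alternative suggested in the note.
WILDCARD_ONLY = [AaaClient("all-nads", "*.*.*.*", "cisco123", "Switches")]
SUBNET_SCOPED = [AaaClient("floor10-switches", "192.168.10.*", "cisco123", "Switches")]


if __name__ == "__main__":
    for label, table in (("*.*.*.*", WILDCARD_ONLY), ("192.168.10.*", SUBNET_SCOPED)):
        print(f"{label}: admits {exposure_count(table[0].ip_pattern)} source addresses")
        # A host outside the switch subnet that happens to hold the key:
        print("  203.0.113.7 with correct key ->", accepts_request(table, "203.0.113.7", "cisco123"))
        print("  192.168.10.25 with correct key ->", accepts_request(table, "192.168.10.25", "cisco123"))
```

Running it shows the point of the note: with *.*.*.*, the key alone decides whether a request is processed, so a host anywhere that holds cisco123 is treated as a NAD, whereas 192.168.10.* cuts the accepted source space from 2^32 addresses to 256 and rejects the out-of-subnet host even with the correct key. Pairing a subnet-scoped entry with a distinct key per NDG narrows it further.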

234 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
