Cisco 3.3 User Manual

Page 129

Advertising
background image

4-13

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 4 Network Configuration

AAA Client Configuration

For correct operation, the key must be identical on the AAA client and
Cisco Secure ACS. Keys are case sensitive. Because shared secrets are not
synchronized, it is easy to make mistakes when entering them on network
devices and Cisco Secure ACS. If the shared secret does not match,
Cisco Secure ACS discards all packets from the network device.

Note

If the AAA client represents multiple network devices, the key must
be identical on all network devices represented by the AAA client.

Network Device Group—The name of the NDG to which this AAA client
should belong. To make the AAA client independent of NDGs, use the Not
Assigned selection.

Note

This option does not appear if you have not configured Cisco Secure
ACS to use NDGs. To enable NDGs, click Interface Configuration,
click Advanced Options, and then select the Network Device
Groups
check box.

Authenticate Using—The AAA protocol to be used for communications
with the AAA client. The Authenticate Using list includes Cisco IOS
TACACS+ and several vendor-specific implementations of RADIUS. If you
have configured user-defined RADIUS vendors and VSAs, those
vendor-specific RADIUS implementations appear on the list also. For
information about creating user-defined RADIUS VSAs, see

Custom

RADIUS Vendors and VSAs, page 9-28

.

The Authenticate Using list always contains the following selections:

TACACS+ (Cisco IOS)—The Cisco IOS TACACS+ protocol, which is
the standard choice when using Cisco Systems access servers, routers,
and firewalls. If the AAA client is a Cisco device-management
application, such as Management Center for Firewalls, you must use this
option.

RADIUS (Cisco Aironet)—RADIUS using Cisco Aironet VSAs. Select
this option if the network device is a Cisco Aironet Access Point used by
users authenticating with LEAP or EAP-TLS, provided that these
protocols are enabled on the Global Authentication Setup page in the
System Configuration section.

Advertising