Cisco Systems OL-24201-01 Camera Accessories User Manual


 
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 7 Managing Network Resources
Network Devices and AAA Clients
IP Range(s) By Mask
Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addresses within the specified subnet mask are permitted to access the network and are associated with the network device definition.
When you use subnet masks, the number of unique IP addresses depends on the number of IP addresses available through the subnet mask. For example, a subnet mask of 255.255.255.0 means you have 256 unique IP addresses.
The first six IP addresses appear in the field; use the scroll bar to see any additional configured IP addresses.
A mask is needed only for wildcards, that is, if you want an IP address range. You cannot use an asterisk (*) as a wildcard.
IP Range
Choose to enter single or multiple ranges of IP addresses. You can configure up to 40 IP addresses or subnet masks for each network device. You can also exclude a subnet of the IP address range from the configured range in a scenario where that subset has already been added.
You can use a hyphen (-) to specify a range of IP addresses. A maximum of 40 IP addresses is allowed in a single IP range.
You can also add IP addresses with wildcards. You can use asterisks (*) as wildcards.
Some examples of entering IP address ranges are:
A single range: 10.77.10.1-10, 192.120.10-12.10
Multiple ranges: 10.*.1-20.10, 192.1-23.*.100-150
Exclusions from a range: 10.10.1-255.* exclude 10.10.10-200.100-150
Using dynamic device IP address ranges (for example: 1-5.*.7.9) can have performance implications on both the run-time and the management. Therefore, we recommend using IP address and subnet mask whenever possible. The dynamic IP address ranges should be used only when the range cannot be described using IP address and subnet mask.
Note: AAA clients with wildcards are migrated from 4.x to 5.x.
Authentication Options
TACACS+
Check to use the Cisco IOS TACACS+ protocol to authenticate communication to and from the network device.
You must use this option if the network device is a Cisco device-management application, such as Management Center for Firewalls. You should use this option when the network device is a Cisco access server, router, or firewall.
TACACS+ Shared Secret
Shared secret of the network device, if you enabled the TACACS+ protocol.
A shared secret is an expected string of text, which a user must provide before the network device authenticates a username and password. The connection is rejected until the user supplies the shared secret.
Table 7-4 Creating Network Devices and AAA Clients (continued)
Option Description
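
The IP Range syntax described in the table above (hyphen ranges, asterisk wildcards and "exclude"), as an added example that is not Cisco's code: a small Python matcher for auditing which source addresses an entry associates with a network device definition, and how many. It assumes each octet is independently "*", "N" or "N-M", as the manual's examples suggest; all function names are illustrative.

```python
# Assumption: each octet is independently '*', 'N' or 'N-M', as in the manual's examples.
import ipaddress
import math

def parse_octet(spec):
    """One octet: '*' (0-255), 'N', or 'N-M'. Returns inclusive (low, high)."""
    if spec == "*":
        return (0, 255)
    low, sep, high = spec.partition("-")
    low, high = int(low), int(high) if sep else int(low)
    if not 0 <= low <= high <= 255:
        raise ValueError(f"octet out of range: {spec!r}")
    return (low, high)

def parse_range(pattern):
    """Four dot-separated octet specs -> list of four (low, high) bounds."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {pattern!r}")
    return [parse_octet(p) for p in parts]

def parse_entry(entry):
    """'<range>' or '<range> exclude <range>' -> (include, exclude or None)."""
    include, sep, exclude = entry.partition(" exclude ")
    return parse_range(include), (parse_range(exclude) if sep else None)

def in_range(bounds, ip):
    octets = ipaddress.IPv4Address(ip).packed  # four bytes; rejects bad input
    return all(lo <= o <= hi for (lo, hi), o in zip(bounds, octets))

def matches(entry, ip):
    """True if ip falls in the included range and not in the excluded one."""
    include, exclude = parse_entry(entry)
    return in_range(include, ip) and not (exclude and in_range(exclude, ip))

def count(bounds):
    return math.prod(max(0, hi - lo + 1) for lo, hi in bounds)

def covered(entry):
    """Addresses matched: included range minus its overlap with the exclusion."""
    include, exclude = parse_entry(entry)
    if exclude is None:
        return count(include)
    overlap = [(max(a, c), min(b, d)) for (a, b), (c, d) in zip(include, exclude)]
    return count(include) - count(overlap)

if __name__ == "__main__":
    for s in ("1-5.*.7.9", "10.10.1-255.* exclude 10.10.10-200.100-150"):
        print(s, "->", covered(s), "addresses")
```

Running the count over each configured entry shows how many source addresses a wildcard definition admits, which is useful when deciding whether an address and subnet mask would describe the same devices more narrowly.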