User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 7 Managing Network Resources
Network Devices and AAA Clients
Table 7-4 Creating Network Devices and AAA Clients (continued)

| Option | Description |
|---|---|
| Single Connect Device | Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one: Legacy TACACS+ Single Connect Support, or TACACS+ Draft Compliant Single Connect Support. If you disable this option, a new TCP connection is used for every TACACS+ request. |
| RADIUS | Check to use the RADIUS protocol to authenticate communication to and from the network device. |
| RADIUS Shared Secret | Shared secret of the network device, if you have enabled the RADIUS protocol. A shared secret is an expected string of text, which a user must provide before the network device authenticates a username and password. The connection is rejected until the user supplies the shared secret. |
| CoA Port | Used to set up the RADIUS CoA port for the session directory, for user authentication. This session directory can be launched from the Monitoring and Troubleshooting Viewer page. By default, the CoA port value is filled in as 1700. |
| Enable KeyWrap | Check to enable the shared secret keys for RADIUS KeyWrap in PEAP, EAP-FAST and EAP-TLS authentications. Each key must be unique, and must also be distinct from the RADIUS shared key. These shared keys are configurable for each AAA Client. The default key mode for KeyWrap is hexadecimal string. |
| Key Encryption Key (KEK) | Used for encryption of the Pairwise Master Key (PMK). In ASCII mode, enter a key of exactly 16 characters; in hexadecimal mode, enter a key of 32 characters. |
| Message Authentication Code Key (MACK) | Used to calculate the keyed-hash message authentication code (HMAC) over the RADIUS message. In ASCII mode, enter a key of 20 characters; in hexadecimal mode, enter a key of 40 characters. |
| Key Input Format | Enter the keys as ASCII or hexadecimal strings. The default is hexadecimal. |
| Security Group Access | Appears only when you enable the Cisco Security Group Access feature. Check to use Security Group Access functionality on the network device. If the network device is the seed device (the first device in the Security Group Access network), you must also check the RADIUS check box. |
| Use Device ID for Security Group Access Identification | Check this check box to use the device ID for Security Group Access identification. When you check this check box, the following field, Device ID, is disabled. |
| Device ID | Name that will be used for Security Group Access identification of this device. By default, you can use the configured device name. If you want to use another name, clear the Use device name for Security Group Access identification check box, and enter the name in the Identification field. |
| Password | Security Group Access authentication password. |
| Security Group Access Advanced Settings | Check to display additional Security Group Access fields. |
| Other Security Group Access devices to trust this device (SGA trusted) | Specifies whether all the device's peer devices trust this device. The default is checked, which means that the peer devices trust this device and do not change the SGTs on packets arriving from this device. If you uncheck the check box, the peer devices repaint packets from this device with the related peer SGT. |
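The KeyWrap rows above give the constraints an administrator has to satisfy for the KEK and MACK (16 or 32 characters and 20 or 40 characters depending on the input format, keys unique and distinct from the RADIUS shared secret). The following added example, which is not part of the Cisco guide, checks a key set against those rules before it is entered on many AAA clients; the function and mode names (`validate_keywrap`, `"ascii"`, `"hex"`) are this example's own, and keys are compared as raw bytes so that an ASCII key and its hexadecimal spelling are recognised as the same key.

```python
"""Check RADIUS KeyWrap key material against the rules in Table 7-4.

Added example, not Cisco's code. Length rules come from the table:
KEK 16 ASCII / 32 hex characters, MACK 20 ASCII / 40 hex characters.
"""
import binascii

# Required raw key sizes in bytes; the table's character counts follow
# (1 character per byte in ASCII mode, 2 hex digits per byte in hex mode).
KEY_SIZES = {"KEK": 16, "MACK": 20}


def decode_key(value: str, mode: str) -> bytes:
    """Turn the configured string into raw key bytes for the given input format."""
    if mode == "ascii":
        return value.encode("ascii")          # one byte per character
    if mode == "hex":
        try:
            return binascii.unhexlify(value)  # two hex digits per byte
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"not a valid hexadecimal string: {value!r}") from exc
    raise ValueError(f"unknown key input format: {mode!r}")


def validate_keywrap(kek: str, mack: str, shared_secret: str, mode: str = "hex") -> list:
    """Return a list of problems; an empty list means the key set is acceptable."""
    problems = []
    raw = {}
    for name, value in (("KEK", kek), ("MACK", mack)):
        try:
            raw[name] = decode_key(value, mode)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        want = KEY_SIZES[name]
        if len(raw[name]) != want:
            chars = want if mode == "ascii" else 2 * want
            problems.append(f"{name}: must be exactly {chars} {mode} characters")
    # "Each key must be unique": compare the decoded bytes, not the typed text.
    if len(raw) == 2 and raw["KEK"] == raw["MACK"]:
        problems.append("KEK and MACK must be distinct keys")
    # "... distinct from the RADIUS shared key": the shared secret is ASCII text,
    # so a hex-mode key spelling the same bytes is still a collision.
    secret = shared_secret.encode("ascii")
    for name, key in raw.items():
        if key == secret:
            problems.append(f"{name}: must differ from the RADIUS shared secret")
    return problems


if __name__ == "__main__":
    # Constructed sample: a hex KEK that spells the same bytes as the shared secret.
    print(validate_keywrap("41" * 16, "11" * 20, "A" * 16, mode="hex"))
```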