4-24
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
ACS and Cisco Security Group Access
6. Configuring EAP-FAST Settings for Security Group Access.
7. Creating an Access Service for Security Group Access.
8. Creating an Endpoint Admission Control Policy.
9. Creating an Egress Policy.
10. Creating a Default Policy.
Adding Devices for Security Group Access
The RADIUS protocol requires a shared secret between the AAA client and the server. In ACS, RADIUS
requests are processed only if they arrive from a known AAA client. You must configure the AAA client
in ACS with a shared secret.
The Security Group Access device should be configured with the same shared secret. In Security Group
Access, every device must be able to act as a AAA client for new devices that join the secured network.
All the Security Group Access devices possess a Protected Access Credential (PAC) as part of the EAP
Flexible Authentication via Secured Tunnel (EAP-FAST) protocol. A PAC is used to identify the AAA
client. The RADIUS shared secret can be derived from the PAC.
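The "known AAA client plus shared secret" rule described above, as an added example that is not part of the Cisco guide: a minimal server-side check that drops a RADIUS Access-Request unless its source address is a configured AAA client and the packet's Message-Authenticator (RFC 2869, the HMAC-MD5 that EAP over RADIUS requires) validates under that client's shared secret. The client table, IP addresses and secret are constructed placeholders.

```python
import hmac
import hashlib
import os

# Constructed stand-in for the AAA client table ACS would hold: source IP -> shared secret.
# Placeholder values only, not from any real deployment.
KNOWN_CLIENTS = {
    "192.0.2.10": b"example-shared-secret",
}

MSG_AUTH_TYPE = 80  # RADIUS Message-Authenticator attribute (RFC 2869)


def build_access_request(identifier: int, secret: bytes, attrs: list[tuple[int, bytes]]) -> bytes:
    """Build an Access-Request the way an AAA client would: the Message-Authenticator
    value is HMAC-MD5(secret, packet) computed with its own 16 value bytes zeroed."""
    authenticator = os.urandom(16)
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([MSG_AUTH_TYPE, 18]) + bytes(16)  # zero-filled placeholder, filled in below
    length = 20 + len(body)
    header = bytes([1, identifier]) + length.to_bytes(2, "big") + authenticator  # code 1 = Access-Request
    packet = header + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last attribute, so replace its value


def verify_access_request(src_ip: str, packet: bytes) -> bool:
    """Accept only if the sender is a known AAA client and the Message-Authenticator
    verifies under that client's shared secret; anything else is rejected."""
    secret = KNOWN_CLIENTS.get(src_ip)
    if secret is None or len(packet) < 20:
        return False
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        return False
    pos = 20  # attributes start after the fixed 20-byte header
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return False  # malformed attribute
        if a_type == MSG_AUTH_TYPE and a_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += a_len
    return False  # no Message-Authenticator present: reject
```

A request from an address that is not in the client table fails before any cryptographic work is done, which is the behaviour the guide describes for ACS.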
To add a network device:
Step 1 Choose Network Resources > Network Devices and AAA Client and click Create. See Network
Devices and AAA Clients, page 7-5, for more information.
Step 2 Fill in the fields in the Network Devices and AAA clients pages:
To add a device as a seed Security Group Access device, check RADIUS and Security Group
Access, or to add a device as a Security Group Access client, check Security Group Access only.
If you add the device as a RADIUS client, enter the IP Address and the RADIUS/Shared Secret.
If you add the device as a Security Group Access device, fill in the fields in the Security Group
Access section.
You can check Advanced Settings to display advanced settings for the Security Group Access
device configuration and modify the default settings.
The location or device type can be used as a condition to configure an NDAC policy rule.
Step 3 Click Submit.
Creating Security Groups
Security Group Access uses security groups to tag packets at ingress so that they can be filtered later at
egress. The product of a security group is the security group tag (SGT), a 4-byte string ID that is sent to the
network device.
The web interface displays the decimal and hexadecimal representation of the SGT. Each SGT is unique. When you
edit a security group, you can modify the name; however, you cannot modify the SGT ID.
The security group names Unknown and Any are reserved. The reserved names are used in the Egress
policy matrix. The generation ID changes when the Egress policy is modified.