User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 7  Managing Network Resources
Network Devices and AAA Clients (page 7-11)
The first page of the Create Network Device process appears if you are creating a new network device. The Network Device Properties page for the selected device appears if you are duplicating or editing a network device.
Step 3 Modify the fields as required. For field descriptions, see Configuring Network Device and AAA Clients, page 7-11.
Step 4 Click Submit.
Your new network device configuration is saved. The Network Devices page appears, with your new network device configuration listed.
Related Topics
Viewing and Performing Bulk Operations for Network Devices, page 7-6
Configuring Network Device and AAA Clients, page 7-11
Configuring Network Device and AAA Clients
To display this page, choose Network Resources > Network Devices and AAA Clients, then click Create.
Table 7-4 Creating Network Devices and AAA Clients
General
Name: Name of the network device. If you are duplicating a network device, you must enter a unique name as a minimum configuration; all other fields are optional.
Description: Description of the network device.
Network Device Groups (1)
Location: Click Select to display the Network Device Groups selection box. Click the radio button next to the Location network device group you want to associate with the network device. See Creating, Duplicating, and Editing Network Device Groups, page 7-2, for information about creating network device groups.
Device Type: Click Select to display the Network Device Groups selection box. Click the radio button next to the Device Type network device group you want to associate with the network device. See Creating, Duplicating, and Editing Network Device Groups, page 7-2, for information about creating network device groups.
IP Address
The IP addresses and subnet masks associated with the network device. Select to enter a single IP address or to define a range.
Single IP Address: Choose to enter a single IP address.
IP Range(s) By Mask: Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, every IP address within the specified subnet is accepted as this network device and is associated with the network device definition. When you use subnet masks, the number of unique IP addresses depends on the number of addresses available through the mask; for example, a subnet mask of 255.255.255.0 covers 256 unique IP addresses. The first six IP addresses appear in the field; use the scroll bar to see any additional configured IP addresses. A mask is needed only when you want an IP address range; you cannot use the asterisk (*) as a wildcard in this field.
IP Range: Choose to enter one or more ranges of IP addresses. You can configure up to 40 IP addresses or subnet masks for each network device. You can also exclude a subset of an IP address range from the configured range, for example when that subset has already been added elsewhere. Use a hyphen (-) to specify a range within an octet; a maximum of 40 IP address entries is allowed in a single IP range. You can also use the asterisk (*) as a wildcard for an entire octet. Some examples of IP address ranges are:
A single range: 10.77.10.1-10, 192.120.10-12.10
Multiple ranges: 10.*.1-20.10, 192.1-23.*.100-150
Exclusions from a range: 10.10.1-255.* exclude 10.10.10-200.100-150
Using dynamic device IP address ranges (for example, 1-5.*.7.9) can have performance implications for both the run time and the management interface. Therefore, we recommend using an IP address and subnet mask whenever possible; use dynamic IP address ranges only when the range cannot be described with an IP address and subnet mask.
Note: AAA clients with wildcards are migrated from ACS 4.x to 5.x.
Authentication Options
TACACS+: Check to use the Cisco IOS TACACS+ protocol to authenticate communication to and from the network device. You must use this option if the network device is a Cisco device-management application, such as Management Center for Firewalls. You should use this option when the network device is a Cisco access server, router, or firewall.
TACACS+ Shared Secret: Shared secret of the network device, if you enabled the TACACS+ protocol. A shared secret is a string configured identically on ACS and on the network device; it is the key that obfuscates the TACACS+ packet body and ties the device's requests to this definition. Requests from a device whose shared secret does not match the one configured here cannot be decoded and are not honored.
Single Connect Device: Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one:
Legacy TACACS+ Single Connect Support
TACACS+ Draft Compliant Single Connect Support
If you disable this option, a new TCP connection is used for every TACACS+ request.
RADIUS: Check to use the RADIUS protocol to authenticate communication to and from the network device.
RADIUS Shared Secret: Shared secret of the network device, if you have enabled the RADIUS protocol. A shared secret is a string configured identically on ACS and on the network device; ACS uses it to authenticate RADIUS requests and responses and to hide the User-Password attribute. A request from a device whose shared secret does not match cannot be verified and is not honored.
CoA Port: UDP port on which the network device listens for RADIUS Change of Authorization (CoA) requests. ACS sends CoA requests to this port when you act on a session from the session directory, which you can launch from the Monitoring and Troubleshooting Viewer page. By default, the CoA port value is 1700.
Enable KeyWrap: Check to enable the shared secret keys for RADIUS KeyWrap in PEAP, EAP-FAST and EAP-TLS authentications. Each key must be unique, and must also be distinct from the RADIUS shared secret. These keys are configured for each AAA client. The default key input format for KeyWrap is a hexadecimal string.
Key Encryption Key (KEK): Used to encrypt the Pairwise Master Key (PMK). In ASCII mode, enter a key of exactly 16 characters; in hexadecimal mode, enter a key of 32 hexadecimal digits.
Message Authentication Code Key (MACK): Used to calculate the keyed-hash message authentication code (HMAC) over the RADIUS message. In ASCII mode, enter a key of exactly 20 characters; in hexadecimal mode, enter a key of 40 hexadecimal digits.
Key Input Format: Enter the keys as ASCII or hexadecimal strings. The default is hexadecimal.
Security Group Access: Appears only when you enable the Cisco Security Group Access feature. Check to use Security Group Access functionality on the network device. If the network device is the seed device (the first device in the Security Group Access network), you must also check the RADIUS check box.
Use Device ID for Security Group Access Identification: Check this check box to use the configured device name as the Security Group Access device ID. When you check this check box, the Device ID field below is disabled.
Device ID: Name used for Security Group Access identification of this device. By default, the configured device name is used. To use another name, clear the Use Device ID for Security Group Access Identification check box and enter the name in this field.
Password: Security Group Access authentication password.
Security Group Access Advanced Settings: Check to display additional Security Group Access fields.
Other Security Group Access devices to trust this device (SGA trusted): Specifies whether all of the device's peer devices trust this device. The default is checked, which means that the peer devices trust this device and do not change the SGTs on packets arriving from it. If you uncheck the check box, the peer devices repaint packets from this device with the related peer SGT.
Download peer authorization policy every (Weeks Days Hours Minutes Seconds): Specifies the expiry time for the peer authorization policy. ACS returns this information to the device in the response to a peer policy request. The default is 1 day.
Download SGACL lists every (Weeks Days Hours Minutes Seconds): Specifies the expiry time for SGACL lists. ACS returns this information to the device in the response to a request for SGACL lists. The default is 1 day.
Download environment data every (Weeks Days Hours Minutes Seconds): Specifies the expiry time for environment data. ACS returns this information to the device in the response to a request for environment data. The default is 1 day.
Re-authentication every (Weeks Days Hours Minutes Seconds): Specifies the 802.1X (dot1x) reauthentication period. ACS configures this for the supplicant and returns this information to the authenticator. The default is 1 day.
1. The Device Type and Location network device groups are predefined at installation. You can define up to 10 additional network device groups. See Creating, Duplicating, and Editing Network Device Groups, page 7-2, for information on how to define network device groups. If you have defined additional network device groups, they appear in alphabetical order in the Network Device Groups page and in the Network Resources drawer in the left navigation pane.
Displaying Network Device Properties
Choose Network Resources > Network Devices and AAA Clients, then click a device name or check the check box next to a device name, and click Edit or Duplicate.
The Network Devices and AAA Clients Properties page appears, displaying the information described in Table 7-5.
Table 7-5 Network Devices and AAA Clients Properties Page
Name: Name of the network device. If you are duplicating a network device, you must enter a unique name as a minimum configuration; all other fields are optional.
Description: Description of the network device.
Network Device Groups (1)
Location (Select): Click Select to display the Network Device Groups selection box. Click the radio button next to the network device group you want to associate with the network device. See Creating, Duplicating, and Editing Network Device Groups, page 7-2, for information about creating network device groups.
Device Type (Select): Click Select to display the Network Device Groups selection box. Click the radio button next to the device type network device group that you want to associate with the network device. See Creating, Duplicating, and Editing Network Device Groups, page 7-2, for information about creating network device groups.
IP Address
The IP addresses and subnet masks associated with the network device. Select to enter a single IP address or to define a range.
Single IP Address: Choose to enter a single IP address.
IP Range(s) By Mask: Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, every IP address within the specified subnet is accepted as this network device and is associated with the network device definition. When you use subnet masks, the number of unique IP addresses depends on the number of addresses available through the mask; for example, a subnet mask of 255.255.255.0 covers 256 unique IP addresses. The first six IP addresses appear in the field; use the scroll bar to see any additional configured IP addresses. A mask is needed only when you want an IP address range; you cannot use the asterisk (*) as a wildcard in this field.
IP Range: Choose to enter one or more ranges of IP addresses. You can configure up to 40 IP addresses or subnet masks for each network device. You can also exclude a subset of an IP address range from the configured range, for example when that subset has already been added elsewhere. Use a hyphen (-) to specify a range within an octet, and the asterisk (*) as a wildcard for an entire octet. Some examples of IP address ranges are:
A single range: 10.77.10.1-10, 192.120.10-12.10
Multiple ranges: 10.*.1-20.10, 192.1-23.*.100-150
Exclusions from a range: 10.10.1-255.* exclude 10.10.10-200.100-150
Using dynamic device IP address ranges (for example, 1-5.*.7.9) can have performance implications for both the run time and the management interface. Therefore, we recommend using an IP address and subnet mask whenever possible; use dynamic IP address ranges only when the range cannot be described with an IP address and subnet mask.
Authentication Options
TACACS+: Check to use the Cisco IOS TACACS+ protocol to authenticate communication to and from the network device. You must use this option if the network device is a Cisco device-management application, such as Management Center for Firewalls. You should use this option when the network device is a Cisco access server, router, or firewall.
TACACS+ Shared Secret: Shared secret of the network device, if you enabled the TACACS+ protocol. A shared secret is a string configured identically on ACS and on the network device; it is the key that obfuscates the TACACS+ packet body and ties the device's requests to this definition. Requests from a device whose shared secret does not match the one configured here cannot be decoded and are not honored.
Single Connect Device: Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one:
Legacy TACACS+ Single Connect Support
TACACS+ Draft Compliant Single Connect Support
If you disable this option, a new TCP connection is used for every TACACS+ request.
RADIUS: Check to use the RADIUS protocol to authenticate communication to and from the network device.
RADIUS Shared Secret: Shared secret of the network device, if you have enabled the RADIUS protocol. A shared secret is a string configured identically on ACS and on the network device; ACS uses it to authenticate RADIUS requests and responses and to hide the User-Password attribute. A request from a device whose shared secret does not match cannot be verified and is not honored.
CoA Port: UDP port on which the network device listens for RADIUS Change of Authorization (CoA) requests. ACS sends CoA requests to this port when you act on a session from the session directory, which you can launch from the Monitoring and Troubleshooting Viewer page. By default, the CoA port value is 1700.
Enable KeyWrap: Check to enable the shared secret keys for RADIUS KeyWrap in PEAP, EAP-FAST and EAP-TLS authentications. Each key must be unique and distinct from the RADIUS shared secret. You can configure these keys for each AAA client.
Key Encryption Key (KEK): Used to encrypt the Pairwise Master Key (PMK). In ASCII mode, enter a key of exactly 16 characters; in hexadecimal mode, enter a key of 32 hexadecimal digits.
Message Authentication Code Key (MACK): Used to calculate the keyed-hash message authentication code (HMAC) over the RADIUS message. In ASCII mode, enter a key of exactly 20 characters; in hexadecimal mode, enter a key of 40 hexadecimal digits.
Key Input Format: Enter the keys as ASCII or hexadecimal strings. The default is hexadecimal.
Security Group Access: Appears only when you enable the Cisco Security Group Access feature. Check to use Security Group Access functionality on the network device. If the network device is the seed device (the first device in the Security Group Access network), you must also check the RADIUS check box.
Identification: Name used for Security Group Access identification of this device. By default, the configured device name is used. To use another name, clear the Use device name for Security Group Access identification check box and enter the name in the Identification field.
Password: Security Group Access authentication password.
Security Group Access Advanced Settings: Check to display additional Security Group Access fields.
Other Security Group Access devices to trust this device: Specifies whether all of the device's peer devices trust this device. The default is checked, which means that the peer devices trust this device and do not change the SGTs on packets arriving from it. If you uncheck the check box, the peer devices repaint packets from this device with the related peer SGT.
Download peer authorization policy every (Weeks Days Hours Minutes Seconds): Specifies the expiry time for the peer authorization policy. ACS returns this information to the device in the response to a peer policy request. The default is 1 day.
Download SGACL lists every (Weeks Days Hours Minutes Seconds): Specifies the expiry time for SGACL lists. ACS returns this information to the device in the response to a request for SGACL lists. The default is 1 day.
Download environment data every (Weeks Days Hours Minutes Seconds): Specifies the expiry time for environment data. ACS returns this information to the device in the response to a request for environment data. The default is 1 day.
Re-authentication every (Weeks Days Hours Minutes Seconds): Specifies the 802.1X (dot1x) reauthentication period. ACS configures this for the supplicant and returns this information to the authenticator. The default is 1 day.
1. The Device Type and Location network device groups are predefined at installation. You can define up to 10 additional network device groups. See Creating, Duplicating, and Editing Network Device Groups, page 7-2, for information on how to define network device groups. If you have defined additional network device groups, they appear in the Network Device Groups page and in the Network Resources drawer in the left navigation pane, in alphabetical order.
Related Topics
Viewing and Performing Bulk Operations for Network Devices, page 7-6
Creating, Duplicating, and Editing Network Device Groups, page 7-2
Deleting Network Devices
To delete a network device:
Step 1 Choose Network Resources > Network Devices and AAA Clients.
The Network Devices page appears, with a list of your configured network devices.
Step 2 Check one or more check boxes next to the network devices you want to delete.
Step 3 Click Delete.
The following message appears:
Are you sure you want to delete the selected item/items?
Step 4 Click OK.
The Network Devices page appears, without the deleted network devices listed. The network devices are removed from the device repository.
Configuring a Default Network Device
While processing requests, ACS searches the network device repository for a network device whose IP address matches the IP address presented in the request. If the search does not yield a match, ACS uses the default network device definition for RADIUS or TACACS+ requests.
The default network device defines the shared secret to be used and also provides NDG definitions for RADIUS or TACACS+ requests that use the default network device definition.
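The IP Range syntax of Tables 7-4 and 7-5 and the default-device fallback just described together decide which device definition, and therefore which shared secret, ACS applies to a request. The following Python is an added example, not ACS code, that implements that repository search: single addresses, masks, and the hyphen/asterisk range syntax with "exclude" clauses, falling back to the default network device only when it is enabled. Two things the page does not state are assumed here: masks are written as "address/prefix" or "address/netmask", and devices are searched in the order they were defined, first match wins. The device names, secrets and addresses are constructed sample data; the range strings are the page's own examples.

```python
"""Network device lookup by NAS IP address, modelled on the ACS repository
search described in this chapter.  Added example, not ACS code.
Assumptions (not stated on the page): masks are written 'a.b.c.d/prefix' or
'a.b.c.d/m.m.m.m'; devices are searched in definition order, first match wins."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_IP_ENTRIES = 40            # the page: up to 40 IP addresses or masks per device
OctetRange = Tuple[int, int]   # inclusive low/high bound for one octet


def parse_octet(token: str) -> OctetRange:
    """One octet of an 'IP Range' entry: '17', '1-20' or the wildcard '*'."""
    if token == "*":
        return (0, 255)
    lo, _, hi = token.partition("-")
    low, high = int(lo), int(hi or lo)
    if not 0 <= low <= high <= 255:
        raise ValueError(f"bad octet range {token!r}")
    return (low, high)


def parse_wildcard(text: str) -> List[OctetRange]:
    """'10.*.1-20.10' -> [(10, 10), (0, 255), (1, 20), (10, 10)]."""
    octets = text.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {text!r}")
    return [parse_octet(o) for o in octets]


def octets_in(ip: str, rng: List[OctetRange]) -> bool:
    return all(lo <= int(o) <= hi for o, (lo, hi) in zip(ip.split("."), rng))


@dataclass
class IPRange:
    """An include range plus zero or more 'exclude' ranges, e.g.
    '10.10.1-255.* exclude 10.10.10-200.100-150'."""
    include: List[OctetRange]
    excludes: List[List[OctetRange]]

    @classmethod
    def parse(cls, text: str) -> "IPRange":
        parts = text.strip().split(" exclude ")
        return cls(parse_wildcard(parts[0]), [parse_wildcard(p) for p in parts[1:]])

    def matches(self, ip: str) -> bool:
        return octets_in(ip, self.include) and not any(
            octets_in(ip, ex) for ex in self.excludes)


@dataclass
class NetworkDevice:
    name: str
    radius_secret: str
    single_ips: List[str] = field(default_factory=list)  # 'Single IP Address'
    masks: List[str] = field(default_factory=list)       # 'IP Range(s) By Mask'
    ranges: List[str] = field(default_factory=list)      # 'IP Range' (wildcards)

    def __post_init__(self) -> None:
        if len(self.single_ips) + len(self.masks) + len(self.ranges) > MAX_IP_ENTRIES:
            raise ValueError(f"{self.name}: more than {MAX_IP_ENTRIES} IP entries")
        self._nets = [ipaddress.IPv4Network(m, strict=False) for m in self.masks]
        self._ranges = [IPRange.parse(r) for r in self.ranges]

    def matches(self, ip: str) -> bool:
        addr = ipaddress.IPv4Address(ip)          # rejects malformed input
        return (str(addr) in self.single_ips
                or any(addr in net for net in self._nets)
                or any(r.matches(ip) for r in self._ranges))


class DeviceRepository:
    """default_secret=None models 'Default Network Device Status' = Disabled."""
    DEFAULT_NAME = "Default Network Device"

    def __init__(self, devices: List[NetworkDevice], default_secret: Optional[str] = None):
        self.devices, self.default_secret = devices, default_secret

    def lookup(self, nas_ip: str) -> Optional[Tuple[str, str]]:
        """(device name, RADIUS shared secret) for a request from nas_ip, or
        None when nothing matches and the default device is disabled."""
        for dev in self.devices:                  # assumption: first match wins
            if dev.matches(nas_ip):
                return dev.name, dev.radius_secret
        if self.default_secret is not None:
            return self.DEFAULT_NAME, self.default_secret
        return None


# Constructed sample repository; the range strings are the page's own examples.
REPO = DeviceRepository(
    [
        NetworkDevice("core-rtr-1", "s3cret-core", single_ips=["10.77.10.254"]),
        NetworkDevice("branch-switches", "s3cret-branch",
                      ranges=["10.77.10.1-10", "192.120.10-12.10"]),
        NetworkDevice("campus-wlc", "s3cret-wlc",
                      ranges=["10.*.1-20.10", "192.1-23.*.100-150"]),
        NetworkDevice("lab", "s3cret-lab",
                      ranges=["10.10.1-255.* exclude 10.10.10-200.100-150"]),
        NetworkDevice("dc-mgmt", "s3cret-dc", masks=["172.16.0.0/255.255.0.0"]),
    ],
    default_secret="s3cret-default",
)

if __name__ == "__main__":
    for ip in ("10.77.10.5", "10.77.10.254", "10.10.50.120", "10.10.50.160",
               "172.16.9.9", "203.0.113.7"):
        print(f"{ip:>14} -> {REPO.lookup(ip)}")
```

Two points worth noting from running it: 10.10.50.120 falls inside the lab range but is removed by the exclude clause, so it drops through to the default device, and with the default device disabled (no default_secret) the same request matches nothing and would be discarded. That is the security-relevant property of the default device: any host whose address matches no definition is accepted as a NAS if it presents the default shared secret, so leave Default Network Device Status disabled unless you rely on it.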
    						
Choose Network Resources > Default Network Device to configure the default network device. The Default Network Device page appears, displaying the information described in Table 7-6.
Table 7-6 Default Network Device Page
Default Network Device
The default device definition can optionally be used in cases where no specific device definition is found that matches a device IP address.
Default Network Device Status: Choose Enabled from the drop-down list box to move the default network device to the active state.
Network Device Groups
Location: Click Select to display the Network Device Groups selection box. Click the radio button next to the Location network device group you want to associate with the network device. See Creating, Duplicating, and Editing Network Device Groups, page 7-2, for information about creating network device groups.
Device Type: Click Select to display the Network Device Groups selection box. Click the radio button next to the Device Type network device group you want to associate with the network device. See Creating, Duplicating, and Editing Network Device Groups, page 7-2, for information about creating network device groups.
Authentication Options
TACACS+: Check to use the Cisco IOS TACACS+ protocol to authenticate communication to and from the network device. You must use this option if the network device is a Cisco device-management application, such as Management Center for Firewalls. You should use this option when the network device is a Cisco access server, router, or firewall.
Shared Secret: Shared secret of the network device, if you enabled the TACACS+ protocol. A shared secret is a string configured identically on ACS and on the network device; it is the key that obfuscates the TACACS+ packet body. Requests from a device whose shared secret does not match cannot be decoded and are not honored.
Single Connect Device: Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one:
Legacy TACACS+ Single Connect Support
TACACS+ Draft Compliant Single Connect Support
If you disable this option, ACS uses a new TCP connection for every TACACS+ request.
RADIUS: Check to use the RADIUS protocol to authenticate communication to and from the network device.
Shared Secret: Shared secret of the network device, if you have enabled the RADIUS protocol. A shared secret is a string configured identically on ACS and on the network device; ACS uses it to authenticate RADIUS requests and responses and to hide the User-Password attribute. A request from a device whose shared secret does not match cannot be verified and is not honored.
CoA Port: UDP port on which the network device listens for RADIUS Change of Authorization (CoA) requests. ACS sends CoA requests to this port when you act on a session from the session directory, which you can launch from the Monitoring and Troubleshooting Viewer page. By default, the CoA port value is 1700.
Enable KeyWrap: Check to enable the shared secret keys for RADIUS KeyWrap in PEAP, EAP-FAST and EAP-TLS authentications. Each key must be unique and distinct from the RADIUS shared secret. You can configure these keys for each AAA client.
Key Encryption Key (KEK): Used to encrypt the Pairwise Master Key (PMK). In ASCII mode, enter a key of exactly 16 characters; in hexadecimal mode, enter a key of 32 hexadecimal digits.
Message Authentication Code Key (MACK): Used to calculate the keyed-hash message authentication code (HMAC) over the RADIUS message. In ASCII mode, enter a key of exactly 20 characters; in hexadecimal mode, enter a key of 40 hexadecimal digits.
Key Input Format: Enter the keys as ASCII or hexadecimal strings. The default is hexadecimal.
Related Topics
Network Device Groups, page 7-2
Network Devices and AAA Clients, page 7-5
Creating, Duplicating, and Editing Network Device Groups, page 7-2
Working with External Proxy Servers
ACS 5.3 can function both as a RADIUS and TACACS+ server and as a RADIUS and TACACS+ proxy server. When it acts as a proxy server, ACS receives authentication and accounting requests from the NAS and forwards them to the external RADIUS or TACACS+ server. ACS accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS or TACACS+ servers in ACS to enable ACS to forward requests to them. You can define the timeout period and the number of connection attempts.
ACS can simultaneously act as a proxy server to multiple external RADIUS or TACACS+ servers. The RADIUS proxy detects and handles the looping scenario, in which a forwarded request arrives back at ACS; the TACACS+ proxy does not.
Note: You can use the external RADIUS or TACACS+ servers that you configure here in access services of the RADIUS or TACACS+ proxy service type.
This section contains the following topics:
Creating, Duplicating, and Editing External Proxy Servers, page 7-19
Deleting External Proxy Servers, page 7-21
Creating, Duplicating, and Editing External Proxy Servers
To create, duplicate, or edit an external proxy server:
Step 1 Choose Network Resources > External Proxy Servers.
The External Proxy Servers page appears with a list of configured servers.
Step 2 Do one of the following:
Click Create.
Check the check box next to the external proxy server that you want to duplicate, then click Duplicate.
Click the external proxy server name that you want to edit, or check the check box next to the name and click Edit.
The External Proxy Servers page appears.
Step 3 Edit the fields in the External Proxy Servers page as shown in Table 7-7.
Step 4 Click Submit to save the changes.
The external proxy server configuration is saved. The External Proxy Servers page appears with the new configuration.
Table 7-7 External Proxy Servers Page
General
Name: Name of the external RADIUS or TACACS+ server.
Description: (Optional) The description of the external RADIUS or TACACS+ server.
Server Connection
Server IP Address: IP address of the external RADIUS or TACACS+ server.
Shared Secret: Shared secret between ACS and the external RADIUS or TACACS+ server. It is configured identically on both sides and authenticates the proxied RADIUS or TACACS+ traffic between them; a response from a server whose secret does not match cannot be verified. A Show/Hide button lets you view the shared secret in plain text or hidden.
Advanced Options
RADIUS: Choose to create a RADIUS proxy server.
TACACS+: Choose to create a TACACS+ proxy server.
CiscoSecure ACS: Default choice. Supports both RADIUS and TACACS+.
Authentication Port: RADIUS authentication port number. The default is 1812.
Accounting Port: RADIUS accounting port number. The default is 1813.
Server Timeout: Number of seconds ACS waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 1 to 999.
Connection Attempts: Number of times ACS attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 99.
Connection Port: TACACS+ connection port. The default is 49.
Network Timeout: Number of seconds ACS waits for a response from the external TACACS+ server. The default is 20 seconds.
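The Shared Secret rows of Tables 7-4 through 7-7 say only loosely what the secret does. The following Python is an added example, not ACS or Cisco code, of the RADIUS exchange that the secret protects, built from the packet formats in RFC 2865 and RFC 2869: the NAS hides User-Password and signs its Access-Request with a Message-Authenticator (HMAC-MD5 keyed with the secret), the server verifies that signature with the secret it holds for the NAS before it even looks at the credentials, and it signs the reply with a Response Authenticator the NAS checks in turn. The user name, password, secret, NAS address and the user store are constructed sample data. A server that finds no device definition for the NAS (and has no default device) is modelled by passing no secret.

```python
"""What the RADIUS shared secret protects, per RFC 2865 / RFC 2869.
Added example, not ACS code.  USERS, SECRET and the NAS address below are
constructed sample data."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
HEADER = struct.Struct("!BBH")        # Code, Identifier, Length; then a 16-byte Authenticator


def attr(t: int, v: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", t, len(v) + 2) + v


def parse_attrs(body: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i + 2 <= len(body):
        t, ln = body[i], body[i + 1]
        if ln < 2 or i + ln > len(body):
            raise ValueError("malformed attribute")
        out.append((t, body[i + 2:i + ln]))
        i += ln
    return out


def _xor_stream(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: block i is XORed with MD5(secret + previous ciphertext block),
    the chain being seeded with the 16-byte Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, pad))
        out += xored
        prev = block if decrypt else xored
    return out


def hide_password(pw: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _xor_stream(pw + b"\x00" * (-len(pw) % 16), secret, req_auth, decrypt=False)


def reveal_password(c: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _xor_stream(c, secret, req_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(secret: bytes, ident: int, user: bytes, pw: bytes, nas_ip: str) -> bytes:
    """NAS side.  Message-Authenticator (RFC 2869 5.14) = HMAC-MD5 over the whole
    packet with its own 16 value bytes zeroed, keyed with the shared secret."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(pw, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))        # placeholder, last attribute
    pkt = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the value zeroed, constant-time compare."""
    pos = 20
    for t, v in parse_attrs(pkt[20:]):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
        pos += 2 + len(v)
    return False          # no Message-Authenticator: nothing binds the request to the secret


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: the reply must be bound to our Request Authenticator and the secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def acs_handle(pkt: bytes, nas_secret: Optional[bytes], users: Dict[bytes, bytes]) -> Optional[bytes]:
    """Server side.  nas_secret is the secret of the device definition that matched
    the NAS IP (None: no definition and no default device).  Returns the reply, or
    None when the request must be silently discarded."""
    if nas_secret is None or pkt[0] != ACCESS_REQUEST:
        return None
    if not verify_message_authenticator(pkt, nas_secret):
        return None                                   # wrong secret or tampered packet
    attrs = dict(parse_attrs(pkt[20:]))
    password = reveal_password(attrs.get(USER_PASSWORD, b""), nas_secret, pkt[4:20])
    granted = users.get(attrs.get(USER_NAME, b"")) == password
    return build_response(ACCESS_ACCEPT if granted else ACCESS_REJECT, pkt, nas_secret)


USERS = {b"alice": b"Correct-Horse-9"}     # constructed sample user store
SECRET = b"s3cret-branch"                   # constructed shared secret for NAS 10.77.10.5

if __name__ == "__main__":
    req = build_access_request(SECRET, 7, b"alice", b"Correct-Horse-9", "10.77.10.5")
    resp = acs_handle(req, SECRET, USERS)
    print("reply code:", resp[0], "| reply verified by NAS:", verify_response(resp, req, SECRET))
    print("same request, mismatched secret on the server, is dropped:", acs_handle(req, b"typo", USERS) is None)
```

The point the table rows make only loosely is visible in the last line: with a mismatched secret the server never reaches the user name and password at all, because the Message-Authenticator check fails and the request is discarded, and a NAS that receives an Access-Accept forged without the secret rejects it for the same reason on its side. The page's warning that KeyWrap keys must differ from the shared secret follows from this design: the secret is an HMAC key in every packet, so it must not double as a key-wrapping key.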
    						