
7-8
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 7 User Management: Configuring Authentication Servers
Adding an Authentication Provider
Note If your CAM is deployed as a member of an HA failover pair, be sure you specify the service IP address for the HA pair to ensure the RADIUS authentication server receives the proper RADIUS accounting packets from the CAM. Regardless of whether the HA-Primary or HA-Standby CAM sends the accounting packets, they will show up in the accounting packets as coming from the pair. You must also configure the RADIUS authentication server to accept authentication packets from both the HA-Primary and HA-Secondary CAM eth0 IP addresses to ensure that the RADIUS server accepts the packets regardless of which CAM in the HA pair sends them. This is done in Cisco Secure ACS under AAA Clients.
Step 12 NAS-Port—The NAS-Port value to be sent with all RADIUS authentication packets.
Step 13 NAS-Port-Type—The NAS-Port-Type value to be sent with all RADIUS authentication packets.
Step 14 Enable Failover—This enables sending a second authentication packet to a RADIUS failover peer IP if the primary RADIUS authentication server’s response times out.
Step 15 Failover Peer IP—The IP address of the failover RADIUS authentication server.
Step 16 Accept RADIUS packets with empty attributes from some old RADIUS servers—This option enables the RADIUS authentication client to allow RADIUS authentication responses that are malformed due to empty attributes, as long as the responses contain a success or failure code. This may be required for compatibility with older RADIUS servers.
Step 17 For a FIPS 140-2 compliant deployment, activate the Enable IPsec checkbox to ensure you can establish a secure IPsec tunnel for authentication traffic. See also Add a FIPS 140-2 Compliant RADIUS Auth Provider Using an ACS Server, page 7-8.
Step 18 Description—Enter an optional description of this auth server for reference.
Step 19 Click Add Server.
Note If you have configured a RADIUS server, the RADIUS Session Timeout for user login is automatically enabled. The timeout duration therefore applies on a per-user basis, depending on the user profile configured on the RADIUS server. See Session Timer, page 8-15 for more details on timers.
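The client behaviour that Steps 12 through 16 configure (NAS-Port and NAS-Port-Type attributes on every Access-Request, failover to the peer IP only when the primary times out, and tolerance of empty attributes in a reply that still carries an Access-Accept or Access-Reject code), shown as an added Python example. This is not Cisco NAC Appliance or ACS code: the shared secret, the 192.0.2.x addresses, the user credentials and the in-memory stand-in server are constructed for the demonstration, and a real CAM would send these packets over UDP rather than through the transport callback used here. The example also verifies the RFC 2865 Response Authenticator before it honours the reply code, which is the check a practitioner should insist on when the lenient empty-attribute mode is enabled.

```python
"""Minimal RFC 2865 RADIUS Access-Request client (added example, not Cisco code).
Shows the NAS-Port / NAS-Port-Type attributes, failover to a peer only on timeout,
and a lenient mode that tolerates empty attributes in an Access-Accept/Reject."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
FILTER_ID, REPLY_MESSAGE, NAS_PORT_TYPE = 11, 18, 61
NAS_PORT_TYPE_ETHERNET = 15


def _attr(atype, value):
    """Type-Length-Value; Length counts the two header octets as well."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret | previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], digest))
        out += prev
    return out


def build_access_request(ident, secret, user, password, nas_ip, nas_port, nas_port_type):
    """Return (packet, request_authenticator); NAS-Port and NAS-Port-Type ride on every request."""
    authenticator = os.urandom(16)
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, encode_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", nas_port))
             + _attr(NAS_PORT_TYPE, struct.pack("!I", nas_port_type)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_response(packet, request_authenticator, secret, allow_empty_attrs=False):
    """Verify the Response Authenticator first, then walk the attributes.
    Returns (code, {type: [values]}); raises ValueError for anything malformed."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    # MD5(Code | ID | Length | RequestAuth | Attributes | Secret) proves the reply came
    # from a holder of the shared secret before any code or attribute is trusted.
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("bad Response Authenticator")
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        raise ValueError("unexpected code %d" % code)
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("invalid attribute length")
        if alen == 2:  # empty value: invalid per the RFC, tolerated only in lenient mode
            if not allow_empty_attrs:
                raise ValueError("empty attribute %d" % atype)
        else:
            attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs


def authenticate(transport, secret, servers, user, password, nas_ip, nas_port,
                 nas_port_type=NAS_PORT_TYPE_ETHERNET, allow_empty_attrs=False):
    """servers is [primary] or [primary, failover_peer]; transport(server, packet) returns
    the raw reply or raises TimeoutError. Only a timeout moves on to the next server;
    an Access-Reject from the primary is final."""
    packet, authenticator = build_access_request(1, secret, user, password, nas_ip, nas_port, nas_port_type)
    for server in servers:
        try:
            raw = transport(server, packet)
        except TimeoutError:
            continue
        return server, parse_response(raw, authenticator, secret, allow_empty_attrs)
    raise TimeoutError("no RADIUS server answered")


def fake_server(secret, with_empty_attr):
    """Constructed in-memory stand-in for an old RADIUS server (not ACS): answers
    Access-Accept and, if asked, appends a zero-length Filter-Id attribute."""
    def respond(packet):
        attrs = _attr(REPLY_MESSAGE, b"welcome")
        if with_empty_attr:
            attrs += struct.pack("!BB", FILTER_ID, 2)
        header = struct.pack("!BBH", ACCESS_ACCEPT, packet[1], 20 + len(attrs))
        return header + hashlib.md5(header + packet[4:20] + attrs + secret).digest() + attrs
    return respond


def demo(allow_empty_attrs):
    """Primary (192.0.2.10) is simulated as down; the failover peer (192.0.2.11) answers
    with an empty attribute. All values are constructed placeholders."""
    secret = b"constructed-shared-secret"
    peer = fake_server(secret, with_empty_attr=True)

    def transport(server, packet):
        if server == "192.0.2.10":
            raise TimeoutError("primary did not answer")
        return peer(packet)

    server, (code, attrs) = authenticate(transport, secret, ["192.0.2.10", "192.0.2.11"],
                                         "alice", "constructed-password", "192.0.2.1", 1,
                                         allow_empty_attrs=allow_empty_attrs)
    return server, code, attrs


if __name__ == "__main__":
    print(demo(allow_empty_attrs=True))  # ('192.0.2.11', 2, {18: [b'welcome']})
```

With `allow_empty_attrs=False` the same reply is refused with a ValueError, which is the strict behaviour the CAM exhibits when the Step 16 option is left unchecked; note that a reject from the primary never triggers the failover send, only a timeout does.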
Add a FIPS 140-2 Compliant RADIUS Auth Provider Using an ACS Server
You can configure a FIPS 140-2 compliant external RADIUS Auth Provider type by setting up IPSec communication between your Cisco NAC Appliance system and Cisco ACS 4.x in a Windows environment running Windows Server 2003 or 2008. There are two primary stages to this task:
Import Certificates in Windows
Set Up the IPSec Tunnel
Import Certificates in Windows
Step 1 In Windows, choose Start > Run and enter mmc to open the certificates console window.
Step 2 Select File > Add/Remove Snap-in and click Add.
Step 3 Click Certificates.