Cisco Clean Access 3.5
Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 6 User Management: Auth Servers
Configure an Authentication Provider
10. NAS-Identifier – The NAS-Identifier value to be sent with all RADIUS authentication packets. Either a NAS-Identifier or a NAS-IP-Address must be specified to send the packets.
11. NAS-IP-Address – The NAS-IP-Address value to be sent with all RADIUS authentication packets. Either a NAS-IP-Address or a NAS-Identifier must be specified to send the packets.
12. NAS-Port – The NAS-Port value to be sent with all RADIUS authentication packets.
13. NAS-Port-Type – The NAS-Port-Type value to be sent with all RADIUS authentication packets.
14. Enable Failover – This enables sending a second authentication packet to a RADIUS failover peer IP if the primary RADIUS authentication server’s response times out.
15. Failover Peer IP – The IP address of the failover RADIUS authentication server.
16. Allow Badly Formed RADIUS Packets – This enables the RADIUS authentication client to ignore errors in badly formed RADIUS authentication responses as long as the responses contain a success or failure code. This may be required for compatibility with older RADIUS servers.
Caution
Enable this option only if authentication/authorization is not functioning due to malformed packets. Allowing badly formed RADIUS packets can make it easier for man-in-the-middle, packet spoofing, and Denial of Service (DoS) attacks to succeed, so enabling the CAM to accept badly formed RADIUS packets creates potential vulnerabilities. However, certain RADIUS server products (commercial and otherwise) sometimes send malformed packets during the authentication/authorization process. Enabling this feature may be necessary in such cases to allow the CAM to process such badly formed packets, thereby enabling authentication/authorization to work.
17. Description – Enter an optional description of this auth server for reference.
18. Click Add Server.
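
The caution under step 16 is easier to weigh with the checks a strict RADIUS client applies to a reply in view. The following is an added example, not part of this guide and not the CAM's own code: it implements the client-side reply checks from RFC 2865 (header, Length, attribute layout, Response Authenticator) next to a hypothetical client that reads only the reply code. The guide does not say which errors the CAM ignores, so code_only is an assumed model, and the secret, identifier and attribute values are constructed.

```python
import hashlib
import hmac
import struct

REPLY_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def build_response(code, ident, request_auth, attrs, secret):
    """Build a constructed reply the way an RFC 2865 server would (sample data only)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs

def code_only(packet):
    """Hypothetical lenient client: trusts the first octet and checks nothing else."""
    return REPLY_CODES.get(packet[0]) if packet else None

def validate_response(packet, request_id, request_auth, secret):
    """Strict client-side checks; returns the reply name or raises ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in REPLY_CODES:
        raise ValueError("unexpected reply code")
    if ident != request_id:
        raise ValueError("identifier does not match the request")
    if not 20 <= length <= 4096 or length > len(packet):
        raise ValueError("invalid Length field")
    packet = packet[:length]  # octets past Length are padding and are ignored
    pos = 20
    while pos < length:  # every attribute is Type(1) Length(1) Value(Length-2)
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        pos += packet[pos + 1]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("response authenticator mismatch")
    return REPLY_CODES[code]

if __name__ == "__main__":
    secret, req_auth = b"constructed-secret", bytes(range(16))  # constructed values
    reply = build_response(2, 7, req_auth, bytes([18, 4]) + b"ok", secret)
    print(validate_response(reply, 7, req_auth, secret))
    unsigned = reply[:4] + bytes(16) + reply[20:]  # same code octet, no valid authenticator
    print(code_only(unsigned))
    try:
        validate_response(unsigned, 7, req_auth, secret)
    except ValueError as err:
        print("rejected:", err)
```

A reply that passes only the code_only check carries no proof that it came from a holder of the shared secret, which is the exposure the caution describes.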