Cisco Systems CSACS3415K9 Manual De Usuario
7-12
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 7 Managing Network Resources
Network Devices and AAA Clients
IP Range(s) By Mask
Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for
each network device. If you use a subnet mask in this field, all IP addresses within the specified
subnet mask are permitted to access the network and are associated with the network device
definition.
each network device. If you use a subnet mask in this field, all IP addresses within the specified
subnet mask are permitted to access the network and are associated with the network device
definition.
When you use subnet masks, the number of unique IP addresses depends on the number of IP
addresses available through the subnet mask. For example, a subnet mask of 255.255.255.0 means
you have 256 unique IP addresses. By default, the subnet mask value for IPv4 is 32, and the IPv6
value is 128.
addresses available through the subnet mask. For example, a subnet mask of 255.255.255.0 means
you have 256 unique IP addresses. By default, the subnet mask value for IPv4 is 32, and the IPv6
value is 128.
The first six IP addresses appear in the field; use the scroll bar to see any additional configured IP
addresses.
addresses.
A mask is needed only for wildcards, if you want an IP address range. You cannot use an asterisk
(*) as a wildcard.
(*) as a wildcard.
IP Range
Choose to enter single or multiple ranges of IP address. You can configure up to 40 IP addresses or
subnet masks for each network device. You can also exclude a subnet of IP address range from the
configured range in a scenario where that subset has already been added.
subnet masks for each network device. You can also exclude a subnet of IP address range from the
configured range in a scenario where that subset has already been added.
You can use a hyphen (-) to specify a range of IP addresses. A maximum of 40 IP addresses are
allowed in a single IP range.
allowed in a single IP range.
You can also add IP addresses with wildcards. You can use asterisks (*) as wildcards.
Some examples of entering IP address ranges are:
•
A single range—10.77.10.1-10,,,, 192.120.10-12.10
•
Multiple ranges—10.*.1-20.10, 192.1-23.*.100-150
•
Exclusions from a range—10.10.1-255.* exclude 10.10.10-200.100-150
Using dynamic device IP address ranges (for example: 1-5.*.7.9) can have performance
implications on both the run-time and the management.
implications on both the run-time and the management.
Therefore, we recommend using IP address and subnet mask whenever possible. The dynamic IP
address ranges should be used only when the range cannot be described using IP address and subnet
mask.
address ranges should be used only when the range cannot be described using IP address and subnet
mask.
Note
AAA clients with wildcards are migrated from 4.x to 5.x.
Note
ACS 5.4 does not support the IPv6 range.
Authentication Options
TACACS+
Check to use the Cisco IOS TACACS+ protocol to authenticate communication to and from the
network device.
network device.
You must use this option if the network device is a Cisco device-management application, such as
Management Center for Firewalls. You should use this option when the network device is a Cisco
access server, router, or firewall.
Management Center for Firewalls. You should use this option when the network device is a Cisco
access server, router, or firewall.
Check TACACS+ if you use IPv4 or IPv6 IP addresses.
TACACS+ Shared
Secret
Secret
Shared secret of the network device, if you enabled the TACACS+ protocol.
A shared secret is an expected string of text, which a user must provide before the network device
authenticates a username and password. The connection is rejected until the user supplies the shared
secret.
authenticates a username and password. The connection is rejected until the user supplies the shared
secret.
Table 7-4
Creating Network Devices and AAA Clients (continued)
Option
Description