https://community.cisco.com/t5/network-security/configure-source-interface-for-aaa-on-ftd-fmc/m-p/3404610#M953474 <P>Yes you're right the data routing will be checked if not able to reach it through management. Usually, at least i mean personally, i always do this using management RIB.</P> <P>Anyways, you can't modify the source interface. But i would recommend using the management interface to work with aaa.&nbsp;</P> Sun, 24 Jun 2018 23:22:01 GMT Francesco Molino 2018-06-24T23:22:01Z https://community.cisco.com/t5/network-security/configure-source-interface-for-aaa-on-ftd-fmc/m-p/3404278#M953471 <P>Just wonder if this is another firmware limitation...</P> <P>&nbsp;</P> <P>I need to specify the management interface of FTD as the source interface to reach AAA server. I think by default FTD is using the routing table to decide which interface to try to reach the AAA server. This is configurable on ASA but does not seem FTD supports it as of 6.2.3.2...</P> <P>&nbsp;</P> <P>Does anyone know if FlexConfig can be used to accomplish this for FTD OR It is related to FXOS?</P> Fri, 21 Feb 2020 15:54:40 GMT https://community.cisco.com/t5/network-security/configure-source-interface-for-aaa-on-ftd-fmc/m-p/3404278#M953471 SIMMN 2020-02-21T15:54:40Z https://community.cisco.com/t5/network-security/configure-source-interface-for-aaa-on-ftd-fmc/m-p/3404424#M953472 <P>Hi</P> <P>&nbsp;</P> <P>By default it should use management interface and you can't change it even using flexconfig.</P> <P>You can check in this link about all blacklisted commands over flexconfig and aaa is one of them:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/flexconfig_policies.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/flexconfig_policies.html</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 24 Jun 2018 03:02:42 GMT https://community.cisco.com/t5/network-security/configure-source-interface-for-aaa-on-ftd-fmc/m-p/3404424#M953472 Francesco Molino 2018-06-24T03:02:42Z https://community.cisco.com/t5/network-security/configure-source-interface-for-aaa-on-ftd-fmc/m-p/3404508#M953473 <P class="p">Found this in the configuration guide:</P> <P class="p">&nbsp;</P> <P class="p">For VPN authentication, the servers must be reachable over one of the regular interfaces: the Diagnostic interface or a data interface.</P> <P class="p">For regular interfaces, two routing tables are used. A management-only routing table for the Diagnostic interface as well as any other interfaces configured for management-only, and a data routing table used for data interfaces. When a route-lookup is done, the management-only routing table is checked first, and then the data routing table. The first match is chosen to reach the AAA server.</P> Sun, 24 Jun 2018 16:45:53 GMT https://community.cisco.com/t5/network-security/configure-source-interface-for-aaa-on-ftd-fmc/m-p/3404508#M953473 SIMMN 2018-06-24T16:45:53Z https://community.cisco.com/t5/network-security/configure-source-interface-for-aaa-on-ftd-fmc/m-p/3404610#M953474 <P>Yes you're right the data routing will be checked if not able to reach it through management. Usually, at least i mean personally, i always do this using management RIB.</P> <P>Anyways, you can't modify the source interface. But i would recommend using the management interface to work with aaa.&nbsp;</P> Sun, 24 Jun 2018 23:22:01 GMT https://community.cisco.com/t5/network-security/configure-source-interface-for-aaa-on-ftd-fmc/m-p/3404610#M953474 Francesco Molino 2018-06-24T23:22:01Z