06-22-2018 04:36 PM - edited 02-21-2020 07:54 AM
Just wonder if this is another firmware limitation...
I need to specify the management interface of FTD as the source interface to reach the AAA server. I think by default FTD uses the routing table to decide which interface to use to reach the AAA server. This is configurable on ASA, but FTD does not seem to support it as of 6.2.3.2...
Does anyone know whether FlexConfig can be used to accomplish this for FTD, or whether it is related to FXOS?
06-23-2018 08:02 PM
Hi
By default it should use the management interface, and you can't change it even using FlexConfig.
You can check this link for all the blacklisted commands in FlexConfig; aaa is one of them:
06-24-2018 08:10 AM - edited 06-24-2018 09:45 AM
Found this in the configuration guide:
For VPN authentication, the servers must be reachable over one of the regular interfaces: the Diagnostic interface or a data interface.
For regular interfaces, two routing tables are used. A management-only routing table for the Diagnostic interface as well as any other interfaces configured for management-only, and a data routing table used for data interfaces. When a route-lookup is done, the management-only routing table is checked first, and then the data routing table. The first match is chosen to reach the AAA server.
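As an added illustration (not part of this thread or of Cisco's documentation), the following toy model reproduces the lookup order the configuration guide describes: the management-only table is consulted first, then the data table, and the first table with a match decides. Longest-prefix match inside each table is standard routing behaviour and is assumed here; the interface names, prefixes and next hops are constructed sample data.

```python
"""Toy model of FTD's two-table route lookup for reaching an AAA server.
Added example, not code from Cisco or from the thread. Assumptions:
longest-prefix match within a table; the ordering between tables is
taken from the configuration guide excerpt quoted above."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: str      # destination prefix, e.g. "10.0.0.0/8"
    interface: str   # egress interface name (constructed sample names)
    next_hop: str    # next-hop address, informational only in this model


def best_match(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match within a single routing table."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for r in table:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def aaa_egress(mgmt_only: List[Route], data: List[Route],
               server: str) -> Optional[str]:
    """Return the interface picked for an AAA server.

    Per the guide: the management-only table (Diagnostic plus any other
    management-only interfaces) is checked first, then the data table.
    The first table that yields a match wins, even if the other table
    holds a more specific route for the same destination.
    """
    for table in (mgmt_only, data):
        r = best_match(table, server)
        if r is not None:
            return r.interface
    return None  # no route in either table: the server is unreachable


# Constructed sample tables (not from a real device)
MGMT_ONLY = [Route("10.0.0.0/8", "diagnostic", "10.1.1.1")]
DATA = [
    Route("10.10.5.0/24", "inside", "10.10.5.1"),
    Route("0.0.0.0/0", "outside", "192.0.2.1"),
]


if __name__ == "__main__":
    # The /8 in the management-only table beats the more specific /24 in
    # the data table because the management-only table is consulted first.
    print("10.10.5.4     ->", aaa_egress(MGMT_ONLY, DATA, "10.10.5.4"))
    # No management-only match: falls through to the data table's default.
    print("198.51.100.7  ->", aaa_egress(MGMT_ONLY, DATA, "198.51.100.7"))
    # Empty management-only table: the data table's /24 is used.
    print("10.10.5.4 (no mgmt routes) ->", aaa_egress([], DATA, "10.10.5.4"))
```

The first case is the one to watch in practice: a broad route on the Diagnostic interface will capture AAA traffic even when a data interface has a more specific path to the server, so the fix is to adjust the routes, since the source interface itself is not configurable per the replies above.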
06-24-2018 04:22 PM
Yes, you're right, the data routing table will be checked if it's not able to reach it through management. Usually, at least personally, I always do this using the management RIB.
Anyway, you can't modify the source interface. But I would recommend using the management interface to work with AAA.