Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3143
Views
15
Helpful
3
Replies

Configure Source Interface for AAA on FTD/FMC?

SIMMN
Spotlight
Spotlight

‎06-22-2018 04:36 PM - edited ‎02-21-2020 07:54 AM

Just wonder if this is another firmware limitation...

 

I need to specify the management interface of FTD as the source interface to reach AAA server. I think by default FTD is using the routing table to decide which interface to try to reach the AAA server. This is configurable on ASA but does not seem FTD supports it as of 6.2.3.2...

 

Does anyone know if FlexConfig can be used to accomplish this for FTD OR It is related to FXOS?

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Francesco Molino
VIP Alumni
VIP Alumni

‎06-23-2018 08:02 PM

Hi

 

By default it should use management interface and you can't change it even using flexconfig.

You can check in this link about all blacklisted commands over flexconfig and aaa is one of them:

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/flexconfig_policies.html

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

SIMMN
Spotlight
Spotlight
In response to Francesco Molino

‎06-24-2018 08:10 AM - edited ‎06-24-2018 09:45 AM

Found this in the configuration guide:

 

For VPN authentication, the servers must be reachable over one of the regular interfaces: the Diagnostic interface or a data interface.

For regular interfaces, two routing tables are used. A management-only routing table for the Diagnostic interface as well as any other interfaces configured for management-only, and a data routing table used for data interfaces. When a route-lookup is done, the management-only routing table is checked first, and then the data routing table. The first match is chosen to reach the AAA server.

Francesco Molino
VIP Alumni
VIP Alumni
In response to SIMMN

‎06-24-2018 04:22 PM

Yes you're right the data routing will be checked if not able to reach it through management. Usually, at least i mean personally, i always do this using management RIB.

Anyways, you can't modify the source interface. But i would recommend using the management interface to work with aaa. 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card