Enable Virtual-Router-Aware Interface for External Authentication of Platform

Authentication, Authorization, and Accounting (AAA) for the threat defense device is managed through the management interface of the device. You can also enable a virtual-router-aware data interface, data sub-interface, port-channel, or sub port-channel to manage AAA for the threat defense device. When enabled, the AAA route lookup is performed in the Virtual Routing and Forwarding (VRF) routing domain, and the AAA management traffic is forwarded through the data interfaces. The following server configurations are supported when using virtual-router-aware data interfaces for AAA:

  • RADIUS or LDAP servers for external authentication

  • FQDN, IPv4, or IPv6 server addresses

To use a virtual-router-aware interface for external authentication of a threat defense device, modify its external authentication policy by associating the authentication servers with the virtual-router-aware interface of the device.

Before you begin

  • Ensure that you have configured the required Virtual Routing and Forwarding (VRF) interface with a static route for the device. For information about configuring a VRF interface, see Configure a Virtual Router, and for information about adding a static route, see Add a Static Route.

  • Ensure that security zones or interface groups with a single virtual-router-aware interface exist. For information about creating security zones and interface groups, see Create Security Zone and Interface Group Objects.

  • If the primary authentication server is configured with the FQDN of the server, ensure that the backup authentication server, if configured, is also configured with its FQDN. In addition, configure the DNS server in the threat defense device's management interface. For information about the DNS server configuration, see Configure DNS.

Procedure
Step 1

Choose Devices > Platform Settings and create or edit the threat defense policy.

Step 2

Click External Authentication and edit the external authentication policy.

Step 3

In the External Authentication dialog box, the available security zones and interface groups are listed. To associate a virtual-router-aware interface with the external authentication servers, select the security zone or interface group that has a single virtual-router-aware interface, and then do the following:

  1. To associate the interface object with the primary authentication server, click Add to Primary Server.

  2. (Optional) To associate the interface object with the backup authentication server, click Add to Backup Server. If the Add to Backup Server button is inactive, it means that a backup server for external authentication is not configured in the device.

Step 4

Click OK.

Step 5

Save and deploy the changes.