KB40800 - What is classified as AAA traffic when "Send AAA Traffic via Management Port" feature is enabled for traffic segregation?

Information

 
Last Modified Date: 7/20/2017 7:55 PM
Synopsis
This article describes which AAA traffic is sent via the management port when "Send AAA Traffic via Management Port" is enabled.
Problem or Goal
When the Send AAA Traffic via Management Port feature is enabled, CRL/OCSP traffic is also sent via the management interface. If the CRL distribution point (CDP) or OCSP responder is not reachable from the management network, the Service Provider Edition (SPE) Virtual Appliance cannot determine whether machine or client certificates are revoked, so it denies users access.
Solution
Traffic Segregation was introduced in 7.2R1 and is a feature only available for Virtual Appliances. It was designed for service providers to have an option to send AAA traffic over the management port instead of the internal port. This allows the service provider AAA infrastructure to be hosted on a different network than their customer's AAA infrastructure.

When this option is enabled, the device sends all AAA traffic via the management port. The following traffic is sent over the management port when traffic segregation is enabled:
  • LDAP
  • Active Directory
  • RADIUS
  • Certificate authentication including CRL / OCSP verification
  • SAML
  • AAA DNS Traffic
  • DMI
  • System logging (syslog)

Traffic segregation does not support NIS or ACE authentication servers.


Special consideration needed for customers using certificate authentication with CRL or OCSP validation:

If CRL or OCSP validation is enabled together with the traffic segregation feature, the CRL and OCSP requests are treated as AAA traffic and sent through the management port. If the CRL distribution point or OCSP responder is not reachable through the management network, end users fail authentication because the CRL or OCSP check fails.
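Before enabling the feature on an appliance that validates certificates, a practitioner will want to confirm that every CRL distribution point and OCSP responder named in the client certificate chain is reachable from the management network. The script below is an added example written for this article; it is not part of the KB or of the appliance. It pulls the CRL and OCSP URLs out of `openssl x509 -text` output and probes each one with `curl --interface` bound to a management-network source address, which stands in for the appliance's own egress path. The certificate text, hostnames and IP address are constructed placeholders; run the script from a host on the management network and pass a real certificate and source address.

```shell
#!/bin/sh
# Added example for KB40800 (not the appliance's code): list the CRL and OCSP
# URLs a client certificate depends on and probe them from the management
# network's source address, which is the path these requests take when
# "Send AAA Traffic via Management Port" is enabled.

# Constructed sample of `openssl x509 -noout -text` output (placeholder hosts,
# not values from the article). Extension headers sit at a 12-space indent,
# their values deeper, as in openssl's own text layout.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.example.test/ca.crl

            Authority Information Access:
                OCSP - URI:http://ocsp.example.test
                CA Issuers - URI:http://ca.example.test/ca.crt

            X509v3 Subject Alternative Name:
                URI:spiffe://not-a-validation-endpoint.example.test
    Signature Algorithm: sha256WithRSAEncryption
'

# Read openssl text output on stdin; print "CRL <url>" and "OCSP <url>" lines.
# Only the CRL Distribution Points and AIA OCSP entries count; URIs in other
# extensions (e.g. a SAN) are ignored.
extract_validation_urls() {
    awk '
        /X509v3 CRL Distribution Points/  { section = "CRL"; next }
        /Authority Information Access/    { section = "AIA"; next }
        /^            [^ ]/               { section = "" }   # another extension header
        section == "CRL" && /URI:/        { sub(/.*URI:/, ""); print "CRL " $0 }
        section == "AIA" && /OCSP - URI:/ { sub(/.*URI:/, ""); print "OCSP " $0 }
    '
}

# Host part of an http(s) URL, with scheme, port and path removed.
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|[/:].*$||'
}

# HTTP status curl saw for the URL, or 000 when no connection could be made.
# --interface binds the source address, so the probe leaves via the same
# network the appliance would use for AAA traffic under traffic segregation.
probe_from() {
    curl --interface "$1" --connect-timeout 5 --max-time 10 -s -o /dev/null \
         -w '%{http_code}' "$2" 2>/dev/null || true
}

# Probe every CRL/OCSP URL in a PEM certificate from the given source address.
# Prints one line per URL; returns non-zero if any URL got no HTTP response at
# all, which is the failure mode that makes the certificate check fail.
check_validation_paths() {
    cert="$1"; src_ip="$2"; failed=0
    urls="$(openssl x509 -in "$cert" -noout -text | extract_validation_urls)"
    while read -r kind url; do
        [ -n "$url" ] || continue
        code="$(probe_from "$src_ip" "$url")"
        if [ "$code" = "000" ]; then
            status="UNREACHABLE"; failed=1
        else
            status="reachable (HTTP $code) host=$(url_host "$url")"
        fi
        printf '%-5s %-45s %s from %s\n' "$kind" "$url" "$status" "$src_ip"
    done <<EOF
$urls
EOF
    return $failed
}

# Usage: sh check_validation_paths.sh <client-cert.pem> <management-source-ip>
# With no arguments, only show which URLs the constructed sample would probe.
if [ "$#" -eq 2 ]; then
    check_validation_paths "$1" "$2"
else
    printf '%s' "$SAMPLE_CERT_TEXT" | extract_validation_urls
fi
```

The probe only shows that the responder is reachable over the management network; an OCSP responder answering a bare GET with a 4xx still counts as reachable. For a full revocation check over the same path, follow a reachable result with `openssl ocsp -url <responder> -issuer <ca.pem> -cert <client.pem>` from a host on the management network.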

Another option is to keep the internal interface on the Default Network for the service provider's customer network, and to configure the Administrative Network for the service provider's own administrator access via the management port. See Configuring AAA Traffic Through Both the Internal and Management Ports for more details.

 
Created By: Matthew Spiers
