Understanding AAA Server Connectivity
LDAP, AD, and RADIUS AAA servers must be reachable from the threat defense device for your intended purposes: user-identity handling only, VPN authentication only, or both activities. AAA servers are used in remote access VPN for the following activities:
- User-identity handling—the servers must be reachable over the Management interface. On the threat defense, the Management interface has a separate routing process and configuration from data interfaces.
- VPN authentication—the servers must be reachable over a data interface or the Management interface. To use the Management interface, you must explicitly select Management as the source interface; other management-only interfaces cannot be used.

To use the same AAA servers for both activities, we recommend specifying the Management interface as the source interface.
For more information about various interfaces, see Regular Firewall Interfaces.
After deployment, use the following CLI commands to monitor and troubleshoot AAA server connectivity from the threat defense device:
- show aaa-server to display AAA server statistics.
- show network and show network-static-routes to view the Management interface default route and static routes.
- show route to view data traffic routing table entries.
- ping system and traceroute system to verify the path to the AAA server through the Management interface.
- ping interface ifname and traceroute destination to verify the path to the AAA server through the data interfaces.
- test aaa-server authentication and test aaa-server authorization to test authentication and authorization on the AAA server.
- clear aaa-server statistics groupname or clear aaa-server statistics protocol protocol to clear AAA server statistics by group or protocol.
- aaa-server groupname active host hostname to activate a failed AAA server, or aaa-server groupname fail host hostname to fail an AAA server.
- debug ldap level, debug aaa authentication, debug aaa authorization, and debug aaa accounting to enable protocol-level debugging.
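The point that trips up most deployments is the one made above: the Management interface and the data interfaces have separate routing tables, so an AAA server that answers a ping through one may have no route at all through the other, and the source interface you select decides which table applies. The following Python script is an added example, not part of this documentation or of the threat defense software. It models the two routing tables with constructed sample routes (the prefixes, next hops and interface names are invented), performs the same longest-prefix match a router does, and reports for a given AAA server and purpose whether a route exists, which interface the traffic would leave on, and which of the CLI commands listed above verifies that path. Use it to reason through a planned design before deployment; on the device itself, show network-static-routes, show route, ping system and ping interface are the authoritative checks.

```python
import ipaddress

# Constructed sample routing tables, not taken from any real device.
# The threat defense keeps two separate routing processes: the Management
# interface has its own default and static routes ("show network",
# "show network-static-routes"), while data interfaces use the data routing
# table ("show route"). A server with a route in one table has no implied
# route in the other.
MGMT_ROUTES = [
    # (prefix, next hop or None for a connected route, egress interface)
    ("192.0.2.0/24", None, "management"),
    ("172.16.0.0/12", "192.0.2.1", "management"),
]
DATA_ROUTES = [
    ("10.10.0.0/16", None, "inside"),
    ("10.20.0.0/16", "10.10.0.254", "inside"),
    ("0.0.0.0/0", "198.51.100.1", "outside"),
]


def lookup(routes, dest):
    """Longest-prefix match of dest against a route list.

    Returns (network, next_hop, interface), or None when nothing matches.
    """
    dest_ip = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if dest_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, ifname)
    return best


def check_aaa_path(server_ip, purpose, source_interface=None,
                   mgmt_routes=MGMT_ROUTES, data_routes=DATA_ROUTES):
    """Pick the routing table that applies to an AAA server and check for a route.

    purpose: "identity" (user-identity handling) or "vpn" (VPN authentication).
    source_interface: the interface selected as the AAA server's source. For
    VPN authentication, "management" must be selected explicitly to use the
    Management routing table; any other name is treated as a data interface.
    Returns (reachable, egress_interface, explanation).
    """
    if purpose not in ("identity", "vpn"):
        raise ValueError("purpose must be 'identity' or 'vpn'")

    # Identity handling always goes over Management; VPN authentication goes
    # over Management only when it is explicitly chosen as the source.
    use_mgmt = purpose == "identity" or source_interface == "management"
    table_name = "Management" if use_mgmt else "data"
    route = lookup(mgmt_routes if use_mgmt else data_routes, server_ip)

    if route is None:
        cmd = "show network-static-routes" if use_mgmt else "show route"
        return (False, None,
                f"no route to {server_ip} in the {table_name} routing table (check '{cmd}')")

    net, next_hop, egress = route
    # A data-interface AAA source must match the interface the route actually uses.
    if not use_mgmt and source_interface and egress != source_interface:
        return (False, egress,
                f"{server_ip} would leave via {egress}, not the selected source "
                f"interface {source_interface}")

    via = "connected" if next_hop is None else f"next hop {next_hop}"
    cmd = "ping system" if use_mgmt else f"ping interface {egress}"
    return (True, egress,
            f"{server_ip} matches {net} via {egress} ({via}); verify with '{cmd} {server_ip}'")


if __name__ == "__main__":
    cases = [
        ("192.0.2.50", "identity"),            # identity server on the management subnet
        ("10.20.5.5", "identity"),             # identity server only routed via data interfaces
        ("10.20.5.5", "vpn", "inside"),        # VPN auth over the matching data interface
        ("10.20.5.5", "vpn", "outside"),       # VPN auth with the wrong source interface
        ("172.16.1.10", "vpn", "management"),  # VPN auth with Management explicitly selected
    ]
    for args in cases:
        ok, _, why = check_aaa_path(*args)
        print("OK  " if ok else "FAIL", why)
```

The second case is the classic failure: the server is perfectly reachable from the data plane, but user-identity traffic never consults the data routing table, so adding a Management static route (or moving the server) is the fix, not a data-interface route.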