AOS-CX 10.11.1000 Security Update - Limited Authentication Survivability : Persistence Support


    Posted Aug 07, 2023 03:27 AM

    Hello Everyone,

    The objective of this post is to educate community members about the enhancement feature "Limited Authentication Survivability – Persistence Support" introduced in the AOS-CX 10.11.1000 release.

    • Cached Critical Role, also known as Limited Authentication Survivability, allows the authorization of authenticated clients with the previously applied roles when the RADIUS server is unreachable.
    • When the cached-critical user role feature is enabled, the MAC addresses of clients and their applied roles are cached in the system during client log-off or re-authentication. When the RADIUS server is unreachable, the cached-critical role is applied as a special role to the client. Once the RADIUS server is reachable again, the cache details are cleared from the switch.
    • The cached-critical role can be enabled at the global or per-interface level.

    (config)# aaa authentication port-access cached-critical-role
    (config-aaa-ccr)#
      cache-replace-mode  Set the cache replace mode
      cache-timeout       Time in hours, during which clients are cached.
      disable             Disables Cached Critical Role. (Default)
      enable              Enables Cached Critical Role.
      end                 End current mode and change to enable mode.
      exit                Exit current mode and change to previous mode
      list                Print command list
      no                  Negate a command or set its defaults
      show                Show running system information
    (config-aaa-ccr)#exit

    Prior to 10.11.1000:

    • Support for limited authentication survivability using the switch non-persistent storage
    • Cached client details will not be retained after a reboot
    • Supported platforms: CX 4100i, 6200, 6300, 6400, 8360

    10.11.1000 Release Onwards:

    • Support for limited authentication survivability using the switch persistent storage
    • The cached client details persist across reboots and support VSF switchover.
    • Supported platforms: CX 4100i, 6000, 6100, 6200, 6300, 6400, 8360, 8100 (10.12 onwards)

    (config)# aaa authentication port-access cached-critical-role
    (config-aaa-ccr)#
      cache-replace-mode  Set the cache replace mode
      cache-timeout       Time in hours, during which clients are cached.
      disable             Disables Cached Critical Role. (Default)
      enable              Enables Cached Critical Role.
      end                 End current mode and change to enable mode.
      exit                Exit current mode and change to previous mode
      list                Print command list
      no                  Negate a command or set its defaults
      persistent-storage  Configure persistent storage for cached clients.
      show                Show running system information
    (config-aaa-ccr)#exit

    Persistent Storage Configuration:

    (config)# aaa authentication port-access cached-critical-role
    (config-aaa-ccr)# persistent-storage enable
    Warning: Enabling persistent-storage will reduce the lifetime of the flash.
    Do you want to continue (y/n)? y
    (config-aaa-ccr)#

    (config)# aaa authentication port-access cached-critical-role
    (config-aaa-ccr)# persistent-storage write-interval
      <900-86400>  Interval between consecutive writes to persistent storage in
                   seconds. (Default: 3600 seconds)
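    The following is an added example session, not part of the original post, that puts the individual commands above together into one complete configuration: enabling Cached Critical Role, turning on persistent storage, and tuning the write interval. Lines beginning with "!" are annotations and not CLI input. The cache-timeout value of 24 hours is an assumed illustrative value; check the range your platform accepts.

```text
! Added example (not from the original post). "!" lines are annotations.
(config)# aaa authentication port-access cached-critical-role
(config-aaa-ccr)# enable
! Assumed value: keep cached client/role entries for 24 hours so a RADIUS
! outage shorter than that still lets returning clients get their last role.
(config-aaa-ccr)# cache-timeout 24
! Persist the cache to flash so entries survive a reboot or VSF switchover.
! The switch warns that this shortens flash lifetime; answer y to accept.
(config-aaa-ccr)# persistent-storage enable
Warning: Enabling persistent-storage will reduce the lifetime of the flash.
Do you want to continue (y/n)? y
! Write the cache to flash every 7200 seconds (2 hours) instead of the default
! 3600. Allowed range is 900-86400 seconds. A longer interval reduces flash
! wear, but entries cached since the last write may not be on flash yet if a
! reboot happens before the next write, so pick the interval to match how
! long your site can tolerate losing recently cached clients.
(config-aaa-ccr)# persistent-storage write-interval 7200
(config-aaa-ccr)# exit
(config)#
```

    After applying the configuration, show running-config lets you confirm that the cached-critical-role block, persistent-storage and the write interval were accepted before relying on them during a RADIUS outage.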

    Additional Resources:

    With thanks & regards,

    Shobana

    MVP Expert



    ------------------------------
    Shobana
    Aruba
    ------------------------------