vpn interface dot1x das—Configure dynamic authorization service (DAS) parameters for use with IEEE 802.1X authentication so that the router can accept change of authentication (CoA) requests from a RADIUS server (on vEdge routers only).
When discussing DAS, the vEdge router (the NAS) is the server and the RADIUS server (or other authentication server) is the client.
vManage Feature Template
For vEdge routers only:
Configuration ► Templates ► VPN Interface Ethernet
- secret-key password
Password that the RADIUS or other authentication server uses to access the vEdge router 802.1X interface.
- Port Number
- port port-number
UDP port number for the vEdge router to use to listen for CoA requests from the RADIUS server. If you configure DAS on multiple 802.1X interfaces on a vEdge router, you must configure each interface to use a different UDP port.
Range: 1 through 65535
- RADIUS Server IP Address
- client ip-address
IP address of the RADIUS authentication server or other authentication server from which to accept CoA requests.
- require-timestamp
Require the DAS client (which is the RADIUS or other authentication server) to include an event timestamp in all CoA messages. When timestamps are required, both the vEdge router and the RADIUS server check that the timestamp in the CoA request is current and within a specific time window (the default time window is 5 minutes). If it is not, the CoA request is discarded. Also, when timestamps are required, a CoA received without a timestamp is discarded immediately. By default, timestamps are not required.
- Time Window
- time-window seconds
How long a CoA request is valid. The time window is applied to CoA requests only if you have configured require-timestamp. When you configure timestamps, both the vEdge router and the RADIUS server check that the timestamp in the CoA request is within the time window. If the timestamp is outside this window, the CoA request is discarded.
Range: 0 through 1000 seconds
Default: 300 seconds (5 minutes)
- vpn vpn-id
VPN through which the RADIUS or other authentication server is reachable.
Configure DAS with a network RADIUS server to allow the vEdge router to accept CoA requests from that server. This configuration requires timestamps in the CoA requests and extends the valid CoA window to 10 minutes.
vEdge(config-das)# show full-configuration
vpn 0
 interface ge0/2
  dot1x
   das
    time-window 600
    require-timestamp
    client 10.1.15.150
    secret-key $4$L3rwZmsIic8zj4BgLEFXKw==
   !
  !
 !
!
Command introduced in Viptela Software Release 16.3.