I would like to auth my users with an ACE. My SA6000 has a trunk to the internal port with 6 IVSs, and I would like to use the ACE.
I have seen that the ACE can be configured only from the root IVS.
I don't use the root IVS for any SSL traffic.
How can I deploy this kind of setup?
From which VLAN/port do I need to create connectivity to the ACE? Does the management port take part in this kind of traffic?
Well, in one of the 6.2 betas there was an option to share the auth servers between IVSs and the IVE, but I can't find that feature anywhere now. I think it was pulled for some reason, but that is the only way you can use an ACE server to auth against an IVS. You can run RADIUS on the ACE server and use that to authenticate against the same ACE DB.
It's in the "6.2 What's New" document, so I'm guessing it got to production. Wish it had been in 6.0 - I must have defined at least 15 IVSs with the same authentication server.
I just read the description of the function in the 6.2 Admin Guide and played with an IVE running 6.3r2. I really don't understand the big deal: it appears that you have to define the authentication server in every IVS using it, and define the VLAN it is on as the default VLAN for every IVS which will use it. I did this in 6.0: I coded the same RADIUS server in all my IVSs, and coded the "Internal port" VLAN as the default VLAN for all of the IVSs. It worked fine, so I don't know what 6.2 added in terms of functionality. Does anybody understand it differently?
I am quite sure, and it has been validated by a Juniper systems engineer, that you are only able to define ONE ACE server for the complete IVS environment.
- True that it has to be defined in the root instance.
- When you use the internal AND external port, the INTERNAL port will ALWAYS be used for any kind of authentication/validation, so even external RADIUS servers need to be reachable from the internal interface in some way.
- You can define multiple RADIUS servers, but just one ACE.
Hope this clears some things up.
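Two points in this thread invite a concrete illustration: the suggestion above to front the ACE database with RADIUS instead of the single root-IVS ACE agent, and the note that authentication traffic always leaves the internal port, so a RADIUS server must answer to the internal-port VLAN address. The following is an added example, not code from the thread or from Juniper: a minimal RFC 2865 client that builds an Access-Request (including the User-Password hiding, which is MD5-based obfuscation, not encryption), verifies the Response Authenticator on the reply, and can be bound to a chosen source address so you can test reachability from the IVE's internal VLAN before touching the admin UI. The shared secret, user table, and addresses are constructed for the example; the in-process "server" exists only so the exchange runs offline.

```python
"""Minimal RADIUS (RFC 2865) Access-Request client with an offline stand-in server."""
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-octet multiple, XOR block i with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (server side). PAP passwords have no trailing NULs, so strip padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Attributes start at offset 20; each is Type, Length (incl. header), Value."""
    attrs, i = {}, 20
    while i < len(packet):
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[i + 2:i + l]
        i += l
    return attrs


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    authenticator = authenticator or secrets.token_bytes(16)  # 16 random octets, RFC 2865 s3
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def verify_response(response, request_authenticator, secret):
    """Return the response Code if its Response Authenticator is valid, else None.
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return None
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None


def fake_server_reply(request, secret, users):
    """Constructed stand-in for the RADIUS server: checks PAP credentials, signs the reply."""
    attrs = parse_attrs(request)
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    ok = users.get(attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")) == pw.decode(errors="replace")
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def send_access_request(server, secret, username, password, nas_ip, source_ip=None, timeout=3.0):
    """Live check against a real server; source_ip forces the egress address (e.g. internal VLAN)."""
    auth = secrets.token_bytes(16)
    req = build_access_request(secrets.randbelow(256), username, password, secret, nas_ip, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if source_ip:
            s.bind((source_ip, 0))
        s.settimeout(timeout)
        s.sendto(req, (server, 1812))
        data, _ = s.recvfrom(4096)
    return verify_response(data, auth, secret)


if __name__ == "__main__":
    SECRET, USERS = b"example-shared-secret", {"alice": "correct horse battery staple"}  # constructed
    authenticator = secrets.token_bytes(16)
    req = build_access_request(7, "alice", USERS["alice"], SECRET, "10.0.0.5", authenticator)
    print("reply code:", verify_response(fake_server_reply(req, SECRET, USERS), authenticator, SECRET))
```

A mismatched shared secret fails twice over here: the server decodes garbage for the password and rejects, and the client cannot validate the Response Authenticator, which is exactly the symptom to look for when the IVE logs a timeout or "invalid response" rather than a clean reject. The `source_ip` bind is what lets you confirm the server actually answers to the internal-port address, since, as noted above, that is the only address the IVE will use.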