Instruction manual
New Features
296-1011-220 Rel. 4.1, Doc. Rev. 07.02 2-9
New Functionality
DVS Tunnel Local Authentication
This release supports the DVS Local Authentication feature on the CVX switch.
This feature is not visible to the user and there are no new configuration
parameters on the CVX switch. DVS Local Authentication is enabled by using the
enhanced support for the DVS CPM (Radius) return list attribute,
Annex-User-Server-Location. When DVS Local Authentication is configured, the
second DVS user authentication now goes to a locally configured authentication
server, as defined on the CVX switch, instead of a remote user authentication
server, as defined by the returned tunnel attributes.
DVS Local Authentication still uses the DVS two-step user authentication
process. The first user authentication (after pre-auth, if enabled) identifies the user
as a DVS user, with the CPM (Radius) server returning DVS tunnel attributes.
The attribute Annex-User-Server-Location can now return one of three valid
values: 0 for none, 1 for local, or 2 for remote. (Previously, only 0 and 2 were
supported.) If a value of 1 is returned for Annex-User-Server-Location, any
remote authentication attributes also returned are ignored.
For the second user authentication, the CVX switch now uses a locally configured
authentication server. This authentication server is configured on the CVX switch
like any other local authentication server, and referenced via the DVS user's
configured VPOP. This authentication server must be reachable directly from the
CVX switch, and not across any DVS tunnels.
All other DVS tunnel negotiations remain unchanged.
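
The routing decision described above, modeled as an added example (not code from the manual or from the CVX/CPM software) that can be used to sanity-check a planned return list. The dictionary layout, the VPOP keys `local_auth_server` and `reached_via_dvs_tunnel`, and the attribute name `Remote-Auth-Server` are hypothetical; only Annex-User-Server-Location and its values 0, 1 and 2 come from the text.

```python
# Added illustration, not CVX or CPM code. The dict layout, the VPOP keys
# and the "Remote-Auth-Server" attribute name are hypothetical.
from dataclasses import dataclass, field

LOCATION = {0: "none", 1: "local", 2: "remote"}  # the three valid values

@dataclass
class SecondAuthPlan:
    target: str                                   # "none", "local" or "remote"
    server: str = ""                              # where the second authentication goes
    ignored: list = field(default_factory=list)   # returned attributes that are not used
    errors: list = field(default_factory=list)    # reasons the plan cannot work

def plan_second_auth(return_list, vpop, remote_attrs=("Remote-Auth-Server",)):
    """Decide where the second DVS user authentication is sent."""
    raw = return_list.get("Annex-User-Server-Location", 0)  # absent -> 0 (assumption)
    try:
        value = int(raw)
    except (TypeError, ValueError):
        value = None
    if value not in LOCATION:
        return SecondAuthPlan("none", errors=[f"invalid Annex-User-Server-Location: {raw!r}"])
    plan = SecondAuthPlan(LOCATION[value])
    if plan.target == "local":
        # Value 1: remote authentication attributes are ignored; the server
        # is the one referenced by the DVS user's configured VPOP.
        plan.ignored = [a for a in remote_attrs if a in return_list]
        plan.server = vpop.get("local_auth_server") or ""
        if not plan.server:
            plan.errors.append("VPOP references no local authentication server")
        elif vpop.get("reached_via_dvs_tunnel"):
            plan.errors.append("local server must be reachable directly, not across a DVS tunnel")
    elif plan.target == "remote":
        # Value 2: the server is defined by the returned attributes.
        plan.server = return_list.get(remote_attrs[0]) or ""
        if not plan.server:
            plan.errors.append("remote selected but no remote server attribute returned")
    return plan

if __name__ == "__main__":
    # Constructed sample: first-step return list plus the user's VPOP settings.
    returned = {"Annex-User-Server-Location": 1, "Remote-Auth-Server": "192.0.2.10"}
    print(plan_second_auth(returned, {"local_auth_server": "aaa-local-1"}))
```
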
The following example sets up an ip_aaa_group for CPM.
Note: The CPM can be configured for DVS local authentication using the
domain-based strategy or the dial-number-based strategy.