To specify a RADIUS client from which a device can accept Change of Authorization (CoA) and disconnect requests, use the client command in dynamic authorization local server configuration mode. To remove this specification, use the no form of this command.
(Optional) Virtual routing and forwarding (VRF) ID of the client.
CoA and disconnect requests are dropped.
Dynamic authorization local server configuration (config-locsvr-da-radius)
This command was introduced.
Cisco IOS XE Release 2.6: This command was integrated into Cisco IOS XE Release 2.6.
This command was integrated into Cisco IOS Release 15.4(1)T. The 6 keyword was added.
A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the client command to specify the RADIUS clients for which the router can act as server.
The following example shows how to configure the router to accept requests from the RADIUS client at IP address 10.0.0.1:
aaa server radius dynamic-author
client 10.0.0.1 key cisco
Configures an ISG as an AAA server to facilitate interaction with an external policy server.
To specify the certificate revocation list (CRL) query and CRL cache options for the public key infrastructure (PKI) trustpool, use the crl command in ca-trustpool configuration mode. To return to the default behavior in which the router checks the URL that is embedded in the certificate, use the no form of this command.
The number of minutes, from 1 to 43200, to wait before deleting the CRL from the cache.
Specifies that CRLs are not cached.
Specifies the URL published by the certification authority (CA) server to query the CRL.
The CRL is not queried and no CRL cache parameters are configured.
Ca-trustpool configuration (ca-trustpool)
This command was introduced.
This command was integrated into Cisco IOS Release 15.1(1)SY.
Before you can configure this command, you must enable the crypto pki trustpool policy command, which enters ca-trustpool configuration mode.
The crl query command is used if the CDP is in Lightweight Directory Access Protocol (LDAP) form, which means that the CRL distribution point (CDP) location in the certificate indicates only where the CDP is located in the directory; that is, the CDP does not indicate the actual query location for the directory.
The Cisco IOS software queries the CRL to ensure that the certificate has not been revoked in order to verify a peer certificate (for example, during Internet Key Exchange (IKE) or Secure Sockets Layer (SSL) handshake). The query looks for the CDP extension in the certificate, which is used to download the CRL. If this query is unsuccessful, then the Simple Certificate Enrollment Protocol (SCEP) GetCRL mechanism is used to query the CRL from the CA server directly (some CA servers do not support this method).
Cisco IOS software supports the following CDP entries:
HTTP URL with a hostname. For example: http://myurlname/myca.crl
HTTP URL with an IPv4 address. For example: http://10.10.10.10:81/myca.crl
LDAP URL with a hostname. For example: ldap://CN=myca, O=cisco
LDAP URL with an IPv4 address. For example: ldap://10.10.10.10:3899/CN=myca, O=cisco
LDAP/X.500 DN. For example: CN=myca, O=cisco
Cisco IOS software needs a complete URL in order to locate the CDP.
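As an added example (not Cisco IOS code), a small classifier for the CDP forms listed above that decides whether the embedded CDP is a complete URL the router can fetch from, or whether a crl query URL has to be configured. The rule that any entry whose authority part holds a DN carries no server to contact is an assumption drawn from the text, and the cache validation uses the 1 to 43200 minute range given in the argument description.

```python
import ipaddress
import re

# Constructed sample list, copied from the CDP forms listed above.
CDP_SAMPLES = [
    "http://myurlname/myca.crl",
    "http://10.10.10.10:81/myca.crl",
    "ldap://CN=myca, O=cisco",
    "ldap://10.10.10.10:3899/CN=myca, O=cisco",
    "CN=myca, O=cisco",
]

def _is_ipv4(host):
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False

def classify_cdp(cdp):
    """Return (form, address_kind, needs_query).
    form: 'http-url', 'ldap-url' or 'ldap-dn'; address_kind: 'ipv4',
    'hostname' or 'dn'. needs_query is True when the entry names no
    server to contact, so the router can only download the CRL if a
    'crl query <url>' is configured (assumed rule: authority holds a DN)."""
    entry = cdp.strip()
    m = re.match(r"(?i)^(https?|ldap)://(.*)$", entry)
    if not m:
        return ("ldap-dn", "dn", True)          # bare X.500 DN, no URL at all
    scheme, rest = m.group(1).lower(), m.group(2)
    authority = rest.split("/", 1)[0]
    if "=" in authority:                        # ldap://CN=...: DN where a host belongs
        return ("ldap-url", "dn", True)
    host = authority.rsplit(":", 1)[0]          # drop an optional :port
    kind = "ipv4" if _is_ipv4(host) else "hostname"
    form = "http-url" if scheme.startswith("http") else "ldap-url"
    return (form, kind, False)

def effective_crl_source(cdp, query_url=None):
    """URL the router would download the CRL from: an explicit crl query URL
    wins; otherwise the embedded CDP, but only when it is a complete URL.
    None means the revocation check cannot proceed."""
    if query_url:
        return query_url
    _, _, needs_query = classify_cdp(cdp)
    return None if needs_query else cdp.strip()

def crl_cache_minutes(value):
    """Validate the crl cache argument: 'none' (no caching, returns 0)
    or a delete-after time of 1..43200 minutes."""
    if value == "none":
        return 0
    minutes = int(value)
    if not 1 <= minutes <= 43200:
        raise ValueError("CRL cache time must be 1-43200 minutes")
    return minutes
```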