Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsC9010 Modular Chassis Switch

851

852

853

854

855

856

857

858

859

860

4. Log in to switch using console or telnet or ssh with a valid user role.

When 1-factor authentication is used, the authentication succeeds enabling you to access the switch. When two-factor

authentication is used, the system prompts you to enter a one-time password as a second step of authentication. If a valid one-

time password is supplied, the authentication succeeds enabling you to access the switch.

Support for Change of Authorization and Disconnect Messages

packets

The Network Access Server (NAS) uses RADIUS to authenticate AAA or dot1x user-access to the switch. The RADIUS service

does not support unsolicited messages sent from the RADIUS server to the NAS.

However, there are many instances in which it is desirable for changes to be made to session characteristics, without requiring

the NAS to initiate the exchange. For example, it may be desirable for administrators to be able to terminate user sessions in

progress.

Alternatively, if the user changes authorization level, this change may require that authorization attributes be added or deleted

from the user sessions.

To overcome these limitations, Dell EMC Networking OS provides RADIUS extension commands in order to enable unsolicited

messages to be sent to the NAS. These extension commands provide support for Disconnect Messages (DMs) and Change-of-

Authorization (CoA) packets. DMs cause user sessions to be terminated immediately; whereas, CoA packets modify session

authorization attributes such as VLAN IDs, user privileges, and so on.

Change of Authorization (CoA) packets

Using the CoA packets, the NAS can handle authorization of dot1x sessions by processing the following requests from the

Dynamic Authorization Client (DAC): Re-authentication of the supplicant, Port disable, and Port bounce.

The CoA packets constitute one message request (CoA request) and one of the following two possible responses:

● Change of Authorization Acknowledgement (CoA-Ack) - If the authorization state change is successful, then NAS sends a

CoA-Ack.

● Change of Authorization non-Acknowledgement (CoA-Nak) - If the authorization state change is not successful, then the

NAS sends a CoA-Nak, which is a negative acknowledgement.

Disconnect Messages

Using the Disconnect Messages, the NAS can disconnect AAA and dot1x sessions. NAS can disconnect AAA sessions using

either username or a combination of the username and session id. NAS can disconnect dot1x sessions using NAS-port, or calling-

station ID, or both.

The disconnect messages constitue one message request (DM request) and one of the following two possible responses:

● Disconnect Acknowledgement (DM-Ack) - If the session is disconnected successfully, then NAS sends a DM-Ack.

● Disconnect non-Acknowledgement (DM-Nak) - If the session is not disconnected successfully, then NAS sends a DM-Nak.

Attributes

In Disconnect messsage requests and CoA-Request packets, certain attributes are used to uniquely identify the NAS as well as

user sessions on the NAS.

The combination of NAS and session identification attributes included in a CoA-request or a disconnect-message request must

match at least one session in order for a request to be successful; otherwise, a disconnect-Nak or CoA-Nak is sent. For

disconnect-user operations using DMs, if all NAS identification attributes match, and more than one session matches all of the

session identification attributes, then a CoA-request or a disconnect-message request applies to all matching sessions.

The following tables describe the various types of attributes that identify the NAS and the user sessions:

Security

859