Users Guide
NOTE:
The Invalid Attribute Value Error-Cause is applicable to following scenarios:
– if the CoA request contains incorrect Vendor-Specic attribute value.
– if the CoA request contains incorrect NAS-port or calling-station-id values.
• rejects the CoA-Request containing NAS-IP-Address or NAS-IPV6-Address attribute that does not match the NAS with a CoA-Nak;
Error-Cause value is “NAS Identication Mismatch” (403).
• responds with a CoA-Nak, if it is congured to prohibit honoring of corresponding CoA-Request messages; Error-Cause value is
“Administratively Prohibited” (501).
NOTE:
The Administratively Prohibited Error-Cause is also applicable to following scenarios:
– if the dot1x feature is not enabled in the NAS-port.
– if the NAS-port state is administratively down.
CoA or DM Discard
This section lists various actions that the NAS performs during CoA or DM discard.
The following activities are performed by NAS:
• discards the packet, if dynamic authorization feature is not enabled in NAS.
• discards the packet, if the congured shared key entry is not found for the source IP address of the packet.
• discards the packet with invalid code eld. NAS supports the following radius codes.
– Disconnect-Request (40)
– CoA-Request (43)
• discards the duplicate packets, if NAS is currently processing the original packet. NAS identies the duplicate packet with the following
elds:
– Source IP address
– Source UDP port
– Identier
– VRF ID
• discards the packets, if length of the packet is shorter than the length eld value.
• discards the packets, if length of the packet is shorter than 20 or longer than 4096.
• discards the packets, if request authenticator does not match the calculated MD5 checksum. NAS calculates the MD5 hash using
following elds from the request:
– Code
– Identier
– Length
– 16 Zero Octets
– Request Attributes
– Shared secret (based on the source IP address of the packet)
• discards the packets, if the message-authenticator received in the request is invalid. The message-authenticator is calculated using the
following elds:
– Code Type
– Identier
– Length
– Request Authenticator
– Attributes
Security
909