Users Guide

Authentication, Authorization, and Accounting 325

A CoA Disconnect-Request terminates the session without disabling the

switch port. Instead, a CoA Disconnect-Request termination causes

reinitialization of the authenticator state machine for the specified host.

MAC-based authentication can be enabled for 802.1X sessions in conjunction

with CoA. In this case, if the RADIUS server successfully terminates an

802.1X host session and subsequently does not re-authorize the host MAC

address to access network resources, the host is effectively denied network

access.

If the session cannot be located, the device returns a Disconnect-NAK

message with the “Session Context Not Found” error-cause attribute. If the

session is located, the device terminates the 802.1X session. After the session

has been completely removed, the device returns a Disconnect-ACK message.

The attributes returned within a CoA ACK can vary based on the CoA

Request.

The administrator can configure whether all or any of the session attributes

are used to identify a client session. If all is configured, all session

identification attributes included in the CoA Disconnect-Request must

match a session or the device returns a Disconnect-NAK or CoA-NAK with

the “Invalid Attribute Value” error-code attribute. All attributes in the

Disconnect-Request are treated as mandatory attributes, except Acct-

Terminate-Cause. Unsupported attributes generate a Disconnect-NAK with

error-cause Unsupported Service.

Dell EMC Networking N-Series switches support the following attributes in

responses:

• User-Name (IETF attribute #1)

• NAS-Port (IETF attribute #5)

• Framed-IP-Address (IETF attribute #8)

• Calling-Station-ID (IETF attribute #31)

• Acct-Session-ID (IETF attribute #44)

• Message-Authenticator (IETF attribute #80)

• Error-Cause (IETF attribute #101)