Administrator Guide
• responds with CoA-Nak, if no matching session is found for the session identification attributes in CoA; Error-Cause value is “Session Context Not Found” (503).
• responds with CoA-Nak, for any internal processing error in NAS; Error-Cause value is “Resources Unavailable” (506).
• ignores attributes that are supported as per RFC but irrelevant to the CoA operations.
• responds to a CoA-Request containing one or more incorrect attribute values with a CoA-Nak; Error-Cause value is “Invalid Attribute Value” (407).
NOTE:
The Invalid Attribute Value Error-Cause is applicable to the following scenarios:
  • if the CoA request contains an incorrect Vendor-Specific attribute value.
  • if the CoA request contains incorrect NAS-port or calling-station-id values.
• rejects the CoA-Request containing NAS-IP-Address or NAS-IPv6-Address attribute that does not match the NAS with a CoA-Nak; Error-Cause value is “NAS Identification Mismatch” (403).
• responds with a CoA-Nak, if it is configured to prohibit honoring of corresponding CoA-Request messages; Error-Cause value is “Administratively Prohibited” (501).
NOTE:
The Administratively Prohibited Error-Cause is also applicable to the following scenarios:
  • if the dot1x feature is not enabled in the NAS-port.
  • if the NAS-port state is administratively down.
CoA or DM Discard
This section lists various actions that the NAS performs during CoA or DM discard.
The following activities are performed by NAS:
• discards the packet, if dynamic authorization feature is not enabled in NAS.
• discards the packet, if the configured shared key entry is not found for the source IP address of the packet.
• discards the packet with an invalid code field. NAS supports the following RADIUS codes:
  • Disconnect-Request (40)
  • CoA-Request (43)
• discards the duplicate packets, if NAS is currently processing the original packet. NAS identifies the duplicate packet with the following fields:
  • Source IP address
  • Source UDP port
  • Identifier
  • VRF ID
• discards the packets, if length of the packet is shorter than the length field value.
• discards the packets, if length of the packet is shorter than 20 or longer than 4096.
• discards the packets, if the request authenticator does not match the calculated MD5 checksum. NAS calculates the MD5 hash using the following fields from the request:
  • Code
  • Identifier
  • Length
  • 16 Zero Octets
  • Request Attributes
  • Shared secret (based on the source IP address of the packet)
• discards the packets, if the message-authenticator received in the request is invalid. The message-authenticator is calculated using the following fields:
  • Code Type
  • Identifier
  • Length
  • Request Authenticator
  • Attributes
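
The size, code and request authenticator checks listed above, as an added Python example (not taken from this guide or from the NAS software). The function names, the shared secret and the sample User-Name attribute are constructed for illustration; duplicate detection and the message-authenticator check are left out.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43  # the two codes the NAS accepts
SECRET = b"constructed-shared-secret"     # constructed sample value
USER_NAME = bytes([1, 7]) + b"alice"      # constructed User-Name attribute (type 1)

def build_request(code, identifier, attributes, secret):
    """Sender side: sign a request so the sample below is self-contained."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    digest = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + digest + attributes

def discard_reason(packet, secret):
    """Return None if the packet passes, else why it is silently discarded."""
    if len(packet) < 20 or len(packet) > 4096:
        return "packet size out of range"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return "invalid code"
    # Assumption: a Length field below the 20-octet header is also rejected.
    if length < 20 or len(packet) < length:
        return "packet shorter than length field"
    attributes = packet[20:length]  # octets past Length are padding (RFC 2865)
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + attributes + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return "request authenticator mismatch"
    return None

if __name__ == "__main__":
    good = build_request(COA_REQUEST, 7, USER_NAME, SECRET)
    forged = good[:-1] + b"x"  # attribute changed after signing
    for name, pkt in [("good", good), ("forged", forged), ("truncated", good[:-1])]:
        print(name, "->", discard_reason(pkt, SECRET) or "accepted")
```

The authenticator comparison uses `hmac.compare_digest` so that the check runs in constant time.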
Security