Administrator Guide

- responds with a CoA-Nak if no matching session is found for the session identification attributes in the CoA; the Error-Cause value is “Session Context Not Found” (503).
- responds with a CoA-Nak for any internal processing error in the NAS; the Error-Cause value is “Resources Unavailable” (506).
- ignores attributes that are supported as per the RFC but irrelevant to the CoA operations.
- responds to a CoA-Request containing one or more incorrect attribute values with a CoA-Nak; the Error-Cause value is “Invalid Attribute Value” (407).
  NOTE: The Invalid Attribute Value Error-Cause is applicable to the following scenarios:
  - if the CoA request contains an incorrect Vendor-Specific attribute value.
  - if the CoA request contains incorrect NAS-port or calling-station-id values.
- rejects a CoA-Request containing a NAS-IP-Address or NAS-IPV6-Address attribute that does not match the NAS with a CoA-Nak; the Error-Cause value is “NAS Identification Mismatch” (403).
- responds with a CoA-Nak if it is configured to prohibit honoring of the corresponding CoA-Request messages; the Error-Cause value is “Administratively Prohibited” (501).
  NOTE: The Administratively Prohibited Error-Cause is also applicable to the following scenarios:
  - if the dot1x feature is not enabled on the NAS-port.
  - if the NAS-port state is administratively down.
CoA or DM Discard
This section lists the actions that the NAS performs when it discards a CoA or DM packet.
The NAS performs the following activities:
- discards the packet if the dynamic authorization feature is not enabled in the NAS.
- discards the packet if no configured shared key entry is found for the source IP address of the packet.
- discards a packet with an invalid code field. The NAS supports the following RADIUS codes:
  - Disconnect-Request (40)
  - CoA-Request (43)
- discards duplicate packets if the NAS is currently processing the original packet. The NAS identifies a duplicate packet by the following fields:
  - Source IP address
  - Source UDP port
  - Identifier
  - VRF ID
- discards the packet if the length of the packet is shorter than the length field value.
- discards the packet if the length of the packet is shorter than 20 or longer than 4096.
- discards the packet if the request authenticator does not match the calculated MD5 checksum. The NAS calculates the MD5 hash using the following fields from the request:
  - Code
  - Identifier
  - Length
  - 16 Zero Octets
  - Request Attributes
  - Shared secret (based on the source IP address of the packet)
- discards the packet if the message-authenticator received in the request is invalid. The message-authenticator is calculated using the following fields:
  - Code Type
  - Identifier
  - Length
  - Request Authenticator
  - Attributes
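
The following is an added example, not code from this guide or from the NAS software: it applies the size, code and Request Authenticator discard rules listed above to a raw packet, recomputing the MD5 over Code, Identifier, Length, 16 zero octets, the attributes and the shared secret selected by source IP address. The function names, reason strings, client address and secret are assumptions made for the example, and the size check runs before header parsing so the header can be unpacked safely.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43   # the two codes the NAS accepts
MIN_LEN, MAX_LEN = 20, 4096                # packet size bounds from the list above

def request_authenticator(header, attrs, secret):
    """MD5 over Code+Identifier+Length, 16 zero octets, attributes, shared secret."""
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(code, ident, attrs, secret):
    """Build a signed request; used here only to construct sample input."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs

def check_packet(data, src_ip, secrets, enabled=True):
    """Return (accepted, reason); a False result means the packet is discarded."""
    if not enabled:
        return False, "dynamic authorization disabled"
    secret = secrets.get(src_ip)           # shared key is chosen by source IP
    if secret is None:
        return False, "no shared key for source"
    if not MIN_LEN <= len(data) <= MAX_LEN:
        return False, "bad packet size"
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False, "invalid code"
    # Assumption: a length field below the 20-octet header is also malformed.
    if length < MIN_LEN or len(data) < length:
        return False, "length field mismatch"
    attrs = data[20:length]                # octets past Length are ignored
    expected = request_authenticator(data[:4], attrs, secret)
    if not hmac.compare_digest(expected, data[4:20]):   # constant-time compare
        return False, "request authenticator mismatch"
    return True, "ok"

# Constructed sample input: one client and a User-Name attribute (type 1).
SECRETS = {"192.0.2.10": b"constructed-secret"}
ATTRS = bytes([1, 7]) + b"alice"
GOOD = build_request(COA_REQUEST, 7, ATTRS, SECRETS["192.0.2.10"])

if __name__ == "__main__":
    print(check_packet(GOOD, "192.0.2.10", SECRETS))
```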
Security