Glossary

ManualsBrandsDell ManualsAccess PlatformsOS9

801

802

803

804

805

806

807

808

809

810

Configuring CoA to bounce 802.1x enabled ports

Dell EMC Networking OS provides RADIUS extension commands that enables you to configure port bounce settings for the

802.1x enabled port.

Before configuring port bounce settings on a 802.1x enabled port, ensure that the following prerequisites are satisfied:

● Shared key is configured in NAS for DAC.

● NAS server listens on the Management IP UDP port 3799 (default) or the port configured through CLI.

● The user is logged-in through 802.1X enabled physical port and successfully authenticated with Radius Server.

When DAC initiates a port bounce operation, the NAS server causes the links on the authentication port to flap. This incident in

turn triggers re-negotiation on one of the ports that is flapped.

1. Enter the following command to configure the dynamic authorization feature:

radius dynamic-auth

2. Enter the following command to configure port-bounce setttings on a 802.1x enabled port:

coa-bounce-port

NAS disables the authentication port that is hosting the session and re-enables it after 10 seconds. All user sessions

connected to this authentication port are affected.

Dell(conf#)radius dynamic-auth

Dell(conf-dynamic-auth#)coa-bounce-port

NAS takes the following actions whenever port-bounce is triggered:

● validates the CoA request and the session identification attributes.

● sends a CoA-Nak with an error-cause of 402 (missing attribute), if the CoA request does not contain the NAS-port

attributes.

● uses the NAS-port attribute to identify the 802.1x enabled interface.

● sends a CoA-Nak with an error-cause value of 503 (session context not found), if it is unable to retrieve 802.1x enabled

interface using the NAS-port attribute.

● sends a CoA-Ack if it is successfully able to flap the port.

● discards the packet, if simultaneous requests are received for the same NAS Port.

Configuring CoA to re-authenticate 802.1x sessions

Dell EMC Networking OS provides RADIUS extension commands that enables you to configure re-authentication of 802.1x user

sessions. When you configure this feature, the DAC sends the CoA request to re-authenticate the 802.1x uer session when ever

the authorization level of the user’s profile changes.

Before configuring re-authentication of 802.1x sessions, ensure that the following prerequisites are satisfied:

● Shared key is configured in NAS for DAC.

● NAS server listens on the Management IP UDP port 3799 (default) or the port configured through CLI.

● The user is logged-in through 802.1X enabled physical port and successfully authenticated with Radius Server.

To initiate 802.1x session re-authentication, the DAC sends a standard CoA request that contains one or more session

identification attributes. NAS uses the calling-station-id or the NAS-port attributes to identify a 802.1x user session. In case of

the EAP or MAB users, the MAC address is the calling-station-id of the supplicant and the NAS-port is the interface identifier. If

both these attributes are present in the CoA request, NAS retrieves the supplicant connected to the interface. The EAP or MAB

user sessions are re-authenticated and the NAS sends a CoA-Ack to the user, in case the re-authentication is successful.

1. Enter the following command to configure the dynamic authorization feature:

radius dynamic-auth

2. Enter the following command to configure the re-authentication of 802.1x sessions:

coa-reauthenticate

NAS re-initiates the user authentication state.

Dell(conf#)radius dynamic-auth

Dell(conf-dynamic-auth#)coa-reauthenticate

NAS takes the following actions whenever re-authentication is triggered:

● validates the CoA request and the session identification attributes.

808

Security