Deployment Guide

1. Enter the following command to configure the dynamic authorization feature:
radius dynamic-auth
2. Enter the following command to disable the 802.1x enabled physical port:
coa-disable-port
NAS administratively shuts down the 802.1x enabled port that is hosting the session. You can re-enable this port only
through a non-RADIUS mechanism or through a bounce-port request.
Dell(conf#)radius dynamic-auth
Dell(conf-dynamic-auth#)coa-disable-port
NAS takes the following actions:
• validates the CoA request and the session identification attributes.
• sends a CoA-Nak with an error-cause of 402 (missing attribute), if the CoA request does not contain the NAS-port attribute.
• returns an error-cause value of 503 (session context not found), if it is not able to retrieve the port information using the NAS-port attribute.
• sends a CoA-Ack, if it is able to successfully disable the 802.1x enabled port.
• sends a CoA-Nak with an error-cause value of 506 (resource unavailable), if it is not able to disable the 802.1x enabled port.
• discards the packet, if simultaneous requests are received for the same NAS Port.
Important points to remember
Virtual link trunking (VLT) scenario
This section describes how the secondary NAS processes the PE port authorization RADIUS requests to the primary NAS.
The NAS VLT chassis member processes the RADIUS dynamic authorization message locally if the role of chassis is primary.
The NAS secondary VLT chassis member forwards the RADIUS dynamic authorization message authorizing dual-homed Port
Extender (PE) ports to the primary VLT peer. The NAS secondary VLT chassis member forwards the response to the DAC after
receiving it from the primary VLT peer.
The NAS VLT secondary chassis member processes the RADIUS dynamic authorization message authorizing non-PE Control
Bridge (CB) ports locally.
RPM failover scenario
This section describes how the NAS handles virtual IP failovers to the secondary RPM.
The NAS Route Processor Module (RPM) processes the RADIUS dynamic authorization message only if the role of RPM is
active.
The NAS standby RPM processes the retransmitted CoA or DM messages without requiring a chassis reboot if the primary RPM
fails and the standby becomes primary.
Stack failover scenario
This section describes the stack failover scenario.
The NAS stacking module processes the RADIUS dynamic authorization messages only if the role of module is master.
The NAS standby stacking module processes the retransmitted CoA or DM messages without requiring a chassis reboot, if
the master module fails and the standby module becomes the master.
Configuring replay protection
NAS enables you to configure the replay protection window period.
NAS drops the packets if duplicate packets are received within the replay protection window period. The default value is 5 minutes.
Enter the following command to configure replay protection:
replay-prot-window minutes