Administrator Guide

Authentication, Authorization, and Accounting
The administrator can configure whether all or any of the session attributes
are used to identify a client session. If all is configured, all session
identification attributes included in the CoA Disconnect-Request must
match a session or the device returns a Disconnect-NAK or CoA-NAK with
the “Invalid Attribute Value” error-code attribute.
Dell Networking N-Series switches support the following attributes in
responses:
State (IETF attribute #24)
Calling-Station-ID (IETF attribute #31)
Acct-Session-ID (IETF attribute #44)
Message-Authenticator (IETF attribute #80)
Error-Cause (IETF attribute #101)
A CoA NAK message is not sent for all CoA requests with a key mismatch.
The message is sent only for the first three requests for a client. After that, all
the packets from that client are dropped. When there is a key mismatch, the
response authenticator sent with the CoA NAK message is calculated from a
dummy key value.
The Dell Networking N-Series switch will start listening to the client again
based on the re-authentication timer.
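The key check and the all/any session matching described above, as an added Python example (not Dell's implementation and not part of the guide): it validates the RFC 5176 Request Authenticator of a Disconnect-Request before comparing any session attribute. The session table, the helper names, and the reading of any as "at least one attribute matches" are assumptions; the shared secret is the sample value this guide uses in its configuration example.

```python
import hashlib, hmac, struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 codes
CALLING_STATION_ID, ACCT_SESSION_ID = 31, 44
INVALID_ATTRIBUTE_VALUE = 407  # RFC 5176 Error-Cause value
KEY_MISMATCH = "key-mismatch"  # hypothetical marker used by this example

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def request_authenticator(code, ident, attrs, secret):
    # RFC 5176: MD5(Code | Identifier | Length | 16 zero octets | attributes | secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(code, ident, attrs, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(code, ident, attrs, secret) + attrs

def parse_attrs(data):
    found, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        found[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return found

def handle_disconnect(packet, secret, sessions, mode="all"):
    """Return KEY_MISMATCH, or a (reply_code, error_cause) tuple."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad packet length")
    code, ident = packet[0], packet[1]
    attrs = packet[20:]
    expected = request_authenticator(code, ident, attrs, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        return KEY_MISMATCH  # attributes are never evaluated under a wrong key
    wanted = {t: v for t, v in parse_attrs(attrs).items()
              if t in (CALLING_STATION_ID, ACCT_SESSION_ID)}
    test = all if mode == "all" else any
    # "wanted and" stops an empty identifier set from matching every session
    for session in sessions:
        if wanted and test(session.get(t) == v for t, v in wanted.items()):
            return (DISCONNECT_ACK, None)
    return (DISCONNECT_NAK, INVALID_ATTRIBUTE_VALUE)

# Constructed sample data: one active session and the guide's sample secret
SECRET = b"secret sauce"
SESSIONS = [{CALLING_STATION_ID: b"00-11-22-33-44-55", ACCT_SESSION_ID: b"0000002A"}]
```

A request that identifies the station correctly but carries a stale Acct-Session-ID is rejected in all mode and accepted in any mode, which is the practical difference between the two settings.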
RADIUS COA Example
The following example configures the Dell Networking N-Series switch to
listen for and respond to RADIUS COA messages:
1. Configure the switch to use the new model CLI command set. Dell
Networking N-Series switches do not support old model commands:
console#config
console(config)#aaa new-model
2. Configure the switch to listen to RADIUS CoA requests.
console(config)#aaa server radius dynamic-author
3. Configure a local RADIUS client connection to RADIUS server
10.11.12.13 using the shared secret “secret sauce”. The default port
number is used.
console(config-radius-da)#client 10.11.12.13 server-key "secret sauce"