Administrator Guide

Authentication, Authorization, and Accounting
The RADIUS server should be configured such that it will send the Cisco AV
Pair attribute with the “roles” value. For example:
shell:roles=router-admin
The above example attribute gives the user access to the commands
permitted by the router-admin profile.
RADIUS Change of Authorization
Dell Networking N-Series switches support the Change of Authorization
Disconnect-Request per RFC 3575. The Dell Networking N-Series switch
listens for the Disconnect-Request on UDP port 3799. The
Disconnect-Request identifies the user session to be terminated using the
following attributes:
• State (IETF attribute #24)
• Acct-Session-Id (IETF attribute #44)
• Calling-Station-Id (IETF attribute #31, which contains the host MAC
  address)
The following messages from RFC 3575 are supported:
40 – Disconnect-Request
41 – Disconnect-ACK
42 – Disconnect-NAK
A CoA Disconnect-Request terminates the session without disabling the
switch port. Instead, CoA Disconnect-Request termination causes
reinitialization of the authenticator state machine for the specified host.
MAC-based authentication can be enabled for 802.1X sessions in conjunction
with CoA. In this case, if the RADIUS server successfully terminates a MAB
session and subsequently does not re-authorize the host MAC address to
access network resources, the host is effectively denied network access.
If the session cannot be located, the device returns a Disconnect-NAK
message with the “Session Context Not Found” error-code attribute. If the
session is located, the device terminates the session. After the session has
been completely removed, the device returns a Disconnect-ACK message.
The attributes returned within a CoA ACK can vary based on the CoA
Request.
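
The Disconnect-Request handling described above, as an added Python example (not Dell's switch code): it checks the Request Authenticator before acting on the packet, matches the session on the three identifying attributes, and builds the Disconnect-ACK or Disconnect-NAK. The authenticator calculation, the Error-Cause attribute number (101) and the value 503 for "Session Context Not Found" are taken from RFC 5176 rather than from this guide; the `sessions` list and the rule that every supplied identifying attribute must match are assumptions.

```python
import hashlib, hmac, struct
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
STATE, CALLING_STATION_ID, ACCT_SESSION_ID = 24, 31, 44
ERROR_CAUSE, SESSION_CONTEXT_NOT_FOUND = 101, 503  # numbers per RFC 5176

def _auth(code, ident, length, seed, body, secret):
    # MD5(Code + Identifier + Length + 16-octet seed + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + seed + body + secret).digest()

def build_request(ident, attrs, secret):
    """Build a constructed sample Disconnect-Request, as a RADIUS server would send it."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    length = 20 + len(body)
    auth = _auth(DISCONNECT_REQUEST, ident, length, bytes(16), body, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, length) + auth + body

def parse_request(pkt, secret):
    """Return (identifier, authenticator, attrs) or raise ValueError."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != DISCONNECT_REQUEST or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Disconnect-Request")
    auth, body = pkt[4:20], pkt[20:length]
    # The Request Authenticator is seeded with 16 zero octets; reject forgeries.
    expected = _auth(code, ident, length, bytes(16), body, secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("bad Request Authenticator")
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return ident, auth, attrs

def respond(pkt, secret, sessions):
    """Terminate the matching session and build the Disconnect-ACK or -NAK."""
    ident, req_auth, attrs = parse_request(pkt, secret)
    keys = {t: attrs[t] for t in (STATE, ACCT_SESSION_ID, CALLING_STATION_ID) if t in attrs}
    # sessions: hypothetical list of dicts keyed by attribute number (assumption)
    hits = [s for s in sessions if keys and all(s.get(t) == v for t, v in keys.items())]
    for s in hits:
        sessions.remove(s)
    code, body = DISCONNECT_ACK, b""
    if not hits:
        code, body = DISCONNECT_NAK, struct.pack("!BBI", ERROR_CAUSE, 6, SESSION_CONTEXT_NOT_FOUND)
    length = 20 + len(body)
    return struct.pack("!BBH", code, ident, length) + _auth(code, ident, length, req_auth, body, secret) + body
```

The response authenticator is seeded with the authenticator taken from the request, which is how the RADIUS server ties an ACK or NAK to the Disconnect-Request it sent.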