Administrator Guide

seq 27 deny ip any any count (0 packets)
seq 32 permit tcp 1.1.1.1 1.1.1.1 eq 65535 2.2.2.2 2.2.2.2 eq 65535 monitor no-drop order 254
seq 37 permit ip host 1.1.1.1 host 2.2.2.2 dscp 63 ecn 3 fragments log monitor no-drop order 254
seq 42 permit ip any host 150.0.0.100 dscp 63 ecn 3
seq 47 permit ip 100.0.0.0/28 200.0.0.0/23
seq 52 permit ip 100.0.0.0/16 any
seq 57 permit icmp host 1.1.1.1 200.0.0.0/23
seq 62 permit icmp any 200.0.0.0/27
seq 67 permit icmp host 1.1.1.1 any
seq 72 permit udp 1.1.1.1 1.1.1.1 eq 65535 2.2.2.2 2.2.2.2 eq 65535
!
Extended Ingress IP access list test1 on GigabitEthernet 2/1(Radius-ACL)Supplicant MAC-38:8f:17:91:00:00
Total cam count 3
seq 5 permit ip host 10.10.10.10 host 20.20.20.20 count (0 packets)
seq 10 permit ip host 100.0.0.1 host 200.0.0.100 count (0 packets)
seq 15 deny ip host 100.0.0.1 host 111.0.0.100 count (0 packets)
Support for Change of Authorization and Disconnect Messages packets
The Network Access Server (NAS) uses RADIUS to authenticate AAA or dot1x user-access to the switch. The RADIUS service does not support unsolicited messages sent from the RADIUS server to the NAS.
However, there are many instances in which it is desirable for changes to be made to session characteristics without requiring the NAS to initiate the exchange. For example, it may be desirable for administrators to be able to terminate user sessions in progress. Alternatively, if the user changes authorization level, this change may require that authorization attributes be added to or deleted from the user sessions.
To overcome these limitations, Dell EMC Networking OS provides RADIUS extension commands in order to enable unsolicited messages to be sent to the NAS. These extension commands provide support for Disconnect Messages (DMs) and Change-of-Authorization (CoA) packets. DMs cause user sessions to be terminated immediately, whereas CoA packets modify session authorization attributes such as VLAN IDs, user privileges, and so on.
Change of Authorization (CoA) packets
Using the CoA packets, the NAS can handle authorization of dot1x sessions by processing the following requests from the Dynamic Authorization Client (DAC): Re-authentication of the supplicant, Port disable, and Port bounce.
The CoA packets constitute one message request (CoA request) and one of the following two possible responses:
Change of Authorization Acknowledgement (CoA-Ack) - If the authorization state change is successful, then NAS sends a CoA-Ack.
Change of Authorization non-Acknowledgement (CoA-Nak) - If the authorization state change is not successful, then the NAS sends a CoA-Nak, which is a negative acknowledgement.
Disconnect Messages
Using the Disconnect Messages, the NAS can disconnect AAA and dot1x sessions. The NAS can disconnect AAA sessions using either the username or a combination of the username and session ID. The NAS can disconnect dot1x sessions using the NAS-port, the calling-station ID, or both.
The disconnect messages constitute one message request (DM request) and one of the following two possible responses:
Disconnect Acknowledgement (DM-Ack) - If the session is disconnected successfully, then NAS sends a DM-Ack.
Disconnect non-Acknowledgement (DM-Nak) - If the session is not disconnected successfully, then NAS sends a DM-Nak.
Attributes
In Disconnect message requests and CoA-Request packets, certain attributes are used to uniquely identify the NAS as well as user sessions on the NAS.
The combination of NAS and session identification attributes included in a CoA-request or a disconnect-message request must match at least one session in order for a request to be successful; otherwise, a disconnect-Nak or CoA-Nak is sent. For disconnect-user operations using DMs, if all NAS identification attributes match, and more than one session matches all of the session identification attributes, then a CoA-request or a disconnect-message request applies to all matching sessions.
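The matching rules above can be made concrete with a small model of the NAS-side decision. The following Python is an added illustration, not Dell EMC Networking OS code: it holds a constructed session table, applies the rule that every NAS identification attribute present in the request must match this NAS and that the session identification attributes must select at least one session, and then returns the Ack or Nak code defined in RFC 5176 while applying the operation to every matching session. The attribute names (User-Name, Acct-Session-Id, NAS-Port, Calling-Station-Id, NAS-IP-Address, NAS-Identifier) are the standard RADIUS attributes for the identifiers the guide describes; the session records, the NAS identity and the VLAN change are constructed sample data.

```python
"""Model of how a NAS handles a RADIUS Disconnect-Request or CoA-Request.

Added example (not Dell EMC Networking OS code).  Sessions, NAS identity
and the authorization change below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# RADIUS packet codes for dynamic authorization (RFC 5176).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attributes that identify a session on the NAS.  The guide names
# username / session id for AAA sessions and NAS-port / calling-station ID
# for dot1x sessions; these are the standard RADIUS attribute names.
SESSION_ID_ATTRS = {"User-Name", "Acct-Session-Id", "NAS-Port", "Calling-Station-Id"}
# Attributes that identify the NAS itself.
NAS_ID_ATTRS = {"NAS-IP-Address", "NAS-Identifier"}

# Constructed identity for the switch handling the requests.
NAS_IDENTITY = {"NAS-IP-Address": "10.0.0.1", "NAS-Identifier": "switch1"}


@dataclass
class Session:
    kind: str                                   # "aaa" or "dot1x"
    attrs: Dict[str, str]                       # identification attributes
    authorization: Dict[str, str] = field(default_factory=dict)
    active: bool = True


def make_sessions() -> List[Session]:
    """Constructed session table: two AAA sessions for one user, one dot1x session."""
    return [
        Session("aaa", {"User-Name": "alice", "Acct-Session-Id": "0001"}),
        Session("aaa", {"User-Name": "alice", "Acct-Session-Id": "0002"}),
        Session("dot1x", {"User-Name": "bob", "NAS-Port": "2/1",
                          "Calling-Station-Id": "38:8f:17:91:00:00"},
                authorization={"Tunnel-Private-Group-ID": "100"}),
    ]


def matches_nas(request: Dict[str, str], nas_identity: Dict[str, str]) -> bool:
    """Every NAS identification attribute carried in the request must match this NAS."""
    return all(request[a] == nas_identity.get(a) for a in NAS_ID_ATTRS if a in request)


def matching_sessions(request: Dict[str, str], sessions: List[Session]) -> List[Session]:
    """Active sessions whose attributes equal all session identification attributes in the request."""
    keys = [a for a in SESSION_ID_ATTRS if a in request]
    if not keys:
        # A request with no session identification attribute selects nothing,
        # so it can never act as a wildcard over every session.
        return []
    return [s for s in sessions if s.active and all(s.attrs.get(k) == request[k] for k in keys)]


def handle_request(code: int, request: Dict[str, str], sessions: List[Session],
                   nas_identity: Dict[str, str] = NAS_IDENTITY) -> Tuple[int, List[Session]]:
    """Return (response code, affected sessions) for a DM or CoA request.

    DM: every matching session is terminated.  CoA: the non-identification
    attributes in the request replace the matching sessions' authorization.
    """
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError("not a dynamic authorization request")
    ack, nak = ((DISCONNECT_ACK, DISCONNECT_NAK) if code == DISCONNECT_REQUEST
                else (COA_ACK, COA_NAK))
    if not matches_nas(request, nas_identity):
        return nak, []
    matched = matching_sessions(request, sessions)
    if not matched:
        return nak, []
    if code == DISCONNECT_REQUEST:
        for s in matched:
            s.active = False
    else:
        changes = {k: v for k, v in request.items() if k not in SESSION_ID_ATTRS | NAS_ID_ATTRS}
        for s in matched:
            s.authorization.update(changes)
    return ack, matched


if __name__ == "__main__":
    table = make_sessions()
    # Username only: both of alice's AAA sessions are disconnected.
    print(handle_request(DISCONNECT_REQUEST, {"NAS-IP-Address": "10.0.0.1", "User-Name": "alice"}, table))
    # dot1x session selected by NAS-Port, VLAN attribute changed by CoA.
    print(handle_request(COA_REQUEST, {"NAS-Identifier": "switch1", "NAS-Port": "2/1",
                                       "Tunnel-Private-Group-ID": "200"}, table))
```

The two guards worth noting from a defender's view are that a mismatch in any NAS identification attribute produces a Nak without touching the session table, and that a request carrying only NAS attributes selects no session, so the "applies to all matching sessions" rule cannot be turned into a disconnect of every user on the switch.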
Security