Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S3048-ON

711

712

713

714

715

716

717

718

719

720

terminate-session

NAS terminates the 802.1x user session without disabling the physical port.

Dell(conf#)radius dynamic-auth

Dell(conf-dynamic-auth#)terminate-session

NAS takes the following actions whenever session termination is triggered:

● validates the DM request and the session identification attributes.

● sends a DM-Nak with an error-cause of 402 (missing attribute), if the DM request does not contain the calling-station-id and

NAS-port attributes.

● returns an error-cause value of 503 (session context not found), if it is not able to retrieve the session using the calling-

station-id or NAS-port attribute or both.

● sends a DM-Ack, if it is able to terminate the session.

● sends a DM-Nak with an error-cause value of 506 (resource unavailable), if it is not able to apply changes to the existing

session.

● discards the packet, if simultaneous requests are received for the same NAS-port or calling-station-id, or both.

Disabling 802.1x enabled port

Dell EMC Networking OS provides RADIUS extension commands that enables you to disable 802.1x enabled ports. This

command administratively shuts down the port causing the termination of the dot1x user session. This command is useful when

a port is known to cause issue in the network and needs to be disabled.

Before disabling the 802.1x enabled port, ensure that the following prerequisites are satisfied:

● Shared key is configured in NAS for DAC.

● NAS server listens on the Management IP UDP port 3799 (default) or the port configured through CLI.

● The user is logged-in through 802.1X enabled physical port and successfully authenticated with Radius Server.

To initiate shutting down of the 802.1x enabled port, the DAC sends a standard CoA request that contains one or more session

identification attributes. NAS uses the NAS-port attributes to identify the 802.1x enabled physical port.

1. Enter the following command to configure the dynamic authorization feature:

radius dynamic-auth

2. Enter the following command to disable the 802.1x enabled physical port:

coa-disable-port

NAS administratively shuts down the 802.1x enabled port that is hosting the session. You can re-enable this port only

through a non-RADIUS mechanism or through bounce-port request.

Dell(conf#)radius dynamic-auth

Dell(conf-dynamic-auth#)coa-disable-port

NAS takes the following actions:

● validates the CoA request and the session identification attributes.

● sends a CoA-Nak with an error-cause of 402 (missing attribute), if the CoA request does not contain the NAS-port attribute.

● returns an error-cause value of 503 (session context not found), if it is not able to retrieve the port information using the

NAS-port attribute.

● sends a CoA-Ack, if it is able to successfully disable the 802.1x enabled port.

● sends a CoA-Nak with an error-cause value of 506 (resource unavailable), if it is not able to disable the 802.1x enabled port.

● discards the packet, if simultaneous requests are received for the same NAS Port.

Important points to remember

Virtual link truncking (VLT) scenario

This section describes how the secondary NAS processes the PE port authorization RADIUS requests to the primary NAS.

● The NAS VLT chassis member processes the RADIUS dynamic authorization message locally if the role of chassis is primary.

718

Security