Concept Guide
CoA or DM Discard
This section lists various actions that the NAS performs during CoA or DM discard.
The following activities are performed by NAS:
• discards the packet, if the dynamic authorization feature is not enabled in NAS.
• discards the packet, if the configured shared key entry is not found for the source IP address of the packet.
• discards the packet, if the code field is invalid. NAS supports the following RADIUS codes:
– Disconnect-Request (40)
– CoA-Request (43)
• discards the duplicate packets, if NAS is currently processing the original packet. NAS identifies the duplicate packet with the following fields:
– Source IP address
– Source UDP port
– Identifier
– VRF ID
• discards the packets, if the length of the packet is shorter than the length field value.
• discards the packets, if the length of the packet is shorter than 20 or longer than 4096.
• discards the packets, if the request authenticator does not match the calculated MD5 checksum. NAS calculates the MD5 hash using the following fields from the request:
– Code
– Identifier
– Length
– 16 Zero Octets
– Request Attributes
– Shared secret (based on the source IP address of the packet)
• discards the packets, if the message-authenticator received in the request is invalid. The message-authenticator is calculated using the following fields:
– Code Type
– Identifier
– Length
– Request Authenticator
– Attributes
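The stateless checks from the list above, written out as an added example (not code from this guide or from the NAS software). Function names, reason strings, the sample secret and the sample attribute are constructed for illustration; duplicate detection and the message-authenticator check are left out, and the size check runs first so the header can be parsed safely.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43
MIN_LEN, MAX_LEN = 20, 4096


def request_authenticator(header4: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5 over Code, Identifier, Length, 16 zero octets, attributes, secret."""
    return hashlib.md5(header4 + bytes(16) + attrs + secret).digest()


def check_request(datagram: bytes, src_ip: str, secrets: dict, enabled: bool = True):
    """Return None to accept the packet, or the reason it is discarded."""
    if not enabled:
        return "dynamic authorization disabled"
    secret = secrets.get(src_ip)  # shared key is selected by source IP
    if secret is None:
        return "no shared key for source"
    if not MIN_LEN <= len(datagram) <= MAX_LEN:
        return "bad datagram size"
    code, _ident, length = struct.unpack("!BBH", datagram[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return "invalid code"
    # length < 20 is a defensive addition; the list only names the short-packet case
    if length < MIN_LEN or len(datagram) < length:
        return "shorter than Length field"
    attrs = datagram[20:length]  # octets past Length are padding (RFC 2865)
    expected = request_authenticator(datagram[:4], attrs, secret)
    if not hmac.compare_digest(expected, datagram[4:20]):  # constant-time compare
        return "request authenticator mismatch"
    return None


def build_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Constructed sample sender, used only to exercise check_request()."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs


if __name__ == "__main__":
    SECRETS = {"192.0.2.10": b"example-secret"}  # constructed values
    ATTRS = bytes([44, 6]) + b"s-01"             # Acct-Session-Id, constructed
    good = build_request(DISCONNECT_REQUEST, 7, ATTRS, SECRETS["192.0.2.10"])
    for pkt in (good, good[:-1], good[:-1] + b"X"):
        print(check_request(pkt, "192.0.2.10", SECRETS))
```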
Disconnect Message Processing
This section lists various actions that the NAS performs during DM processing.
The following activities are performed by NAS:
• responds with DM-Nak, if no matching session is found in NAS for the session identification attributes in DM; Error-Cause value is “Session Context Not Found” (503).
• responds with DM-Nak for any internal processing error in NAS; Error-Cause value is “Resources Unavailable” (506).
• ignores attributes that are supported as per RFC but are irrelevant to the DM operation.
• responds to a disconnect message containing one or more incorrect attribute values with a Disconnect-NAK; Error-Cause value is “Invalid Attribute Value” (407).
• responds to a disconnect message containing unsupported attributes with DM-Nak; Error-Cause value is “Unsupported Attributes” (401).