Concept Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S3048-ON

761

762

763

764

765

766

767

768

769

770

Conguring CoA to re-authenticate 802.1x sessions

Dell EMC Networking OS provides RADIUS extension commands that enables you to congure re-authentication of 802.1x user sessions.

When you congure this feature, the DAC sends the CoA request to re-authenticate the 802.1x uer session when ever the authorization

level of the user’s prole changes.

Before conguring re-authentication of 802.1x sessions, ensure that the following prerequisites are satised:

• Shared key is congured in NAS for DAC.

• NAS server listens on the Management IP UDP port 3799 (default) or the port congured through CLI.

• The user is logged-in through 802.1X enabled physical port and successfully authenticated with Radius Server.

To initiate 802.1x session re-authentication, the DAC sends a standard CoA request that contains one or more session identication

attributes. NAS uses the calling-station-id or the NAS-port attributes to identify a 802.1x user session. In case of the EAP or MAB users,

the MAC address is the calling-station-id of the supplicant and the NAS-port is the interface identier. If both these attributes are present

in the CoA request, NAS retrieves the supplicant connected to the interface. The EAP or MAB user sessions are re-authenticated and the

NAS sends a CoA-Ack to the user, in case the re-authentication is successful.

1 Enter the following command to congure the dynamic authorization feature:

radius dynamic-auth

2 Enter the following command to congure the re-authentication of 802.1x sessions:

coa-reauthenticate

NAS re-initiates the user authentication state.

Dell(conf#)radius dynamic-auth

Dell(conf-dynamic-auth#)coa-reauthenticate

NAS takes the following actions whenever re-authentication is triggered:

• validates the CoA request and the session identication attributes.

• sends a CoA-Nak with an error-cause of 402 (missing attribute), if the CoA request does not contain both the calling-station-id as well

as the NAS-port attribute.

• sends a CoA-Ack if the re-authentication of the 802.1x session is successful.

• sends a CoA-Nak with an error-cause value of 506 (resource unavailable), if it is unable to initiate the re-authentication process.

• sends a CoA-Nak if user authentication fails due to unresponsive supplicant or RADIUS server.

• sends a CoA-Ack, if the user is congured with static MAB prole.

• discards the packet, if simultaneous requests are received for the same calling-station-id or NAS-port or both.

• returns an error-cause value of 503 (session context not found), if it is not able to retrieve the session using the calling-station-id or

NAS-port attribute or both.

• sends NAK if user is congured with forced-unauthorization.

• sends-ACK if user is congured with forced-authorization.

Terminating the 802.1x user session

Dell EMC Networking OS provides RADIUS extension commands that terminate the 802.1x user session. When this request is initiated, the

NAS disconnects the 802.1x user session without disabling the physical port that authenticated the current session.

Before terminating the 802.1x user session, ensure that the following prerequisites are satised:

• Shared key is congured in NAS for DAC.

• NAS server listens on the Management IP UDP port 3799 (default) or the port congured through CLI.

• The user is logged-in through 802.1X enabled physical port and successfully authenticated with Radius Server.

762

Security