Concept Guide

NAS disables the authentication port that is hosting the session and re-enables it after 10 seconds. All user sessions connected to this authentication port are affected.
Dell(conf#)radius dynamic-auth
Dell(conf-dynamic-auth#)coa-bounce-port
NAS takes the following actions whenever port-bounce is triggered:
validates the CoA request and the session identification attributes.
sends a CoA-Nak with an error-cause of 402 (missing attribute), if the CoA request does not contain the NAS-port attributes.
uses the NAS-port attribute to identify the 802.1x enabled interface.
sends a CoA-Nak with an error-cause value of 503 (session context not found), if it is unable to retrieve 802.1x enabled interface using the NAS-port attribute.
sends a CoA-Ack if it is successfully able to flap the port.
discards the packet, if simultaneous requests are received for the same NAS Port.
Conguring CoA to re-authenticate 802.1x sessions
Dell EMC Networking OS provides RADIUS extension commands that enables you to congure re-authentication of 802.1x user sessions.
When you congure this feature, the DAC sends the CoA request to re-authenticate the 802.1x uer session when ever the authorization
level of the user’s prole changes.
Before conguring re-authentication of 802.1x sessions, ensure that the following prerequisites are satised:
Shared key is congured in NAS for DAC.
NAS server listens on the Management IP UDP port 3799 (default) or the port congured through CLI.
The user is logged-in through 802.1X enabled physical port and successfully authenticated with Radius Server.
To initiate 802.1x session re-authentication, the DAC sends a standard CoA request that contains one or more session identication
attributes. NAS uses the calling-station-id or the NAS-port attributes to identify a 802.1x user session. In case of the EAP or MAB users,
the MAC address is the calling-station-id of the supplicant and the NAS-port is the interface identier. If both these attributes are present
in the CoA request, NAS retrieves the supplicant connected to the interface. The EAP or MAB user sessions are re-authenticated and the
NAS sends a CoA-Ack to the user, in case the re-authentication is successful.
1 Enter the following command to configure the dynamic authorization feature:
radius dynamic-auth
2 Enter the following command to configure the re-authentication of 802.1x sessions:
coa-reauthenticate
NAS re-initiates the user authentication state.
Dell(conf#)radius dynamic-auth
Dell(conf-dynamic-auth#)coa-reauthenticate
NAS takes the following actions whenever re-authentication is triggered:
validates the CoA request and the session identification attributes.
sends a CoA-Nak with an error-cause of 402 (missing attribute), if the CoA request does not contain both the calling-station-id as well as the NAS-port attribute.
sends a CoA-Ack if the re-authentication of the 802.1x session is successful.
sends a CoA-Nak with an error-cause value of 506 (resource unavailable), if it is unable to initiate the re-authentication process.
sends a CoA-Nak if user authentication fails due to unresponsive supplicant or RADIUS server.
sends a CoA-Ack, if the user is configured with static MAB profile.
discards the packet, if simultaneous requests are received for the same calling-station-id or NAS-port or both.
returns an error-cause value of 503 (session context not found), if it is not able to retrieve the session using the calling-station-id or NAS-port attribute or both.
sends NAK if user is configured with forced-unauthorization.
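The following Python sketch is an added example, not Dell EMC code: it shows how a DAC-side script could verify a CoA reply against the shared key and decode the error-cause values listed above for port-bounce and re-authentication. The packet codes, the Error-Cause attribute type and the authenticator formula follow RFC 5176; the function names, shared key, Request Authenticator and sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

COA_ACK, COA_NAK = 44, 45   # RADIUS packet codes, RFC 5176
ERROR_CAUSE = 101           # Error-Cause attribute type, RFC 5176
# Error-Cause values this page lists for port-bounce and re-authentication
CAUSES = {402: "missing attribute", 503: "session context not found",
          506: "resource unavailable"}


def response_auth(code, ident, attrs, request_auth, secret):
    """MD5(Code | ID | Length | Request Authenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def parse_coa_reply(packet, request_auth, secret):
    """Return (kind, error_cause, meaning); raise ValueError if untrusted or malformed."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (COA_ACK, COA_NAK) or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed CoA reply")
    attrs = packet[20:length]
    expected = response_auth(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch")   # wrong shared key or forged reply
    cause, pos = None, 0
    while pos < len(attrs):                          # walk type/length/value attributes
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        if attrs[pos] == ERROR_CAUSE and attrs[pos + 1] == 6:
            cause = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
        pos += attrs[pos + 1]
    kind = "CoA-Ack" if code == COA_ACK else "CoA-Nak"
    return kind, cause, CAUSES.get(cause, "no error-cause" if cause is None else "other")


def build_reply(code, ident, request_auth, secret, cause=None):
    """Constructed sample reply, standing in for what a NAS would send."""
    attrs = b"" if cause is None else struct.pack("!BBI", ERROR_CAUSE, 6, cause)
    auth = response_auth(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


SECRET = b"constructed-shared-key"   # constructed value, not from the page
REQ_AUTH = bytes(range(16))          # constructed Request Authenticator
NAK_503 = build_reply(COA_NAK, 7, REQ_AUTH, SECRET, cause=503)
print(parse_coa_reply(NAK_503, REQ_AUTH, SECRET))
```

A reply that fails the authenticator check is rejected before its error-cause is read, so a CoA-Ack or CoA-Nak from a sender that does not hold the shared key is never acted on.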