Administrator Guide
312 Authentication, Authorization, and Accounting
The administrator can configure whether all or any of the session attributes
are used to identify a client session. If all is configured, all session
identification attributes included in the CoA Disconnect-Request must
match a session or the device returns a Disconnect-NAK or CoA-NAK with
the “Invalid Attribute Value” error-code attribute. All attributes in the
Disconnect-Request are treated as mandatory attributes. Unsupported
attributes generate a Disconnect-NAK with error-cause Unsupported Service.
Dell EMC Networking N-Series switches support the following attributes in
responses:
• State (IETF attribute #24)
• Calling-Station-ID (IETF attribute #31)
• Acct-Session-ID (IETF attribute #44)
• Message-Authenticator (IETF attribute #80)
• Error-Cause (IETF attribute #101)
A CoA NAK message is not sent for every CoA request with a key mismatch.
The message is sent only for the first three requests for a client. After that, all
the packets from that client are dropped. When there is a key mismatch, the
response authenticator sent with the CoA NAK message is calculated from a
dummy key value.
The Dell EMC Networking N-Series switch will start listening to the 802.1X
client again based on the re-authentication timer.
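The key-mismatch and session-matching behavior described above, modeled in Python as an added example (not Dell EMC code or switch firmware). The CoaListener class, the use of Calling-Station-ID and Acct-Session-ID as the identifying attributes, and the reading that every packet from a client is dropped once three NAKs have been sent are assumptions; the Request Authenticator calculation follows RFC 5176.

```python
import hashlib, hmac, struct
from collections import defaultdict

DISCONNECT_REQUEST = 40                       # RFC 5176 packet code
SESSION_ATTRS = (31, 44)                      # Calling-Station-ID, Acct-Session-ID (assumed set)
INVALID_ATTRIBUTE_VALUE = 407                 # RFC 5176 Error-Cause value
NAK_LIMIT = 3                                 # guide: only the first three mismatches get a NAK

def request_authenticator(code, ident, attrs, secret):
    """RFC 5176: MD5(Code | Identifier | Length | 16 zero octets | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(code, ident, pairs, secret):
    """Encode (type, value) pairs as TLVs and sign the packet (stands in for the CoA client)."""
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)
    auth = request_authenticator(code, ident, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out

class CoaListener:                            # hypothetical model, not switch firmware
    def __init__(self, secret, sessions, mode="all"):
        self.secret, self.sessions, self.mode = secret, sessions, mode
        self.mismatches = defaultdict(int)

    def handle(self, client_ip, packet):
        """Return (action, error_cause) for one request from a CoA client."""
        if self.mismatches[client_ip] >= NAK_LIMIT or len(packet) < 20:
            return ("DROP", None)             # assumed reading of "all the packets ... are dropped"
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if not 20 <= length <= len(packet):
            return ("DROP", None)
        attrs = packet[20:length]
        expected = request_authenticator(code, ident, attrs, self.secret)
        if not hmac.compare_digest(expected, packet[4:20]):
            self.mismatches[client_ip] += 1
            return ("NAK", None)              # key mismatch; Error-Cause not stated in the guide
        ids = {t: v for t, v in parse_attrs(attrs).items() if t in SESSION_ATTRS}
        pick = all if self.mode == "all" else any
        if ids and any(pick(s.get(t) == v for t, v in ids.items()) for s in self.sessions):
            return ("ACK", None)
        return ("NAK", INVALID_ATTRIBUTE_VALUE)
```

A run of NAKs followed by silence toward one CoA client is therefore the signature of a shared-secret mismatch or of forged requests, and is worth alerting on at the RADIUS server side.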
RADIUS CoA Example
The following example configures the Dell EMC Networking N-Series switch
to listen for and respond to RADIUS CoA messages. This example does not
configure any ports to use 802.1X or enable 802.1X. See "IEEE 802.1X" on
page 321 for information on configuring 802.1X on interfaces.
1. Configure the switch to use the new model CLI command set. Dell EMC
   Networking N-Series switches do not support old model commands:
   console#config
   console(config)#aaa new-model
2. Configure the switch to listen to RADIUS CoA requests.
   console(config)#aaa server radius dynamic-author