Concept Guide

sends a DM-Nak with an error-cause value of 506 (resource unavailable), if it is not able to disconnect the admin user.
sends a DM-Nak with an error-cause value of 501 (administratively prohibited), if disconnect-user feature is not enabled in NAS.
Conguring CoA to bounce 802.1x enabled ports
Dell EMC Networking OS provides RADIUS extension commands that enables you to congure port bounce settings for the 802.1x enabled
port.
Before conguring port bounce settings on a 802.1x enabled port, ensure that the following prerequisites are satised:
Shared key is congured in NAS for DAC.
NAS server listens on the Management IP UDP port 3799 (default) or the port congured through CLI.
The user is logged-in through 802.1X enabled physical port and successfully authenticated with Radius Server.
When DAC initiates a port bounce operation, the NAS server causes the links on the authentication port to ap. This incident in turn
triggers re-negotiation on one of the ports that is apped.
1 Enter the following command to congure the dynamic authorization feature:
radius dynamic-auth
2 Enter the following command to configure port-bounce settings on an 802.1x enabled port:
coa-bounce-port
NAS disables the authentication port that is hosting the session and re-enables it after 10 seconds. All user sessions connected to this
authentication port are affected.
Dell(conf#)radius dynamic-auth
Dell(conf-dynamic-auth#)coa-bounce-port
NAS takes the following actions whenever port-bounce is triggered:
validates the CoA request and the session identification attributes.
sends a CoA-Nak with an error-cause of 402 (missing attribute), if the CoA request does not contain the NAS-port attributes.
uses the NAS-port attribute to identify the 802.1x enabled interface.
sends a CoA-Nak with an error-cause value of 503 (session context not found), if it is unable to retrieve 802.1x enabled interface using
the NAS-port attribute.
sends a CoA-Ack if it is successfully able to flap the port.
discards the packet, if simultaneous requests are received for the same NAS Port.
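The validation order listed above, as an added Python sketch (not Dell EMC code and not taken from this guide). It assumes the Request Authenticator check defined in RFC 5176 with silent discard on mismatch, takes "NAS-port" to be RADIUS attribute type 5, and uses a hypothetical `ports` map and `in_progress` set to stand in for the switch's interface table and pending bounces.

```python
import hashlib, hmac, struct

COA_REQUEST = 43   # RFC 5176 packet code for CoA-Request
NAS_PORT = 5       # RFC 2865 NAS-Port (assumed to be the guide's "NAS-port")

def build_coa_request(ident, attrs, secret):
    """Constructed sample of what a DAC sends; attrs is [(type, bytes)]."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body

def parse_attrs(body):
    """Split the attribute area into {type: value}; reject malformed TLVs."""
    out, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        out[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return out

def validate_bounce_request(pkt, secret, ports, in_progress):
    """Return 'discard', ('nak', error_cause) or ('ack', interface)."""
    if (len(pkt) < 20 or pkt[0] != COA_REQUEST
            or struct.unpack("!H", pkt[2:4])[0] != len(pkt)):
        return "discard"
    # RFC 5176: MD5(code + id + length + 16 zero octets + attributes + secret)
    expect = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expect, pkt[4:20]):
        return "discard"              # wrong shared key or altered packet
    try:
        attrs = parse_attrs(pkt[20:])
    except ValueError:
        return "discard"
    if NAS_PORT not in attrs:
        return ("nak", 402)           # missing attribute
    port = int.from_bytes(attrs[NAS_PORT], "big")
    if port not in ports:
        return ("nak", 503)           # session context not found
    if port in in_progress:
        return "discard"              # simultaneous request, same NAS port
    in_progress.add(port)
    return ("ack", ports[port])

if __name__ == "__main__":
    key = b"constructed-secret"       # constructed value, not a real key
    pkt = build_coa_request(1, [(NAS_PORT, (17).to_bytes(4, "big"))], key)
    print(validate_bounce_request(pkt, key, {17: "port-17"}, set()))
```

Because the authenticator is the only thing binding a CoA request to the DAC, a request that fails this check never reaches the port-lookup stage.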
Conguring CoA to re-authenticate 802.1x sessions
Dell EMC Networking OS provides RADIUS extension commands that enables you to congure re-authentication of 802.1x user sessions.
When you congure this feature, the DAC sends the CoA request to re-authenticate the 802.1x uer session when ever the authorization
level of the user’s prole changes.
Before conguring re-authentication of 802.1x sessions, ensure that the following prerequisites are satised:
Shared key is congured in NAS for DAC.
NAS server listens on the Management IP UDP port 3799 (default) or the port congured through CLI.
The user is logged-in through 802.1X enabled physical port and successfully authenticated with Radius Server.
To initiate 802.1x session re-authentication, the DAC sends a standard CoA request that contains one or more session identication
attributes. NAS uses the calling-station-id or the NAS-port attributes to identify a 802.1x user session. In case of the EAP or MAB users,
the MAC address is the calling-station-id of the supplicant and the NAS-port is the interface identier. If both these attributes are present
in the CoA request, NAS retrieves the supplicant connected to the interface. The EAP or MAB user sessions are re-authenticated and the
NAS sends a CoA-Ack to the user, in case the re-authentication is successful.
1 Enter the following command to congure the dynamic authorization feature:
Security