Concept Guide
radius dynamic-auth
2 Enter the following command to configure the re-authentication of 802.1x sessions:
coa-reauthenticate
NAS re-initiates the user authentication state.
Dell(conf#)radius dynamic-auth
Dell(conf-dynamic-auth#)coa-reauthenticate
NAS takes the following actions whenever re-authentication is triggered:
• validates the CoA request and the session identification attributes.
• sends a CoA-Nak with an error-cause of 402 (missing attribute), if the CoA request does not contain both the calling-station-id as well as the NAS-port attribute.
• sends a CoA-Ack if the re-authentication of the 802.1x session is successful.
• sends a CoA-Nak with an error-cause value of 506 (resource unavailable), if it is unable to initiate the re-authentication process.
• sends a CoA-Nak if user authentication fails due to an unresponsive supplicant or RADIUS server.
• sends a CoA-Ack, if the user is configured with static MAB profile.
• discards the packet, if simultaneous requests are received for the same calling-station-id or NAS-port or both.
• returns an error-cause value of 503 (session context not found), if it is not able to retrieve the session using the calling-station-id or NAS-port attribute or both.
• sends NAK if user is configured with forced-unauthorization.
• sends ACK if user is configured with forced-authorization.
Terminating the 802.1x user session
Dell EMC Networking OS provides RADIUS extension commands that terminate the 802.1x user session. When this request is initiated, the
NAS disconnects the 802.1x user session without disabling the physical port that authenticated the current session.
Before terminating the 802.1x user session, ensure that the following prerequisites are satisfied:
• Shared key is configured in NAS for DAC.
• NAS server listens on the Management IP UDP port 3799 (default) or the port configured through CLI.
• The user is logged in through an 802.1X enabled physical port and successfully authenticated with the RADIUS server.
NAS uses the calling-station-id or the NAS-port attributes to identify the 802.1x session. In case of the EAP and MAB users, the calling-station-id is the MAC address of the supplicant and the NAS-port attribute is the interface identifier. Using these attributes, the NAS retrieves the supplicant that is connected to the interface.
1 Enter the following command to configure the dynamic authorization feature:
radius dynamic-auth
2 Enter the following command to terminate the 802.1x user session:
terminate-session
NAS terminates the 802.1x user session without disabling the physical port.
Dell(conf#)radius dynamic-auth
Dell(conf-dynamic-auth#)terminate-session
NAS takes the following actions whenever session termination is triggered:
• validates the DM request and the session identification attributes.
• sends a DM-Nak with an error-cause of 402 (missing attribute), if the DM request does not contain the calling-station-id and NAS-port attributes.
• returns an error-cause value of 503 (session context not found), if it is not able to retrieve the session using the calling-station-id or NAS-port attribute or both.
• sends a DM-Ack, if it is able to terminate the session.
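The decision sequence listed above, modelled as an added Python example (not Dell EMC Networking OS code): it validates a Disconnect-Request against the shared key using the RFC 5176 packet layout, then picks the reply and error-cause. Assumptions: the function names and the session table (a set of calling-station-id/NAS-port pairs) are hypothetical, a request carrying neither attribute is treated as the 402 case, and a request that fails validation is dropped, which the page does not specify.

```python
import hashlib, hmac, struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 codes
NAS_PORT, CALLING_STATION_ID = 5, 31                             # attribute types

def authenticator(code, ident, attrs, secret):
    # RFC 5176 Request Authenticator: MD5 over the header with a zeroed
    # authenticator field, then the attributes, then the shared key.
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + bytes(16) + attrs + secret).digest()

def parse_attrs(raw):
    # Walk the type-length-value list; reject lengths that overrun the packet.
    attrs, i = {}, 0
    while i < len(raw):
        if len(raw) - i < 2 or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed attribute")
        attrs[raw[i]] = raw[i + 2:i + raw[i + 1]]
        i += raw[i + 1]
    return attrs

def handle_dm(packet, secret, sessions):
    """Return (reply_code, error_cause), or None when the packet is dropped."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    raw = packet[20:]
    # Assumption: drop silently when the authenticator does not match the key.
    if not hmac.compare_digest(packet[4:20], authenticator(code, ident, raw, secret)):
        return None
    try:
        attrs = parse_attrs(raw)
    except ValueError:
        return None
    mac, port = attrs.get(CALLING_STATION_ID), attrs.get(NAS_PORT)
    if mac is None and port is None:   # assumption: 402 means neither is present
        return DISCONNECT_NAK, 402
    match = [k for k in sessions if mac in (None, k[0]) and port in (None, k[1])]
    if not match:
        return DISCONNECT_NAK, 503     # session context not found
    for key in match:
        sessions.discard(key)          # session ends; the port stays enabled
    return DISCONNECT_ACK, None

def sample_request(attrs, secret, ident=1):
    # Builds constructed sample input for the handler above.
    auth = authenticator(DISCONNECT_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs)) + auth + attrs
```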