Service Manual
NOTE:
The Administratively Prohibited Error-Cause is also applicable to the following scenarios:
○ if the dot1x feature is not enabled on the NAS port.
○ if the NAS port state is administratively down.
CoA or DM Discard
This section lists the actions that the NAS performs during CoA or DM discard.
The following activities are performed by the NAS:
● discards the packet, if the dynamic authorization feature is not enabled on the NAS.
● discards the packet, if no shared key entry is configured for the source IP address of the packet.
● discards the packet, if the Code field is invalid. The NAS supports the following RADIUS codes:
○ Disconnect-Request (40)
○ CoA-Request (43)
● discards duplicate packets while the original packet is still being processed. The NAS identifies a duplicate packet by the following fields:
○ Source IP address
○ Source UDP port
○ Identifier
○ VRF ID
● discards the packet, if the packet is shorter than the value of its Length field.
● discards the packet, if the packet is shorter than 20 or longer than 4096.
● discards the packet, if the Request Authenticator does not match the MD5 hash that the NAS calculates over the following fields of the request:
○ Code
○ Identifier
○ Length
○ 16 Zero Octets
○ Request Attributes
○ Shared secret (based on the source IP address of the packet)
● discards the packet, if the Message-Authenticator received in the request is invalid. The Message-Authenticator is calculated over the following fields:
○ Code
○ Identifier
○ Length
○ Request Authenticator
○ Attributes
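As an added example (not the vendor's code), the following Python reproduces the discard checks listed above for a constructed Disconnect-Request: code, length, Request Authenticator and Message-Authenticator validation, with the two hashes computed in the order RFC 5176 specifies. Duplicate detection and the per-VRF shared-key lookup are left out; the shared secret is passed in directly, which is an assumption of the example.

```python
import hashlib
import hmac
import struct

# Constructed example, not the vendor's code: the RFC 5176 discard checks above.
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
MSG_AUTH = 80            # Message-Authenticator attribute type
ZERO16 = b"\x00" * 16

def build_request(code, ident, attrs, secret):
    """Sign a CoA/Disconnect-Request the way a RADIUS server does."""
    body = attrs + bytes([MSG_AUTH, 18]) + ZERO16        # value filled in below
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    # Message-Authenticator = HMAC-MD5(Code, Identifier, Length, Request
    # Authenticator, Attributes) with both 16-octet fields treated as zeros.
    body = body[:-16] + hmac.new(secret, hdr + ZERO16 + body, "md5").digest()
    # Request Authenticator = MD5(Code+Identifier+Length+16 zeros+Attributes+Secret)
    return hdr + hashlib.md5(hdr + ZERO16 + body + secret).digest() + body

def discard_reason(pkt, secret):
    """Return why the NAS would discard pkt, or None if it passes all checks."""
    if secret is None:
        return "no shared key for source IP"
    if not 20 <= len(pkt) <= 4096:
        return "length outside 20..4096"
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return "invalid code %d" % code
    if len(pkt) < length:
        return "packet shorter than Length field"
    hdr, req_auth, attrs = pkt[:4], pkt[4:20], pkt[20:length]
    calc = hashlib.md5(hdr + ZERO16 + attrs + secret).digest()
    if not hmac.compare_digest(calc, req_auth):
        return "Request Authenticator mismatch"
    pos = 0                      # walk the TLV attributes for type 80
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return "malformed attribute"
        if atype == MSG_AUTH:
            zeroed = attrs[:pos + 2] + ZERO16 + attrs[pos + 18:]
            expect = hmac.new(secret, hdr + ZERO16 + zeroed, "md5").digest()
            if alen != 18 or not hmac.compare_digest(expect, attrs[pos + 2:pos + 18]):
                return "Message-Authenticator invalid"
        pos += alen
    return None
```

Octets beyond the Length field are ignored, as in RADIUS generally; a packet shorter than its Length field is discarded.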
Disconnect Message Processing
This section lists the actions that the NAS performs during DM processing.
The following activities are performed by the NAS:
● responds with DM-NAK, if no session matching the session identification attributes in the DM is found on the NAS; the Error-Cause value is “Session Context Not Found” (503).
● responds with DM-NAK for any internal processing error in the NAS; the Error-Cause value is “Resources Unavailable” (506).
● ignores attributes that the RFC supports but that are irrelevant to the DM operation.
● responds with DM-NAK to a disconnect message containing one or more incorrect attribute values; the Error-Cause value is “Invalid Attribute Value” (407).
● responds with DM-NAK to a disconnect message containing unsupported attributes; the Error-Cause value is “Unsupported Attributes” (401).
NOTE:
Unsupported attributes are attributes that are present in the disconnect message received by the NAS but are not mentioned in RFC 5176.
Security 781