HP-UX AAA Server A.08.00.01 Administrator's Guide
Dynamic Authorization in Authorize Only Mode
To ensure simplicity of translation between RADIUS and DIAMETER, RFC 5176
describes a different sequence of message exchanges between the HP-UX AAA Server
and the NAS for Disconnect and CoA. Figure 20-13 illustrates dynamic authorization
in authorize only mode.
Figure 20-13 Dynamic Authorization in Authorize Only Mode
The sequence of steps involved in the message exchange is as follows:
1. The HP-UX AAA Server sends a CoA-Request that includes the Service-Type
attribute. The value of this attribute is Authorize Only. Therefore, the mode is called
Authorize Only. In addition to the Service-Type attribute, the CoA-Request
includes session identification attributes, a State attribute, and NAS
identification attributes. The CoA-Request does not contain any other
attribute.
2. If the NAS supports the Authorize Only mode, it responds with a CoA-NAK
containing the Service-Type and Error-Cause attributes. The value of the
Service-Type attribute is Authorize Only and the value of the Error-Cause
attribute is Request Initiated.
3. Subsequently, the NAS sends an Access-Request to the HP-UX AAA Server,
including a Service-Type attribute and the State attribute that was sent by
the HP-UX AAA Server in the initial CoA-Request. The value of the
Service-Type attribute is Authorize Only.
4. The HP-UX AAA Server responds to the Access-Request with an
Access-Accept to reauthorize the session or an Access-Reject to disconnect
it.
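The following added example (not code from the HP-UX AAA Server or from this guide) sketches the server-side bookkeeping implied by steps 1 through 4: the State value issued in the CoA-Request is accepted only once, only from the NAS it was sent to, and only after that NAS has returned the expected CoA-NAK. The class and method names are hypothetical, messages are modelled as plain dictionaries rather than wire-format packets, the caller is assumed to have matched the CoA-NAK to its request by RADIUS Identifier, and answering an unknown or replayed State with Access-Reject is this example's policy.

```python
import secrets

AUTHORIZE_ONLY = 17      # Service-Type value "Authorize Only" (RFC 5176)
REQUEST_INITIATED = 507  # Error-Cause value "Request Initiated" (RFC 5176)
# Session identification attributes this example permits (a constructed subset).
SESSION_ID = {"User-Name", "Acct-Session-Id", "Framed-IP-Address"}


class AuthorizeOnlyTracker:
    """Server-side bookkeeping for steps 1-4 (hypothetical helper)."""

    def __init__(self):
        self.pending = {}  # State value -> [NAS id, CoA-NAK seen?]

    def build_coa_request(self, nas, session_attrs):
        # Step 1: only Service-Type, session id, State and NAS id attributes.
        extra = set(session_attrs) - SESSION_ID
        if extra:
            raise ValueError(f"not allowed in CoA-Request: {sorted(extra)}")
        state = secrets.token_bytes(16)  # unpredictable, one per request
        self.pending[state] = [nas, False]
        return {"code": "CoA-Request", "Service-Type": AUTHORIZE_ONLY,
                "State": state, "NAS-Identifier": nas, **session_attrs}

    def on_coa_nak(self, state, nak):
        # Step 2: a supporting NAS answers with Authorize Only / Request Initiated.
        ok = (state in self.pending
              and nak.get("Service-Type") == AUTHORIZE_ONLY
              and nak.get("Error-Cause") == REQUEST_INITIATED)
        if ok:
            self.pending[state][1] = True
        else:
            self.pending.pop(state, None)  # NAS refused or lacks support
        return ok

    def on_access_request(self, nas, req, authorized):
        # Step 3: State must be one this server issued to this NAS, after the NAK.
        if req.get("Service-Type") != AUTHORIZE_ONLY:
            return "not-authorize-only"  # ordinary Access-Request, handled elsewhere
        entry = self.pending.pop(req.get("State"), None)  # State is single use
        if entry is None or entry != [nas, True]:
            return "Access-Reject"
        # Step 4: reauthorize the session or disconnect it.
        return "Access-Accept" if authorized else "Access-Reject"
```
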
Configuring for Dynamic Authorization in Authorize Only Mode
To configure the HP-UX AAA Server for dynamic authorization in the Authorize Only
mode, complete the following steps:
312 Configuring the HP-UX AAA Server for Dynamic Authorization