Change of Authorization (Dynamic Authorization)

The RADIUS protocol, defined in RFC 2865, does not support unsolicited messages sent from the RADIUS server to the Network Access Server (NAS). However, it may be desirable for changes to be made to session characteristics without requiring the NAS to initiate the exchange. For example, it may be desirable for administrators to be able to terminate user session(s) in progress. Alternatively, if the user changes authorization level, this may require that authorization attributes be added to or deleted from user session(s). To overcome these limitations, several vendors have implemented additional RADIUS commands to enable unsolicited messages to be sent to the NAS. These extended commands provide support for Disconnect and Change-of-Authorization (CoA) packets.

Supported Platforms

Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X620, X440-G2 series switches.

Limitations

The following features of Change-of-Authorization (RFC 5176) are not implemented in ExtremeXOS:

  • Reverse Path Forwarding Check—Typically this is used in a proxy scenario. This check is used to determine if the IP address indicated by the RADIUS attributes is a routable destination address for a request sent by the switch software.
  • IPSEC encryption—End-to-end encryption of both the RADIUS requests and responses.
  • Disconnect-Request and Change-of-Authorization packets identifying sessions with anything other than the Calling-Station-Id attribute containing a properly formatted MAC address. In addition to the Calling-Station-Id attribute, you can also use a NAS-Port attribute, which indicates the index of the specific port the session is connected to.
  • Acct-Session-Id attribute—This is an alternate means of session identification. Sessions are currently uniquely identified by port and MAC address pair.
  • Retransmissions of Disconnect-Request or Change-of-Authorization ACK and NAK packets—Retransmission of packets is the responsibility of the device initiating the dynamic authorization transactions.
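As an added example (not code from ExtremeXOS or its documentation), the following Python builds an RFC 5176 Disconnect-Request that identifies a session the way the switch requires (Calling-Station-Id carrying the client MAC plus NAS-Port with the port index) and validates the ACK/NAK the NAS returns against the shared secret. The MAC string format, the shared secret and the port index are assumptions; the page does not state them.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes used by Disconnect and CoA exchanges
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_NAS_PORT, ATTR_CALLING_STATION_ID = 5, 31


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (incl. 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code: int, ident: int, secret: bytes, attrs: list) -> bytes:
    """Build a Disconnect/CoA-Request. Per RFC 5176 the Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def build_disconnect(ident: int, secret: bytes, mac: str, nas_port: int) -> bytes:
    """Identify the session as the switch requires: Calling-Station-Id holding
    the client MAC plus NAS-Port with the port index. The "aa:bb:..." MAC string
    format is an assumption; the page only says "properly formatted"."""
    attrs = [attr(ATTR_CALLING_STATION_ID, mac.encode()),
             attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))]
    return build_request(DISCONNECT_REQUEST, ident, secret, attrs)


def build_response(code: int, request: bytes, secret: bytes, attrs: list) -> bytes:
    """What the NAS sends back (ACK or NAK). The Response Authenticator is
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(response: bytes, request: bytes, secret: bytes):
    """Return the response code if the reply matches the outstanding request and
    its authenticator is valid under the shared secret; otherwise None."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code
```

Because the switch does not retransmit its ACK or NAK, the side that sends this request must keep its own timer and resend the identical packet (same Identifier) if no valid reply arrives.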

New CLI Commands

enable radius dynamic-authorization

disable radius dynamic-authorization

configure radius dynamic-authorization index server [host_ipaddr | host_ipV6addr | hostname] client-ip [client_ipaddr | client_ipV6addr] {vr vr_name} {shared-secret {encrypted} secret}

show radius dynamic-authorization index

Changed CLI Commands

Changes are underlined.

unconfigure radius {dynamic-authorization [server index]}

The following command was updated to show dynamic authorization status:

show radius