Change of Authorization (Dynamic
Authorization)
NAS Indentification attributes provided by the extension
packets are used to determine the DA Controller that is to disconnect the session:
- NAS-IP-Address—This IPV4 address must
match the primary IP address of the default interface for a match to occur.
If all of these attributes do not match, the request is responded to with a Disconnect-NAK
response.
Starting with ExtremeXOS 31.3, the nas-ip option can be configured to ignore this requirement.
Supported Platforms
Summit X450-G2, X460-G2, X670-G2, and ExtremeSwitching X620, X440-G2, 5420, and 5520 series
switches.
Limitations
The following features of Change-of-Authorization (RFC5176) are not implemented in
ExtremeXOS:
- Reverse Path Forwarding Check—Typically this is used in a proxy scenario.
This check is used to determine if the IP address indicated by the attributes is a routable destination address for a request sent by the switch
software.
- IPSEC encryption—End-to-end encryption of both the RADIUS requests and
responses.
- Disconnect-Request and Change-of-Authorization packets identifying
sessions with anything other than the Calling-Station-Id attribute containing a properly
formatted MAC address. In addition to the Calling-Station-ID attribute, you can also use a
NAS-Port attribute, which indicates the index of the specific port the session is connected
to.
- Acct-Session-Id attribute—This is an alternate means of session
identification. Sessions are currently uniquely identified by port and MAC address pair.
- Retransmissions of Disconnect-Request or Change-of-Authorization ACK and
NAK packets—Retransmissions of packets is the responsibility of the device initiating the
dynamic authorization transactions.
Changed CLI Command
Changes are underlined.
configure radius
dynamic-authorization
index [nas-ip [ignore | require] | server [host_ipaddr | host_ipV6addr | hostname] client-ip [client_ipaddr | client_ipV6addr] {vr
vr_name} {shared-secret {encrypted} secret}
