Limitations
The following features of Change-of-Authorization (RFC5176) are not
implemented in ExtremeXOS:
- Reverse Path Forwarding Check—Typically this is used in a proxy scenario.
This check is used to determine if the IP address indicated by the RADIUS attributes is a routable destination address for a request sent by the switch
software.
- IPSEC encryption—End-to-end encryption of both the RADIUS requests and
responses.
- Disconnect-Request and Change-of-Authorization packets identifying
sessions with anything other than the Calling-Station-Id attribute containing a properly
formatted MAC address. In addition to the Calling-Station-ID attribute, you can also use a
NAS-Port attribute, which indicates the index of the specific port the session is connected
to.
- Acct-Session-Id attribute—This is an alternate means of session
identification. Sessions are currently uniquely identified by port and MAC address pair.
- Retransmissions of Disconnect-Request or Change-of-Authorization ACK and
NAK packets—Retransmissions of packets is the responsibility of the device initiating the
dynamic authorization transactions.