Limitations
The following features of Change-of-Authorization (RFC5176) are not implemented in ExtremeXOS:
- Reverse Path Forwarding Check—Typically this is used in a proxy scenario. This check is used to determine if the IP address indicated by the RADIUS attributes is a routable destination address for a request sent by the switch software.
- IPSEC encryption—End-to-end encryption of both the RADIUS requests and responses.
- Disconnect-Request and Change-of-Authorization packets identifying sessions with anything other than the Calling-Station-Id attribute containing a properly formatted MAC address. In addition to the Calling-Station-ID attribute, you can also use a NAS-Port attribute, which indicates the index of the specific port the session is connected to.
- Acct-Session-Id attribute—This is an alternate means of session identification. Sessions are currently uniquely identified by port and MAC address pair.
- Retransmissions of Disconnect-Request or Change-of-Authorization ACK and NAK packets—Retransmissions of packets is the responsibility of the device initiating the dynamic authorization transactions.