Radius Change Of Authorization - NETGEAR M4200 Software Administration Manual

M4200 and M4300 Series ProSAFE Managed Switches

RADIUS Change of Authorization

Dynamic authorization as defined in RFC 5176 describes the Dynamic Authorization Server
(DAS) and Dynamic Authorization Client (DAC). The DAC can send two types of messages:
a disconnect message (DM) and a change of authorization (CoA) message. The DAS acts on
these messages and sends an acknowledgment (ACK) message or a negative
acknowledgment (NAK) message. The DM from the DAC can cause the user session to be
terminated. The CoA message from the DAC causes the authorization status of the user
session to be changed.

Users such as dot1x-aware users, dot1x-unaware users (for example, phones
and printers), and captive portal clients, as well as console, Telnet, SSH, HTTP, and HTTPS
users, can connect to the switch by authenticating with the configured
authentication method, such as local authentication, RADIUS, or TACACS+. When such a
user is authenticated through a RADIUS server and dynamic authorization is enabled, you
can manage the user session from the DAC by generating a DM or CoA message. A
NETGEAR switch can detect these messages on UDP port number 3799.

When a NETGEAR switch receives a disconnect message or a CoA message, the following
occurs:
• In DM and CoA messages, all attributes are treated as mandatory attributes, and one or
  more unsupported attributes cause a DM-NAK message or CoA-NAK message to be
  generated with the Error-Cause attribute set to Unsupported Service.
• If the DAS does not perform the expected action for a session, it sends a CoA-NAK
  message with the Error-Cause attribute set to Unsupported Service.

Figure 41. Configuration with a RADIUS server, DAS, and DAC
(Diagram labels: RADIUS server 172.26.2.20; computer 172.26.2.155, Telnet; switch (DAS) 172.26.2.145 with ports 1/0/1, 1/0/2, and 1/0/3; DAC 172.26.2.167.)
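
The following Python code is an added example, not taken from the NETGEAR manual. It decodes DM and CoA packets such as those exchanged on UDP port 3799, checks their MD5 authenticator as RFC 5176 defines it, and reads the Error-Cause from a NAK. The shared secret, user name, and sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Packet codes and Error-Cause values from RFC 5176 (Error-Cause is attribute 101).
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSES = {401: "Unsupported Attribute", 404: "Invalid Request",
                405: "Unsupported Service", 503: "Session Context Not Found"}

def parse(packet):
    """Decode the 20-byte header and attribute TLVs of a DM/CoA packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed dynamic authorization packet")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES[code], "id": ident, "attrs": attrs}

def authenticator_ok(packet, secret, request_auth=bytes(16)):
    """For a packet parse() accepted: requests hash 16 zero octets in the
    authenticator field, replies hash the authenticator of their request."""
    length = struct.unpack("!H", packet[2:4])[0]
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret)
    return hmac.compare_digest(digest.digest(), packet[4:20])

def error_cause(parsed):
    """Return the Error-Cause name carried in a NAK, or None."""
    for atype, value in parsed["attrs"]:
        if atype == 101 and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            return ERROR_CAUSES.get(number, str(number))
    return None

def sample_packet(code, ident, attrs, secret, request_auth=bytes(16)):
    """Build a constructed sample packet so the example runs offline."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

SECRET = b"constructed-secret"  # assumption: placeholder shared secret
COA_REQUEST = sample_packet(43, 7, [(1, b"alice")], SECRET)  # attribute 1 = User-Name
COA_NAK = sample_packet(45, 7, [(101, struct.pack("!I", 405))], SECRET, COA_REQUEST[4:20])
```

A request that fails `authenticator_ok` was not produced with the configured shared secret, and a NAK is only trustworthy when it verifies against the authenticator of the request it answers.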

This manual is also suitable for:

M4300