How RADIUS Dynamic-Request Server Works
In a typical client-server RADIUS environment, the E Series router functions as the
client and the RADIUS server functions as the server. However, when using the
RADIUS dynamic-request server feature, the roles are reversed. For example, during
a RADIUS-initiated disconnect operation, the E Series router's RADIUS
dynamic-request server functions as the server, and the RADIUS server functions as
the disconnect client.
RADIUS-Initiated Disconnect
This section describes the RADIUS dynamic-request server's RADIUS-initiated
disconnect feature.
Disconnect Messages
To centrally control the disconnection of remote access users, the RADIUS
dynamic-request server on the router must receive and process unsolicited messages
from RADIUS servers.
The RADIUS-initiated disconnect feature uses the existing format of RADIUS
disconnect request and response messages. The RADIUS-initiated disconnect feature
uses the following codes in its RADIUS request and response messages:
- Disconnect-Request (40)
- Disconnect-ACK (41)
- Disconnect-NAK (42)
Message Exchange
The RADIUS server and the router's RADIUS dynamic-request server exchange
messages using User Datagram Protocol (UDP). The Disconnect-Request message
sent by the RADIUS server has the same format as the CoA-Request packet that is
sent for a change of authorization operation.
The disconnect response is either a Disconnect-ACK or a Disconnect-NAK message:
- If AAA successfully disconnects the user, the response is a RADIUS-formatted
  packet with a Disconnect-ACK message.
- If AAA cannot disconnect the user, the request is malformed, or attributes are
  missing from the request, the response is a RADIUS-formatted packet with a
  Disconnect-NAK message.
RFC 5176 Dynamic Authorization Extensions to Remote Authentication Dial
In User Service (RADIUS) (January 2008)
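The following Python example is added here to illustrate the exchange; it is not Juniper's code. It builds a Disconnect-Request and shows a dynamic-request server checking the RFC 5176 Request Authenticator before answering with Disconnect-ACK or Disconnect-NAK. The function names, the shared secret, the use of Acct-Session-Id (44) to identify the session, and the sessions dictionary standing in for AAA are assumptions made for the example.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ACCT_SESSION_ID = 44  # assumption: sessions are identified by Acct-Session-Id

def _auth(code, ident, length, auth16, attrs, secret):
    # RFC 5176 authenticator: MD5(Code+ID+Length+16 octets+attributes+secret)
    head = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(head + auth16 + attrs + secret).digest()

def build_request(ident, attrs, secret):
    """Disconnect client side: authenticator is computed over 16 zero octets."""
    length = 20 + len(attrs)
    auth = _auth(DISCONNECT_REQUEST, ident, length, bytes(16), attrs, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, length) + auth + attrs

def parse_attrs(data):
    """Split the attribute TLVs; raise ValueError on a malformed length."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("bad attribute length")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out

def handle(packet, secret, sessions):
    """Dynamic-request server side: return the response packet, or None to drop."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length < 20 or length > len(packet):
        return None
    req_auth, attrs = packet[4:20], packet[20:length]
    expected = _auth(code, ident, length, bytes(16), attrs, secret)
    if not hmac.compare_digest(req_auth, expected):
        return None  # unauthenticated request: discard silently, send no NAK
    try:
        sid = parse_attrs(attrs).get(ACCT_SESSION_ID)
        ok = sid is not None and sessions.pop(sid, None) is not None
    except ValueError:
        ok = False  # malformed attributes are answered with Disconnect-NAK
    rcode = DISCONNECT_ACK if ok else DISCONNECT_NAK
    resp_auth = _auth(rcode, ident, 20, req_auth, b"", secret)
    return struct.pack("!BBH", rcode, ident, 20) + resp_auth
```

A request that fails the authenticator check is dropped rather than answered, so a sender without the shared secret gets no Disconnect-NAK to probe with.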
Chapter 4: Configuring RADIUS Dynamic-Request Server