Session States; Rfc 3576 Dynamic Authorization - Aruba Networks PowerConnect W Clearpass 100 Software Deployment Manual

Session States

A session may be in one of three possible states:
Active—An active session is one for which the RADIUS server has received an accounting start

message and has not received a stop message, which indicates that service is being provided by a NAS
on behalf of an authorized client.
While a session is in progress, the NAS sends interim accounting update messages to the RADIUS server.
This maintains up-to-date traffic statistics and keeps the session active. The frequency of the accounting
update messages is configurable in the RADIUS server.
Stale—If an accounting stop message is never sent for a session—for example, if the visitor does not

log out— that session will remain open. After 24 hours without an accounting update indicating session
traffic, the session is considered 'stale' and is not counted towards the active sessions limit for a visitor
account. To ensure that accounting statistics are correct, you should check the list for stale sessions and
close them.
For information on configuring RADIUS server options, see
Services chapter. For details of the options that can be configured, including accounting update intervals
and elapsed time before a session is considered stale, see
chapter.
Closed—A session ends when the visitor logs out or if the session is disconnected. When a session is

explicitly ended in either of these ways, the NAS sends an accounting stop message to the RADIUS
server. This closes the session. No further accounting updates are possible for a closed session.

RFC 3576 Dynamic Authorization

Dynamic authorization describes the ability to make changes to a visitor account's session while it is in
progress. This includes disconnecting a session, or updating some aspect of the authorization for the
session.
The Active Sessions page provides two dynamic authorization capabilities that apply to currently active
sessions:
Disconnect causes a Disconnect-Request message to be sent to the NAS for an active session,

requesting that the NAS terminate the session immediately. The NAS should respond with a Disconnect-
ACK message if the session was terminated or Disconnect-NAK if the session was not terminated.
Reauthorize causes a Disconnect-Request message to be sent to the NAS for an active session. This

message will contain a Service-Type attribute with the value 'Authorize Only'. The NAS should respond
with a Disconnect-NAK message, and should then reauthorize the session by sending an Access-Request
message to the RADIUS server. The RADIUS server's response will contain the current authorization
details for the visitor account, which will then update the corresponding properties in the NAS session.
If the NAS does not support RFC 3576, attempts to perform dynamic authorization will time out and result
in a 'No response from NAS' error message.
Refer to
220 | Guest Management
RFC 3576 for more details about dynamic authorization extensions to the RADIUS protocol.
"Server Configuration"
"RADIUS Server Options"
Amigopod 3.7 | Deployment Guide
in the RADIUS
in the Reference