Additional RADIUS attributes
These attributes are included in Access-Request and Access-Accounting packets sent from the switch to the RADIUS server, advertising switch capabilities, reporting authentication session information, and dynamically reconfiguring authentication parameters:
MS-RAS-Vendor (RFC 2548): Allows switches to inform a Microsoft RADIUS server that the switches are from Hewlett Packard Enterprise Networking. This feature assists the RADIUS server in its network configuration.
HP-capability-advert: The RADIUS attribute that allows a switch to advertise its current capabilities to the RADIUS server for port-based (MAC, Web, or 802.1X) authentication; for example, VSAs for port QoS, ingress rate-limiting, RFC 4675 QoS and VLAN attributes, and RFC 3580 VLAN-related attributes. The RADIUS server uses this information to make a more intelligent policy decision on the configuration settings to return to the switch for a client session.
HP-acct-terminate-cause: The RADIUS accounting attribute that allows a switch to report to the RADIUS server why an authentication session was terminated. This information allows customers to diagnose network operational problems and generate reports on terminated sessions. This attribute provides extended information on the statistics provided by the acct-terminate-cause attribute.
Change-of-Authorization (CoA) (RFC 3576: Dynamic Authorization Extensions to RADIUS): A mechanism that allows a RADIUS server to dynamically disconnect messages (DM) or change the authorization parameters (such as VLAN assignment) used in an active client session on the switch. The switch (NAS) does not have to initiate the exchange. For example, for security reasons you may want to limit the network services granted to an authenticated user. In this case, you can change the user profile on the RADIUS server and have the new authorization settings take effect immediately in the active client session. The Change-of-Authorization attribute provides the mechanism to dynamically update an active client session with a new user policy that is sent in RADIUS packets.
Output for dynamic authorization configuration
switch(config)# show radius dyn-authorization Status and Counters - RADIUS Dynamic Authorization Information NAS Identifier : LAB-8212 Invalid Client Addresses (CoA-Reqs) : 0 Invalid Client Addresses (Disc-Reqs) : 0 Disc Disc Disc CoA CoA CoA Client IP Addr Reqs ACKs NAKs Reqs ACKs NAKs --------------- -------- -------- -------- -------- -------- -------- 154.34.23.106 1 1 0 2 2 0 154.45.234.12 2 1 1 3 3 0
Output showing dynamic authorization statistics
switch(config)# show radius host 154.23.45.111 dyn-authorization Status and Counters - RADIUS Dynamic Authorization Information Authorization Client IP Address : 154.23.45.111 Unknown PKT Types Received : 0 Disc-Reqs : 2 CoA-Reqs : 1 Disc-Reqs Authorize Only : 0 CoA-Reqs Authorize Only : 0 Disc-ACKs : 2 CoA-ACKs : 1 Disc-NAKs : 0 CoA-NAKs : 0 Disc-NAKs Authorize Only : 0 CoA-NAKs Authorize Only : 0 Disc-NAKs No Ses. Found : 0 CoA-NAKs No Ses. Found : 0 Disc-Reqs Ses. Removed : 0 CoA-Reqs Ses. Changed : 0 Disc-Reqs Malformed : 0 CoA-Reqs Malformed : 0 Disc-Reqs Bad Authentic. : 0 CoA-Reqs Bad Authentic. : 0 Disc-Reqs Dropped : 0 CoA-Reqs Dropped : 0