Additional RADIUS attributes

These attributes are carried in the Access-Request and Accounting-Request packets the switch sends to the RADIUS server, advertising switch capabilities and reporting authentication session information. The last item, Change-of-Authorization, works in the opposite direction: it lets the RADIUS server dynamically reconfigure or terminate an active session on the switch.

  • MS-RAS-Vendor (RFC 2548): Allows switches to inform a Microsoft RADIUS server that the switches are from Hewlett Packard Enterprise Networking. This feature assists the RADIUS server in its network configuration.

  • HP-capability-advert: The RADIUS attribute that allows a switch to advertise its current capabilities to the RADIUS server for port-based (MAC, Web, or 802.1X) authentication; for example, VSAs for port QoS, ingress rate-limiting, RFC 4675 QoS and VLAN attributes, and RFC 3580 VLAN-related attributes. The RADIUS server uses this information to make a more intelligent policy decision on the configuration settings to return to the switch for a client session.

  • HP-acct-terminate-cause: The RADIUS accounting attribute that allows a switch to report to the RADIUS server why an authentication session was terminated. This information allows customers to diagnose network operational problems and generate reports on terminated sessions. This attribute provides extended information on the statistics provided by the acct-terminate-cause attribute.

  • Change-of-Authorization (CoA) (RFC 3576: Dynamic Authorization Extensions to RADIUS, since superseded by RFC 5176): A mechanism that allows a RADIUS server to send Disconnect Messages (DM) that terminate an active client session on the switch, or CoA-Request messages that change the authorization parameters (such as VLAN assignment) of that session. The switch (NAS) does not have to initiate the exchange. For example, for security reasons you may want to limit the network services granted to an authenticated user. In this case, you can change the user profile on the RADIUS server and have the new authorization settings take effect immediately in the active client session. Change-of-Authorization provides the mechanism to dynamically update an active client session with a new user policy sent in RADIUS CoA-Request packets. The switch accepts these requests only from RADIUS servers configured as dynamic-authorization clients and validates each request's authenticator with the shared secret; the counters in the output below record requests rejected on either ground.
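The following is an added worked example, not code from the switch documentation or from HPE: a minimal RFC 5176 exchange in which a RADIUS-server side builds a CoA-Request (an RFC 3580 VLAN change) and a Disconnect-Request, and a NAS side checks them in the order the switch counters above suggest (unknown client address, bad Request Authenticator, malformed packet, NAS-Identifier mismatch, no session found) before answering with an ACK or a NAK carrying Error-Cause. The shared secret, the permitted client address, the session table and the Acct-Session-Id values are constructed sample values; the NAS-Identifier reuses the one shown in the output below.

```python
"""RFC 5176 CoA/Disconnect exchange: server builds requests, NAS validates and answers (added example)."""
import hashlib
import hmac
import struct

# Packet codes (RFC 5176); attribute types (RFC 2865/2868/5176); RFC 3580 VLAN values
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
NAS_IDENTIFIER, ACCT_SESSION_ID, ERROR_CAUSE = 32, 44, 101
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN_TUNNEL, MEDIUM_802 = 13, 6
ERR_MISSING_ATTRIBUTE, ERR_NAS_ID_MISMATCH, ERR_SESSION_NOT_FOUND = 402, 403, 503  # Error-Cause
SECRET = b"constructed-shared-secret"  # constructed sample value, not a real secret
NAS_ID = b"LAB-8212"                   # the NAS Identifier shown in the switch output
COA_CLIENTS = {"192.0.2.10"}           # constructed: addresses allowed to send CoA/DM

def avp(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def tagged_int(tag, number):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return bytes([tag]) + number.to_bytes(3, "big")

def parse_attrs(data):
    """Split the attribute region into (type, value) pairs, rejecting bad lengths."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def build_request(code, ident, attrs, secret):
    """Server side. Request Authenticator = MD5(Code|ID|Length|16 zero octets|attrs|secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def build_response(code, request, attrs, secret):
    """NAS side. Response Authenticator = MD5(Code|ID|Length|RequestAuth|attrs|secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """Server side: check the NAS's Response Authenticator against the matching request."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def nas_handle(packet, src_ip, sessions, secret=SECRET, nas_id=NAS_ID, clients=COA_CLIENTS):
    """NAS side. sessions maps Acct-Session-Id -> VLAN and is updated in place. Returns
    (outcome, response); response is None when the packet is dropped without a reply."""
    if src_ip not in clients:                              # Invalid Client Addresses
        return "invalid_client", None
    if len(packet) < 20:
        return "malformed", None
    code, length = packet[0], int.from_bytes(packet[2:4], "big")
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return "malformed", None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):    # Bad Authentic.: RFC 5176 says drop silently
        return "bad_authenticator", None
    try:
        attrs = dict(parse_attrs(packet[20:]))
    except ValueError:                                     # Malformed
        return "malformed", None
    ack, nak = (DISCONNECT_ACK, DISCONNECT_NAK) if code == DISCONNECT_REQUEST else (COA_ACK, COA_NAK)

    def reject(cause):  # NAK carrying an Error-Cause attribute
        return build_response(nak, packet, avp(ERROR_CAUSE, struct.pack("!I", cause)), secret)

    if attrs.get(NAS_IDENTIFIER, nas_id) != nas_id:
        return "nas_id_mismatch", reject(ERR_NAS_ID_MISMATCH)
    sid = attrs.get(ACCT_SESSION_ID)
    if sid is None or sid not in sessions:                 # No Ses. Found
        return "no_session", reject(ERR_SESSION_NOT_FOUND)
    if code == DISCONNECT_REQUEST:                         # Ses. Removed
        del sessions[sid]
        return "session_removed", build_response(ack, packet, b"", secret)
    # CoA: apply an RFC 3580 VLAN change (Tunnel-Type=VLAN, Tunnel-Medium-Type=802)
    if (attrs.get(TUNNEL_TYPE, b"")[1:] != VLAN_TUNNEL.to_bytes(3, "big")
            or attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != MEDIUM_802.to_bytes(3, "big")
            or TUNNEL_PRIVATE_GROUP_ID not in attrs):
        return "missing_attribute", reject(ERR_MISSING_ATTRIBUTE)
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    vlan = group[1:] if group and group[0] <= 0x1F else group  # strip optional RFC 2868 tag
    sessions[sid] = vlan.decode()                          # Ses. Changed
    return "session_changed", build_response(ack, packet, b"", secret)

def vlan_change_request(ident, session_id, vlan):
    """Server side: CoA-Request moving one session to another VLAN."""
    attrs = (avp(NAS_IDENTIFIER, NAS_ID) + avp(ACCT_SESSION_ID, session_id)
             + avp(TUNNEL_TYPE, tagged_int(1, VLAN_TUNNEL))
             + avp(TUNNEL_MEDIUM_TYPE, tagged_int(1, MEDIUM_802))
             + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + vlan.encode()))
    return build_request(COA_REQUEST, ident, attrs, SECRET)
```

Two design points worth noting. The Request Authenticator is the only thing binding a CoA or Disconnect request to the shared secret, so a request whose authenticator fails is dropped with no reply at all (the "Bad Authentic." and "Dropped" counters, rather than a NAK), which denies an unauthenticated sender even a confirmation that the NAS exists; and the source-address check comes first, so a request from an address not configured as a dynamic-authorization client is counted under "Invalid Client Addresses" before any cryptographic work is done.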

Output for dynamic authorization configuration

switch(config)# show radius dyn-authorization
 Status and Counters - RADIUS Dynamic Authorization Information

  NAS Identifier : LAB-8212
  Invalid Client Addresses (CoA-Reqs) : 0
  Invalid Client Addresses (Disc-Reqs) : 0

                  Disc     Disc     Disc     CoA      CoA      CoA
  Client IP Addr  Reqs     ACKs     NAKs     Reqs     ACKs     NAKs
  --------------- -------- -------- -------- -------- -------- --------
                  1        1        0        2        2        0
                  2        1        1        3        3        0

Output showing dynamic authorization statistics

switch(config)# show radius host dyn-authorization
Status and Counters - RADIUS Dynamic Authorization Information

  Authorization Client IP Address :
  Unknown PKT Types Received : 0

  Disc-Reqs                : 2     CoA-Reqs                : 1
  Disc-Reqs Authorize Only : 0     CoA-Reqs Authorize Only : 0
  Disc-ACKs                : 2     CoA-ACKs                : 1
  Disc-NAKs                : 0     CoA-NAKs                : 0
  Disc-NAKs Authorize Only : 0     CoA-NAKs Authorize Only : 0
  Disc-NAKs No Ses. Found  : 0     CoA-NAKs No Ses. Found  : 0
  Disc-Reqs Ses. Removed   : 0     CoA-Reqs Ses. Changed   : 0
  Disc-Reqs Malformed      : 0     CoA-Reqs Malformed      : 0
  Disc-Reqs Bad Authentic. : 0     CoA-Reqs Bad Authentic. : 0
  Disc-Reqs Dropped        : 0     CoA-Reqs Dropped        : 0