Configuring the RADIUS DAS feature
Dynamic Authorization Extensions (DAE) to RADIUS, defined in RFC 5176, can perform the following operations:
- Log off online users.
- Change online user authorization information.
- Shut down or reboot the online users' access ports.
DAE uses the client/server model.
In a RADIUS network, the RADIUS server typically acts as the DAE client (DAC) and the NAS acts as the DAE server (DAS).
When the RADIUS DAS feature is enabled, the NAS performs the following operations:
- Listens on the default or specified UDP port to receive DAE requests.
- Logs off online users who match the criteria in the requests, changes their authorization information, or shuts down or reboots their access ports.
- Sends DAE responses to the DAC.
DAE defines the following types of packets:
- Disconnect Messages (DMs): The DAC sends DM requests to the DAS to log off specific online users.
- Change of Authorization Messages (CoA Messages): The DAC sends CoA requests to the DAS to change the authorization information of specific online users or shut down or reboot the users' access ports.
To configure the RADIUS DAS feature:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the RADIUS DAS feature and enter RADIUS DAS view. | radius dynamic-author server | By default, the RADIUS DAS feature is disabled. |
3. Specify a RADIUS DAC. | client { ip ipv4-address \| ipv6 ipv6-address } [ key { cipher \| simple } string \| vpn-instance vpn-instance-name ] * | By default, no RADIUS DACs are specified. |
4. Specify the RADIUS DAS port. | port port-number | By default, the RADIUS DAS port is 3799. |
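The checks a DAS applies to an incoming DAE request before acting on it, shown as an added example (not code from this page and not the device's implementation): the sender must be a configured DAC, the packet must be a DM or CoA request, and the RFC 5176 Request Authenticator must verify against that DAC's shared key. The DAC address, the key, the sample attribute and all function names are constructed for illustration, and a key is assumed to be configured for the DAC.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes for the two DAE request types.
DAE_REQUESTS = {40: "Disconnect-Request", 43: "CoA-Request"}
# Constructed DAC table (documentation address, sample key); it stands in for
# the "client ip ... key ..." entries configured in RADIUS DAS view.
DACS = {"192.0.2.10": b"sample-shared-key"}


def request_authenticator(code, ident, attrs, secret):
    """MD5 over Code, Identifier, Length, 16 zero octets, attributes, secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def validate_dae_request(src_ip, packet, dacs=DACS):
    """Return (accepted, reason) for a datagram received on the DAS port."""
    secret = dacs.get(src_ip)
    if secret is None:
        return False, "source is not a configured DAC"
    if len(packet) < 20:
        return False, "shorter than RADIUS header"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False, "bad length field"
    if code not in DAE_REQUESTS:
        return False, "not a DM or CoA request"
    attrs = packet[20:length]
    expected = request_authenticator(code, ident, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "authenticator mismatch"
    return True, DAE_REQUESTS[code]


def build_request(code, ident, attrs, secret):
    """Build a constructed sample request for exercising the validator."""
    auth = request_authenticator(code, ident, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


if __name__ == "__main__":
    user = bytes([1, 7]) + b"alice"  # User-Name attribute (type 1), constructed
    good = build_request(40, 1, user, DACS["192.0.2.10"])
    print(validate_dae_request("192.0.2.10", good))
    print(validate_dae_request("192.0.2.99", good))
```

A request that fails any of these checks is dropped without a response, so rejected sources and authenticator mismatches are worth logging on the DAS side.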