aaa rfc-3576-server

aaa rfc-3576-server

clone

enable-radsec

event-timestamp-requi..

key

no ...

replay-protection

window-duration

Description

This command configures a RADIUS server that can send user disconnect, session timeout, and CoA messages, as described in RFC 3576, Dynamic Authorization Extensions to RADIUS.

The disconnect, session timeout, and change-of-authorization messages sent from the server to the managed device contain information to identify the user for which the message is sent. Starting from ArubaOS 8.5.0.0, the managed device also accepts disconnect, session timeout, and CoA message requests from IPv6 address based DAC, and identifies user sessions based on the user's IPv6 address. The managed device supports the following attributes for identifying the users who authenticate with an RFC 3576 server:

  • user-name: name of the user to be authenticated
  • framed-ip-address: user IPv4 address
  • framed-ipv6-address: user IPv6 address
  • calling-station-id: phone number of a station that originated a call
  • accounting-session-id: unique accounting ID for the user session.

If the authentication server sends both supported and unsupported attributes to the managed device, the unknown or unsupported attributes will be ignored. If no matching user is found, the managed device will send a 503: Session Not Found error message back to the RFC 3576 server.

Parameter

Description

IPv4 or IPv6 address of the server.

clone

Name of an existing RFC 3576 server configuration from which parameter values are copied.

enable-radsec

Enable RADSEC for the server.

event-timestamp-required

Discards a DAC request if the Event-Timestamp attribute is not present in the request. This option takes effect only if replay-protection is enabled.

key

Shared secret to authenticate communication between the RADIUS client and server.

no

Negates any configured parameter.

replay-protection

Enable replay protection for DAC requests.

window-duration

Number in seconds. Default value is 300. This parameter is used:

- To check stale DAC requests.

- To specify the minimum time span in seconds between two valid requests with the same identifiers, to check replay protection and identify duplicates.
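How replay-protection, event-timestamp-required, and window-duration interact on the receiving side can be modelled as follows. This is an added Python example, not ArubaOS code: the class and helper names, the sample secret, and the duplicate key (source address plus RADIUS Identifier) are assumptions; the Request Authenticator check follows RFC 3576.

```python
import hashlib, hmac, struct

DISCONNECT_REQUEST = 40   # RFC 3576 packet code
EVENT_TIMESTAMP = 55      # RADIUS attribute type, 4-byte UNIX time

def build_request(code, ident, attrs, secret):
    """Constructed test input: a DAC request with a valid Request Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body

def event_timestamp(body):
    """Walk the attribute TLVs and return Event-Timestamp, or None if absent."""
    ts, i = None, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        if body[i] == EVENT_TIMESTAMP and body[i + 1] == 6:
            ts = struct.unpack("!I", body[i + 2:i + 6])[0]
        i += body[i + 1]
    return ts

class DacReplayFilter:
    """Hypothetical receiver-side model of the three replay options."""
    def __init__(self, secret, window_duration=300, timestamp_required=True):
        self.secret, self.window, self.required = secret, window_duration, timestamp_required
        self.seen = {}  # (source, Identifier) -> time last accepted (assumed key)

    def check(self, src, pkt, now):
        if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
            return "drop: malformed"
        expect = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + self.secret).digest()
        if not hmac.compare_digest(pkt[4:20], expect):
            return "drop: bad authenticator"
        try:
            ts = event_timestamp(pkt[20:])
        except ValueError:
            return "drop: malformed"
        if ts is None and self.required:
            return "drop: no Event-Timestamp"
        if ts is not None and abs(now - ts) > self.window:
            return "drop: stale"        # outside window-duration
        key = (src, pkt[1])
        if key in self.seen and now - self.seen[key] < self.window:
            return "drop: duplicate"    # same identifiers inside the window
        self.seen[key] = now
        return "accept"
```

A request captured on the wire and replayed inside the window is rejected as a duplicate; replayed later, it is rejected as stale because its Event-Timestamp is covered by the authenticator and cannot be refreshed without the shared secret.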

Example

The following command configures an RFC 3576 server:

(host) [md] (config) aaa rfc-3576-server 10.1.1.245
clone default
key P@$$w0rD;

Related Commands

Command

Description

show aaa state user

View information for a user whose session timeout is altered by an RFC 3576 server.

Command History

Release

Modification

ArubaOS 8.5.0.0

The sub-parameter was updated to also support IPv6 address of the server.

ArubaOS 8.2.0.0

Event-timestamp-required, replay-protection, and window-duration parameters were added.

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

License

Command Mode

All platforms

Base operating system.

Config mode on Mobility Conductor.