aaa rfc-3576-server

aaa rfc-3576-server <ipaddr>

clone <source>

enable-radsec

event-timestamp-requi..

key <psk>

no ...

replay-protection

window-duration

Description

This command configures a RADIUS server that can send user disconnect, session timeout, and CoA messages, as described in RFC 3576, Dynamic Authorization Extensions to RADIUS.

The disconnect, session timeout and change-of-authorization messages sent from the server to managed device contains information to identify the user for which the message is sent. Starting from AOS 8.5.0.0, the managed device also accepts disconnect, session timeout, and CoA message requests from IPv6 address based DAC, and identifies user sessions based on the user's IPv6 address. Managed Device supports the following attributes for identifying the users who authenticate with an RFC 3576 server:

  • user-name: name of the user to be authenticated
  • framed-ip-address: user IPv4 address
  • framed-ipv6-address: user IPv6 address
  • calling-station-id: phone number of a station that originated a call
  • accounting-session-id: unique accounting ID for the user session.

If the authentication server sends both supported and unsupported attributes to managed device, the unknown or unsupported attributes will be ignored. If no matching user is found managed device will send a 503: Session Not Found error message back to the RFC 3576 server.

Parameter

Description

<ipaddr>

IPv4 or IPv6 address of the server.

clone <source>

Name of an existing RFC 3576 server configuration from which parameter values are copied.

enable-radsec

Enable RADSEC for the server.

event-timestamp-required

To enable discard of DAC request, if Event-Timestamp is not present in DAC request. This option will only come into the effect, if replay-protection is enabled.

key <psk>

Shared secret to authenticate communication between the RADIUS client and server.

no

Negates any configured parameter.

replay-protection

Enable replay protection for DAC requests.

window-duration

Number in seconds. Default value is 300. This parameter is used:

- To check stale DAC requests.

- To specify the minimum time-span in seconds between two valid requests with same identifiers, to check replay protection and identify duplicates.

Example

The following command configures an RFC 3576 server:

(host) ^[md] (config) aaa rfc-3576-server 10.1.1.245

clone default

key P@$$w0rD;

Related Commands

Command

Description

show aaa state user

View information for a user whose session timeout is altered by a RFC 3576 server.

Command History

Release

Modification

AOS 8.5.0.0

The <ipaddr> sub-parameter was updated to also support IPv6 address of the server.

AOS 8.2.0.0

Event-timestamp-required, replay-protection, and window-duration parameters were added.

AOS 8.0.0.0

Command introduced.

Command Information

Platforms

License

Command Mode

All platforms

Base operating system.

Config mode on Mobility Conductor.