RFC 3576 Dynamic Authorization

Dynamic Authorization describes the ability to make changes to a guest account’s session while it is in progress. This includes disconnecting a session, or updating some aspect of the authorization for the session.

The Active Sessions page provides two Dynamic Authorization capabilities that apply to currently active sessions:

Disconnect causes a Disconnect-Request message to be sent to the NAS (Network Access Server) for an active session, requesting that the NAS terminate the session immediately. The NAS should respond with a Disconnect-ACK message if the session was terminated, or Disconnect-NAK if the session was not terminated.

Reauthorize causes a Disconnect-Request message to be sent to the NAS for an active session. This message will contain a Service-Type attribute with the value ‘Authorize Only’. The NAS should respond with a Disconnect-NAK message, and should then reauthorize the session by sending an Access-Request message to the RADIUS server. The RADIUS server’s response will contain the current authorization details for the guest account, which will then update the corresponding properties in the NAS session.

If the NAS does not support RFC 3576, attempts to perform Dynamic Authorization will time out and result in a ‘No response from NAS’ error message.
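The exchange above, as an added example that is not ClearPass code: it builds an RFC 3576 Disconnect-Request (optionally carrying Service-Type = Authorize Only for the Reauthorize case), and validates the Disconnect-ACK/NAK that comes back, including the timeout outcome. The shared secret, session ID and user name are constructed values, and the NAS is simulated in-process.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 3576 / RFC 2865
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_SERVICE_TYPE, ATTR_ACCT_SESSION_ID = 1, 6, 44
SERVICE_TYPE_AUTHORIZE_ONLY = 17  # Service-Type value for "Authorize Only"


def encode_attr(attr_type, value):
    # Attribute = Type(1) | Length(1) | Value; Length includes the 2 header bytes.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(ident, secret, session_id, user_name, reauthorize=False):
    """Build a Disconnect-Request identifying the session by Acct-Session-Id and
    User-Name. With reauthorize=True it carries Service-Type = Authorize Only,
    which is the Reauthorize action described on this page.
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = encode_attr(ATTR_USER_NAME, user_name.encode())
    attrs += encode_attr(ATTR_ACCT_SESSION_ID, session_id.encode())
    if reauthorize:
        attrs += encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_AUTHORIZE_ONLY))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def check_nas_reply(reply, request, secret):
    """Classify the NAS reply to a Disconnect-Request. Returns "ACK", "NAK",
    the page's 'No response from NAS' outcome when nothing came back, or None
    when the reply fails validation (bad ID, bad length, bad authenticator)."""
    if reply is None:
        return "No response from NAS"
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return None
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return None  # wrong shared secret or tampered reply: do not trust it
    return {DISCONNECT_ACK: "ACK", DISCONNECT_NAK: "NAK"}.get(code)


def simulated_nas_reply(request, secret, code):
    # Constructed stand-in for a NAS: a bare ACK/NAK with no attributes.
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()
```

A reply whose Response Authenticator does not verify under the configured shared secret is discarded rather than reported as an ACK or NAK, which is the check that keeps a spoofed reply from masking a session that was never torn down.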

Refer to RFC 3576 for more details about Dynamic Authorization extensions to the RADIUS protocol.