The device supports the RADIUS CoA and DM functions. CoA provides a mechanism to change the rights of online users, and DM provides a mechanism to forcibly disconnect users.
The system view is displayed.
Step | Command | Remarks |
---|---|---|
Configure a RADIUS authorization server. | radius-server authorization ip-address [ vpn-instance vpn-instance-name ] { server-group group-name shared-key cipher key-string \| shared-key cipher key-string [ server-group group-name ] } [ protect enable ] | By default, no RADIUS authorization server is configured. |
Configure the port number of the RADIUS authorization server. | radius-server authorization port port-id | By default, the port number of the RADIUS authorization server is 3799. |
The device is configured to match RADIUS attributes in the received CoA or DM Request packets against user information on the device.
By default, a device matches RADIUS attributes in the received CoA or DM Request packets against user information on the device in any mode. That is, the device matches an attribute with a high priority in a Request packet against user information on the device.
The policy to be enforced after the authorization information check fails is configured.
By default, the device allows users to go online after the authorization information check fails.
Session management is enabled for the RADIUS server.
By default, session management is disabled for the RADIUS server.
Run radius-server authorization calling-station-id decode-mac-format { bin | ascii { unformatted | { dot-split | hyphen-split } [ common | compress ] } }
The MAC address format in RADIUS attribute 31 (Calling-Station-Id) in RADIUS CoA or DM packets is configured.
Run radius-server authorization attribute-decode-sameastemplate
The device is configured to parse the MAC address format in RADIUS attribute 31 (Calling-Station-Id) in RADIUS CoA or DM packets based on RADIUS server template configurations.
By default, the device is not configured to parse RADIUS attribute 31 in RADIUS CoA or DM packets based on RADIUS server template configurations.
By default, the device parses the MAC address in the calling-station-id attribute carried in RADIUS dynamic authorization packets based on the MAC address length, without considering the MAC address format and delimiter.
Run radius-server authorization attribute-encode-sameastemplate
The device is configured to encapsulate the attributes in RADIUS CoA or DM Response packets based on RADIUS server template configurations.
By default, the device is not configured to encapsulate the attributes in RADIUS CoA or DM Response packets based on RADIUS server template configurations.
Table 1 lists the RADIUS attributes that can be configured in this step.
RADIUS Attribute | Description | Command for Configuring the Attribute in a RADIUS Server Template |
---|---|---|
RADIUS attribute 1 (User-Name) | User name | radius-server user-name domain-included |
RADIUS attribute 4 (NAS-IP-Address) | NAS IP address | radius-attribute nas-ip |
RADIUS attribute 31 (Calling-Station-Id) | MAC address format | calling-station-id mac-format |
Run radius-server authorization hw-ext-specific command bounce-port disable
The function of ignoring the authorization attribute indicating that the port goes Down intermittently in a CoA packet is configured.
Run radius-server authorization hw-ext-specific command down-port disable
The function of ignoring the authorization attribute indicating that the port is disabled in a CoA packet is configured.
By default, the device supports the authorization attributes indicating that the port goes Down intermittently or is disabled in CoA packets.
Run aaa
The AAA view is displayed.
Run authorization-modify mode { modify | overlay }
The update mode of user authorization information delivered by the authorization server is configured.
By default, the update mode of user authorization information delivered by the authorization server is overlay.
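An added example (not the vendor's code and not part of the original page) of what a receiver on the authorization port has to do with a CoA or DM Request: verify the RFC 5176 Request Authenticator with the shared key, then decode attribute 31 (Calling-Station-Id) by length alone, as the default described above does. The function names, the sample key and the sample MAC address are constructed for illustration, and the length-based decode is an assumption about that default, not the device's actual logic.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43  # RFC 5176 packet codes
CALLING_STATION_ID = 31


def build_request(code, ident, attrs, secret):
    """Build a constructed sample request the way a RADIUS server signs it."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_and_parse(packet, secret):
    """Check the Request Authenticator, then return (code, {type: value})."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed CoA/DM request")
    # RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator (wrong shared key or tampering)")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return code, attrs


def normalize_mac(value):
    """Length-based decode: 6 raw octets (bin) or 12 hex digits in any '-'/'.' layout."""
    if len(value) == 6:
        return value.hex()
    digits = value.decode("ascii").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("unrecognised Calling-Station-Id length")
    return bytes.fromhex(digits).hex()


SECRET = b"constructed-shared-key"  # constructed sample value, not a real key
SAMPLE = build_request(DISCONNECT_REQUEST, 7,
                       [(CALLING_STATION_ID, b"0011-2233-AABB")], SECRET)
```

A request signed with a different shared key, or altered in transit, fails the authenticator check before any attribute is matched against user information.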