07-28-2014 11:53 AM
I was asked today by a peer to explain the difference between a dot1x-server-group and an RFC 3576 entry, and I was not able to come up with a cohesive answer. Could anyone please explain the difference?
07-28-2014 12:06 PM
Great, thanks for that. I found this document that explains everything. I'll post the blurb here:
Configuring an RFC-3576 RADIUS Server
You can configure a RADIUS server to send user disconnect, change-of-authorization (CoA), and session timeout messages as described in RFC 3576, “Dynamic Authorization Extensions to Remote Dial In User Service (RADIUS)”.
The disconnect and change-of-authorization messages sent from the server to the controller contain information to identify the user for which the message is sent. The controller supports the following attributes for identifying the users who authenticate with an RFC 3576 server:
- user-name: Name of the user to be authenticated
- framed-ip-address: User's IP address
- calling-station-id: Phone number of a station that originated a call
- accounting-session-id: Unique accounting ID for the user session
If the authentication server sends both supported and unsupported attributes to the controller, the unknown or unsupported attributes are ignored. If no matching user is found, the controller sends a 503: Session Not Found error message back to the RFC 3576 server.
07-28-2014 02:01 PM
There's a trick here. If you use an RFC3576 server to send attributes that change the role/vlan, you should ALSO define the server as an auth server and put it in the auth server group. Use the horribly named "mode" button on that server definition to turn it off. This will allow the RFC3576 responses to run through the server derivation rules, but will prevent auth/acct requests from being sent to the rfc3576 server.
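To make the two objects concrete, here is an ArubaOS CLI configuration that follows the approach described in the post above. It is an added example, not something from the thread or from Aruba's documentation: the server IPs (192.0.2.10, 192.0.2.20), the shared key placeholder, and every quoted name are assumptions I chose for illustration. The "mode" button mentioned in the post corresponds, to my understanding, to the enable/disable keyword inside the RADIUS server definition.

```text
! Added example (not from the thread or Aruba docs). Assumed values:
! CoA source 192.0.2.10, primary RADIUS 192.0.2.20, key PLACEHOLDER-KEY,
! all quoted names are placeholders.
!
! 1. The CoA source defined as an auth server, but DISABLED ("mode" off):
!    no Access-Request or Accounting-Request is ever sent to it.
aaa authentication-server radius "coa-src-disabled"
   host 192.0.2.10
   key PLACEHOLDER-KEY
   disable
!
! 2. The server the controller actually authenticates against (enabled is the default).
aaa authentication-server radius "radius-primary"
   host 192.0.2.20
   key PLACEHOLDER-KEY
   enable
!
! 3. The dot1x server group: the real server plus the disabled entry, so the
!    group's server derivation rules also apply to attributes received from
!    the CoA source (e.g. a role carried in Aruba-User-Role).
aaa server-group "dot1x-srvgrp"
   auth-server "radius-primary"
   auth-server "coa-src-disabled"
   set role condition Aruba-User-Role value-of
!
! 4. The RFC 3576 entry: which host may send Disconnect/CoA messages to the
!    controller, and the key used to validate them.
aaa rfc-3576-server 192.0.2.10
   key PLACEHOLDER-KEY
!
! 5. The AAA profile ties both objects together.
aaa profile "corp-dot1x"
   dot1x-server-group "dot1x-srvgrp"
   rfc-3576-server 192.0.2.10
```

The split makes the two roles visible: the dot1x-server-group answers "whom do I send authentication and accounting requests to, and how do I derive role/VLAN from what comes back", while the rfc-3576-server entry answers "from whom do I accept unsolicited disconnect and CoA messages". Because the CoA source is also in the group, just disabled, the controller can apply the same derivation rules to a CoA-Request without ever treating that host as an authentication target. A quick check after applying this is to confirm with the controller's RADIUS statistics that only the primary server receives Access-Requests.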