Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius CoA for Huawei Switches

  • 1.  Radius CoA for Huawei Switches

    Posted Dec 26, 2022 07:48 AM
    Dear Experts, 

    Can someone guide me how to write the Radius CoA (Bounce port) profile for Huawei switches?

    ------------------------------
    owais
    ------------------------------


  • 2.  RE: Radius CoA for Huawei Switches

    EMPLOYEE
    Posted Dec 26, 2022 05:28 PM
    Generally you need to enable the Huawei RADIUS dictionary: Administration » Dictionaries » RADIUS.
    Then, based on the RADIUS attributes for the vendor, you'll have the corresponding RADIUS dynamic authz temp.
    I could not find anything for Huawei, which means that you need to find out the RADIUS attribute for Huawei that does the port bounce,
    then get that added to the RADIUS dictionary. Once you have that, you can build the "RADIUS dynamic authz temp".
    As an example, here is the H3C CoA template.




    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Radius CoA for Huawei Switches

    Posted Jan 04, 2023 07:08 AM

    Hi Owais.

    You will find the Huawei specification for RADIUS/CoA on the Huawei site.

    Specifically for CoA it is the following paragraph:

    Attribute number: 26-238
    Attribute name: HW-Ext-Specific
    Type: string
    Description: User extended attributes:
    • user-dscp-in: DSCP value of inbound user packets. The value ranges from 0 to 63.
    • user-dscp-out: DSCP value of outbound user packets. The value ranges from 0 to 63.
      NOTE:

      If the DSCP value of outbound user packets is small, the Portal authentication success page may fail to be pushed.

    • user-command: is used in RADIUS CoA dynamic authorization. The value can be 1, 2, or 3.
      • 1: indicates that user reauthentication will be performed. In this case, you need to set the value of this attribute on the authentication server to user-command=1.
      • 2: indicates that the authentication interface will be disconnected intermittently. In this case, you need to run the undo radius-server authorization hw-ext-specific command bounce-port disable command on the device to configure it to support this attribute, and set the value of this attribute on the authentication server to user-command=2.
      • 3: indicates that the authentication interface will be disabled. In this case, you need to run the undo radius-server authorization hw-ext-specific command down-port disable command on the device to configure it to support this attribute, and set the value of this attribute on the authentication server to user-command=3.
    NOTE:

    During RADIUS CoA dynamic authorization, when the value of user-command is 1, 2, or 3, other authorization attributes are not supported.

    The user-dscp-in and user-dscp-out attributes cannot be authorized to wireless users in direct forwarding mode.

    This attribute applies only to NAC users.

    Pay attention to the following points if the value of the user-command field in the RADIUS attribute HW-Ext-Specific(26-238) carried in a CoA packet sent by the RADIUS server is 2 or 3:
    • Ensure that only one user resides on the authentication port or the user to be authenticated is directly connected to the authentication port; otherwise, other users on the authentication port will be affected if the port goes Down intermittently or disabled.
    • Only a physical port, as opposed to an Eth-Trunk, can function as the authentication port.
    • The policy association scenario is not supported.


    ------------------------------
    Gorazd Kikelj
    ------------------------------
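    The attribute quoted above, worked through as an added example (not code from this thread, from HPE, or from Huawei): it packs a HW-Ext-Specific value into a RADIUS Vendor-Specific attribute (type 26, Huawei enterprise number 2011, vendor type 238), decodes it back, and enforces the constraints the post lists (user-command in 1..3 and not combined with other attributes, DSCP values 0..63). It assumes each key=value pair travels in its own VSA instance; the spec text quoted here does not say how several pairs are joined.

```python
import struct

VENDOR_SPECIFIC = 26          # RADIUS Vendor-Specific attribute type (RFC 2865)
HUAWEI_VENDOR_ID = 2011       # Huawei's IANA enterprise number
HW_EXT_SPECIFIC = 238         # vendor type of HW-Ext-Specific (26-238), a string
USER_COMMANDS = {1: "reauthenticate", 2: "bounce-port", 3: "down-port"}

def validate_hw_ext_specific(values: dict) -> None:
    """Enforce the rules quoted from the Huawei attribute description."""
    if "user-command" in values:
        if int(values["user-command"]) not in USER_COMMANDS:
            raise ValueError("user-command must be 1, 2 or 3")
        if len(values) > 1:  # other authorization attributes are not supported
            raise ValueError("user-command cannot be combined with other attributes")
    for key in ("user-dscp-in", "user-dscp-out"):
        if key in values and not 0 <= int(values[key]) <= 63:
            raise ValueError(f"{key} must be in the range 0..63")

def encode_vsa(vendor_type: int, value: bytes) -> bytes:
    """Wrap one vendor sub-attribute (type, length, value) in a Vendor-Specific attribute."""
    vendor_data = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    header = struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vendor_data), HUAWEI_VENDOR_ID)
    return header + vendor_data

def decode_vsa(raw: bytes) -> tuple[int, bytes]:
    """Reverse of encode_vsa, rejecting wrong vendor, type or inconsistent lengths."""
    attr_type, length, vendor_id = struct.unpack("!BBI", raw[:6])
    if attr_type != VENDOR_SPECIFIC or length != len(raw) or vendor_id != HUAWEI_VENDOR_ID:
        raise ValueError("not a well-formed Huawei Vendor-Specific attribute")
    vendor_type, vendor_len = struct.unpack("!BB", raw[6:8])
    if vendor_len != len(raw) - 6:
        raise ValueError("vendor length does not match attribute length")
    return vendor_type, raw[8:]

def build_coa_vsas(values: dict) -> list[bytes]:
    """One HW-Ext-Specific VSA per key=value pair (assumption: one pair per instance)."""
    validate_hw_ext_specific(values)
    return [encode_vsa(HW_EXT_SPECIFIC, f"{k}={v}".encode()) for k, v in values.items()]

def describe_vsa(raw: bytes) -> str:
    """Readable meaning of a received HW-Ext-Specific VSA, e.g. for a CoA audit log line."""
    vendor_type, value = decode_vsa(raw)
    if vendor_type != HW_EXT_SPECIFIC:
        raise ValueError(f"unexpected vendor type {vendor_type}")
    key, _, val = value.decode().partition("=")
    if key == "user-command":
        return f"{key}={val} ({USER_COMMANDS.get(int(val), 'unknown')})"
    return f"{key}={val}"
```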



  • 4.  RE: Radius CoA for Huawei Switches

    Posted Jan 04, 2023 07:16 AM

    Yes, we have already tried and it's not working. According to the customer config, I think they are missing the radius authorization command as well. Once they revert, I will update here as well.


    Best Regards

    Owais Iqbal

    CCIE | ACDX 

    Technical Consultant - Aruba Networks

    Mob/Whatsapp: +92-321-2960496