RADIUS Authentication, Authorization, and Accounting

VLAN Assignment in an Authentication Session

Additional RADIUS Attributes

The following attributes are included in Access-Request and Access-Accounting packets sent from the switch to the RADIUS server to advertise switch capabilities, report information on authentication sessions, and dynamically reconfigure authentication parameters:

MS-RAS-Vendor (RFC 2548): Allows ProCurve switches to inform a Microsoft RADIUS server that the switches are from ProCurve Networking. This feature assists the RADIUS server in its network configuration.

HP-capability-advert: A ProCurve proprietary RADIUS attribute that allows a switch to advertise its current capabilities to the RADIUS server for port-based (MAC, Web, or 802.1X) authentication; for example, HP VSAs for port QoS, ingress rate-limiting, IDM filter rules, RFC 4675 QoS and VLAN attributes, and RFC 3580 VLAN-related attributes.

The RADIUS server uses this information to make a more intelligent policy decision on the configuration settings to return to the switch for a client session.

HP-acct-terminate-cause: A ProCurve proprietary RADIUS accounting attribute that allows a switch to report to the RADIUS server why an authentication session was terminated. This informa- tion allows customers to diagnose network operational problems and generate reports on terminated sessions. This attribute provides extended information on the statistics provided by the acct-termi- nate-cause attribute.

change-of-authorization (RFC 3576: Dynamic Authorization Exten-

sions to RADIUS): A mechanism that allows a RADIUS server to dynamically terminate or change the authorization parameters (such as VLAN assignment) used in an active client session on the switch. The switch (NAS) does not have to initiate the exchange.

For example, for security reasons you may want to limit the network services granted to an authenticated user. In this case, you can change the user profile on the RADIUS server and have the new authorization settings take effect immediately in the active client session. The change-of-authorization attribute provides the mechanism to dynamically update an active client session with a new user policy that is sent in RADIUS packets.

5-36