Configure the DAE service

This help contains the following topics:

Introduction

The Dynamic Authorization Extensions (DAE) protocol is an extension of the RADIUS protocol defined in RFC 5176. Use it to force authenticated users offline or modify online user authorization information. DAE uses a client/server communication model, consisting of DAE clients and DAE servers.

With the RADIUS DAE service enabled, the device will act as a RADIUS DAE server and listen for DAE request messages from the specified RADIUS DAE clients on the specified UDP port. It will then search for users, modify user authorization information, disconnect user connections, or close or restart user access ports, and send DAE response messages to the RADIUS DAE clients.

The device locates users based on user ID information carried in the DAE request messages, including username, user IP address, Acct-Session-Id, Acct-Multi-Session-Id, and EDSG policy name. If the device does not find the corresponding user, it will not process the DAE request. By default, the device verifies all user ID information in a DAE request message and processes the DAE request only if it finds a user that exactly matches all the information. If the device has loose check enabled, it will verify only partial user ID information in the DAE message, including the user's IP address, Acct-Session-Id, and Acct-Multi-Session-Id.

Configuration guide

Basic configuration

To configure basic settings:

  1. From the left navigation pane, select Configure > Authentication > AAA Settings > RADIUS Settings. Click the DAE Server tab.

  2. Enable the RADIUS DAE service. The device will listen for DAE request messages sent by the specified RADIUS DAE clients and then modify user authorization information and disconnect user connection requests based on these messages.

  3. In the Basic Configuration section, configure the DAE packet listening clients and the UDP port for receiving DAE requests.

  4. Click Submit to submit the basic configuration.