Coa Request Commands - Cisco Catalyst 4500 Series Configuration Manual

Chapter 44 Configuring 802.1X Port-Based Authentication
•
•
Unless all session identification attributes included in the CoA message match the session, the switch
returns a Disconnect-NAK or CoA-NAK with the "Invalid Attribute Value" error-code attribute.
The packet format for a CoA Request code as defined in RFC 5176 consists of the fields: Code,
Identifier, Length, Authenticator, and Attributes in Type:Length:Value (TLV) format.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
+-+-+-+-+-+-+-+-+-+-+-+-+-
The attributes field is used to carry Cisco VSAs.
CoA ACK Response Code
If the authorization state is changed successfully, a positive acknowledgement (ACK) is sent. The
attributes returned within CoA ACK will vary based on the CoA Request and are discussed in individual
CoA Commands.
CoA NAK Response Code
A negative acknowledgement (NAK) indicates a failure to change the authorization state and can include
attributes that indicate the reason for the failure. Use show commands to verify a successful CoA.

CoA Request Commands

This section includes:
•
•
•
•
•
The switch supports the commands shown in
Table 44-4
Command
Reauthenticate host
Terminate session
OL-25340-01
Audit-Session-Id (Cisco VSA)
Acct-Session-Id (IETF attribute #44)
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Code | Identifier
Attributes ...
Session Reauthentication
Session Termination
CoA Disconnect-Request
CoA Request: Disable Host Port
CoA Request: Bounce-Port
CoA Commands Supported on the Switch
1
Cisco VSA
Cisco:Avpair="subscriber:command=reauthenticate"
it is a standard disconnect request that does not require a VSA.
2
| Length
Authenticator
Table 44-4.
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Controlling Switch Access with RADIUS
3
|
|
|
|
|
44-97