Cisco Catalyst 3560-X Software Configuration Manual page 256

Controlling Switch Access with RADIUS
If the session is currently authenticated by MAC authentication bypass (MAB), the switch sends an
access-request to the server, passing the same identity attributes used for the initial successful
authentication.
If session authentication is in progress when the switch receives the command, the switch terminates the
process, and restarts the authentication sequence, starting with the method configured to be attempted
first.
If the session is not yet authorized, or is authorized via guest VLAN, or critical VLAN, or similar
policies, the reauthentication message restarts the access control methods, beginning with the method
configured to be attempted first. The current authorization of the session is maintained until the
reauthentication leads to a different authorization result.
Session Reauthentication in a Switch Stack
When a switch stack receives a session reauthentication message:
•
•
•
•
•
Session Termination
There are three types of CoA requests that can trigger session termination. A CoA Disconnect-Request
terminates the session, without disabling the host port. This command causes re-initialization of the
authenticator state machine for the specified host, but does not restrict that host's access to the network.
To restrict a host's access to the network, use a CoA Request with the
Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is
known to be causing problems on the network, and you need to immediately block network access for
the host. When you want to restore network access on the port, re-enable it using a non-RADIUS
mechanism.
When a device with no supplicant, such as a printer, needs to acquire a new IP address (for example,
after a VLAN change), terminate the session on the host port with port-bounce (temporarily disable and
then re-enable the port).
CoA Disconnect-Request
This command is a standard Disconnect-Request. Because this command is session-oriented, it must be
accompanied by one or more of the session identification attributes described in the
Identification" section on page
Disconnect-NAK message with the "Session Context Not Found" error-code attribute. If the session is
located, the switch terminates the session. After the session has been completely removed, the switch
returns a Disconnect-ACK.
If the switch fails-over to a standby switch before returning a Disconnect-ACK to the client, the process
is repeated on the new active switch when the request is re-sent from the client. If the session is not found
following re-sending, a Disconnect-ACK is sent with the "Session Context Not Found" error-code
attribute.
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
1-24
It checkpoints the need for a re-authentication before returning an acknowledgement (ACK).
It initiates reauthentication for the appropriate session.
If authentication completes with either success or failure, the signal that triggered the
reauthentication is removed from the stack member.
If the stack master fails before authentication completes, reauthentication is initiated after stack
master switch-over based on the original command (which is subsequently removed).
If the stack master fails before sending an ACK, the new stack master treats the re-transmitted
command as a new command.
1-22. If the session cannot be located, the switch returns a
Chapter 1 Configuring Switch-Based Authentication
"Session
OL-25303-03