Cisco Catalyst 4500 series Administration Manual page 1240

Controlling Switch Access with RADIUS
Table 46-4    CoA Commands Supported on the Switch (1)

Command               Cisco VSA
Reauthenticate host   Cisco:Avpair="subscriber:command=reauthenticate"
Terminate session     It is a standard disconnect request that does not require a VSA.
Bounce host port      Cisco:Avpair="subscriber:command=bounce-host-port"
Disable host port     Cisco:Avpair="subscriber:command=disable-host-port"

1. All CoA commands must include the session identifier between the switch and the CoA client.

Session Reauthentication
The AAA server typically generates a session reauthentication request when a host with an unknown
identity or posture joins the network and is associated with a restricted access authorization profile (such
as a guest VLAN). A reauthentication request allows the host to be placed in the appropriate
authorization group when its credentials are known.
To initiate session authentication, the AAA server sends a standard CoA-Request message which
contains a Cisco vendor-specific attribute (VSA) in this form:
Cisco:Avpair="subscriber:command=reauthenticate" and one or more session identification attributes.
The current session state determines the switch response to the message. If the session is currently
authenticated by IEEE 802.1x, the switch responds by sending an EAPoL-RequestId message (see
footnote 1 below) to the server.
If the session is currently authenticated by MAC authentication bypass (MAB), the switch sends an
access-request to the server, passing the same identity attributes used for the initial successful
authentication.
If session authentication is in progress when the switch receives the command, the switch terminates the
process, and restarts the authentication sequence, starting with the method configured to be attempted
first.
If the session is not yet authorized, or is authorized by using guest VLAN, or critical VLAN, or similar
policies, the reauthentication message restarts the access control methods, beginning with the method
configured to be attempted first. The current authorization of the session is maintained until the
reauthentication leads to a different authorization result.
Session Termination
Three types of CoA requests can trigger session termination. A CoA Disconnect-Request terminates the
session, without disabling the host port. This command causes re-initialization of the authenticator state
machine for the specified host, but does not restrict that host's access to the network.
To restrict a host's access to the network, use a CoA Request with the
Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is
known to be causing problems on the network, and you need to immediately block network access for
the host. When you want to restore network access on the port, re-enable it using a non-RADIUS
mechanism.
When a device with no supplicant, such as a printer, needs to acquire a new IP address (for example,
after a VLAN change), terminate the session on the host port with port-bounce (temporarily disable and
then re-enable the port).

1. Extensible Authentication Protocol over LAN

Chapter 46    Configuring 802.1X Port-Based Authentication
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
46-102
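As an added example (not code from the Cisco guide), the following Python builds a RADIUS CoA-Request carrying the Cisco-AVPair VSA from Table 46-4 together with a session identification attribute, and then parses it the way the switch side must: verifying the RFC 5176 Request Authenticator against the shared secret and rejecting any request that carries no session identifier (note 1 of the table). The shared secret and Acct-Session-Id values are constructed sample values; the attribute numbers follow RFC 2865 and RFC 5176, and the session-attribute table is a subset for illustration.

```python
import hashlib
import struct

COA_REQUEST = 43         # RFC 5176 packet code for CoA-Request
VENDOR_SPECIFIC = 26     # RADIUS Vendor-Specific attribute type
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Cisco vendor id, Cisco-AVPair vendor type
# Subset of the session identification attributes listed in RFC 5176 section 3
SESSION_ID_ATTRS = {1: "User-Name", 31: "Calling-Station-Id", 44: "Acct-Session-Id"}
SECRET = b"constructed-shared-secret"  # constructed sample value, not a real secret
def avp(attr_type, value):
    # One RADIUS attribute: Type, Length (including this 2-byte header), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value
def cisco_avpair(text):
    # Cisco-AVPair wrapped in a Vendor-Specific attribute (Vendor-Id 9, vendor type 1)
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def build_coa_request(identifier, command, session_attrs, secret=SECRET):
    """Build a CoA-Request, as the AAA server would, for one subscriber command."""
    attrs = b"".join(avp(t, v.encode()) for t, v in session_attrs.items())
    attrs += cisco_avpair("subscriber:command=" + command)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse_coa_request(packet, secret=SECRET):
    """Validate a CoA-Request as the switch would; return command and session identifiers."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed CoA-Request")
    attrs = packet[20:]
    if packet[4:20] != hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest():
        raise ValueError("Request Authenticator mismatch: wrong secret or altered packet")
    result, pos = {"command": None, "session": {}}, 0
    while pos < len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2 or pos + l > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + l]
        if t in SESSION_ID_ATTRS:
            result["session"][SESSION_ID_ATTRS[t]] = value.decode()
        elif t == VENDOR_SPECIFIC and value[:5] == struct.pack("!IB", CISCO_VENDOR_ID, CISCO_AVPAIR):
            text = value[6:4 + value[5]].decode()   # vendor length covers type+length+text
            if text.startswith("subscriber:command="):
                result["command"] = text.split("=", 1)[1]
        pos += l
    if not result["session"]:
        raise ValueError("CoA request carries no session identifier (Table 46-4, note 1)")
    return result
```

A request built with the wrong shared secret, or one whose attributes were altered in transit, fails the authenticator check before any command is acted on.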