Coa Request Commands - Cisco IE-4000 Software Configuration Manual

Industrial ethernet switch

Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
Audit-Session-ID (Cisco vendor-specific attribute)
Accounting-Session-ID (IETF attribute 44).
If more than one session identification attribute is included in the message, all the attributes must match the session or
the switch returns a Disconnect-negative acknowledgement (NAK) or CoA-NAK with the error code Invalid Attribute
Value.
The packet format for a CoA Request code as defined in RFC 5176 consists of the fields: Code, Identifier, Length,
Authenticator, and Attributes in Type:Length:Value (TLV) format.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                         Authenticator                         |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
The attributes field is used to carry Cisco VSAs.
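The packet layout above, as an added example that is not from the Cisco manual: a Python parser that checks the Code and Length fields and the Authenticator, walks the TLV attributes, and rejects a request that carries no session identifier. The Authenticator calculation follows RFC 5176; carrying the audit session ID as a Cisco-AVPair named audit-session-id is an assumption, and the shared secret and sample values are constructed.

```python
import hashlib
import hmac
import struct

COA_REQUEST, ACCT_SESSION_ID, VENDOR_SPECIFIC = 43, 44, 26  # RFC 5176 / RFC 2865
CISCO_AVPAIR_HDR = struct.pack("!IB", 9, 1)  # vendor ID 9 (Cisco), type 1 (AVPair)

def _authenticator(header4: bytes, attrs: bytes, secret: bytes) -> bytes:
    # RFC 5176: MD5 over the packet with a zeroed Authenticator, then the secret.
    return hashlib.md5(header4 + bytes(16) + attrs + secret).digest()

def cisco_avpair(text: str) -> bytes:
    vsa = CISCO_AVPAIR_HDR + bytes([len(text.encode()) + 2]) + text.encode()
    return bytes([VENDOR_SPECIFIC, len(vsa) + 2]) + vsa

def build_coa_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    header4 = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return header4 + _authenticator(header4, attrs, secret) + attrs

def parse_coa_request(packet: bytes, secret: bytes) -> dict:
    """Validate a CoA-Request; return its command and session identifiers."""
    if (len(packet) < 20 or packet[0] != COA_REQUEST
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        raise ValueError("bad Code, or Length disagrees with packet size")
    attrs = packet[20:]
    if not hmac.compare_digest(_authenticator(packet[:4], attrs, secret), packet[4:20]):
        raise ValueError("Authenticator does not match the shared secret")
    out = dict.fromkeys(("subscriber:command", "audit-session-id", "acct-session-id"))
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or not 2 <= attrs[pos + 1] <= len(attrs) - pos:
            raise ValueError("attribute TLV overruns the packet")
        atype, value = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
        if atype == ACCT_SESSION_ID:
            out["acct-session-id"] = value.decode()
        elif atype == VENDOR_SPECIFIC and value[:5] == CISCO_AVPAIR_HDR:
            if len(value) < 6 or value[5] != len(value) - 4:
                raise ValueError("Cisco VSA length is inconsistent")
            key, _, val = value[6:].decode().partition("=")
            if key in ("subscriber:command", "audit-session-id"):
                out[key] = val
    if not (out["audit-session-id"] or out["acct-session-id"]):
        raise ValueError("no session identifier in the request")
    return out

# Constructed sample: the secret and session ID are made up for this example.
SECRET = b"example-secret"
SAMPLE = build_coa_request(7, cisco_avpair("subscriber:command=reauthenticate")
                           + cisco_avpair("audit-session-id=0A0000010000ABCD"), SECRET)
```

A request with no `subscriber:command` AVPair parses with that key set to `None`, which leaves the caller to decide how to treat a CoA-Request that names no command.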
CoA ACK Response Code
If the authorization state is changed successfully, a positive acknowledgement (ACK) is sent. The attributes returned
within CoA ACK will vary based on the CoA Request and are discussed in individual CoA Commands.
CoA NAK Response Code
A negative acknowledgement (NAK) indicates a failure to change the authorization state and can include attributes that
indicate the reason for the failure. Use show commands to verify a successful CoA.

CoA Request Commands

Table 26  CoA Commands Supported on the Switch

Command (1)            Cisco VSA
--------------------   ------------------------------------------------------------------
Reauthenticate host    Cisco:Avpair="subscriber:command=reauthenticate"
Terminate session      This is a standard disconnect request that does not require a VSA.
Bounce host port       Cisco:Avpair="subscriber:command=bounce-host-port"
Disable host port      Cisco:Avpair="subscriber:command=disable-host-port"

1. All CoA commands must include the session identifier between the switch and the CoA client.

CoA Session Reauthentication
The AAA server typically generates a session reauthentication request when a host with an unknown identity or posture
joins the network and is associated with a restricted access authorization profile (such as a guest VLAN). A
reauthentication request allows the host to be placed in the appropriate authorization group when its credentials are
known.

This manual is also suitable for: IE-5000, IE-4010