1-20
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-25303-03
Chapter 1 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or
network authorization. Users must first successfully complete RADIUS authentication before
proceeding to RADIUS authorization, if it is enabled. The additional data included with the ACCEPT or
REJECT packets includes these items:
• Telnet, SSH, rlogin, or privileged EXEC services
• Connection parameters, including the host or client IP address, access list, and user timeouts
RADIUS Change of Authorization
This section provides an overview of the RADIUS interface including available primitives and how they
are used during a Change of Authorization (CoA).
• Change-of-Authorization Requests, page 1-20
• CoA Request Response Code, page 1-22
• CoA Request Commands, page 1-23
• Session Reauthentication, page 1-23
• Stacking Guidelines for Session Termination, page 1-25
A standard RADIUS interface is typically used in a pulled model where the request originates from a
network attached device and the response come from the queried servers. Catalyst switches support the
RADIUS Change of Authorization (CoA) extensions defined in RFC 5176 that are typically used in a
pushed model and allow for the dynamic reconfiguring of sessions from external authentication,
authorization, and accounting (AAA) or policy servers.
Beginning with Cisco IOS Release 12.2(52)SE, the switch supports these per-session CoA requests:
• Session reauthentication
• Session termination
• Session termination with port shutdown
• Session termination with port bounce
This feature is integrated with the Cisco Secure Access Control Server (ACS) 5.1.
The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration
is required for the following attributes:
• Security and Password—refer to the “Preventing Unauthorized Access to Your Switch” section in
the Configuring Switch-Based Authentication chapter in the Catalyst 3750 Switch Software
Configuration Guide, 12.2(50)SE.
• Accounting—refer to the “Starting RADIUS Accounting” section in the Configuring Switch-Based
Authentication chapter in the Catalyst 3750 Switch Software Configuration Guide, 12.2(50)SE.
Change-of-Authorization Requests
Change of Authorization (CoA) requests, as described in RFC 5176, are used in a push model to allow
for session identification, host reauthentication, and session termination. The model is comprised of one
request (CoA-Request) and two possible response codes:
• CoA acknowledgement (ACK) [CoA-ACK]
• CoA non-acknowledgement (NAK) [CoA-NAK]
To Next Page
Loading...
Need help?
General
