Cisco IE-5000 User Manual

Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
Audit-Session-ID (Cisco vendor-specific attribute)
Accounting-Session-ID (IETF attribute 44).
If more than one session identification attribute is included in the message, all the attributes must match the session or
the switch returns a Disconnect-NAK (negative acknowledgement) or CoA-NAK with the error code Invalid Attribute
Value.
The packet format for a CoA Request code as defined in RFC 5176 consists of the fields: Code, Identifier, Length,
Authenticator, and Attributes in Type:Length:Value (TLV) format.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
The attributes field is used to carry Cisco VSAs.
CoA ACK Response Code
If the authorization state is changed successfully, a positive acknowledgement (ACK) is sent. The attributes returned
within CoA ACK will vary based on the CoA Request and are discussed in individual CoA Commands.
CoA NAK Response Code
A negative acknowledgement (NAK) indicates a failure to change the authorization state and can include attributes that
indicate the reason for the failure. Use show commands to verify a successful CoA.
CoA Request Commands
CoA Session Reauthentication
The AAA server typically generates a session reauthentication request when a host with an unknown identity or posture
joins the network and is associated with a restricted access authorization profile (such as a guest VLAN). A
reauthentication request allows the host to be placed in the appropriate authorization group when its credentials are
known.
Table 26 CoA Commands Supported on the Switch

Command (1)           Cisco VSA
Reauthenticate host   Cisco:Avpair="subscriber:command=reauthenticate"
Terminate session     This is a standard disconnect request that does not require a VSA.
Bounce host port      Cisco:Avpair="subscriber:command=bounce-host-port"
Disable host port     Cisco:Avpair="subscriber:command=disable-host-port"

1. All CoA commands must include the session identifier between the switch and the CoA client.
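
The following added example (not from the Cisco manual) parses a CoA Request in the packet format shown above, verifies its Authenticator, and extracts the session identifier and the Cisco-AVPair command from Table 26. It assumes the RFC 5176 Request Authenticator calculation (MD5 over the header, 16 zero octets, the attributes, and the shared secret), Cisco vendor ID 9 with Cisco-AVPair as vendor type 1, and a constructed sample packet; the function names are hypothetical.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43        # RFC 5176 code for CoA-Request
ACCT_SESSION_ID = 44    # Accounting-Session-ID (IETF attribute 44)
VENDOR_SPECIFIC = 26    # RADIUS Vendor-Specific attribute carrying Cisco VSAs
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # assumed: Cisco enterprise number, Cisco-AVPair type


def request_authenticator(header4: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176: MD5(Code+Identifier+Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header4 + b"\x00" * 16 + attrs + secret).digest()


def parse_coa_request(packet: bytes, secret: bytes) -> dict:
    """Validate a CoA-Request and return its session id and Cisco AV pairs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a CoA-Request or bad Length field")
    attrs = packet[20:length]
    if not hmac.compare_digest(request_authenticator(packet[:4], attrs, secret), packet[4:20]):
        raise ValueError("Authenticator mismatch: wrong secret or altered packet")
    result = {"identifier": ident, "session_id": None, "avpairs": []}
    pos = 0
    while pos < len(attrs):
        a_len = attrs[pos + 1] if pos + 1 < len(attrs) else 0
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("malformed attribute TLV")
        a_type, value = attrs[pos], attrs[pos + 2:pos + a_len]
        if a_type == ACCT_SESSION_ID:
            result["session_id"] = value.decode("ascii", "replace")
        elif a_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and v_type == CISCO_AVPAIR and 2 <= v_len <= len(value) - 4:
                result["avpairs"].append(value[6:4 + v_len].decode("ascii", "replace"))
        pos += a_len
    return result


def build_sample(secret: bytes) -> bytes:
    """Constructed CoA-Request for the demo: a session id plus the reauthenticate AV pair."""
    av = b"subscriber:command=reauthenticate"
    attrs = bytes([ACCT_SESSION_ID, 2 + 8]) + b"0000002A"
    attrs += bytes([VENDOR_SPECIFIC, 8 + len(av)]) + struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(av)) + av
    header = struct.pack("!BBH", COA_REQUEST, 7, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs
```

A packet that fails the Authenticator check or carries a malformed TLV raises ValueError before any attribute is acted on.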
