Support User Manuals

Cisco Systems 3560-X Switch User Manual

Open as PDF

of 1438

10-22

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-21521-01

Chapter 10 Configuring Switch-Based Authentication

Controlling Switch Access with RADIUS

Session Identification

For disconnect and CoA requests targeted at a particular session, the switch locates the session based on

one or more of the following attributes:

• Calling-Station-Id (IETF attribute #31 which contains the host MAC address)

• Audit-Session-Id (Cisco VSA)

• Acct-Session-Id (IETF attribute #44)

Unless all session identification attributes included in t

he CoA message match the session, the switch

returns a Disconnect-NAK or CoA-NAK with the “Invalid Attribute Value” error-code attribute.

For disconnect and CoA requests targeted to a particular session, any one of the following session

identif

iers can be used:

• Calling-Station-ID (IETF attribute #31, which should contain the MAC address)

• Audit-Session-ID (Cisco vendor-specific attribute)

• Accounting-Session-ID (IETF attribute #44).

If more than one session identification attribute is included in the message, all the attributes must match

the s

ession or the switch returns a Disconnect- negative acknowledgement (NAK) or CoA-NAK with the

error code “Invalid Attribute Value.”

The packet format for a CoA Request code as defined in

RFC 5176 consists of the fields: Code,

Identifier, Length, Authenticator, and Attributes in Type:Length:Value (TLV) format.

0 1 2 3

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Code | Identifier | Length |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| |

| Authenticator |

| |

| |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Attributes ...

+-+-+-+-+-+-+-+-+-+-+-+-+-

The attributes field is used to carry Cisco VSAs.

CoA ACK Response Code

If the authorization state is changed successfully, a positive acknowledgement (ACK) is sent. The

attributes returned within CoA ACK will vary based on the CoA Request and are discussed in individual

CoA Commands.

CoA NAK Response Code

A negative acknowledgement (NAK) indicates a failure to change the authorization state and can include

attributes that indicate the reason for the failure. Use show commands to verify a successful CoA.

CoA Request Commands

This section includes:

• Session Reauthentication

previous next