Cisco Catalyst 3750-X User Manual

10-23
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 10 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
Session Reauthentication in a Switch Stack
Session Termination
CoA Disconnect-Request
CoA Request: Disable Host Port
CoA Request: Bounce-Port
Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 10-4.
Session Reauthentication
The AAA server typically generates a session reauthentication request when a host with an unknown
identity or posture joins the network and is associated with a restricted access authorization profile (such
as a guest VLAN). A reauthentication request allows the host to be placed in the appropriate
authorization group when its credentials are known.
To initiate session authentication, the AAA server sends a standard CoA-Request message which
contains a Cisco vendor-specific attribute (VSA) in this form:
Cisco:Avpair=“subscriber:command=reauthenticate” and one or more session identification attributes.
The current session state determines the switch response to the message. If the session is currently
authenticated by IEEE 802.1x, the switch responds by sending an EAPoL-RequestId message
(see footnote 1 below) to the server.
If the session is currently authenticated by MAC authentication bypass (MAB), the switch sends an
access-request to the server, passing the same identity attributes used for the initial successful
authentication.
If session authentication is in progress when the switch
receives the command, the switch terminates the
process, and restarts the authentication sequence, starting with the method configured to be attempted
first.
If the session is not yet authorized, or is authorized via guest VLAN, or critical VLAN, or similar
policies, the reauthentication message restarts the access control methods, beginning with the method
configured to be attempted first. The current authorization of the session is maintained until the
reauthentication leads to a different authorization result.
Session Reauthentication in a Switch Stack
When a switch stack receives a session reauthentication message:
It checkpoints the need for a re-authentication before returning an acknowledgement (ACK).
It initiates reauthentication for the appropriate session.
Table 10-4 CoA Commands Supported on the Switch

| Command¹ | Cisco VSA |
|---|---|
| Reauthenticate host | Cisco:Avpair=“subscriber:command=reauthenticate” |
| Terminate session | This is a standard disconnect request that does not require a VSA. |
| Bounce host port | Cisco:Avpair=“subscriber:command=bounce-host-port” |
| Disable host port | Cisco:Avpair=“subscriber:command=disable-host-port” |

1. All CoA commands must include the session identifier between the switch and the CoA client.

1. Extensible Authentication Protocol over LAN
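
The CoA-Request form and Table 10-4 described above, as an added example that is not part of the Cisco guide: a Python decoder that reads a captured CoA or disconnect packet, reports which Table 10-4 command it carries, and lists the session identification attributes it found. The RADIUS codes, attribute numbers and the two session identification attributes are taken from RFC 2865 and RFC 5176 as assumptions (this page does not list them), the sample packet is constructed, and the Request Authenticator is not verified.

```python
import struct

# RADIUS codes and attribute numbers (RFC 2865 / RFC 5176); not listed on this page.
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1
SESSION_ID_ATTRS = {31: "Calling-Station-Id", 44: "Acct-Session-Id"}  # assumed set
PREFIX = "subscriber:command="
COMMANDS = {"reauthenticate": "Reauthenticate host",      # rows of Table 10-4
            "bounce-host-port": "Bounce host port",
            "disable-host-port": "Disable host port"}

def tlvs(buf, what):
    """Yield (type, value) pairs from a run of type/length/value fields."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed " + what)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def classify(packet):
    """Return (Table 10-4 command or None, session identification attrs present)."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    command = "Terminate session" if code == DISCONNECT_REQUEST else None
    session_ids = []
    for atype, value in tlvs(packet[20:length], "attribute"):
        if atype in SESSION_ID_ATTRS:
            session_ids.append(SESSION_ID_ATTRS[atype])
        elif atype == VENDOR_SPECIFIC and code == COA_REQUEST and len(value) >= 4 \
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            for vtype, vval in tlvs(value[4:], "vendor sub-attribute"):
                text = vval.decode("ascii", "replace")
                if vtype == CISCO_AVPAIR and text.startswith(PREFIX):
                    command = COMMANDS.get(text[len(PREFIX):], "unknown: " + text)
    return command, session_ids

def attr(atype, value):
    """Encode one attribute; used only to build the constructed sample below."""
    return bytes([atype, len(value) + 2]) + value

# Constructed sample: CoA-Request with a zeroed authenticator and a made-up MAC.
_vsa = struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, (PREFIX + "reauthenticate").encode())
_body = attr(31, b"00-11-22-33-44-55") + attr(VENDOR_SPECIFIC, _vsa)
SAMPLE = struct.pack("!BBH", COA_REQUEST, 7, 20 + len(_body)) + bytes(16) + _body

if __name__ == "__main__":
    print(classify(SAMPLE))  # command name plus the session attributes that were present
```

An empty second element in the result marks a request that carries no session identifier, which the table footnote says every CoA command must include.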

Cisco Catalyst 3750-X Specifications

General
Switching Capacity: 160 Gbps
Stacking Bandwidth: 64 Gbps
Max Stacking Units: 9
Layer Support: Layer 2 and Layer 3
Form Factor: Rack-mountable
DRAM: 256 MB
Flash Memory: 64 MB
Model: Cisco Catalyst 3750-X Series
Ports: 24 or 48 10/100/1000 Ethernet ports
Uplink Interfaces: 4 SFP or 2 SFP+
Features: StackWise Plus, EnergyWise
Image: IP Base or IP Services
Operating Temperature: 0 to 40°C
Operating Humidity: 10 to 85% noncondensing