Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
Audit-Session-ID (Cisco vendor-specific attribute)
Accounting-Session-ID (IETF attribute 44)
If more than one session identification attribute is included in the message, all the attributes must match the session, or the switch returns a Disconnect negative acknowledgement (Disconnect-NAK) or CoA-NAK with the error code "Invalid Attribute Value".
The packet format for a CoA Request code as defined in RFC 5176 consists of the fields Code, Identifier, Length, Authenticator, and Attributes in Type:Length:Value (TLV) format.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
The attributes field is used to carry Cisco VSAs.
CoA ACK Response Code
If the authorization state is changed successfully, a positive acknowledgement (ACK) is sent. The attributes returned
within CoA ACK will vary based on the CoA Request and are discussed in individual CoA Commands.
CoA NAK Response Code
A negative acknowledgement (NAK) indicates a failure to change the authorization state and can include attributes that indicate the reason for the failure. Use show commands to verify a successful CoA.
CoA Request Commands
CoA Session Reauthentication
The AAA server typically generates a session reauthentication request when a host with an unknown identity or posture
joins the network and is associated with a restricted access authorization profile (such as a guest VLAN). A
reauthentication request allows the host to be placed in the appropriate authorization group when its credentials are
known.
Table 26    CoA Commands Supported on the Switch

Command (1)             Cisco VSA
Reauthenticate host     Cisco:Avpair="subscriber:command=reauthenticate"
Terminate session       This is a standard disconnect request that does not require a VSA.
Bounce host port        Cisco:Avpair="subscriber:command=bounce-host-port"
Disable host port       Cisco:Avpair="subscriber:command=disable-host-port"

1. All CoA commands must include the session identifier between the switch and the CoA client.
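As an added illustration of the RFC 5176 packet layout, the session-identifier matching rule and the Cisco VSAs in Table 26 (example code written for this page, not code from the configuration guide or from Cisco), the following Python builds CoA-Request packets carrying a subscriber:command avpair, verifies the Request Authenticator against a shared secret the way a switch would, and applies the rule that every session identifier present must match the same session before the request is honoured. The shared secret, the session identifiers and the use of Error-Cause 402 for a request carrying no identifier are constructed assumptions.

```python
import hashlib
import struct

# Codes, attribute types and Error-Cause values from RFC 2865 / RFC 5176
COA_REQUEST, COA_ACK, COA_NAK, ACCT_SESSION_ID, VENDOR_SPECIFIC = 43, 44, 45, 44, 26
CISCO_AVPAIR_HDR = struct.pack("!IB", 9, 1)  # Vendor-Id 9, vendor-type 1 (cisco-avpair)
MISSING_ATTRIBUTE, INVALID_ATTRIBUTE_VALUE = 402, 407

def tlv(typ, value):
    return struct.pack("!BB", typ, 2 + len(value)) + value
def cisco_avpair(text):
    return tlv(VENDOR_SPECIFIC, CISCO_AVPAIR_HDR + bytes([2 + len(text)]) + text.encode())
def build_coa_request(ident, attrs, secret):
    body = b"".join(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body  # RFC 5176 2.3
def parse_attributes(data):  # walk the TLV field; Cisco avpairs come back as ("cisco-avpair", text)
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        typ, value = data[pos], data[pos + 2:pos + data[pos + 1]]
        if typ == VENDOR_SPECIFIC and value[:5] == CISCO_AVPAIR_HDR and len(value) >= 6:
            yield "cisco-avpair", value[6:4 + value[5]].decode()
        else:
            yield typ, value
        pos += data[pos + 1]
def handle_coa(packet, secret, session):  # switch-side decision: (response code, Error-Cause)
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if code != COA_REQUEST or length != len(packet) or expected != packet[4:20]:
        return None, None  # bad Authenticator: sender lacks the shared secret, discard silently
    matches = []
    for typ, value in parse_attributes(packet[20:]):
        if typ == ACCT_SESSION_ID:
            matches.append(value.decode() == session["acct_session_id"])
        elif typ == "cisco-avpair" and value.startswith("audit-session-id="):
            matches.append(value.split("=", 1)[1] == session["audit_session_id"])
    if not matches:  # no session identifier at all; Error-Cause 402 here is my assumption
        return COA_NAK, MISSING_ATTRIBUTE
    return (COA_ACK, None) if all(matches) else (COA_NAK, INVALID_ATTRIBUTE_VALUE)

SECRET = b"example-shared-secret"  # constructed sample: switch's session record and shared secret
SESSION = {"acct_session_id": "00000042", "audit_session_id": "0A00000100000C00BEEF"}
def demo():
    ids = [tlv(ACCT_SESSION_ID, b"00000042"), cisco_avpair("audit-session-id=0A00000100000C00BEEF")]
    good = build_coa_request(1, ids + [cisco_avpair("subscriber:command=reauthenticate")], SECRET)
    stale = build_coa_request(2, [ids[0], cisco_avpair("audit-session-id=0A00000100000C00DEAD")], SECRET)
    forged = good[:4] + bytes(16) + good[20:]  # Authenticator not derived from the secret
    return [handle_coa(p, SECRET, SESSION) for p in (good, stale, forged)]
```

The stale request carries a matching Accounting-Session-ID but an out-of-date Audit-Session-ID, so it is refused with Error-Cause 407 even though one identifier was right.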