40-95
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 40 Configuring 802.1X Port-Based Authentication
Controlling Switch Access with RADIUS
• CoA Request Commands, page 40-97
• Session Reauthentication, page 40-98
• Displaying 802.1X Statistics and Status, page 40-113
Overview
A standard RADIUS interface is typically used in a pulled model where the request originates from a
network attached device and the response come from the queried servers. Catalyst switches support the
RADIUS Change of Authorization (CoA) extensions defined in RFC 5176 that are typically used in a
pushed model and allow for the dynamic reconfiguring of sessions from external authentication,
authorization, and accounting (AAA) or policy servers.
The switch supports these per-session CoA requests:
• Session reauthentication
• Session termination
• Session termination with port shut down
• Session termination with port bounce
The RADIUS interface is enabled by default on Catalyst switches.
Change-of-Authorization Requests
Change of Authorization (CoA) requests, as described in RFC 5176, are used in a push model to allow
for session identification, host reauthentication, and session termination. The model is comprised of one
request (CoA-Request) and two possible response codes:
• CoA acknowledgement (ACK) [CoA-ACK]
• CoA non-acknowledgement (NAK) [CoA-NAK]
The request is initiated from a CoA client (typically a RADIUS or policy server) and directed to the
switch that acts as a listener.
This section includes these topics:
• CoA Request Response Code
• CoA Request Commands
• Session Reauthentication
RFC 5176 Compliance
The Disconnect Request message, which is also referred to as Packet of Disconnect (POD), is supported
by the switch for session termination.
Table 40-2 shows the IETF attributes are supported for this feature.
Table 40-2 Supported IETF Attributes
Attribute Number Attribute Name
24 State
31 Calling-Station-ID
44 Acct-Session-ID
