9-22
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 9 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS

Preconditions

To use the CoA interface, a session must already exist on the switch. CoA can be used to identify a
session and enforce a disconnect request. The update affects only the specified session.
CoA Request Response Code
The CoA Request response code can be used to convey a command to the switch. The supported
commands are listed in Table 9-4 on page 9-24.

Session Identification

For disconnect and CoA requests targeted at a particular session, the switch locates the session based on
one or more of the following attributes:
Calling-Station-Id (IETF attribute 31 which contains the host MAC address)
Audit-Session-Id (Cisco VSA)
Acct-Session-Id (IETF attribute 44)
Unless all session identification attributes included in the CoA message match the session, the switch
returns a Disconnect-NAK or CoA-NAK with the Invalid Attribute Value error-code attribute.
Table 9-3 Error-Cause Values
Value Explanation
201 Residual Session Context Removed
202 Invalid EAP Packet (Ignored)
401 Unsupported Attribute
402 Missing Attribute
403 NAS Identification Mismatch
404 Invalid Request
405 Unsupported Service
406 Unsupported Extension
407 Invalid Attribute Value
501 Administratively Prohibited
502 Request Not Routable (Proxy)
503 Session Context Not Found
504 Session Context Not Removable
505 Other Proxy Processing Error
506 Resources Unavailable
507 Request Initiated
508 Multiple Session Selection Unsupported