9-24
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 9 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 9-4.
Session Reauthentication
The AAA server typically generates a session reauthentication request when a host with an unknown
identity or posture joins the network and is associated with a restricted access authorization profile (such
as a guest VLAN). A reauthentication request allows the host to be placed in the appropriate
authorization group when its credentials are known.
To initiate session authentication, the AAA server sends a standard CoA-Request message which
contains a Cisco vendor-specific attribute (VSA) in this form:
Cisco:Avpair=“subscriber:command=reauthenticate” and one or more session identification attributes.
The current session state determines the switch response to the message. If the session is currently
authenticated by IEEE 802.1x, the switch responds by sending an Extensible Authentication Protocol
over LAN (EAPoL) RequestId message to the server.
If the session is currently authenticated by MAC authentication bypass (MAB), the switch sends an
access-request to the server, passing the same identity attributes used for the initial successful
authentication.
If session authentication is in progress when the switch receives the command, the switch terminates the
process, and restarts the authentication sequence, starting with the method configured to be attempted
first.
If the session is not yet authorized, or is authorized via guest VLAN, or critical VLAN, or similar
policies, the reauthentication message restarts the access control methods, beginning with the method
configured to be attempted first. The current authorization of the session is maintained until the
reauthentication leads to a different authorization result.
Session Reauthentication in a Switch Stack
When a switch stack receives a session reauthentication message:
It checkpoints the need for a re-authentication before returning an acknowledgement (ACK).
It initiates reauthentication for the appropriate session.
If authentication completes with either success or failure, the signal that triggered the
reauthentication is removed from the stack member.
If the stack master fails before authentication completes, reauthentication is initiated after stack
master switch-over based on the original command (which is subsequently removed).
If the stack master fails before sending an ACK, the new stack master treats the re-transmitted
command as a new command.
Table 9-4 CoA Commands Supported on the Switch
Command1
1. All CoA commands must include the session identifier between the switch and the CoA client.
Cisco VSA
Reauthenticate host Cisco:Avpair=“subscriber:command=reauthenticate”
Terminate session This is a standard disconnect request that does not require a VSA.
Bounce host port Cisco:Avpair=“subscriber:command=bounce-host-port”
Disable host port Cisco:Avpair=“subscriber:command=disable- host-port”