10-20
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 10 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
CoA Request Commands, page 10-22
Session Reauthentication, page 10-23
Stacking Guidelines for Session Termination, page 10-25
A standard RADIUS interface is typically used in a pulled model where the request originates from a
network attached device and the response come from the queried servers. Catalyst switches support the
RADIUS Change of Authorization (CoA) extensions defined in RFC 5176 that are typically used in a
pushed model and allow for the dynamic reconfiguring of sessions from external authentication,
authorization, and accounting (AAA) or policy servers.
Beginning with Cisco IOS Release 12.2(52)SE, the switch supports these per-session CoA requests:
Session reauthentication
Session termination
Session termination with port shutdown
Session termination with port bounce
This feature is integrated with the Cisco Secure Access Control Server (ACS) 5.1. For information about
ACS, refer to:
http://cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html
The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration
is required for the following attributes:
Security and Password—refer to the “Preventing Unauthorized Access to Your Switch” section in
the Configuring Switch-Based Authentication chapter in the Catalyst 3750 Switch Software
Configuration Guide, 12.2(50)SE.
Accounting—refer to the “Starting RADIUS Accounting” section in the Configuring Switch-Based
Authentication chapter in the Catalyst 3750 Switch Software Configuration Guide, 12.2(50)SE.
Change-of-Authorization Requests
Change of Authorization (CoA) requests, as described in RFC 5176, are used in a push model to allow
for session identification, host reauthentication, and session termination. The model is comprised of one
request (CoA-Request) and two possible response codes:
CoA acknowledgement (ACK) [CoA-ACK]
CoA non-acknowledgement (NAK) [CoA-NAK]
The request is initiated from a CoA client (typically a RADIUS or policy server) and directed to the
switch that acts as a listener.
This section includes these topics:
CoA Request Response Code
CoA Request Commands
Session Reauthentication

RFC 5176 Compliance

The Disconnect Request message, which is also referred to as Packet of Disconnect (POD), is supported
by the switch for session termination.
Table 10-2 shows the IETF attributes are supported for this feature.