Cisco Systems 3560-X, 3750-X Session Reauthentication, Session Reauthentication in a Switch Stack

10-23

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-21521-01

Chapter 10 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS

• Session Reauthentication in a Switch Stack

• Session Termination

• CoA Disconnect-Request

• CoA Request: Disable Host Port

• CoA Request: Bounce-Port

Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 10-4.

Session Reauthentication

The AAA server typically generates a session reauthentication request when a host with an unknown

identity or posture joins the network and is associated with a restricted access authorization profile (such

as a guest VLAN). A reauthentication request allows the host to be placed in the appropriate

authorization group when its credentials are known.

To initiate session authentication, the AAA server sends a standard CoA-Request message which

contains a Cisco vendor-specific attribute (VSA) in this form:

Cisco:Avpair=“subscriber:command=reauthenticate” and one or more session identification attributes.

The current session state determines the switch response to the message. If the session is currently

authenticated by IEEE 802.1x, the switch responds by sending an EAPoL1-RequestId message

(see footnote 1 below) to the server.

If the session is currently authenticated by MAC authentication bypass (MAB), the switch sends an

access-request to the server, passing the same identity attributes used for the initial successful

authentication.

If session authentication is in progress when the switch receives the command, the switch terminates the

process, and restarts the authentication sequence, starting with the method configured to be attempted

first.

If the session is not yet authorized, or is authorized via guest VLAN, or critical VLAN, or similar

policies, the reauthentication message restarts the access control methods, beginning with the method

configured to be attempted first. The current authorization of the session is maintained until the

reauthentication leads to a different authorization result.

Session Reauthentication in a Switch Stack

When a switch stack receives a session reauthentication message:

• It checkpoints the need for a re-authentication before returning an acknowledgement (ACK).

• It initiates reauthentication for the appropriate session.

Tab le 10-4 CoA Commands Supported on the Switch

Command1

1. All CoA commands must include the session identifier between the switch and the CoA client.

Cisco VSA

Reauthenticate host Cisco:Avpair=“subscriber:command=reauthenticate”

Terminate session This is a standard disconnect request that does not require a VSA.

Bounce host port Cisco:Avpair=“subscriber:command=bounce-host-port”

Disable host port Cisco:Avpair=“subscriber:command=disable-host-port”

1. Extensible Authentication Protocol over Lan