12-12
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 12 Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
Unless all session identification attributes included in the CoA message match the session, the switch
returns a Disconnect-NAK or CoA-NAK with the Invalid Attribute Value error-code attribute.
For disconnect and CoA requests targeted to a particular session, any one of these session identifiers can
be used:
Calling-Station-ID (IETF attribute 31, which should contain the MAC address)
Audit-Session-ID (Cisco vendor-specific attribute)
Accounting-Session-ID (IETF attribute 44).
If more than one session identification attribute is included in the message, all the attributes must match
the session or the switch returns a Disconnect- negative acknowledgement (NAK) or CoA-NAK with the
error code Invalid Attribute Value.
The packet format for a CoA Request code as defined in RFC 5176 consists of the fields: Code,
Identifier, Length, Authenticator, and Attributes in Type:Length:Value (TLV) format.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
The attributes field is used to carry Cisco VSAs.

CoA ACK Response Code

If the authorization state is changed successfully, a positive acknowledgement (ACK) is sent. The
attributes returned within CoA ACK will vary based on the CoA Request and are discussed in individual
CoA Commands.

CoA NAK Response Code

A negative acknowledgement (NAK) indicates a failure to change the authorization state and can include
attributes that indicate the reason for the failure. Use show commands to verify a successful CoA.
CoA Request Commands
Tab l e 12-4 CoA Commands Supported on the Switch
Command1
1. All CoA commands must include the session identifier between the switch and the CoA client.
Cisco VSA
Reauthenticate host Cisco:Avpair=“subscriber:command=reauthenticate”
Terminate session This is a standard disconnect request that does not require a VSA.
Bounce host port Cisco:Avpair=“subscriber:command=bounce-host-port”
Disable host port Cisco:Avpair=“subscriber:command=disable-host-port”