9-21
Catalyst 3750 SwitchSoftware Configuration Guide
OL-8550-09
Chapter9 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
This feature is integrated with the Cisco Secure Access Control Server (ACS) 5.1. For information about
ACS:
http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html
The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration
is required for these attributes:
Security and Password—See the “Preventing Unauthorized Access to Your Switch” section in the
“Configuring Switch-Based Authentication” chapter in the Catalyst 3750 Switch Software
Configuration Guide, Cisco Release 12.2(50)SE.
Accounting—See the “Starting RADIUS Accounting” section in the “Configuring Switch-Based
Authentication” chapter in the Catalyst 3750 Switch Software Configuration Guide, 12.2(50)SE.
Change-of-Authorization Requests
Change of Authorization (CoA) requests, as described in RFC 5176, are used in a push model to allow
for session identification, host reauthentication, and session termination. The model is comprised of one
request (CoA-Request) and two possible response codes:
CoA acknowledgement (ACK) [CoA-ACK]
CoA non-acknowledgement (NAK) [CoA-NAK]
The request is initiated from a CoA client (typically a RADIUS or policy server) and directed to the
switch that acts as a listener.
This section includes these topics:
CoA Request Response Code
CoA Request Commands
Session Reauthentication

RFC 5176 Compliance

The Disconnect Request message, which is also referred to as Packet of Disconnect (POD), is supported
by the switch for session termination.
Table 9 -2 shows the IETF attributes are supported for this feature.
Table 9 -3 shows the possible values for the Error-Cause attribute.
Table9-2 Supported IETF Attributes
Attribute Number Attribute Name
24 State
31 Calling-Station-ID
44 Acct-Session-ID
80 Message-Authenticator
101 Error-Cause