Cisco Systems 3560X Manual De Usuario
10-20
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 10 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
•
•
•
A standard RADIUS interface is typically used in a pulled model where the request originates from a
network attached device and the response come from the queried servers. Catalyst switches support the
RADIUS Change of Authorization (CoA) extensions defined in RFC 5176 that are typically used in a
pushed model and allow for the dynamic reconfiguring of sessions from external authentication,
authorization, and accounting (AAA) or policy servers.
network attached device and the response come from the queried servers. Catalyst switches support the
RADIUS Change of Authorization (CoA) extensions defined in RFC 5176 that are typically used in a
pushed model and allow for the dynamic reconfiguring of sessions from external authentication,
authorization, and accounting (AAA) or policy servers.
Beginning with Cisco IOS Release 12.2(52)SE, the switch supports these per-session CoA requests:
•
Session reauthentication
•
Session termination
•
Session termination with port shutdown
•
Session termination with port bounce
This feature is integrated with the Cisco Secure Access Control Server (ACS) 5.1. For information about
ACS, refer to:
ACS, refer to:
The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration
is required for the following attributes:
is required for the following attributes:
•
“Preventing Unauthorized Access to Your Switch”
section in
the Configuring Switch-Based Authentication chapter in the Catalyst 3750 Switch Software
Configuration Guide, 12.2(50)SE
Configuration Guide, 12.2(50)SE
.
•
“Starting RADIUS Accounting”
section in the Configuring Switch-Based
Authentication chapter in the Catalyst 3750 Switch Software Configuration Guide, 12.2(50)SE.
Change-of-Authorization Requests
Change of Authorization (CoA) requests, as described in RFC 5176, are used in a push model to allow
for session identification, host reauthentication, and session termination. The model is comprised of one
request (CoA-Request) and two possible response codes:
for session identification, host reauthentication, and session termination. The model is comprised of one
request (CoA-Request) and two possible response codes:
•
CoA acknowledgement (ACK) [CoA-ACK]
•
CoA non-acknowledgement (NAK) [CoA-NAK]
The request is initiated from a CoA client (typically a RADIUS or policy server) and directed to the
switch that acts as a listener.
switch that acts as a listener.
This section includes these topics:
•
•
•
RFC 5176 Compliance
The Disconnect Request message, which is also referred to as Packet of Disconnect (POD), is supported
by the switch for session termination.
by the switch for session termination.