Cisco Systems 3560X Manual De Usuario
10-22
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 10 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
Session Identification
For disconnect and CoA requests targeted at a particular session, the switch locates the session based on
one or more of the following attributes:
one or more of the following attributes:
•
Calling-Station-Id (IETF attribute #31 which contains the host MAC address)
•
Audit-Session-Id (Cisco VSA)
•
Acct-Session-Id (IETF attribute #44)
Unless all session identification attributes included in the CoA message match the session, the switch
returns a Disconnect-NAK or CoA-NAK with the “Invalid Attribute Value” error-code attribute.
returns a Disconnect-NAK or CoA-NAK with the “Invalid Attribute Value” error-code attribute.
For disconnect and CoA requests targeted to a particular session, any one of the following session
identifiers can be used:
identifiers can be used:
•
Calling-Station-ID (IETF attribute #31, which should contain the MAC address)
•
Audit-Session-ID (Cisco vendor-specific attribute)
•
Accounting-Session-ID (IETF attribute #44).
If more than one session identification attribute is included in the message, all the attributes must match
the session or the switch returns a Disconnect- negative acknowledgement (NAK) or CoA-NAK with the
error code “Invalid Attribute Value.”
the session or the switch returns a Disconnect- negative acknowledgement (NAK) or CoA-NAK with the
error code “Invalid Attribute Value.”
The packet format for a CoA Request code as defined in RFC 5176 consists of the fields: Code,
Identifier, Length, Authenticator, and Attributes in Type:Length:Value (TLV) format.
Identifier, Length, Authenticator, and Attributes in Type:Length:Value (TLV) format.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
The attributes field is used to carry Cisco VSAs.
CoA ACK Response Code
If the authorization state is changed successfully, a positive acknowledgement (ACK) is sent. The
attributes returned within CoA ACK will vary based on the CoA Request and are discussed in individual
CoA Commands.
attributes returned within CoA ACK will vary based on the CoA Request and are discussed in individual
CoA Commands.
CoA NAK Response Code
A negative acknowledgement (NAK) indicates a failure to change the authorization state and can include
attributes that indicate the reason for the failure. Use show commands to verify a successful CoA.
attributes that indicate the reason for the failure. Use show commands to verify a successful CoA.
CoA Request Commands
This section includes:
•