Change of Authorization Message Types in Catalyst 1300

Available Languages

Download Options

PDF (85.0 KB)
View with Adobe Reader on a variety of devices

Updated:March 5, 2025

Document ID:1741213972752260

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

kmgmt3736-coa-message-types-catalyst-1300

Objective

The objective of this article is to provide an overview of the change of authorization message types in Catalyst 1300 switches.

Applicable Devices | Software Version

Catalyst 1200 Switches | 4.1.3.36
Catalyst 1300 Switches | 4.1.3.36

Introduction

Change of Authorization (CoA) is an extension to the RADIUS protocol, allowing dynamic changes to a AAA or dot1x user session. When a policy for a user of group in AAA changes, administrators can transmit RADIUS CoA packets from the AAA server, such as a Cisco Identity Services Engines (ISE), to reinitialize authentication and apply the new policy.

This feature requires communication between the Dynamic Authorization Client (RADIUS Server) and the Dynamic Authorization Server (Catalyst switch). As seen in network diagram below, the Dynamic Authorization Client sends a disconnect or CoA message to the Dynamic Authorization Server and the switch provides a response.

The device supports the following CoA actions:

CoA Session Reauth - This forces a reauthentication on the port by sending a CoA packet with a reauthenticate command.
CoA Session Terminate - This sends a Disconnect Request with a terminate command based on an Admin request.
CoA Port Bounce - This sends a CoA Request packet with a Bounce Host Port command that will disable and re-enable the port on the switch.
CoA Session Termination with Port Bounce - This terminates the existing session and bounces the port.
CoA Session Termination with Port Shutdown - This terminates the session and administratively downs the port.

CoA Sanet Session Query is not supported by the Catalyst 1300 switches.

CoA Request Response Codes

CoA requests, as described in RFC 5176, are used to allow for session identification, host reauthentication, and session termination. The model contains a single request (CoA-Request) and two possible response codes:

CoA acknowledgment (ACK) [CoA-ACK]
CoA non-acknowledgment (NAK) [CoA-NAK]

The request is initiated from a CoA client (usually a RADIUS or policy server) and directed to the device that acts as a listener.

CoA ACK Response Code

If an authorization state is changed successfully, a positive acknowledgment (ACK) is sent. The attributes returned within a CoA ACK can vary based on the CoA request.

CoA NAK Response Code

A negative acknowledgment (NAK) indicates a failure to change the authorization state and can include attributes that indicate the reason for the failure.

Supported Commands and Responses

CoA is an extension to the overall RADIUS protocol and has the ISE server sending packets to UDP Port 1700 on the switch.

40 - Disconnect-Request - processed by the switch. The switch replies with either Disconnect-ACK or Disconnect-NAK.
41 - Disconnect-ACK - sent by the switch
42 - Disconnect-NAK - sent by the switch
43 - CoA-Request - processed by the switch. The switch replies with either CoA-ACK or CoA-NAK.
44 - CoA-ACK - sent by the switch
45 - CoA-NAK - sent by the switch

The RADIUS packet type codes are defined in RFC3575.