The AAA server
typically generates a session reauthentication request when a host with an
unknown identity or posture joins the network and is associated with a
restricted access authorization profile (such as a guest VLAN). A
reauthentication request allows the host to be placed in the appropriate
authorization group when its credentials are known.
To initiate session authentication, the AAA server sends a standard
CoA-Request message which contains a Cisco vendor-specific attribute (VSA) in
Cisco:Avpair=“subscriber:command=reauthenticate” and one or more
session identification attributes.
The current session state determines the switch response to the message.
If the session is currently authenticated by IEEE 802.1x, the switch responds
by sending an EAPoL2-RequestId message to the server.
If the session is currently authenticated by MAC authentication bypass
(MAB), the switch sends an access-request to the server, passing the same
identity attributes used for the initial successful authentication.
If session authentication is in progress when the switch receives the
command, the switch terminates the process, and restarts the authentication
sequence, starting with the method configured to be attempted first.
If the session is not yet authorized, or is authorized via guest VLAN,
or critical VLAN, or similar policies, the reauthentication message restarts
the access control methods, beginning with the method configured to be
attempted first. The current authorization of the session is maintained until
the reauthentication leads to a different authorization result.