RADIUS Change of Authorization
The RADIUS Change of Authorization (CoA) provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes for a user or user group in AAA, administrators can send RADIUS CoA packets from the AAA server such as a Cisco Secure Access Control Server (ACS) to reinitialize authentication and apply the new policy. This section provides an overview of the RADIUS interface including available primitives and how they are used during a CoA.
- Change-of-Authorization Requests
- CoA Request Response Code
- CoA Request Commands
- Session Reauthentication
- Stacking Guidelines for Session Termination
A standard RADIUS interface is typically used in a pulled model, where the request originates from a network-attached device and the response comes from the queried servers. Catalyst switches support the RADIUS CoA extensions defined in RFC 5176, which are typically used in a pushed model and allow external AAA or policy servers to dynamically reconfigure sessions.
The switch supports these per-session CoA requests:
- Session reauthentication
- Session termination
- Session termination with port shutdown
- Session termination with port bounce
This feature is integrated with Cisco Secure Access Control Server (ACS) 5.1.
The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration is required for the following attributes:
- Security and Password—refer to the “Preventing Unauthorized Access to Your Switch” section in this guide.
- Accounting—refer to the “Starting RADIUS Accounting” section in the Configuring Switch-Based Authentication chapter in this guide.
CoA Request Response Code
- CoA acknowledgement (ACK) [CoA-ACK]
- CoA nonacknowledgement (NAK) [CoA-NAK]
The request is initiated from a CoA client (typically a AAA or policy server) and directed to the device that acts as a listener.
The table below shows the RADIUS CoA commands and vendor-specific attributes (VSAs) supported by Identity-Based Networking Services. All CoA commands must include the session identifier between the device and the CoA client.
CoA Command | Cisco VSA
---|---
Activate service | Cisco:Avpair="subscriber:command=activate-service"<br>Cisco:Avpair="subscriber:service-name=<service-name>"<br>Cisco:Avpair="subscriber:precedence=<precedence-number>"<br>Cisco:Avpair="subscriber:activation-mode=replace-all"
Deactivate service | Cisco:Avpair="subscriber:command=deactivate-service"<br>Cisco:Avpair="subscriber:service-name=<service-name>"
Bounce host port | Cisco:Avpair="subscriber:command=bounce-host-port"
Disable host port | Cisco:Avpair="subscriber:command=disable-host-port"
Session query | Cisco:Avpair="subscriber:command=session-query"
Session reauthenticate | Cisco:Avpair="subscriber:command=reauthenticate"<br>Cisco:Avpair="subscriber:reauthenticate-type=last" or Cisco:Avpair="subscriber:reauthenticate-type=rerun"
Session terminate | This is a standard disconnect request and does not require a VSA.
Interface template | Cisco:AVpair="interface-template-name=<interfacetemplate>"