Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 12 Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
CoA Session Reauthentication
The AAA server typically generates a session reauthentication request when a host with an unknown identity or posture joins the network and is associated with a restricted access authorization profile (such as a guest VLAN). A reauthentication request allows the host to be placed in the appropriate authorization group once its credentials are known.
To initiate session reauthentication, the AAA server sends a standard CoA-Request message that contains a Cisco vendor-specific attribute (VSA) in this form: Cisco:Avpair="subscriber:command=reauthenticate", together with one or more session identification attributes.
The current session state determines the switch response to the message. If the session is currently authenticated by IEEE 802.1x, the switch responds by sending an Extensible Authentication Protocol over LAN (EAPoL) RequestId message to the server.
If the session is currently authenticated by MAC authentication bypass (MAB), the switch sends an access-request to the server, passing the same identity attributes used for the initial successful authentication.
If session authentication is in progress when the switch receives the command, the switch terminates the process and restarts the authentication sequence, starting with the method configured to be attempted first.
If the session is not yet authorized, or is authorized via guest VLAN, critical VLAN, or a similar policy, the reauthentication message restarts the access control methods, beginning with the method configured to be attempted first. The current authorization of the session is maintained until the reauthentication leads to a different authorization result.
CoA Session Termination
There are three types of CoA requests that can trigger session termination. A CoA Disconnect-Request terminates the session without disabling the host port. This command causes reinitialization of the authenticator state machine for the specified host, but does not restrict that host's access to the network.
To restrict a host's access to the network, use a CoA Request with the Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is known to be causing problems on the network and you need to immediately block network access for the host. When you want to restore network access on the port, reenable it using a non-RADIUS mechanism.
When a device with no supplicant, such as a printer, needs to acquire a new IP address (for example, after a VLAN change), terminate the session on the host port with port-bounce (temporarily disable and then reenable the port).
CoA Disconnect-Request
This command is a standard Disconnect-Request. Because this command is session-oriented, it must be accompanied by one or more of the session identification attributes described in the "CoA Session Identification" section on page 12-11. If the session cannot be located, the switch returns a Disconnect-NAK message with the "Session Context Not Found" error-code attribute. If the session is located, the switch terminates the session. After the session has been completely removed, the switch returns a Disconnect-ACK.
If the switch fails over to a standby switch before returning a Disconnect-ACK to the client, the process is repeated on the new active switch when the request is resent from the client. If the session is not found following the resend, a Disconnect-ACK is sent with the "Session Context Not Found" error-code attribute.
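The following Python example is added here to illustrate both the reauthentication section above and the Disconnect-Request handling just described; it is not code from the Cisco IE 2000 guide or from Cisco IOS. It encodes CoA-Request and Disconnect-Request packets in the RFC 5176 format, carries the Cisco:Avpair VSA strings from the text (VSA vendor id 9, sub-type 1, the standard Cisco-AVPair encoding), verifies the Request Authenticator the way a NAS must before acting, and then runs a toy model of the switch-side decisions: which reaction a "reauthenticate" command produces for each session state, and Disconnect-ACK versus Disconnect-NAK with the Error-Cause value 503 ("Session Context Not Found", RFC 5176). Assumptions not stated on this page: Acct-Session-Id (44) and Calling-Station-Id (31) are used as the session identification attributes (the guide defers those to its "CoA Session Identification" section), the switch answers an accepted CoA command with CoA-ACK, the session table and port table are simple dictionaries, and port-bounce is not modelled. All sample values (shared secret, session ids, MAC address, port names) are constructed.

```python
"""Added example, not Cisco's code: RFC 5176 framing for CoA-Request and
Disconnect-Request carrying the Cisco-AVPair VSAs from the text, plus a toy model
of the switch-side decisions the text describes. All sample values are constructed."""
import hashlib
import hmac
import struct

# Packet codes (RFC 5176) and attribute types (RFC 2865/2866/5176).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
VENDOR_SPECIFIC, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 26, 31, 44, 101
CISCO_VENDOR_ID, CISCO_AVPAIR, ERR_SESSION_CONTEXT_NOT_FOUND = 9, 1, 503  # Cisco:Avpair = VSA vendor 9, sub-type 1

def attr(atype, value):
    """Encode one RADIUS type/length/value attribute."""
    return bytes([atype, 2 + len(value)]) + value

def cisco_avpair(text):
    """Vendor-Specific (26) wrapping Cisco-AVPair: vendor id, sub-type, sub-length, text."""
    inner = bytes([CISCO_AVPAIR, 2 + len(text)]) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(code | id | length | 16 zero bytes | attrs | secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(code | id | length | request authenticator | attrs | secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def request_auth_valid(packet, secret):
    """Switch side: a request whose authenticator does not verify is silently dropped."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def response_auth_valid(reply, request_auth, secret):
    """AAA side: check a Disconnect/CoA reply against the request it answers."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def parse(packet):
    """Return (code, id, authenticator, attrs); Cisco-AVPairs decode to ("cisco-avpair", text)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            attrs.append(("cisco-avpair", value[6:4 + value[5]].decode()))
        else:
            attrs.append((atype, value))
        pos += alen
    return code, ident, packet[4:20], attrs

# The switch reaction to "reauthenticate" that the text describes, keyed by session state.
REAUTH_ACTION = {
    "dot1x": "send EAPoL RequestId to restart the 802.1x exchange",
    "mab": "send Access-Request with the identity attributes of the initial MAB authentication",
    "in-progress": "abort the running attempt and restart from the first configured method",
    "guest-vlan": "restart from the first configured method; keep current authorization until the result differs",
}

def switch_handle(packet, sessions, ports, secret):
    """Toy switch. sessions: Acct-Session-Id -> {"state", "port"}; ports: port -> enabled.
    Returns (reply packet or None, description of the action taken)."""
    if not request_auth_valid(packet, secret):
        return None, "dropped: Request Authenticator mismatch"
    code, ident, auth, attrs = parse(packet)
    sid = next((v.decode() for t, v in attrs if t == ACCT_SESSION_ID), None)
    session = sessions.get(sid)
    not_found = [attr(ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))]
    if code == DISCONNECT_REQUEST:
        if session is None:
            return build_response(DISCONNECT_NAK, ident, auth, not_found, secret), "Session Context Not Found"
        sessions.pop(sid)                       # session removed; the host port stays enabled
        return build_response(DISCONNECT_ACK, ident, auth, [], secret), "session terminated"
    if code == COA_REQUEST:
        if session is None:
            return build_response(COA_NAK, ident, auth, not_found, secret), "Session Context Not Found"
        cmds = [v for t, v in attrs if t == "cisco-avpair"]
        if "subscriber:command=reauthenticate" in cmds:
            action = REAUTH_ACTION[session["state"]]
        elif "subscriber:command=disable-host-port" in cmds:
            ports[session["port"]] = False      # only a non-RADIUS action re-enables the port
            sessions.pop(sid)
            action = "host port disabled and session terminated"
        else:
            return build_response(COA_NAK, ident, auth, [], secret), "unsupported command"
        return build_response(COA_ACK, ident, auth, [], secret), action   # CoA-ACK reply assumed
    return None, "unexpected packet code"
```

To try it, build a request with build_request(COA_REQUEST, 7, [attr(ACCT_SESSION_ID, b"0000002A"), cisco_avpair("subscriber:command=reauthenticate")], secret) and pass it to switch_handle together with a sessions dictionary such as {"0000002A": {"state": "mab", "port": "Gi1/1"}} and a ports dictionary {"Gi1/1": True}; the returned description reports the MAB reaction from the text, and parse() on the reply shows the CoA-ACK code and identifier. A Disconnect-Request for an unknown Acct-Session-Id comes back as code 42 carrying Error-Cause 503, which is the "Session Context Not Found" case the text describes. The authenticator check runs before any lookup, so a request that does not verify against the shared secret is dropped without touching the session table, which is the behaviour that keeps a spoofed CoA from tearing down or re-homing sessions.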