User's Manual
10-24
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 10 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
  • If authentication completes with either success or failure, the signal that triggered the reauthentication is removed from the stack member.
  • If the stack master fails before authentication completes, reauthentication is initiated after stack master switch-over based on the original command (which is subsequently removed).
  • If the stack master fails before sending an ACK, the new stack master treats the re-transmitted command as a new command.
Session Termination
There are three types of CoA requests that can trigger session termination. A CoA Disconnect-Request terminates the session without disabling the host port. This command causes re-initialization of the authenticator state machine for the specified host, but does not restrict that host’s access to the network.
To restrict a host’s access to the network, use a CoA Request with the Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is known to be causing problems on the network and you need to immediately block network access for the host. When you want to restore network access on the port, re-enable it using a non-RADIUS mechanism.
When a device with no supplicant, such as a printer, needs to acquire a new IP address (for example, after a VLAN change), terminate the session on the host port with port-bounce (temporarily disable and then re-enable the port).
CoA Disconnect-Request
This command is a standard Disconnect-Request. Because this command is session-oriented, it must be accompanied by one or more of the session identification attributes described in the “Session Identification” section on page 10-22. If the session cannot be located, the switch returns a Disconnect-NAK message with the “Session Context Not Found” error-code attribute. If the session is located, the switch terminates the session. After the session has been completely removed, the switch returns a Disconnect-ACK.
If the switch fails over to a standby switch before returning a Disconnect-ACK to the client, the process is repeated on the new active switch when the request is re-sent from the client. If the session is not found following re-sending, a Disconnect-ACK is sent with the “Session Context Not Found” error-code attribute.
CoA Request: Disable Host Port
This command is carried in a standard CoA-Request message that has this new VSA:
Cisco:Avpair="subscriber:command=disable-host-port"
Because this command is session-oriented, it must be accompanied by one or more of the session identification attributes described in the “Session Identification” section on page 10-22. If the session cannot be located, the switch returns a CoA-NAK message with the “Session Context Not Found” error-code attribute. If the session is located, the switch disables the hosting port and returns a CoA-ACK message.
If the switch fails before returning a CoA-ACK to the client, the process is repeated on the new active switch when the request is re-sent from the client. If the switch fails after returning a CoA-ACK message to the client but before the operation has completed, the operation is restarted on the new active switch.
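The Disconnect-Request and disable-host-port exchanges described in the two sections above, worked through as an added example in Python. This is not Cisco's code and is not part of this guide: it encodes the RFC 5176 packets (Disconnect-Request code 40, CoA-Request code 43, and their ACK/NAK replies), computes the request and response authenticators with the RADIUS shared secret, and models the switch side with a constructed session table so that a located session is terminated or its port disabled, and an unknown session gets a NAK carrying Error-Cause 503 (“Session Context Not Found”). The session table, port names, shared secret and the choice of Acct-Session-Id as the identifying attribute are assumptions made for the example; the attributes the switch actually accepts are those listed in the “Session Identification” section the text refers to.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 section 3.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types (RFC 2865/2866/5176) and the Cisco VSA numbers.
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503   # RFC 5176 Error-Cause value
ERR_UNSUPPORTED_ATTRIBUTE = 401
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                      # vendor type of Cisco:Avpair
DISABLE_HOST_PORT = "subscriber:command=disable-host-port"


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap a Cisco:Avpair string in a Vendor-Specific attribute."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_request(code, identifier, attrs, secret):
    """Request Authenticator = MD5(header | 16 zero octets | attrs | secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(header | RequestAuth | attrs | secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_request(packet, secret):
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def verify_response(response, request, secret):
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def parse_attrs(payload):
    """Walk the TLV list; reject bad lengths instead of looping or over-reading."""
    out = []
    while payload:
        if len(payload) < 2 or payload[1] < 2 or payload[1] > len(payload):
            raise ValueError("malformed RADIUS attribute")
        out.append((payload[0], payload[2:payload[1]]))
        payload = payload[payload[1]:]
    return out


def error_cause(response):
    """Return the Error-Cause value carried in a NAK, or None."""
    for atype, value in parse_attrs(response[20:]):
        if atype == ATTR_ERROR_CAUSE:
            return struct.unpack("!I", value)[0]
    return None


class SwitchSim:
    """Constructed stand-in for the switch: sessions keyed by Acct-Session-Id."""

    def __init__(self, sessions, secret):
        self.sessions = dict(sessions)      # session id -> host port (constructed)
        self.disabled_ports = set()
        self.secret = secret

    def handle(self, request):
        if not verify_request(request, self.secret):
            return None                     # bad authenticator: silently discard
        code = request[0]
        nak = DISCONNECT_NAK if code == DISCONNECT_REQUEST else COA_NAK
        attrs = parse_attrs(request[20:])
        session_id = next((v.decode() for t, v in attrs if t == ATTR_ACCT_SESSION_ID), None)
        port = self.sessions.get(session_id)
        if port is None:                    # session cannot be located
            err = attr(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))
            return build_response(nak, request, err, self.secret)
        if code == DISCONNECT_REQUEST:      # terminate session, port stays enabled
            del self.sessions[session_id]
            return build_response(DISCONNECT_ACK, request, b"", self.secret)
        commands = [v[6:].decode() for t, v in attrs
                    if t == ATTR_VENDOR_SPECIFIC
                    and v[:4] == struct.pack("!I", CISCO_VENDOR_ID) and v[4] == CISCO_AVPAIR]
        if DISABLE_HOST_PORT in commands:   # terminate session and shut the host port
            del self.sessions[session_id]
            self.disabled_ports.add(port)   # re-enabling needs a non-RADIUS action
            return build_response(COA_ACK, request, b"", self.secret)
        err = attr(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_UNSUPPORTED_ATTRIBUTE))
        return build_response(COA_NAK, request, err, self.secret)


def demo():
    """Run the three exchanges against a constructed session table."""
    secret = b"constructed-shared-secret"  # placeholder, not a real secret
    switch = SwitchSim({"0000001A": "Gi1/0/5", "0000001B": "Gi1/0/6"}, secret)
    results = {}
    req = build_request(DISCONNECT_REQUEST, 1, attr(ATTR_ACCT_SESSION_ID, b"0000001A"), secret)
    rsp = switch.handle(req)
    results["disconnect"] = (rsp[0], verify_response(rsp, req, secret))
    req = build_request(DISCONNECT_REQUEST, 2, attr(ATTR_ACCT_SESSION_ID, b"0000001C"), secret)
    rsp = switch.handle(req)
    results["unknown"] = (rsp[0], error_cause(rsp))
    req = build_request(COA_REQUEST, 3, attr(ATTR_ACCT_SESSION_ID, b"0000001B")
                        + cisco_avpair(DISABLE_HOST_PORT), secret)
    rsp = switch.handle(req)
    results["disable_port"] = (rsp[0], sorted(switch.disabled_ports))
    return results


if __name__ == "__main__":
    print(demo())
```

The model keeps the two behaviours the text distinguishes apart: a Disconnect-Request only removes the session entry, while the disable-host-port VSA also puts the port in the disabled set, from which nothing in the RADIUS path removes it. MD5 is used because that is what the protocol specifies for the authenticators, which is also why the shared secret and the network path carrying CoA traffic deserve the same protection as any other RADIUS exchange.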