RADIUS Change-of-Authorization Support
Cisco IOS software supports the RADIUS CoA extensions defined in RFC 5176 that are typically used in a push model to allow the dynamic reconfiguring of sessions from external AAA or policy servers. Per-session CoA requests are supported for session identification, session termination, host reauthentication, port shutdown, and port bounce. This model comprises one request (CoA-Request) and two possible response codes:
- CoA acknowledgement (ACK) [CoA-ACK]
- CoA nonacknowledgement (NAK) [CoA-NAK]
The request is initiated from a CoA client (typically a AAA or policy server) and directed to the device that acts as a listener.
The table below shows the RADIUS CoA commands and vendor-specific attributes (VSAs) supported by Cisco IBNS. All CoA commands must include the session identifier between the device and the CoA client.
CoA Command | Cisco VSA |
---|---|
Activate service | Cisco:Avpair="subscriber:command=activate-service"<br>Cisco:Avpair="subscriber:service-name=<service-name>"<br>Cisco:Avpair="subscriber:precedence=<precedence-number>"<br>Cisco:Avpair="subscriber:activation-mode=replace-all" |
Deactivate service | Cisco:Avpair="subscriber:command=deactivate-service"<br>Cisco:Avpair="subscriber:service-name=<service-name>" |
Bounce host port | Cisco:Avpair="subscriber:command=bounce-host-port" |
Disable host port | Cisco:Avpair="subscriber:command=disable-host-port" |
Session query | Cisco:Avpair="subscriber:command=session-query" |
Session reauthenticate | Cisco:Avpair="subscriber:command=reauthenticate"<br>Cisco:Avpair="subscriber:reauthenticate-type=last" or Cisco:Avpair="subscriber:reauthenticate-type=rerun" |
Session terminate | This is a standard disconnect request and does not require a VSA. |
Interface template | Cisco:AVpair="interface-template-name=<interfacetemplate>" |
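
The following Python check is an added example, not Cisco code: it validates the `subscriber:` AVPair values of one CoA-Request against the commands in the table above, as a policy-server operator or log reviewer might before sending or after capturing a request. The function names are hypothetical; it assumes the values have already been extracted from the `Cisco:Avpair` attribute, treats `service-name` as required (an assumption), and does not cover the session identifier, session terminate, or interface template rows.

```python
import re

# Commands and companion attributes from the table above, as (required, optional).
# Which companions are mandatory is an assumption of this example.
COMMANDS = {
    "activate-service": ({"service-name"}, {"precedence", "activation-mode"}),
    "deactivate-service": ({"service-name"}, set()),
    "bounce-host-port": (set(), set()),
    "disable-host-port": (set(), set()),
    "session-query": (set(), set()),
    "reauthenticate": (set(), {"reauthenticate-type"}),
}
AVPAIR_RE = re.compile(r"^subscriber:([a-z-]+)=(.+)$")

def parse_avpairs(avpairs):
    """Split 'subscriber:key=value' strings into a dict plus a list of problems."""
    attrs, errors = {}, []
    for raw in avpairs:
        match = AVPAIR_RE.match(raw.strip())
        if not match:
            errors.append(f"unparsed AVPair: {raw!r}")
        elif match.group(1) in attrs:
            errors.append(f"duplicate attribute: {match.group(1)}")
        else:
            attrs[match.group(1)] = match.group(2)
    return attrs, errors

def validate_coa(avpairs):
    """Return (command, errors) for the Cisco AVPairs of one CoA-Request."""
    attrs, errors = parse_avpairs(avpairs)
    command = attrs.pop("command", None)
    if command not in COMMANDS:
        return command, errors + [f"missing or unsupported command: {command}"]
    required, optional = COMMANDS[command]
    errors += [f"missing {n} for {command}" for n in sorted(required - set(attrs))]
    for name, value in attrs.items():
        if name not in required | optional:
            errors.append(f"unexpected {name} for {command}")
        elif name == "reauthenticate-type" and value not in ("last", "rerun"):
            errors.append(f"bad reauthenticate-type: {value}")
        elif name == "precedence" and not value.isdigit():
            errors.append(f"non-numeric precedence: {value}")
    return command, errors

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ["subscriber:command=reauthenticate", "subscriber:reauthenticate-type=rerun"],
    ["subscriber:command=activate-service", "subscriber:precedence=ten"],
    ["subscriber:command=bounce-host-port", "subscriber:service-name=GUEST"],
]
```

Calling `validate_coa(SAMPLES[1])` reports both the missing `service-name` and the non-numeric precedence; an empty error list means the request matches a row of the table.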