RFC 5176 — Dynamic Session Change

RFC 5176 allows you to dynamically change the following user session characteristics:
  • You can disconnect an authenticated user on a port and remove all associated session context.

    If the RADIUS server issues a disconnect command to the switch and the switch identifies a user (one who matches all attributes in the RADIUS server request) on a port on which RADIUS dynamic extensions commands are enabled, the switch performs the following actions:
    • Notify the user of the disconnect by sending an 802.1X disconnect message to the client.

    • Remove all session context from the port.

    • Remove the port from the RADIUS-assigned VLAN, if applicable.

    • Send the Disconnect-ACK response to the RADIUS server if the user session is disconnected and all steps are successfully performed.

    • Send the Disconnect-NAK response to the RADIUS server if the user session is not found, or if the Network Access Server (NAS) cannot disconnect the session and discard the session context.

  • You can use the Change of Authorization command to dynamically change the VLAN assigned by the RADIUS server.

    If the RADIUS server issues a Change of Authorization command to the switch and the switch identifies a user (one who matches all attributes in the RADIUS server request) on a port on which RADIUS dynamic extensions commands are enabled, the switch performs the following actions:

    • If the Change of Authorization command specifies a valid VLAN ID for a port, the port is removed from the VLAN previously assigned by RADIUS and added to the VLAN specified in the request.

    • A CoA-ACK response is sent to the RADIUS server.

    • If the user session is not found or an error is encountered in processing the Change of Authorization command, then a CoA-NAK response is sent to the RADIUS server.

    • If the Change of Authorization request specifies a VLAN that is not port-based, a CoA-NAK response is sent to the RADIUS server.

  • You can dynamically initiate client re-authentication.

    Re-authentication requests can be made with either Change of Authorization or Disconnect packet IDs, but they must have the Re-authentication Request Vendor-Specific Attribute (VSA) set to True.

Dynamic session changes are directed to specific user sessions, as identified by RADIUS attributes.
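
As an added illustration (not part of this documentation or the switch software), the following Python models the NAS-side decisions described above: it verifies the RFC 5176 Request Authenticator before acting, matches a session only when every identifying attribute the server sent agrees, and answers Disconnect-ACK/NAK or CoA-ACK/NAK with an Error-Cause attribute. It assumes the requested VLAN arrives in Tunnel-Private-Group-ID (the RFC 3580 VLAN attribute), uses a constructed shared secret and session table, and does not model the re-authentication VSA because its vendor format is not given here.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the attribute types this demo uses
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44
TUNNEL_PRIVATE_GROUP_ID = 81         # VLAN ID carrier in RADIUS VLAN assignment (RFC 3580, assumed)
ERROR_CAUSE = 101                    # Error-Cause attribute returned inside NAK packets
SESSION_CONTEXT_NOT_FOUND, INVALID_ATTRIBUTE_VALUE = 503, 407

def build(code, ident, attrs, secret, req_auth=bytes(16)):
    # With req_auth = 16 zero octets the MD5 is the Request Authenticator; with the
    # request's own authenticator it is the Response Authenticator (RFC 5176 section 2.3).
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos + 2 <= length and pkt[pos + 1] >= 2:      # a malformed TLV stops the walk
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def handle(pkt, secret, sessions, port_based_vlans):
    """NAS side: sessions maps port -> {attr_type: value, 'vlan': id}; returns a response packet or None."""
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return None                                      # bad authenticator: silently discard
    code, ident, req_auth, attrs = parse(pkt)
    wanted = {t: v for t, v in attrs if t in (USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID)}
    # a session qualifies only if every identifying attribute in the request matches it
    ports = [p for p, s in sessions.items() if wanted and all(s.get(t) == v for t, v in wanted.items())]
    def reply(rcode, cause=None):
        extra = [(ERROR_CAUSE, struct.pack("!I", cause))] if cause else []
        return build(rcode, ident, extra, secret, req_auth)
    if len(ports) != 1:                                  # no (or ambiguous) session context
        return reply(DISCONNECT_NAK if code == DISCONNECT_REQUEST else COA_NAK, SESSION_CONTEXT_NOT_FOUND)
    port = ports[0]
    if code == DISCONNECT_REQUEST:
        del sessions[port]                               # remove all session context from the port
        return reply(DISCONNECT_ACK)
    vlan = next((v.decode() for t, v in attrs if t == TUNNEL_PRIVATE_GROUP_ID), "")
    if not vlan.isdigit() or int(vlan) not in port_based_vlans:
        return reply(COA_NAK, INVALID_ATTRIBUTE_VALUE)   # VLAN missing, invalid or not port-based
    sessions[port]["vlan"] = int(vlan)                   # move the port to the requested VLAN
    return reply(COA_ACK)
```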

To enable dynamic session changes, configure the following:
  • You must enable EAP or Endpoint Tracking globally and at the port level.

  • You must enable RADIUS dynamic extensions commands at the port level.

You can use the show radius dynamic-server statistics command to view statistics about dynamic session changes.

Switch:1#enable
Switch:1#show radius dynamic-server statistics

================================================================================
                 RADIUS Dynamic Authorization Global Statistics
================================================================================
Disconnects From Invalid Client Addresses:     0
CoAs From Invalid Client Addresses:            0
--------------------------------------------------------------------------------