You can disconnect an authenticated user on a port and remove all associated session context.
Notify the user of the disconnect by sending an 802.1x disconnect message to the client.
Remove all session context from the port.
Remove the port from the RADIUS-assigned VLAN, if applicable.
Send a Disconnect-ACK response to the RADIUS server if the user session is disconnected and all steps are performed successfully.
Send the Disconnect-NAK response to the RADIUS server if the user session is not found or if the Network Access Server (NAS) cannot disconnect the session and discard the session context.
You can use the Change of Authorization command to dynamically change the RADIUS-assigned VLAN.
If the RADIUS server issues a Change of Authorization command to the switch, and the switch identifies a user that satisfies all attributes of the RADIUS server request on a port where RADIUS dynamic extensions commands are enabled, the switch performs the following actions:
If the Change of Authorization command specifies a valid VLAN ID for a port, the port is removed from the VLAN specified by RADIUS and added to the VLAN specified in the request.
A CoA-ACK response is sent to the RADIUS server.
If the user session is not found or an error is encountered in processing the Change of Authorization command, then a CoA-NAK response is sent to the RADIUS server.
If the Change of Authorization request specifies a VLAN that is not port-based, a CoA-NAK response is sent to the RADIUS server.
You can dynamically initiate client re-authentication.
Re-authentication requests can be made with Change of Authorization or Disconnect packet IDs, but they must have the Re-authentication Request Vendor-Specific Attribute (VSA) set to True.
Dynamic session changes are directed to specific user sessions, as identified by RADIUS attributes.
You must enable EAP or Endpoint Tracking globally and at the port level.
You must enable RADIUS dynamic extensions commands at the port level.
You can use the show radius dynamic-server statistics command to view statistics about dynamic session changes.
Switch:1#enable
Switch:1#show radius dynamic-server statistics
================================================================================
                 RADIUS Dynamic Authorization Global Statistics
================================================================================
Disconnects From Invalid Client Addresses: 0
CoAs From Invalid Client Addresses: 0
--------------------------------------------------------------------------------
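The ACK/NAK decisions and the invalid-client counters described above can be modeled as follows. This is an added example, not the switch's own code. It assumes the RFC 5176 packet codes and Request Authenticator, that requests from unconfigured addresses or with a bad authenticator are silently dropped, and that a session is identified by User-Name plus Calling-Station-Id; the function names and the stats keys are hypothetical, and VLAN processing for CoA is omitted.

```python
import hashlib, hmac, struct

# RFC 5176 packet codes; ACK = request + 1, NAK = request + 2
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
USER_NAME, CALLING_STATION_ID = 1, 31  # attributes assumed to identify the session

def authenticator(packet, secret):
    """MD5 over the packet with the 16-byte authenticator field zeroed, then the secret."""
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()

def build_request(code, ident, attrs, secret):
    """Encode and sign a request as a RADIUS server would (for constructed test input)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body
    return pkt[:4] + authenticator(pkt, secret) + body

def parse_attrs(body):
    """Decode type-length-value attributes, rejecting lengths that overrun the packet."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs

def handle(packet, src_ip, clients, sessions, stats):
    """Return the response code to send, or None when the packet is silently dropped."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return None
    secret = clients.get(src_ip)
    if secret is None:  # sender is not a configured dynamic-authorization client
        stats["disconnect_invalid" if code == DISCONNECT_REQUEST else "coa_invalid"] += 1
        return None
    if not hmac.compare_digest(authenticator(packet, secret), packet[4:20]):
        return None  # forged or wrong-secret request
    try:
        attrs = parse_attrs(packet[20:])
    except ValueError:
        return code + 2  # error while processing the request
    key = (attrs.get(USER_NAME), attrs.get(CALLING_STATION_ID))
    if key not in sessions:
        return code + 2  # Disconnect-NAK / CoA-NAK: session not found
    if code == DISCONNECT_REQUEST:
        del sessions[key]  # discard session context before acknowledging
    return code + 1  # Disconnect-ACK / CoA-ACK
```

Here `clients` maps a permitted RADIUS server address to its shared secret, and `sessions` is keyed by the (User-Name, Calling-Station-Id) byte strings.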