CoA Deactivate Service Command
The CoA deactivate service command can be used to deactivate a service template on a session. The AAA
server sends the request in a standard CoA-Request message using the following VSAs:
Cisco:Avpair="subscriber:command=deactivate-service"
Cisco:Avpair="subscriber:service-name=<service-name>"
Because this command is session-oriented, it must be accompanied by one or more of the session identification
attributes described in the Session Identification section below. If the device cannot locate a session, it returns
a CoA-NAK message with the "Session Context Not Found" error-code attribute. If the device locates a session,
it initiates a deactivate template operation for the hosting port and a CoA-ACK is returned. If deactivating
the template fails, a CoA-NAK message is returned with the Error-Code attribute set to the appropriate message.
If the device fails before returning a CoA-ACK to the client, the process is repeated on the new active device
when the request is re-sent from the client. If the device fails after returning a CoA-ACK message to the client
but before the operation is complete, the operation is restarted on the new active device.
Session Identification
For disconnect and CoA requests targeted at a particular session, the device locates the session based on one
or more of the following attributes:
• Acct-Session-Id (IETF attribute #44)
• Audit-Session-Id (Cisco VSA)
• Calling-Station-Id (IETF attribute #31, which contains the host MAC address)
• IPv6 Attributes, which can be one of the following:
  • Framed-IPv6-Prefix (IETF attribute #97) and Framed-Interface-Id (IETF attribute #96), which
    together create a full IPv6 address per RFC 3162
  • Framed-IPv6-Address
• Plain IP Address (IETF attribute #8)
If more than one session identification attribute is included in the message, all of the attributes must match
the session or the device returns a Disconnect-NAK or CoA-NAK with the error code "Invalid Attribute
Value."
For CoA requests targeted at a particular enforcement policy, the device returns a CoA-NAK with the error
code "Invalid Attribute Value" if any of the above session identification attributes are included in the message.
CoA Request: Disable Host Port
The RADIUS server CoA disable port command administratively shuts down the authentication port that is
hosting a session, resulting in session termination. This command is useful when a host is known to cause
problems on the network and network access needs to be immediately blocked for the host. To restore network
access on the port, reenable it using a non-RADIUS mechanism. This command is carried in a standard
CoA-Request message that has this new vendor-specific attribute (VSA):
Cisco:Avpair="subscriber:command=disable-host-port"
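The session lookup and reply rules described in the sections above can be modelled in a few lines, which is useful when writing test cases for a AAA integration. This is an added example, not code from the guide or from the device software.
Assumptions: the request is a plain dict keyed by attribute name with the VSAs under a "Cisco-AVPair" key, handle_coa and parse_avpairs are hypothetical names, values are compared as exact strings, Error-Cause numbers are taken from RFC 5176, and the Missing Attribute reply and the accepted policy request are guesses for cases the text does not spell out.

```python
# Added example: models the reply rules from the text; it is not device code.
# Error-Cause numbers come from RFC 5176. All session data is constructed.
MISSING_ATTRIBUTE = 402          # assumption: the page names no error for this case
INVALID_ATTRIBUTE_VALUE = 407
SESSION_CONTEXT_NOT_FOUND = 503

# Attribute #8 ("Plain IP Address" in the text) is Framed-IP-Address.
SESSION_ID_ATTRS = (
    "Acct-Session-Id", "Audit-Session-Id", "Calling-Station-Id",
    "Framed-IPv6-Prefix", "Framed-Interface-Id", "Framed-IPv6-Address",
    "Framed-IP-Address",
)

SESSIONS = [  # constructed session table
    {"Acct-Session-Id": "0000001A",
     "Audit-Session-Id": "C0000201000000190001F2C3",
     "Calling-Station-Id": "00-11-22-33-44-55",
     "Framed-IP-Address": "192.0.2.10"},
]


def parse_avpairs(avpairs):
    """Turn 'subscriber:key=value' Cisco AVPair strings into {key: value}."""
    parsed = {}
    for pair in avpairs:
        name, _, value = pair.partition("=")
        parsed[name.split(":", 1)[-1]] = value
    return parsed


def handle_coa(request, sessions, policy_targeted=False):
    """Return (reply, error_cause) for a CoA-Request given as a dict."""
    supplied = {k: request[k] for k in SESSION_ID_ATTRS if k in request}
    if policy_targeted:
        # Policy-targeted requests must not carry session identifiers.
        # Assumption: a request without them is accepted.
        return ("CoA-NAK", INVALID_ATTRIBUTE_VALUE) if supplied else ("CoA-ACK", None)
    command = parse_avpairs(request.get("Cisco-AVPair", []))
    if not supplied or (command.get("command") == "deactivate-service"
                        and "service-name" not in command):
        return ("CoA-NAK", MISSING_ATTRIBUTE)
    partial = False
    for session in sessions:
        hits = [session.get(k) == v for k, v in supplied.items()]
        if all(hits):
            return ("CoA-ACK", None)  # model assumes the port operation succeeds
        partial = partial or any(hits)
    # Some identifiers matched a session but not all: Invalid Attribute Value.
    cause = INVALID_ATTRIBUTE_VALUE if partial else SESSION_CONTEXT_NOT_FOUND
    return ("CoA-NAK", cause)
```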
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
Information About RADIUS Change-of-Authorization