Change of Authorization with RADIUS (CoA) on MR Access Points
RADIUS CoA (Change of Authorization) is a feature that allows a RADIUS server to adjust an active client session. This article describes the use cases of CoA and the different CoA messages that Cisco MR access points Support. CoA is supported by several RADIUS vendors including Cisco, Bradford, ForeScout, and PacketFence.
Use Cases
Change of Authorization is used to change client authorizations in the following use cases:
Reauthenticate RADIUS Clients
Changing the Group Policy or VLAN for an existing client session using a WPA2-Enterprise network is possible using CoA to force the client to re-authenticate and assign the new policy. CoA Reauthentication.
Disconnecting RADIUS Clients
Disconnecting an client on a WPA2-Enterprise network, CoA enables administrators and RADIUS servers to 'kick off' a client device from the network. This will often force a client to re-authenticate and assign a new policy.
For customers that use Cisco ISE for the identity management solution, Cisco ISE can profile a client when they join the secure WPA2-Enterprise network, place the client on a quarantine VLAN. Then using CoA, Cisco ISE can inform the AP when the posturing is completed to grant elevated network access.
Cisco ISE Central Web Authentication (CWA)
Customers may choose to use Cisco ISE as their guest management solution. Using MAC-based Authentication (MBA) on a open network, Cisco ISE can instruct the AP to redirect the client to the guest portal hosted on the Cisco ISE server. After the client satisfies the guest portal requirements, Cisco ISE will instruct the AP using CoA to grant elevated network access.
CoA is not currently supported on Meraki MR access points operating in repeater mode.
CoA Considerations and Requirements
These are the considerations and requirements that need to be made when using Change of Authorization to change client authorizations:
Supported Client IP assignment methods:
- NAT mode, Bridge mode, Layer 3 Roaming, Layer 3 Roaming with a Concentrator*, VPN*
* These require a minimum firmware of MR 25.2, and MX 13.10
Supported association requirement methods:
- MAC-based access control
- WPA2-Enterprise with RADIUS server
Change in CoA functionality from MR 25 to MR 26:
- MR 25 - When the server sends a CoA request, the client is completely disassociated from its existing session. The client device has to initiate a new RADIUS session
- MR 26 - When the server sends a CoA request, the client is not completely disassociated from its RADIUS session. Instead, the AP sends a new EAP request to the client to reauthenticate
Visibility of Username and account information:
- Supported for MAC-based authentication and WPA2-Enterprise with RADIUS authentication but not with Cisco ISE Central Web Authentication (CWA)
Cloud RADIUS proxy:
- Cloud RADIUS proxy is not supported with CoA
Configuration
Enable RADIUS Configuration
In order for Cisco Meraki Access Points to honor and respond to CoA, the SSID's Access Control settings must be configured for MAC-based Authentication or WPA2-Enterprise. The shared secret must be the same as the RADIUS shared secret.
Enable Cisco ISE
For Cisco ISE servers, enable Cisco Identity Services Engine (ISE) Authentication. If enabled, Meraki devices will use the value of the RADIUS CiscoAVPair 'url-redirect' attribute sent in RADIUS Access-Accept messages to redirect clients to the Cisco ISE web portal for authentication.
Enable RADIUS CoA support
For RADIUS servers other than Cisco ISE, enable CoA support under Wireless > Configure > Access control > RADIUS. With Cisco ISE, RADIUS CoA is automatically enabled. If enabled, Meraki devices will act as a RADIUS Dynamic Authorization Server (CoA) and will respond to RADIUS Disconnect and Change of Authorization messages sent by the RADIUS server.
Dynamic Authorization Port Settings
The access point's UDP Port for CoA must be reachable from your RADIUS server:
- Port 1700 must be accessible for Cisco ISE
- Port 3799 must be accessible for Bradford, ForeScout, PacketFence, or others
CoA Request
The CoA Request frame is a RADIUS code 43 frame. The Cisco Meraki Access points will honor the following attribute pairs within this frame:
- Calling-Station-ID
- Cisco AVPair
- subscriber:command=reauthenticate
- audit-session-id
The Cisco audit-session-id custom AVPair is used to identify the current client session that CoA is destined for. Meraki APs learn the session ID from the original RADIUS Access-request message that begins the client session.
If your deployment uses CoA ensure you enable Cisco ISE even if ISE is not used, otherwise audit-session-id is not included and the CoA exchange may not work.
An example frame for a CoA request for a particular station to be subjected to a reauthenticated by the Access Point. If successful the Access Point will respond with a CoA-ACK frame to the RADIUS server.
Disconnect Request
The Disconnect Request frame is a RADIUS code 40 frame. The Cisco Meraki Access points will honor the following attribute pairs within this frame:
- Cisco AVPair
- audit-session-id
- Calling-Station-Id
The Cisco audit-session-id custom AVPair is used to identify the current client session that CoA is destined for. Meraki APs learn the session ID from the original RADIUS Access-request message that begins the client session, for this AVPair to be generated, the SSID must be configured with 'Enterprise' association requirements and Splash page set to '
An example frame for a Disconnect request for a particular station disconnected from the access point. If successfully the Access Point will respond with a Disconnect-ACK frame destined to the RADIUS server.
Roaming with CoA
There are a number of advantages to CoA and it enables many new use cases. SSIDs that require fast roaming should not use CoA. Fast roaming mechanisms like PMKsa, OKC, and 802.11r will be disabled on the SSID that is configured for CoA. Clients are forced to complete EAP on every association which ensures that the RADIUS server will send the CoA to the correct Access Point.
CoA FAQ
Question: What is required for CoA?
MR 24.0 and MS 8.10 or higher are necessary for the CoA for RADIUS. This firmware is not required for Cloud-based CoA for Splash Sign-on.
Question: What is Central Web Authentication (CWA)?
Cisco ISE's terminology for captive portal / splash page hosted on Cisco ISE server.
Question: What is Local Web Authentication (LWA)?
Cisco ISE's terminology for Meraki Hosted Splash.
Question: What is Device Posturing?
Cisco ISE's terminology for captive portal / splash page hosted on Cisco ISE server that performs a NAC function checking for AV or other things.
Question: What is Network Supplicant Provisioning (NSP)?
Cisco ISE splash page that configures user devices for 802.1X authentication with a WiFi profile and certificate instead of MDM.
Question: What is BYOD?
BYOD stands for Bring Your Own Device and refers to the concept of people bringing their personal Smartphones and even Laptops to work.