Cisco Meraki Documentation

Change of Authorization with RADIUS (CoA) on MR Access Points

RADIUS CoA (Change of Authorization) is a feature that allows a RADIUS server to adjust an active client session. This article describes the use cases for CoA and the CoA messages that Cisco MR access points support. CoA is supported by several RADIUS vendors, including Cisco, Bradford, ForeScout, and PacketFence.

Use Cases

Change of Authorization is used to change client authorizations in the following use cases:

Reauthenticate RADIUS Clients

The Group Policy or VLAN of an existing client session on a WPA2-Enterprise network can be changed by using CoA to force the client to re-authenticate, at which point the new policy is assigned.


Disconnecting RADIUS Clients

For a client on a WPA2-Enterprise network, CoA enables administrators and RADIUS servers to 'kick off' a client device from the network. This will often force the client to re-authenticate, at which point a new policy is assigned.


Cisco ISE Device Posturing

For customers that use Cisco ISE as their identity management solution, Cisco ISE can profile a client when it joins the secure WPA2-Enterprise network and place the client on a quarantine VLAN. Once posturing is complete, Cisco ISE uses CoA to inform the AP that the client should be granted elevated network access.


Cisco ISE Central Web Authentication (CWA)

Customers may choose to use Cisco ISE as their guest management solution. Using MAC-based Authentication (MBA) on an open network, Cisco ISE can instruct the AP to redirect the client to the guest portal hosted on the Cisco ISE server. After the client satisfies the guest portal requirements, Cisco ISE instructs the AP via CoA to grant elevated network access.

CoA is not currently supported on Meraki MR access points operating in repeater mode. 

CoA Considerations and Requirements

The following considerations and requirements apply when using Change of Authorization to change client authorizations:


Supported Client IP assignment methods:

  • NAT mode, Bridge mode, Layer 3 Roaming, Layer 3 Roaming with a Concentrator*, VPN*

* These require a minimum firmware of MR 25.2 and MX 13.10.


Supported association requirement methods:

  • MAC-based access control
  • WPA2-Enterprise with RADIUS server


Change in CoA functionality from MR 25 to MR 26:

  • MR 25 - When the server sends a CoA request, the client is completely disassociated from its existing session. The client device has to initiate a new RADIUS session.
  • MR 26 - When the server sends a CoA request, the client is not disassociated from its RADIUS session. Instead, the AP sends a new EAP request to the client so that it reauthenticates.

Visibility of Username and account information: 

  • Supported for MAC-based authentication and WPA2-Enterprise with RADIUS authentication but not with Cisco ISE Central Web Authentication (CWA)


Cloud RADIUS proxy:

  • Cloud RADIUS proxy is not supported with CoA

Configuration

Enable RADIUS Configuration

In order for Cisco Meraki Access Points to honor and respond to CoA, the SSID's Access Control settings must be configured for MAC-based Authentication or WPA2-Enterprise. The shared secret must be the same as the RADIUS shared secret.

Enable Cisco ISE

For Cisco ISE servers, enable Cisco Identity Services Engine (ISE) Authentication. If enabled, Meraki devices will use the value of the RADIUS CiscoAVPair 'url-redirect' attribute sent in RADIUS Access-Accept messages to redirect clients to the Cisco ISE web portal for authentication.

[Screenshot: cisco ise.PNG]

Enable RADIUS CoA support 

For RADIUS servers other than Cisco ISE, enable CoA support under Wireless > Configure > Access control > RADIUS. With Cisco ISE, RADIUS CoA is automatically enabled. If enabled, Meraki devices act as a RADIUS Dynamic Authorization Server (CoA) and respond to RADIUS Disconnect and Change of Authorization messages sent by the RADIUS server.

[Screenshot: coa support.PNG]

Dynamic Authorization Port Settings

The access point's UDP Port for CoA must be reachable from your RADIUS server:

  • Port 1700 must be accessible for Cisco ISE
  • Port 3799 must be accessible for Bradford, ForeScout, PacketFence, or others

CoA Request

The CoA Request frame is a RADIUS code 43 frame. Cisco Meraki access points will honor the following attribute pairs within this frame:

  • Calling-Station-Id
  • Cisco AVPair
    • subscriber:command=reauthenticate
    • audit-session-id

The Cisco audit-session-id custom AVPair is used to identify the current client session that CoA is destined for. Meraki APs learn the session ID from the original RADIUS Access-request message that begins the client session.

If your deployment uses CoA, ensure that Cisco ISE is enabled even if ISE is not used; otherwise audit-session-id is not included and the CoA exchange may not work.

Below is an example frame for a CoA request asking the access point to reauthenticate a particular station. If successful, the access point responds with a CoA-ACK frame to the RADIUS server.

[Screenshot: Screen Shot 2015-06-05 at 5.46.11 PM.png]

Disconnect Request

The Disconnect Request frame is a RADIUS code 40 frame. Cisco Meraki access points will honor the following attribute pairs within this frame:

  • Cisco AVPair
    • audit-session-id
  • Calling-Station-Id

The Cisco audit-session-id custom AVPair is used to identify the current client session that the Disconnect request is destined for. Meraki APs learn the session ID from the original RADIUS Access-Request message that begins the client session. For this AVPair to be generated, the SSID must be configured with 'Enterprise' association requirements and Splash page set to '

Below is an example frame for a Disconnect request asking the access point to disconnect a particular station. If successful, the access point responds with a Disconnect-ACK frame destined for the RADIUS server.

[Screenshot: Screen Shot 2015-06-09 at 10.30.36 AM.png]
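The two frames described above (CoA-Request, code 43, and Disconnect-Request, code 40) follow the RFC 5176 packet format, and the screenshots cannot be run or inspected offline. The following Python example is added here to show both sides of the exchange in working code; it is not Meraki or Cisco code. It builds the requests with the attribute pairs the article lists (Calling-Station-Id plus the Cisco AVPairs subscriber:command=reauthenticate and audit-session-id inside a Vendor-Specific attribute), computes the Request Authenticator, and models what the AP does on receipt: verify the authenticator against the shared secret, look the audit-session-id up against its active sessions, and answer with an ACK or NAK whose Response Authenticator is bound to the request. The MAC address, session ID and shared secret are constructed sample values, the "audit-session-id=<value>" string form is an assumption, and the optional Message-Authenticator attribute is omitted.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 5176 (Dynamic Authorization Extensions).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_VENDOR_SPECIFIC = 26          # carries the Cisco AVPair
ATTR_CALLING_STATION_ID = 31       # client MAC address
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Vendor-Id 9 (Cisco), vendor type 1 (cisco-avpair)

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type | Length | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Wrap a Cisco AVPair string in a Vendor-Specific attribute."""
    value = text.encode()
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_data)

def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RADIUS server side: a CoA/Disconnect-Request with its Request Authenticator."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def build_coa_reauth(identifier: int, mac: str, session_id: str, secret: bytes) -> bytes:
    """CoA-Request (code 43) carrying the three attribute pairs the article lists."""
    attrs = (attr(ATTR_CALLING_STATION_ID, mac.encode())
             + cisco_avpair("subscriber:command=reauthenticate")
             + cisco_avpair("audit-session-id=" + session_id))  # "name=value" form is assumed
    return build_request(COA_REQUEST, identifier, attrs, secret)

def build_disconnect(identifier: int, mac: str, session_id: str, secret: bytes) -> bytes:
    """Disconnect-Request (code 40) identifying the session by MAC and audit-session-id."""
    attrs = (attr(ATTR_CALLING_STATION_ID, mac.encode())
             + cisco_avpair("audit-session-id=" + session_id))
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)

def parse(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("Length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, identifier, packet[4:20], attrs

def cisco_avpairs(attrs) -> list:
    """Return the Cisco AVPair strings found among parsed attributes."""
    pairs = []
    for atype, value in attrs:
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                pairs.append(value[6:4 + vlen].decode())
    return pairs

def verify_request(packet: bytes, secret: bytes) -> bool:
    """AP side: a CoA/Disconnect-Request is genuine only if its authenticator matches the secret."""
    code, _, authenticator, _ = parse(packet)
    if code not in (COA_REQUEST, DISCONNECT_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(authenticator, expected)

def build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """AP side: ACK/NAK whose Response Authenticator binds it to the request."""
    _, identifier, request_auth, _ = parse(request)
    header = struct.pack("!BBH", code, identifier, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Server side: match an ACK/NAK to the outstanding request by ID and authenticator."""
    _, rid, response_auth, _ = parse(response)
    _, qid, request_auth, _ = parse(request)
    if rid != qid:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(response_auth, expected)

def ap_handle(request: bytes, secret: bytes, active_sessions: set):
    """AP side: silently drop a request that fails authentication (RFC 5176 requires a
    discard, not a NAK); ACK a known audit-session-id, NAK an unknown one."""
    if not verify_request(request, secret):
        return None
    code, _, _, attrs = parse(request)
    session = next((p.split("=", 1)[1] for p in cisco_avpairs(attrs)
                    if p.startswith("audit-session-id=")), None)
    ok = session in active_sessions
    if code == COA_REQUEST:
        return build_response(COA_ACK if ok else COA_NAK, request, secret)
    return build_response(DISCONNECT_ACK if ok else DISCONNECT_NAK, request, secret)
```

The behaviour worth noticing is in ap_handle: a request whose authenticator does not match the shared secret gets no reply at all, which is why a shared-secret mismatch between the RADIUS server and the SSID shows up as a CoA timeout rather than a NAK, while a valid request for a session the AP never learned (for example because audit-session-id was not generated) is answered with a NAK.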

Roaming with CoA

CoA has a number of advantages and enables many new use cases, but SSIDs that require fast roaming should not use it. Fast roaming mechanisms such as PMKSA caching, OKC, and 802.11r are disabled on an SSID configured for CoA. Clients are forced to complete EAP on every association, which ensures that the RADIUS server sends the CoA to the correct access point.

CoA FAQ

Question: What is required for CoA?

MR 24.0 and MS 8.10 or higher are required for CoA with RADIUS. This firmware is not required for cloud-based CoA for Splash Sign-on.

Question: What is Central Web Authentication (CWA)?

Cisco ISE's terminology for a captive portal / splash page hosted on the Cisco ISE server.

Question: What is Local Web Authentication (LWA)?

Cisco ISE's terminology for Meraki Hosted Splash.


Question: What is Device Posturing?

Cisco ISE's terminology for a captive portal / splash page hosted on the Cisco ISE server that performs a NAC function, checking for antivirus software or other requirements.

Question: What is Network Supplicant Provisioning (NSP)?

A Cisco ISE splash page that configures user devices for 802.1X authentication with a Wi-Fi profile and certificate instead of MDM.

Question: What is BYOD?

BYOD stands for Bring Your Own Device and refers to people bringing their personal smartphones and even laptops to work.