
Change of Authorization with RADIUS (CoA) on MR Access Points

RADIUS CoA (Change of Authorization) is a feature that allows a RADIUS server to adjust an active client session. This article describes the use cases of CoA and the different CoA messages that Cisco MR access points support. CoA is supported by several RADIUS vendors including Cisco, Bradford, ForeScout, and PacketFence.

Use Cases

Change of Authorization is used to change client authorizations in the following use cases:


Reauthenticate RADIUS Clients

Changing the Group Policy or VLAN for an existing client session on a WPA2-Enterprise network is possible using CoA: the RADIUS server forces the client to re-authenticate, and the new policy is assigned during the new authentication.


Disconnecting RADIUS Clients

When disconnecting a client on a WPA2-Enterprise network, CoA enables administrators and RADIUS servers to 'kick off' a client device from the network. This will often force the client to re-authenticate, at which point a new policy can be assigned.


Cisco ISE Device Posturing

For customers that use Cisco ISE as their identity management solution, Cisco ISE can profile a client when it joins the secure WPA2-Enterprise network and place the client on a quarantine VLAN. Once posturing is complete, Cisco ISE uses CoA to inform the AP that the client should be granted elevated network access.


Cisco ISE Central Web Authentication (CWA)

Customers may choose to use Cisco ISE as their guest management solution. Using Mac Based Authentication (MBA) on an open network, Cisco ISE can instruct the AP to redirect the client to the guest portal hosted on the Cisco ISE server. After the client satisfies the guest portal requirements, Cisco ISE instructs the AP via CoA to grant elevated network access.

CoA is not currently supported on Meraki MR access points operating in repeater mode. 

Configuration

Enable RADIUS Configuration

In order for Cisco Meraki Access Points to honor and respond to CoA, the SSID's Access Control settings must be configured for Mac Based Auth or WPA2-Enterprise. The shared secret must be the same as the RADIUS shared secret.

Enable Cisco ISE

For Cisco ISE servers, enable Cisco Identity Services Engine (ISE) Authentication. If enabled, Meraki devices will use the value of the RADIUS CiscoAVPair 'url-redirect' attribute sent in RADIUS Access-Accept messages to redirect clients to the Cisco ISE web portal for authentication.

Enable RADIUS CoA support

For RADIUS servers other than Cisco ISE, enable CoA support. With Cisco ISE, RADIUS CoA is automatically enabled. If enabled, Meraki devices will act as a RADIUS Dynamic Authorization Server (CoA) and will respond to RADIUS Disconnect and Change of Authorization messages sent by the RADIUS server.

Dynamic Authorization Port Settings

The access point's UDP Port for CoA must be reachable from your RADIUS server:

  • Port 1700 must be accessible for Cisco ISE
  • Port 3799 must be accessible for Bradford, ForeScout, PacketFence, or others

CoA Request

The CoA Request frame is a RADIUS code 43 frame. The Cisco Meraki Access points will honor the following attribute pairs within this frame:

  • Calling-Station-Id
  • Cisco AVPair
    • subscriber:command=reauthenticate
    • audit-session-id

The Cisco audit-session-id custom AVPair is used to identify the current client session that CoA is destined for. Meraki APs learn the session ID from the original RADIUS access accept message that begins the client session. 


[Figure: example CoA-Request frame instructing the Access Point to reauthenticate a particular station.] If the request succeeds, the Access Point responds with a CoA-ACK frame to the RADIUS server.

Disconnect Request

The Disconnect Request frame is a RADIUS code 40 frame. The Cisco Meraki Access points will honor the following attribute pairs within this frame:

  • Cisco AVPair
    • audit-session-id
  • Calling-Station-Id

As with the CoA Request, the Cisco audit-session-id custom AVPair identifies the client session that the Disconnect Request is destined for; Meraki APs learn the session ID from the original RADIUS Access-Accept message that begins the client session.


[Figure: example Disconnect-Request frame for a particular station to be disconnected from the access point.] If the request succeeds, the Access Point responds with a Disconnect-ACK frame destined to the RADIUS server.
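The two frames described above (the code 43 CoA-Request with Calling-Station-Id, `subscriber:command=reauthenticate` and `audit-session-id`, and the code 40 Disconnect-Request with Calling-Station-Id and `audit-session-id`) as an added, self-contained example that is not part of the original article or Meraki's own code. It encodes each request per RFC 5176, computes the Request Authenticator from the shared secret, and shows the check a dynamic authorization server such as the AP performs before honoring a request; the secret, MAC address and session id are constructed placeholders.

```python
import hashlib
import hmac
import struct

COA_REQUEST, DISCONNECT_REQUEST = 43, 40   # RADIUS codes from RFC 5176
CALLING_STATION_ID = 31                    # standard attribute carrying the client MAC
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1  # VSA wrapping a Cisco-AVPair

def attr(atype, value):
    """Encode one standard RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text):
    """Encode a Cisco-AVPair string inside a Vendor-Specific attribute (vendor 9, type 1)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_request(code, identifier, secret, attributes):
    """RFC 5176: Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_request(packet, secret):
    """The AP's check as dynamic authorization server: recompute with its shared secret."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)

def parse_attributes(packet):
    """Return (type, value) pairs; Cisco-AVPairs are decoded to ('Cisco-AVPair', text)."""
    out, pos = [], 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:   # a length < 2 is malformed
        atype, alen = packet[pos], packet[pos + 1]
        val = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(val) > 5 and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
            out.append(("Cisco-AVPair", val[6:4 + val[5]].decode()))
        else:
            out.append((atype, val))
        pos += alen
    return out

# Constructed sample values (placeholder secret, MAC and session id, not from a real deployment).
SECRET, MAC = b"example-shared-secret", b"00-11-22-33-44-55"
SESSION = "audit-session-id=0a00000100000001aabbccdd"
REAUTH = build_request(COA_REQUEST, 1, SECRET, [attr(CALLING_STATION_ID, MAC),
    cisco_avpair("subscriber:command=reauthenticate"), cisco_avpair(SESSION)])
DISCONNECT = build_request(DISCONNECT_REQUEST, 2, SECRET,
                           [attr(CALLING_STATION_ID, MAC), cisco_avpair(SESSION)])
```

A request built with a secret that does not match the one configured on the SSID fails `verify_request`, which is why the article requires the CoA shared secret to equal the RADIUS shared secret.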

Roaming with CoA

CoA has a number of advantages and enables many new use cases, but SSIDs that require fast roaming should not use CoA. Fast roaming mechanisms such as PMKSA caching, OKC, and 802.11r are disabled on an SSID configured for CoA. Clients are forced to complete EAP on every association, which ensures that the RADIUS server sends the CoA to the correct Access Point.

Last modified
11:22, 4 Aug 2017
