
Change of Authorization with RADIUS (CoA) on MS Switches

RADIUS CoA (Change of Authorization) is a feature that allows a RADIUS server to adjust an active client session. This article describes the use cases of CoA and the different CoA messages that Cisco Meraki MS switches support. CoA is supported by several RADIUS vendors, including Cisco and Bradford.

If you do not see CoA support on your network, make sure your switches are running the latest firmware. If an update is not available, please contact Meraki Support.

Use Cases

Change of Authorization is used to change client authorizations in the following use cases:

  • Reauthenticate RADIUS Clients
    CoA can change the VLAN of an existing client session that was authenticated via Wired 802.1X or MAC Authentication Bypass (MAB). A port bounce forces the client to re-authenticate, and the new VLAN is assigned on that re-authentication.
  • Disconnecting RADIUS Clients
    For a client authenticated via Wired 802.1X or MAB, CoA enables administrators and RADIUS servers to 'kick off' the client device from the network. This will often force the client to re-authenticate and be assigned a new policy.
  • URL Redirect Walled Garden (Supported on MS210/225/250/350/410/420/425)
    By default, URL redirect is enabled with CoA. This can be used to redirect clients to a webpage for authentication. Before authentication, the client will have access to all HTTP resources; the walled garden can be used to limit access to the web server only. This feature will only be enabled if one or more supported switches are in the network, and unsupported switches will ignore the configuration.

Configuration

Creating an Access Policy

Access policies contain the RADIUS host configuration information. You can configure multiple access policies and prioritize them by navigating to Switch > Configure > Access policies. After adding a new access policy, you will be prompted for the Host IP address, port number, and shared secret as configured on the RADIUS server.

Enable RADIUS CoA support 

Enabling RADIUS CoA support is as easy as enabling the feature in the drop-down menu, as shown below.

Dynamic Authorization Port Settings

The switch's UDP Port for CoA must be reachable from your RADIUS server:

  • Port 1700 must be accessible for Cisco ISE
  • Port 3799 must be accessible for Bradford, or others

CoA Reauthentication Request

The CoA Request frame is a RADIUS code 43 frame. Cisco Meraki switches require the following attribute pairs within this frame:

  • Calling-Station-Id
  • Cisco-AVPair
    • subscriber:command=reauthenticate
    • audit-session-id

The Cisco audit-session-id custom AVPair is used to identify the current client session that CoA is destined for. Meraki switches learn the session ID from the original RADIUS access accept message that begins the client session. 

Below is an example frame for a CoA request asking the switch to reauthenticate a particular station. If successful, the switch will respond with a CoA-ACK frame to the RADIUS server.


Disconnect Request

The Disconnect Request frame is a RADIUS code 40 frame. The Cisco Meraki switch will honor the following attribute pairs within this frame:

  • Cisco-AVPair
    • audit-session-id
  • Calling-Station-Id

As with the reauthentication request, the Cisco audit-session-id custom AVPair identifies the client session that the Disconnect Request is destined for. Meraki switches learn the session ID from the original RADIUS Access-Accept message that begins the client session.


Below is an example frame for a Disconnect Request asking the switch to disconnect a particular station. If successful, the switch will respond with a Disconnect-ACK frame destined to the RADIUS server.


URL-Redirect

The URL-Redirect frame is a RADIUS code 2 (Access-Accept) frame. The Cisco Meraki switch will honor the following attribute pairs within this frame:

  • Cisco-AVPair
    • url-redirect


Below is an example frame for a URL-Redirect request sent for a particular station authenticating through the switch.
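The three frames described in this article share one encoding: a RADIUS header, an authenticator, and a list of attributes in which the Cisco-specific values travel as Cisco-AVPair strings inside a Vendor-Specific attribute. The following Python is an added example (not Meraki's or Cisco's code) that builds the CoA-Request (code 43), the Disconnect-Request (code 40) and the Access-Accept carrying url-redirect (code 2) with the attribute pairs listed above, computes the authenticator each frame carries per RFC 5176 and RFC 2865, and shows the check a receiving switch performs with the shared secret before honoring the frame. The MAC address, audit-session-id, redirect URL and shared secret are constructed sample values, and the function names are this example's own.

```python
"""RADIUS CoA / Disconnect / Access-Accept frames (RFC 2865, RFC 5176).

Added example, not Meraki's or Cisco's code.  MAC, session ID, URL and
secret used with it are constructed sample values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1           # vendor type 1 under vendor 9 is Cisco-AVPair
NO_PRIOR_AUTH = bytes(16)  # RFC 5176 s2.3: requests hash 16 zero octets here


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865 s5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """A Cisco-AVPair string wrapped in a Vendor-Specific attribute (RFC 2865 s5.26)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_packet(code: int, identifier: int, secret: bytes, attrs: bytes,
                 prior_auth: bytes = NO_PRIOR_AUTH) -> bytes:
    """Authenticator = MD5(Code + ID + Length + prior_auth + Attributes + Secret).
    prior_auth is 16 zero octets for CoA/Disconnect requests (RFC 5176 s2.3) and
    the matching Access-Request's authenticator for an Access-Accept (RFC 2865 s3)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + prior_auth + attrs + secret).digest()
    return header + auth + attrs


def coa_reauthenticate(identifier: int, secret: bytes, mac: str, session_id: str) -> bytes:
    """CoA-Request with the pairs the article lists for reauthentication."""
    attrs = (attribute(ATTR_CALLING_STATION_ID, mac.encode())
             + cisco_avpair("subscriber:command=reauthenticate")
             + cisco_avpair(f"audit-session-id={session_id}"))
    return build_packet(COA_REQUEST, identifier, secret, attrs)


def disconnect(identifier: int, secret: bytes, mac: str, session_id: str) -> bytes:
    """Disconnect-Request identifying the session by Calling-Station-Id and audit-session-id."""
    attrs = (attribute(ATTR_CALLING_STATION_ID, mac.encode())
             + cisco_avpair(f"audit-session-id={session_id}"))
    return build_packet(DISCONNECT_REQUEST, identifier, secret, attrs)


def access_accept_redirect(identifier: int, secret: bytes, request_auth: bytes, url: str) -> bytes:
    """Access-Accept carrying url-redirect; request_auth is the Access-Request's authenticator."""
    return build_packet(ACCESS_ACCEPT, identifier, secret, cisco_avpair(f"url-redirect={url}"), request_auth)


def parse_packet(packet: bytes, secret: bytes, prior_auth: bytes = NO_PRIOR_AUTH) -> dict:
    """Receiver side: check framing, verify the authenticator with the shared secret,
    then extract Calling-Station-Id and the Cisco-AVPairs as a key/value dict.
    Raises ValueError for a malformed or unauthenticated frame."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length mismatch")
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + prior_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, auth):  # constant-time compare
        raise ValueError("bad authenticator: wrong shared secret or altered frame")
    info = {"code": code, "identifier": identifier, "avpairs": {}}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        atype, alen = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + alen]
        if atype == ATTR_CALLING_STATION_ID:
            info["calling_station_id"] = value.decode()
        elif (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6
              and value[:4] == struct.pack("!I", CISCO_VENDOR_ID)):
            vtype, vlen = value[4], value[5]
            if vtype == CISCO_AVPAIR and vlen == len(value) - 4:
                key, _, val = value[6:].decode().partition("=")
                info["avpairs"][key] = val
        pos += alen
    return info


def is_authentic(packet: bytes, secret: bytes, prior_auth: bytes = NO_PRIOR_AUTH) -> bool:
    """True only if parse_packet accepts the frame under this secret."""
    try:
        parse_packet(packet, secret, prior_auth)
        return True
    except ValueError:
        return False
```

Two points worth noting from the receiver side. A CoA or Disconnect request is accepted only when the MD5 over the frame and the shared secret matches, so the secret configured in the access policy is the whole of what stops an unauthorized host that can reach UDP 1700 or 3799 from tearing down sessions; the same check fails closed on a frame altered in transit. The url-redirect value rides in an Access-Accept, whose authenticator is bound to the Access-Request it answers, which is why `parse_packet` needs that request's authenticator for code 2 but 16 zero octets for codes 40 and 43.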


Article ID: 5487