Change of Authorization with RADIUS (CoA) on MS Switches
RADIUS CoA (Change of Authorization) is a feature that allows a RADIUS server to adjust an active client session. This article describes the use cases of CoA and the different CoA messages that Cisco MS switches support. CoA is supported by several RADIUS servers, including Cisco ISE and others.
If you do not see CoA support on your network, make sure to be on the latest firmware. If an update is not available, please contact Meraki Support.
Use Cases
Change of Authorization is used to change client authorizations in the following use cases:
- Reauthenticate RADIUS Clients
Changing the policy (VLAN, Group Policy ACL, Adaptive Policy Group) for an existing client session authenticated via Wired 802.1X or MAC Authentication Bypass (MAB) is possible using CoA. A reauthentication request will either send an EAPoL-Request to the 802.1X session, or will cause the switch to send a MAB request for the MAB session.
- Disconnecting RADIUS Clients
For a client authenticated via Wired 802.1X or MAB, CoA enables administrators and RADIUS servers to 'kick off' the client device from the network. This will often force the client to re-authenticate and be assigned a new policy.
- Port Bounce
Sending a Port Bounce CoA will cause the port to cycle. This can fix issues with sticky clients that have been profiled and whose VLAN needs to be changed. This is aggressive and will cause all devices behind the port to lose access temporarily.
PoE behaviour differs between Catalyst (MS390/C9300-M) and all other MS series switches as below.
Catalyst (MS390/C9300-M): Bounces PoE on the port. Powered devices will power down.
MS Series (All others): Does not bounce PoE on the port. Powered devices will not power down.
- URL Redirect Walled Garden (Supported on MS210/225/250/350/355/390**/410/420/425)
By default, URL redirect is enabled with CoA. This can be used to redirect clients to a webpage for authentication. Before authentication, HTTP traffic is allowed but the switch redirects it to the redirect URL. The walled garden can be used to limit access to the web server only. This feature will only be enabled if one or more supported switches are in the network. Configuration for this feature will be ignored by unsupported switches.
**NOTE: MS390s support RADIUS URL-Redirect as of MS15.
Configuration
Creating an Access Policy
Access policies contain the RADIUS host configuration information. You can configure multiple access policies and prioritize them by navigating to Switch > Configure > Access policies. After adding a new access policy, you will be prompted for the host IP address, port number, and shared secret as configured on the RADIUS server.
Enable RADIUS CoA support
Enabling RADIUS CoA support is done by enabling the feature in the drop-down menu, as shown below.
Dynamic Authorization Port Settings
The switch's UDP Port for CoA must be reachable from your RADIUS server:
- Port 1700 must be accessible for Cisco ISE
- Port 3799 must be accessible for many other vendors
CoA Reauthentication Request
The CoA Request frame is a RADIUS code 43 frame. Cisco Meraki switches require the following attribute pairs within this frame:
- Calling-Station-Id
- Cisco-AV-Pair
  - subscriber:command=reauthenticate
  - audit-session-id
The Cisco audit-session-id custom AVPair is used to identify the current client session that CoA is destined for. Meraki switches learn the session ID from the original RADIUS Access-Accept message that begins the client session.
The following is an example frame for a CoA request that subjects a particular station to reauthentication by the switch. If successful, the switch will respond with a CoA-ACK frame to the RADIUS server.
Disconnect Request
The Disconnect Request frame is a RADIUS code 40 frame. The Cisco Meraki switch will utilize the following attribute pairs within this frame:
- Cisco-AV-Pair
  - audit-session-id
- Calling-Station-Id
The Cisco audit-session-id custom AVPair is used to identify the current client session that CoA is destined for. Meraki switches learn the session ID from the original RADIUS Access-Accept message that begins the client session.
The following is an example frame for a Disconnect request that disconnects a particular station from the switch. If successful, the switch will respond with a Disconnect-ACK frame destined to the RADIUS server.
Port Bounce
The Port Bounce request is a RADIUS code 43 request. The Cisco Meraki switch will utilize the following attribute pairs within this frame:
- Cisco-AV-Pair
  - subscriber:command=bounce-host-port
- Calling-Station-Id
The following is an example of a Port Bounce for a particular client connected to a switch. If the switch is successful in bouncing the port, it will send a subsequent CoA-ACK back to the RADIUS server.
URL-Redirect
The URL-Redirect frame is a RADIUS code 2 (Access-Accept) frame. The Cisco Meraki switch will utilize the following attribute pairs within this frame:
- Cisco-AV-Pair
  - url-redirect
The following is an example frame for a URL-Redirect sent to a particular station authenticating through the switch.
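The four frames above (CoA reauthenticate, Disconnect, Port Bounce and the Access-Accept carrying url-redirect) share one wire format: a 20-byte RADIUS header followed by attributes, with the Cisco-AV-Pair values carried inside Vendor-Specific attribute 26 under Cisco's vendor ID 9. The Python below is an added example written for this article, not Meraki, Cisco or ISE code. It builds each frame with exactly the attribute pairs listed, computes the Request Authenticator as RFC 5176 specifies (and the Response Authenticator of RFC 2865 for the Access-Accept), and shows the check a receiving switch performs before acting: recompute the authenticator with the shared secret and only then look up the session by audit-session-id and Calling-Station-Id. The shared secret, MAC address, audit-session-id, URL and function names are all constructed placeholders.

```python
"""RADIUS CoA/Disconnect frames (RFC 5176) and an Access-Accept with url-redirect.
Added example; not Meraki/Cisco code. Secret, MAC, session ID and URL are constructed."""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2        # carries url-redirect after authentication
CODE_DISCONNECT_REQUEST = 40  # "kick off" a client
CODE_COA_REQUEST = 43         # reauthenticate / bounce-host-port
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_TYPE = 1         # Cisco-AV-Pair is vendor-type 1 under vendor 9

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1) Value; Length covers the header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Wrap 'name=value' text as a Cisco-AV-Pair inside a Vendor-Specific attribute."""
    raw = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR_TYPE, len(raw) + 2) + raw
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def build_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """CoA-Request / Disconnect-Request. RFC 5176 Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: recompute the Request Authenticator and compare in
    constant time. A wrong shared secret or any tampered attribute fails."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)

def parse_attributes(packet: bytes) -> list:
    """Return (name, value) pairs, unwrapping Cisco-AV-Pairs, so the receiver can
    locate the session by audit-session-id and Calling-Station-Id."""
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            vlen = value[5]                      # vendor-length covers type+len+string
            out.append(("Cisco-AV-Pair", value[6:4 + vlen].decode()))
        elif atype == ATTR_CALLING_STATION_ID:
            out.append(("Calling-Station-Id", value.decode()))
        else:
            out.append(("Attr-%d" % atype, value.hex()))
        pos += alen
    return out

def coa_reauthenticate(mac: str, session_id: str, secret: bytes, ident: int = 1) -> bytes:
    """CoA-Request (code 43) asking the switch to reauthenticate one session."""
    attrs = (attr(ATTR_CALLING_STATION_ID, mac.encode())
             + cisco_avpair("subscriber:command=reauthenticate")
             + cisco_avpair("audit-session-id=" + session_id))
    return build_request(CODE_COA_REQUEST, ident, attrs, secret)

def disconnect_request(mac: str, session_id: str, secret: bytes, ident: int = 2) -> bytes:
    """Disconnect-Request (code 40) removing one client from the network."""
    attrs = (cisco_avpair("audit-session-id=" + session_id)
             + attr(ATTR_CALLING_STATION_ID, mac.encode()))
    return build_request(CODE_DISCONNECT_REQUEST, ident, attrs, secret)

def coa_bounce_port(mac: str, secret: bytes, ident: int = 3) -> bytes:
    """CoA-Request (code 43) with bounce-host-port: cycles the whole port, so every
    device behind it loses access briefly (and PoE on Catalyst-based models)."""
    attrs = (cisco_avpair("subscriber:command=bounce-host-port")
             + attr(ATTR_CALLING_STATION_ID, mac.encode()))
    return build_request(CODE_COA_REQUEST, ident, attrs, secret)

def access_accept_url_redirect(request_auth: bytes, ident: int, url: str, secret: bytes) -> bytes:
    """Access-Accept (code 2) carrying url-redirect. RFC 2865 Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    attrs = cisco_avpair("url-redirect=" + url)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + authenticator + attrs
```

To use it, a RADIUS server would send the bytes returned by `coa_reauthenticate`, `disconnect_request` or `coa_bounce_port` in a UDP datagram to the switch's dynamic authorization port (1700 for Cisco ISE, 3799 for most other vendors) and wait for the CoA-ACK, Disconnect-ACK or the corresponding NAK; `access_accept_url_redirect` instead answers an Access-Request, so it takes that request's authenticator and identifier. The `verify_request` check is why the shared secret in the access policy must match the server's: any frame built with a different secret, or altered in transit, recomputes to a different authenticator and is silently dropped rather than acted on.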