
Change of Authorization with RADIUS (CoA) on MS Switches

RADIUS CoA (Change of Authorization) is a feature that allows a RADIUS server to adjust an active client session. This article describes the use cases of CoA and the different CoA messages that Cisco MS switches support. CoA is supported by several RADIUS vendors, including Cisco and Bradford.

If you do not see CoA support on your network, make sure you are on the latest firmware. If an update is not available, please contact Meraki Support.

Use Cases

Change of Authorization is used to change client authorizations in the following use cases:

  • Reauthenticate RADIUS Clients
    CoA can change the VLAN of an existing client session that was authenticated via Wired 802.1X or MAC Authentication Bypass (MAB). A port bounce forces the client to re-authenticate, and the new VLAN is assigned on the new session.
  • Disconnecting RADIUS Clients
    CoA enables administrators and RADIUS servers to 'kick off' a client device that was authenticated via Wired 802.1X or MAB. This will often force the client to re-authenticate, at which point a new policy can be assigned.

Configuration

Creating an Access Policy

Access policies contain the RADIUS host configuration information. You can configure multiple access policies and prioritize them by navigating to Switch > Configure > Access policies. After adding a new access policy, you will be prompted for the Host IP address, port number, and shared secret as configured on the RADIUS server.

Enable RADIUS CoA support 

Enabling RADIUS CoA support is as simple as selecting the option in the access policy's drop-down menu, as shown below.

Dynamic Authorization Port Settings

The switch's UDP Port for CoA must be reachable from your RADIUS server:

  • Port 1700 must be accessible for Cisco ISE
  • Port 3799 must be accessible for Bradford and other RADIUS servers

CoA Reauthentication Request

The CoA Request frame is a RADIUS code 43 frame. The Cisco Meraki switches will honor the following attribute pairs within this frame:

  • Calling-Station-Id
  • Cisco AVPair
    • subscriber:command=reauthenticate
    • audit-session-id

The Cisco audit-session-id custom AVPair is used to identify the current client session that the CoA request is destined for. Meraki switches learn the session ID from the original RADIUS Access-Accept message that begins the client session.


Below is an example frame of a CoA request directing the switch to reauthenticate a particular station. If the request succeeds, the switch responds to the RADIUS server with a CoA-ACK frame.


Disconnect Request

The Disconnect Request frame is a RADIUS code 40 frame. The Cisco Meraki switch will honor the following attribute pairs within this frame:

  • Cisco AVPair
    • audit-session-id
  • Calling-Station-Id

The Cisco audit-session-id custom AVPair is used to identify the current client session that the Disconnect request is destined for. Meraki switches learn the session ID from the original RADIUS Access-Accept message that begins the client session.


Below is an example frame of a Disconnect request directing the switch to disconnect a particular station. If the request succeeds, the switch responds to the RADIUS server with a Disconnect-ACK frame.
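The two request frames described on this page (CoA-Request, code 43, and Disconnect-Request, code 40) share the same wire format and the same RFC 5176 authenticator rules, so one added example covers both. The following Python is an illustration written for this article, not Meraki or Cisco code: it encodes the attribute pairs listed above (Calling-Station-Id and the Cisco AVPairs subscriber:command=reauthenticate and audit-session-id), computes the Request Authenticator the switch checks against the shared secret, builds the ACK/NAK a switch would return, and verifies the Response Authenticator on the RADIUS-server side. The MAC address, audit-session-id and shared secret are constructed sample values, and nothing is sent on the network; a real server would send the packet over UDP to port 1700 or 3799 as stated above.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 5176 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used on this page
CALLING_STATION_ID = 31
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # vendor type of "Cisco-AVPair"


def attr(attr_type, value):
    """Encode one attribute as Type | Length | Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value must be at most 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Wrap a Cisco AVPair string in a Vendor-Specific attribute (vendor 9, vendor type 1)."""
    data = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data
    return attr(VENDOR_SPECIFIC, vsa)


def build_request(code, identifier, attributes, secret):
    """Build a CoA-Request (43) or Disconnect-Request (40).

    Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret).
    """
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def verify_request(packet, secret):
    """Switch-side check: a request whose authenticator does not match the shared secret is dropped."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, attributes = packet[:4], packet[4:20], packet[20:]
    if header[0] not in (COA_REQUEST, DISCONNECT_REQUEST):
        return False
    expected = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return hmac.compare_digest(expected, received)


def build_response(code, request, attributes, secret):
    """Build the ACK/NAK the switch returns; its authenticator covers the Request Authenticator."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    authenticator = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + authenticator + attributes


def verify_response(request, response, secret):
    """Server-side check that an ACK/NAK answers our request and was built with the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, received, attributes = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return hmac.compare_digest(expected, received)


def parse_attributes(packet):
    """Return (type, value) pairs; Cisco AVPairs are unwrapped to ('Cisco-AVPair', text)."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + length]
        if (attr_type == VENDOR_SPECIFIC and len(value) >= 6
                and value[:4] == struct.pack("!I", CISCO_VENDOR_ID) and value[4] == CISCO_AVPAIR):
            out.append(("Cisco-AVPair", value[6:6 + value[5] - 2].decode()))
        else:
            out.append((attr_type, value))
        pos += length
    return out


# Constructed sample values: a made-up MAC address, audit-session-id and shared secret.
SECRET = b"example-shared-secret"
STATION = b"00-11-22-33-44-55"
SESSION_ID = "0A0A0A0A0000000100000001"


def reauth_request(identifier=1):
    """CoA-Request telling the switch to reauthenticate one station (first use case above)."""
    attributes = (attr(CALLING_STATION_ID, STATION)
                  + cisco_avpair("subscriber:command=reauthenticate")
                  + cisco_avpair("audit-session-id=" + SESSION_ID))
    return build_request(COA_REQUEST, identifier, attributes, SECRET)


def disconnect_request(identifier=2):
    """Disconnect-Request removing one station from the network (second use case above)."""
    attributes = attr(CALLING_STATION_ID, STATION) + cisco_avpair("audit-session-id=" + SESSION_ID)
    return build_request(DISCONNECT_REQUEST, identifier, attributes, SECRET)


if __name__ == "__main__":
    req = reauth_request()
    print("CoA-Request:", req.hex())
    print(parse_attributes(req))
```

The authenticator check is the point worth noticing from a defender's view: the only thing that stops an arbitrary host on the management network from bouncing or disconnecting clients is that the request must be built with the access policy's shared secret, so that secret deserves the same handling as the RADIUS authentication secret, and the dynamic-authorization port should be reachable only from the RADIUS server.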


Last modified
14:20, 3 Nov 2016


Article ID

ID: 5487
