Skip to main content
Cisco Meraki Documentation

Change of Authorization with RADIUS (CoA) on MS Switches

RADIUS CoA (Change of Authorization) is a feature that allows a RADIUS server to adjust an active client session. This article describes the use cases of CoA and the different CoA messages that Cisco MS switches support. CoA is supported by several RADIUS vendors including Cisco ISE, and others.

If you do not see CoA support on your network, make sure to be on the latest firmware.  If an update is not available, please contact Meraki Support.

Use Cases

Change of Authorization is used to change client authorizations in the following use cases:

  • Reauthenticate RADIUS Clients
    Changing the policy (VLAN, Group Policy ACL, Adaptive Policy Group) for an existing client session when authenticated via Wired 802.1x or MAC Authentication Bypass (MAB) is possible using CoA.  A reauthentication request will either send an EAPoL-Request to the 802.1X session, or will cause the switch to send a MAB request for the MAB session.  
  • Disconnecting RADIUS Clients
    Disconnecting a client authenticated via Wired 802.1x or MAB, CoA enables administrators and RADIUS servers to 'kick off' a client device from the network. This will often force a client to re-authenticate and assign a new policy. 
  • Port Bounce
    Sending a Port Bounce CoA will cause the port to cycle. This can fix issues with sticky clients that have been profiled and the VLAN needs to be changed. This is aggressive and will cause all devices behind the port to lose access temporarily including power cycling PoE devices. 
  • URL Redirect Walled Garden (Supported on MS210/225/250/350/355/390**/410/420/425)
    By default, URL redirect is enabled with CoA.  This can be used to redirect clients to a webpage for authentication.  Before authentication, http traffic is allowed but the switch redirects it to the redirect-url.  The walled garden can be used to limit access to the web server only.  This feature will only be enabled if one or more supported switches are in the network.  Configurations on this feature will be ignored by unsupported switches.

**NOTE: MS390s support RADIUS URL-Redirect as of MS15 

Configuration

Creating an Access Policy

Access policies contain the RADIUS host configuration information. You can configure multiple access policies and prioritize them by navigation to Switch > Configure > Access policies.  After adding a new access policy, you will then be prompted for the Host IP address, port number, and shared secret as configured on the RADIUS server.

Enable RADIUS CoA support 

Enabling RADIUS CoA support is done by enabling the feature in the drop-down menu, as shown below.

 

CoA_dashboard_enable.png

Dynamic Authorization Port Settings

The switch's UDP Port for CoA must be reachable from your RADIUS server:

  • Port 1700 must be accessible for Cisco ISE
  • Port 3799 must be accessible for many other vendors

CoA Reauthentication Request

The CoA Request frame is a RADIUS code 43 frame. Cisco Meraki switches require the following attribute pairs within this frame:

  • Calling-Station-ID
  • Cisco-AV-Pair
    • subscriber:command=reauthenticate
    • audit-session-id

The Cisco audit-session-id custom AVPair is used to identify the current client session that CoA is destined for. Meraki switches learn the session ID from the original RADIUS access accept message that begins the client session. 

An example frame for a CoA request for a particular station to be subjected to a reauthentication by the switch. If successful the switch will respond with a CoA-ACK frame to the RADIUS server. 

 

Screen Shot 2015-06-05 at 5.46.11 PM.png

 

Disconnect Request

The Disconnect Request frame is a RADIUS code 40 frame. The Cisco Meraki switch will utilize the following attribute pairs within this frame:

  • Cisco-AV-Pair
    • audit-session-id
  • Calling-Station-Id

The Cisco audit-session-id custom AVPair is used to identify the current client session that CoA is destined for. Meraki switches learn the session ID from the original RADIUS access accept message that begins the client session. 

 

An example frame for a Disconnect request for a particular station disconnected from the switch. If successfully the switch will respond with a Disconnect-ACK frame destined to the RADIUS server. 

 

Screen Shot 2015-06-09 at 10.30.36 AM.png

Port Bounce

The Port Bounce request is a RADIUS code 43 request. The Cisco Meraki switch will utilize the following attribute pairs within this frame:

  • Cisco-AV-Pair
    • subscriber:command=bounce-host-port
  • Calling-Station-Id

An Example of a Port Bounce for a particular client connected to a switch. If the switch is successful in bouncing the port there will be a subsequent CoA-ACK sent back to the RADIUS server. 

clipboard_ed740c005f1a53b240bd8bfa15113ab55.png

URL-Redirect

The URL-Redirect frame is a RADIUS code 2 frame. The Cisco Meraki switch will utilize the following attribute pairs within this frame:

  • Cisco-AV-Pair
    • url-redirect

An example frame for a URL-Redirect request for a particular station authenticating from the switch. 

image.png

  • Was this article helpful?