Solved: Re: Change from one static endpoint group to another cause CoA?

ciscosteve84 · ‎03-13-2017

Will switching an endpoint from one static endpoint group to another static endpoint group result in a CoA? If so, is this covered under the base license?

Craig Hyps · ‎03-14-2017

In general, no it will not unless the change results in Authorization Policy change. This would be triggered by the default Profiler Exception Actions. Plus is required for Profiling, but it is possible to trigger CoA without a Plus license, for example, as part of a guest flow, or sent via API to MnT.

View solution in original post

Craig Hyps · ‎03-14-2017

In general, no it will not unless the change results in Authorization Policy change. This would be triggered by the default Profiler Exception Actions. Plus is required for Profiling, but it is possible to trigger CoA without a Plus license, for example, as part of a guest flow, or sent via API to MnT.

ciscosteve84 · ‎03-14-2017

Thanks for the response. The static endpoint group change does result in an AuthZ change. After doing some testing we've found that we can apply a temp plus license, change the CoA type action to reauth/port bounce and then delete the plus license and the CoA will still work. However, the customer said that after a reboot the CoA no longer worked until they re-added the temp plus license. I am going to test that today but I'm unsure as to why that would be.

Craig Hyps · ‎03-14-2017

CoA is not a binary function. It can be triggered by many different functions. As noted, the specific case which is trigger in your case is likely profiling which is activated with Plus license and lost if remove Plus license and reboot. If customer wants this functionality, then would it not make sense to purchase some Plus licenses?

ciscosteve84 · ‎03-14-2017

Understood. I just wanted to make sure purchasing a plus license was the way to go for them. Thanks for the help!