10-03-2012 09:27 AM - edited 03-10-2019 07:37 PM
Can anyone clarify exactly what COA (Change of authorisation) is?
From my understanding ISE can do an initial authentication and authorization using configured policies but this is not considered COA.
If subsequently a posture check or profiling is carried out for this authenticated, authorized session and a new policy is applied to this existing session then this would be considered COA.
Hence COA is only achievable with an advanced license, due to posturing and profiling.
Many thanks.
Graham
10-03-2012 09:55 AM
Hi,
CoA is a feature which allows bidirectional communication within the RADIUS protocol. Before, you had the scenario where clients connect to the network, the NAD initiates a RADIUS authentication session, and then you either received an accept or a reject.
With CoA, after you receive the reject or accept, you can now terminate an existing session, reauthenticate a user if their session information changes and match a different access policy (much like the example if a client moves from non-compliant to compliant).
CoA is not entirely used for the advanced license features. There are a few scenarios where CoA can be initiated, for example if an admin deletes any endpoint from the ISE database. ISE will then query its internal session cache to see if there is an active session and then will issue a CoA.
Thanks,
Tarik Admani
*Please rate helpful posts*
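Added example, not part of any post in this thread and not Cisco code: because CoA lets the RADIUS server send unsolicited requests to the NAD, the NAD has to authenticate each one before acting on it. The sketch below does that check for RFC 5176 Disconnect-Request (code 40) and CoA-Request (code 43) packets; the function names, shared secret, user name and session ID are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RFC 5176 request codes a NAD accepts from the RADIUS server
CODES = {40: "Disconnect-Request", 43: "CoA-Request"}
SECRET = b"constructed-shared-secret"  # constructed sample value

def build_request(code, ident, attrs, secret):
    """Server side, used here only to produce sample input for the check."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Request Authenticator = MD5(code|id|length|16 zero octets|attrs|secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def validate_request(packet, secret):
    """NAD side: return (request name, attributes) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES:
        raise ValueError("not a CoA or Disconnect request")
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]  # octets beyond the length field are padding
    received, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(received, expected):
        raise ValueError("bad Request Authenticator")
    attrs, i = [], 0
    while i < len(body):
        # each attribute is type(1) | length(1) | value(length - 2)
        if len(body) - i < 2 or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return CODES[code], attrs

# Constructed sample: terminate the session identified by
# User-Name (type 1) and Acct-Session-Id (type 44).
SAMPLE = build_request(40, 7, [(1, b"graham"), (44, b"0A0000010000002A")], SECRET)

if __name__ == "__main__":
    print(validate_request(SAMPLE, SECRET))
```

A packet that fails this check should be dropped without changing the session, since anyone able to reach the NAD's CoA listener could otherwise disconnect or reauthorize users.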
10-03-2012 10:24 AM
Excellent, thanks for your speedy response.
06-18-2021 06:26 PM
Additionally, CoA is used to re-trigger the second authorization.