COA and ISE Clarification

gtuthill
Level 1

Can anyone clarify exactly what COA (Change of Authorisation) is?

From my understanding, ISE can do an initial authentication and authorization using configured policies, but this is not considered COA.

If subsequently a posture check or profiling is carried out for this authenticated, authorized session and a new policy is applied to this existing session, then this would be considered COA.

Hence COA is only achievable with an advanced license, due to posturing and profiling.

Many thanks.

Graham


Tarik Admani
VIP Alumni

Hi,

CoA is a feature which allows bidirectional communication within the RADIUS protocol. Before, you had the scenario where clients connect to the network, the NAD initiates a RADIUS authentication session, and then you either received an accept or a reject.

With CoA, after you receive the reject or accept, you can now terminate an existing session, or reauthenticate a user if their session information changes and match a different access policy (much like the example of a client moving from non-compliant to compliant).

CoA is not used only for the advanced license features. There are a few scenarios where CoA can be initiated; for example, if an admin deletes any endpoint from the ISE database, ISE will then query its internal session cache to see if there is an active session and then will issue a CoA.

Thanks,

Tarik Admani
*Please rate helpful posts*

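As an added worked example (not code from the thread, from Cisco, or from ISE), here is the RFC 5176 exchange that the answer above describes, with both sides in-process and no network I/O: the RADIUS server builds a Disconnect-Request that tears down an existing session, the NAD checks the Request Authenticator and the Message-Authenticator under the shared secret before acting, and answers Disconnect-ACK or Disconnect-NAK with Error-Cause 503 (Session Context Not Found), which the server verifies in turn. The shared secret, session id, username and MAC are constructed sample values, and the function names are mine; the attribute numbers and the authenticator constructions are the ones RFC 2865/2866/2869 and RFC 5176 define.

```python
"""Worked RADIUS Dynamic Authorization exchange (RFC 5176), both sides in-process:
the RADIUS server (ISE in the thread's terms) sends a Disconnect-Request to tear
down an existing session, the NAD validates it and replies Disconnect-ACK or
Disconnect-NAK, and the server verifies the reply. Standard library only."""
import hashlib
import hmac
import os
import struct

# RFC 5176 packet codes
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types: RFC 2865/2866 (1, 31, 44), RFC 2869 (80), RFC 5176 (101)
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 1, 31, 44, 80, 101
SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause value from RFC 5176
ZERO16 = bytes(16)


def tlv(attr_type, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def zeroed_body(attrs):
    """Attribute bytes with the Message-Authenticator value replaced by 16 zero octets."""
    return b"".join(tlv(t, ZERO16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)


def sign(code, identifier, attrs, secret, auth_field):
    """Build a packet. auth_field is 16 zero octets for a request and the request's own
    Request Authenticator for a response. Message-Authenticator = HMAC-MD5(secret, packet)
    with that field and its own value zeroed; the packet Authenticator is then
    MD5(Code|ID|Length|auth_field|Attributes|Secret), as RFC 2866 does for Accounting-Request."""
    attrs = [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR] + [(MESSAGE_AUTHENTICATOR, ZERO16)]
    header = struct.pack("!BBH", code, identifier, 20 + sum(len(v) + 2 for _, v in attrs))
    ma = hmac.new(secret, header + auth_field + zeroed_body(attrs), hashlib.md5).digest()
    body = zeroed_body(attrs[:-1]) + tlv(MESSAGE_AUTHENTICATOR, ma)
    authenticator = hashlib.md5(header + auth_field + body + secret).digest()
    return header + authenticator + body


def verify(packet, secret, auth_field):
    """Check both authenticators; returns (code, identifier, attrs) or raises ValueError."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad length")
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + auth_field + body + secret).digest(), authenticator):
        raise ValueError("authenticator mismatch: wrong shared secret or tampered packet")
    attrs = parse_attrs(body)
    ma = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    expected = hmac.new(secret, header + auth_field + zeroed_body(attrs), hashlib.md5).digest()
    if len(ma) != 1 or not hmac.compare_digest(expected, ma[0]):
        raise ValueError("Message-Authenticator missing or invalid")
    return header[0], header[1], attrs


def disconnect_exchange(secret, session_id, username, mac, nad_sessions):
    """Server tears down one session; the NAD ACKs if it knows the session, NAKs otherwise.
    Returns the response code the server sees after verifying the reply."""
    request = sign(DISCONNECT_REQUEST, os.urandom(1)[0], [
        (USER_NAME, username.encode()),
        (CALLING_STATION_ID, mac.encode()),
        (ACCT_SESSION_ID, session_id.encode()),
    ], secret, ZERO16)
    # --- NAD side: validate first, then act on the session named in the request ---
    code, identifier, attrs = verify(request, secret, ZERO16)
    sid = dict(attrs).get(ACCT_SESSION_ID, b"").decode()
    if code == DISCONNECT_REQUEST and sid in nad_sessions:
        nad_sessions.remove(sid)
        response = sign(DISCONNECT_ACK, identifier, [], secret, request[4:20])
    else:
        error = struct.pack("!I", SESSION_CONTEXT_NOT_FOUND)
        response = sign(DISCONNECT_NAK, identifier, [(ERROR_CAUSE, error)], secret, request[4:20])
    # --- back on the server: the reply must be bound to our Request Authenticator ---
    resp_code, resp_id, _ = verify(response, secret, request[4:20])
    if resp_id != identifier:
        raise ValueError("reply identifier does not match request")
    return resp_code


def request_accepted(packet, secret):
    """True if a NAD holding `secret` would accept `packet` as a genuine request."""
    try:
        verify(packet, secret, ZERO16)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value, not a real secret
    sessions = {"0000002A"}               # constructed NAD session table keyed by Acct-Session-Id
    print(disconnect_exchange(secret, "0000002A", "alice", "00-11-22-33-44-55", sessions))  # 41 (ACK)
    print(disconnect_exchange(secret, "0000002A", "alice", "00-11-22-33-44-55", sessions))  # 42 (NAK)
```

A CoA-Request (code 43) is built the same way with the new authorization attributes in place of a disconnect; Cisco's reauthenticate and port-bounce forms carry those instructions in a Cisco-AVPair vendor-specific attribute (RADIUS attribute 26, vendor 9), which is not shown here. RFC 5176 assigns UDP port 3799 to the dynamic-authorization listener, while Cisco IOS `aaa server radius dynamic-author` defaults to 1700, and the NAD silently discards requests from any source it has no client entry and shared secret for. Because the only protection on the wire is MD5 keyed with that shared secret, the CoA port should be reachable from the ISE nodes only.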


Excellent, thanks for your speedy response.

Additionally, CoA is used to re-trigger the second authorization.