ISE || Confusion about change of authorization

SMD28316
Level 1
I am trying to understand CoA. When I choose the type to be reauth, how would it be triggered?

From my understanding, the device (say an IP phone from a specific vendor) is authenticated for the first time, it won't be profiled yet, so ISE needs to re-auth the device a second time to profile it successfully and get it to hit on the correct authorization policy role based on its type. But how does that happen? What do I need to do to trigger this reauth?

Accepted Solutions

Hi @SMD28316 ,

CoA is the only communication that is initiated by the Authentication Server (ISE) to the Authenticator (NAD); it's critical for Profiling and Posture.

For a better understanding of what triggers CoA, please take a look at the following table: Change of Authorization Issued for Each Type of CoA Configuration.

 

Hope this helps !!!

2 Replies

GI Alex
Cisco Employee

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_asset_visibility.html?bookSearch=true#ID586

 

 

Change of Authorization Issued for Each Type of CoA Configuration

Table 47. Change of Authorization Issued for Each Type of CoA Configuration

| Scenarios | No CoA Configuration | Port Bounce Configuration | Reauth Configuration | Additional Information |
|---|---|---|---|---|
| Global CoA configuration in Cisco ISE (typical configuration) | No CoA | Port Bounce | Reauthentication | |
| An endpoint is disconnected on your network | No CoA | No CoA | No CoA | Change of authorization is determined by the RADIUS attribute Acct-Status-Type value Stop. |
| Wired with multiple active sessions on the same switch port | No CoA | Reauthentication | Reauthentication | Reauthentication avoids disconnecting other sessions. |
| Wireless endpoint | No CoA | Packet-of-Disconnect CoA (Terminate Session) | Reauthentication | Support to Wireless LAN Controller. |
| Incomplete CoA data | No CoA | No CoA | No CoA | Due to missing RADIUS attributes. |

Kind regards,
Alex