Need help with CoA and Radius

Upshot001
Level 1

I am going through a 2-year degree course for Network Design and Administration and I have an internship with the city I live in. I have been tasked to reconfigure over 150 layer 3 switches (all Cisco and ranging from 2960, 3560 to 3850 [the 3850s are new and will have an initial config when this is done]) from TACACS+ to RADIUS. The gentleman I work under has given me only one parameter: make it work. He wants me to do my own research and then configure both a 3560 and a 3850 in a lab environment first and then troubleshoot.

I have a couple of questions...

1) In the manual for the 3560 on page 10-37 under the CoA heading it says "... This procedure is required". Does that mean if I am using RADIUS I have to use CoA, or is it if I use some of the other options such as VSA I have to use it? Also, I have read the geek speak for what CoA is, but this may be a stupid question: can someone put it in a language an intermediate person can understand and explain why I would want to do this and whether it is a best practice?

2) Any words of wisdom about do's and don'ts for this process?

3 Replies

Amjad Abdullah
VIP Alumni

David,

What I understand is that you have switches that are configured for TACACS+ and you want to change that to a RADIUS server instead. Is that correct?

Now, when a user (a user that connects to the switchport) or an admin (an admin that remotely logs in to the device) authenticates, the AAA server can be configured to send some attributes along with the successful authentication message (those attributes can include, for example, a session timeout value that overrides the session timeout configured on the device itself).

Now, CoA allows you to send the attributes to the user or admin after s/he is authenticated, not only with the successful authentication message.

There might be special configuration steps for the different types of switches that you have; better to stick with the config guide for each device.

If you still have questions, please feel free to ask.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"


Okay, that makes sense as far as it goes, but help my addled brain... why would I want to send attributes to the user or admin after the authentication? It sounds redundant, since it is done at the time of the authentication.

Good question.

And the answer depends on the requirements of an environment.

One example can be mentioned in the following scenario

A user has access to specific devices (devices A) in the network only during business hours, while it has access to other devices (devices B) 24/7.

If a user logs in to a device in group A just before the end of the business day, the user will be able to keep the session active after business hours until s/he exits or the session times out.

Now, you can change the authorization at the end of the business day so that the user's session loses access to the group A devices and keeps only access to group B.

Another example: you allow all users on your network to have internet-only access, but allow only a specific group to connect to the internal network. When a user authenticates, you allow it directly into VLAN X, which gives the user internet access only. Now, if the user is authorized and is a member of the internal group, you send a CoA message to the user to change its connection to VLAN Y, which has access to both the internal network and the internet.

Hope it clears the picture a bit.

Amjad

Rating useful replies is more useful than saying "Thank you"
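The second scenario above (a session authenticated into an internet-only VLAN and later moved to an internal VLAN by a CoA message) is what the RFC 5176 exchange looks like on the wire. The following is an added example, not code from this thread or from Cisco: a RADIUS server builds a signed CoA-Request carrying the RFC 2868 VLAN attributes, and a simulated switch verifies it before touching the session and answers CoA-ACK or CoA-NAK. The shared secret, session ID, user name and VLAN numbers are constructed sample values; the switch here is a Python stand-in for the IOS listener that `aaa server radius dynamic-author` enables, not IOS code. The security point it shows is that the switch accepts a CoA only if both the Request Authenticator and the Message-Authenticator validate under the per-client server key, so the request is dropped when it is built with the wrong key or altered in transit; the flip side is that anyone who holds that key and can reach the CoA port can disconnect or re-VLAN any session, so the `client` entries and the key deserve the same care as the RADIUS secret itself.

```python
"""RFC 5176 Change-of-Authorization exchange with a simulated switch (added example)."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45                  # RFC 5176 packet codes
USER_NAME, ACCT_SESSION_ID = 1, 44                          # attributes that identify the session
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 VLAN assignment
MESSAGE_AUTHENTICATOR = 80                                  # RFC 3579 HMAC-MD5 attribute
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def avp(atype, value):
    """Encode one Type-Length-Value attribute; Length counts the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(value, tag=0):
    """RFC 2868 tagged integer: one tag octet (0 = untagged) plus a 3-octet value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def parse_attrs(body):
    """Split the attribute region into (type, value) pairs; reject malformed lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def build_coa_request(secret, ident, attrs):
    """RADIUS server side: a CoA-Request signed with the shared secret."""
    body = b"".join(attrs) + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    # Message-Authenticator: HMAC-MD5 over the packet with the Authenticator field and
    # the attribute's own value zeroed, then written into the attribute.
    ma = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = b"".join(attrs) + avp(MESSAGE_AUTHENTICATOR, ma)
    # Request Authenticator = MD5(Code+Id+Length+16 zero octets+attributes+secret) (RFC 5176 s3).
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def verify_coa_request(secret, packet):
    """Switch side: both the Request Authenticator and Message-Authenticator must check out."""
    if len(packet) < 20 or packet[0] != COA_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    try:
        attrs = parse_attrs(body)
    except ValueError:
        return False
    if not hmac.compare_digest(hashlib.md5(header + bytes(16) + body + secret).digest(), req_auth):
        return False
    mas = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0]) != 16:
        return False                                        # unsigned CoA is refused outright
    zeroed = b"".join(avp(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    ma = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(ma, mas[0])


def switch_handle_coa(secret, sessions, packet):
    """Simulated switch: drop unauthenticated requests, else apply the VLAN and ACK, or NAK."""
    if not verify_coa_request(secret, packet):
        return None, None                                   # RFC 5176: silently discard
    ident, req_auth = packet[1], packet[4:20]
    attrs = dict(parse_attrs(packet[20:]))
    session = sessions.get(attrs.get(ACCT_SESSION_ID, b"").decode())
    code = COA_NAK
    if session is not None and attrs.get(TUNNEL_TYPE) == tagged_int(TUNNEL_TYPE_VLAN) \
            and TUNNEL_PRIVATE_GROUP_ID in attrs:
        session["vlan"] = attrs[TUNNEL_PRIVATE_GROUP_ID][1:].decode()   # strip the tag octet
        code = COA_ACK
    header = struct.pack("!BBH", code, ident, 20)
    # Response Authenticator = MD5(Code+Id+Length+RequestAuth+attributes+secret).
    return code, header + hashlib.md5(header + req_auth + secret).digest()


def verify_coa_response(secret, request, response):
    """Server side: accept the ACK/NAK only if it was built from our request and the secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def demo():
    """Constructed walk-through: alice starts in the internet-only VLAN 100 and is moved to 200."""
    secret = b"constructed-shared-secret"                   # sample server key, not a real one
    sessions = {"0000001A": {"user": "alice", "vlan": "100"}}
    move_alice = [avp(USER_NAME, b"alice"), avp(ACCT_SESSION_ID, b"0000001A"),
                  avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN)),
                  avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_802)),
                  avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00200")]
    good = build_coa_request(secret, 7, move_alice)
    ack, reply = switch_handle_coa(secret, sessions, good)
    forged = build_coa_request(b"wrong-secret", 8, move_alice)      # sender without the key
    tampered = bytearray(good)
    tampered[20 + sum(map(len, move_alice[:-1])) + 3] ^= 1          # first digit of the VLAN id
    unknown = build_coa_request(secret, 9, [avp(ACCT_SESSION_ID, b"00000FFF")] + move_alice[2:])
    return {"ack": ack, "reply_ok": verify_coa_response(secret, good, reply),
            "vlan": sessions["0000001A"]["vlan"],
            "forged": switch_handle_coa(secret, sessions, forged)[0],
            "tampered": switch_handle_coa(secret, sessions, bytes(tampered))[0],
            "unknown_session": switch_handle_coa(secret, sessions, unknown)[0]}


print(demo())
```

Running it moves alice to VLAN 200 and returns CoA-ACK (44) with a response the server can verify, while the request built with the wrong key and the one with a modified VLAN octet are both discarded without any reply, and the request naming a session the switch does not have is answered with CoA-NAK (45). Real deployments identify the session with whatever the switch reported in accounting (Acct-Session-Id, Calling-Station-Id, Framed-IP-Address); the session key used here is a constructed stand-in.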