Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11826
Views
21
Helpful
3
Replies

COA and ISE Clarification

Go to solution
gtuthill
Level 1
Level 1

‎10-03-2012 09:27 AM - edited ‎03-10-2019 07:37 PM

Can anyone clarify exactly what COA (Change of autorisation) is?

From my understanding ISE can do an initial authentication and authorization using configured policies but this is not considered COA.

If subsequently a posture check or profiling is carried out for this authenticated, authorized session and a new policy is applied to this existing session then this would be considered COA.

Hence COA is only achievable with an advanced license, due to posturing and profiling.

Many thanks.

Graham

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎10-03-2012 09:55 AM

Hi,

CoA is a feature which allows bidirection communication within the radius protocol. Before you had the scenario when clients connect to the network, the NAD intiates a radius authentication session, and then you either received an accept, or reject.

With CoA, after you receive the reject, or accept. You can now terminate an existing session, reauthenticate a user if their session information changes and match a different access policy (must like the example if a client moves from non compliant to compliant).

CoA, is not entirely used for the advanced license features. There are a few scenarios where CoA can be initiated, for example if an admin deletes any endpoint from the ISE database. ISE will then query its internal session cache to see if there is an active session and then will issue a CoA.

Thanks,

Tarik Admani
*Please rate helpful posts*

View solution in original post

3 Replies 3

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎10-03-2012 09:55 AM

Hi,

CoA is a feature which allows bidirection communication within the radius protocol. Before you had the scenario when clients connect to the network, the NAD intiates a radius authentication session, and then you either received an accept, or reject.

With CoA, after you receive the reject, or accept. You can now terminate an existing session, reauthenticate a user if their session information changes and match a different access policy (must like the example if a client moves from non compliant to compliant).

CoA, is not entirely used for the advanced license features. There are a few scenarios where CoA can be initiated, for example if an admin deletes any endpoint from the ISE database. ISE will then query its internal session cache to see if there is an active session and then will issue a CoA.

Thanks,

Tarik Admani
*Please rate helpful posts*

Go to solution
gtuthill
Level 1
Level 1
In response to Tarik Admani

‎10-03-2012 10:24 AM

Excellent, thanks for your speedy response.

0 Helpful

Go to solution
subodh_Chamoli
Level 1
Level 1
In response to Tarik Admani

‎06-18-2021 06:26 PM

Additionally, CoA is used to re-trigger the second authorization.

0 Helpful
Customers Also Viewed These Support Documents