Configure Cloud-Assisted Change of Authorization (CoA)
Configure Cloud-Assisted Change of Authorization (CoA) to authenticate clients.
Benefits of CoA
CoA is a method of on-demand reauthorization and network policy reassignment of a given client from a RADIUS server (RFC). Typical CoA use cases in the wireless world include:
- MacAuth: Reauthorize a client session for a guest user after captive portal authentication to allow internet access, or redirect a client back to the captive portal after the current guest session has timed out.
- 802.1X: Reauthorize a client session for a corporate user after posture assessment has been completed on the client device to permit unrestricted network access.
- 802.1X/MAB: Reauthorize a client to move it to a quarantine policy/VLAN when a threat is detected from that client device.
Mist Edge uses the Mist cloud’s help to redirect the CoA/DM to the right AP/client.
High-Level Authentication Flow
A client connects to a tunneled WLAN and inputs their RADIUS username and password. Or, you can configure it so that the client connects via MAC address authentication.
The Access-Request is passed through the Mist Edge RADIUS proxy.
When the Access-Challenge is verified, the RADIUS server sends the first Access-Accept with a redirect URL.
The client is redirected to a portal to accept your terms and conditions.
The RADIUS server sends a CoA request to change the level of authorization.
Mist Edge sends a CoA Ack response.
The RADIUS server and Mist Edge exchange an additional round of Access-Request, Access-Challenge, and Access-Accept messages. The Access-Accept will not have a redirect URL.
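Each CoA-Request and CoA-ACK in this flow carries an authenticator derived from the RADIUS shared secret. The following is an added example (not Mist or Juniper code) of how a CoA receiver can validate the Request Authenticator defined in RFC 5176 before acting on a request, and how it then builds the CoA-ACK; the shared secret, packet identifier and attribute values are constructed.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK = 43, 44            # RFC 5176 packet codes
SECRET = b"constructed-shared-secret"    # constructed value, not from the page
# Constructed attributes: User-Name (1) and Calling-Station-Id (31).
SAMPLE_ATTRS = [(1, b"guest01"), (31, b"AA-BB-CC-DD-EE-FF")]

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def _digest(code, ident, length, auth_field, attrs, secret):
    """MD5(Code | Identifier | Length | 16-byte field | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + auth_field + attrs + secret).digest()

def build_coa_request(ident, attrs, secret):
    """Server side: the Request Authenticator is computed over 16 zero bytes."""
    body = encode_attrs(attrs)
    length = 20 + len(body)
    auth = _digest(COA_REQUEST, ident, length, bytes(16), body, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, length) + auth + body

def verify_coa_request(packet, secret):
    """Receiver side: drop truncated, mis-typed or unauthenticated requests."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or not 20 <= length <= len(packet):
        return False
    expected = _digest(code, ident, length, bytes(16), packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])

def build_coa_ack(request, secret):
    """Receiver side: the Response Authenticator covers the request's authenticator."""
    ident, req_auth = request[1], request[4:20]
    auth = _digest(COA_ACK, ident, 20, req_auth, b"", secret)
    return struct.pack("!BBH", COA_ACK, ident, 20) + auth

if __name__ == "__main__":
    req = build_coa_request(7, SAMPLE_ATTRS, SECRET)
    print("request accepted:", verify_coa_request(req, SECRET))
    print("wrong secret accepted:", verify_coa_request(req, b"other-secret"))
    print("CoA-ACK:", build_coa_ack(req, SECRET).hex())
```

A request whose attributes were altered in transit, or that was built with a different secret, fails `verify_coa_request` and should be dropped without changing the client's session.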
The following example shows the flow of RADIUS messages between the RADIUS server (192.168.1.101) and the Mist Edge (192.168.1.100).
Firmware Requirements
Your access points need firmware version 0.14.29091 or later.
Configuration
To configure cloud-assisted CoA:
- Add the RADIUS and CoA servers.
- Set up a WLAN that uses this CoA server for authentication.