Configure Cloud-Assisted Change of Authorization (CoA)

Configure Cloud-Assisted Change of Authorization (CoA) so that your RADIUS server can reauthorize clients on tunneled WLANs and change their network policy on demand through Mist Edge.

Benefits of CoA

CoA is a method by which a RADIUS server reauthorizes a given client and reassigns its network policy on demand (RFC 5176, Dynamic Authorization Extensions to RADIUS). Typical CoA use cases in the wireless world include:

  • MAC authentication (MAB): Reauthorize a guest user's session after captive portal authentication to allow internet access, or redirect the client back to the captive portal after the current guest session has timed out.

  • 802.1X: Reauthorize a corporate user's session after posture assessment of the client device completes, to permit unrestricted network access.

  • 802.1X/MAB: Reauthorize a client to move it to a quarantine policy/VLAN when a threat is detected from that client device.

Mist Edge relies on the Mist cloud to forward each CoA or Disconnect-Message (DM) to the right AP and client session.

High-Level Authentication Flow

  1. A client connects to a tunneled WLAN and enters a RADIUS username and password. Alternatively, you can configure the WLAN so that the client is authenticated by its MAC address.

  2. The Access-Request is passed through the Mist Edge RADIUS Proxy.

  3. After the Access-Challenge exchange completes successfully, the RADIUS server sends the first Access-Accept, which carries a redirect URL.

  4. The client is redirected to a portal to accept your terms and conditions.

  5. The RADIUS server sends a CoA request to Mist Edge to change the client's level of authorization.

  6. Mist Edge sends a CoA ACK in response.

  7. The RADIUS server and Mist Edge exchange a second round of Access-Request, Access-Challenge, and Access-Accept messages. This Access-Accept does not include a redirect URL.

The following example shows the flow of RADIUS messages between the RADIUS server (192.168.1.101) and the Mist Edge (192.168.1.100).

Figure 1: RADIUS Message Flow
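The exchange in steps 5 and 6, carried out by both ends, as an added Python example (this is illustration written for this page, not Mist or Juniper code, and it does not reproduce Mist Edge's implementation). The RADIUS server at 192.168.1.101 builds an RFC 5176 CoA-Request and a Mist Edge-style CoA/DM server checks it the way the CoA/DM Server settings later in this page require: the shared secret must authenticate the packet, the Event-Timestamp attribute is mandatory, and a stale or repeated request is discarded. The shared secret, the Acct-Session-Id, the policy names, and the use of Filter-Id to carry the new policy are assumptions made for the example; real deployments carry vendor-specific attributes instead.

```python
"""Added example (not Mist or Juniper code): an RFC 5176 CoA exchange with both ends.
The RADIUS server builds a CoA-Request; a Mist Edge-style CoA/DM server checks the
shared secret, enforces Event-Timestamp, and replies CoA-ACK or CoA-NAK."""
import hashlib
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, FILTER_ID, ACCT_SESSION_ID, EVENT_TIMESTAMP, ERROR_CAUSE = 1, 11, 44, 55, 101
MISSING_ATTRIBUTE, INVALID_ATTRIBUTE_VALUE, SESSION_CONTEXT_NOT_FOUND = 402, 407, 503
REPLAY_WINDOW = 300  # seconds of Event-Timestamp skew tolerated (RFC 5176 section 6.3)

def encode_attrs(attrs):
    """RADIUS TLV encoding: ints become 4-byte integers, str becomes UTF-8."""
    out = b""
    for t, v in attrs:
        v = struct.pack("!I", v) if isinstance(v, int) else v.encode() if isinstance(v, str) else v
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(header + 16 zero octets + attributes + secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body

def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(header + Request Authenticator + attributes + secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body

def verify_response(pkt, req_auth, secret):
    """The RADIUS server's check on the CoA-ACK/NAK it receives."""
    return hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest() == pkt[4:20]

class CoAServer:
    """Minimal CoA/DM server: a shared secret per allowed RADIUS server IP, sessions by Acct-Session-Id."""
    def __init__(self, clients, sessions):
        self.clients, self.sessions, self.seen = clients, sessions, set()

    def nak(self, ident, req_auth, cause, secret):
        return build_response(COA_NAK, ident, req_auth, [(ERROR_CAUSE, cause)], secret)

    def handle(self, pkt, src_ip, now):
        """Returns the reply bytes, or None where RFC 5176 says to discard silently."""
        secret = self.clients.get(src_ip)
        if secret is None or len(pkt) < 20:
            return None  # source is not a configured CoA/DM server
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        req_auth, body = pkt[4:20], pkt[20:]
        if code != COA_REQUEST or length != len(pkt):
            return None
        if hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest() != req_auth:
            return None  # wrong shared secret or tampered packet: MUST be discarded
        if (src_ip, req_auth) in self.seen:
            return None  # identical request seen before: replay
        self.seen.add((src_ip, req_auth))
        try:
            attrs = dict(decode_attrs(body))
        except ValueError:
            return None
        ts = attrs.get(EVENT_TIMESTAMP)
        if ts is None or len(ts) != 4:  # Event-Timestamp is mandatory here
            return self.nak(ident, req_auth, MISSING_ATTRIBUTE if ts is None else INVALID_ATTRIBUTE_VALUE, secret)
        if abs(struct.unpack("!I", ts)[0] - now) > REPLAY_WINDOW:
            return None  # stale timestamp: a captured request being replayed
        session = self.sessions.get(attrs.get(ACCT_SESSION_ID, b"").decode())
        policy = attrs.get(FILTER_ID)
        if session is None or policy is None:
            return self.nak(ident, req_auth, SESSION_CONTEXT_NOT_FOUND if session is None else MISSING_ATTRIBUTE, secret)
        session["policy"] = policy.decode()  # the reauthorization itself
        return build_response(COA_ACK, ident, req_auth, [], secret)

def demo(now=1_700_000_000):
    """Constructed walk-through of flow steps 5 and 6 (192.168.1.101 -> Mist Edge 192.168.1.100)."""
    secret = b"CoASharedSecret"  # assumed value of the Shared Secret entered under CoA/DM Server
    edge = CoAServer({"192.168.1.101": secret}, {"5f3a9c01": {"policy": "guest-redirect"}})
    base = [(USER_NAME, "guest@example.com"), (ACCT_SESSION_ID, "5f3a9c01"), (FILTER_ID, "guest-internet")]
    req = build_request(COA_REQUEST, 7, base + [(EVENT_TIMESTAMP, now)], secret)
    ack = edge.handle(req, "192.168.1.101", now)
    def send(ident, attrs, key=secret, at=now):
        return edge.handle(build_request(COA_REQUEST, ident, attrs, key), "192.168.1.101", at)
    return {
        "ack_code": ack[0],
        "ack_valid": verify_response(ack, req[4:20], secret),
        "policy": edge.sessions["5f3a9c01"]["policy"],
        "replay": edge.handle(req, "192.168.1.101", now + 10),          # same bytes sent again
        "stale": send(8, base + [(EVENT_TIMESTAMP, now - 900)]),        # outside the 300 s window
        "forged": send(9, base + [(EVENT_TIMESTAMP, now)], key=b"nope"),  # sender lacks the secret
        "no_timestamp": send(10, base),                                  # Event-Timestamp omitted
    }
```

Running demo() returns a CoA-ACK whose Response Authenticator verifies under the shared secret, and the session's policy moves from guest-redirect to guest-internet; the replayed, stale and forged requests are dropped without any reply, and the request without Event-Timestamp gets a CoA-NAK with Error-Cause 402 (Missing Attribute). Two practical points follow from this: the only thing protecting CoA on the wire is an MD5 keyed with the shared secret, so use a long random secret and restrict the CoA/DM server list to the exact RADIUS server addresses; and an Event-Timestamp window only works when the RADIUS server and Mist Edge both keep NTP-synchronized clocks.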

Firmware Requirements

Your access points need firmware version 0.14.29091 or later.

Configuration

To configure cloud-assisted CoA:

  1. Add the RADIUS and CoA servers.
    1. Go to the Mist Edge cluster or the site settings.
      • To go to the Mist Edge cluster—Select Mist Edges from the left menu, and then click the cluster. Then continue with the next step.

      • To go to the site settings—Select Organization > Site Configuration from the left menu, and select the site. Then continue with the next step.

    2. Under Radius Proxy, enter these settings:
      • Select Enabled.

      • Type—Select Proxy to External RADIUS Server.

      • RADIUS Authentication Servers—Click Add Server, enter the Hostname and Shared Secret, and then click the checkmark at the top of the New Server area. If needed, repeat for additional servers.

      • RADIUS Accounting Servers—Click Add Server, enter the Hostname and Shared Secret, and then click the checkmark at the top of the New Server area. If needed, repeat for additional servers.

      • Multi Server Mode—Select Failover.

      • Tunnel IP as Source—Select the check box if you want RADIUS requests to be sourced from the tunnel termination (Tunterm) IP address. Otherwise, they are sourced from the out-of-band (OOB) interface. Whichever address you choose is the one the RADIUS server must have registered as its RADIUS client (NAS) with the matching shared secret.

      RADIUS Server Settings
    3. Under CoA/DM Server, enter these settings:
      • Select Enabled.

      • Servers—Click Add Server, enter the IP Address and Shared Secret of a RADIUS server that will send CoA/DM requests, and then click the checkmark at the top of the New Server area. If needed, repeat for additional servers. Only requests from these addresses, authenticated with the matching shared secret, are accepted.

      • Event-Timestamp—Click Mandatory, so that CoA/DM requests that do not carry the Event-Timestamp attribute are rejected. RFC 5176 uses this attribute to limit replay of captured requests, so keep the clocks of the RADIUS server and Mist Edge synchronized.

      CoA/DM Server Settings
    4. Save the settings.
  2. Set up a WLAN that uses this CoA server for authentication.
    1. Create or edit a site WLAN or a WLAN template.
      • Site—Select Site > Wireless > WLANs from the left menu, and then select or add a WLAN.

      • WLAN template—Select Organization > Wireless > WLAN Templates from the left menu, select or create a template, and then select or add a WLAN.

    2. Under Security, select a supported configuration:
      • Open Access security type with MAC address authentication by RADIUS lookup

      • OWE security type with MAC address authentication by RADIUS lookup

      • OWE security type with MAC address authentication by RADIUS lookup and Enable OWE Transition

      • WPA2 with Enterprise (802.1x) and any of the available Fast Roaming options (Default, OKC, or .11r)

      • WPA3 with Enterprise (802.1x) and any of the available Fast Roaming options (Default, OKC, or .11r)

      • WPA3 with Enterprise (802.1x), Enable WPA3+WPA2 Transition, and any of the available Fast Roaming options (Default, OKC, or .11r)

      Note:

      If you are using MAC address authentication, enter the allowed subnets. For the hostnames, enter coa.local.

      MAC Address Authentication Example

    3. Under Authentication Servers, select Mist Edge Proxy and Enable CoA.
      Authentication Servers
    4. Under VLAN, select Tagged and enter the VLAN ID.
    5. Under Custom Forwarding, select the check box and then select the appropriate option for your Mist Edge:
      • If you have an organization-level Mist Edge, select Custom Forwarding to Mist and then select CoA-Tunnel below that.

        Custom Forwarding for Organization-Level Mist Edge
      • If you have a site-level Mist Edge, select Custom Forwarding to Site Edge.

        Custom Forwarding for Site-Level Mist Edge
    6. Save the WLAN settings.