Change of Authorization (CoA)

SUMMARY Explore the benefits of adding a Change of Authorization (CoA) server to your WLAN.

With Change of Authorization (CoA), defined in RFC 5176 (Dynamic Authorization Extensions to RADIUS), you can modify authorized RADIUS sessions after initial authentication to meet changing access requirements. For example, CoA enables administrator-initiated session resets that terminate sessions, and it can grant updated access to users after they successfully complete guest registration.

Benefits of Change of Authorization (CoA) in RADIUS

  • Enhances control over active user sessions: By allowing the RADIUS server to send unsolicited messages to the NAS, CoA gives you the ability to modify session characteristics after initial authentication. This enhanced control can be used to terminate or re-authorize user sessions as required.

  • Overcomes limitations of standard RADIUS protocol: The standard RADIUS protocol only allows messages to be initiated by the NAS. CoA extends this functionality, providing a more flexible and dynamic approach to session management.

  • Streamlines Network Administration: The Disconnect Message feature of CoA allows for efficient session resets. This not only saves time and resources, but also simplifies administrative duties.

  • Facilitates Guest Access Management: The CoA Re-Auth Message feature can be utilized to grant full network access after a guest user registers through a captive portal, making the process of managing guest access smoother and more effective.

  • Supports Vendor-Specific Attributes: CoA's compatibility with vendor-specific attributes enables effective interoperation between the RADIUS server and NAS devices when sending CoA messages. This contributes to a seamless and efficient network operation.

Overview

When you implement the Change of Authorization (CoA) feature in your RADIUS environment, you empower the RADIUS server to actively send unsolicited messages to the Network Access Server (NAS) to modify session characteristics after the initial authentication process. This proactive approach addresses the limitations of the standard RADIUS protocol, which traditionally permits only the NAS to initiate messages.

In the CoA functionality, there are two primary message types that you can leverage:

  • Disconnect Message: This message type terminates a user session. The Disconnect-Request carries the Acct-Terminate-Cause attribute, which records why the session ended; for an administrator-initiated reset the value is Admin-Reset. The NAS answers with a Disconnect-ACK if it tore the session down, or a Disconnect-NAK if it could not (for example because no matching session exists).

  • CoA Re-Auth Message: This message type prompts the NAS to re-authorize a session. In scenarios like Guest Access, this is particularly useful when a guest user completes registration through a captive portal, and consequently, the network grants them full access. To convey the re-authorize command effectively, the message employs vendor-specific attributes.

To ensure seamless interoperability between the RADIUS server and NAS devices, you might need to enable support for specific vendor attributes. Two further points apply to any CoA deployment: the request must carry attributes that identify the session (User-Name, Calling-Station-Id or Acct-Session-Id), and the NAS acts on it only when it comes from a configured CoA server whose shared secret validates the packet's Request Authenticator (and Message-Authenticator, where used). CoA and Disconnect messages travel over UDP, port 3799 by default.

In summary, by incorporating the CoA feature in your RADIUS environment, you can achieve the following:

  • Enable RADIUS servers to actively modify sessions after authentication, overcoming the constraints of the standard protocol.

  • Utilize two key message types (Disconnect and CoA Re-Auth) to manage different session scenarios effectively.

  • Address various use cases, such as administrator-initiated session resets and granting full network access to guest users post-registration.

  • Leverage vendor-specific attributes to ensure optimal compatibility and functionality of CoA across different network devices.

By adopting this approach, you can create a more dynamic and responsive network environment, capable of handling diverse session management requirements and providing a robust, secure experience for your users.

Message Flow

  1. Disconnect Message: Session Termination

    • AVP: Acct-Terminate-Cause

    • Value: Admin-Reset

    Figure: Disconnect-Request and Disconnect-ACK/NAK (Disconnect-Request example)

  2. CoA: Session Re-authentication

    • AVP: Vendor Specific (Cisco-AVP)

    • Value: Reauthenticate

    Figure: CoA-Request and CoA-ACK/NAK (CoA-Request example)

    CoA messages that are not applicable to Juniper Mist:

    • Session termination with Port-Shut

    • Session termination with Port-Bounce
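
The two requests above, and the ACK/NAK the NAS returns, as an added example that is not Juniper Mist, Cisco ISE or FreeRADIUS code. It builds RFC 5176 Disconnect-Request and CoA-Request packets with the standard library only, computes the Request Authenticator and Message-Authenticator the way RFC 5176 and RFC 3579 specify, and verifies the reply on the server side (and the request on the NAS side). Attribute and code numbers are taken from RFCs 2865, 2866, 3579 and 5176; the Cisco-AVPair command string "subscriber:command=reauthenticate" and the session values are assumptions.

```python
"""Added example, not Juniper Mist, Cisco ISE or FreeRADIUS code: builds the two
RFC 5176 packets described above and checks the NAS reply, using only the
Python standard library. Attribute numbers are from RFCs 2865, 2866, 3579 and
5176; the Cisco-AVPair command string is an assumption."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176 s2.1
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, VENDOR_SPECIFIC, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 26, 31, 44
ACCT_TERMINATE_CAUSE, MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 49, 80, 101
ADMIN_RESET = 6                  # Acct-Terminate-Cause value, RFC 2866 s5.10
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
REPLY_CODES = {DISCONNECT_REQUEST: (DISCONNECT_ACK, DISCONNECT_NAK),
               COA_REQUEST: (COA_ACK, COA_NAK)}

def avp(atype, value):
    """One Type-Length-Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text):
    """Vendor-Specific (type 26, vendor 9) wrapping a Cisco-AVPair string."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, text.encode()))

def session_attrs(session):
    """Identification attributes the NAS uses to find the session to act on."""
    keys = ((USER_NAME, "user_name"), (CALLING_STATION_ID, "calling_station_id"),
            (ACCT_SESSION_ID, "acct_session_id"))
    return b"".join(avp(t, session[k].encode()) for t, k in keys if session.get(k))

def _hmac_md5(secret, data):
    return hmac.new(secret, data, hashlib.md5).digest()

def build_request(code, ident, attrs, secret):
    """Server side. Message-Authenticator = HMAC-MD5 over the packet with the Authenticator
    field and its own value zeroed; then Request Authenticator (RFC 5176 s2.3) =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs) + 18)
    ma = _hmac_md5(secret, hdr + bytes(16) + attrs + avp(MESSAGE_AUTHENTICATOR, bytes(16)))
    body = attrs + avp(MESSAGE_AUTHENTICATOR, ma)
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body

def disconnect_request(ident, session, secret):
    """Disconnect-Request: Acct-Terminate-Cause = Admin-Reset."""
    attrs = session_attrs(session) + avp(ACCT_TERMINATE_CAUSE, struct.pack("!I", ADMIN_RESET))
    return build_request(DISCONNECT_REQUEST, ident, attrs, secret)

def coa_reauth_request(ident, session, secret):
    """CoA-Request: re-authenticate command in a Cisco-AVPair (command string assumed)."""
    return build_request(COA_REQUEST, ident,
                         session_attrs(session) + cisco_avpair("subscriber:command=reauthenticate"), secret)

def parse(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])   # struct.error if shorter than 4
    if length < 20 or length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs

def _ma_ok(packet, auth_field, attrs, secret):
    """Recompute Message-Authenticator with its value zeroed; True if absent or valid."""
    given = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not given:
        return True
    zeroed = b"".join(avp(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    return hmac.compare_digest(given[0], _hmac_md5(secret, packet[:4] + auth_field + zeroed))

def verify_request(packet, secret):
    """NAS side: act only on requests whose authenticators match the shared secret."""
    code, _, auth, attrs = parse(packet)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return code in REPLY_CODES and hmac.compare_digest(auth, expected) and _ma_ok(packet, bytes(16), attrs, secret)

def build_response(code, request, attrs, secret):
    """NAS side ACK/NAK: both authenticators are computed with the Request Authenticator in the field."""
    _, ident, req_auth, _ = parse(request)
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs) + 18)
    ma = _hmac_md5(secret, hdr + req_auth + attrs + avp(MESSAGE_AUTHENTICATOR, bytes(16)))
    body = attrs + avp(MESSAGE_AUTHENTICATOR, ma)
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body

def verify_response(reply, request, secret):
    """Server side: (authentic, code, error_cause). Error-Cause 503 in a NAK means no matching session."""
    code, ident, auth, attrs = parse(reply)
    req_code, req_ident, req_auth, _ = parse(request)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if (ident != req_ident or code not in REPLY_CODES.get(req_code, ())
            or not hmac.compare_digest(auth, expected) or not _ma_ok(reply, req_auth, attrs, secret)):
        return False, code, None
    cause = next((struct.unpack("!I", v)[0] for t, v in attrs if t == ERROR_CAUSE), None)
    return True, code, cause
```

The server would send the bytes returned by `disconnect_request` or `coa_reauth_request` to the NAS on UDP 3799 and pass the reply to `verify_response`; a NAK with Error-Cause 503 is the signal to check that the session identifiers you sent match what the NAS holds. Keep the Identifier unique per outstanding request, since the response check keys on it.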

Disconnect Message: Posturing

Figure: CoA posturing use case

Use Case: Guest Access

Enable MAC address authentication by RADIUS lookup. In your WLAN configuration, add your server as both a RADIUS Authentication Server and a CoA/DM Server; the CoA/DM entry is what lets the AP accept the server's unsolicited CoA-Request and Disconnect-Request messages, so its shared secret must match the one the server uses for CoA.

Figure: Creating a WLAN with MAC address authentication

When a client associates to this WLAN:

  1. The AP sends the client's MAC address to the RADIUS server in an Access-Request (for MAC authentication the MAC is typically carried as the User-Name, with Calling-Station-Id set to the same value).

  2. The RADIUS server looks the MAC address up in its database. If the client is not found, it returns an Access-Accept that includes a redirection URL to the Mist AP.

  3. The client is now given limited access to the network: DHCP (BOOTP), DNS and the RADIUS server.

  4. After the client obtains an IP address, the AP listens for any HTTP traffic initiated by the client.

  5. Any HTTP request from the client is intercepted and answered with a redirect to the URL that the RADIUS server sent. Only plaintext HTTP can be redirected this way; HTTPS requests cannot be intercepted without a certificate error, so the client must open a plain HTTP page (most operating systems probe one automatically when they detect a captive portal).

  6. The client is presented with the URL. Depending on the policy, it might be a sponsored portal, a self-registration portal or a hotspot portal.

  7. Once the client provides the necessary information on the portal, the RADIUS server (Cisco ISE in this example) adds the client's MAC address to its database and issues a CoA-Request with a command to re-authorize this client.

  8. The Mist AP, upon receiving the CoA-Request, acknowledges it with a CoA-ACK and sends the same Access-Request as in step 1.

  9. The client is now present in the RADIUS server database, so it receives an Access-Accept without the URL-Redirect restriction and gets network connectivity according to the policies defined.

If the AP has no session matching the identifiers in the CoA-Request (for example because the server formats the MAC address differently from the AP), it replies with a CoA-NAK carrying Error-Cause 503 (Session-Context-Not-Found) and the client stays in the restricted state; when step 8 does not occur, compare the Calling-Station-Id format on both sides first.