RADIUS Change of Authorization (CoA), as defined in RFC 5176, provides a mechanism to change a device's or user's authorization dynamically after it has been authenticated. Once there is a policy change for a user, the authorization server can send RADIUS CoA packets to reinitiate authentication and apply the new policy.
The RADIUS CoA process lets you change user access immediately when needed, without waiting for the wired switch or access point to initiate re-authentication, or for the device to disconnect and reconnect.
CoA use cases (for connected authenticated devices) include:
- Access control policy update, such as a VLAN assignment change for a group of devices/users
- Risk/posture assessment policy update for a group of devices/users
- Administrator blocks a device/user
- Device risk score/compliance change: a device falls out of compliance (e.g. antivirus or firewall was turned off) and must be moved to a quarantine VLAN or have its access blocked completely; or the device returns to compliance and must be moved back to the production VLAN.
The CoA process functions as follows:
- A device is connected to a wired Ethernet switch or WiFi SSID after a successful authentication
- A policy update or a change on the endpoint requires that the device be completely disconnected from the network, or reconnected with different access than it currently has (e.g. a different VLAN, or an ACL applied)
- The RADIUS server sends the CoA packet to disconnect the device, which triggers re-authentication and applies the new access policy
The RADIUS CoA packet is sent to UDP port 3799 (or UDP 1700, as used by some network vendors).
A Disconnect-Request (PoD, Packet of Disconnect) is sent to the NAS (Network Access Server, i.e. the switch or access point) to terminate the user's session(s). The NAS replies with one of two packets:
- Disconnect-ACK – acknowledgment, successful disconnect
- Disconnect-NAK – negative acknowledgment, disconnect session failed
A CoA-Request packet can also be sent to initiate changes on the device or port, such as re-authentication or a port bounce. The NAS replies with one of two packets: CoA-ACK (the CoA action succeeded) or CoA-NAK (the CoA action failed). When a VLAN change is needed, a CoA-Request might not force the endpoint to release and renew its IP address; it may only change the VLAN. For implementations that require a VLAN change, it is therefore recommended to use the Disconnect-Request CoA packet, which leads to re-authentication and to the device obtaining a new IP address on the updated VLAN.
CoA Disconnect-Request with 802.1X RADIUS Authentication Flow
RADIUS Change of Authorization Packet Capture
CoA RADIUS codes (table: CoA Packet / RADIUS Code)
Packet Capture Examples using Wireshark
These packets contain attributes with information on the NAS (wired switch/access point), endpoint involved, timestamp, and a link to the frame of the RADIUS server requests / NAS responses.
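The packet format, request/response authenticators and reply codes described above, worked through as an added Python example (this is not code from the original article, nor Portnox's): it builds a Disconnect-Request the way a RADIUS server would, builds the ACK/NAK replies a NAS would return, and verifies a reply's Response Authenticator and Identifier before trusting it. The packet codes and the Error-Cause value are taken from RFC 5176; the shared secret, user name, NAS address and session id are constructed sample values.

```python
import hashlib
import hmac
import struct

# Packet codes for RADIUS Dynamic Authorization Extensions (RFC 5176, section 3).
CODE_NAMES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
              43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Standard RADIUS attribute numbers used below.
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101          # carried in NAK replies (RFC 5176, section 3.5)

COA_PORT = 3799                 # RFC 5176 port; some vendors listen on 1700 instead

# RADIUS header: Code (1), Identifier (1), Length (2), Authenticator (16).
HEADER = struct.Struct("!BBH16s")


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; the Length octet counts its 2-byte header."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(blob):
    """Parse TLVs, rejecting truncated or oversized attributes rather than reading past them."""
    attrs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("attribute length out of range")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_request(code, identifier, attrs, secret):
    """Server side: CoA-Request or Disconnect-Request.  Request Authenticator (RFC 5176,
    section 2.3) = MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    auth = hashlib.md5(HEADER.pack(code, identifier, length, bytes(16)) + body + secret).digest()
    return HEADER.pack(code, identifier, length, auth) + body


def build_response(code, request, attrs, secret):
    """NAS side: ACK or NAK echoing the request Identifier.  Response Authenticator
    = MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)."""
    _, identifier, _, request_auth = HEADER.unpack_from(request)
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    auth = hashlib.md5(HEADER.pack(code, identifier, length, request_auth) + body + secret).digest()
    return HEADER.pack(code, identifier, length, auth) + body


def parse_packet(data):
    """Decode one datagram; the declared Length is checked against the datagram before slicing."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than RADIUS header")
    code, identifier, length, auth = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("declared length inconsistent with datagram")
    return {"code": code, "name": CODE_NAMES.get(code, "Unknown(%d)" % code), "id": identifier,
            "length": length, "authenticator": auth, "attrs": decode_attrs(data[HEADER.size:length])}


def verify_response(response, request, secret):
    """Accept a reply only if it echoes our Identifier and its authenticator was made with our secret."""
    rsp, req = parse_packet(response), parse_packet(request)
    if rsp["id"] != req["id"] or rsp["code"] not in (41, 42, 44, 45):
        return False
    expected = hashlib.md5(HEADER.pack(rsp["code"], rsp["id"], rsp["length"], req["authenticator"])
                           + response[HEADER.size:rsp["length"]] + secret).digest()
    return hmac.compare_digest(expected, rsp["authenticator"])


SECRET = b"example-shared-secret"   # constructed sample value, not a real deployment secret


def demo():
    """Constructed exchange: server sends a PoD; NAS answers with an ACK, a NAK, and a forged ACK."""
    request = build_request(DISCONNECT_REQUEST, 7, [
        (ATTR_USER_NAME, b"host/laptop01.example.test"),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),      # RFC 5737 documentation address
        (ATTR_ACCT_SESSION_ID, b"0000A1B2"),
    ], SECRET)
    ack = build_response(DISCONNECT_ACK, request, [], SECRET)
    # Error-Cause 503 = "Session Context Not Found" (RFC 5176, section 3.5)
    nak = build_response(DISCONNECT_NAK, request, [(ATTR_ERROR_CAUSE, struct.pack("!I", 503))], SECRET)
    forged = build_response(DISCONNECT_ACK, request, [], b"attacker-guess")  # wrong shared secret
    return {"request": parse_packet(request),
            "ack_ok": verify_response(ack, request, SECRET),
            "nak_cause": struct.unpack("!I", parse_packet(nak)["attrs"][0][1])[0],
            "forged_ok": verify_response(forged, request, SECRET)}
```

In a real deployment the bytes returned by build_request are sent over UDP to the NAS on COA_PORT (or 1700), and the NAS must apply the same MD5 check to the incoming Request Authenticator before acting on a disconnect; the forged-reply case in demo() shows why the server side should do the same check on replies rather than trusting any ACK that arrives on the socket.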
RADIUS Change of Authorization with Portnox CLEAR
Using Portnox CLEAR for CoA together with dynamic VLAN assignment (previously discussed in Dynamic VLAN Assignment) allows the administrator to keep the network secure and segmented as the environment changes. Whether it is an access policy change for a group of users/devices or a compliance change on a specific endpoint, the device(s) will immediately be placed on the relevant network, or blocked, according to the policy.
In the following video, we’ll demonstrate a CoA use case of risk violation for a device with Portnox CLEAR. Scenario description:
- Configure the SSID to work with CLEAR services, including CoA.
- In CLEAR, review the risk assessment policy, which requires AntiVirus to be up, running, and updated, and the access control policy, which places devices with a risk violation in the quarantine VLAN.
- Connect a device enrolled with AgentP (the CLEAR agent on the endpoint for risk assessment) to the configured SSID and authenticate successfully with a certificate.
- Turn off AntiVirus on the endpoint; CLEAR identifies the risk and sends a CoA packet to disconnect the device.
- The re-authentication process starts, and the device is placed in the quarantine VLAN.
- Add a remediation action to start AntiVirus; AntiVirus is enabled on the endpoint by CLEAR and the device is back in compliance.
- A CoA process is initiated, and the device is placed back in the production VLAN.
Author Ran Fridberg
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.