Change of Authorization

A Change of Authorization is a network policy mechanism that

  • modifies session attributes for active authentication, authorization, and accounting sessions,

  • supports actions such as session query, reauthentication, termination, port bounce, and port shutdown, and

  • enables dynamic activation or deactivation of service templates.

Change of Authorization is part of Identity-Based Networking Services and enforces policy changes in real time. This feature allows administrators to respond to changes in user roles, device states, or network conditions.

Information about Change of Authorization

How Change of Authorization reauthentication works

Summary

Change of Authorization reauthentication enables dynamic policy changes in AAA sessions after initial authentication.

  • When a policy changes for a user or user group in AAA, administrators can send RADIUS CoA packets from the AAA server.

  • The AAA server, such as Cisco Identity Services Engine, uses CoA packets to reinitialize authentication and apply the new policy.

  • The RADIUS interface provides various primitives that can be used during a CoA event.

  • These primitives and their functions are essential for effectively applying new policies to users or groups during a session.

Workflow

Figure 1. Workflow
  1. The administrator changes a user or user group policy in the AAA system.
  2. The AAA server sends a RADIUS CoA packet to the network device, specifying policy updates.
  3. The device receives the CoA packet and reinitializes authentication, applying the new policy.
  4. The RADIUS interface returns either a CoA-ACK (acknowledgement) or CoA-NAK (nonacknowledgement) as a response.

Result

By default, the RADIUS interface is enabled on the device. However, some basic configuration is required for the following attributes:

  • Security and Password

  • Accounting

  • CoA acknowledgement (ACK) [CoA-ACK]

  • CoA nonacknowledgement (NAK) [CoA-NAK]

What’s next

After posture assessment is successful, full network access is pushed down to the device for the specific client through a CoA reauthentication command, based on the compliance state derived from the last assessment. Optionally, downloadable ACLs can enforce Permit-ALL or limited access to certain resources for the corresponding clients. Per-session CoA requests are supported for session identification, session termination, host reauthentication, port shutdown, and port bounce. This model comprises one request (CoA-Request) and two possible response codes, CoA-ACK and CoA-NAK.
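The request/response model described here and in the workflow above, shown as an added example that is not code from the original page or from Cisco: a pure-Python model of both ends of a RADIUS CoA exchange (RFC 5176). One side plays the AAA server and builds a CoA-Request (code 43) carrying the session's Acct-Session-Id and the Cisco AVPair `subscriber:command=reauthenticate` (the `subscriber:command` values are Cisco's documented CoA commands for reauthentication, port bounce, and port shutdown). The other side plays the network device: it validates the Request Authenticator with the shared secret before doing anything, answers CoA-ACK (44) or CoA-NAK (45) with an Error-Cause, and silently drops a request whose authenticator does not verify. The shared secret `cisco123`, the session ID, and the in-memory session table are constructed from the page's sample configuration and show output; how the device stores and acts on the session is a simplification, not real device behaviour.

```python
"""Model of a RADIUS Change-of-Authorization exchange (RFC 5176). Added example, not
from the page or from Cisco; session table and IDs are constructed test data."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 1, 26, 44, 101
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
ERR_UNSUPPORTED_SERVICE, ERR_SESSION_NOT_FOUND = 405, 503  # RFC 5176 Error-Cause values
# Cisco AVPair commands behind the page's CoA actions: reauthenticate, port bounce, port shutdown
SUPPORTED_COMMANDS = {"reauthenticate", "bounce-host-port", "disable-host-port"}

def avp(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text):
    """Vendor-Specific (26) attribute carrying a Cisco (vendor 9) AVPair string."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)

def parse_attrs(data):
    out, i = [], 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + ln]))
        i += ln
    return out

def cisco_avpair_text(value):
    """AVPair string inside a Vendor-Specific value, or None if it is not a Cisco AVPair."""
    if len(value) < 6 or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID or value[4] != CISCO_AVPAIR:
        return None
    return value[6:4 + value[5]].decode(errors="replace")

def build_coa_request(ident, secret, attrs):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def handle_coa(packet, secret, sessions):
    """Device side: returns the reply packet, or None when the request is silently dropped."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return None
    request_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, request_auth):
        return None  # wrong shared secret or tampered packet: discard, never answer
    def nak(cause):
        return build_response(COA_NAK, ident, request_auth, avp(ATTR_ERROR_CAUSE, struct.pack("!I", cause)), secret)
    parsed = parse_attrs(attrs)
    session_id = next((v.decode() for t, v in parsed if t == ATTR_ACCT_SESSION_ID), None)
    session = sessions.get(session_id)
    if session is None:
        return nak(ERR_SESSION_NOT_FOUND)
    pairs = [cisco_avpair_text(v) for t, v in parsed if t == ATTR_VENDOR_SPECIFIC]
    command = next((p.split("=", 1)[1] for p in pairs if p and p.startswith("subscriber:command=")), None)
    if command not in SUPPORTED_COMMANDS:
        return nak(ERR_UNSUPPORTED_SERVICE)
    session["last_command"] = command  # a real device would now reauthenticate / bounce the port
    return build_response(COA_ACK, ident, request_auth, b"", secret)

def verify_response(reply, request, secret):
    """AAA-server side: authenticate the reply against our request; return (code, error_cause)."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    expected = hashlib.md5(reply[:4] + request[4:20] + attrs + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("CoA reply failed authentication")
    cause = next((struct.unpack("!I", v)[0] for t, v in parse_attrs(attrs) if t == ATTR_ERROR_CAUSE), None)
    return code, cause

def demo():
    secret = b"cisco123"  # constructed: same value as the page's sample "key cisco123"
    sessions = {"611C4B0A00000053F483D7B0": {"user": "coa2", "last_command": None}}  # constructed
    attrs = (avp(ATTR_USER_NAME, b"coa2") + avp(ATTR_ACCT_SESSION_ID, b"611C4B0A00000053F483D7B0")
             + cisco_avpair("subscriber:command=reauthenticate"))
    good = build_coa_request(7, secret, attrs)
    ack = verify_response(handle_coa(good, secret, sessions), good, secret)
    unknown = build_coa_request(8, secret, avp(ATTR_ACCT_SESSION_ID, b"deadbeef")
                                + cisco_avpair("subscriber:command=reauthenticate"))
    nak = verify_response(handle_coa(unknown, secret, sessions), unknown, secret)
    dropped = handle_coa(build_coa_request(9, b"wrong-secret", attrs), secret, sessions)
    return ack, nak, dropped, sessions["611C4B0A00000053F483D7B0"]["last_command"]
```

Running `demo()` returns `((44, None), (45, 503), None, 'reauthenticate')`: a valid request for a known session is acknowledged and acted on, a request naming an unknown session gets a CoA-NAK with Error-Cause 503 (Session Context Not Found), and a request built with the wrong shared secret is dropped without any reply. The point for a deployment is that the only thing protecting the device from a forged reauthenticate, bounce or shutdown request is the MD5-keyed authenticator over the shared secret, which is why the `aaa server radius dynamic-author` client entry and key must be restricted to the real AAA server.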

Change of Authorization requests

A Change of Authorization is a network policy mechanism that:

  • facilitates endpoint re-authentication based on posture assessment,

  • integrates with Cisco AnyConnect and Cisco ISE version 2.6, and

  • enhances security through customizable security policies per client.

Topology diagram of Cisco 1000 Series Integrated Services Router as a branch router

The network topology below shows a typical Cisco 1000 Series Integrated Services Router deployed as a branch router, providing secure access with ISE and other network services hosted in the campus or data center. CoA is a critical part of the solution: it initiates re-authentication or re-authorization of the endpoint's network access based on its posture assessment result. The downloadable ACL applied after a successful assessment is the end goal of the entire solution.
Figure 2. Network topology of Cisco ISR1000 with ISE and other Network Services

Limitations for Change of Authorization

You must observe these restrictions when configuring Change of Authorization features:

  • Most CoA and posture functions, such as Downloadable ACL, Redirect ACL, and SISF-based device tracking, depend on hardware TCAM. They are supported only on the 8-port SKUs of the Cisco 1000 Series Integrated Services Router.

  • Port ACL is not supported on 1000 Series Integrated Services Routers.

  • IPv6 Access Control Entries are not supported.

  • IPv4 ACEs cannot match the IPv4 option header or IP fragments. TCP or UDP Layer 4 port number matching is supported only with the eq (equals) or any operators. The gt (greater than), lt (less than), and range (A to B) match types are not supported.

  • On 1000 Series Integrated Services Routers (except for the C1131 series):

    • Do not exceed 128 dACL ACEs or 64 RACL ACEs for all switchports.

    • Only TCP or UDP port number matching is supported for IPv4 ACE Layer 4 matches.

  • On C1131 series routers:

    • Do not exceed 2048 dACL ACEs or 512 RACL ACEs for all switchports.

    • IPv4 ACE Layer 4 match supports TCP or UDP port match, and Layer 4 Flags with match all (not match any).

  • SISF device tracking supports IPv4 address glean (using security level glean) and tracking (using tracking enable).

  • Multi-authentication per user VLAN assignment is not supported.

  • Neither NEAT nor CISP is supported.
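A pre-flight check for the ACE restrictions listed above, as an added example that is not from the page or from Cisco: a small Python linter that takes the body of a downloadable ACL (as ISE would push it, `ip:inacl#N=` prefixes removed) or a redirect ACL and reports entries the platform cannot program, plus ACE counts over the per-platform limits. The platform numbers come from the restrictions above; the sets of IOS keywords treated as port operators, option/fragment matches, and TCP flag matches are assumptions about which ACE syntax those restrictions refer to. The sample dACL is constructed; the second sample is the page's own `redirect_acl`.

```python
"""Pre-flight checker for dACL / redirect ACL entries against the ISR1000 restrictions.
Added example, not from the page or from Cisco; keyword sets are assumptions."""
import re

PLATFORM_LIMITS = {
    # ACE counts are totals across all switchports; l4_flags None = no TCP flag matching at all
    "isr1000": {"dacl": 128, "racl": 64, "l4_flags": None},
    "c1131": {"dacl": 2048, "racl": 512, "l4_flags": "match-all"},
}
PORT_OPS = {"eq", "gt", "lt", "range", "neq"}   # IOS port operators (assumed set)
UNSUPPORTED_PORT_OPS = {"gt", "lt", "range"}     # the page lists these as unsupported
TCP_FLAG_WORDS = {"ack", "fin", "psh", "rst", "syn", "urg", "established", "match-all", "match-any"}
ACE_RE = re.compile(r"^(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.+?)$", re.IGNORECASE)


def check_acl(lines, kind, platform):
    """Return [(line_no, problem)] for an extended ACL body; line_no 0 is a whole-ACL finding.

    kind is "dacl" (downloadable ACL) or "racl" (redirect ACL); platform keys PLATFORM_LIMITS.
    """
    limits = PLATFORM_LIMITS[platform]
    findings, aces = [], 0
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith(("!", "remark")):
            continue
        m = ACE_RE.match(line)
        if not m:
            findings.append((n, "not a recognizable permit/deny ACE"))
            continue
        aces += 1
        proto, words = m.group(2).lower(), m.group(3).lower().split()
        if proto == "ipv6" or any(":" in w for w in words):
            findings.append((n, "IPv6 ACE not supported"))
        if "fragments" in words or "option" in words:
            findings.append((n, "IP option header / fragment match not supported"))
        bad_ops = sorted(w for w in words if w in UNSUPPORTED_PORT_OPS)
        if bad_ops:
            findings.append((n, "port operator %s not supported; use eq or omit the port" % ", ".join(bad_ops)))
        if any(w in PORT_OPS for w in words) and proto not in ("tcp", "udp"):
            findings.append((n, "L4 port match only supported for tcp/udp, not %s" % proto))
        flags = sorted(w for w in words if w in TCP_FLAG_WORDS)
        if flags and limits["l4_flags"] is None:
            findings.append((n, "TCP flag match not supported on this platform"))
        elif "match-any" in flags:
            findings.append((n, "TCP flags only supported with match-all, not match-any"))
    if aces > limits[kind]:
        findings.append((0, "%d ACEs exceeds platform limit of %d for %s" % (aces, limits[kind], kind)))
    return findings


# Constructed sample dACL body, mixing programmable and non-programmable entries.
SAMPLE_DACL = [
    "permit udp any any eq domain",
    "permit tcp any host 10.10.1.10 eq 8443",
    "permit tcp any any range 8000 8100",       # range operator: unsupported
    "permit tcp any any eq 22 established",     # TCP flag match: platform dependent
    "deny ip any any fragments",                # fragment match: unsupported
    "permit tcp any 2001:db8::/32 eq 443",      # IPv6: unsupported
    "permit ip any any",
]
# The redirect ACL from the page's configuration example (placeholder kept as-is).
PAGE_REDIRECT_ACL = [
    "20 deny udp any eq bootps any",
    "25 deny udp any eq domain any",
    "30 deny udp any any eq bootpc",
    "40 deny udp any eq bootpc any",
    "50 deny ip any host %{ise.ip}",
    "60 permit tcp any any eq www",
    "70 permit tcp any any eq 443",
]

if __name__ == "__main__":
    for platform in PLATFORM_LIMITS:
        for n, problem in check_acl(SAMPLE_DACL, "dacl", platform):
            print("%s dACL line %d: %s" % (platform, n, problem))
    print("redirect_acl:", check_acl(PAGE_REDIRECT_ACL, "racl", "isr1000") or "ok")
```

On the generic ISR1000 profile the sample dACL is flagged on lines 3 to 6; on the C1131 profile the `established` line passes (flags allowed with match-all semantics) and only lines 3, 5 and 6 are reported, while the page's redirect_acl is clean on both. Running a check like this on ISE-side ACL definitions before they are pushed avoids the silent failure mode where an authorization succeeds but the ACL cannot be programmed into TCAM.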

How to configure Change of Authorization

Dot1x SANet configuration commands

The following AAA and dot1x commands establish 802.1X authentication against RADIUS for a Session Aware Networking (SANet) subscriber session. They define the authentication and authorization methods, associate the RADIUS server group, enable dot1x globally, and apply the control policy map that triggers dot1x authentication when a session starts on the access port.

aaa new-model
aaa authentication dot1x default group coa-ise
aaa authorization network default group coa-ise
dot1x system-auth-control
aaa group server radius coa-ise
 server name coa
radius server coa
 address ipv4 10.10.1.10 auth-port 1812 acct-port 1813
 key cisco123
policy-map type control subscriber simple_coa
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x
interface GigabitEthernet0/0/1
 switchport access vlan 22
 switchport mode access
 access-session closed
 access-session port-control auto
 dot1x pae authenticator
 service-policy type control subscriber simple_coa

Attributes of Change of Authorization

The following example configures the device to accept CoA requests only from the AAA server defined as a dynamic-author client with its shared key, defines the redirect ACL used during posture assessment, and enables SISF device tracking so that the device learns the client's IPv4 address (needed to apply downloadable and redirect ACLs to the session). In the redirect ACL, permit entries select the traffic that is redirected to ISE (here HTTP and HTTPS), and deny entries exempt traffic from redirection, so DHCP, DNS, and traffic to ISE itself must be denied for the posture flow to work.

aaa server radius dynamic-author
 client 
 server-key ******
 auth-type any
 ignore server-key
ip access-list extended redirect_acl
 20 deny udp any eq bootps any
 25 deny udp any eq domain any
 30 deny udp any any eq bootpc
 40 deny udp any eq bootpc any
 50 deny ip any host %{ise.ip}
 60 permit tcp any any eq www
 70 permit tcp any any eq 443
device-tracking tracking
device-tracking policy tracking_test
 security-level glean
 no protocol ndp
 no protocol dhcp6
 tracking enable
interface GigabitEthernet0/0/1
 device-tracking attach-policy tracking_test

Configuration examples for Change of Authorization

RADIUS server status example

This example shows how to check if the RADIUS server is active.

Device# show aaa servers
RADIUS: id 1, priority 1, host 10.75.28.231, auth-port 1812, acct-port 1813, hostname host
State: current UP
duration 188755s, previous duration 0s
Dead: total time 0s, count 0
Platform State from SMD: current UP, duration 188755s, previous duration 0s

RADIUS test authentication and device tracking verification examples

The following commands verify that a test user authenticates through the RADIUS group, and that the device tracking policy is configured and operating.

Test a user authentication against the RADIUS group (the password is masked):

Device# test aaa group radius coa3 **** port 1813 new-code
User successfully authenticated
USER ATTRIBUTES
username             0   "coa3"

Check enabled device tracking policy parameters


Device# show device-tracking policies
Target               Type  Policy               Feature        Target range
Gi0/1/1              PORT  tracking_test        Device-tracking vlan all
Gi0/1/2              PORT  tracking_test        Device-tracking vlan all
Gi0/1/3              PORT  tracking_test        Device-tracking vlan all
Gi0/1/4              PORT  tracking_test        Device-tracking vlan all

Review SISF table entries

Device# show device-tracking database
Binding Table has 1 entries, 1 dynamic (limit 100000)
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   
Network Address        Link Address       Interface  vlan  prlvl    age    state     Time left 
ARP 10.11.22.20       0050.5683.3f97      Gi0/1/4     22    0005    11s   REACHABLE      295 s   

Verify access-session authentication and authorization

The Server Policies section shows the authorization pushed by the AAA server for the session, here a Filter-ID naming the ACL to apply.

Device# show access-session interface gigabitEthernet 0/1/7 detail
Interface:  GigabitEthernet0/1/7
IIF-ID:  0x0DB9315A
MAC Address:  b496.913d.4f9b
IPv6 Address:  Unknown
IPv4 Address:  10.10.22.27
User-Name:  coa2
Status: Authorized
Domain:  DATA
Oper host mode:  multi-auth
Oper control dir:  both
Session timeout:  N/A
Common Session ID:  611C4B0A00000053F483D7B0
Acct Session ID:  Unknown
Handle:  0x21000049
Current Policy:  POLICY_COA
Server Policies:
  Filter-ID: Filter_ID_COA2
Method status list:
  Method           State
  dot1x            Authc Success