Describe network access with CoA

📘CompTIA Security+ (SY0-701)


What is CoA?

  • CoA stands for Change of Authorization.
  • It is a method used in network access control to change the permissions or policies applied to a device or user after they are already connected to the network.
  • In other words, the user or device is already on the network, and you want to update their access privileges without disconnecting them.

Think of it as changing the rules for a user mid-session based on new security requirements or user behavior.


How CoA Works in IT Networks

  1. Network Devices Involved:
    • Authenticator: This is typically a switch or wireless access point where the device connects to the network.
    • Authentication Server: Usually a RADIUS server (like Cisco ISE), which decides what access a device or user should have.
    • Supplicant: The device trying to access the network (like a laptop or phone).
  2. Process Flow:
    • A device connects to the network and is authenticated using 802.1X, MAB, or WebAuth.
    • The authentication server assigns an initial policy (e.g., VLAN assignment, access to certain resources).
    • Later, if the user’s role or status changes, the server can send a CoA message to the switch or access point.
    • The network device then updates the user’s session dynamically, for example:
      • Moving the user to a different VLAN
      • Applying stricter ACLs (firewall rules)
      • Restricting or revoking access entirely
      • Allowing more privileges

Key point: The user does not need to disconnect or log in again. CoA applies changes in real-time.


Types of CoA Messages

CoA messages are sent from the RADIUS server to the network device (switch/AP) to enforce changes. Cisco networks commonly use these RADIUS message types:

  1. Reauthenticate (Reauth)
    • Forces the network device to reauthenticate the user.
    • Can trigger a new 802.1X authentication session.
    • Example: A user’s role changes from “guest” to “employee,” and they now need full access.
  2. Disconnect
    • Forces the device to disconnect the user immediately.
    • Example: A device is detected as infected with malware; network access is revoked.
  3. Change of VLAN
    • Moves the user to a different VLAN without disconnecting.
    • Example: A guest initially has internet-only access and is moved to a VLAN with corporate resources after approval.
  4. ACL or QoS Update
    • Changes firewall rules, ACLs, or Quality of Service dynamically.
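The request/acknowledge exchange from the process flow above and the Change of VLAN message type, as an added Python example that is not part of the original notes: the RADIUS server side builds an RFC 5176 CoA-Request (code 43, normally sent to UDP 3799) carrying Acct-Session-Id plus the tunnel attributes for a VLAN move, and the switch side verifies the Request Authenticator before answering with a CoA-ACK that the server can check in turn. The shared secret and session id are constructed sample values, and the code builds and checks packets in memory only; nothing is sent on the wire.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45  # RFC 5176 codes; switch listens on UDP 3799
ACCT_SESSION_ID, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIV_GROUP = 44, 64, 65, 81  # attr types

def avp(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if isinstance(value, int):
        value = struct.pack(">I", value)
    return bytes([attr_type, 2 + len(value)]) + value

def build_request(code, ident, attrs, secret):
    """Server side. Request Authenticator = MD5(header | 16 zero octets | attrs | secret)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def verify_request(pkt, secret):
    """Switch side: check length and authenticator before touching any session."""
    header, auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    if len(pkt) < 20 or struct.unpack(">BBH", header)[2] != len(pkt):
        return False
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)

def build_response(code, request, attrs, secret):
    """Switch side. Response Authenticator covers the request's own authenticator."""
    header = struct.pack(">BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs

def verify_response(resp, request, secret):
    """Server side: accept a CoA-ACK/NAK only if it is bound to our request."""
    header, auth, attrs = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return resp[1] == request[1] and hmac.compare_digest(auth, expected)

def vlan_change_request(session_id, vlan, secret, ident=1):
    """CoA-Request that moves the live session `session_id` to VLAN `vlan`."""
    attrs = (avp(ACCT_SESSION_ID, session_id.encode())
             + avp(TUNNEL_TYPE, 13) + avp(TUNNEL_MEDIUM, 6)  # 13 = VLAN, 6 = IEEE 802
             + avp(TUNNEL_PRIV_GROUP, str(vlan).encode()))   # RFC 2868 tag omitted
    return build_request(COA_REQUEST, ident, attrs, secret)

def switch_handles(pkt, secret):
    """Switch side: RFC 5176 says a request with a bad authenticator is silently discarded."""
    return build_response(COA_ACK, pkt, b"", secret) if verify_request(pkt, secret) else None
```

A real switch would also look the session up by Acct-Session-Id and answer CoA-NAK with an Error-Cause attribute when it cannot apply the change; that lookup is outside this example.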

How CoA is Implemented in Cisco Networks

  • Cisco uses Cisco ISE (Identity Services Engine) as the central authentication and policy server.
  • Network devices (switches, APs) must support RADIUS CoA and be configured to accept CoA messages.
  • Key steps:
    1. Enable CoA on the RADIUS server (ISE).
    2. Enable CoA on the network device. For example, on a Cisco switch:
         aaa new-model
         aaa authorization network default group radius
         radius-server host <ISE-IP> auth-port 1812 acct-port 1813 coa-port 3799
    3. Define policies in ISE that trigger CoA based on conditions like:
      • Device posture (compliant or noncompliant)
      • User role changes
      • Security events (malware detected, high-risk activity)
    4. Test CoA to ensure changes apply in real-time without disconnecting sessions.

Why CoA is Important

  1. Dynamic Security
    • Adjusts user/device permissions immediately in response to security events.
    • Example: Endpoint fails posture check → CoA moves it to a restricted VLAN.
  2. Minimizes Disruption
    • Users do not need to disconnect and reconnect for policy changes.
  3. Supports Guest and BYOD
    • Helps manage temporary access for guests and personal devices efficiently.
  4. Enforces Compliance
    • Automatically applies security policies if devices are noncompliant.

Example Scenarios in IT Networks

  1. Endpoint Posture
    • A laptop connects and passes initial checks. Later, antivirus becomes outdated.
    • CoA moves it to a restricted VLAN until it updates.
  2. Role Changes
    • Employee gets promoted → CoA updates ACLs to allow access to sensitive resources.
  3. Security Threat
    • Device shows unusual traffic → CoA disconnects it immediately or limits access.

Exam Tips for 350-701

  • Remember the main purpose: CoA changes access policies after the device is already connected.
  • Know the types of CoA messages: Reauth, Disconnect, VLAN change, ACL/QoS update.
  • Understand the flow: Device → Authenticator → RADIUS Server → CoA message back → Policy enforcement.
  • Be familiar with real Cisco commands for enabling CoA on switches and ISE.
  • Associate CoA with dynamic security and posture enforcement.

Key Takeaways

  • CoA = Change of Authorization, dynamic policy changes for connected users.
  • Works without user disconnection.
  • Triggered by RADIUS server (ISE) using CoA messages.
  • Types of actions: Reauthenticate, Disconnect, VLAN change, ACL/QoS update.
  • Essential for security, compliance, and dynamic network access control.