7 Replies. Latest reply: May 9, 2018 2:37 PM by Thomas Howard

Can ISE send a CoA in an Authorization Profile?

Arne Bier

Hello

 

Customer asked if/how ISE can trigger a CoA in an Authorization Profile.  I can't see how this is done in ISE.

Use case.  Windows user authentication to trigger a VLAN change, using standard Windows supplicant.

They want to be able to bounce a wired port and force the user onto a different VLAN.   The NAS is a Meraki Security appliance and it only listens for 802.1X frames for 8 seconds, and then defaults into a guest VLAN.  By the time the user types in the AD username and password, the device is already in the Guest VLAN.

One option is to disable the Guest VLAN and have the PC hang around in Layer 2 limbo, waiting for the user auth.

But the Meraki docs do mention ISE and CoA ...

https://documentation.meraki.com/MS/Access_Control/Change_of_Authorization_with_RADIUS_(CoA)_on_MS_Switches