Skip to content

3.4.7 Change of Authorization (CoA) Workflow Examples

Document Information

Item Details
Organization Abhavtech.com
Version 2.0
Last Updated December 2025

1. CoA Overview

1.1 CoA Types

CoA Type RFC Purpose Use Case
Session Terminate RFC 5176 Disconnect user immediately Security incident
Session Reauthenticate RFC 5176 Force re-authentication Policy change
Port Bounce Cisco Reset port VLAN change
Port Disable Cisco Administratively disable Quarantine
CoA Push Cisco Update session attributes SGT change

1.2 CoA Flow

┌─────────────────────────────────────────────────────────────────────┐
│                       CoA Message Flow                               │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│   ┌─────────┐         ┌─────────┐         ┌─────────┐              │
│   │   ISE   │────────►│ Switch  │────────►│Endpoint │              │
│   │   PSN   │  CoA    │  (NAD)  │  Action │         │              │
│   └─────────┘ Request └─────────┘         └─────────┘              │
│        │                   │                   │                    │
│        │    CoA-Request    │                   │                    │
│        │ (Session-Terminate│                   │                    │
│        │  or Reauthenticate)                   │                    │
│        │──────────────────►│                   │                    │
│        │                   │                   │                    │
│        │                   │   Disconnect      │                    │
│        │                   │──────────────────►│                    │
│        │                   │                   │                    │
│        │                   │   (Reconnect)     │                    │
│        │                   │◄──────────────────│                    │
│        │                   │                   │                    │
│        │  CoA-ACK          │   New Auth        │                    │
│        │◄──────────────────│──────────────────►│                    │
│        │                   │                   │                    │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

2. Real-World CoA Workflows

2.1 Workflow: Security Incident - Quarantine Endpoint

Scenario: XDR detects malware on endpoint. Automatically quarantine.

Workflow_Quarantine_Malicious_Endpoint:

  Trigger: XDR threat score >= 90

  Step_1_XDR_Detection:
    Event: Malware detected on 10.100.10.150
    Endpoint MAC: AA:BB:CC:DD:EE:FF
    User: jsmith@abhavtech.com
    Threat Score: 95

  Step_2_XDR_to_ISE_Integration:
    pxGrid: XDR sends threat context to ISE
    ISE Action: Threat-Centric NAC evaluates
    Decision: Quarantine required

  Step_3_ISE_CoA_Execution:
    ISE Console Path: Operations → Adaptive Network Control → Quarantine

    Automatic via API:
      POST /admin/API/mnt/CoA/Disconnect/{macAddress}

    Or Manual:
      - Search endpoint by MAC
      - Select "Quarantine"
      - Reason: "XDR Malware Detection"

  Step_4_CoA_Message:
    Type: Reauthenticate + Authorization Change
    New Authorization Profile: QUARANTINE-PROFILE
    Attributes:
      - VLAN: 999 (Quarantine)
      - SGT: 999 (Quarantine)
      - dACL: QUARANTINE-DACL
      - URL Redirect: remediation.abhavtech.com

  Step_5_Switch_Action:
    Switch: MUM-ED-01
    Port: Gi1/0/15
    Actions:
      - Apply QUARANTINE-DACL
      - Change VLAN to 999
      - Redirect HTTP to remediation portal

  Step_6_User_Experience:
    - User loses network access
    - Browser redirects to: https://remediation.abhavtech.com
    - Message: "Your device has been quarantined due to security threat"
    - Instructions: Contact IT Security

  Step_7_SOC_Notification:
    - PagerDuty alert: P1 Security Incident
    - ServiceNow ticket created
    - Email to soc@abhavtech.com

2.2 Workflow: Posture Non-Compliance

Scenario: Endpoint fails posture check (missing patches). Limit access.

Workflow_Posture_NonCompliance:

  Trigger: Posture assessment fails

  Step_1_Initial_Authentication:
    User: mwilliams@abhavtech.com
    MAC: 11:22:33:44:55:66
    Initial Auth: SUCCESS
    Posture Status: PENDING
    Initial Profile: POSTURE-REDIRECT

  Step_2_Posture_Assessment:
    Secure Client checks:
      - [ ] Antivirus updated: FAIL (definitions 14 days old)
      - [ ] Windows patches: FAIL (KB5034441 missing)
      - [ ] Firewall enabled: PASS
      - [ ] Disk encryption: PASS
    Result: NON-COMPLIANT

  Step_3_ISE_Policy_Decision:
    Policy: "Posture_NonCompliant_Limited"
    Action: CoA with limited access profile

  Step_4_CoA_Execution:
    CoA Type: Session Reauthenticate
    New Profile: LIMITED-ACCESS-PROFILE
    Attributes:
      - VLAN: 10 (same - no VLAN change)
      - SGT: 997 (Non-Compliant)
      - dACL: LIMITED-INTERNET-ONLY
      - URL Redirect: posture-remediation.abhavtech.com

  Step_5_Limited_Access:
    Permitted:
      - Internet access (for updates)
      - Windows Update servers
      - Antivirus update servers
      - DNS
    Blocked:
      - Internal corporate resources
      - File shares
      - Internal applications

  Step_6_Remediation_Portal:
    URL: https://posture-remediation.abhavtech.com
    Shows:
      - "Your device is non-compliant"
      - Missing: Antivirus update, Windows patch KB5034441
      - "Click to remediate automatically"
      - Secure Client triggers remediation

  Step_7_Re-Posture_After_Fix:
    User fixes issues → Secure Client re-checks
    Result: COMPLIANT
    ISE: Automatic CoA to full access
    New Profile: EMPLOYEE-FULL-ACCESS
    SGT: 10 (Employee)

2.3 Workflow: Employee Termination

Scenario: HR terminates employee. Immediate network access revocation.

Workflow_Employee_Termination:

  Trigger: HR system notifies ISE of termination

  Step_1_HR_Integration:
    Source: Workday HR system
    Event: Employee termination - John Smith
    Username: jsmith@abhavtech.com
    Effective: Immediate

  Step_2_AD_Account_Disable:
    Automatic: AD account disabled
    ISE: Receives AD sync update

  Step_3_Active_Session_Identification:
    ISE Query: All active sessions for jsmith
    Results:
      - Session 1: Laptop, MUM-ED-05 Gi1/0/23, MAC: AA:BB:CC:11:22:33
      - Session 2: Phone, MUM-ED-05 Gi1/0/24, MAC: AA:BB:CC:11:22:34
      - Session 3: Wireless, MUM-WLC-01, MAC: AA:BB:CC:11:22:35

  Step_4_CoA_All_Sessions:
    ISE: Send CoA to all NADs
    CoA Type: Session Terminate (disconnect immediately)

    API Call (for automation):
      POST /admin/API/mnt/CoA/Disconnect/jsmith@abhavtech.com
      Body: { "command": "Terminate", "reason": "Employee Termination" }

  Step_5_Switch_Actions:
    MUM-ED-05: Disconnects ports Gi1/0/23, Gi1/0/24
    MUM-WLC-01: Deauthenticates wireless client

  Step_6_Prevent_Reconnection:
    AD: Account disabled - auth will fail
    ISE: Logs attempt as "User Disabled in AD"

  Step_7_Audit_Trail:
    ISE Log: "Session terminated - Employee Termination"
    SIEM: Alert logged for compliance
    HR System: Confirmation of access revocation

2.4 Workflow: VLAN Change (No Reauth)

Scenario: Network team needs to move endpoints to new VLAN without disruption.

Workflow_VLAN_Change:

  Trigger: Planned VLAN migration for Building A

  Step_1_Update_ISE_Policy:
    Authorization Profile: BUILDING-A-EMPLOYEES
    Old VLAN: 10
    New VLAN: 110
    Save profile

  Step_2_CoA_Push_New_Attributes:
    Target: All endpoints in Building A
    Filter: Location = "Building A"
    CoA Type: CoA Push (no disconnect)

  Step_3_Bulk_CoA_Execution:
    ISE Console: Operations → Troubleshoot → Endpoint Debug
    Select all Building A endpoints
    Action: "Reauthenticate"

    Or via API:
      POST /admin/API/mnt/CoA/Reauth
      Body: {
        "filter": "Location:Building-A",
        "command": "Reauthenticate"
      }

  Step_4_Switch_Behavior:
    Switch receives CoA-Reauthenticate
    Triggers new RADIUS authentication
    Gets new VLAN assignment (110)
    Applies new VLAN without bouncing port

  Step_5_User_Experience:
    - Minimal disruption (TCP sessions may reset)
    - IP address changes (DHCP in new VLAN)
    - User may notice brief connectivity blip

  Step_6_Verification:
    ISE: Check endpoints have new VLAN
    Switch: "show authentication sessions interface GiX/X/X"
    Confirm: VLAN = 110

3. CoA Configuration

3.1 ISE CoA Settings

Administration → Network Resources → Network Devices → [Device]

RADIUS Authentication Settings:
  ☑ Enable Change of Authorization (CoA)
  CoA Port: 1700 (default)

Device Profile:
  ☑ Cisco (default)

Advanced Settings:
  ☑ RADIUS Dynamic Authorization

3.2 Switch CoA Configuration

! Enable CoA on Catalyst 9300

aaa server radius dynamic-author
 client 10.250.10.21 server-key $RadiusKey$
 client 10.250.10.22 server-key $RadiusKey$
 port 1700
 auth-type any

! Enable CoA for 802.1X
dot1x system-auth-control

! Interface configuration
interface GigabitEthernet1/0/1
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server

3.3 CoA Verification Commands

! Check CoA statistics
show aaa servers | include CoA

! Check recent CoA events
show authentication sessions | include CoA

! Debug CoA (use sparingly)
debug radius
debug aaa coa

! Check specific session
show authentication sessions interface Gi1/0/15 details

4. ISE Authorization Profiles for CoA

4.1 Quarantine Profile

Profile Name: QUARANTINE-PROFILE

Access Type: ACCESS_ACCEPT

Common Tasks:
  VLAN: 999

Advanced Attributes:
  cisco-av-pair = cts:security-group-tag=0999-00
  cisco-av-pair = url-redirect-acl=QUARANTINE-REDIRECT-ACL
  cisco-av-pair = url-redirect=https://remediation.abhavtech.com/quarantine

DACL: QUARANTINE-DACL
  permit udp any any eq 53
  permit tcp any host 10.250.10.100 eq 443
  deny ip any any log

4.2 Limited Access Profile (Posture Remediation)

Profile Name: LIMITED-ACCESS-PROFILE

Access Type: ACCESS_ACCEPT

Common Tasks:
  VLAN: (no change - use current)

Advanced Attributes:
  cisco-av-pair = cts:security-group-tag=0997-00
  cisco-av-pair = url-redirect-acl=POSTURE-REDIRECT-ACL
  cisco-av-pair = url-redirect=https://posture.abhavtech.com

DACL: LIMITED-INTERNET-DACL
  permit udp any any eq 53
  permit tcp any any eq 80
  permit tcp any any eq 443
  permit tcp any host 10.250.10.50 eq 8443   ! Posture server
  deny ip any 10.0.0.0 0.255.255.255 log     ! Block internal
  permit ip any any

5. Troubleshooting CoA

5.1 Common CoA Issues

Issue Cause Resolution
CoA not received Firewall blocking UDP 1700 Open port from ISE to switches
CoA NAK Wrong shared secret Verify RADIUS key matches
Session not found Session ID mismatch Use MAC-based CoA instead
VLAN not changing Switch not supporting Check IOS version, enable DAI
URL redirect fails dACL not applied Verify dACL configured on switch

5.2 CoA Debug Procedure

CoA_Troubleshooting:

  Step_1_Verify_ISE_Sending:
    ISE: Operations → RADIUS → Live Logs
    Filter: CoA
    Look for: "CoA Request sent"

  Step_2_Check_Switch_Receiving:
    Switch: debug radius
    Look for: "CoA received from [ISE IP]"

  Step_3_Check_Switch_Response:
    Switch log: "CoA-ACK" = success
    Switch log: "CoA-NAK" = failure (check reason)

  Step_4_Verify_Session_Updated:
    Switch: show authentication sessions interface GiX/X/X
    Confirm new VLAN/dACL applied

  Step_5_Check_ISE_Confirmation:
    ISE: Live Logs
    Look for: "CoA Acknowledgement received"

6. Automation Scripts

6.1 Python Script: Quarantine Endpoint

#!/usr/bin/env python3
# /opt/abhavtech/scripts/quarantine_endpoint.py

import requests
import sys

ISE_HOST = "ise-pan.abhavtech.com"
ISE_USER = "api-admin"
ISE_PASS = "********"

def quarantine_endpoint(mac_address, reason):
    """Send CoA to quarantine an endpoint"""

    url = f"https://{ISE_HOST}:9060/ers/config/ancendpoint"

    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json"
    }

    payload = {
        "OperationAdditionalData": {
            "additionalData": [
                {"name": "macAddress", "value": mac_address},
                {"name": "policyName", "value": "QUARANTINE"}
            ]
        }
    }

    response = requests.put(
        url,
        auth=(ISE_USER, ISE_PASS),
        headers=headers,
        json=payload,
        verify=False
    )

    if response.status_code == 204:
        print(f"SUCCESS: Endpoint {mac_address} quarantined")
        print(f"Reason: {reason}")
    else:
        print(f"FAILED: {response.status_code} - {response.text}")

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: quarantine_endpoint.py <MAC> <reason>")
        sys.exit(1)

    quarantine_endpoint(sys.argv[1], sys.argv[2])

Document Version: 2.0 Abhavtech.com - SD-Access Implementation