A Cisco ISE server sends a CoA to a NAD after a user logs in successfully using CWA.
Which action does the CoA perform?
A. It terminates the client session.
B. It applies the downloadable ACL provided in the CoA.
C. It triggers the NAD to reauthenticate the client.
D. It applies new permissions provided in the CoA to the client session.
Correct answer is C:
CoA for CWA explained. The CoA reauth happens before the DACL.
Switch NADs: https://www.ciscopress.com/articles/article.asp?p=3100059&seqNum=2
WLC NADs: https://www.ciscopress.com/articles/article.asp?p=3100059&seqNum=3
Step 1. The endpoint entering the network does not have a supplicant.
Step 2. The authenticator performs MAB, sending the RADIUS Access-Request to Cisco ISE (the authentication server).
Step 3. The authentication server (ISE) sends the RADIUS result, including a URL redirection, to the centralized portal on the ISE server.
Step 4. The end user enters credentials into the centralized portal. Unlike the LWA options, the credentials are never sent to the switch; instead, they are stored within the ISE session directory and tied together with the MAB coming from the switch.
Step 5. ISE sends a reauthentication Change of Authorization (CoA-reauth) to the switch. This causes the switch to send a new MAB request with the same SessionID to ISE, and it is processed.
Step 6. ISE sends the final authorization result to the switch for the end user.
CWA and the URL-redirection capability in the switches and wireless devices are the basis for many of the other solutions in ISE, including Device Registration WebAuth, BYOD onboarding, MDM onboarding, and posture assessment.
I think it is C – reauthenticate the client
https://documentation.meraki.com/MR/Encryption_and_Authentication/CWA_-_Central_Web_Authentication_with_Cisco_ISE
Client machine associates to the web authentication SSID
Client MAC address is sent to RADIUS server as a username and password (Access-Request) by MR, and the MR responds to the client machine acknowledging the association request
ISE server responds with a RADIUS Access-Accept and a redirect URL
Client machine gets an IP address and DNS server address through DHCP
Client machine tries to reach a webpage which results in an HTTP GET packet
MR intercepts the GET packet and sends redirect URL instead (with webpage hosted on ISE)
Client machine authenticates on the ISE web portal
RADIUS server then sends a CoA request (CoA requests work on UDP Port 1700) with a request to re-authenticate, also indicating that the user is valid
MR sends CoA-ACK
MR Authenticator sends an Access-Request with existing client machine’s session-ID and MAC address
ISE server then responds with Access-Accept and any extra ISE functions after the client's successful authentication to the web portal
Client is allowed access to the network
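To make the CoA-reauth exchange from both step lists concrete, here is an added example (not from the linked Cisco Press or Meraki pages, and not ISE or NAD code) that encodes the reauthenticate CoA-Request on the RFC 5176 wire format, shows the Request Authenticator check a NAD must pass before it re-runs MAB for the session, extracts the Cisco-AVPair strings, and builds the CoA-ACK. The shared secret, packet identifier and audit-session-id are constructed values; the Cisco-AVPair names are the ones Cisco documents for a reauth CoA.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # RFC 5176 packet codes
COA_PORT = 1700           # port cited above; Cisco NADs default to it (RFC 5176 lists 3799)
VENDOR_CISCO, CISCO_AVPAIR = 9, 1

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def _cisco_avpair(text):
    # Vendor-Specific (26) wrapping Cisco-AVPair (vendor 9, sub-type 1)
    return _attr(26, struct.pack("!I", VENDOR_CISCO) + _attr(CISCO_AVPAIR, text.encode()))

def build_coa_reauth(secret, ident, session_id):
    """CoA-Request telling the NAD to reauthenticate one session (the CoA-reauth step)."""
    attrs = (_cisco_avpair(f"audit-session-id={session_id}")      # ties CoA to the MAB session
             + _cisco_avpair("subscriber:command=reauthenticate")
             + _cisco_avpair("subscriber:reauthenticate-type=last"))
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # RFC 5176 s2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def verify_coa_request(packet, secret):
    """The check a NAD must make before acting: recompute the Request Authenticator."""
    if len(packet) < 20 or packet[0] != COA_REQUEST \
            or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_avpairs(packet):
    """Return the Cisco-AVPair strings carried in a CoA packet."""
    pairs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            break  # malformed attribute: stop rather than read past the end
        value = packet[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO \
                and value[4] == CISCO_AVPAIR:
            pairs.append(value[6:6 + value[5] - 2].decode(errors="replace"))
        pos += alen
    return pairs

def build_coa_response(request, secret, ack=True):
    """CoA-ACK/NAK; the Response Authenticator is computed over the request's authenticator."""
    header = struct.pack("!BBH", COA_ACK if ack else COA_NAK, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()
```

A CoA that fails verify_coa_request() must be silently dropped by the NAD, which is why the RADIUS shared secret is the only thing standing between a spoofed UDP datagram and a forced reauthentication of a session.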
I believe it may be C, the explanation link does not work.