Which action does the CoA perform?

A Cisco ISE server sends a CoA to a NAD after a user logs in successfully using CWA.
Which action does the CoA perform?
A. It terminates the client session.
B. It applies the downloadable ACL provided in the CoA.
C. It triggers the NAD to reauthenticate the client.
D. It applies new permissions provided in the CoA to the client session.


3 thoughts on “Which action does the CoA perform?”

  1. Correct answer is C:

    CoA for CWA explained. The CoA reauth happens before the DACL.

    Switch NADs: https://www.ciscopress.com/articles/article.asp?p=3100059&seqNum=2
    WLC NADs: https://www.ciscopress.com/articles/article.asp?p=3100059&seqNum=3

    Step 1. The endpoint entering the network does not have a supplicant.

    Step 2. The authenticator performs MAB, sending the RADIUS Access-Request to Cisco ISE (the authentication server).

    Step 3. The authentication server (ISE) sends the RADIUS result, including a URL redirection, to the centralized portal on the ISE server.

    Step 4. The end user enters credentials into the centralized portal. Unlike the LWA options, the credentials are never sent to the switch; instead, they are stored within the ISE session directory and tied together with the MAB coming from the switch.

    Step 5. ISE sends a reauthentication Change of Authorization (CoA-reauth) to the switch. This causes the switch to send a new MAB request with the same SessionID to ISE, and it is processed.

    Step 6. ISE sends the final authorization result to the switch for the end user.

    CWA and the URL-redirection capability in the switches and wireless devices are the basis for many of the other solutions in ISE, including Device Registration WebAuth, BYOD onboarding, MDM onboarding, and posture assessment.

  2. I think it is C – reauthenticate the client

    https://documentation.meraki.com/MR/Encryption_and_Authentication/CWA_-_Central_Web_Authentication_with_Cisco_ISE

    Client machine associates to the web authentication SSID

    Client MAC address is sent to RADIUS server as a username and password (Access-Request) by MR, and the MR responds to the client machine acknowledging the association request

    ISE server responds with a RADIUS Access-Accept and a redirect URL

    Client machine gets an IP address and DNS server address through DHCP

    Client machine tries to reach a webpage which results in an HTTP GET packet

    MR intercepts the GET packet and sends redirect URL instead (with webpage hosted on ISE)

    Client machine authenticates on the ISE web portal

    RADIUS server then sends a CoA request (CoA requests work on UDP Port 1700) with a request to re-authenticate, also indicating that user is valid
    MR sends CoA-ACK
    MR Authenticator sends an Access-Request with existing client machine’s session-ID and MAC address
    ISE server then responds back with Access-Accept and any extra ISE functions after client’s successful authentication to web portal

    Client is allowed access to the network
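
The CoA step both comments describe, as an added example that is not part of the original page or either comment: a NAD-side check in Python that verifies the RFC 5176 Request Authenticator before acting, then distinguishes a reauthenticate CoA (Cisco-AVPair `subscriber:command=reauthenticate`) from a Disconnect-Request. The names `build_coa`, `classify_coa`, `SECRET` and `SAMPLE` are hypothetical, and the shared secret and session ID are constructed values.

```python
import hashlib
import hmac
import struct

COA_REQUEST, DISCONNECT_REQUEST = 43, 40  # RFC 5176 packet codes
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1

def build_coa(code, ident, avpairs, secret):
    """Build a constructed CoA/Disconnect packet carrying Cisco AV-pairs."""
    attrs = b""
    for pair in avpairs:
        val = pair.encode()
        vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(val) + 2) + val
        attrs += struct.pack("!BB", VENDOR_SPECIFIC, len(vsa) + 2) + vsa
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def classify_coa(packet, secret):
    """Verify the Request Authenticator, then report what the NAD is asked to do."""
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    code, attrs = packet[0], packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "rejected: bad authenticator"  # never act on an unauthenticated CoA
    pairs, i = {}, 0
    while i < len(attrs):
        alen = attrs[i + 1] if i + 1 < len(attrs) else 0
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        body = attrs[i + 2:i + alen]
        if attrs[i] == VENDOR_SPECIFIC and len(body) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                key, _, value = body[6:4 + vlen].decode().partition("=")
                pairs[key] = value
        i += alen
    if code == DISCONNECT_REQUEST:
        return "terminate session"
    if code == COA_REQUEST and pairs.get("subscriber:command") == "reauthenticate":
        return "reauthenticate session " + pairs.get("audit-session-id", "?")
    return "other CoA"

# Constructed sample: secret and session ID are made up for this example.
SECRET = b"constructed-secret"
SAMPLE = build_coa(COA_REQUEST, 7, ["subscriber:command=reauthenticate",
                                    "audit-session-id=0A000001000000A1"], SECRET)
```

A packet that fails the authenticator check is reported as rejected rather than parsed further, which is the behaviour to confirm when auditing which sources are allowed to send CoA to a NAD.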
