ISE Profiler and RADIUS CoA - Part 2
In my previous article, I defined CoA as a standards-based RADIUS feature that allows ISE (as a RADIUS server) to initiate unsolicited communication with network access devices, such as switches (acting as RADIUS clients), to update their access policies for an endpoint when certain changes occur. In this part, I will continue my journey by delving deeper into the inner workings of the CoA capability. Continue reading to explore how CoA functions, its implementation details, and its impact on network access control and security.
CoA requests are used in a pushed model to allow for session identification, host reauthentication, and session termination. The model comprises one request (CoA-Request) and two possible response codes—44 and 45 (CoA messages are reliable—always acknowledged):
As you can see above, the CoA response from the target device primarily relates to the session identification process enforced by the CoA requester. Before explaining CoA in more details, it is crucially important to understand more about Session ID generation and maintaining in network access devices.
ISE along with Cisco Catalyst switches implement session-aware networking. Under this, a session identifier is attached to an endpoint’s network access session (wired or wireless), and Session ID is used for all reporting purposes such as “show” commands, MIBs, and RADIUS messages and allows users to distinguish messages for one session to other sessions. With the redirect and CoA based solution, the Session ID is very important. The network device needs to preserve the session ID across requests for the solution to work properly.
Session ID in SYSLOG output:
As mentioned before, this Session ID is used consistently across all authentication methods and features applied to a session.
When an endpoint connects to network, the network device generates a unique session identifier that is a combination of the network device IP address, the session count on the network device (a monotonically increasing unique 32-bit integer), and the timestamp of the corresponding endpoint’s initial connection.
In the case of CoA, ISE can invoke the network access device to enforce specific policies for the endpoint using the Session ID. After the initial authorization, ISE issues a CoA by referencing the same Session ID. Distinct access policies for the endpoints on the same port are applied because of the separation maintained by the Session ID.
Generating and maintaining Session ID (referred be the device as Common Session ID) capability is managed in a network access device using the “aaa session-id common” command (this command is enabled automatically by executing the “aaa new-model” command):
In Part 3, I will continue my discussion by explaining the scenarios in which the ISE Profiler service uses CoA.