Change of Authorization (CoA)

Change of authorization (CoA) allows administrators to change authorization dynamically after the device or user is authenticated. As part of authorization, the user or device is given access to specific resources on the network based on the policies or commands downloaded from the RADIUS server. The CoA allows the administrator to change these policies without terminating the sessions. A CoA request packet can be sent by the CoA client (typically a RADIUS or policy server) to change the session authorizations on the ICX device. The request identifies the device and the sessions to be authorized. The following table explains the CoA commands and relevant attributes needed.

Note: Only relevant attributes should be present in the CoA request packet. Any additional attributes in a CoA request packet sent from the RADIUS client may cause the CoA request to fail, which could result in a NAK.

Table 1. CoA Commands and RADIUS Attributes

| CoA command | Description | RADIUS attributes |
|---|---|---|
| Disconnect | Disconnect the specified session | Calling-Station-Id(31), NAS-IP-Address(4) |
| Modify ACL | Modify ingress/egress ACLs on specified session | Calling-Station-Id(31), NAS-IP-Address(4), Filter-Id(11) |
| Disable Port | Disable the specified port | Calling-Station-Id(31), NAS-IP-Address(4), Ruckus FlexAuth AVP(20) |
| Flip Port | Flip the specified port (disable and enable) | Calling-Station-Id(31), NAS-IP-Address(4), Ruckus FlexAuth AVP(20) |
| Reauth Host | Reauthenticate the specified host (session) | Calling-Station-Id(31), NAS-IP-Address(4), Ruckus FlexAuth AVP(20) |

For more information on attributes for RADIUS to support CoA, refer to Company-specific attributes on the RADIUS server.
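
The following Python sketch is an added example, not Ruckus code: it encodes a request for the Disconnect and Modify ACL rows of Table 1 and lints it before sending, flagging any attribute outside the row's set (the condition the note says can produce a NAK) and checking the Request Authenticator. It assumes the standard RFC 5176 packet codes and encoding; the mapping of Disconnect to code 40 and Modify ACL to code 43, the shared secret, MAC format, and addresses are assumptions or constructed sample values, and the rows that need the Ruckus FlexAuth AVP are not modelled.

```python
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43                    # RFC 5176 packet codes
NAS_IP_ADDRESS, FILTER_ID, CALLING_STATION_ID = 4, 11, 31   # types from Table 1

# Command -> (assumed packet code, exact attribute set listed in Table 1)
EXPECTED = {
    "disconnect": (DISCONNECT_REQUEST, {CALLING_STATION_ID, NAS_IP_ADDRESS}),
    "modify-acl": (COA_REQUEST, {CALLING_STATION_ID, NAS_IP_ADDRESS, FILTER_ID}),
}

def build_request(code, ident, attrs, secret):
    """Encode a request from a list of (type, value_bytes) attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Request Authenticator: MD5(header + 16 zero octets + attributes + secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def lint_request(packet, secret, command):
    """Return a list of problems; an empty list means the packet matches Table 1."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return ["bad header or length field"]
    want_code, want_attrs = EXPECTED[command]
    problems = []
    if packet[0] != want_code:
        problems.append(f"packet code {packet[0]}, expected {want_code}")
    digest = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(digest, packet[4:20]):
        problems.append("Request Authenticator mismatch")
    seen, pos = set(), 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            return problems + ["malformed attribute"]
        seen.add(packet[pos])
        pos += packet[pos + 1]
    problems += [f"unexpected attribute {t}" for t in sorted(seen - want_attrs)]
    problems += [f"missing attribute {t}" for t in sorted(want_attrs - seen)]
    return problems

# Constructed sample values (not from the page)
SECRET = b"constructed-shared-secret"
SESSION = [(CALLING_STATION_ID, b"00-11-22-33-44-55"),
           (NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10"))]

if __name__ == "__main__":
    extra = SESSION + [(FILTER_ID, b"acl-guest")]
    print(lint_request(build_request(DISCONNECT_REQUEST, 1, SESSION, SECRET), SECRET, "disconnect"))
    print(lint_request(build_request(DISCONNECT_REQUEST, 2, extra, SECRET), SECRET, "disconnect"))
```

Running the same lint on the CoA client before transmission, or on a capture taken at the switch, separates a NAK caused by an extra attribute from one caused by a shared-secret mismatch.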