Enable the RADIUS Change of Authorization feature
In this topic, you will learn how to set up your environment to let Portnox™ Cloud send RADIUS Change of Authorization (CoA) packets to your NAS devices when you change access policies.
The RADIUS Change of Authorization feature lets you change authorization dynamically after the device/user is authenticated. If you modify the VLAN/ACL assignments in an access control policy, the RADIUS server can send CoA packets to all devices that use this policy, which cause these devices to authenticate with the RADIUS server again and apply the new policy. To learn more, read our technical blog post about the RADIUS Change of Authorization feature.
Portnox Cloud can send RADIUS CoA packets only from a locally installed Portnox local RADIUS Docker container, or from the Portnox Active Directory Broker. This is necessary because CoA packets cannot be sent from an external network (the cloud), so you need a local application on a local server to send CoA packets.
To turn on this feature, go to Edit link, activate the Enable CoA checkbox, and then click on the Save button.
, click on the- Send CoA packets from a local RADIUS Docker container (recommended).
- Send CoA packets from a local AD Broker installation (obsolete: supported, but not recommended for new installations).
Prepare the NAS device to receive CoA packets
In this topic, you will learn how to configure a Cisco device to receive CoA packets from either a local RADIUS Docker container or a local AD Broker installation.
This example is for Cisco devices, which do not have CoA enabled by default, so this configuration is required for CoA to work. Other manufacturers’ devices may have CoA enabled by default. To configure CoA on other devices, please consult the manufacturer documentation.
-
Enable privileged EXEC mode.
enable
-
Enter the global configuration mode.
configure terminal
-
Globally enable authentication, authorization, and accounting (AAA).
aaa new-model
-
Enter the dynamic authorization local server configuration mode and specify a RADIUS client from which a device
accepts CoA requests.
aaa server radius dynamic-author
-
Configure the RADIUS key to be shared between a device and RADIUS clients.
client {ip-address | name [vrf vrf-name]} server-key [0 | 7] string
Example:
client 10.0.9.57
-
Specify the port on which a device listens for RADIUS requests from configured RADIUS clients.
port port-number
Example:
port 3799
- Optional:
Configure the NAS device to ignore the session key.
ignore session-key
- Optional:
Configure the NAS device to ignore the server key.
ignore server-key
-
Return to global configuration mode.
exit
Send CoA packets from a local RADIUS Docker container
In this section, you will learn how to set up your environment to let Portnox™ Cloud send RADIUS CoA packets to your NAS devices from your local RADIUS Docker container.
-
Set up and run a local RADIUS server using the Portnox Docker container.
Follow the instructions in the relevant topic:
Note: Use the Docker container option for deploying the local RADIUS server. While you can also run the local RADIUS server from a local virtual machine using the local RADIUS virtual machine images, the CoA functionality is only supported by the Docker container. -
Configure RADIUS on your NAS devices.
Refer to your NAS device manual to learn how to configure the NAS device to access RADIUS servers. You can also find configuration suggestions for different NAS devices in the following collections of topics: Configure wireless devices to work with Portnox Cloud and Configure Ethernet devices to work with Portnox Cloud.
-
Check your firewall settings for the RADIUS container.
Open your firewall ports as required according to the description in this topic: How to set up the firewall for the local RADIUS instance to connect to Portnox Cloud. Note that CoA functionality requires additional open ports.
With this configuration, Portnox Cloud performs the following steps when you change the access policy settings:
- Portnox Cloud determines the devices that the policy settings apply to.
- The next time that the local RADIUS server synchronizes with the cloud RADIUS server (synchronization is performed every minute), it receives instructions to send CoA packets to specific NAS devices.
- The local RADIUS server sends the RADIUS CoA packets to NAS devices in the local network.
- The NAS devices react to the CoA packets by contacting Portnox cloud RADIUS servers to re-authenticate (in order of priority configured in the NAS).
- After authentication, the NAS devices receive information from the RADIUS servers about VLANs/ACLs they should use.
Send CoA packets from a local AD Broker installation
In this section, you will learn how to set up your environment to let Portnox™ Cloud send RADIUS CoA packets to your NAS devices from your local AD Broker installation.
-
Set up and run a local instance of the Portnox Active Directory Broker.
Follow the instructions in the relevant topic:
Note: If you want to send CoA packets but you don’t use Active Directory or OpenLDAP, you can use the following workaround: Set up a local AD/OpenLDAP server with an empty directory and connect the AD Broker to that empty directory. To send CoA packets, the AD Broker does not need access to your corporate directory, you just need a locally running application that communicates with the Portnox Cloud. However, to install AD Broker, you have to connect it to a directory, and so you need the empty LDAP directory for that purpose. -
Configure RADIUS on your NAS devices.
Refer to your NAS device manual to learn how to configure the NAS device to access RADIUS servers. You can also find configuration suggestions for different NAS devices in the following collections of topics: Configure wireless devices to work with Portnox Cloud and Configure Ethernet devices to work with Portnox Cloud.
With this configuration, Portnox Cloud performs the following steps when you change the access policy settings:
- Portnox Cloud determines the devices that the policy settings apply to.
- The next time that the AD Broker polls the cloud (default: every 30 seconds), it receives instructions to send CoA packets to specific NAS devices.
- The AD Broker sends the RADIUS CoA packets to NAS devices in the local network.
- The NAS devices react to the CoA packets by contacting Portnox cloud RADIUS servers to re-authenticate (in order of priority configured in the NAS).
- After authentication, the NAS devices receive information from the RADIUS servers about VLANs/ACLs they should use.