Enable the RADIUS Change of Authorization feature

In this topic, you will learn how to set up your environment to let Portnox™ Cloud send RADIUS Change of Authorization (CoA) packets to your NAS devices when you change access policies.

The RADIUS Change of Authorization feature lets you change authorization dynamically after the device/user is authenticated. If you modify the VLAN/ACL assignments in an access control policy, the RADIUS server can send CoA packets to all devices that use this policy, which cause these devices to authenticate with the RADIUS server again and apply the new policy. To learn more, read our technical blog post about the RADIUS Change of Authorization feature.

Portnox Cloud can send RADIUS CoA packets only from a locally installed Portnox local RADIUS Docker container, or from the Portnox LDAP Broker. This is necessary because CoA packets cannot be sent from an external network (the cloud), so you need a local application on a local server to send CoA packets.

To turn on this feature, go to Settings > Services > GENERAL SETTINGS > Change of Authorization, click on the Edit link, activate the Enable CoA checkbox, and then click on the Save button.

Note:

Originally, this functionality was only available in LDAP Broker, but it has now been extended to the local RADIUS Docker container. While the LDAP Broker method is still supported, we recommend that all new installations use the local RADIUS Docker container instead.

Send CoA packets from a local RADIUS Docker container (recommended).
Send CoA packets from a local LDAP Broker installation (obsolete: supported, but not recommended for new installations).

How does the CoA process work?

In this section, you will learn what happens during the CoA process.

To explain how the CoA process works, we will examine a case where the account is blocked manually in Portnox Cloud.

An administrator blocks the device in Portnox Cloud.
Portnox Cloud checks the last validation status of the device:
- If the device does not have an Acct-Session-Id, Portnox Cloud takes no further action.
- If the device has an Acct-Session-Id, Portnox Cloud creates a PoD request and sends it to the Portnox local RADIUS server that validated the last authentication.
Portnox Cloud updates the device information in the database so that all subsequent authentications fail.
The local RADIUS server receives the PoD request.
The local RADIUS server sends the PoD request with the Acct-Session-Id to the NAS.
The NAS receives the PoD request and disconnects all sessions with the matching Acct-Session-Id.
The NAS terminates the session without disabling the host port, causing the authenticator state machine to reinitialize.
The NAS acknowledges the PoD by sending a Disconnect-ACK to the local RADIUS server. The local RADIUS server drops the response.
The NAS sends an Accounting STOP to the local RADIUS server.
The local RADIUS server forwards the accounting packet to Portnox Cloud, and it appears in the AAA logs.

Prepare the NAS device to receive CoA packets

In this section, you will learn how to configure a Cisco device to receive CoA packets from either a local RADIUS Docker container or a local LDAP Broker installation.

This example is for Cisco devices, which do not have CoA enabled by default, so this configuration is required for CoA to work. Other manufacturers’ devices may have CoA enabled by default. To configure CoA on other devices, please consult the manufacturer documentation.

Important:

NAS devices accept CoA packets on UDP port 1700 or 3799. Port 1700 was historically used by various RADIUS servers and devices to communicate CoA-related changes. However, the IETF introduced port 3799 in 2003 in RFC 3576 as the standardized port for RADIUS CoA operations. Only some NAS devices allow you to configure a different port number. Make sure that your firewall allows these packets on the route between your local Portnox installations and your NAS devices.

Enable privileged EXEC mode.
```
enable
```
Enter the global configuration mode.
```
configure terminal
```
Globally enable authentication, authorization, and accounting (AAA).
```
aaa new-model
```
Enter the dynamic authorization local server configuration mode and specify a RADIUS client from which a device accepts CoA requests.
```
aaa server radius dynamic-author
```

Configure the RADIUS key to be shared between a device and RADIUS clients.

client {ip-address | name [vrf vrf-name]} server-key [0 | 7] string

Example:

client 10.0.9.57

Specify the port on which a device listens for RADIUS requests from configured RADIUS clients.
```
port port-number
```
Example:
```
port 3799
```
Optional: Configure the NAS device to ignore the session key.
```
ignore session-key
```
Optional: Configure the NAS device to ignore the server key.
```
ignore server-key
```
Return to global configuration mode.
```
exit
```

Send CoA packets from a local RADIUS Docker container

In this section, you will learn how to set up your environment to let Portnox™ Cloud send RADIUS CoA packets to your NAS devices from your local RADIUS Docker container.

Set up and run a local RADIUS server using the Portnox Docker container.
Follow the instructions in the relevant topic:
- Run the local RADIUS server in a container
Note:
Use the Docker container option for deploying the local RADIUS server. While you can also run the local RADIUS server from a local virtual machine using the local RADIUS virtual machine images, the CoA functionality is only supported by the Docker container.
Configure RADIUS on your NAS devices.

Refer to your NAS device manual to learn how to configure the NAS device to access RADIUS servers. You can also find configuration suggestions for different NAS devices in the following collections of topics: Configure wireless devices to work with Portnox Cloud and Configure Ethernet devices to work with Portnox Cloud.
1. As your highest priority RADIUS server, configure the Cloud RADIUS server closest to your location.
2. Optional: As your next priority RADIUS server, configure the second Cloud RADIUS server (if you selected the International (geo-redundancy) option when you created your tenant).
3. As your next priority RADIUS server, configure the local RADIUS server (based on the Portnox Docker container) – this server will send CoA packets.
  
  If you need very fast response times, you can set up the local RADIUS server with higher priority than the cloud servers, but you will have less detailed logs, and any changes that you make in Portnox Cloud will be visible to your devices only upon cache expiration.
Check your firewall settings for the RADIUS container.
Open your firewall ports as required according to the description in this topic: How to set up the firewall for the local RADIUS instance to connect to Portnox Cloud. Note that CoA functionality requires additional open ports.

With this configuration, Portnox Cloud performs the following steps when you change the access policy settings:

Portnox Cloud determines the devices that the policy settings apply to.
The next time that the local RADIUS server synchronizes with the Cloud RADIUS server (synchronization is performed every minute), it receives instructions to send CoA packets to specific NAS devices.
The local RADIUS server sends the RADIUS CoA packets to NAS devices in the local network.
The NAS devices react to the CoA packets by contacting Portnox Cloud RADIUS servers to re-authenticate (in order of priority configured in the NAS).
After authentication, the NAS devices receive information from the RADIUS servers about VLANs/ACLs they should use.

Send CoA packets from a local LDAP Broker installation

In this section, you will learn how to set up your environment to let Portnox™ Cloud send RADIUS CoA packets to your NAS devices from your local LDAP Broker installation.

Note:

This method is not recommended for new installations. Portnox Cloud originally sent CoA packets only from local AD Broker installations. However, many NAS devices limit the number of RADIUS servers to three, making it impossible to use redundant Cloud RADIUS servers, a local RADIUS server, and an LDAP Broker for CoA purposes. Therefore, we recommend to use the local RADIUS server Docker container instead.

Set up and run a local instance of the Portnox LDAP Broker.
Follow the instructions in the relevant topic:
- Integrate with Active Directory through LDAP Broker
- Integrate with OpenLDAP through LDAP Broker
Note:
If you want to send CoA packets but you don’t use Active Directory or OpenLDAP, you can use the following workaround: Set up a local AD/OpenLDAP server with an empty directory and connect the LDAP Broker to that empty directory. To send CoA packets, the LDAP Broker does not need access to your corporate directory, you just need a locally running application that communicates with the Portnox Cloud. However, to install LDAP Broker, you have to connect it to a directory, and so you need the empty LDAP directory for that purpose.
Configure RADIUS on your NAS devices.

Refer to your NAS device manual to learn how to configure the NAS device to access RADIUS servers. You can also find configuration suggestions for different NAS devices in the following collections of topics: Configure wireless devices to work with Portnox Cloud and Configure Ethernet devices to work with Portnox Cloud.
1. As your highest priority RADIUS server, configure the Cloud RADIUS server closest to your location.
2. Optional: As your next priority RADIUS server, configure the second Cloud RADIUS server (if you selected the International (geo-redundancy) option when you created your tenant).
3. Optional: As your next priority RADIUS server, configure the local RADIUS server (if you use the local RADIUS server).
  
  If you need very fast response times, you can set up the local RADIUS server with higher priority than the cloud servers, but you will have less detailed logs, and any changes that you make in Portnox Cloud will be visible to your devices only upon cache expiration.
  
  Note:
  If your NAS device limits the number of RADIUS servers to three, you must skip either this step or the previous step (second Cloud RADIUS server).
4. As your lowest priority RADIUS server, configure the LDAP Broker installation as follows:
  - As the IP address of this RADIUS server, provide the IP address of the server where you installed the LDAP Broker.
  - As the authentication port and the accounting port, you can use any port numbers that are not used by the server where you installed the LDAP Broker.
  - As the shared secret, use the same shared secret as the first configured Cloud RADIUS server.
  The LDAP Broker is not a RADIUS server, but you must configure it in the NAS device so that the NAS device can accept CoA packets coming from this server. Since you configure it with the lowest priority, the NAS device never contacts it when attempting to authenticate connections. That is why the authentication port and the accounting port are never used (they are used only if the NAS contacts the RADIUS server).

With this configuration, Portnox Cloud performs the following steps when you change the access policy settings:

Portnox Cloud determines the devices that the policy settings apply to.
The next time that the LDAP Broker polls the cloud (default: every 30 seconds), it receives instructions to send CoA packets to specific NAS devices.
The LDAP Broker sends the RADIUS CoA packets to NAS devices in the local network.
The NAS devices react to the CoA packets by contacting Portnox Cloud RADIUS servers to re-authenticate (in order of priority configured in the NAS).
After authentication, the NAS devices receive information from the RADIUS servers about VLANs/ACLs they should use.