# Change of Authorization (CoA)

## Description

Send a Change of Authorization (CoA) to an endpoint's active session. CoA is a RADIUS extension (RFC 5176) that lets ISE dynamically change session attributes or terminate a session without waiting for the endpoint to re-authenticate on its own.
## Usage

```bash
# Force re-authentication (default)
netapi ise mnt coa 70:15:FB:F8:47:EC

# Explicitly specify reauth
netapi ise mnt coa 70:15:FB:F8:47:EC --type Reauth

# Disconnect session completely
netapi ise mnt coa 70:15:FB:F8:47:EC --type Disconnect

# Port bounce (shutdown/no shutdown)
netapi ise mnt coa 70:15:FB:F8:47:EC --type PortBounce
```
## CoA Types

| Type | Action | Use Case |
|---|---|---|
| Reauth | Re-run authentication | Apply new policy after profile change |
| Disconnect | Terminate session | Force user to reconnect |
| PortBounce | Shutdown then enable port | Clear port state, force full reauth |
## Use Cases

### Apply Policy Change Immediately

```bash
#!/bin/bash
# After updating the authorization profile, force reauth so the new policy applies
set -euo pipefail
MAC="${1:?usage: $0 <mac>}"
echo "Updating endpoint group..."
netapi ise update-endpoint-group "$MAC" "Trusted_Users"
echo "Sending CoA to apply new policy..."
netapi ise mnt coa "$MAC" --type Reauth
echo "Verifying new session..."
sleep 5   # give the endpoint time to re-authenticate
netapi ise mnt session "$MAC"
```
### Incident Response - Disconnect Compromised Endpoint

```bash
#!/bin/bash
# Immediately disconnect and quarantine an endpoint, tagging output with the ticket id
set -euo pipefail
MAC="${1:?usage: $0 <mac> <ticket>}"
TICKET="${2:?usage: $0 <mac> <ticket>}"
echo "[$TICKET] Disconnecting $MAC"
netapi ise mnt coa "$MAC" --type Disconnect
echo "[$TICKET] Applying quarantine..."
netapi ise anc-apply "$MAC" Quarantine
echo "[$TICKET] Done. Endpoint will get quarantine policy on reconnect."
```
### Refresh All Sessions After Policy Update

```bash
#!/bin/bash
# After a major policy change, refresh all active sessions.
# No `set -e` here: one failed CoA should not abort the whole sweep.
set -uo pipefail
echo "Getting active sessions..."
# Assumes the session listing prints MACs as uppercase, colon-separated;
# sort -u avoids sending several CoAs to a MAC that appears more than once
for mac in $(netapi ise mnt sessions | grep -oE '([0-9A-F]{2}:){5}[0-9A-F]{2}' | sort -u); do
    echo "CoA: $mac"
    netapi ise mnt coa "$mac" --type Reauth || echo "CoA failed for $mac" >&2
    sleep 1 # Rate limit
done
```
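The sweep above only matches uppercase, colon-separated MACs, so sessions reported in lowercase or hyphenated form would be skipped silently. The following helper, added here as an example and not part of netapi, normalizes every MAC before issuing CoA and reports failures instead of aborting; it assumes `netapi ise mnt sessions` prints one MAC per session somewhere in its text, and `DRY_RUN` is a variable introduced here, not a netapi option.

```bash
#!/bin/bash
# Added example, not part of netapi: bulk CoA with MAC normalization.
# Assumes `netapi ise mnt sessions` prints one MAC per session somewhere
# in its text; DRY_RUN is a name introduced here, not a netapi option.
set -u

# Normalize a MAC to AA:BB:CC:DD:EE:FF (accepts lowercase and hyphens).
# Returns 1 and prints nothing if the value is not a 12-digit hex MAC.
normalize_mac() {
    local hex
    hex=$(printf '%s' "$1" | tr -d ':-' | tr 'a-f' 'A-F')
    printf '%s' "$hex" | grep -qE '^[0-9A-F]{12}$' || return 1
    printf '%s\n' "$hex" | sed -E 's/(..)(..)(..)(..)(..)(..)/\1:\2:\3:\4:\5:\6/'
}

# Read session output on stdin; emit unique normalized MACs, one per line.
extract_macs() {
    grep -oiE '([0-9a-f]{2}[:-]){5}[0-9a-f]{2}' | while read -r m; do
        normalize_mac "$m"
    done | sort -u
}

# Send a CoA of the given type to each MAC read from stdin.
# A failed CoA is reported and skipped rather than aborting the sweep.
# With DRY_RUN=1 the command is printed instead of executed.
bulk_coa() {
    local type="${1:-Reauth}" mac sent=0 failed=0
    while read -r mac; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would send: netapi ise mnt coa $mac --type $type"
        elif ! netapi ise mnt coa "$mac" --type "$type"; then
            echo "CoA failed for $mac" >&2
            failed=$((failed + 1))
            continue
        else
            sleep 1   # rate limit against the MnT node
        fi
        sent=$((sent + 1))
    done
    echo "sent=$sent failed=$failed"
}

# Typical invocation (commented out so the file is safe to source):
# netapi ise mnt sessions | extract_macs | bulk_coa Reauth
```

Run with `DRY_RUN=1` first to see which sessions would receive CoA before sending anything.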
## Related Commands

- `mnt session` - View session before/after CoA
- `anc-apply` - Quarantine with CoA
- `mnt auth-status` - Verify reauth succeeded