Change of Authorization

Overview

Change of Authorization (CoA) allows you to force endpoints to reauthenticate or disconnect without waiting for session timeout.

Base URL

/admin/API/mnt/CoA

Methods

PUT

Actions

Reauth (1), Disconnect (2)

Setup

dsource d000 dev/network
ISE_MNT="${ISE_MNT_IP:-$ISE_PAN_IP}"
ISE_AUTH="${ISE_API_USER}:${ISE_API_PASS}"
BASE_URL="https://${ISE_MNT}/admin/API/mnt"

Reauthenticate by MAC

Forces endpoint to reauthenticate with current policy.

netapi:
netapi ise mnt coa --mac "C8:5B:76:C6:59:62" --action reauth

curl:
# Reauthenticate session by MAC
MAC="C8:5B:76:C6:59:62"

# First get NAS IP from session
NAS_IP=$(curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/Session/MACAddress/${MAC}" \
  -H "Accept: application/xml" | \
  grep -oP '(?<=<nas_ip_address>)[^<]+')

# Send CoA Reauth
curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/CoA/Reauth/${NAS_IP}/${MAC}/1" \
  -H "Accept: application/xml" \
  -X PUT

Disconnect by MAC

Disconnects endpoint (port bounce). Endpoint must reconnect.

netapi:
netapi ise mnt coa --mac "C8:5B:76:C6:59:62" --action disconnect

curl:
# Disconnect session by MAC (port bounce)
MAC="C8:5B:76:C6:59:62"

NAS_IP=$(curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/Session/MACAddress/${MAC}" \
  -H "Accept: application/xml" | \
  grep -oP '(?<=<nas_ip_address>)[^<]+')

curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/CoA/Disconnect/${NAS_IP}/${MAC}/1" \
  -H "Accept: application/xml" \
  -X PUT

Reauthenticate by IP

# Reauthenticate by endpoint IP
ENDPOINT_IP="10.50.10.100"

# Get session details
SESSION=$(curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/Session/EndPointIPAddress/${ENDPOINT_IP}" \
  -H "Accept: application/xml")

MAC=$(echo "$SESSION" | grep -oP '(?<=<calling_station_id>)[^<]+')
NAS_IP=$(echo "$SESSION" | grep -oP '(?<=<nas_ip_address>)[^<]+')

curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/CoA/Reauth/${NAS_IP}/${MAC}/1" \
  -H "Accept: application/xml" \
  -X PUT

Bulk Operations

Reauth All on NAS

# Reauthenticate all sessions on a specific NAS (switch/WLC)
NAS_IP="10.50.1.10"

echo "Finding all sessions on ${NAS_IP}..."

# ActiveList is assumed to be pretty-printed XML with calling_station_id within
# the 5 lines before nas_ip_address; grep -B5 depends on that layout
curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/Session/ActiveList" \
  -H "Accept: application/xml" | \
  grep -B5 "<nas_ip_address>${NAS_IP}</nas_ip_address>" | \
  grep -oP '(?<=<calling_station_id>)[^<]+' | \
  while read MAC; do
    echo "Reauth: ${MAC}"
    curl -sk -u "${ISE_AUTH}" \
      "${BASE_URL}/CoA/Reauth/${NAS_IP}/${MAC}/1" \
      -H "Accept: application/xml" \
      -X PUT
    sleep 0.5  # Rate limit
  done

Disconnect All on NAS

# Disconnect all sessions on a NAS (emergency/maintenance)
NAS_IP="10.50.1.10"

echo "WARNING: Disconnecting all sessions on ${NAS_IP}"
read -p "Continue? (y/n) " -n 1 -r
echo

if [[ $REPLY =~ ^[Yy]$ ]]; then
  # Same layout assumption as above: calling_station_id must sit within the
  # 5 lines before nas_ip_address for grep -B5 to pair them correctly
  curl -sk -u "${ISE_AUTH}" \
    "${BASE_URL}/Session/ActiveList" \
    -H "Accept: application/xml" | \
    grep -B5 "<nas_ip_address>${NAS_IP}</nas_ip_address>" | \
    grep -oP '(?<=<calling_station_id>)[^<]+' | \
    while read MAC; do
      echo "Disconnect: ${MAC}"
      curl -sk -u "${ISE_AUTH}" \
        "${BASE_URL}/CoA/Disconnect/${NAS_IP}/${MAC}/1" \
        -H "Accept: application/xml" \
        -X PUT
      sleep 0.5
    done
fi

Reauth by Username

# Reauthenticate all sessions for a user
USERNAME="jsmith"

# Assumes calling_station_id precedes nas_ip_address in each session block, so
# grep emits them in MAC, NAS_IP order and paste pairs them up line by line
curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/Session/UserName/${USERNAME}" \
  -H "Accept: application/xml" | \
  grep -oP '(?<=<calling_station_id>)[^<]+|(?<=<nas_ip_address>)[^<]+' | \
  paste - - | while read MAC NAS_IP; do
    echo "Reauth ${USERNAME} session: ${MAC} via ${NAS_IP}"
    curl -sk -u "${ISE_AUTH}" \
      "${BASE_URL}/CoA/Reauth/${NAS_IP}/${MAC}/1" \
      -H "Accept: application/xml" \
      -X PUT
  done

Policy Change Workflow

#!/bin/bash
# reauth-policy-change.sh
# Reauthenticate endpoints affected by policy change

POLICY_SET="Wired_802.1X_Closed"

echo "Finding active sessions using policy: ${POLICY_SET}"

# Get sessions using this policy (requires DataConnect)
MACS=$(netapi ise dc --format json query "
  SELECT DISTINCT CALLING_STATION_ID
  FROM RADIUS_AUTHENTICATIONS
  WHERE POLICY_SET_NAME = '${POLICY_SET}'
  AND TIMESTAMP_TIMEZONE > SYSDATE - 1/24
"  | tail -n +2)

COUNT=$(printf '%s\n' "$MACS" | grep -c .)  # count non-empty lines (wc -l reports 1 for no results)
echo "Found ${COUNT} endpoints"

read -p "Reauthenticate all? (y/n) " -n 1 -r
echo

if [[ $REPLY =~ ^[Yy]$ ]]; then
  echo "$MACS" | while read MAC; do
    echo "Reauth: ${MAC}"
    netapi ise mnt coa --mac "${MAC}" --action reauth
    sleep 0.5
  done
fi

CoA with Verification

# CoA with verification
MAC="C8:5B:76:C6:59:62"

echo "=== Before CoA ==="
netapi ise mnt session "${MAC}"

echo -e "\n=== Sending Reauth ==="
netapi ise mnt coa --mac "${MAC}" --action reauth

echo -e "\n=== Waiting for reauth... ==="
sleep 5

echo -e "\n=== After CoA ==="
netapi ise mnt session "${MAC}"

Scheduled Reauth

#!/bin/bash
# scheduled-reauth.sh
# Reauthenticate specific endpoints (for cron jobs)

MACS=(
  "C8:5B:76:C6:59:62"
  "98:BB:1E:1F:A7:13"
  "14:F6:D8:7B:31:80"
)

LOGFILE="/var/log/ise-coa-$(date +%Y%m%d).log"

dsource d000 dev/network

for MAC in "${MACS[@]}"; do
  echo "[$(date '+%Y-%m-%d %H:%M:%S')] Reauth: ${MAC}" >> "$LOGFILE"

  RESULT=$(netapi ise mnt coa --mac "${MAC}" --action reauth 2>&1)

  if [ $? -eq 0 ]; then
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] Success: ${MAC}" >> "$LOGFILE"
  else
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] Failed: ${MAC} - ${RESULT}" >> "$LOGFILE"
  fi

  sleep 1
done

Response Codes

# CoA Response Interpretation

Success responses:
- "true" or empty response = CoA sent successfully
- Note: "Success" means ISE sent the CoA request, not that the NAS acknowledged it (the NAS verdict appears later as COA-ACK/COA-NAK in RADIUS_ACCOUNTING)

Common failures:
- "No active session found" = Endpoint not authenticated
- "CoA failed" = NAS rejected or timed out
- "Invalid MAC format" = Use XX:XX:XX:XX:XX:XX

Troubleshooting:
1. Verify session exists: netapi ise mnt session "MAC"
2. Check NAS supports CoA (RFC 5176)
3. Check ISE-to-NAS connectivity on UDP port 1700 (Cisco default) or 3799 (RFC 5176)
4. Verify NAS has matching RADIUS shared secret
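The grep pipelines in the sections above depend on the XML layout (one tag per line, a fixed tag order). As an added example, not part of the original page or of the netapi tool, here is a parser-based Python equivalent of the session lookup, the per-NAS filter used by the bulk operations, and the response interpretation listed under Response Codes. The element names are the ones the page's grep patterns look for, the sample replies are constructed rather than captured from ISE, and the PUT itself is still sent with curl as shown above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample replies (not captured from a real ISE); they use the tag names the
# page's grep patterns look for, while real responses carry many more fields.
SESSION_XML = ("<sessionParameters><calling_station_id>C8:5B:76:C6:59:62</calling_station_id>"
               "<nas_ip_address>10.50.1.10</nas_ip_address></sessionParameters>")
ACTIVE_LIST_XML = ("<activeList>"
    "<activeSession><calling_station_id>AA:BB:CC:00:00:01</calling_station_id><nas_ip_address>10.50.1.10</nas_ip_address></activeSession>"
    "<activeSession><calling_station_id>AA:BB:CC:00:00:02</calling_station_id><nas_ip_address>10.50.1.11</nas_ip_address></activeSession>"
    "<activeSession><calling_station_id>AA:BB:CC:00:00:03</calling_station_id><nas_ip_address>10.50.1.10</nas_ip_address></activeSession></activeList>")
FIELDS = ("calling_station_id", "nas_ip_address")

def normalize_mac(mac: str) -> str:
    """Canonical XX:XX:XX:XX:XX:XX; MnT answers 'Invalid MAC format' for other spellings."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"Invalid MAC format: {mac!r} (use XX:XX:XX:XX:XX:XX)")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def session_fields(session_xml: str) -> dict:
    """MAC and NAS IP from a Session reply; a real parser, so tag order and line breaks do not matter."""
    root = ET.fromstring(session_xml)
    found = {el.tag: (el.text or "").strip() for el in root.iter() if el.tag in FIELDS}
    return {tag: found.get(tag) for tag in FIELDS}

def macs_on_nas(active_list_xml: str, nas_ip: str) -> list:
    """MACs of every ActiveList session on nas_ip, matched per session element, not by grep -B5 distance."""
    root = ET.fromstring(active_list_xml)
    return [(mac.text or "").strip() for entry in root.iter()
            if (nas := entry.find("nas_ip_address")) is not None
            and (mac := entry.find("calling_station_id")) is not None
            and (nas.text or "").strip() == nas_ip]

def coa_url(base_url: str, action: str, nas_ip: str, mac: str) -> str:
    """PUT target {base}/CoA/{Reauth|Disconnect}/{NAS_IP}/{MAC}/1, the form used on this page."""
    if action not in ("Reauth", "Disconnect"):
        raise ValueError(f"unknown CoA action {action!r}")
    return f"{base_url}/CoA/{action}/{nas_ip}/{normalize_mac(mac)}/1"

def interpret_response(body: str) -> tuple:
    """(sent, reason): 'true'/empty only means ISE sent the CoA; the NAS verdict shows up later as COA-ACK/COA-NAK."""
    text = body.strip()
    if text.lower() in ("", "true"):
        return True, "sent"
    for known in ("No active session found", "CoA failed", "Invalid MAC format"):
        if known.lower() in text.lower():
            return False, known
    return False, f"unexpected reply: {text[:80]}"
```

Feed the body of the curl -X PUT call to interpret_response and treat only a true result as "request sent", then confirm the NAS side with the Monitor CoA Results query below.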

Monitor CoA Results

# Monitor CoA results in ISE logs (via DataConnect)
netapi ise dc --format json query "
  SELECT
    TO_CHAR(TIMESTAMP_TIMEZONE, 'HH24:MI:SS') as time,
    CALLING_STATION_ID as mac,
    NAS_IP_ADDRESS as nas,
    MESSAGE_CODE,
    PASSED
  FROM RADIUS_ACCOUNTING
  WHERE MESSAGE_CODE IN ('COA-ACK', 'COA-NAK', 'Disconnect-ACK', 'Disconnect-NAK')
  AND TIMESTAMP_TIMEZONE > SYSDATE - 1/24
  ORDER BY TIMESTAMP_TIMEZONE DESC
  FETCH FIRST 20 ROWS ONLY
"

Use Cases

Scenario               | Action                        | Method
-----------------------|-------------------------------|------------------
Policy change deployed | Reauth affected endpoints     | Reauth
Security incident      | Disconnect compromised device | Disconnect
Maintenance window     | Bounce all ports on switch    | Disconnect (bulk)
VLAN change            | Force reauth to get new VLAN  | Reauth
Certificate renewal    | Reauth to use new cert        | Reauth

Troubleshooting

CoA Failed

1. Verify session exists: netapi ise mnt session "MAC"
2. Check NAS supports CoA (RFC 5176)
3. Verify ISE-to-NAS connectivity on UDP port 1700 (Cisco default) or 3799 (RFC 5176)
4. Check NAS has matching RADIUS shared secret

No Active Session Found

- Endpoint may have disconnected
- Session aged out
- Wrong MAC format (use XX:XX:XX:XX:XX:XX)
