CoA with ISE


Do anyone of you happen to know if there is a way for a client to trigger the ISE server to do a CoA when the client is already logged in to the network?

Basically letting the user of a client reconnect to whatever other part of the network at will. 


  • Can you give more detail on what you're trying to achieve? Like what is the use case?

  • Cool, I will. 

    The use case is as follows: I want one thin client (TC) to be able to access 3 different VLANs/VRFs, but it needs to access only one at a time. So when a user logs inn, the user should be prompted to access one of them, and when this happens the NAD (be it a switch or a wireless access point) should be able to put it in the correct VLAN. When the user completes its business on one VLAN and want's to access another, the user could just "click a button" which informes the ISE server to make the NAD change the VLAN on the port being used by the client. 

    So the question is really what type of technologies a client can use to make the ISE change the services the client receives from its NAD.

  • Hi,

      For ISE to trigger CoA an event needs to happen (either client re-authenticating, or client posture changes, or an external entity like a firewall or a SIEM or a EMM signals to ISE that client's posture has changed). So in you case, if you want the client to push a button to trigger CoA, that button needs to flap its NIC which will force a reauthentication; but if you want the client to then get another authorization it means the client needs to use different credentials; also in your case you have to do user authentication (machine authentication could be added, optionally if you need stronger security, but it's not enough by itself as machine credentials are always the same).



  • Perfect answer Cristian! Thank you :)

Sign In or Register to comment.