Enable the RADIUS Change of Authorization feature
In this topic, you will learn how to set up your environment to let Portnox™ Cloud send RADIUS Change of Authorization (CoA) packets to your NAS devices when you change access policies.
The RADIUS Change of Authorization feature lets you change authorization dynamically after the device/user is authenticated. If you modify the VLAN/ACL assignments in an access control policy, the RADIUS server can send CoA packets to all devices that use this policy, which cause these devices to authenticate with the RADIUS server again and apply the new policy. To learn more, read our technical blog post about the RADIUS Change of Authorization feature.
Portnox Cloud can send RADIUS CoA packets only from a locally installed Portnox Active Directory Broker. This is necessary because CoA packets cannot be sent from an external network (the cloud), so you need a local application on a local server to send CoA packets. Portnox chose the AD Broker to perform this function, because it already communicates regularly with Portnox Cloud, and it is commonly used by our customers.
-
Set up and run a local instance of the Portnox Active Directory Broker.
Follow the instructions in the relevant topic:
Note: If you want to send CoA packets but you don’t use Active Directory or OpenLDAP, you can use the following workaround: Set up a local AD/OpenLDAP server with an empty directory and connect the AD Broker to that empty directory. To send CoA packets, the AD Broker does not need access to your corporate directory, you just need a locally running application that communicates with the Portnox Cloud. However, to install AD Broker, you have to connect it to a directory, and so you need the empty LDAP directory for that purpose. -
Configure RADIUS on your NAS devices.
Refer to your NAS device manual to learn how to configure the NAS device to access RADIUS servers. You can also find configuration suggestions for different NAS devices in the following collections of topics: Configure wireless devices to work with Portnox Cloud and Configure Ethernet devices to work with Portnox Cloud.
With this configuration, Portnox Cloud performs the following steps when you change the access policy settings:
- Portnox Cloud determines the devices that the policy settings apply to.
- The next time that the AD Broker polls the cloud (default: every 30 seconds), it receives instructions to send CoA packets to specific NAS devices.
- The AD Broker sends the RADIUS CoA packets to NAS devices in the local network.
- The NAS devices react to the CoA packets by contacting Portnox cloud RADIUS servers to re-authenticate (in order of priority configured in the NAS).
- After authentication, the NAS devices receive information from the RADIUS servers about VLANs/ACLs they should use.