Enable the RADIUS Change of Authorization feature

In this topic, you will learn how to set up your environment to let Portnox™ Cloud send RADIUS Change of Authorization (CoA) packets to your NAS devices when you change access policies.

The RADIUS Change of Authorization feature lets you change authorization dynamically after the device/user is authenticated. If you modify the VLAN/ACL assignments in an access control policy, the RADIUS server can send CoA packets to all devices that use this policy, which cause these devices to authenticate with the RADIUS server again and apply the new policy. To learn more, read our technical blog post about the RADIUS Change of Authorization feature.

Portnox Cloud can send RADIUS CoA packets only from a locally installed Portnox Active Directory Broker. This is necessary because CoA packets cannot be sent from an external network (the cloud), so you need a local application on a local server to send CoA packets. Portnox chose the AD Broker to perform this function, because it already communicates regularly with Portnox Cloud, and it is commonly used by our customers.

  1. Set up and run a local instance of the Portnox Active Directory Broker.

    Follow the instructions in the relevant topic:

    Note: If you want to send CoA packets but you don’t use Active Directory or OpenLDAP, you can use the following workaround: Set up a local AD/OpenLDAP server with an empty directory and connect the AD Broker to that empty directory. To send CoA packets, the AD Broker does not need access to your corporate directory, you just need a locally running application that communicates with the Portnox Cloud. However, to install AD Broker, you have to connect it to a directory, and so you need the empty LDAP directory for that purpose.
  2. Configure RADIUS on your NAS devices.

    Refer to your NAS device manual to learn how to configure the NAS device to access RADIUS servers. You can also find configuration suggestions for different NAS devices in the following collections of topics: Configure wireless devices to work with Portnox Cloud and Configure Ethernet devices to work with Portnox Cloud.

    1. As your highest priority RADIUS server, configure the cloud RADIUS server closest to your location.
    2. Optional: As your next priority RADIUS server, configure the second cloud RADIUS server (if you selected the International (geo-redundancy) option when you created your tenant).
    3. Optional: As your next priority RADIUS server, configure the local RADIUS server (if you use the local RADIUS server).

      If you need very fast response times, you can set up the local RADIUS server with higher priority than the cloud servers, but you will have less detailed logs, and any changes that you make in Portnox Cloud will be visible to your devices only upon cache expiration.

    4. As your lowest priority RADIUS server, configure the AD Broker installation as follows:
      • As the IP address of this RADIUS server, provide the IP address of the server where you installed the AD Broker.
      • As the authentication port and the accounting port, you can use any port numbers that are not used by the server where you installed the AD Broker.
      • As the shared secret, use the same shared secret as the first configured cloud RADIUS server.

      The AD Broker is not a RADIUS server, but you must configure it in the NAS device so that the NAS device can accept CoA packets coming from this server. Since you configure it with the lowest priority, the NAS device never contacts it when attempting to authenticate connections. That is why the authentication port and the accounting port are never used (they are used only if the NAS contacts the RADIUS server).

With this configuration, Portnox Cloud performs the following steps when you change the access policy settings:

  1. Portnox Cloud determines the devices that the policy settings apply to.
  2. The next time that the AD Broker polls the cloud (default: every 30 seconds), it receives instructions to send CoA packets to specific NAS devices.
  3. The AD Broker sends the RADIUS CoA packets to NAS devices in the local network.
  4. The NAS devices react to the CoA packets by contacting Portnox cloud RADIUS servers to re-authenticate (in order of priority configured in the NAS).
  5. After authentication, the NAS devices receive information from the RADIUS servers about VLANs/ACLs they should use.