Updated on May 12, 2025
Managing access control in dynamic networks requires accuracy and adaptability. RADIUS CoA (Change of Authorization) extends the RADIUS protocol so that the RADIUS server can change a user's session while it is still running. With CoA, administrators can apply new policies, revoke access, or update session attributes without forcing the user to disconnect and reauthenticate.
This blog breaks down the basics of RADIUS CoA, how it works, and its practical uses, highlighting how it supports flexible policy enforcement in enterprise networks.
Definition and Core Concepts
What Is RADIUS CoA?
RADIUS CoA is an extension to the RADIUS (Remote Authentication Dial-In User Service) protocol, standardized in RFC 5176 (Dynamic Authorization Extensions to RADIUS), that allows the RADIUS server to send unsolicited messages to Network Access Devices (NADs), conventionally on UDP port 3799. These messages either modify the authorization attributes of an active user session (CoA-Request) or tear the session down (Disconnect-Request), and they take effect immediately.
This changes how networks enforce policy: instead of authorization being fixed at login, administrators can adjust a session's attributes mid-session without requiring the user to reauthenticate.
Core Concepts of RADIUS
RADIUS Overview
RADIUS is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) for users accessing network resources. Its primary purpose is to ensure security, track user activity, and manage access policies.
Authorization
Authorization determines what resources or services a user or device can access after authentication. RADIUS CoA extends this capability, enabling updates to authorization attributes during active sessions.
Accounting
Accounting tracks user activity and resource consumption during a session. CoA can also change accounting-related attributes on a live session, for example Acct-Interim-Interval (how often the NAD reports usage) or vendor-specific quota attributes.
Unsolicited Messages
Unlike traditional RADIUS requests, which are initiated by clients (the NADs), CoA messages are server-initiated. RFC 5176 reverses the usual roles for these packets: the RADIUS server acts as the Dynamic Authorization Client (DAC) and the NAD acts as the Dynamic Authorization Server (DAS), so the NAD must listen for and authenticate incoming requests rather than only sending them.
Attribute Modification
CoA enables real-time alteration of session attributes such as access permissions, bandwidth limits, and session timeouts. These modifications adapt the session to evolving conditions or policies.
Real-Time Policy Enforcement
The practical value of RADIUS CoA is that changes take effect immediately, so policy can respond to events such as a security alert or a policy update while the user stays connected. Note that the NAD, not the RADIUS server, enforces the change: a NAD that does not implement RFC 5176 (or does not support the attribute being changed) will ignore or NAK the request, so CoA support has to be verified per device model before a design relies on it.
How It Works
CoA Request
A CoA exchange begins with the RADIUS server (the Dynamic Authorization Client) sending a CoA-Request (packet code 43) to the NAD. The request identifies the active session, normally by Acct-Session-Id, optionally combined with User-Name, NAS-IP-Address/NAS-Port or Framed-IP-Address, and carries the attributes that should change. Here's what the process includes:
- Session Identification: the NAD matches the request against its session table using Acct-Session-Id and any other identification attributes present. If the identifiers match more than one session, the NAD may refuse the request unless it supports multiple-session selection.
- Requested Modifications: the attributes to apply, such as a new Filter-Id or VLAN (Tunnel-Private-Group-ID), a bandwidth limit, or a Session-Timeout.
CoA Response
After validating the Request Authenticator against the shared secret, the NAD answers with one of two packet types. A request whose authenticator does not verify is silently discarded, not NAKed, so a forger learns nothing from the NAD's response. Possible outcomes are:
- Acknowledged (CoA-ACK, code 44): Confirms the changes were applied successfully.
- Non-Acknowledged (CoA-NAK, code 45): Indicates the changes were not applied. The NAK normally carries an Error-Cause attribute (type 101) giving the reason, for example 503 "Session Context Not Found" for an unknown session, 401 "Unsupported Attribute", or 501 "Administratively Prohibited".
NAD Enforcement
Once the NAD processes the CoA-Request, it adjusts the active session according to the updated attributes. For example:
- Bandwidth limits may be throttled or increased.
- User access may be elevated to premium features or restricted further.
- Sessions may be terminated if necessary. RFC 5176 handles this with a separate Disconnect-Request (code 40, answered by Disconnect-ACK or Disconnect-NAK) rather than a CoA-Request.
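The request, response and enforcement steps above, and the quarantine use case later on the page, as an added example that is not part of the original post or of any vendor's implementation. It is a minimal RFC 5176 exchange in pure Python: the RADIUS server side builds a CoA-Request that swaps a session's Filter-Id for a quarantine ACL; a toy NAD verifies the Request Authenticator with the shared secret, looks the session up by Acct-Session-Id, applies the change and answers CoA-ACK, or answers CoA-NAK with Error-Cause 503 when the session is unknown, or silently drops a request signed with the wrong secret. The shared secret, the session table and the ACL names are constructed for the example; the packet layout and authenticator formulas follow RFC 2865/2866/5176.

```python
"""Added example: RFC 5176 CoA/Disconnect exchange between a Dynamic Authorization
Client (the RADIUS server side) and a toy NAD. Secret, sessions and ACL names are
constructed for the demo; the encoding is the real RADIUS packet layout."""
import hashlib
import hmac
import struct

# RFC 5176 packet codes
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types: User-Name, Filter-Id (RFC 2865), Acct-Session-Id (RFC 2866), Error-Cause (RFC 5176)
USER_NAME, FILTER_ID, ACCT_SESSION_ID, ERROR_CAUSE = 1, 11, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503            # Error-Cause value from RFC 5176
SHARED_SECRET = b"coa-demo-secret"         # constructed for this example


def encode_avps(avps):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = bytearray()
    for attr_type, value in avps:
        if isinstance(value, int):
            value = struct.pack("!I", value)   # integer attributes are 4 octets, network order
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return bytes(out)


def decode_avps(blob):
    """Inverse of encode_avps; rejects truncated or zero-length attributes."""
    avps, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        avps.append((blob[i], bytes(blob[i + 2:i + blob[i + 1]])))
        i += blob[i + 1]
    return avps


def build_request(code, identifier, avps, secret=SHARED_SECRET):
    """CoA-Request / Disconnect-Request. Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = encode_avps(avps)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def build_response(code, request, avps, secret=SHARED_SECRET):
    """ACK / NAK. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    attrs = encode_avps(avps)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def parse(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, avps)."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    return code, identifier, packet[4:20], decode_avps(packet[20:])


def request_is_authentic(packet, secret):
    """NAD-side check: recompute the Request Authenticator with the shared secret."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def response_is_authentic(response, request, secret):
    """DAC-side check: an ACK/NAK must be bound to our request's Identifier and authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(response[4:20], expected)


def nad_handle(packet, sessions, secret=SHARED_SECRET):
    """Toy NAD (Dynamic Authorization Server). `sessions` maps Acct-Session-Id to live
    session state and is mutated in place. Returns the response packet, or None when
    the request must be silently discarded."""
    if not request_is_authentic(packet, secret):
        return None                        # RFC 5176: bad authenticator -> discard, never answer
    code, _, _, avps = parse(packet)
    if code == COA_REQUEST:
        ack, nak = COA_ACK, COA_NAK
    elif code == DISCONNECT_REQUEST:
        ack, nak = DISCONNECT_ACK, DISCONNECT_NAK
    else:
        return None
    session_id = next((v for t, v in avps if t == ACCT_SESSION_ID), None)
    if session_id not in sessions:
        return build_response(nak, packet, [(ERROR_CAUSE, SESSION_CONTEXT_NOT_FOUND)], secret)
    if code == DISCONNECT_REQUEST:
        del sessions[session_id]           # tear the session down
        return build_response(ack, packet, [], secret)
    for attr_type, value in avps:          # apply the new authorization to the live session
        if attr_type == FILTER_ID:
            sessions[session_id]["filter"] = value.decode()
    return build_response(ack, packet, [], secret)


def demo():
    """Quarantine alice, then a CoA for an unknown session, then a CoA forged with a wrong secret."""
    sessions = {b"0000A1B2": {"user": "alice", "filter": "employee-acl"}}   # constructed
    quarantine = build_request(COA_REQUEST, 7, [(USER_NAME, b"alice"),
                               (ACCT_SESSION_ID, b"0000A1B2"), (FILTER_ID, b"quarantine-acl")])
    ack = nad_handle(quarantine, sessions)
    unknown = build_request(COA_REQUEST, 8, [(ACCT_SESSION_ID, b"DEADBEEF"), (FILTER_ID, b"quarantine-acl")])
    nak = nad_handle(unknown, sessions)
    forged = build_request(COA_REQUEST, 9, [(ACCT_SESSION_ID, b"0000A1B2"), (FILTER_ID, b"allow-all")],
                           secret=b"guessed-wrong")
    return {"ack_code": parse(ack)[0], "ack_ok": response_is_authentic(ack, quarantine, SHARED_SECRET),
            "filter_now": sessions[b"0000A1B2"]["filter"], "nak_code": parse(nak)[0],
            "nak_avps": parse(nak)[3], "forged_dropped": nad_handle(forged, sessions) is None}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two details matter in practice. The NAD drops the forged request without replying, because a NAK would tell an attacker that their packet reached a listener and merely failed the secret check. And the server side verifies the Response Authenticator before trusting an ACK, since a spoofed ACK would otherwise let the server believe a quarantine had been applied when it had not.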
Triggering Events
CoA actions are typically triggered by specific events, such as:
- Policy Updates: Modifications to access policies that require immediate application.
- Time-of-Day Restrictions: Limiting access to specific hours.
- Quota Exhaustion: Reducing bandwidth or terminating sessions when users exceed predefined data limits.
- Security Breaches: Isolating or restricting access for compromised devices.
Key Features and Components
Dynamic Policy Updates
RADIUS CoA allows administrators to implement policy changes mid-session, ensuring the network adheres to the latest standards without requiring user intervention.
Server-Initiated Changes
CoA is unusual because the server pushes changes to NADs without a prior client request: the RADIUS server acts as the Dynamic Authorization Client, and every NAD must run a listener (UDP 3799 by convention) that accepts unsolicited requests. That listener is an attack surface. The only integrity protection on a CoA-Request or Disconnect-Request is the MD5-based Request Authenticator computed over the packet with the shared secret, so use a strong, per-NAD secret, restrict the listener to the RADIUS servers' source addresses, and include Event-Timestamp so the NAD can reject stale or replayed requests. An attacker who can forge valid Disconnect-Requests can drop every session on the device.
Granular Control
CoA supports fine-tuned modifications of specific session attributes such as service levels, bandwidth, or filtering rules.
Improved Flexibility
By addressing the limitations of static authorization, RADIUS CoA lets businesses adapt to shifting network conditions and user requirements in real time.
Use Cases and Applications
RADIUS CoA has a variety of practical applications in enterprise networks, making it essential for efficient access control and resource management.
Bandwidth Control
CoA enables administrators to dynamically adjust bandwidth allocations based on real-time conditions:
- Premium users can be granted higher bandwidth.
- Excessive bandwidth usage can trigger throttling for fair resource distribution.
Time-Based Access
Network administrators can enforce time-of-day restrictions using CoA:
- Guest users may have access only during business hours.
- Sessions exceeding allocated time limits can be terminated.
Quarantine and Remediation
CoA plays a critical role in networks with security enforcement policies:
- Non-compliant or compromised devices can be quarantined by pushing a restricted VLAN (Tunnel-Private-Group-ID) or an ACL (Filter-Id) that reroutes their traffic to remediation servers.
- Once security requirements are met, a second CoA-Request restores normal access without a new login.
Policy Enforcement Based on Events
With CoA, networks can dynamically respond to specific events:
- A security alert may revoke access for specific users or devices.
- User actions such as violating acceptable use policies can trigger restrictions automatically.
Key Terms Appendix
- RADIUS (Remote Authentication Dial-In User Service): A protocol that centralizes Authentication, Authorization, and Accounting for network users.
- CoA (Change of Authorization): An extension to RADIUS that enables dynamic updates to active user sessions.
- NAD (Network Access Device): A device (switch, wireless controller, VPN gateway; also called a NAS) that controls network access and communicates with the RADIUS server. For CoA it acts as the Dynamic Authorization Server.
- Session Attribute: A characteristic associated with a user session, such as bandwidth or timeout settings.
- Unsolicited Message: A message initiated by the RADIUS server (acting as Dynamic Authorization Client) rather than by the NAD.
- Policy Enforcement: The application of defined rules and regulations.
- Acct-Session-Id: The RADIUS attribute (type 44) that uniquely identifies a user's network access session on a NAD; CoA and Disconnect requests normally use it to select the session to change.