Change of Authorization (CoA), standardized in RFC 5176, is a RADIUS protocol extension that enables administrators to dynamically modify the access privileges, network permissions, or security policies of an active user or device session in real time, without disconnecting the session or requiring re-authentication. Unlike traditional RADIUS authentication, where network devices initiate requests to servers, CoA reverses this flow: the RADIUS server sends unsolicited CoA-Request packets to network switches, access points, or controllers to immediately change VLAN assignments, apply restrictive ACLs, enforce bandwidth limits, trigger reauthentication, or terminate sessions based on security events, compliance violations, or policy updates.
In BFSI environments, CoA enables immediate response to security events, compliance violations, or policy changes by adjusting what authenticated devices and users can access while they remain connected to branch networks, ATMs, or digital banking infrastructure.
CoA operates as an extension of the RADIUS authentication protocol, reversing the traditional communication flow. Normally, network devices like switches and access points send authentication requests to a RADIUS server; with CoA, the RADIUS server or policy engine (such as Cisco ISE or similar NAC platforms) can send unsolicited commands back to network devices to change session attributes for already-connected endpoints.
When a CoA event is triggered, such as a device failing a security posture check, a policy update from the security team, or detection of anomalous behavior, the RADIUS server sends a CoA-Request packet to the network access device managing that session. This request includes instructions such as applying a different VLAN assignment, pushing downloadable access control lists (dACLs) to restrict traffic, forcing session reauthentication, quarantining the device, or completely terminating the connection. The network device processes the CoA request and responds with either a CoA-ACK (acknowledgment) if the change was applied or a CoA-NAK (negative acknowledgment) if the change cannot be applied.
For BFSI institutions, this happens seamlessly: a teller workstation that loses antivirus protection can be immediately moved to a quarantine VLAN with restricted access to only remediation servers, or an ATM exhibiting suspicious communication patterns can have its core banking access revoked—all without service interruption for legitimate transactions continuing elsewhere on the network.
Banks and financial institutions operate 24/7 digital channels, branch networks, and payment infrastructure where unplanned downtime directly impacts customer transactions, regulatory SLAs, and brand trust. CoA provides the agility to enforce security and compliance policies in real time without the service disruption that would result from forcing mass logoffs or waiting for devices to reconnect.
From a cybersecurity perspective, CoA is critical for containing threats rapidly: if endpoint detection systems flag a compromised branch PC or if fraud analytics identify suspicious ATM behavior, CoA allows security teams to isolate or restrict the device immediately, limiting lateral movement and data exfiltration before manual intervention. This aligns with RBI's emphasis on proactive cyber defense and timely incident response capabilities.
Similarly, when devices fall out of compliance—missing security patches, disabled firewalls, or expired certificates—CoA can automatically quarantine them until remediation is complete, maintaining the integrity of PCI DSS cardholder data environments and regulatory audit trails.
Imagine a bank branch where employees are issued access badges in the morning. Traditionally, if you needed to change someone's access level—say, revoking their ability to enter the vault—you'd have to wait until they leave for the day and issue a new badge tomorrow. CoA is like having smart badges that can be remotely reprogrammed in real time: the moment a security concern arises or a role changes, the badge instantly reflects new permissions without the employee needing to return it or leave the building.
Change of Authorization empowers BFSI institutions to enforce security and compliance policies dynamically during active network sessions, enabling immediate containment of threats, automated remediation of non-compliant devices, and agile policy updates—all without disrupting legitimate banking operations or forcing service downtime.
CoA-Request (RADIUS code 43) modifies an existing session's parameters such as VLAN, ACLs, or bandwidth without disconnecting the user, maintaining session continuity. Disconnect-Request (RADIUS code 40) immediately terminates the session, forcing the device to disconnect and reauthenticate. In BFSI environments, CoA-Request is preferred for wired networks where VLAN changes don't affect IP addressing, while Disconnect-Request is used for wireless networks to prevent IP address conflicts when moving devices between VLANs.
RFC 5176 is the Internet Engineering Task Force (IETF) standard titled "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)" published in January 2008. It formally defines the CoA protocol, message formats, attribute requirements, and implementation guidelines that enable RADIUS servers to send unsolicited commands to network devices for dynamic session modification. RFC 5176 supersedes the earlier RFC 3576 and provides the standardized foundation that allows multi-vendor interoperability between RADIUS servers and network access devices.
Traditional security responses require waiting for users to log off or scheduling maintenance windows to apply policy changes, creating gaps measured in hours or days where threats can propagate. CoA enables sub-second policy enforcement: when security systems detect threats or compliance violations, RADIUS servers immediately send CoA-Request packets that network devices process within milliseconds, applying restrictive policies, quarantining endpoints, or forcing reauthentication before attackers can escalate privileges or exfiltrate data. This real-time enforcement reduces average threat containment time by over 95% compared to manual intervention workflows.
Enterprise-grade switches, wireless LAN controllers (WLCs), access points, routers, and firewalls from major vendors support CoA when configured with RADIUS authentication. Cisco switches and WLCs, HPE Aruba Networking devices, Juniper Networks equipment, FortiSwitch, and other 802.1X-capable devices can process CoA-Request and Disconnect-Request messages. HFCL enterprise switches with 802.1X authentication and NAC integration support CoA for dynamic VLAN assignment, ACL updates, and session management, enabling real-time policy enforcement across branch banking networks.
Yes. Cisco Identity Services Engine (ISE), HPE Aruba ClearPass, Fortinet FortiAuthenticator, and other enterprise NAC platforms act as RADIUS CoA servers that send dynamic authorization commands to network devices. These platforms expose both GUI-based administrative controls (Live Logs with Reauth/Disconnect buttons) and REST APIs for automation, allowing security teams to manually trigger CoA actions or integrate with SIEM, SOAR, and endpoint management systems for automated policy enforcement based on security events, compliance status, or threat intelligence.
When a network device cannot process a CoA-Request—due to invalid session identifiers, unsupported attributes, processing errors, or shared secret mismatch—it responds with a CoA-NAK (RADIUS code 45) message to the RADIUS server. The server logs the failure, and depending on configuration, may retry the request, trigger alternative remediation workflows (such as Disconnect-Request), or generate administrative alerts for manual intervention. RFC 5176 mandates atomic operations: if a CoA-Request affects multiple matching sessions and fails for any one session, the entire request must fail and no changes are applied to any session, ensuring consistent policy enforcement.
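As an added example that is not part of this page or HFCL's own code, the Python below models the exchange described in the CoA-Request/ACK/NAK paragraph above and in the answers on RADIUS codes 40/43 and CoA-NAK: a policy server builds an RFC 5176 request with the shared-secret Request Authenticator, and a simulated network access device verifies it, matches sessions by User-Name, applies a VLAN change (Tunnel-Private-Group-ID) to all matched sessions or to none, and answers ACK or NAK with an Error-Cause. The session table, the shared secret, and the rule that only wired sessions accept VLAN moves are constructed assumptions, and a CoA-Request is assumed to carry Tunnel-Private-Group-ID.

```python
import hashlib
import hmac
import struct

# RADIUS codes (RFC 5176) and attribute types used here (RFC 2865/2868/5176)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, TUNNEL_PRIVATE_GROUP_ID = 1, 81
SESSION_CONTEXT_NOT_FOUND, ADMINISTRATIVELY_PROHIBITED = 503, 501  # Error-Cause (RFC 5176 3.5)

def request_authenticator(code, ident, attrs_bytes, secret):
    """RFC 5176 section 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + bytes(16) + attrs_bytes + secret).digest()

def build_request(code, ident, attrs, secret):
    """attrs: (type, value-bytes) pairs, encoded as RADIUS TLVs (Length covers the 2-byte header)."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + request_authenticator(code, ident, body, secret) + body

def decode_attrs(data):
    attrs, i = {}, 0
    while i + 1 < len(data) and data[i + 1] >= 2:  # stop on a truncated or zero-length TLV
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def nas_handle(pkt, secret, sessions):
    """Simulated NAS (constructed): returns (reply_code, error_cause), or None when discarded."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    # Shared-secret check comes first: a malformed, forged or tampered request is dropped, not NAKed
    expected = request_authenticator(code, ident, pkt[20:], secret)
    if length != len(pkt) or not hmac.compare_digest(pkt[4:20], expected):
        return None
    attrs = decode_attrs(pkt[20:])
    matched = [s for s in sessions if sessions[s]["user"] == attrs.get(USER_NAME, b"").decode()]
    if not matched:
        return (DISCONNECT_NAK if code == DISCONNECT_REQUEST else COA_NAK), SESSION_CONTEXT_NOT_FOUND
    if code == DISCONNECT_REQUEST:
        for s in matched:
            del sessions[s]
        return DISCONNECT_ACK, None
    # CoA-Request: the VLAN move applies to every matched session or to none (atomic, RFC 5176).
    # This constructed NAS only honours VLAN changes on wired sessions, as the page recommends.
    if any(not sessions[s]["wired"] for s in matched):
        return COA_NAK, ADMINISTRATIVELY_PROHIBITED
    for s in matched:
        sessions[s]["vlan"] = attrs[TUNNEL_PRIVATE_GROUP_ID].decode()
    return COA_ACK, None
```

Note that RFC 5176 has the NAS silently discard a request whose Request Authenticator does not verify under the shared secret, so a secret mismatch produces no NAK at all; the server only sees a timeout, which is why CoA failures should be monitored on the server side as well.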
Zero Trust principles require continuous verification and least-privilege access enforcement. CoA is a critical Zero Trust enabler that allows authentication systems to immediately revoke or adjust privileges when trust conditions change—such as device posture degradation, anomalous behavior detection, or context changes (location, time, network). By integrating CoA with identity providers, endpoint security agents, and behavioral analytics platforms, organizations implement dynamic authorization where every session is continuously evaluated and automatically adjusted to maintain Zero Trust "never trust, always verify" principles without requiring manual policy updates or user reauthentication.