What is Change of Authorization (CoA)

Change of Authorization (CoA) is a network security mechanism that allows administrators to dynamically modify the access privileges, network permissions, or security policies of an active user or device session in real time—without disconnecting the session or requiring reauthentication. In BFSI environments, CoA enables immediate response to security events, compliance violations, or policy changes by adjusting what authenticated devices and users can access while they remain connected to branch networks, ATMs, or digital banking infrastructure.

How does Change of Authorization (CoA) work

CoA is defined in RFC 5176 (Dynamic Authorization Extensions to RADIUS) and operates as an extension of the RADIUS authentication protocol, reversing the traditional communication flow. Normally, network devices such as switches and access points send authentication requests to a RADIUS server; with CoA, the RADIUS server or policy engine (such as Cisco ISE or similar NAC platforms) can send unsolicited commands back to network devices to change session attributes for already-connected endpoints.

When a CoA event is triggered—such as a device failing a security posture check, a policy update from the security team, or detection of anomalous behavior—the RADIUS server sends a CoA-Request packet to the network access device managing that session. This request includes instructions such as applying a different VLAN assignment, pushing downloadable access control lists (dACLs) to restrict traffic, forcing session reauthentication, quarantining the device, or completely terminating the connection. Before acting on it, the network device verifies the request's authenticator against the RADIUS shared secret and silently discards any request that fails that check, which is why dynamic authorization should be accepted only from the addresses of trusted policy servers. The network device then processes the CoA request and responds with either a CoA-ACK (acknowledgment) if successful or a CoA-NAK (non-acknowledgment) if the change cannot be applied.

For BFSI institutions, this happens seamlessly: a teller workstation that loses antivirus protection can be immediately moved to a quarantine VLAN with access restricted to remediation servers only, or an ATM exhibiting suspicious communication patterns can have its core banking access revoked, while legitimate transactions elsewhere on the network continue uninterrupted.
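
The exchange described above, as an added example that is not from the original page or any vendor's implementation: a minimal RFC 5176 CoA-Request carrying an Acct-Session-Id and a Tunnel-Private-Group-ID (VLAN) change, a simulated NAS that checks the Request Authenticator and answers CoA-ACK or CoA-NAK with an Error-Cause, and the policy-server side validating the reply. The shared secret, session IDs and VLAN numbers are constructed values, and the in-process function call stands in for the UDP port 3799 round trip.

```python
import hashlib, struct
# RFC 5176 packet codes and the RADIUS attribute types this example uses
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ACCT_SESSION_ID, TUNNEL_PRIVATE_GROUP_ID, ERROR_CAUSE = 44, 81, 101

def encode_attrs(attrs):                     # each AVP is Type(1) Length(1) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    out, i = {}, 0
    while i < len(data):
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out

def build_coa_request(ident, attrs, secret):
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body

def build_response(code, ident, req_auth, attrs, secret):
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body

def nas_handle_coa(packet, secret, sessions):   # simulated switch/AP (NAS) side
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, body = packet[4:20], packet[20:length]
    if code != COA_REQUEST or req_auth != hashlib.md5(
            packet[:4] + bytes(16) + body + secret).digest():
        return None                          # bad authenticator: silently discard
    attrs = decode_attrs(body)
    sid = attrs.get(ACCT_SESSION_ID, b"").decode()
    if sid not in sessions:                  # Error-Cause 503: Session Context Not Found
        err = struct.pack("!I", 503)
        return build_response(COA_NAK, ident, req_auth, [(ERROR_CAUSE, err)], secret)
    sessions[sid]["vlan"] = attrs[TUNNEL_PRIVATE_GROUP_ID].decode()
    return build_response(COA_ACK, ident, req_auth, [], secret)

def quarantine(sid, vlan, secret, sessions, ident=7):   # policy-server side
    req = build_coa_request(ident, [(ACCT_SESSION_ID, sid.encode()),
                                    (TUNNEL_PRIVATE_GROUP_ID, vlan.encode())], secret)
    resp = nas_handle_coa(req, secret, sessions)   # stands in for UDP/3799 round trip
    if resp is None or resp[1] != ident or resp[4:20] != hashlib.md5(
            resp[:4] + req[4:20] + resp[20:] + secret).digest():
        return "no valid reply"              # unauthenticated or unmatched response
    return "ack" if resp[0] == COA_ACK else "nak %d" % struct.unpack(
        "!I", decode_attrs(resp[20:]).get(ERROR_CAUSE, b"\0\0\0\0"))[0]
```

A production VLAN push also carries Tunnel-Type and Tunnel-Medium-Type alongside Tunnel-Private-Group-ID, and a real NAS would additionally accept Disconnect-Request (code 40); both are left out here to keep the authenticator and ACK/NAK logic in view.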

Why CoA matters for BFSI

Banks and financial institutions operate 24/7 digital channels, branch networks, and payment infrastructure where unplanned downtime directly impacts customer transactions, regulatory SLAs, and brand trust. CoA provides the agility to enforce security and compliance policies in real time without the service disruption that would result from forcing mass logoffs or waiting for devices to reconnect.

From a cybersecurity perspective, CoA is critical for containing threats rapidly: if endpoint detection systems flag a compromised branch PC or if fraud analytics identify suspicious ATM behavior, CoA allows security teams to isolate or restrict the device immediately, limiting lateral movement and data exfiltration before manual intervention. This aligns with RBI's emphasis on proactive cyber defense and timely incident response capabilities. Similarly, when devices fall out of compliance—missing security patches, disabled firewalls, or expired certificates—CoA can automatically quarantine them until remediation is complete, maintaining the integrity of PCI DSS cardholder data environments and regulatory audit trails.

Common BFSI use cases

  • Automated compliance enforcement: When endpoint security agents detect that a branch employee's laptop has disabled antivirus software or is missing critical patches, CoA immediately moves the device to a restricted VLAN with access only to update servers, preventing non-compliant endpoints from touching core banking systems or customer data.
  • Dynamic ATM and kiosk isolation: If network monitoring detects unusual traffic patterns from an ATM—such as connections to unauthorized IP addresses or malware indicators—CoA can instantly apply stricter access controls or quarantine the ATM while allowing other ATMs and branch operations to continue normally.
  • Time-based and guest user access management: Guest Wi-Fi in bank lobbies or time-limited contractor access can be automatically terminated or downgraded when session time limits expire, and captive portal systems use CoA to grant full network access immediately after guest users complete registration and accept terms.
  • Incident response and threat containment: When SIEM platforms or security operations centers identify a compromised user account or device exhibiting indicators of attack, security teams can trigger CoA to revoke privileges, apply deny ACLs, or force reauthentication with multi-factor verification—all without waiting for scheduled maintenance windows or user logoff.
  • Policy rollout and group updates: When banks update security policies for entire user groups—such as changing VLAN assignments for payment processing staff or applying new firewall rules to branch managers—CoA allows centralized policy servers to push changes to all active sessions instantly, ensuring consistent enforcement across hundreds of branches and thousands of endpoints.

Simple analogy

Imagine a bank branch where employees are issued access badges in the morning. Traditionally, if you needed to change someone's access level—say, revoking their ability to enter the vault—you'd have to wait until they leave for the day and issue a new badge tomorrow. CoA is like having smart badges that can be remotely reprogrammed in real time: the moment a security concern arises or a role changes, the badge instantly reflects new permissions without the employee needing to return it or leave the building.

Key takeaway

Change of Authorization empowers BFSI institutions to enforce security and compliance policies dynamically during active network sessions, enabling immediate containment of threats, automated remediation of non-compliant devices, and agile policy updates—all without disrupting legitimate banking operations or forcing service downtime.