300-430 · Question #356
Refer to the exhibit. A network administrator must migrate a Cisco Catalyst 9800 WLC from local client profiling to RADIUS profiling through Cisco ISE. The engineer must enable RADIUS CoA based on det
The correct answer is B. reauth. When Cisco ISE detects a client profile change, it must trigger a CoA to immediately apply the updated authorization policy. The reauth CoA type forces client re-authentication without dropping the connection, allowing ISE to assign the correct policy based on the Windows profile
Question
Refer to the exhibit. A network administrator must migrate a Cisco Catalyst 9800 WLC from local client profiling to RADIUS profiling through Cisco ISE. The engineer must enable RADIUS CoA based on detecting the client type as Windows to update the access policy based on profile detection immediately. Which CoA type configuration must the engineer apply on Cisco ISE?
Exhibit
Options
- Ano CoA
- Breauth
- Cport
- Dbounce
- Epreauth
How the community answered
(50 responses)- A2% (1)
- B82% (41)
- C4% (2)
- D2% (1)
- E10% (5)
Why each option
When Cisco ISE detects a client profile change, it must trigger a CoA to immediately apply the updated authorization policy. The reauth CoA type forces client re-authentication without dropping the connection, allowing ISE to assign the correct policy based on the Windows profile detection.
No CoA disables Change of Authorization entirely, meaning ISE will not trigger any policy update when it detects the Windows client type, failing the requirement for immediate policy enforcement.
Reauth CoA sends a RADIUS Disconnect or CoA-Request that forces the wireless client to re-authenticate against ISE, which causes ISE to evaluate the updated profiling result (Windows device type) and apply the appropriate authorization policy immediately. Unlike port bounce, reauth is non-disruptive to the network session and is the recommended CoA type for policy updates triggered by profiling on wireless clients connected to a Catalyst 9800 WLC. This satisfies the requirement to update access policy immediately upon profile detection without unnecessarily interrupting connectivity.
Port CoA bounces the physical switch port, which is disruptive and designed for wired infrastructure - it disconnects all clients on that port and is not appropriate for a wireless RADIUS profiling scenario where only re-authentication is needed.
Bounce CoA also triggers a port bounce, which disconnects the client from the network and forces a full reconnect cycle - this is more disruptive than necessary and not the correct approach when the goal is simply to re-evaluate authorization policy based on updated profile data.
Preauth is not a standard Cisco ISE CoA type for post-authentication profiling - it is not a valid CoA configuration option in this context and would not achieve the goal of updating access policy after client type detection.
Concept tested: Cisco ISE RADIUS CoA type for client profiling policy update
Source: https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_profiler.html
Topics
Community Discussion
No community discussion yet for this question.
