1
00:00:06,820 --> 00:00:09,330
- [Instructor] RADIUS change of authorization

2
00:00:09,330 --> 00:00:13,880
or CoA is a feature that allows a RADIUS server

3
00:00:13,880 --> 00:00:17,710
to adjust an active client session.

4
00:00:17,710 --> 00:00:22,710
For instance, ISE can issue a CoA RADIUS attribute

5
00:00:23,000 --> 00:00:25,880
to an access device to force the session

6
00:00:25,880 --> 00:00:28,090
to be reauthenticated.

7
00:00:28,090 --> 00:00:29,340
An example is the use

8
00:00:29,340 --> 00:00:32,930
of CoA when the Threat Centric Network Access Control

9
00:00:32,930 --> 00:00:37,080
or TC-NAC detects a vulnerability.

10
00:00:37,080 --> 00:00:42,080
The TC-NAC is a feature that enables ISE to collect threat

11
00:00:42,190 --> 00:00:43,990
and vulnerability data

12
00:00:43,990 --> 00:00:46,630
from many third-party threat and vulnerability

13
00:00:46,630 --> 00:00:48,610
scanners and software.

14
00:00:48,610 --> 00:00:53,520
The purpose of this feature is to allow ISE to have a threat

15
00:00:53,520 --> 00:00:55,750
and risk view into the host

16
00:00:55,750 --> 00:00:58,083
it is controlling access rights for.

17
00:00:59,160 --> 00:01:04,160
Note that the TC-NAC feature enables you to have visibility

18
00:01:04,170 --> 00:01:08,820
into any vulnerable hosts on the network

19
00:01:08,820 --> 00:01:10,780
and to take dynamic network

20
00:01:10,780 --> 00:01:13,830
quarantine actions when required.

21
00:01:13,830 --> 00:01:17,170
ISE can create authorization policies based

22
00:01:17,170 --> 00:01:19,060
on vulnerability attributes,

23
00:01:19,060 --> 00:01:22,660
such as the Common Vulnerability Scoring System

24
00:01:22,660 --> 00:01:25,810
or CVSS scores which are received

25
00:01:25,810 --> 00:01:27,830
from your third-party threat

26
00:01:27,830 --> 00:01:30,780
and vulnerability assessment software.

27
00:01:30,780 --> 00:01:31,990
Threat severity levels

28
00:01:31,990 --> 00:01:35,640
and vulnerability assessment results can be used

29
00:01:35,640 --> 00:01:38,900
to dynamically control the access level

30
00:01:38,900 --> 00:01:41,340
of an endpoint or a user.

31
00:01:41,340 --> 00:01:45,010
When a vulnerability event is received for an endpoint,

32
00:01:45,010 --> 00:01:48,920
Cisco ISE can then automatically trigger a change

33
00:01:48,920 --> 00:01:51,760
of authority for that endpoint

34
00:01:51,760 --> 00:01:54,963
as demonstrated in the diagram below.