Radius COA functionality on Zyxel AP

Zyxel_Judy Posts: 546
Zyxel Certified Network Engineer Level 1 - Security Zyxel Certified Network Administrator - Security 50 Answers First Comment
 Zyxel Employee

Based on the need of user @mikebutash , we would like to propose the implementation of Radius COA functionality on Zyxel AP. This topic was raised in the following discussion:   

Radius COA functionality to deauth clients immediately? — Zyxel Community

If anyone likes this idea, please feel free to leave a comment or click vote.   



3 votes

Active · Last Updated


  • Hi,

    This would be a great addition to the current functionality to allow useful NAC implementations.

    Could I also suggest that support for CoA not be limited to terminating sessions, but to also allow forcing EAP reauthentication and/or changing attributes?

    Specifically, for the first scenario, a CoA request can get the authenticator (the AP/switch) to send an EAP request to the supplicant (the 802.1X client) to reauthenticate. This could also serve as the means to deassociate the client, if the subsequent EAP authentication fails.

    As far as the second scenario goes, the CoA request could, for example, include a Tunnel-Private-Group-ID AVP to change the VLAN assignment of the client.

    What do you think of these suggestions?



  • Zyxel_Nami
    Zyxel_Nami Posts: 195
    Zyxel Certified Network Engineer Level 1 - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 5 Answers
     Zyxel Employee

    Hello Luci,

    Thank you for sharing your insightful suggestions regarding the implementation of Radius CoA functionality on Zyxel AP. Your ideas about integrating EAP Reauthentication and VLAN Assignment with CoA are indeed innovative and valuable.

    While I understand the potential benefits of these features, I regret to inform you that, as of this writing, Radius CoA is not currently planned to be included in our roadmap.

    However, I want to assure you that your feedback is essential to us, and we will keep it in consideration for future developments. In the meantime, you may explore the below parameters of Nebula AP to see if the RADIUS packet from your radius server includes the necessary attributes to achieve your goals of managing client connections.

    • Service-Type: service type
    • Framed-IP-Address: station’s IP address
    • User-Name: user name
    • Calling-Station-Id: station’s MAC address

    Your engagement with our community and your willingness to contribute ideas are highly appreciated.

    Best Regards