In traditional RADIUS the client makes an AAA request to a RADIUS server, is granted basic connectivity, and life moves on. If the posture of the endpoint or the endpoint's circumstances changed, there was no mechanism in RADIUS to update the authorization policy. To address this, RADIUS Change of Authorization (CoA) was developed; it is defined in RFC 5176. CoA messages are used by the AAA framework to dynamically modify subscriber sessions.
CoA and Cisco Identity Services Engine
CoA is a big part of using Cisco ISE. After an endpoint successfully authenticates, it can be given basic connectivity, giving ISE the time it needs to profile and posture the endpoint. Once ISE profiles and/or postures the device, ISE sends a CoA message to the Network Access Device (NAD). The CoA message contains a new policy based on the profile or posture. The policy can be a dACL, a VLAN assignment, an SGT, and so on. The following image depicts a high-level CoA process.
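To make the RFC 5176 exchange concrete, here is an added Python example (not code from this page or from Cisco) that builds a CoA-Request carrying a new policy attribute, computes the Request Authenticator over the shared secret, and performs the check a NAD does before applying the pushed policy; the shared secret, session id and ACL name are constructed sample values, and Filter-Id is used here simply as a generic policy attribute.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
DISCONNECT_REQUEST = 40
# RADIUS attribute types used here (RFC 2865/2866)
USER_NAME, FILTER_ID, ACCT_SESSION_ID = 1, 11, 44


def encode_attrs(attrs):
    # Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_coa_request(identifier, attrs, secret):
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets
    #                             + Attributes + Secret)   (RFC 5176 s3)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    # The NAD-side check: recompute the authenticator with the shared
    # secret; a bad secret or altered attributes must be rejected (NAK).
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (COA_REQUEST, DISCONNECT_REQUEST) or length != len(packet):
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def build_response(request, code, secret, attrs=()):
    # CoA-ACK/NAK: MD5(Code + ID + Length + RequestAuth + Attrs + Secret)
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


# Constructed sample: ISE tells the NAD to apply a new ACL to a session
SECRET = b"constructed-shared-secret"
SAMPLE = build_coa_request(7, [(USER_NAME, b"host/lab-pc"),
                               (ACCT_SESSION_ID, b"0000001A"),
                               (FILTER_ID, b"GUEST-ACL")], SECRET)
```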
CoA and Central Web Authentication
CoA is also used to perform Centralized Web Authentication (CWA). When the initial authentication fails, ISE can be configured to fall back to a web-based authentication. In this situation ISE pushes an initial policy that allows only web traffic and redirects that traffic to ISE, creating a captive portal. ISE also sends the URL of an authentication portal to the NAD, which can then be pushed to the user's browser session. Once guest authentication succeeds, ISE uses CoA to push a new policy to the NAD, updating the policy from captive portal to guest access or otherwise. The following image depicts a high-level CWA flow.
As you can tell, CoA is a major part of ISE functionality. This is part of the reason a switch infrastructure might need to be upgraded to support ISE: not all switches support CoA, and without it you are limited to basic authentication and authorization.