Staff & Editor
May 6, 2025

Technical Tip: How to fix FortiSwitch in FortiLink mode not responding to RADIUS Change of Authorization (CoA) sent by FortiNAC

Description This article describes how to address the CoA behavior where a FortiSwitch managed via FortiLink ignores a RADIUS Disconnect-Request and drops it silently without generating any logs.
Scope FortiNAC, FortiSwitch managed via FortiLink.
Solution

RADIUS accounting must be configured on the FortiGate, and the radius-acct service must be enabled on the FortiGate and FortiSwitch interfaces that communicate with FortiNAC. Otherwise, the FortiSwitch will not respond to Disconnect-Request packets sent by FortiNAC.


RADIUS (UDP 1812,1813/1645/1646) and CoA (UDP 3799) traffic must be allowed in both directions directly between FortiNAC and the FortiSwitch, and NAT should be disabled.

The FortiNAC log message indicates that the Disconnect-Request was sent but no response came back from the FortiSwitch:


yams.RadiusManager INFO :: 2025-05-01 12:55:59:052 :: #3013 :: RadiusServer radiusCoA to <FSW IP> failed com.bsc.plugin.packets.RadiusException: Receive timed out

 

FortiGate Configuration:


config system interface
    edit "<FortiGate interface>"
        set allowaccess ping https ssh radius-acct
    next
end

config user radius
    edit "<RADIUS_server_name>"
        set acct-interim-interval <time interval>
        set radius-coa enable
        config accounting-server
            edit 1
                set status enable
                set server <FortiNAC-IP>
                set secret XXX
                set port 1813
            next
        end
    next
end

 

For the FortiSwitch configuration, either enable the radius-acct service directly on the switch (in the FortiSwitch GUI, enable radius-acct on the FortiLink interface) or append radius-acct to the switch controller local-access policy (this pushes the configuration to all switches managed via FortiLink).

 

config switch-controller security-policy local-access
    edit default
        append mgmt-allowaccess radius-acct
        append internal-allowaccess radius-acct
    next
end
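To confirm the change, the following added example (not part of the original article and not Fortinet code) builds an RFC 5176 Disconnect-Request, sends it to UDP 3799 and distinguishes a silent drop from an ACK, a NAK or a reply with a bad authenticator. Assumptions: the session is identified by Calling-Station-Id in the MAC format shown, the probe runs from the host the switch accepts CoA from (the FortiNAC server), and all sample values are constructed.

```python
import hashlib, hmac, socket, struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 codes
CALLING_STATION_ID = 31  # RADIUS attribute type (RFC 2865)

def build_disconnect_request(secret: bytes, ident: int, attrs: dict) -> bytes:
    """Disconnect-Request; authenticator = MD5(header + 16 zero octets + attrs + secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs.items())
    head = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def check_reply(secret: bytes, request: bytes, reply: bytes) -> str:
    """Return 'ack', 'nak' or 'invalid' (bad length, identifier or authenticator)."""
    if len(reply) < 20:
        return "invalid"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return "invalid"
    # Response Authenticator covers the request's authenticator and the shared secret,
    # so a mismatch here usually means the secrets differ on the two sides.
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "invalid"
    return {DISCONNECT_ACK: "ack", DISCONNECT_NAK: "nak"}.get(code, "invalid")

def probe(switch_ip: str, secret: bytes, mac: bytes, timeout=3.0, port=3799) -> str:
    """Send one Disconnect-Request; 'timeout' is the silent drop described above."""
    req = build_disconnect_request(secret, 1, {CALLING_STATION_ID: mac})
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (switch_ip, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return check_reply(secret, req, reply)

if __name__ == "__main__":
    # Offline self-check with constructed values; call probe() with the real
    # FortiSwitch IP, shared secret and endpoint MAC to test a live switch.
    req = build_disconnect_request(b"constructed-secret", 1,
                                   {CALLING_STATION_ID: b"00-11-22-33-44-55"})
    print(len(req), req[:4].hex())
```

A result of "timeout" after the configuration change points back at the radius-acct allowaccess setting or at filtering or NAT on UDP 3799, while "invalid" points at a shared-secret mismatch.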