HS08 (Visitor III), May 23, 2026
Solved

Fortinac and Cisco WLC 9800

  • May 23, 2026
  • 5 replies
  • 161 views

I have a guest SSID on the Cisco WLC 9800, and if a user wants to connect to this SSID, the user is authenticated by a captive portal with Entra ID.

After the authentication is successful the client should be moved from the isolation network to the guest network. In my case the client was moved to the guest network as far as I can see from the FortiNAC policy, but the client itself is still connected to the isolation network.

I already asked Cisco support and they said the Cisco does not receive the CoA to change the VLAN. Does anyone here know how to change the VLAN on the Cisco WLC 9800?

Best answer by HS08

5 replies

AEK (SuperUser)
May 23, 2026

Try using a packet sniffer (like tcpdump on FNAC) to see if it is sending CoA.

Which version is your FNAC?

AEK
HS08 (Author, Visitor III)
May 25, 2026

What command can I use for tcpdump? My FNAC is using version v7.6.6.

AEK (SuperUser)
May 25, 2026

CoA is supported starting from FNAC-F 7.4.

The command is exec tcpdump …

AEK
ebilcari (Staff)
May 25, 2026

Also to quickly test the CoA/DM use the following command from FNAC CLI:

# exe ent
$ sendcoa -ip x.x.x.x -mac YY:YY:YY:YY:YY:YY -dis

*Replace x.x.x.x with the IP of the WLC and YY:YY.. with the MAC address of the connected host.

The host needs to be connected and authenticated for the WLC to accept it.

If the issue is related only to CoA/DM, after the host completes registration, disconnecting and reconnecting to the same SSID should place it in the guest network. If this does not occur, it indicates that something is missing in the registration or policy matching. Some troubleshooting steps can be found in this article:

Emirjon
HS08 (Author, Visitor III), accepted answer
May 25, 2026

I followed this article (Disconnect Methods | FortiNAC-F 7.2.0 | Fortinet Document Library) and the VLAN change is working now, but even though the VLAN change is working, there is no CoA sent from FNAC to the WLC 9800 (confirmed by Cisco TAC by enabling the debug).

I believe the VLAN change happened because FNAC sends a signal to disconnect the client, and when the client reconnects it gets a new VLAN.

AEK (SuperUser)
May 26, 2026

Need to confirm with tcpdump because it should send it.

Or your firewall is probably blocking port 3799.

AEK
AEK (SuperUser)
May 26, 2026

It seems the port for Cisco WLC is 1700, not 3799 (standard).

On the other hand, did you set the ClearMethod to “radius” in CLI as described in the Cisco WLC integration guide?

device -ip <WLC C9800 IP address> -setAttr -name ClearMethod -value radius

https://docs.fortinet.com/document/fortinac-f/7.6.0/cisco-wireless-controller-integration/582212/step-4-model-the-device

Hope it helps.

AEK
ebilcari (Staff)
May 27, 2026

The default port that FNAC tries to CoA/DM with this WLC is port 1700.

fnac76:~$ cat /bsc/campusMgr/master_loader/properties_plugin/radiusDevice.properties | grep Airespace | grep -ia "coa\|disconnect"
//com.bsc.plugin.radius.RadiusServer.processDisconnect.Airespace=true
com.bsc.plugin.radius.RadiusServer.disconnectAttrs.Airespace=31
com.bsc.plugin.radius.RadiusServer.CoAPort.Airespace=1700

Emirjon
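As an added example (not FortiNAC's sendcoa and not Fortinet's or Cisco's code), here is a minimal RFC 5176 Disconnect-Request builder and reply validator in Python that uses the two values from the properties file above: Calling-Station-Id (attribute 31) as the session key and UDP port 1700 as the destination. The shared secret, the MAC value format and the WLC address are assumptions to replace with your own, and build_response only imitates the WLC side so the validation can be exercised offline.

```python
import hashlib
import socket
import struct
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176 codes
CALLING_STATION_ID = 31   # disconnectAttrs.Airespace=31 in radiusDevice.properties above
WLC_COA_PORT = 1700       # CoAPort.Airespace=1700; the RFC 5176 default is 3799

def build_disconnect_request(secret: bytes, ident: int, mac: str) -> bytes:
    """Disconnect-Request keyed on Calling-Station-Id (MAC format is an assumption)."""
    value = mac.encode()
    attrs = struct.pack("!BB", CALLING_STATION_ID, 2 + len(value)) + value
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attributes|Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse(packet: bytes):
    """Split a RADIUS packet into (code, id, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        typ, alen = packet[pos], packet[pos + 1]
        attrs[typ] = packet[pos + 2:pos + alen]
        pos += max(alen, 2)   # never loop forever on a malformed zero-length attribute
    return code, ident, packet[4:20], attrs

def build_response(request: bytes, secret: bytes, code: int) -> bytes:
    """Imitates the NAS (the WLC): an ACK or NAK carrying no attributes."""
    header = struct.pack("!BBH", code, request[1], 20)
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def check_response(request: bytes, response: bytes, secret: bytes) -> str:
    """Classify a reply; a mis-keyed, forged or mismatched-ID reply is 'invalid'."""
    code, ident, auth, _ = parse(response)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if ident != request[1] or auth != expected:
        return "invalid"
    return {DISCONNECT_ACK: "ack", DISCONNECT_NAK: "nak"}.get(code, "unexpected")

def send_disconnect(wlc_ip: str, secret: bytes, mac: str, port: int = WLC_COA_PORT):
    """Send one request; None (no reply in 3 s) is what a blocked port or a WLC not listening looks like."""
    request = build_disconnect_request(secret, 1, mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3)
        sock.sendto(request, (wlc_ip, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return check_response(request, reply, secret)
```

Running tcpdump on the FNAC side while calling send_disconnect shows whether anything leaves on port 1700 at all, which separates "nothing sent" from "sent but no ACK".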