barisben
New Member
September 19, 2025
Question

FortiNAC-F Not Sending 3799 CoA Requests on Wired Switches


Despite VLAN switching being active, for some reason FortiNAC is not sending 3799 CoA requests on any of my wired switches (I have no issues with access points; 3799 requests are being sent there). If I connect the same device wirelessly, it will do this. For example, when a host connects to switch X, it is assigned to the registered VLAN and 5-10 seconds later is recognized by the DPR. However, unless I manually disable and enable the port, the host doesn't switch to the appropriate VLAN. Even when I manually change the role of host X, it doesn't detect this as new activity and doesn't send a 3799 request. As I mentioned, this issue only occurs with the switches, specifically Aruba switches (both old and new generation). When I check the logs, I can see that FortiNAC isn't even sending the 3799 CoA request. What could be the issue?


Anthony_E
Staff
September 22, 2025

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
September 24, 2025

Hello,

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Best Regards
barisben (Author)
New Member
September 29, 2025

Still looking for a solution.

Staff & Editor
September 29, 2025

Hello barisben,

What is your current FortiNAC version?

Can you please do the following:
1) Make sure the host is disconnected from the switch.
2) Clear the host entry in the Hosts view.
3) Access the FortiNAC CLI and run the following tcpdump command:

# execute tcpdump -i any host <Aruba-switch-ip> and port 3799 or 1700

4) Connect the host and check whether FortiNAC sends a Disconnect-Request packet to reauthenticate the host after authentication.

best regards,
hawada

barisben (Author)
New Member
September 30, 2025

Normally, as you can see in the screenshots, RFC5176 Mode was System Defined. I changed it to Custom, and "RFC5176 Attribute Group" was blank. When I change it to, for example, RFC_VLAN, CoA messages are now being sent to the switch. But now the problem is that the switch responds CoA-NAK, because I think I need to send the right attributes, like bounce. I can't find bounce attributes for Aruba anywhere.

Staff & Editor
September 30, 2025

Great that FortiNAC is now sending the CoA. For Disconnect-Request (40), the HP/Aruba ProCurve/Provision switch needs the following attributes, 1, 4, 5 and 31:

  • User-Name Attribute (1)
  • NAS-IP-Address Attribute (4)
  • NAS-Port Attribute (5)
  • Calling-Station-Id Attribute (31)

AFAIK Aruba switches support the "Aruba-Port-Bounce" VSA-40, but you need to send it with additional RADIUS attributes for it to be accepted by the switch.

Best regards,
hawada

barisben (Author)
New Member
September 30, 2025

How can I get, for example, the User-Name attribute response from the RADIUS message for sending CoA to the switch? These are all the options I have:

Staff & Editor
September 30, 2025

Check the following doc under "RADIUS Attribute Group Response Value"; it should help you achieve what you want.
https://docs.fortinet.com/document/fortinac-f/7.6.0/rfc5176-coa-disconnect-message/600014/how-it-works

br,
Hawada

barisben (Author)
New Member
September 30, 2025

As I understand it, I need to use %AUTH% for all attributes, and I did. But I'm still getting CoA-NAK from the switch.

Staff & Editor
September 30, 2025

From the FortiNAC CLI, run the following tcpdump command to see which attributes are being sent by FortiNAC. If the correct attributes are sent, then you need to check with Aruba why the switch is not accepting the request.

# execute tcpdump -i any -v host <Aruba-switch-ip> and port 3799 or 1700

barisben (Author)
New Member
September 30, 2025
CoA-Request (43), id: 0xc8, Authenticator: 880cfffd8fd488db2628116384e52c25
  Vendor-Specific Attribute (26), length: 12, Value: Vendor: Unknown (43)
    Vendor Attribute: 5, Length: 4, Value: ....
  Vendor-Specific Attribute (26), length: 16, Value: Vendor: Unknown (43)
    Vendor Attribute: 4, Length: 8, Value: 10.8.4.2
  Vendor-Specific Attribute (26), length: 20, Value: Vendor: Unknown (43)
    Vendor Attribute: 1, Length: 12, Value: fc9ffd45cc9b
  Vendor-Specific Attribute (26), length: 25, Value: Vendor: 3rd Generation Partnership Project 2 (3GPP2) (5535)
    Vendor Attribute: 31, Length: 17, Value: FC-9F-FD-45-CC-9B
  Vendor-Specific Attribute (26), length: 12, Value: Vendor: Unknown (14823)
    Vendor Attribute: 40, Length: 4, Value: ....

 

That's why the switch responds Missing Attribute.
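
As an added example (not FortiNAC's or Aruba's code), the Python below encodes and decodes RADIUS attributes so a captured CoA or Disconnect packet can be checked against the attribute list given earlier in this thread (1, 4, 5 and 31 as plain top-level attributes rather than inside Vendor-Specific attributes). The two packets it builds are constructed: one has the shape of the capture above, the other carries the attributes the way the earlier reply describes; the Authenticator, NAS-Port value and packet identifiers are placeholders.

```python
import socket
import struct
# Added example (not FortiNAC's or Aruba's code): a minimal RADIUS attribute codec
# (RFC 2865 TLVs, RFC 5176 packet codes) plus a check for the four attributes the
# thread says the switch needs as plain top-level attributes: 1, 4, 5 and 31.
CODE_DISCONNECT_REQUEST, CODE_COA_REQUEST, VENDOR_ARUBA = 40, 43, 14823
REQUIRED_TOP_LEVEL = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 31: "Calling-Station-Id"}

def attr(atype, value):  # one RADIUS attribute: type(1) length(1) value
    return struct.pack("!BB", atype, 2 + len(value)) + value

def vsa(vendor_id, sub_type, value):  # Vendor-Specific (26) wrapping one vendor sub-attribute
    sub = struct.pack("!BB", sub_type, 2 + len(value)) + value
    return attr(26, struct.pack("!I", vendor_id) + sub)

def packet(code, ident, attrs):  # header + 16-byte Authenticator (zero placeholder here) + attrs
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse(raw):
    """Return (code, [(type, vendor_id, sub_type, value)]); vendor fields are None for plain attrs."""
    code, _ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        val = raw[pos + 2:pos + alen]
        if atype == 26 and len(val) >= 6:  # vendor-id(4) + sub-type(1) + sub-len(1) + sub-value
            attrs.append((26, struct.unpack("!I", val[:4])[0], val[4], val[6:4 + val[5]]))
        else:
            attrs.append((atype, None, None, val))
        pos += alen
    return code, attrs

def missing_attrs(raw):
    """Names of required attributes not present as plain (non-VSA) attributes."""
    present = {t for t, vendor, _, _ in parse(raw)[1] if vendor is None}
    return [name for t, name in REQUIRED_TOP_LEVEL.items() if t not in present]

# Constructed packets: BAD mirrors the shape of the capture in the thread (required attributes
# wrapped inside Vendor-Specific attributes); GOOD carries them as plain attributes plus Aruba
# sub-attribute 40. The NAS-Port value 7 and the packet identifiers are made up.
MAC = b"FC-9F-FD-45-CC-9B"
BAD = packet(CODE_COA_REQUEST, 0xC8, [vsa(43, 5, struct.pack("!I", 7)), vsa(43, 4, b"10.8.4.2"),
      vsa(43, 1, b"fc9ffd45cc9b"), vsa(5535, 31, MAC), vsa(VENDOR_ARUBA, 40, struct.pack("!I", 1))])
GOOD = packet(CODE_DISCONNECT_REQUEST, 0xC9, [attr(1, b"fc9ffd45cc9b"), attr(4, socket.inet_aton("10.8.4.2")),
       attr(5, struct.pack("!I", 7)), attr(31, MAC), vsa(VENDOR_ARUBA, 40, struct.pack("!I", 1))])
```

Running `missing_attrs(BAD)` lists all four names, while `missing_attrs(GOOD)` returns an empty list; the same check can be applied to attribute bytes pulled from a pcap of the real switch traffic.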

Staff & Editor
September 30, 2025

I do see that Attributes 5 and 40 were sent empty. Please capture the CoA traffic plus the RADIUS traffic and upload the pcap.

# execute tcpdump -i any -v host <Aruba-switch-ip> and port 3799 or 1700 or 1812 or 1645 -w radius.pcap
https://community.fortinet.com/t5/FortiNAC-F/Technical-Tip-Run-tcpdump-in-FortiNAC-F-and-save-capture-as-a/ta-p/278061

barisben (Author)
New Member
September 30, 2025

I will. On the other hand, Aruba says I have an Aruba-Port-Bounce attribute, but FortiNAC has an Aruba-Port-Bounce-Host attribute, and I cannot modify it or create a new one named Aruba-Port-Bounce. Maybe the problem is this.

https://arubanetworking.hpe.com/techdocs/AOS-CX/10.16/HTML/security_8100-8360/Content/Chp_Sppt_RADIUS_att/rad-ses-aut-att-vsa-fl-10.htm

Staff & Editor
October 1, 2025

Unfortunately, FortiNAC does not support the "Aruba-Port-Bounce" VSA. However, you can check whether your switch model supports the Cisco-AVPairs shown below. I have seen that some AOS-CX switches do support these AVPs:

  1. Cisco-AVPair='subscriber:command=bounce-host-port'
  2. Cisco-AVPair='subscriber:command=disable-host-port'
  3. Cisco-AVPair='subscriber:command=reauthenticate' and Cisco-AVPair='subscriber:reauthenticate-type=<last|rerun>'

Staff & Editor
October 1, 2025

I would recommend submitting a FortiNAC ticket to check the behavior.
Please create a support ticket and add all the captured logs.

br,
Hawada