Mike77
New Member
September 12, 2025
Question

FortiNAC, FortiGate and FortiAP - CoA request fail with "Session Context Not Found"


Hi Guys

I'm testing FortiNAC with a FortiGate (as a wireless controller) and FortiAPs.

During testing, I noticed that CoA does not work as desired. The VLAN is only changed during disconnect/connect of the client.

I use the command "sendcoa -ip 172.xx.xx.xx -mac XX:XX:XX:XX:XX:XX -dis" on FortiNAC.

With "execute tcpdump -i any port 3799 -v" I get the following output:

 

tcpdump: data link type LINUX_SLL2
dropped privs to admin
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
10:44:49.640276 port1 Out IP (tos 0x0, ttl 64, id 43159, offset 0, flags [DF], proto UDP (17), length 78)
s-test-fncesx01.42844 > _gateway.3799: RADIUS, length: 50
Disconnect-Request (40), id: 0x25, Authenticator: aafde2cc1e57197d88bdfac5632f91ab
Calling-Station-Id Attribute (31), length: 19, Value: XX:XX:XX:XX:XX:XX
User-Name Attribute (1), length: 11, Value: host/XXXX


10:44:51.641526 port1 In IP (tos 0x0, ttl 64, id 3676, offset 0, flags [none], proto UDP (17), length 78)
_gateway.3799 > s-test-fncesx01.42844: RADIUS, length: 50
Disconnect-NAK (42), id: 0x25, Authenticator: c433a7cf357955e717cc13daf18e461c
Error-Cause Attribute (101), length: 6, Value: Error cause 503: Session Context Not Found
Event-Timestamp Attribute (55), length: 6, Value: Thu Sep 11 10:44:49 2025
Message-Authenticator Attribute (80), length: 18, Value: .0..j?a.u.....m.

 

Under "CLIENT EXTENDED ATTRIBUTES" I see only attribute 1 and attribute 31

(Command: "client -mac XX:XX:XX:XX:XX:XX")

 

If I interpret the page https://community.fortinet.com/t5/FortiAP/Troubleshoot-Tip-Most-common-causes-CoA-request-fail-to/ta-p/407800 correctly, it says attribute 8 is missing.

 

Any idea how I can fix that?

3 replies

ebilcari
Staff
September 12, 2025

Was the host connected and authenticated (active session) when you tried to send the CoA/DM manually?

To get more information, you can also enable the following debug on the FGT side:

# diagnose debug application radius_das 8

Emirjon
Mike77 (Author)
New Member
September 15, 2025

Hello Emirjon
Yes, the host is connected and authenticated.

Mike77 (Author)
New Member
September 15, 2025

Hello Emirjon

I enabled debug with 255 because I have no output with 8.

15-09-2025_06-43-47.png

ebilcari
Staff
September 17, 2025

I tried to emulate the same in a lab:

GW # 33611.536 DAS: Received 51 bytes from 10.1.2.71:51571
33611.539 RADIUS message: code=40 (Disconnect-Request) identifier=14 length=51
Attribute 31 (Calling-Station-Id) length=19 pos 0x10799726
Value: '88-xx-xx-xx-xx-xx'
Attribute 1 (User-Name) length=6 pos 0x10799739
Value: 'gimi'
Attribute 8 (Framed-IP-Address) length=6 pos 0x1079973f
Value: 10.5.60.51
33611.552 DAS: received msg with hdr_code 40
33611.555 DAS: No Message-Authenticator attribute found
33611.558 DAS: select framed_ip 10.5.60.51
33611.562 DAS: select calling_station_id 88-xx-xx-xx-xx-xx
33611.565 DAS: select user_name gimi

..

33613.648 DAS: Reply ACK to 10.1.2.71:51571
33613.652 RADIUS message: code=41 (Disconnect-ACK) identifier=14 length=44

 

It seems that attribute 8 is used, but it is also not listed in the client details in FNAC:

CLIENT EXTENDED ATTRIBUTES
1 gimi
31 88-xx-xx-xx-xx-xx
Auth8021x 8
AuthAttrList 1,31
AuthType 2

Does FNAC have the L3 information for the host you are trying to disconnect? Is the GW of the WiFi host on the same FGT?

L3 wifi.PNG

Emirjon
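
An added example, not code from the thread or from Fortinet: a Python parser that reports which of the session-identification attributes the lab DAS log selects (1, 8, 31) a Disconnect-Request carries, run on two packets constructed to mirror the captures above. The function names and the zeroed Request Authenticator in the samples are assumptions of this example.

```python
import ipaddress
import struct

NAMES = {1: "User-Name", 8: "Framed-IP-Address", 31: "Calling-Station-Id"}
SESSION_ID_ATTRS = (1, 8, 31)  # the attributes the lab DAS log "selects"


def parse_radius(packet: bytes) -> dict:
    """Decode the 20-byte RADIUS header and walk the type/length/value attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not match the datagram")
    attrs, pos = {}, 20  # keyed by type; a repeated type keeps its last value
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type}: bad length {a_len}")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return {"code": code, "id": ident, "length": length, "attrs": attrs}


def session_report(packet: bytes) -> dict:
    """Summarise the session-identification attributes of a Disconnect-Request."""
    msg = parse_radius(packet)
    if msg["code"] != 40:
        raise ValueError("not a Disconnect-Request (code 40)")
    found = {t: v for t, v in msg["attrs"].items() if t in SESSION_ID_ATTRS}
    present = {NAMES[t]: str(ipaddress.IPv4Address(v)) if t == 8
               else v.decode("utf-8", "replace") for t, v in found.items()}
    missing = [NAMES[t] for t in SESSION_ID_ATTRS if t not in found]
    return {"length": msg["length"], "present": present, "missing": missing,
            "message_authenticator": 80 in msg["attrs"]}


def sample(ident: int, attrs: list) -> bytes:
    """Constructed sample: zeroed authenticator, so it is only fit for parsing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 40, ident, 20 + len(body)) + bytes(16) + body


# Constructed from the two captures in the thread (values redacted as on the page).
FNAC_REQ = sample(0x25, [(31, b"XX:XX:XX:XX:XX:XX"), (1, b"host/XXXX")])
LAB_REQ = sample(14, [(31, b"88-xx-xx-xx-xx-xx"), (1, b"gimi"),
                      (8, ipaddress.IPv4Address("10.5.60.51").packed)])
```

`session_report(FNAC_REQ)` gives the 50-byte request with Framed-IP-Address in `missing`, while `session_report(LAB_REQ)` gives the 51-byte lab request with all three attributes present and no Message-Authenticator.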
Mike77 (Author)
New Member
September 19, 2025

Hello Emirjon

Yes, FNAC shows me the correct L3 information, and the WiFi GW is on the same FGT Cluster.