BKP09
Explorer
July 9, 2025
Solved

FortiNAC - RADIUS AUTH for vlan assigment issue

  • July 9, 2025
  • 1 reply
  • 1134 views

Hello Community,
Please for your support.
Just a brief explanation of the topology and the case at first. We have a NAC VM Cluster, in which we have enrolled our inventory switches. We want dynamic VLAN assignment for the users, based on the Role attribute that each user has (attribute 60 = vlan 60). Switches have the respective AAA config and I can see on the NAC that the RADIUS accept is sent when the user is connected to the port. Users have the supplicant configuration for the RADIUS authentication as well. The thing is that when the user connects on the switch, NAC does not assign any VLAN dynamically as it should, and it marks the port as down (not connected) on the NAC GUI, even though on the switch side the port is still up and working on the VLAN that it was. Normal policies work as they should (for instance VLAN assignment on Cisco IP phones).

Below are some screenshots that may help: [four screenshots attached: image_2025-07-09_165744010.png, image_2025-07-09_170245645.png, image_2025-07-09_170407957.png, image_2025-07-09_170450297.png]

The above case is when we try to connect only one device per port. When we have an IP phone along with the laptop, the port becomes error-disabled and nothing works as well. Below are the switch logs for this case: [screenshot attached: image_2025-07-09_171126936.png]

Any ideas will be highly appreciated.
Some tests a couple of weeks ago with the exact same laptop worked fine, but now this is the case.
Thanks in advance.

Best answer by ebilcari

If authentication on the port is successful, the switch should be able to learn the MAC addresses of the connected hosts, allowing FNAC to poll this information successfully. Please check the switch MAC address table to verify that the hosts' MAC addresses are present.

1 reply

ebilcari
Staff
July 22, 2025

What are the results when the same host connects directly to the switch port, without being daisy chained through an IP phone? What is the host's status, and how is it initially registered in FNAC?

Additionally, verify the switch configuration to ensure that multiple hosts are allowed to authenticate on a single port.

Emirjon
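The two checks suggested above (are the hosts' MACs present in the switch MAC address table on the expected port and VLAN, and does the port carry more than one authenticated host) can be scripted against the output of the switch's MAC table. The following is an added example written for this thread, not code from Fortinet or FortiNAC: it parses a constructed, Cisco-style `show mac address-table` listing and compares it with the port/VLAN each host was expected to land on according to its RADIUS Access-Accept. The sample table, the MAC addresses, the port names and the `expected` mapping are all made-up values.

```python
import re
from collections import defaultdict

# Constructed sample of Cisco-style "show mac address-table" output.
# None of these MACs, VLANs or ports come from the thread above.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  60    0011.2233.4455    DYNAMIC     Gi1/0/5
 100    0011.2233.6677    DYNAMIC     Gi1/0/5
  60    aabb.ccdd.eeff    DYNAMIC     Gi1/0/7
Total Mac Addresses for this criterion: 3
"""

# One data row: VLAN id, dotted-hex MAC, entry type, port name.
# Header and footer lines do not start with a VLAN number, so they are skipped.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Accept 0011.2233.4455, 00:11:22:33:44:55 or 00-11-... and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples from show mac address-table output."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            vlan, mac, _entry_type, port = match.groups()
            rows.append((int(vlan), normalize_mac(mac), port))
    return rows


def check_expected_hosts(table, expected):
    """Compare the learned table with what RADIUS told the switch to do.

    expected maps a host MAC to (port, vlan), i.e. the port the host was plugged
    into and the VLAN carried in the Access-Accept (Tunnel-Private-Group-ID).
    Returns a per-MAC verdict: "ok", "missing", "wrong port X" or "wrong vlan N".
    A "missing" host is exactly the case where the switch never learned the MAC
    and a NAC L2 poll will show the port as having no host.
    """
    learned = {mac: (vlan, port) for vlan, mac, port in table}
    verdicts = {}
    for mac, (exp_port, exp_vlan) in expected.items():
        mac = normalize_mac(mac)
        if mac not in learned:
            verdicts[mac] = "missing"
            continue
        vlan, port = learned[mac]
        if port != exp_port:
            verdicts[mac] = f"wrong port {port}"
        elif vlan != exp_vlan:
            verdicts[mac] = f"wrong vlan {vlan}"
        else:
            verdicts[mac] = "ok"
    return verdicts


def hosts_per_port(table):
    """Count learned MACs per port; a phone plus a laptop should show 2 on that port."""
    counts = defaultdict(int)
    for _vlan, _mac, port in table:
        counts[port] += 1
    return dict(counts)


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    # Hypothetical expectations: laptop and phone on Gi1/0/5, plus a host that never showed up.
    expected = {
        "00:11:22:33:44:55": ("Gi1/0/5", 60),
        "0011.2233.6677": ("Gi1/0/5", 60),
        "00:de:ad:be:ef:00": ("Gi1/0/9", 60),
    }
    for mac, verdict in check_expected_hosts(table, expected).items():
        print(f"{mac}: {verdict}")
    print(hosts_per_port(table))
```

Run it against real output by replacing `SAMPLE_MAC_TABLE` with the text captured from the switch and `expected` with the MAC/port/VLAN triples taken from the NAC's RADIUS log. A "missing" verdict for a host whose Access-Accept was sent points at the switch not learning the MAC (so the NAC poll has nothing to show), while a count of 1 on a port that should carry a phone and a laptop is a quick indicator that the port's host mode only admits a single device.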
BKP09 (Author)
Explorer
July 30, 2025

Hello and sorry for the late response. Issue partially resolved by changing the "aaa server radius dynamic-author port" to the default one. Regarding the view issue, I did not find any solution yet. Even though the authentication is completed successfully, the view from FortiNAC is still "blind". When we enforce a port, everything appears to be functioning correctly with Dot1X (connectivity is fine) and the switch view shows no problems. However, in the FNAC interface, the port appears as not connected.

ebilcari
Staff
July 30, 2025

Can FNAC access the switch via SNMP and CLI? Do the hosts appear on the port after a manual L2 poll of the switch?

Emirjon