AEK
SuperUser
January 11, 2024
Question

FortiNAC with Huawei AC6508 WLC


Hello

We integrated a Huawei AC6508 WLC with FortiNAC, using local RADIUS, but we are facing some issues.

  • When we set Default Attribute Group to RFC_VLAN we notice in RADIUS logs that FortiNAC sends the right response to the WLC, however the WLC still asks the user to authenticate, as if the WLC didn't recognize the RADIUS response
  • When we set Default Attribute Group to None we notice that the WLC puts the authenticated user in the default service VLAN, so it works

So I guess that the predefined RFC_VLAN Attribute Group is not the good one to use with our WLC.

In the FortiNAC "Huawei Controller Wireless Integration" guide they mention optionally leaving the value "None", but in our case we need to include the target VLAN in the RADIUS response.

Any idea on what should be the attributes of the right Attribute Group to use?

7 replies

ndumaj
Staff
January 12, 2024

Hi,

What is the FNAC firmware version?
What is the guide you have followed?
Please review this guide:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/51126d1c-4672-11ed-9d74-fa163e15d75b/FortiNAC_Huawei_Wireless_Integration_v9.pdf

BR

AEK (Author)
SuperUser
January 12, 2024

Hello

It is FortiNAC 9.2.8.

The guide I followed is the one you shared above.

AEK
ndumaj
Staff
January 12, 2024

Hello,
I would review the WLC integration first.
This is the radius attribute that FNAC sends:
[Screenshot: Radius Attribute.png]

Why is the WLC complaining? Is the WLC receiving this RFC?
There should be a log from the WLC on why it is rejecting this RFC.
What does the WLC expect to have as a response?

BR

AEK (Author)
SuperUser
January 12, 2024

Hi

Indeed these are the good questions.

Thanks for the hint. I'll check and come back.

AEK
ndumaj
Staff
January 14, 2024

I guess the WLC log should provide more information to understand the issue.

BR

Sheikh
Staff
January 14, 2024

Hi,

A packet capture on both the FortiNAC and the wireless controller might also give some insight.

In addition to that, the following debugs on FortiNAC would also give more details.

nacdebug -name RadiusManager true

nacdebug -name RadiusAccess true

Go to the logs folder and tail the output.master file.

Don't forget to disable debugging after troubleshooting.

Regards,

Sheikh

AEK (Author)
SuperUser
January 15, 2024

Hello

I found that the issue is in %ACCESS_VALUE%.

In fact the access value (Tunnel-Private-Group-ID) sent by FortiNAC's RADIUS to Huawei WLC is "VLAN 0015".

I tried to force the Tunnel-Private-Group-ID to just "15" and it worked.

In model configuration FortiNAC lists the VLANs in this format: "VLAN 0015", so I guess it is sending this value as RADIUS response.

When FortiNAC reads the VLANs from the WLC, it takes the "VLAN name" as value, not VLAN ID, while on WLC I left the declared VLANs unnamed.

The default name "VLAN 00##" is shown by the WLC when there is no given name; then, on VLAN assignment by FNAC's RADIUS, the same default name is not recognized by the WLC itself.

The solution was just to give a name to each VLAN.

Declaring the VLANs like this will not work: "vlan batch 20 100 102". We must give a name to each VLAN in order to make it work. FortiNAC will use the assigned name as %ACCESS_VALUE% and the WLC will recognize it.

AEK
ndumaj
Staff
January 15, 2024

Hello AEK,
Thank you for your update,
Definitely the WLC doesn't understand the "VLAN 00##" - VLANID format it prefers to have the VLAN only :)

GOOD job!
Well DONE!

Bosch
New Member
May 9, 2025

Hello,

I have the same issue: I have modified "VLAN 0102" to the name of the VLAN on the Huawei WLC, but the users are unable to connect via the SSID!

AEK (Author)
SuperUser
May 11, 2025

Hi Bosch

What do you see in the WLC logs? Does it recognize the RADIUS response? Or does it still request the user to authenticate?

AEK
Bosch
New Member
May 13, 2025

Hello AEK,

The WLC received the RADIUS attributes, and the user is not able to connect!

May 08 2025 17:26:42.150.637+01:00 AC6508 RDS/7/DEBUG:Slot=0,Vcpu=4;

[RDS(Evt):] Receive a packet(IP:FORTINAC-IP,Port:1812,Code:authentication accept,ID:83,Template:fortinac )

 

May 08 2025 17:26:42.150.638+01:00 AC6508 RDS/7/DEBUG:Slot=0,Vcpu=4;

  RADIUS Received a Packet.

 

May 08 2025 17:26:42.150.639+01:00 AC6508 RDS/7/DEBUG:Slot=0,Vcpu=4;

  Template name: fortinac

  Server Template: 1

  Server IP   : FORTINAC-IP

  Server Port : 1812

  Client IP   : WLC-IP

  vrf : 0

  Protocol: Standard

  Code    : 2

  Len     : 267

  ID      : 83

  [MS-MPPE-Recv-Key                   ] [52] [e0 c8 3d 43 2c 39 58 9d 19 8b 14 5f fa db 06 f9 a0 55 d7 d3 c6 31 77 87 59 14 03 38 87 7f 8d e5 69 a6 9f f4 a4 c4 ff 1a 55 87 d0 3a 35 e3 a9 5e ca 45 ]

  [MS-MPPE-Send-Key                   ] [52] [ee 1e 7b 2f d3 3b 9f 91 b8 ba 64 51 a4 ab 89 70 d3 19 ac 95 b8 62 75 09 03 1f 7d 00 46 e4 ff bc 52 48 08 7d 9c a1 62 22 be da ce 98 37 0b b8 a3 f0 b5 ]

  [EAP-Message                        ] [6 ] [03 d5 00 04 ]

  [Message-Authenticator              ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]

  [Framed-MTU                         ] [6 ] [1190]

  [MS-MPPE-Send-Key                   ] [36] [f1 ea 65 45 f7 a3 4a 82 3c 6b 08 c0 15 67 9d 4e e2 b0 c6 18 39 d1 1f 18 3a 11 d9 be ce 82 6c c5 89 d2 ]

 

May 08 2025 17:26:42.150.640+01:00 AC6508 RDS/7/DEBUG:Slot=0,Vcpu=4;

  [MS-MPPE-Recv-Key                   ] [36] [fe 6d 8a 84 ba ef ae 9c fa 85 f7 76 15 69 c4 59 4f 7a 14 f3 71 5d 85 e7 1a 76 18 55 28 71 ff e5 93 6c ]

  [Tunnel-Type                        ] [6 ] [13]

  [Tunnel-Private-Group-ID            ] [5 ] [102]

  [Tunnel-Medium-Type                 ] [6 ] [6]

 

May 08 2025 17:26:42.150.641+01:00 AC6508 RDS/7/DEBUG:Slot=0,Vcpu=4;

[RDS(Evt):] Supported attr.

 

May 08 2025 17:26:42.150.642+01:00 AC6508 RDS/7/DEBUG:Slot=0,Vcpu=4;

[RDS(Evt):] Supported attr.

 

May 08 2025 17:26:42.150.643+01:00 AC6508 RDS/7/DEBUG:Slot=0,Vcpu=4;Attr not support in this packet.

(Framed-MTU(12)).

 

May 08 2025 17:26:42.150.644+01:00 AC6508 RDS/7/DEBUG:Slot=0,Vcpu=4;

[RDS(Evt):] Supported attr.

 

May 08 2025 17:26:42.150.645+01:00 AC6508 RDS/7/DEBUG:Slot=0,Vcpu=4;

[RDS(Evt):] Supported attr.

 

May 08 2025 17:26:42.150.646+01:00 AC6508 RDS/7/DEBUG:Slot=0,Vcpu=4;

[RDS(Evt):] Send a msg(Auth accept)
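
Added example (not part of the thread, and not Fortinet or Huawei code): a Python check that reads attribute lines in the format of the WLC debug output above and tests the RFC 3580 VLAN attributes (Tunnel-Type 13, Tunnel-Medium-Type 6) plus the Tunnel-Private-Group-ID value against the WLC's VLAN list. The sample lines and the `WLC_VLANS` inventory are constructed, and the rules for the value are an assumption taken from what the thread reports: a numeric ID or a configured name is accepted, the default "VLAN 00##" placeholder is not.

```python
import re

# Attribute lines in the WLC debug output look like: "[Name      ] [len] [value]"
ATTR_RE = re.compile(r"\[\s*([A-Za-z][\w-]*)\s*\]\s*\[\s*(\d+)\s*\]\s*\[([^\]]*)\]")
# Placeholder the thread says is shown for VLANs that were never given a name
DEFAULT_NAME_RE = re.compile(r"^VLAN \d{4}$")

# Constructed sample in the format of the debug output quoted in the thread
SAMPLE_OK = """
  [Tunnel-Type                        ] [6 ] [13]
  [Tunnel-Private-Group-ID            ] [5 ] [102]
  [Tunnel-Medium-Type                 ] [6 ] [6]
"""
SAMPLE_BAD = SAMPLE_OK.replace("[5 ] [102]", "[11] [VLAN 0015]")

# Constructed inventory: VLAN ID -> configured name (None means unnamed)
WLC_VLANS = {15: None, 102: "STAFF"}

def parse_attrs(log_text):
    """Return {attribute name: last value seen} from RDS debug attribute lines."""
    return {m.group(1): m.group(3).strip() for m in ATTR_RE.finditer(log_text)}

def check_vlan_assignment(attrs, wlc_vlans):
    """Return a list of findings; an empty list means the VLAN attributes look usable."""
    findings = []
    if attrs.get("Tunnel-Type") != "13":
        findings.append("Tunnel-Type is not 13 (VLAN)")
    if attrs.get("Tunnel-Medium-Type") != "6":
        findings.append("Tunnel-Medium-Type is not 6 (IEEE 802)")
    value = attrs.get("Tunnel-Private-Group-ID")
    if value is None:
        findings.append("Tunnel-Private-Group-ID missing")
    elif DEFAULT_NAME_RE.match(value):
        findings.append(f"{value!r} is a default placeholder name; name the VLAN on the WLC")
    elif value.isdigit():
        if int(value) not in wlc_vlans:
            findings.append(f"VLAN ID {value} is not defined on the WLC")
    elif value not in {name for name in wlc_vlans.values() if name}:
        findings.append(f"{value!r} matches no VLAN name configured on the WLC")
    return findings

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_vlan_assignment(parse_attrs(text), WLC_VLANS))
```

An empty result only means the attributes are well-formed and refer to a VLAN the WLC knows; it does not rule out other causes of a failed connection.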