Skip to main content
bfcs
bfcs
New Member
May 4, 2022
Question

FortiWifi 60-E + Dynamic VLAN with 802.1x

  • May 4, 2022
  • 2 replies
  • 1977 views

All,

 

I am facing an issue with my Dynamic VLAN + 802.1x setup on a FortiWifi 60-E whereby the client is never actually assigned to the intended VLAN.

 

They are authenticating all OK and I can see from packet captures (and also on the external NAC server itself) that the RADIUS attributes are returned to the Forti unit all OK in the 'Access-Accept' reply as follows:

 

Tunnel-Type = VLAN

Tunnel-Medium-Type = IEEE-802

Tunnel-Private-Group-Id = "20"

 

VLAN 20 is configured as an interface (with DHCP) under the Dynamic SSID itself. So my expectation is that the client should be assigned an IP address from DHCP on this interface. From the client end they are never assigned an IP address and remain with a self assigned IP.

 

Any ideas on how to proceed with troubleshooting?

2 replies

aahmadzada
Staff
aahmadzada
Staff
May 4, 2022

Hi,

Tunnel-Private-Group-Id should contain the name of the interface, that is configured with a given vlan id.
Example:

 

config wireless-controller vap
edit "wifi.fap.02"
set ssid "wifi-ssid.fap.02"
set security wpa2-only-enterprise
set auth radius
set radius-server "peap"
set schedule "always"
set dynamic-vlan enable <---------
next
end
----------------
config system interface
edit "wifi2-vlan100" <-----------
set vdom "vdom1"
set ip 10.100.80.1 255.255.255.0
set role lan
set snmp-index 28
set interface "wifi.fap.02"
set vlanid 100 <---------
next
end
-----------------

The radius should return wifi2-vlan100 as a value for the Tunnel-Private-Group-Id attribute

 

Ahmad

bfcs
bfcsAuthor
New Member
May 4, 2022

Hi Ahmad,

 

Thank you for your reply. So I have changed the VLAN interface to be called '20' which now matches the Tunnel-Private-Group-Id attribute of '20'. Unfortunately I still have the same issue where I pass authentication all OK, but self assigned IP address on the client.

 

Any other ideas please?

aahmadzada
Staff
aahmadzada
Staff
May 4, 2022

Please provide the output of these commands:

 

show wireless-controller vap

show system interface

 

Also, please run the packet capture on the Fortigate, and capture radius server reply, when the user authenticates on the wireless and attach the capture file to the thread, so we can check what is sent by the radius.

 

Ahmad

Terms & ConditionsAccessibility statement