Skip to main content
diojanruiz
diojanruiz
New Member
January 20, 2026
Question

Radius COA messages Fortiink FortiNAC

  • January 20, 2026
  • 2 replies
  • 493 views

Hi Friends,

We currently have a solution implemented with FortiNAC integrated with Fortigate and FortiSwitch through FortiLink. Change of Authorization (CoA) events are correctly configured in compliance with RFC 5176, and dynamic VLAN changes are working as expected. However, a specific behavior is observed when a host is deleted from the FortiNAC inventory: in this scenario, FortiNAC sends a Disconnect-Request, but this message is never acknowledged by the switch, even though CoA operations function correctly in other scenarios such as host state changes or VLAN reassignment.

 

Fortinac Version 7.6.3.0779 

Fortigate Version v7.4.9 

FortiSwitch Version 7.4.7

 

This is a capture when the client change from vlan register to vlan employee
COA response.png

This is a capture when I delete the host from FortiNAC GUI

 
 

COA no response.png

 

Regards

 

2 replies

AEK
SuperUser
AEK
SuperUser
January 20, 2026

Hi

A quite similar issue has been resolved in 7.6.5.

1188470FortiNAC and FortiGate CoA Disconnect Request failed error code = 0.0.1.f7.

 

Ref:  https://docs.fortinet.com/document/fortinac-f/7.6.5/release-notes/306067/resolved-issues-version-f-7-6-5

Hope it helps.

AEK
ebilcari
Staff
ebilcari
Staff
January 21, 2026

This fix appear to be related to wireless integrations with FortiAP and SSID configurations.

Emirjon
ebilcari
Staff
ebilcari
Staff
January 21, 2026

From the FNAC perspective, the CoA/DM content and attributes appear the same on both cases. Since it is accepted previously but ignored by the switch when the host is disabled, I assume this is because the host is not seen as authenticated on the switch at that moment. In any case, a Disconnect-NAK should normally be returned by the switch instead of being silently ignored. You can also save the packet capture and export it, in order to check the packets content for both cases: Technical Tip: Useful CLI commands in FortiNAC-OS for troubleshooting

 

You can also enable the following debug on the FSW while repeating the tests:

# diag debug application radius_das 8

# diag debug enable

 

Check the authentication status in the switch port:

# diag switch [switch-info] 802-1x [S42…] status port

Emirjon
diojanruiz
diojanruizAuthor
New Member
January 22, 2026

Hi Ebilcari,

I was able to verify the event in the switch logs to determine why, when the host is removed from FortiNAC, a Disconnect-Request is sent and a Disconnect-NAK is received in response.

Please find the screenshot attached for your review.

COA From Debug Switch.png

All attribute configurations are like this.
Config Radius.png

Regards,

ebilcari
Staff
ebilcari
Staff
January 22, 2026

Since the source and destination IPs are hidden, have you verified that in both the working and non‑working cases the IPs of FNAC and the FSW are the same, and that there is no NAT between them?

Emirjon
Terms & ConditionsAccessibility statement