FortiAP
Adolfo_Z_H, Staff
Article Id 407800
Description

This article describes the most common causes of CoA request failures when disconnecting an authorized device or changing its VLAN.

Scope

FortiGate as a wireless controller.

Solution

As a starting point, follow the community article and documentation below on how to properly configure the RADIUS accounting service on FortiGate devices:

Configuring a RADIUS server

Use the following community article to collect the debug output that is analyzed in this guide:

Troubleshooting Tip: Debugging RADIUS Change of Authorization (CoA)

Scenario 1. DAS: Request Authenticator invalid - improper accounting client configuration.

Messages like the following appear in the RADIUS DAS daemon debug output:

68143.655 RADIUS message: code=40 (Disconnect-Request) identifier=43 length=65
   Attribute 31 (Calling-Station-Id) length=19 pos 0x89c8436
      Value: '1C-1B-B5-93-01-CA'
   Attribute 1 (User-Name) length=20 pos 0x89c8449
      Value: 'PUERTO\\test-nac-01'
   Attribute 8 (Framed-IP-Address) length=6 pos 0x89c845d
      Value: 10.45.10.10
68143.656 DAS: Request Authenticator invalid!
68143.656 DAS: Request Authenticator invalid!

This means the FortiGate accounting client is not configured to match the RADIUS accounting server. The DAS daemon validates the Request Authenticator of each Disconnect-Request, an MD5 hash computed over the packet and the shared secret, so a secret that differs between the two sides fails this check on every request. The RADIUS configuration on FortiGate must match the RADIUS accounting server configuration, in particular the accounting-server entry shown below:

config user radius
    edit "FortiNAC"
        set server "10.1.2.6"
        set secret ENC XXX
        set nas-ip 10.2.255.1
        set acct-interim-interval 60
        set radius-coa enable
        set radius-port 1812
        set auth-type ms_chap_v2
        set source-ip "10.2.255.1"
        set acct-all-servers enable
            config accounting-server <--- RADIUS accounting client configuration.
                edit 1
                    set status enable
                    set server "10.1.2.6"
                    set secret ENC XXX
                    set source-ip "10.2.255.1"
                next
            end
    next
end

After correcting the configuration, the RADIUS daemon process should locate and delete the accounting session:

95642.660 RADIUS message: code=40 (Disconnect-Request) identifier=195 length=65
   Attribute 31 (Calling-Station-Id) length=19 pos 0x89c8436
      Value: '1C-1B-B5-93-01-CA'
   Attribute 1 (User-Name) length=20 pos 0x89c8449
      Value: 'PUERTO\\test-nac-01'
   Attribute 8 (Framed-IP-Address) length=6 pos 0x89c845d
      Value: 10.87.1.11
95642.661 DAS: No Message-Authenticator attribute found
95642.661 DAS: -1 sslvpn session(s) deleted.
95642.661 DAS: 0 auth session(s) deleted.
95642.661 DAS: No Message-Authenticator attribute found
95642.661 Sending data - hexdump(len=2268):
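To show what the 'Request Authenticator invalid' check actually verifies, here is an added Python example (not Fortinet code and not from this article) that builds a Disconnect-Request carrying the three attributes seen in the debug above and validates its Request Authenticator the way RFC 5176 specifies; the shared secret is a constructed placeholder for the 'set secret' value under 'config accounting-server'.

```python
import hashlib
import hmac
import ipaddress
import struct

DISCONNECT_REQUEST = 40

# Constructed sample values mirroring the debug output above; the secret is a
# placeholder standing in for the 'set secret' value under 'config accounting-server'.
SHARED_SECRET = b"example-shared-secret"
CALLING_STATION_ID = b"1C-1B-B5-93-01-CA"
USER_NAME = b"PUERTO\\test-nac-01"
FRAMED_IP_ADDRESS = "10.45.10.10"


def avp(attr_type, value):
    """Encode one RADIUS attribute as type, length, value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(identifier, secret):
    """Build a Disconnect-Request carrying only the three attributes FortiGate uses to
    locate the accounting session.  Per RFC 5176 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (avp(31, CALLING_STATION_ID)
             + avp(1, USER_NAME)
             + avp(8, ipaddress.IPv4Address(FRAMED_IP_ADDRESS).packed))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def request_authenticator_valid(packet, secret):
    """The check the DAS side performs before acting on a request: recompute the
    Request Authenticator with its own copy of the secret and compare.  A secret
    that differs between the two sides is what 'DAS: Request Authenticator invalid!'
    reports."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    pkt = build_disconnect_request(43, SHARED_SECRET)
    print("length", len(pkt))  # 65 octets, as in the debug above
    print("same secret  ->", request_authenticator_valid(pkt, SHARED_SECRET))
    print("wrong secret ->", request_authenticator_valid(pkt, b"other-secret"))
```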

 

Scenario 2. Session-Context-Not-Found(503) - there is insufficient information to locate an active accounting session.

Use the following sniffer command on the FortiGate CLI to capture a full copy of the RADIUS packets exchanged between FortiGate and the RADIUS accounting and authentication server:

diagnose sniffer packet any 'port 3799 or port 1812 or port 1813' 6 0 a

Use the following Wireshark display filter to show the relevant CoA and authentication RADIUS packets (Disconnect-Request, Disconnect-ACK, Disconnect-NAK and Access-Accept):

radius.code == 40 || radius.code == 41 || radius.code == 42 || radius.code == 2

Frame 18: 92 bytes on wire (736 bits), 92 bytes captured (736 bits)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 10.2.255.1 (10.2.255.1), Dst: 10.1.2.6 (10.1.2.6)
User Datagram Protocol, Src Port: 3799, Dst Port: 54937
RADIUS Protocol
    Code: Disconnect-NAK (42)
    Packet identifier: 0xc3 (195)
    Length: 50
    Authenticator: 5e8cd704e1bfaa5d53ea8761b03d4221
    [This is a response to a request in frame 17]
    [Time from request: 2.011762000 seconds]
    Attribute Value Pairs
        AVP: t=Error-Cause(101) l=6 val=Session-Context-Not-Found(503)
        AVP: t=Event-Timestamp(55) l=6 val=Mar  1, 2023 12:17:12.000000000 Hora estándar central (México)
        AVP: t=Message-Authenticator(80) l=18 val=66a451d00d57119ad659890f847b115f

The most common reason is that FortiGate does not recognize the MAC address format that the RADIUS accounting server sends in Calling-Station-Id. By default, the MAC address format FortiGate recognizes is xx-xx-xx-xx-xx-xx (hyphen-separated, as in the '1C-1B-B5-93-01-CA' value above).

A CoA request from the accounting server must contain only the following attributes for FortiGate to locate a valid accounting session:

Attribute 31 (Calling-Station-Id)
Attribute 1 (User-Name)
Attribute 8 (Framed-IP-Address)

After correcting the configuration on the RADIUS server side, the accounting session should be located and deleted, as the following RADIUS DAS debug messages show:

99498.016 RADIUS message: code=40 (Disconnect-Request) identifier=199 length=65
   Attribute 31 (Calling-Station-Id) length=19 pos 0x89c8436
      Value: '1C-1B-B5-93-01-CA'
   Attribute 1 (User-Name) length=20 pos 0x89c8449
      Value: 'PUERTO\\test-nac-01'
   Attribute 8 (Framed-IP-Address) length=6 pos 0x89c845d
      Value: 10.45.10.10
99498.017 DAS: No Message-Authenticator attribute found
99498.017 DAS: -1 sslvpn session(s) deleted.

With wireless controller association debugging enabled, the disconnection of the Wi-Fi client should then be observed on the wireless control plane:

99498.120 99497.120 1c:1b:b5:93:01:ca <dc> STA del 1c:1b:b5:93:01:ca ws (0-10.2.1.131:5246) vap CORPWPA2ENTERP rId 1 wId 1
99498.121 99497.121 1c:1b:b5:93:01:ca cwAcDelWSSO del_auth_logon vf 0 ip 10.45.10.10 user 'PUERTO\test-nac-01' group ''
99498.121 Sending data - hexdump(len=2268):

Scenario 3. The authenticated device does not end up on the correct VLAN.

This scenario cannot be corrected in the FortiGate configuration, because the Access-Accept message is generated by the RADIUS authentication server.

Use a packet sniffer to analyze the AVP values that the RADIUS server sends in Access-Accept messages:

Frame 88: 238 bytes on wire (1904 bits), 238 bytes captured (1904 bits) on interface Fake IF, text2pcap, id 0
Ethernet II, Src: e9:34:4b:56:6d:2d (e9:34:4b:56:6d:2d), Dst: 00:00:00_00:00:01 (00:00:00:00:00:01)
Internet Protocol Version 4, Src: 10.1.2.6 (10.1.2.6), Dst: 10.2.255.1 (10.2.255.1)
User Datagram Protocol, Src Port: 1812, Dst Port: 9122
RADIUS Protocol
    Code: Access-Accept (2)
    Packet identifier: 0x72 (114)
    Length: 196
    Authenticator: 58436882e10b6c42150644c39598b65b
    [This is a response to a request in frame 87]
    [Time from request: 0.000000000 seconds]
    Attribute Value Pairs
        AVP: t=User-Name(1) l=20 val=PUERTO\test-nac-01
        AVP: t=Tunnel-Type(64) l=6 Tag=0x00 val=VLAN(13)
        AVP: t=Tunnel-Private-Group-Id(81) l=4 val=45
        AVP: t=Tunnel-Medium-Type(65) l=6 Tag=0x00 val=IEEE-802(6)

 

For FortiGate to honor the VLAN configured on the RADIUS server, all three tunnel AVPs shown above (Tunnel-Type = VLAN(13), Tunnel-Medium-Type = IEEE-802(6) and Tunnel-Private-Group-Id carrying the VLAN ID) must be sent in the Access-Accept response from the RADIUS server. If a VLAN change is expected, the RADIUS server must change these AVP values accordingly.
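As an added example (not part of the original article and not Fortinet code), the following Python constructs an Access-Accept mirroring frame 88 above and extracts the VLAN ID only when all three tunnel AVPs are present with the expected values; the packet bytes and the zeroed authenticator are constructed sample data.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def avp(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged(tag, number):
    """Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag plus a 3-byte integer (RFC 2868)."""
    return bytes([tag]) + number.to_bytes(3, "big")


def parse_avps(attrs):
    """Walk the attribute list into {type: value}; stops at a malformed length."""
    out, pos = {}, 0
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            break
        out[attr_type] = attrs[pos + 2:pos + length]
        pos += length
    return out


def vlan_from_access_accept(packet):
    """Return the VLAN ID a controller would apply, or None when the packet is not an
    Access-Accept or any of the three tunnel attributes is missing or wrong."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    avps = parse_avps(packet[20:])
    ttype = avps.get(TUNNEL_TYPE, b"")
    medium = avps.get(TUNNEL_MEDIUM_TYPE, b"")
    group = avps.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if len(ttype) != 4 or int.from_bytes(ttype[1:], "big") != VLAN:
        return None
    if len(medium) != 4 or int.from_bytes(medium[1:], "big") != IEEE_802:
        return None
    if group and group[0] <= 0x1F:  # optional leading tag byte (RFC 2868 section 3.6)
        group = group[1:]
    return group.decode("ascii", "replace") or None


def sample_access_accept(include_medium=True):
    """Constructed Access-Accept mirroring frame 88 (identifier 114, authenticator zeroed)."""
    attrs = (avp(1, b"PUERTO\\test-nac-01") + avp(TUNNEL_TYPE, tagged(0, VLAN))
             + avp(TUNNEL_PRIVATE_GROUP_ID, b"45"))
    if include_medium:
        attrs += avp(TUNNEL_MEDIUM_TYPE, tagged(0, IEEE_802))
    return struct.pack("!BBH", ACCESS_ACCEPT, 114, 20 + len(attrs)) + b"\x00" * 16 + attrs
```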