FortiGate
auppal (Staff)
Article Id 267223
Description

This article describes how to dynamically assign FortiLink VLANs to SSID clients that authenticate through a FortiAuthenticator RADIUS server.

Scope

FortiGate, FortiAuthenticator, FortiAP, FortiSwitch.

Prerequisites:

  1. FortiAuthenticator is connected to the FortiGate, and user groups are configured on FortiAuthenticator.
  2. FortiAP and FortiSwitch are connected and have the required VLANs configured.

Reference:

Creating the RADIUS client.

Creating the user and user group on the FortiAuthenticator.

Solution

  1. Create a bridge mode SSID with WPA2 enterprise and configure the RADIUS server. Make sure to enable dynamic VLAN assignment.

GUI: Navigate to WiFi & Switch Controller -> SSIDs -> Create New.

[Image: 1st.png]

CLI:

config wireless-controller vap
    edit "SSID-Bridge"
        set ssid "Home-Bridge"
        set security wpa2-only-enterprise  <-
        set pmf enable
        set voice-enterprise disable
        set auth radius
        set radius-server "LAB-FAC"  <-
        set local-bridging enable  <-
        set schedule "always"
        set dynamic-vlan enable  <-
    next
end

  2. Add the SSID to the required FortiAP profile and apply the profile to the managed FortiAPs:
config wireless-controller wtp-profile
    edit "FAP231F-default"
        config radio-1
            set band 802.11ax,n,g-only
            set vap-all manual
            set vaps "SSID-Bridge"  <-
        end

        config radio-2
            set band 802.11ax-5G
            set vap-all manual
            set vaps "SSID-Bridge"  <-
        end

    next
end

config wireless-controller wtp
    edit "FP231FTFxxxxxxxx"
        set uuid 24a1ddc6-2274-51ee-33a2-f10d5ecb9f87
        set admin enable
        set wtp-profile "FAP231F-default"  <-
        config radio-1
        end
        config radio-2
        end
    next
end

  3. Configure the FortiSwitch port that the FortiAP is connected to so that it allows the VLANs that will be dynamically assigned.

GUI: Navigate to WiFi & Switch Controller -> FortiSwitch Ports -> Change Allowed VLANs.

 

[Image: 2nd.bmp]

CLI:

config switch-controller managed-switch
    edit S124ENTQxxxxxxxx
        config ports
            edit "port3"
                set vlan "MGMT"  <-
                set allowed-vlans "SSID-Guest" "VLAN10-SSID"  <-
                set untagged-vlans "quarantine"
                set export-to "root"
                set mac-addr e0:23:ff:ed:37:ff
            next
        end
    next
end

  4. Configure the FortiAuthenticator user group RADIUS attributes:

For each user or user group, configure the following RADIUS attributes. These attributes carry the VLAN information that FortiAuthenticator returns to the FortiGate in the Access-Accept.

  1. Tunnel-Type.
  2. Tunnel-Medium-Type.
  3. Tunnel-Private-Group-Id.

These attributes are defined in RFC 2868: https://datatracker.ietf.org/doc/html/rfc2868

Navigate to FortiAuthenticator -> Authentication -> User Groups -> Edit User Group -> Radius Attributes.

[Image: 3rd.png]

The Tunnel-Private-Group-Id attribute specifies the VLAN ID. In this case, the VLAN ID is set to 30.

 

Connect the client to the configured SSID and provide the user credentials. In this example, the user 'test' is a member of the user group that carries the RADIUS attributes configured above. Once the client is connected successfully, it should receive an IP address from VLAN 30.

 

VLAN 30 configuration:

config system interface
    edit "SSID-Guest"
        set vdom "root"
        set ip 192.168.30.1 255.255.255.0  <-
        set device-identification enable
        set role lan
        set snmp-index 34
        set interface "fortilink"  <-
        set vlanid 30  <-
    next
end

[Image: 4th.png]

[Image: 5th.png]

  5. Check the RADIUS Access-Accept packet to verify the RADIUS attribute values that were received.

[Image: 6th.png]

Some client machines may need to have 802.1X enabled.
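To see what actually came back in the Access-Accept (step 5) and whether it lines up with the VLANs allowed on the FortiSwitch port (step 3), here is an added example in Python; it is not part of this article and not Fortinet code. It encodes the three RFC 2868 attributes the way a RADIUS server sends them (a tag byte plus a 3-byte integer for Tunnel-Type and Tunnel-Medium-Type, an optional tag byte plus a string for Tunnel-Private-Group-Id), decodes a constructed Access-Accept, and checks the returned VLAN ID against the port's allowed-vlans list. Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE-802 (6) are the standard values from RFC 3580; the all-zero authenticator and the VLAN ID 10 assumed for "VLAN10-SSID" (taken from its name) are constructed assumptions.

```python
"""Decode the RFC 2868 tunnel attributes in a RADIUS Access-Accept and check
the VLAN they assign against the VLANs allowed on the FortiAP-facing switch port.
Added example; not Fortinet code."""
import struct

# RADIUS code and attribute numbers (RFC 2865 / RFC 2868) and the standard
# values used for VLAN assignment (RFC 3580).
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed view of port3's allowed-vlans from step 3. SSID-Guest is VLAN 30
# per the interface config on this page; 10 for VLAN10-SSID is assumed from its name.
ALLOWED_VLANS_PORT3 = {"SSID-Guest": 30, "VLAN10-SSID": 10}


def tagged_int(attr_type, tag, value):
    """Tagged integer attribute: type, length 6, tag byte, 3-byte big-endian value."""
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def tagged_string(attr_type, tag, text):
    """Tagged string attribute; RFC 2868 sends the tag byte only when it is non-zero."""
    data = (bytes([tag]) if tag else b"") + text.encode("ascii")
    return bytes([attr_type, 2 + len(data)]) + data


def build_access_accept(ident, attrs):
    """Access-Accept with the given attributes and a constructed all-zero authenticator."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body


def parse_radius(packet):
    """Return (code, id, [(type, value_bytes), ...]); raises ValueError when malformed."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[i], packet[i + 1]
        if a_len < 2 or i + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[i + 2:i + a_len]))
        i += a_len
    return code, ident, attrs


def assigned_vlan(attrs):
    """VLAN ID from a Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-Id triple
    that shares one RFC 2868 tag, or None when no consistent triple exists."""
    groups = {}
    for a_type, val in attrs:
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:
                raise ValueError("tagged integer attribute must be 4 bytes")
            groups.setdefault(val[0], {})[a_type] = int.from_bytes(val[1:], "big")
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte of 0x00..0x1F is a tag; anything larger is already the string.
            tag, text = (val[0], val[1:]) if val and val[0] <= 0x1F else (0, val)
            groups.setdefault(tag, {})[a_type] = text.decode("ascii", "replace")
    for tag in sorted(groups):
        g = groups[tag]
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and g.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
            return int(g[TUNNEL_PRIVATE_GROUP_ID])
    return None


def check_access_accept(packet, allowed=ALLOWED_VLANS_PORT3):
    """'ok', 'no-vlan', 'vlan-not-allowed-on-port' or 'not-access-accept'."""
    code, _ident, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return "not-access-accept"
    vlan = assigned_vlan(attrs)
    if vlan is None:
        return "no-vlan"
    return "ok" if vlan in allowed.values() else "vlan-not-allowed-on-port"


# Constructed sample: an Access-Accept (id=8, as in the debug output) carrying the
# three attributes configured on FortiAuthenticator for VLAN 30.
SAMPLE_ACCEPT = build_access_accept(8, [
    tagged_int(TUNNEL_TYPE, 0, TUNNEL_TYPE_VLAN),
    tagged_int(TUNNEL_MEDIUM_TYPE, 0, TUNNEL_MEDIUM_IEEE_802),
    tagged_string(TUNNEL_PRIVATE_GROUP_ID, 0, "30"),
])

if __name__ == "__main__":
    print(assigned_vlan(parse_radius(SAMPLE_ACCEPT)[2]), check_access_accept(SAMPLE_ACCEPT))
```

A result of vlan-not-allowed-on-port is the case where the user authenticates fine but never gets an address: the Access-Accept is valid, but the VLAN it names is not in the allowed-vlans list of the port the FortiAP hangs off. The decoder only needs the attribute bytes, so it can also be fed the payload of a RADIUS reply taken from a packet capture.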

 

  6. Troubleshooting:

Debugs:

diagnose debug console timestamp enable
diagnose wireless-controller wlac sta_filter <MAC-ADDR> 255
diagnose debug enable

2023-07-28 10:21:23 64883.662 ee:ea:4b:d2:2b:42 <eh> IEEE 802.1X (EAPOL 50B) ==> ee:ea:4b:d2:2b:42 ws (0-192.168.20.2:15246) rId 1 wId 1 80:80:2c:36:18:39
2023-07-28 10:21:23 64883.667 ee:ea:4b:d2:2b:42 <eh> IEEE 802.1X (EAPOL 50B) <== ee:ea:4b:d2:2b:42 ws (0-192.168.20.2:15246) rId 1 wId 1 80:80:2c:36:18:39
2023-07-28 10:21:23 64883.667 ee:ea:4b:d2:2b:42 <eh>     recv IEEE 802.1X ver=1 type=0 (EAP_PACKET) data len=46
2023-07-28 10:21:23 64883.668 ee:ea:4b:d2:2b:42 <eh> RADIUS message (type=0) ==> RADIUS Server code=1 (Access-Request) id=8 len=357
2023-07-28 10:21:23 64883.697 ee:ea:4b:d2:2b:42 <eh> RADIUS message (type=0) <== RADIUS Server code=2 (Access-Accept) id=8 len=188
2023-07-28 10:21:23 64883.697 ee:ea:4b:d2:2b:42 <eh>     send IEEE 802.1X ver=2 type=0 (EAP_PACKET) data len=4
2023-07-28 10:21:23 64883.697 ee:ea:4b:d2:2b:42 <eh> IEEE 802.1X (EAPOL 8B) ==> ee:ea:4b:d2:2b:42 ws (0-192.168.20.2:15246) rId 1 wId 1 80:80:2c:36:18:39
2023-07-28 10:21:23 64883.697 ee:ea:4b:d2:2b:42 <eh>     send 1/4 msg of 4-Way Handshake
2023-07-28 10:21:23 64883.698 ee:ea:4b:d2:2b:42 <eh>     send IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=117 replay cnt 1
2023-07-28 10:21:23 64883.698 ee:ea:4b:d2:2b:42 <eh> IEEE 802.1X (EAPOL 121B) ==> ee:ea:4b:d2:2b:42 ws (0-192.168.20.2:15246) rId 1 wId 1 80:80:2c:36:18:39
2023-07-28 10:21:23 64883.703 ee:ea:4b:d2:2b:42 <eh> IEEE 802.1X (EAPOL 121B) <== ee:ea:4b:d2:2b:42 ws (0-192.168.20.2:15246) rId 1 wId 1 80:80:2c:36:18:39
2023-07-28 10:21:23 64883.703 ee:ea:4b:d2:2b:42 <eh>     recv IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=117
2023-07-28 10:21:23 64883.703 ee:ea:4b:d2:2b:42 <eh>     recv EAPOL-Key 2/4 Pairwise replay cnt 1
2023-07-28 10:21:23 64883.704 ee:ea:4b:d2:2b:42 <eh>     send 3/4 msg of 4-Way Handshake
2023-07-28 10:21:23 64883.704 ee:ea:4b:d2:2b:42 <eh>     send IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=191 replay cnt 2
2023-07-28 10:21:23 64883.704 ee:ea:4b:d2:2b:42 <eh> IEEE 802.1X (EAPOL 195B) ==> ee:ea:4b:d2:2b:42 ws (0-192.168.20.2:15246) rId 1 wId 1 80:80:2c:36:18:39
2023-07-28 10:21:23 64883.707 ee:ea:4b:d2:2b:42 <eh> IEEE 802.1X (EAPOL 99B) <== ee:ea:4b:d2:2b:42 ws (0-192.168.20.2:15246) rId 1 wId 1 80:80:2c:36:18:39
2023-07-28 10:21:23 64883.708 ee:ea:4b:d2:2b:42 <eh>     recv IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=95
2023-07-28 10:21:23 64883.708 ee:ea:4b:d2:2b:42 <eh>     recv EAPOL-Key 4/4 Pairwise replay cnt 2
2023-07-28 10:21:23 58825.708 239 ee:ea:4b:d2:2b:42 <dc> STA chg ee:ea:4b:d2:2b:42 vap SSID-Bridge ws (0-192.168.20.2:15246) rId 1 wId 1 bssid 80:80:2c:36:18:39 AUTH
2023-07-28 10:21:23 58825.708 239 ee:ea:4b:d2:2b:42 cwAcKernChgSta,6706 ws (0-192.168.20.2:15246) SSID-Bridge ee:ea:4b:d2:2b:42 ret 0
2023-07-28 10:21:23 58825.708 239 ee:ea:4b:d2:2b:42 <cc> STA chg ee:ea:4b:d2:2b:42 vap SSID-Bridge ws (0-192.168.20.2:15246) rId 1 wId 1 80:80:2c:36:18:39 sec WPA2 RADIUS auth 1 ******
2023-07-28 10:21:23 58825.708 239 ee:ea:4b:d2:2b:42 <cc> STA_CFG_REQ(62) sta ee:ea:4b:d2:2b:42 add key (len=16) ==> ws (0-192.168.20.2:15246) rId 1 wId 1
2023-07-28 10:21:23 64883.713 ee:ea:4b:d2:2b:42 <eh>     ***pairwise key handshake completed*** (RSN)
2023-07-28 10:21:23 58825.729 239 ee:ea:4b:d2:2b:42 cwAcAddWSSO mac ee:ea:4b:d2:2b:42 ip 192.168.30.3 usr 'test' grp 'NULL' authed 1
2023-07-28 10:21:26 58828.076 239 ee:ea:4b:d2:2b:42 cwAcAddWSSO mac ee:ea:4b:d2:2b:42 ip 192.168.30.3 usr 'test' grp 'NULL' authed 1
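The debug output above contains the three milestones worth checking in order: the RADIUS Access-Request/Access-Accept pair, the completed 4-way handshake, and the cwAcAddWSSO entry that shows the station with its learned IP address. As an added example (not Fortinet tooling), the following Python script reads sta_filter output and reports the first stage at which the flow breaks; the sample lines are taken from the output shown on this page, the line patterns are derived from that output only, and the expected subnet 192.168.30.0/24 comes from the VLAN 30 interface configured earlier.

```python
"""Triage 'diagnose wireless-controller wlac sta_filter' output for a dynamic-VLAN
client. Added example, not Fortinet tooling; patterns follow the lines on this page."""
import ipaddress
import re

# Sample lines taken from the debug output on this page: one successful 802.1X
# association that ends with the station getting a VLAN 30 address.
SAMPLE_DEBUG = """\
2023-07-28 10:21:23 64883.668 ee:ea:4b:d2:2b:42 <eh> RADIUS message (type=0) ==> RADIUS Server code=1 (Access-Request) id=8 len=357
2023-07-28 10:21:23 64883.697 ee:ea:4b:d2:2b:42 <eh> RADIUS message (type=0) <== RADIUS Server code=2 (Access-Accept) id=8 len=188
2023-07-28 10:21:23 64883.713 ee:ea:4b:d2:2b:42 <eh>     ***pairwise key handshake completed*** (RSN)
2023-07-28 10:21:23 58825.729 239 ee:ea:4b:d2:2b:42 cwAcAddWSSO mac ee:ea:4b:d2:2b:42 ip 192.168.30.3 usr 'test' grp 'NULL' authed 1
"""

RADIUS_RE = re.compile(r"RADIUS Server code=(\d+) \((Access-\w+)\) id=(\d+)")
WSSO_RE = re.compile(r"cwAcAddWSSO mac (\S+) ip (\S+) usr '([^']*)' grp '([^']*)' authed (\d)")
HANDSHAKE_DONE = "***pairwise key handshake completed***"


def summarize(debug_text):
    """Collect the RADIUS codes seen, whether the 4-way handshake finished,
    and the user/IP learned for each station MAC."""
    summary = {"radius": [], "handshake_done": False, "stations": {}}
    for line in debug_text.splitlines():
        m = RADIUS_RE.search(line)
        if m:
            summary["radius"].append((m.group(2), int(m.group(3))))
        if HANDSHAKE_DONE in line:
            summary["handshake_done"] = True
        m = WSSO_RE.search(line)
        if m:
            mac, ip, user, group, authed = m.groups()
            summary["stations"][mac] = {"ip": ip, "user": user, "group": group,
                                        "authed": authed == "1"}
    return summary


def verdict(debug_text, expected_subnet="192.168.30.0/24"):
    """Name the first stage at which the dynamic-VLAN flow breaks, or 'ok'."""
    s = summarize(debug_text)
    codes = {name for name, _ in s["radius"]}
    if "Access-Request" not in codes:
        return "no-radius-request"     # no 802.1X exchange reached the RADIUS stage
    if "Access-Reject" in codes:
        return "radius-reject"         # server refused the user
    if "Access-Accept" not in codes:
        return "no-radius-reply"       # server unreachable or request silently dropped
    if not s["handshake_done"]:
        return "handshake-incomplete"  # accepted, but the WPA2 4-way handshake did not finish
    if not s["stations"]:
        return "no-station-ip"         # no WSSO entry with an IP: client got no address
    net = ipaddress.ip_network(expected_subnet)
    for sta in s["stations"].values():
        if ipaddress.ip_address(sta["ip"]) not in net:
            return "wrong-vlan"        # got an address, but not from the assigned VLAN
    return "ok"


if __name__ == "__main__":
    print(verdict(SAMPLE_DEBUG))
```

The no-station-ip outcome is the symptom the tunnel-mode discussion below describes: authentication succeeds, yet the client never obtains an address because the assigned VLAN is not reachable from where the traffic lands. The wrong-vlan outcome points instead at the switch port or the RADIUS attributes (the client got an address, just from the wrong pool).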

 

Packet captures:

diagnose sniffer packet any 'host <radius-server-ip> and port 1812' 6 0 l

Behavior of a tunnel mode SSID versus a bridge mode SSID in this scenario:

The SSID must be in bridge mode; this functionality does not work with a tunnel mode SSID. A tunnel mode SSID creates a layer 3 virtual interface on the FortiGate, so only VLANs bound to that SSID interface can be matched.

When the SSID is in bridge mode:

A bridge mode SSID does not create a layer 3 virtual interface; instead, it is bridged with another physical or logical interface on the FortiGate. When the tagged DHCP traffic arrives at the FortiGate, it is delivered to the VLAN interface and the client receives an IP address from that interface's DHCP pool.

[Image: 7th.png]

When the SSID is in tunnel mode:

DHCP traffic arrives from the AP encapsulated in the CAPWAP tunnel and ends up on the CAPWAP interface. Because no VLAN 30 interface is bound to the SSID interface, the client cannot obtain an IP address.

[Image: 8th.png]

Based on the above, dynamic VLAN assignment on a tunnel mode SSID will only map to VLAN interfaces that sit on the SSID interface. If users need to be mapped to VLANs on other interfaces, such as FortiLink or other ports, a bridge mode SSID should be used.

Related article:

Troubleshooting Tip: How to configure an SSID on the FortiGate for FortiAuthenticator self-service p...