FortiGate
amahdi
Staff
Article Id 314686
Description

This article describes a scenario in which wireless users authenticate via RADIUS through FortiNAC, and the FortiGate RADIUS server entry uses a loopback interface address as its source IP:

 

config system interface
    edit "loopback-root"
        set vdom "root"
        set ip 10.250.255.1 255.255.255.255
        set allowaccess ping https ssh snmp http fgfm fabric
        set type loopback
        set role lan
        set snmp-index 54
    next
end

config user radius
    edit "FortiNAC"
        set server "10.50.10.26"
        set secret ENC
        set radius-coa enable
        set source-ip "10.250.255.1"
    next
end

Scope

FortiNAC.
Solution

When a client connects to the Wi-Fi SSID, it authenticates successfully via RADIUS through FortiNAC and matches the correct network access policy, but the device never leaves the isolation subnet and remains stuck in the isolation VLAN.

A packet capture shows FortiNAC sending a RADIUS Disconnect-Request to the FortiGate, but the FortiGate never answers with a Disconnect-ACK. These Change-of-Authorization (CoA) and Disconnect messages are defined in RFC 5176 and are sent to UDP port 3799, so the session on the FortiGate is never torn down and the client keeps its isolation-VLAN assignment.

The cause is the firewall policy that permits FortiNAC to reach the loopback interface: traffic destined to a loopback interface must be allowed by a regular firewall policy from the ingress interface to the loopback interface, and this policy does not include the CoA port. Make sure UDP port 3799 is allowed on the policy from the FortiNAC-facing interface to the loopback interface:

 

config firewall policy
    edit <ID>
        set name "FortiNAC to Firewall"
        set uuid
        set srcintf "NAME"
        set dstintf "loopback-root"
        set action accept
        set srcaddr "h-10.50.10.26-FortiNAC"
        set dstaddr "h-10.250.255.1-rootFW-Loopback"
        set schedule "always"
        set service "PING" "SNMP" "SSH" "tcp-9443"   <-- add one more service here covering UDP/3799 (the RADIUS CoA/Disconnect port)
        set utm-status enable
        set inspection-mode proxy
        set profile-type group
        set profile-group "csj-inside-standard"
        set logtraffic all
        set logtraffic-start enable
    next
end
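The corrected configuration, added here as an example and not taken from the article's own CLI output: it creates a custom service object for UDP/3799, appends it to the service list of the policy above, and then uses the FortiGate built-in sniffer to confirm that FortiNAC's Disconnect-Request is now answered. The service object name "RADIUS-CoA" is an assumed name; `<ID>` stands for the policy ID shown above, and the addresses are the ones from this article.

```text
# 1. Custom service object for RADIUS Dynamic Authorization (CoA / Disconnect,
#    RFC 5176), which uses UDP port 3799. The object name is an assumption.
config firewall service custom
    edit "RADIUS-CoA"
        set comment "RADIUS CoA / Disconnect-Request, RFC 5176"
        set udp-portrange 3799
    next
end

# 2. Add the new object to the existing FortiNAC -> loopback policy.
#    'set service' replaces the whole list, so repeat the existing entries.
config firewall policy
    edit <ID>
        set service "PING" "SNMP" "SSH" "tcp-9443" "RADIUS-CoA"
    next
end

# 3. Verify the policy now carries the CoA port.
show firewall policy <ID>

# 4. Reconnect a client to the SSID and watch the exchange on the loopback
#    address: expect a Disconnect-Request from 10.50.10.26 to 10.250.255.1
#    followed by a Disconnect-ACK from 10.250.255.1 back to 10.50.10.26.
#    Arguments: interface, capture filter, verbosity 4 (shows interface
#    names), packet count 10, 'l' for local timestamps.
diagnose sniffer packet any 'host 10.50.10.26 and udp port 3799' 4 10 l
```

Once the ACK appears in the capture, FortiNAC receives confirmation that the session was dropped, the client re-authenticates, and the new VLAN assignment from the matching network access policy takes effect. If the Disconnect-Request is still unanswered, check that `radius-coa` is enabled on the RADIUS server entry and that the loopback address in `source-ip` is the one FortiNAC sends the CoA traffic to.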