This article describes a simple example of how CoA (Change of Authorization) can be leveraged to reauthenticate a user's session in order to apply Dynamic Access Lists (DACLs) through the RADIUS protocol.
Starting from version 7.4, FortiNAC-F supports CoA messages to dynamically change user authorization.
FortiNAC-F, FortiSwitch, FortiGate.
By using CoA, it is possible to dynamically change user authorization. There is no need to wait for the NAS to initiate a re-authentication process or for the host to manually disconnect/connect.
In this scenario, the Fortinet proprietary attribute 'Fortinet-Host-Port-AVPair 42 string' is leveraged with the action to reauthenticate the port.
Once the user session has been cleared by the reauthentication, the DACL configuration is sent to the port through the RADIUS Access-Accept.
The attribute configured in the RADIUS server for CoA would be as follows:
Attribute: Fortinet-Host-Port-AVPair | Value: action=reauth-port | Effect: The FortiSwitch unit forces the reauthentication of the current session.
Additional attributes and configuration options are provided in this document.
Note: The same DACL deployment can also be achieved with older FortiNAC versions where CoA is not supported. In those cases, FortiNAC uses DM (Disconnect Messages) to immediately terminate the user session. The host then triggers a new connection to get access under the new policy.
CoA provides more flexibility in the actions that can be performed on the NAS, and reauthenticating the session is more accurate and provides a better user experience. On some occasions, when using Disconnect Messages, the host may not trigger a new connection request, and manually disconnecting from and reconnecting to the network is then needed to clear the issue for that endpoint.
Step 1. FortiSwitch Configuration.
DACLs must be enabled on 802.1X ports to apply different configurations using the attributes set per logical network in FortiNAC.
config switch interface
    edit port2
        config port-security
            set port-security-mode 802.1X
            set dacl enable
        end
    next
end
In this example, the following attribute is used to apply DACLs:
NAS-Filter-Rule += "<deny | permit> in <ip | ip-protocol-value> from any to <any | host | <ip-addr> | ipv4-addr/mask> [<tcp/udp-port | tcp/udp-port range>] [cnt]"
Using NAS-Filter-Rule, define all the DACL entries in the RADIUS server configuration (FortiNAC).
An additional option is to use 'Filter-Id'. In that case, all ACLs would need to be configured on the FortiSwitch.
FortiSwitch documentation including more configuration options:
Step 2: FortiNAC configuration.
In this example, a NAC policy is used that applies the following DACL when the host role changes to 'Not_Compliant':
permit in udp from any to any 67-68
deny in ip from any to any
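As an added example (not part of the Fortinet article), the following Python parses the NAS-Filter-Rule syntax quoted in Step 1 and evaluates the 'Not_Compliant' DACL above against sample flows, so the intended "DHCP only" effect can be checked before the rules are entered in the Attribute Group. The first-match and implicit-deny behaviour is an assumption of this model; the article does not state how FortiSwitch treats traffic that matches no rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str                           # "permit" or "deny"
    proto: str                            # "ip", "tcp", "udp" or a numeric IP protocol value
    dst: Optional[ipaddress.IPv4Network]  # None means "any"
    ports: Optional[range]                # None means no port restriction
    count: bool                           # trailing "cnt" keyword (per-rule hit counters)

def parse_rule(text: str) -> Rule:
    """Parse one rule of the NAS-Filter-Rule syntax quoted in Step 1:
    <deny|permit> in <ip|proto> from any to <any|host A.B.C.D|A.B.C.D/M> [port|lo-hi] [cnt]"""
    tok = text.split()
    if len(tok) < 7 or tok[0] not in ("permit", "deny") or tok[1] != "in" \
            or tok[3:6] != ["from", "any", "to"]:
        raise ValueError(f"malformed NAS-Filter-Rule: {text!r}")
    action, proto, i = tok[0], tok[2], 6
    if tok[i] == "any":
        dst, i = None, i + 1
    elif tok[i] == "host" and len(tok) > i + 1:
        dst, i = ipaddress.IPv4Network(tok[i + 1]), i + 2
    else:
        dst, i = ipaddress.IPv4Network(tok[i], strict=False), i + 1
    ports = None
    if i < len(tok) and tok[i] != "cnt":
        if proto not in ("tcp", "udp", "6", "17"):
            raise ValueError(f"port given for non-TCP/UDP protocol: {text!r}")
        lo, _, hi = tok[i].partition("-")
        ports, i = range(int(lo), int(hi or lo) + 1), i + 1
    count = i < len(tok) and tok[i] == "cnt"
    if i + int(count) != len(tok):
        raise ValueError(f"unexpected trailing tokens: {text!r}")
    return Rule(action, proto, dst, ports, count)

def parse_dacl(attr_value: str) -> List[Rule]:
    """FortiNAC returns the Attribute Group entries as one comma-separated value."""
    return [parse_rule(r.strip()) for r in attr_value.split(",") if r.strip()]

def evaluate(dacl: List[Rule], proto: str, dst_ip: str, dst_port: Optional[int] = None) -> str:
    """First matching rule wins; no match is treated as deny (assumption, not stated in the article)."""
    for r in dacl:
        if r.proto not in ("ip", proto): continue
        if r.dst is not None and ipaddress.IPv4Address(dst_ip) not in r.dst: continue
        if r.ports is not None and (dst_port is None or dst_port not in r.ports): continue
        return r.action
    return "deny"
```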
First, create a RADIUS Attribute Group entry for the DACL.
These are the ACLs that FortiNAC will return in the RADIUS Access-Accept once the session has been reauthenticated successfully.
Go to Network -> Radius -> Attribute Groups (or edit an already created Attribute Group from the FortiGate model config).
Create a new entry with the ACLs separated by a comma ','.
After that, create a Radius Attribute Group entry for the CoA Message to dynamically reauthenticate the user session.
Go to Network -> Radius -> Attribute Groups (or edit an already created Attribute Group entry from the FortiGate model config on the matching logical network that the NAC policy will apply).
In this test, the host is assigned the logical network 'ACL_ISOLATE' after its role changes. FortiNAC then builds the CoA message from the logical network configuration (RFC 5176 Attribute Group) to reauthenticate the session.
(Optional) CoA Configuration and FortiNAC logic when generating the CoA message.
RFC5176 support in FortiNAC includes some additional configuration options for multiple connections and daisy chain connections.
There are 4 configuration options.
When FortiNAC sees a need for a VLAN change for a particular host it will re-evaluate the Policies and apply the new logical configuration.
It will then build the CoA Message to change user session authorization.
The logic FortiNAC uses can be described by the diagram below:
Step 3. Configuration Verification.
To validate the results, trigger a host posture change by manually modifying the Host Role in FortiNAC GUI:
This triggers a VLAN change and a policy re-evaluation. The host matches the new policy, which applies the logical configuration containing the RFC 5176 attribute for the CoA message 'Re-Auth' and the RADIUS Attribute Group for 'DACL'.
FortiNAC sends the CoA message, to which the switch responds with a CoA-ACK while at the same time reauthenticating the user session:
In FortiGate Log&Report -> FortiSwitch events, it is possible to see the following Notice level log:
FortiNAC evaluates the new authentication attempt and responds in the RADIUS Access-Accept with the following attributes containing the ACLs:
FortiSwitch debugs during the reauthentication stage:
S108XXX # dia de console timestamp enable
S108EXXXX # dia de ap fnbamd -1
S108EXXXX # dia de en
S108EXXXX # 2024-06-26 16:27:46 fnbamd_fsm.c[1548] handle_req-Rcvd auth req 62615050 for user DESKTOP-J47UPA9\srogers cred_len:0: in group Radius_Group port=port2 opt=512 prot=8
.
.
2024-06-26 16:27:46 fnbamd_radius.c[1758] fnbamd_radius_auth_send-Compose RADIUS request
2024-06-26 16:27:46 fnbamd_dbg_hex_pnt[42] EAP msg from radius client (28)-
2024-06-26 16:27:46 fnbamd_radius.c[2043] fnbamd_radius_auth_send-Radius auth_send check DNS :10.10.10.6:
2024-06-26 16:27:46 fnbamd_radius.c[1706] fnbamd_rad_dns_cb-10.10.10.6->10.10.10.6
2024-06-26 16:27:46 fnbamd_radius.c[1602] __send_udp-sending radius udp IPv4 request: fd=11.
2024-06-26 16:27:46 fnbamd_radius.c[1645] __fnbamd_rad_send-Sent radius req to server 'Radius_NAC': fd=11, is_ipv6:0, IP=10.10.10.6(10.10.10.6:1812) code=ACCESS_REQUEST id=184 len=173 user="DESKTOP-J47UPA9\srogers" using EAP
.
.
2024-06-26 16:27:46 fnbamd_radius.c[2289] fnbamd_radius_auth_validate_pkt-RADIUS resp code ACCESS_CHALLENGE
2024-06-26 16:27:46 fnbamd_dbg_hex_pnt[42] EAP msg from radius server (6)-
2024-06-26 16:27:46 fnbamd_auth.c[2407] fnbamd_auth_handle_radius_result-->Result for radius svr 10.10.10.6(0) is FNBAM_CHALLENGED
.
.
2024-06-26 16:27:46 fnbamd_radius.c[1758] fnbamd_radius_auth_send-Compose RADIUS request
2024-06-26 16:27:46 fnbamd_dbg_hex_pnt[42] EAP msg from radius client (46)-
2024-06-26 16:27:46 fnbamd_radius.c[1602] __send_udp-sending radius udp IPv4 request: fd=11.
2024-06-26 16:27:46 fnbamd_radius.c[1645] __fnbamd_rad_send-Sent radius req to server 'Radius_NAC': fd=11, is_ipv6:0, IP=10.10.10.6(10.10.10.6:1812) code=ACCESS_REQUEST id=192 len=209 user="DESKTOP-J47UPA9\srogers" using EAP
2024-06-26 16:27:46 fnbamd_fsm.c[1976] handle_auth_rsp-handle_auth_rsp: from file descriptor:11:
2024-06-26 16:27:46 fnbamd_auth.c[2372] fnbamd_auth_handle_radius_result-Result for vlanId :60: vlanIdName::
2024-06-26 16:27:46 fnbamd_radius.c[269] check_response_authenticator-Response authenticator check result:0:.
2024-06-26 16:27:46 fnbamd_radius.c[2289] fnbamd_radius_auth_validate_pkt-RADIUS resp code ACCESS_ACCEPT
2024-06-26 16:27:46 fnbamd_radius.c[2400] fnbamd_radius_auth_validate_pkt-Class attribute size:0:
2024-06-26 16:27:46 fnbamd_radius.c[2418] fnbamd_radius_auth_validate_pkt-Filter attribute avp_sz:65: size:62:value:permit in udp from any to any 67-68,deny in ip from any to any:current:1:
2024-06-26 16:27:46 fnbamd_dbg_hex_pnt[42] EAP msg from radius server (4)-
2024-06-26 16:27:46 fnbamd_auth.c[2407] fnbamd_auth_handle_radius_result-->Result for radius svr 10.10.10.6(0) is FNBAM_SUCCESS
2024-06-26 16:27:46 fnbamd_auth.c[2427] fnbamd_auth_handle_radius_result-Passed group matching
After the reauthentication process has finished, the verification can finally be done at the port level on the FortiSwitch.
S108EXXXX # diagnose switch 802-1x status port2
port2 : Mode: port-based (mac-by-pass enable)
Link: Link up
Port State: authorized: ( )
Dynamic Authorized Vlan : 60
Dynamic Allowed Vlan list: 60
Dynamic Untagged Vlan list: 60
EAP pass-through : Enable
Auth Order : MAB-dot1x
Auth Priority : Legacy
EAP egress-frame-tagged : Enable
EAP auto-untagged-vlans : Enable
Allow MAC Move From : Disable
Dynamic Access Control List : Enable
Quarantine VLAN (4093) detection : Enable
Native Vlan : 60
Allowed Vlan list: 1,60-62,70,4088-4093
Untagged Vlan list: 4093
Guest VLAN :
Auth-Fail Vlan :
AuthServer-Timeout Vlan :
Sessions info:
00:0c:29:5a:2e:6b Type=802.1x,PEAP,state=AUTHENTICATED,etime=58,eap_cnt=28 params:reAuth=3600
user="DESKTOP-J47UPA9\srogers",security_grp="Radius_Group",fortinet_grp=""
Verify DACL status on the port.
S108EXXXX # diagnose switch 802-1x status-dacl port2
port2 : Mode: port-based (mac-by-pass enable)
DACL :enable: :
Session: 00:0c:29:5a:2e:6b DACL total items :1:
NAS-Rule 639 stats: pkts:2007: bytes:0: :permit in udp from any to any 67-68,deny in ip from any to any:
Common Errors and Misconfigurations with CoA.
When configuring custom attributes to be sent through CoA messages, the following must be taken into account:
Example 1. Session identifier missing or in the wrong format. Error cause 503: Session Context Not Found
CoA traffic from tcpdump/PCAP:
naclab1.forti.lab.60992 > 10.10.250.50.3799: RADIUS, length: 46
CoA-Request (43), id: 0x0e, Authenticator: dc8fc1687dc3f10028a64cdaaf3e5051
Vendor-Specific Attribute (26), length: 26, Value: Vendor: Fortinet (12356)
Vendor Attribute: 42, Length: 18, Value: action=reauth-port
10.10.250.50.3799 > naclab1.forti.lab.60992: RADIUS, length: 50
CoA-NAK (45), id: 0x0e, Authenticator: dc3498650df78dfbdf5718584d14d0bb
Error-Cause Attribute (101), length: 6, Value: Error cause 503: Session Context Not Found
Event-Timestamp Attribute (55), length: 6, Value: Tue Jun 11 14:10:32 2024
Message-Authenticator Attribute (80), length: 18, Value: ..QPRO.nv...N ..
In this example, the CoA-Request shows that only the Vendor-Specific attribute is present, carrying action=reauth-port.
Since the FortiSwitch cannot tell which session this action applies to, it responds with Session Context Not Found.
Note: Session Context Not Found can also be returned when the RADIUS server does send the session identifier attribute but in the wrong format. Some switches require the MAC in the format XX:XX:XX:YY:YY:YY, while other vendors might expect xxxx.xxyy.yyyy.
The vendor documentation should be checked when configuring this part.
Example 2. Missing Vendor-Specific attribute or wrong format. Error cause 401: Unsupported Attribute
naclab1.forti.lab.60992 > 10.10.250.50.3799: RADIUS, length: 39
CoA-Request (43), id: 0x1f, Authenticator: dd44786b3be359fdf31c6adce5abdd80
Calling-Station-Id Attribute (31), length: 19, Value: 80-5E-C0-D6-6E-06
10.10.250.50.3799 > naclab1.forti.lab.60992: RADIUS, length: 50
CoA-NAK (45), id: 0x1f, Authenticator: 9802df149069e9ed429a27fd6a6e3972
Error-Cause Attribute (101), length: 6, Value: Error cause 401: Unsupported Attribute
Event-Timestamp Attribute (55), length: 6, Value: Wed Jun 12 13:51:50 2024
In this case, the session identifier attribute Calling-Station-Id is present, but the action to be applied is missing.
In these cases the NAS responds with Unsupported Attribute.
CoA-Requests differ from Disconnect-Requests in this respect: Disconnect-Requests can contain only the session identifier attribute, and they immediately terminate the user session.
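As an added example (not from the article or from Fortinet), the following Python builds the two CoA-Request packets from the captures in Example 1 and Example 2, computes the RFC 5176 Request Authenticator, and models the NAS-side checks that lead to Error-Cause 503 and 401. The shared secret is a constructed value, and treating Calling-Station-Id as the only session identifier and checking it before the action attribute is a simplification of FortiSwitch behaviour, not something the article states.

```python
import hashlib
import struct

COA_REQUEST, VENDOR_SPECIFIC, CALLING_STATION_ID = 43, 26, 31   # code/types seen in the captures above
FORTINET_VENDOR_ID, FORTINET_HOST_PORT_AVPAIR = 12356, 42      # VSA carrying "action=reauth-port"
ERR_UNSUPPORTED_ATTRIBUTE, ERR_SESSION_CONTEXT_NOT_FOUND = 401, 503

def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the two header octets (RFC 2865)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def fortinet_avpair(text: str) -> bytes:
    """Vendor-Specific (26): 4-octet vendor ID, then Fortinet sub-attribute 42 as its own TLV."""
    sub = struct.pack("!BB", FORTINET_HOST_PORT_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + sub)

def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 2.3: Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """NAS-side check that the request was built by a client holding the shared secret."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth

def parse_attributes(packet: bytes):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def is_fortinet_action(atype: int, value: bytes) -> bool:
    return (atype == VENDOR_SPECIFIC and len(value) >= 6
            and value[:4] == struct.pack("!I", FORTINET_VENDOR_ID)
            and value[4] == FORTINET_HOST_PORT_AVPAIR and value[6:].startswith(b"action="))

def nas_check(packet: bytes):
    """Model of the two NAKs in the article: no session identifier -> 503 Session Context
    Not Found; session identified but no Fortinet action -> 401 Unsupported Attribute."""
    attrs = list(parse_attributes(packet))
    if not any(t == CALLING_STATION_ID for t, _ in attrs):
        return ERR_SESSION_CONTEXT_NOT_FOUND
    if not any(is_fortinet_action(t, v) for t, v in attrs):
        return ERR_UNSUPPORTED_ATTRIBUTE
    return None
```

The packet lengths produced for the two single-attribute requests (46 and 39 octets) match the lengths tcpdump reports in the captures above, which is a quick way to confirm the attribute encoding.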
Other information to be taken into account when working with CoA configuration in FortiNAC:
Related documents:
Copyright 2024 Fortinet, Inc. All Rights Reserved.