FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ebilcari
Staff
Article Id 319211
Description

 

This article describes a case in the Meraki AP integration where FortiNAC may not set a Host to offline after receiving the Syslog message 'events type=disassociation' from the AP.

FortiNAC cannot read live sessions from Meraki APs (the APs do not support L2 polling), so it learns whether a Host is still connected from the Syslog messages the APs send in real time.

 

Scope

 

FortiNAC and Meraki AP integration.

 

Solution

 

A protection mechanism called 'connect time delay' handles the race condition between RADIUS and Syslog messages. If FortiNAC receives a Syslog disassociation message from the Meraki AP within a set time (30 seconds by default) after the RADIUS authentication completes, the Syslog message is ignored and the Host stays online.

 

Under normal conditions a host does not disconnect so soon after it has authenticated and connected to the network. The delay therefore eliminates false disconnections when a Syslog message is delayed, for example a disassociation belonging to the previous session that only arrives after the new RADIUS authentication has completed.

 

The device attribute 'ConnectTimeDelay' overrides the default delay of 30 seconds (30000 milliseconds) for an individual AP. The value is in milliseconds, so 10000 sets a 10-second delay.

It can be set from the CLI by entering the shell and running the device command against the IP address of the AP:

 

execute enter-shell
$ device -ip <IP of the AP> -setAttr -name ConnectTimeDelay -value 10000

A shorter delay narrows the window in which a delayed Syslog disassociation is discarded, so lower the value only as far as the observed gap between authentication and disconnection requires; setting it too low brings back the false disconnections the delay is meant to prevent.

 

Helpful debugs:

 

diagnose debug plugin enable SyslogServer

diagnose debug plugin enable BridgeManager

 

Logs:

 

yams.SyslogServer FINER :: 2024-01-01 10:00:10:300 :: #132 :: SyslogServer received: 192.5.10.5 <134>1 1715682219.265391587 B1_APK201 events type=disassociation radio='0' vap='3' client_mac='A0:B0:C0:22:33:44' band='2' ...

 

yams.BridgeManager FINER :: 2024-01-01 10:00:10:301 :: #361 :: BridgeManager.disconnectLocalClient called for client A0:B0:C0:22:33:44 290
yams.BridgeManager FINER :: 2024-01-01 10:00:10:301 :: #361 :: disconnectClient() client = Client4 port = Component:

yams.BridgeManager FINER :: 2024-01-01 10:00:10:302 :: #361 :: BridgeManager.makeClientLost skipping immature disconnect for A0:B0:C0:22:33:44
yams.BridgeManager FINER :: 2024-01-01 10:00:10:302 :: #361 :: updateRadiusManagedAttr() 907
yams.BridgeManager INFO :: 2024-01-01 10:00:10:302 :: #361 :: InterfaceEntry has attached clients
yams.BridgeManager INFO :: 2024-01-01 10:00:10:302 :: #361 :: BridgeManager logoffUser logging off A0:B0:C0:22:33:44 290
yams.BridgeManager INFO :: 2024-01-01 10:00:10:302 :: #361 :: BridgeManager logoffUser skipping A0:B0:C0:22:33:44 290 

 

As the logs show, the disassociation arrived within the connect time delay of the host's last RADIUS authentication, so BridgeManager.makeClientLost treats it as an 'immature disconnect', skips it and leaves the host online.
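The following is an added example, not FortiNAC code: a small Python model of the connect time delay decision described above, run over a Meraki syslog line in the format shown in the SyslogServer debug, together with a scan of BridgeManager debug output for the 'skipping immature disconnect' lines. The sample syslog and debug lines are constructed from the ones on this page. It assumes (a labelled simplification) that FortiNAC measures the delay from the time it completed the RADIUS authentication to the time it received the syslog; the function and class names are the example's own.

```python
# Added example (not FortiNAC code): models the 'connect time delay' check on
# Meraki disassociation syslog events and scans BridgeManager debug output.
import re
from dataclasses import dataclass, field

DEFAULT_CONNECT_TIME_DELAY_MS = 30_000  # FortiNAC default of 30 seconds
LOWERED_CONNECT_TIME_DELAY_MS = 10_000  # the value set in the article

# Meraki MR 'events' syslog line as it appears in the SyslogServer debug above
# (the leading source IP there is FortiNAC's debug prefix, not part of the message).
SYSLOG_RE = re.compile(
    r"^<\d+>1 (?P<ts>\d+(?:\.\d+)?) (?P<ap>\S+) events type=(?P<type>\S+)(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)='([^']*)'")


def parse_meraki_event(line):
    """Return the fields of a Meraki 'events' syslog line as a dict."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Meraki events syslog line: {line!r}")
    fields = dict(KV_RE.findall(m.group("rest")))
    fields.update(ts=float(m.group("ts")), ap=m.group("ap"), type=m.group("type"))
    if "client_mac" in fields:
        fields["client_mac"] = fields["client_mac"].upper()
    return fields


@dataclass
class HostState:
    """Decision FortiNAC makes when a disassociation arrives for a host.

    Assumption: the delay is measured from the time the RADIUS authentication
    finished to the time the syslog message was received (both in epoch ms).
    """
    connect_time_delay_ms: int = DEFAULT_CONNECT_TIME_DELAY_MS
    radius_done_ms: dict = field(default_factory=dict)  # mac -> epoch ms
    online: dict = field(default_factory=dict)          # mac -> bool

    def radius_authenticated(self, mac, now_ms):
        mac = mac.upper()
        self.radius_done_ms[mac] = now_ms
        self.online[mac] = True

    def syslog_received(self, line, now_ms):
        """Apply one syslog line; returns 'online', 'offline', 'immature' or 'ignored'."""
        ev = parse_meraki_event(line)
        mac = ev.get("client_mac")
        if ev["type"] == "association":
            self.online[mac] = True
            return "online"
        if ev["type"] != "disassociation":
            return "ignored"
        done = self.radius_done_ms.get(mac)
        if done is not None and now_ms - done < self.connect_time_delay_ms:
            return "immature"  # the 'skipping immature disconnect' case; host stays online
        self.online[mac] = False
        return "offline"


# Constructed sample message in the format shown in the article.
DISASSOC = ("<134>1 1715682219.265391587 B1_APK201 events type=disassociation "
            "radio='0' vap='3' client_mac='A0:B0:C0:22:33:44' band='2'")
MAC = "A0:B0:C0:22:33:44"


def run_scenario(delay_ms, seconds_after_auth):
    """RADIUS completes at t=0; a disassociation for the same host arrives
    seconds_after_auth later. Returns (decision, host_still_online)."""
    st = HostState(connect_time_delay_ms=delay_ms)
    st.radius_authenticated(MAC, 0)
    decision = st.syslog_received(DISASSOC, int(seconds_after_auth * 1000))
    return decision, st.online[MAC]


# BridgeManager debug line format from the article's log excerpt.
IMMATURE_RE = re.compile(
    r"^yams\.BridgeManager \S+ :: (?P<ts>\S+ \S+) :: #\d+ :: "
    r"BridgeManager\.makeClientLost skipping immature disconnect for (?P<mac>[0-9A-Fa-f:]{17})"
)


def find_immature_disconnects(debug_text):
    """Return [(timestamp, mac)] for every 'skipping immature disconnect' debug line."""
    matches = (IMMATURE_RE.match(line.strip()) for line in debug_text.splitlines())
    return [(m.group("ts"), m.group("mac").upper()) for m in matches if m]


if __name__ == "__main__":
    # The same disassociation 20 s after RADIUS: ignored with the default, honoured at 10 s.
    print("default 30000 ms:", run_scenario(DEFAULT_CONNECT_TIME_DELAY_MS, 20))
    print("lowered 10000 ms:", run_scenario(LOWERED_CONNECT_TIME_DELAY_MS, 20))
    # A stale disassociation from the previous session, 5 s after re-auth, is ignored either way.
    print("delayed stale syslog:", run_scenario(LOWERED_CONNECT_TIME_DELAY_MS, 5))
```

Running the two scenarios side by side shows the trade-off from the text: with the default 30000 ms a genuine disconnect 20 seconds after authentication is discarded as immature, with 10000 ms it is honoured, while a stale disassociation arriving 5 seconds after re-authentication is still correctly ignored under both settings. `find_immature_disconnects` can be pointed at captured BridgeManager debug output to list every host and time at which FortiNAC made that decision.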

 

Related documentation:

Cisco Meraki MR Access Points Integration

Technical Tip: Wireless clients unable to connect to Meraki APs after upgrade to 9.4.x