This article describes why, in a Meraki AP integration, FortiNAC sometimes does not update the host state to offline when it receives the Syslog message 'events type=disassociation' from the AP.
Because FortiNAC cannot read live sessions from Meraki APs (the APs do not support L2 polling), it learns the host session status from the live Syslog messages the APs send.
FortiNAC and Meraki AP integration.
FortiNAC has a protection mechanism, the 'connect time delay', that handles the race condition between RADIUS and Syslog messages: if FortiNAC receives a Syslog disassociation message from the Meraki AP within a certain time (30 seconds by default) after the RADIUS authentication completes, the Syslog message is ignored.
Under normal conditions a host does not disconnect so soon after being authenticated and connected to the network, so this mechanism eliminates false disconnections when a Syslog disassociation message is delayed and arrives only after the host has already re-authenticated. The side effect is the behaviour described here: a genuine disassociation that arrives inside the window is ignored as well, and the host stays online.
The default delay of 30 seconds can be overridden per device by setting the 'ConnectTimeDelay' attribute on the AP in FortiNAC to a lower value. The value is in milliseconds; for example, to set it to 10000 (10 seconds):
execute enter-shell
$ device -ip <IP of the AP> -setAttr -name ConnectTimeDelay -value 10000
Lowering the value too far reintroduces the false disconnections the mechanism exists to prevent, so choose the smallest value that still covers the Syslog delay observed in the environment.
Helpful debugs:
diagnose debug plugin enable SyslogServer
diagnose debug plugin enable BridgeManager
Logs:
yams.SyslogServer FINER :: 2024-01-01 10:00:10:300 :: #132 :: SyslogServer received: 192.5.10.5 <134>1 1715682219.265391587 B1_APK201 events type=disassociation radio='0' vap='3' client_mac='A0:B0:C0:22:33:44' band='2' ...
yams.BridgeManager FINER :: 2024-01-01 10:00:10:301 :: #361 :: BridgeManager.disconnectLocalClient called for client A0:B0:C0:22:33:44 290
yams.BridgeManager FINER :: 2024-01-01 10:00:10:301 :: #361 :: disconnectClient() client = Client4 port = Component:
yams.BridgeManager FINER :: 2024-01-01 10:00:10:302 :: #361 :: BridgeManager.makeClientLost skipping immature disconnect for A0:B0:C0:22:33:44
yams.BridgeManager FINER :: 2024-01-01 10:00:10:302 :: #361 :: updateRadiusManagedAttr() 907
yams.BridgeManager INFO :: 2024-01-01 10:00:10:302 :: #361 :: InterfaceEntry has attached clients
yams.BridgeManager INFO :: 2024-01-01 10:00:10:302 :: #361 :: BridgeManager logoffUser logging off A0:B0:C0:22:33:44 290
yams.BridgeManager INFO :: 2024-01-01 10:00:10:302 :: #361 :: BridgeManager logoffUser skipping A0:B0:C0:22:33:44 290
As seen from the logs, FortiNAC receives the disassociation but discards it as an 'immature disconnect': the message arrived within the ConnectTimeDelay window after the RADIUS authentication for that MAC, so the host is not set offline. To confirm this is the cause, compare the timestamp of the SyslogServer line with the time of the preceding RADIUS authentication for the same MAC and check that the gap is shorter than the configured delay.
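The following Python model is added here as an example and is not FortiNAC's own code. It reproduces the behaviour described above: it parses the event type and client MAC out of a Meraki 'events type=...' Syslog payload, applies the ConnectTimeDelay gate against the time of the last RADIUS authentication for that MAC (showing the same disassociation skipped at the 30000 ms default and honoured at 10000 ms, while a stale message shortly after a re-authentication is skipped under both), and scans FortiNAC debug output for the 'skipping immature disconnect' line so the condition can be confirmed from a capture. The regular expressions, the HostSessionTracker class, the timelines and the Syslog payload are assumptions made for the example; the sample debug lines are the ones shown above.

```python
import re
from dataclasses import dataclass, field

# FortiNAC default connect time delay per the article (milliseconds).
DEFAULT_CONNECT_TIME_DELAY_MS = 30_000

# Assumed pattern for the Meraki event payload carried in the Syslog message,
# e.g. "events type=disassociation radio='0' vap='3' client_mac='A0:B0:C0:22:33:44' ..."
MERAKI_EVENT_RE = re.compile(
    r"events type=(?P<type>\w+).*?client_mac='(?P<mac>[0-9A-Fa-f:]{17})'"
)
# Assumed pattern for the BridgeManager debug line that reveals a skipped disconnect.
IMMATURE_SKIP_RE = re.compile(
    r"makeClientLost skipping immature disconnect for (?P<mac>[0-9A-Fa-f:]{17})"
)


def parse_meraki_event(text):
    """Return (event_type, MAC) from a Meraki event payload or a debug line containing one."""
    m = MERAKI_EVENT_RE.search(text)
    if m is None:
        return None
    return m.group("type"), m.group("mac").upper()


@dataclass
class HostSessionTracker:
    """Model (not FortiNAC code) of the RADIUS/Syslog race protection described above."""
    connect_time_delay_ms: int = DEFAULT_CONNECT_TIME_DELAY_MS
    last_auth_ms: dict = field(default_factory=dict)
    online: set = field(default_factory=set)

    def radius_authenticated(self, mac, now_ms):
        # RADIUS authentication completed: host is online and the delay window starts.
        self.last_auth_ms[mac] = now_ms
        self.online.add(mac)

    def syslog_event(self, payload, now_ms):
        """Apply a Meraki Syslog event and return what the model did with it."""
        parsed = parse_meraki_event(payload)
        if parsed is None:
            return "unparsed"
        event_type, mac = parsed
        if event_type != "disassociation":
            return "not-handled"  # only disassociation is modelled here
        auth = self.last_auth_ms.get(mac)
        if auth is not None and now_ms - auth < self.connect_time_delay_ms:
            # Inside the ConnectTimeDelay window: treated as an immature disconnect and ignored.
            return "immature-skipped"
        self.online.discard(mac)
        return "offline"


def diagnose_debug_log(lines):
    """Map each MAC with a received disassociation to whether FortiNAC skipped it."""
    received, skipped = set(), set()
    for line in lines:
        if "SyslogServer received:" in line:
            parsed = parse_meraki_event(line)
            if parsed is not None and parsed[0] == "disassociation":
                received.add(parsed[1])
        m = IMMATURE_SKIP_RE.search(line)
        if m is not None:
            skipped.add(m.group("mac").upper())
    return {mac: ("skipped as immature" if mac in skipped else "processed") for mac in received}


# Constructed Syslog payload in the Meraki format shown in the debug output above.
DISASSOC_PAYLOAD = (
    "<134>1 1715682219.265391587 B1_APK201 events type=disassociation radio='0' vap='3' "
    "client_mac='A0:B0:C0:22:33:44' band='2'"
)

# Sample debug lines, taken from the capture shown above.
SAMPLE_DEBUG_LINES = [
    "yams.SyslogServer FINER :: 2024-01-01 10:00:10:300 :: #132 :: SyslogServer received: 192.5.10.5 " + DISASSOC_PAYLOAD,
    "yams.BridgeManager FINER :: 2024-01-01 10:00:10:301 :: #361 :: BridgeManager.disconnectLocalClient called for client A0:B0:C0:22:33:44 290",
    "yams.BridgeManager FINER :: 2024-01-01 10:00:10:302 :: #361 :: BridgeManager.makeClientLost skipping immature disconnect for A0:B0:C0:22:33:44",
]


def run_scenarios():
    """Constructed timelines: a real disconnect 15 s after auth, then a stale Syslog 2 s after re-auth."""
    mac = "A0:B0:C0:22:33:44"
    results = {}
    for delay_ms in (DEFAULT_CONNECT_TIME_DELAY_MS, 10_000):
        t = HostSessionTracker(connect_time_delay_ms=delay_ms)
        t.radius_authenticated(mac, 0)
        genuine = t.syslog_event(DISASSOC_PAYLOAD, 15_000)   # host really left 15 s after auth
        t.radius_authenticated(mac, 60_000)                  # host re-authenticates later
        stale = t.syslog_event(DISASSOC_PAYLOAD, 62_000)     # delayed message for the old session
        results[delay_ms] = {"genuine_at_15s": genuine, "stale_at_2s": stale, "online": mac in t.online}
    return results


if __name__ == "__main__":
    print(run_scenarios())
    print(diagnose_debug_log(SAMPLE_DEBUG_LINES))
```

With the 30000 ms default the genuine disassociation at 15 s is skipped and the host stays online, which is the symptom this article describes; at 10000 ms it is honoured, while the stale message 2 s after the re-authentication is still discarded under both settings. Running diagnose_debug_log over the capture reports the MAC whose disassociation was received and then skipped as immature.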
Related documentation:
Cisco Meraki MR Access Points Integration
Technical Tip: Wireless clients unable to connect to Meraki APs after upgrade to 9.4.x
Copyright 2024 Fortinet, Inc. All Rights Reserved.