FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
dodsonj
Staff
Article Id 331159
Description

This article describes FortiNAC support for Ubiquiti UniFi Access Point CoA. As of FortiNAC-F 7.2.7 and 7.4.1 firmware versions, Ubiquiti UniFi Access Point CoA is now supported, allowing FortiNAC to dynamically change VLANs, so that a wireless client does not need to disconnect and reconnect to a wireless access point to be assigned the appropriate VLAN based on either Network Access Policy or Host State.

If upgrading FortiNAC is not possible, the steps below provide the same functionality on the earlier firmware versions 9.4.x, 7.2.x and 7.4.0.

Scope

FortiNAC, FortiNAC-F, Ubiquiti UniFi Controller and AP.
Solution

Before performing these steps, it is strongly recommended to take a backup or snapshot of the FortiNAC physical or virtual appliance and undertake the changes during a maintenance window.

FortiNAC-F:

In the CLI, enter the following commands:

execute enter-shell

vim /bsc/campusMgr/master_loader/.masterPropertyFile

The file should reflect the following:

#############################################################
# FILE_NAME=./properties_plugin/bridgeManager.properties
# {
# com.bsc.plugin.bridge.BridgeManager.verifyRegisterdClients=true
# }
#############################################################

Add the following to the file:

FILE_NAME=./properties_plugin/radiusDevice.properties
{
com.bsc.plugin.radius.RadiusServer.accountingAttrs.UbiquitiAP=4,31,32,44
com.bsc.plugin.radius.RadiusServer.disconnectAttrs.UbiquitiAP=4,31,32,44
}

The file should now reflect the following:

#############################################################
# FILE_NAME=./properties_plugin/bridgeManager.properties
# {
# com.bsc.plugin.bridge.BridgeManager.verifyRegisterdClients=true
# }
#############################################################
FILE_NAME=./properties_plugin/radiusDevice.properties
{
com.bsc.plugin.radius.RadiusServer.accountingAttrs.UbiquitiAP=4,31,32,44
com.bsc.plugin.radius.RadiusServer.disconnectAttrs.UbiquitiAP=4,31,32,44
}

UniFi Controller:

In the GUI, ensure that RADIUS DAS/DAC (CoA) is enabled for the applicable SSID(s) by navigating to Wireless Networks -> SSID Name -> Advanced Options (use the Legacy View if the option is not readily available in the New View).

FortiNAC-F:

To capture the CoA packets exchanged between FortiNAC and the UniFi AP, enter the following commands in the CLI:

execute enter-shell

sudo tcpdump -nnvvi port1 host <unifi-ap-ip-address> and port 3799

To send a CoA disconnect, enter the following commands in a second CLI session:

execute enter-shell

SendCoA -ip <unifi-ap-ip-address> -mac <client-mac-address> -dis

Alternatively, the same can be achieved in the GUI by changing the client's Host State or Network Access Policy.

FortiNAC will send a Disconnect-Request packet, and the UniFi AP will reply with a Disconnect-ACK packet. If the UniFi AP instead replies with a Disconnect-NAK packet, identify the Error-Cause attribute in the packet and investigate further.

For example, if the Error-Cause is Session-Context-Not-Found, this usually indicates that the necessary VLAN Only Networks have not been created on the UniFi Controller as described in the Ubiquiti UniFi Access Point Integration guide.
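To make sense of what the tcpdump capture on port 3799 shows, it helps to see the Disconnect-Request / Disconnect-ACK / Disconnect-NAK exchange built and decoded by hand. The following is an added, offline example written for this article; it is not FortiNAC, SendCoA or Ubiquiti code. It encodes a Disconnect-Request carrying the four attributes configured above (4 NAS-IP-Address, 31 Calling-Station-Id, 32 NAS-Identifier, 44 Acct-Session-Id), computes the RFC 5176 Request Authenticator, simulates the AP's ACK and a NAK with Error-Cause 503 (Session-Context-Not-Found, the case discussed above), verifies the Response Authenticator before trusting a reply, and decodes the Error-Cause. The shared secret, AP address, session id and the dash-separated MAC format used for Calling-Station-Id are constructed placeholders, not values from the article; nothing is sent on the network.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 5176 packet codes seen on UDP/3799
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Attribute numbers from the radiusDevice.properties lines in this article
NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_IDENTIFIER, ACCT_SESSION_ID = 4, 31, 32, 44
ERROR_CAUSE = 101  # RFC 5176 section 3.5, carried in NAK replies
# Subset of RFC 5176 Error-Cause values worth recognising when reading a NAK
ERROR_CAUSE_NAMES = {401: "Unsupported-Attribute", 402: "Missing-Attribute",
                     404: "Invalid-Request", 503: "Session-Context-Not-Found"}
SECRET = b"example-shared-secret"  # constructed placeholder, not a real secret

def _encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length, payload."""
    out = b""
    for atype, value in attrs:
        if atype == NAS_IP_ADDRESS:
            payload = ipaddress.IPv4Address(value).packed
        elif atype == ERROR_CAUSE:
            payload = struct.pack("!I", value)
        else:
            payload = value.encode() if isinstance(value, str) else value
        out += struct.pack("!BB", atype, len(payload) + 2) + payload
    return out

def build_disconnect_request(identifier, secret, attrs):
    """Return (packet, request_authenticator) for a Disconnect-Request."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    # RFC 5176 3.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body, auth

def build_response(code, identifier, request_auth, secret, attrs):
    """Build the ACK/NAK an AP would return; used here only to simulate the AP."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    # RFC 5176 3.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def parse_packet(data):
    """Decode header and attributes; raises ValueError on malformed input."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        payload = data[pos + 2:pos + alen]
        if atype == ERROR_CAUSE:
            value = struct.unpack("!I", payload)[0]
        elif atype == NAS_IP_ADDRESS:
            value = str(ipaddress.IPv4Address(payload))
        else:
            value = payload.decode(errors="replace")
        attrs.append((atype, value))
        pos += alen
    return {"code": code, "id": identifier, "attrs": attrs}

def verify_response(response, request_auth, secret):
    """Recompute the Response Authenticator so a forged or wrong-secret reply is rejected."""
    header, auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(auth, expected)

def explain_response(response, request_auth, secret):
    """Turn a reply into the verdict you want while reading the tcpdump trace."""
    if not verify_response(response, request_auth, secret):
        return "authenticator mismatch (wrong shared secret or forged reply)"
    pkt = parse_packet(response)
    if pkt["code"] == DISCONNECT_ACK:
        return "Disconnect-ACK"
    if pkt["code"] == DISCONNECT_NAK:
        causes = [v for t, v in pkt["attrs"] if t == ERROR_CAUSE]
        detail = ", ".join(f"{c} ({ERROR_CAUSE_NAMES.get(c, 'unknown')})" for c in causes)
        return "Disconnect-NAK: Error-Cause " + (detail or "absent")
    return f"unexpected code {pkt['code']}"

def demo():
    """One request plus the two replies an AP can give (ACK, or NAK with 503)."""
    req, req_auth = build_disconnect_request(7, SECRET, [
        (NAS_IP_ADDRESS, "192.0.2.10"),             # stands in for <unifi-ap-ip-address>
        (CALLING_STATION_ID, "00-11-22-33-44-55"),  # assumed Calling-Station-Id format
        (NAS_IDENTIFIER, "unifi-ap-01"),            # constructed
        (ACCT_SESSION_ID, "5F3A1B2C"),              # constructed
    ])
    ack = build_response(DISCONNECT_ACK, 7, req_auth, SECRET, [])
    nak = build_response(DISCONNECT_NAK, 7, req_auth, SECRET, [(ERROR_CAUSE, 503)])
    return req, req_auth, ack, nak
```

Calling demo() and passing the replies through explain_response() gives "Disconnect-ACK" for the first reply and "Disconnect-NAK: Error-Cause 503 (Session-Context-Not-Found)" for the second; feeding the wrong secret to verify_response() rejects the reply rather than reporting a NAK, which is the check to keep in mind when a capture shows unexpected responses: a shared-secret mismatch between FortiNAC and the UniFi device looks different on the wire from a genuine Error-Cause.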