FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi (Staff)
Article Id 358576
Description: This article shows how to configure and validate RADIUS accounting in order to update the switch port state when a host disconnects.
Scope: FortiNAC-F.
Solution

The RADIUS protocol is one of the methods that FortiNAC uses for learning about endpoints connecting to the network.

When a host connects, FortiNAC parses the attributes of the incoming RADIUS Access-Request in order to update the port state to 'Link up' and show the connecting host with the icon corresponding to its state.

When a host disconnects, FortiNAC can leverage the RADIUS Accounting Stop message as an endpoint connectivity notification and change the port state to 'Link down'.

Admin status is on and Link status is down, indicating that nothing is connected.

This dynamic way of learning port state changes is essential for FortiNAC to establish visibility and apply the appropriate controls on the port.

An example is the case where the administrator wants to reset the VLAN on the port to the 'Default' or 'Registration' VLAN when no host is connected.

The 'Default' VLAN is applied on the port when the port is a member of the 'Reset Forced Default' port group in FortiNAC and no host is connected.

However, this does not happen immediately. A timer of 60 seconds (default) must expire before the VLAN is reset.

The timer is the 'VLAN Reset Delay (Sec)' setting, defined in System -> Settings -> Network Device.

Without RADIUS accounting, FortiNAC relies on L2 polling, SNMP traps, or any other method/protocol supported by the switch in order to dynamically update the port state.

In the example below, a host disconnects from a FortiSwitch in FortiLink mode.

By enabling tcpdump on FortiNAC it is possible to verify that FortiNAC responds to the Accounting Stop message when a host is disconnected from the switch by unplugging the Ethernet cable.

naclab1# execute tcpdump -i any port 1813 -v

10.10.250.50.35490 > naclab1.forti.lab.radius-acct: RADIUS, length: 162
Accounting-Request (4), id: 0x5c, Authenticator: 8dda0bf6ff6edXXXX
Acct-Status-Type Attribute (40), length: 6, Value: Stop
Acct-Session-Id Attribute (44), length: 10, Value: 00000XX
User-Name Attribute (1), length: 9, Value: srogers
NAS-Identifier Attribute (32), length: 18, Value: S108EPXXXXXX
NAS-Port-Id Attribute (87), length: 7, Value: port2
NAS-Port Attribute (5), length: 6, Value: 2
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
NAS-IP-Address Attribute (4), length: 6, Value: _gateway
Called-Station-Id Attribute (30), length: 19, Value: E8-1C-BA-XX-XX-XX
Calling-Station-Id Attribute (31), length: 19, Value: C8-A3-62-04-D7-20
Acct-Input-Octets Attribute (42), length: 6, Value: 2197174
Acct-Output-Octets Attribute (43), length: 6, Value: 11111XXXX
Acct-Input-Packets Attribute (47), length: 6, Value: 12XXX
Acct-Output-Packets Attribute (48), length: 6, Value: 79XXX
Acct-Terminate-Cause Attribute (49), length: 6, Value: Admin Reset
Event-Timestamp Attribute (55), length: 6, Value: Wed Nov 6 17:00:49 2024
17:00:49.381670 port1 Out IP (tos 0x0, ttl 64, id 31351, offset 0, flags [none], proto UDP (17), length 48)

naclab1.forti.lab.radius-acct > 10.10.250.50.35490: RADIUS, length: 20
Accounting-Response (5), id: 0x5c, Authenticator: 25a8509fd43cd1a4bbc7ef0cbf463ec7

In FortiNAC's output.master log the following events are logged:

yams.RadiusAccess.C8:A3:62:04:D7:20 FINE :: 2024-11-06 17:00:49:374 :: #828 :: GetClient: Client found for MAC [C8:A3:62:04:D7:20]
yams.RadiusAccess.C8:A3:62:04:D7:20 FINE :: 2024-11-06 17:00:49:374 :: #828 :: Processing Accounting [Stop] for client C8:A3:62:04:D7:20 [ID=217]

Once FortiNAC responds to the Accounting Stop request, it updates the Port view in the GUI to show the port state as 'Link Down'.
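
The following Python is an added illustration, not FortiNAC code or code from the article: it models the exchange captured above by building an Accounting-Request Stop carrying the attributes FortiNAC keys on (Acct-Status-Type, Calling-Station-Id, NAS-Port-Id), checking the Request Authenticator against the shared secret before the event is trusted, and producing the 20-byte Accounting-Response seen in the capture. The shared secret and the sample packet are constructed placeholders.

```python
import hashlib
import struct

# RADIUS accounting codes and the attribute types FortiNAC needs to map an
# accounting event to a host and switch port (RFC 2866).
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
ATTR = {1: "User-Name", 31: "Calling-Station-Id", 40: "Acct-Status-Type", 87: "NAS-Port-Id"}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
SECRET = b"constructed-shared-secret"  # placeholder, not the lab's real secret

def build_acct_request(ident, avps, secret):
    """TLV-encode avps; Request Authenticator = MD5(hdr + 16 zero bytes + attrs + secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    hdr = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body

def parse_acct_request(pkt, secret):
    """Decode an authentic Accounting-Request; None if the secret, length or TLVs are bad."""
    if len(pkt) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        return None
    if hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest() != pkt[4:20]:
        return None  # wrong shared secret or tampered packet: never act on it
    out, i = {}, 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            return None  # malformed attribute
        t, v = pkt[i], pkt[i + 2:i + pkt[i + 1]]
        if t == 40 and len(v) == 4:
            out["Acct-Status-Type"] = STATUS.get(struct.unpack("!I", v)[0], "Unknown")
        elif t in ATTR and t != 40:
            out[ATTR[t]] = v.decode("ascii", "replace")
        i += pkt[i + 1]
    return out

def build_acct_response(req, secret):
    """20-byte Accounting-Response; Response Authenticator = MD5(hdr + RequestAuth + secret)."""
    hdr = struct.pack("!BBH", ACCT_RESPONSE, req[1], 20)
    return hdr + hashlib.md5(hdr + req[4:20] + secret).digest()

# Constructed sample modelled on the Stop message captured in the article.
SAMPLE_STOP = build_acct_request(0x5C, [
    (40, struct.pack("!I", 2)),   # Acct-Status-Type = Stop
    (1, b"srogers"),              # User-Name
    (87, b"port2"),               # NAS-Port-Id: the switch port to mark Link Down
    (31, b"C8-A3-62-04-D7-20"),   # Calling-Station-Id: the disconnecting host's MAC
], SECRET)
```

A request that fails the authenticator check is dropped rather than answered, which is why a mismatched shared secret on the switch shows up as unanswered Accounting-Requests in a capture like the one above.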

When configuring RADIUS accounting in FortiNAC, check the following:

  1. The RADIUS Accounting service (radius-acct) is enabled on port1:

naclab1 # show system interface
config system interface
edit port1
set ip 10.10.10.6/24
set allowaccess http https-adminui nac-agent nac-ipc netflow ping radius radius-acct radius-local  snmp ssh
next
edit port2
set ip 10.20.20.2/24
set allowaccess dhcp dns http https nac-agent ping
next
end

  2. FortiNAC is listening for packets on accounting port 1813:

 

naclab1:~$ netstat -panu | grep 1813
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
udp 0 0 0.0.0.0:1813 0.0.0.0:* -
udp6 0 0 :::1813 :::* -

This can also be verified in the GUI under Network -> RADIUS -> Service logs:

Figure 1. Validate if FortiNAC is listening for Requests on UDP Port 1813

In some versions, FortiNAC might not start listening on port 1813 when using the Local RADIUS configuration.

In such cases, it is necessary to enable the RADIUS Proxy service or 'Proxy Accounting' service and create a RADIUS proxy server configuration.

This is required only for Local RADIUS to start listening on port 1813. This issue is tracked in engineering report 1069166 and will be fixed in FortiNAC versions 7.4.1 GA and later.

Related Documentation:

RADIUS Server Configuration

Troubleshooting Tip: Viewing FortiNAC-F local RADIUS logs from GUI

Technical Tip: FortiNAC RADIUS debug errors and solutions