Created on 02-05-2025 01:57 AM
Edited on 07-25-2025 05:38 AM
By Jean-Philippe_P
| Description | This article describes the details of the integration with a Cisco WLC when using RADIUS authentication. If the integration is not configured correctly, FortiNAC will not send the Change of Authorization / Disconnect Message (CoA/DM). In this example, the host is registered through the portal, and after successful registration, the network/VLAN remains unchanged. |
| Scope | FortiNAC and Cisco WLC. |
| Solution |
After the host is successfully registered (as also seen in the Events or the output.master logs) and matches the new Network Access Policy, the Airspace debug output shows that FortiNAC decides not to disconnect this host:
yams INFO :: #789 :: DevicePluginThread0 in CiscoWLCSwitchingPolicy.checkRegisteredVlans for client 01:02:03:04:05:06 host = test@mail.com 01:02:03:04:05:06 and device 10.1.1.11
yams.RadiusAccess :: #456 :: GetNasPortId: Returning null
This happens because FortiNAC records the wrong location for the host: it appears as connected to a VLAN rather than to the SSID. The cause is that the Cisco WLC is not configured to send the SSID information in the 'Called-Station-Id' RADIUS attribute. This can be quickly verified by running a packet capture from the FortiNAC CLI or by checking the 'RadiusAccess' logs in the output.master log file:
yams.RadiusAccess. :: #777 :: [Access-Request] Authenticate Request (17 RadAttrs):
This can be changed in the Cisco WLC configuration, as also shown in this external article, to send the MAC address of the AP and the SSID information:
Related document: |