FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ebilcari
Staff
Article Id 291042
Description

 

This article describes FortiNAC integrations with cloud-managed Meraki switches in which some RADIUS reauthentications happen at seemingly random times. Each reauthentication disrupts the connection of the end host for a few seconds.

 

Scope

 

FortiNAC and setups that have Meraki switches integrated.

 

Solution

 

While troubleshooting this behavior, both the RADIUS logs and the packet capture show that the CoA is sent by FortiNAC as a legitimate request.

This is the CoA attribute shown in the packet capture:

 

AVP: t=Acct-Terminate-Cause(49) l=6 val=Admin-Reset(6)
Type: 49
Length: 6
Acct-Terminate-Cause: Admin-Reset (6)

 

The master log shows that these CoA requests are triggered for some of the connected hosts after an L2 poll of the switch. On these switch models, polling is done through SNMP.

In this case, two hosts appear listed on port 12 of the switch and one of the MAC addresses is a multicast address:

 

yams INFO :: 2023-12-27 17:20:20:043 :: #86 :: SW1 iface = 12 mac = 01:00:5E:xx:xx:xx status = 3 opStatus = 1
yams INFO :: 2023-12-27 17:20:20:043 :: #86 :: adding macObj:01:00:5E:xx:xx:xx to list key=12

-

yams INFO :: 2023-12-27 17:20:20:548 :: #86 :: SW1 iface = 12 mac = DA:76:55:xx:xx:xx status = 3 opStatus = 1
yams INFO :: 2023-12-27 17:20:20:548 :: #86 :: adding macObj:DA:76:55:xx:xx:xx to list key=12

 

com.bsc.plugin.radius.RadiusServer$RadiusElementListener 10.7.8.1 RadiusServer updating client DA:76:55:xx:xx:xx
yams.merakiSwitch INFO :: 2023-12-27 17:20:22:037 :: #103 :: ClearSessThread taking action on mac 01:00:5E:xx:xx:xx(optimizedForPA=false) on device SW1
yams.RadiusManager INFO :: 2023-12-27 17:20:22:037 :: #103 :: ClearSessThread2 RadiusServer sendDisconnect to device 192.168.55.5 for client 01:00:5E:xx:xx:xx

 

When checking the switch port in the FortiNAC GUI, an additional MAC address (a multicast MAC address, shown with the wrong location) appears at random. It triggers a new policy evaluation, and FortiNAC treats the port as being in connection state 'Multiple Hosts'.


Other types of switches usually will not report any multicast MAC address after an L2 polling.
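
The following Python script is an added example, not part of the original article or of FortiNAC tooling. It scans master-log text in the format shown above, flags switch ports where an L2 poll learned a multicast MAC (I/G bit set in the first octet) next to another address, and lists the disconnects sent for such addresses. The sample log is constructed (the full MAC octets are made up), and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the master-log format shown above; MAC octets are made up.
SAMPLE_LOG = """\
yams INFO :: 2023-12-27 17:20:20:043 :: #86 :: SW1 iface = 12 mac = 01:00:5E:00:00:FB status = 3 opStatus = 1
yams INFO :: 2023-12-27 17:20:20:548 :: #86 :: SW1 iface = 12 mac = DA:76:55:00:00:01 status = 3 opStatus = 1
yams INFO :: 2023-12-27 17:20:20:900 :: #86 :: SW1 iface = 14 mac = 00:11:22:00:00:02 status = 3 opStatus = 1
yams.RadiusManager INFO :: 2023-12-27 17:20:22:037 :: #103 :: ClearSessThread2 RadiusServer sendDisconnect to device 192.168.55.5 for client 01:00:5E:00:00:FB
"""

MAC = r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
POLL_RE = re.compile(r":: (\S+) iface = (\S+) mac = " + MAC)
DISC_RE = re.compile(r"sendDisconnect to device (\S+) for client " + MAC)


def is_multicast(mac):
    """Group addresses have the I/G bit (lowest bit of the first octet) set."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


def analyze(log_text):
    """Return (affected_ports, multicast_disconnects) found in master-log text."""
    learned = defaultdict(list)  # (switch, iface) -> MACs learned by the L2 poll
    disconnects = []             # (device_ip, client_mac) from sendDisconnect lines
    for line in log_text.splitlines():
        poll = POLL_RE.search(line)
        if poll:
            mac = poll.group(3).upper()
            if mac not in learned[(poll.group(1), poll.group(2))]:
                learned[(poll.group(1), poll.group(2))].append(mac)
            continue
        disc = DISC_RE.search(line)
        if disc:
            disconnects.append((disc.group(1), disc.group(2).upper()))
    # Ports where a multicast MAC was learned next to another address
    affected = {port: macs for port, macs in learned.items()
                if len(macs) > 1 and any(is_multicast(m) for m in macs)}
    return affected, [d for d in disconnects if is_multicast(d[1])]


if __name__ == "__main__":
    ports, discs = analyze(SAMPLE_LOG)
    for (switch, iface), macs in ports.items():
        print(f"{switch} port {iface}: learned MACs {macs} include a multicast address")
    for ip, mac in discs:
        print(f"Disconnect sent to {ip} for multicast client {mac}")
```
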

Since this behavior cannot be changed on the Meraki switch, FortiNAC must be changed to ignore multicast MAC addresses when learning. The setting is under System -> Settings -> User/Host Management -> MAC address Exclusion -> [Exclude Multicast Addresses]; restart the FortiNAC application after changing it.

 


 

Disable IGMP snooping. If it is enabled, refer to Multicast support - Cisco Meraki Documentation.

Debug commands:

 

> nacdebug -name RadiusAccess true
> nacdebug -name RadiusManager true

> device -ip <x.x.x.x> -delAttr -name DEBUG -value "ForwardingInterface TelnetServer"

 

Related document:

Meraki MS Switch