FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 232015
Description

This article describes wired 802.1x authentication scenarios in which a VLAN change through RADIUS fails because of an incompatibility in the NAS-Port format used by Huawei, even though FortiNAC returns an Access-Accept with the expected attributes.

Scope

FortiNAC, Huawei, Huawei S5731.

Solution

The first step in verifying the integration with a network device is to validate the credentials in the Model Configuration tab and to check that L2 polling (and optionally L3 polling) works as expected.

However, in some cases VLAN changes are expected to be performed through the RADIUS protocol. When the user authenticates successfully through 802.1x, FortiNAC, acting as the local RADIUS server, returns an Access-Accept containing RADIUS attributes and a VLAN value that indicates the new VLAN to be assigned to the port.

With Huawei (model S5731), there are cases where an Access-Accept is returned with all expected RADIUS attributes, but the VLAN does not change on the port.

This can happen depending on the configuration of the 'nas-port-format' parameter on the switch.

Example with a host connected to interface GigabitEthernet0/0/44 on a Huawei switch.

a) Port information collected from the FortiNAC CLI for the affected switch: dumpports -ip <Switch_IP>.

port[6] suffix = 50 Descrip = FortiLabSwitch GigabitEthernet0/0/44 attribute count = 21
DBID = YYY Port Type = 6
Name = FortiLabSwitch
Label = IF#44
Phys Address = YY:YY:YY:YY:YY:YY
IP Address = 10.10.10.1
Community Strings: TESTCOMM
Name = 1.3.6.1.2.1.2.2.1.1 value = 50
Name = 1.3.6.1.2.1.2.2.1.3 value = 6
Name = 1.3.6.1.2.1.2.2.1.6 value = YY:YY:YY:YY:YY:YY
Name = 1.3.6.1.2.1.2.2.1.7 value = 1
Name = 1.3.6.1.2.1.2.2.1.8 value = 2
Name = 1.3.6.1.2.1.2.2.1.2 value = GigabitEthernet0/0/44
Name = 1.3.6.1.2.1.2.2.1.22 value = 0.0
Name = 1.3.6.1.2.1.31.1.1.1.1 value = GigabitEthernet0/0/44
Name = 1.3.6.1.2.1.31.1.1.1.18 value =

b) Example of the Access-Request coming from the switch:

(264) Received Access-Request Id 155 from 10.10.10.1:56346 to 192.168.10.2:1812 length 483
(264) User-Name = "FortiLAB\\test"
(264) NAS-Port = 180326
(264) Service-Type = Framed-User
(264) Framed-Protocol = PPP
(264) Framed-IP-Address = X.X.X.X
(264) Calling-Station-Id = "GG:GG:GG:GG:GG:GG"
(264) NAS-Identifier = "FortiLabSwitch "
(264) NAS-Port-Type = Ethernet
(264) NAS-Port-Id = "slot=0;subslot=0;port=44;vlanid=X;interfaceName=GigabitEthernet0/0/44"

By design, FortiNAC expects the 'ifIndex' value in the authentication request. With a different 'nas-port-format', the Huawei switch sends the 'dot1dIndex' instead of the 'ifIndex', so FortiNAC interprets the port ID value incorrectly and cannot identify the port; as a result, the switch does not switch the VLAN. In the example above, the port's ifIndex is 50 (its suffix in the dumpports output), whereas the Access-Request carries NAS-Port 180326 and a NAS-Port-Id in the 'slot=...;port=44' format.

FortiNAC normally matches the ifIndex to the port suffix and thereby finds the correct port, GigabitEthernet0/0/44.
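
As an added diagnostic example (not part of this article or of FortiNAC itself), the Python below parses a dumpports record and RADIUS debug attributes in the format shown above and reports whether NAS-Port carries an ifIndex that matches a polled port, or whether only the interfaceName inside NAS-Port-Id identifies it. The sample data (including the second port and vlanid=10) and all function names are constructed for illustration.

```python
import re
# Constructed sample data, modelled on the dumpports and RADIUS debug output shown in this article.
DUMPPORTS_SAMPLE = """\
port[6] suffix = 50 Descrip = FortiLabSwitch GigabitEthernet0/0/44 attribute count = 21
Name = 1.3.6.1.2.1.2.2.1.2 value = GigabitEthernet0/0/44
port[7] suffix = 51 Descrip = FortiLabSwitch GigabitEthernet0/0/45 attribute count = 21
Name = 1.3.6.1.2.1.2.2.1.2 value = GigabitEthernet0/0/45
"""
REQUEST_SAMPLE = """\
(264) Received Access-Request Id 155 from 10.10.10.1:56346 to 192.168.10.2:1812 length 483
(264) NAS-Port = 180326
(264) NAS-Port-Type = Ethernet
(264) NAS-Port-Id = "slot=0;subslot=0;port=44;vlanid=10;interfaceName=GigabitEthernet0/0/44"
"""

def parse_dumpports(text):
    """Map each port's ifIndex (the 'suffix') to its ifName (OID 1.3.6.1.2.1.2.2.1.2)."""
    ports, suffix = {}, None
    for line in text.splitlines():
        m = re.match(r"port\[\d+\] suffix = (\d+)", line)
        if m:
            suffix = int(m.group(1))
            continue
        m = re.match(r"Name = 1\.3\.6\.1\.2\.1\.2\.2\.1\.2 value = (\S+)", line)
        if m and suffix is not None:
            ports[suffix] = m.group(1)
    return ports

def parse_access_request(text):
    """Collect 'Attribute = value' pairs from RADIUS debug lines, dropping the quotes."""
    attrs = {}
    for m in re.finditer(r'^\(\d+\) ([\w-]+) = "?([^"\n]*)"?$', text, re.M):
        attrs[m.group(1)] = m.group(2)
    return attrs

def parse_nas_port_id(value):
    """Split Huawei's 'key=value;key=value' NAS-Port-Id string into a dict."""
    return dict(p.split("=", 1) for p in value.split(";") if "=" in p)

def check_request(ports, attrs):
    """'ok' when NAS-Port is a polled ifIndex (what FortiNAC matches on); 'format-mismatch'
    when it is not but interfaceName in NAS-Port-Id names a polled port (this article's case)."""
    nas_port = int(attrs.get("NAS-Port", -1))
    if nas_port in ports:
        return "ok", ports[nas_port]
    name = parse_nas_port_id(attrs.get("NAS-Port-Id", "")).get("interfaceName")
    if name in ports.values():
        return "format-mismatch", name
    return "unknown", None
```

Feeding a real dumpports record and the Access-Request lines from the RADIUS debug into these functions shows at a glance whether the switch is sending a format FortiNAC can match on.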

1) There is currently no workaround in FortiNAC to interpret authentication requests that carry the 'dot1dIndex'.

2) The solution is to make the appropriate changes on the Huawei side by setting the parameters as below (this should be tested in the customer environment):

radius-server template test_group
radius-server nas-port-format old
radius-server nas-port-id-format old

calling-station-id mac-format hyphen-split mode2 uppercase
radius-server authentication <Server_IP> 1812 source ip-address X.X.X.X weight 80
radius-server authorization attribute-decode-sameastemplate
radius-server authorization calling-station-id decode-mac-format bin

radius-server authorization <Server_IP> shared-key XXXX server-group test_group

See this article for an alternative solution.

Related documentation:

Huawei Wireless Integration - FortiNAC documentation.

Technical Note: Configure Huawei Switch to support VOIP phone.

Technical Tip: Configure Huawei Switch RADIUS attribute NAS-Port-Id to be recognized by FortiNAC.