Description | This article describes how to find the correct RADIUS Attribute values stored by FortiNAC and create a 'User Host Profile' by using the correct RADIUS Attribute values. |
Scope | FortiNAC, FortiNAC-F. |
Solution |
When FortiNAC receives a RADIUS Request, it stores the RADIUS Attributes that come with the request. However, when well-known RADIUS Attributes arrive in the request as strings, FortiNAC stores them in its database as integers during the post-authentication process.
As seen below, FortiNAC receives the 'NAS-Port-Type' and 'Service-Type' attributes in the RADIUS Request as strings.

radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) User-Name = "host/test1.fnac.lab"
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) NAS-IP-Address = 192.168.0.254
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) NAS-Identifier = "10.0.11.2/5246-firuze"
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) Called-Station-Id = "04-D5-90-88-07-C0:mab"
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) NAS-Port-Type = Wireless-802.11
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) Service-Type = Framed-User
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) NAS-Port = 1
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) Fortinet-SSID = "mab"
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) Fortinet-AP-Name = "FP421ETF19028850"
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) Calling-Station-Id = "6C-88-14-A1-D7-D0"
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) Connect-Info = "CONNECT 0/0Mbps(Tx/Rx) 11N_2G"
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) Acct-Session-Id = "676EC1040000005B"
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) Acct-Multi-Session-Id = "E202188748C81D39"
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) WLAN-Pairwise-Cipher = 1027076
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) WLAN-Group-Cipher = 1027076
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) WLAN-AKM-Suite = 1027073
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) Framed-MTU = 1400
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) EAP-Message = 0x021b00060d00
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) State = 0x848c1d4d8197100853864a710aa88bd3
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) Message-Authenticator = 0xa9a7397c7b66eb411d1c7ec63d36ff6a

However, during the post-authentication process, FortiNAC stores these attributes in its database as integers, based on the tables below.
To confirm or find the RADIUS Attribute values stored in FortiNAC, go to 'Users & Hosts -> Endpoint Fingerprints', right-click the RADIUS Fingerprint, and select 'Show Attributes'.
The 'User Host Profile' should be created using the integer values that FortiNAC displays in the RADIUS Fingerprint, as shown below. If it is configured with the string values that come with the RADIUS Request, the 'User Host Profile' will not match the host.
|
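To anticipate the integers before checking 'Show Attributes', the following added example (not part of the original article and not Fortinet code) parses radius.log debug lines and translates the two enumerated attributes using the standard RFC 2865 values. It assumes FortiNAC's stored integers match those standard values; the function names and the request 551 lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Standard RADIUS enumerations (RFC 2865 / IANA), FreeRADIUS dictionary names.
# Assumption: FortiNAC stores these standard integers; confirm in 'Show Attributes'.
ENUMS = {
    "NAS-Port-Type": {"Async": 0, "Virtual": 5, "Ethernet": 15,
                      "Wireless-Other": 18, "Wireless-802.11": 19},
    "Service-Type": {"Login-User": 1, "Framed-User": 2, "Outbound-User": 5,
                     "Administrative-User": 6, "NAS-Prompt-User": 7,
                     "Authenticate-Only": 8, "Call-Check": 10},
}
# Matches '... Debug: (550) NAS-Port-Type = Wireless-802.11'
LINE = re.compile(r"Debug: \((\d+)\)\s+([A-Za-z0-9-]+) = (.+?)\s*$")

def parse_requests(lines):
    """Group 'Attribute = value' debug lines by the request number in parentheses."""
    requests = defaultdict(dict)
    for line in lines:
        m = LINE.search(line)
        if m:
            req, attr, value = m.groups()
            requests[int(req)][attr] = value.strip('"')
    return dict(requests)

def profile_values(attrs):
    """Map each enumerated attribute to (logged string, integer for the profile)."""
    out = {}
    for attr, table in ENUMS.items():
        if attr in attrs:
            logged = attrs[attr]
            # Unknown names yield None: read the value from 'Show Attributes' instead.
            out[attr] = (logged, int(logged) if logged.isdigit() else table.get(logged))
    return out

# Request 550 lines are from the excerpt above; request 551 is constructed.
SAMPLE = """\
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) User-Name = "host/test1.fnac.lab"
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) NAS-Port-Type = Wireless-802.11
radius.log-20250102-091912-Fri Dec 27 18:59:03 2024 : Debug: (550) Service-Type = Framed-User
radius.log-20250102-091912-Fri Dec 27 18:59:04 2024 : Debug: (551) NAS-Port-Type = Vendor-Custom
radius.log-20250102-091912-Fri Dec 27 18:59:04 2024 : Debug: (551) Service-Type = 10
"""

if __name__ == "__main__":
    for req, attrs in parse_requests(SAMPLE.splitlines()).items():
        for attr, (logged, value) in profile_values(attrs).items():
            print(f"({req}) {attr}: logged {logged!r} -> use {value}")
```

A result of `None` means the logged name is not in the embedded subset, so the value must be read from the RADIUS Fingerprint rather than inferred.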