FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1
Staff
Article Id 214335
Description This article describes how to troubleshoot guest captive portal authentication with wireless.
Scope FortiNAC.
Solution

Enable the following debug commands on FortiNAC before troubleshooting:


> nacdebug -name RadiusAccess true
> nacdebug -name RadiusManager true

Troubleshoot guest authentication to the captive portal page:

1) The user receives the Isolation VLAN upon the initial connection to the guest SSID:


yams.RadiusAccess.12:34:56:78:9A:BC.RadiusAccessEngine FINE :: 2021-08-17  12:38:18:212 :: #2296 :: [Post-Auth] Returns: [Access-Accept]
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17  12:38:18:212 :: #2296 :: [Access-Accept] Post-Auth Response (3 RadAttrs):


2) After the guest credentials are submitted, no RADIUS packet (CoA or Access-Request) is sent or received.

3) After the guest user receives the validated Contact Details page and selects 'OK', a RADIUS Access-Request and Access-Accept are seen, together with a Disconnect-Request sent by FortiNAC:

This leads the FortiAP to disconnect the session, which causes a new authentication request to be sent on behalf of the user machine.

A MAB authentication Access-Request is then sent from the FortiAP to FortiNAC.

The user machine is not responsible for the new authentication request, but the client should detect that it has been disconnected and reconnect to the SSID (this happens automatically).

A new Access-Request is sent for MAB by the FortiAP:


--------------------------------------------------------------------------------------
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17  12:40:36:481 :: #3468 :: [Access-Request] Authenticate Request (12 RadAttrs):
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17  12:40:36:481 :: #3467 :: -- Fortinet-AP-Name = [FAP] (RadAttr Type=string)
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17  12:40:36:481 :: #3467 :: -- User-Name = [12-34-56-78-9A-BC ] (RadAttr Type=string)
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17  12:40:36:481 :: #3467 :: -- User-Password = [***] (RadAttr Type=User-Password)

 

FortiNAC sends the Access-Accept including the Guest VLAN:


-----------------------------------------------------------------------------
yams.RadiusAccess.12:34:56:78:9A:BC.RadiusAccessEngine FINE :: 2021-08-17  12:40:36:481 :: #3467 :: [Post-Auth] Returns: [Access-Accept]
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17  12:40:36:481 :: #3467 :: [Access-Accept] Post-Auth Response (3 RadAttrs):
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17  12:40:36:481:: #3467 :: -- Tunnel-Medium-Type = [IEEE-802] (RadAttr)
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17  12:40:36:481:: #3467 :: -- Tunnel-Private-Group-Id = [12] (RadAttr)
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17  12:40:36:481 :: #3467 :: -- Tunnel-Type = [VLAN] (RadAttr)


A Disconnect-Request and Disconnect-ACK are seen after the Access-Accept:


yams.RadiusManager INFO :: 2021-08-17  12:40:38:481 :: #298 :: ClearSessThread2 Disconnect request to 10.11.28.254 for 12:34:56:78:9A:BC succeeded


4) The FortiGate, acting as the wireless controller (WLC), receives the RADIUS attributes in the Access-Accept and changes the VLAN on the FortiAP.
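As an added example (not from this article or from Fortinet), a small Python checker that walks nacdebug output for one client MAC and reports which step of the sequence above is missing. The line patterns follow the RadiusAccess and RadiusManager excerpts quoted in this article; the sample lines are constructed, and the second client (MAC, VLAN 99) is invented to show a failing flow.

```python
import re
# Patterns for the nacdebug RadiusAccess / RadiusManager line formats quoted in this article.
MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
ACCESS_REQ = re.compile(rf"yams\.RadiusAccess\.{MAC} .*\[Access-Request\] Authenticate Request")
POST_AUTH = re.compile(rf"yams\.RadiusAccess\.{MAC}\.RadiusAccessEngine .*\[Post-Auth\] Returns: \[(?P<result>[^\]]+)\]")
RAD_ATTR = re.compile(rf"yams\.RadiusAccess\.{MAC} .*-- (?P<name>[\w-]+) = \[(?P<value>[^\]]*)\]")
DISCONNECT = re.compile(rf"yams\.RadiusManager .*Disconnect request to \S+ for {MAC} (?P<status>succeeded|failed)")

def check_guest_flow(lines, mac, guest_vlan):
    """Return (ok, findings): which step of portal -> disconnect -> MAB re-auth -> guest VLAN is missing."""
    requests = accepts = 0
    vlan, disconnected = None, False
    for line in lines:
        for pat in (ACCESS_REQ, POST_AUTH, RAD_ATTR, DISCONNECT):
            m = pat.search(line)
            if m and m["mac"].upper() == mac.upper():
                break
        else:
            continue  # line belongs to another client or is an unrelated message
        if pat is ACCESS_REQ:
            requests += 1
        elif pat is POST_AUTH and m["result"] == "Access-Accept":
            accepts += 1
        elif pat is RAD_ATTR and m["name"] == "Tunnel-Private-Group-Id":
            vlan = m["value"].strip()  # VLAN id FortiNAC pushed in the Access-Accept
        elif pat is DISCONNECT and m["status"] == "succeeded":
            disconnected = True
    findings = []
    if requests == 0:
        findings.append("no Access-Request from the AP: the client never (re)authenticated")
    if accepts == 0:
        findings.append("no Access-Accept returned by FortiNAC")
    elif vlan is None:
        findings.append("Access-Accept carries no Tunnel-Private-Group-Id, so no VLAN change")
    elif vlan != str(guest_vlan):
        findings.append(f"client placed in VLAN {vlan}, expected guest VLAN {guest_vlan}")
    if not disconnected:
        findings.append("no successful Disconnect-Request: the AP will not force a new MAB request")
    return not findings, findings

# Constructed sample modelled on the excerpts above (not a real capture); the second client is broken.
SAMPLE = """\
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17  12:40:36:481 :: #3468 :: [Access-Request] Authenticate Request (12 RadAttrs):
yams.RadiusAccess.12:34:56:78:9A:BC.RadiusAccessEngine FINE :: 2021-08-17  12:40:36:481 :: #3467 :: [Post-Auth] Returns: [Access-Accept]
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17  12:40:36:481 :: #3467 :: -- Tunnel-Private-Group-Id = [12] (RadAttr)
yams.RadiusManager INFO :: 2021-08-17  12:40:38:481 :: #298 :: ClearSessThread2 Disconnect request to 10.11.28.254 for 12:34:56:78:9A:BC succeeded
yams.RadiusAccess.AA:BB:CC:DD:EE:01.RadiusAccessEngine FINE :: 2021-08-17  12:41:00:000 :: #3500 :: [Post-Auth] Returns: [Access-Accept]
yams.RadiusAccess.AA:BB:CC:DD:EE:01 CONFIG :: 2021-08-17  12:41:00:000 :: #3500 :: -- Tunnel-Private-Group-Id = [99] (RadAttr)
""".splitlines()
```

Run it against the real nacdebug output by reading the file into `lines` and passing the client MAC and the guest VLAN id configured on the WLC.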

Some iOS devices will not receive an IP address from the guest VLAN after authentication, because these devices do not initiate a new DHCP request toward the production DHCP server that provides addresses to guest devices.

In that case, set the registration lease time in FortiNAC's configuration wizard to a low value, such as 3 minutes.
