FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
ebilcari
Staff
Article Id 278459
Description

A normal RADIUS response assigns the untagged VLAN for a port with the attribute 'Tunnel-Private-Group-Id'. In specific cases the RADIUS response should instead assign a tagged VLAN, for example for an IP phone that does not support Voice VLAN VSAs and is pre-configured with a tagged VLAN. This article describes how to configure FortiNAC to return a tagged VLAN in such cases.

Scope

Any supported version of FortiNAC.

Solution

There is a standardized way to implement this, defined in RFC 4675. The attribute is Egress-VLAN-Name (type 58) or Egress-VLANID (type 56). The Egress-VLAN-Name value consists of a one-character tag indication, which dictates whether frames on the VLAN are tagged or untagged, followed by the VLAN name.

This is also documented in the FortiSwitch Administration Guide. See the guide for instructions on how to use the Egress-VLAN-Name attribute, which is easier (more human readable) than using Egress-VLANID.

In FortiSwitch, this is achieved by adding the character '1' (the RFC 4675 tag indication for 'tagged') before the VLAN description. For example, if the description is 'Voice', the attribute should be configured with the string '1Voice'.
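As an added example, not from the article or from Fortinet, the following Python encodes and decodes the RFC 4675 egress attributes (Egress-VLAN-Name as used here, plus Egress-VLANID, which the article mentions but does not show) so the bytes a RADIUS server actually sends can be checked against what the switch expects. The attribute list REPLY is constructed to match the Access-Accept shown later in the article.

```python
import struct

# Attribute types: Tunnel-* from RFC 2868, Egress-* from RFC 4675
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, EGRESS_VLANID, EGRESS_VLAN_NAME = 64, 65, 56, 58
TAG_TAGGED, TAG_UNTAGGED = 0x31, 0x32  # RFC 4675 tag indication: ASCII '1' tagged, '2' untagged

def egress_vlan_name(name: str, tagged: bool) -> bytes:
    """Encode Egress-VLAN-Name (58): type, length, tag indication octet, VLAN name."""
    if not 1 <= len(name) <= 250:
        raise ValueError("VLAN name must fit in one RADIUS attribute")
    value = bytes([TAG_TAGGED if tagged else TAG_UNTAGGED]) + name.encode()
    return bytes([EGRESS_VLAN_NAME, 2 + len(value)]) + value

def egress_vlanid(vlan_id: int, tagged: bool) -> bytes:
    """Encode Egress-VLANID (56): tag indication in the top octet, 12-bit VLAN ID at the bottom."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    word = ((TAG_TAGGED if tagged else TAG_UNTAGGED) << 24) | vlan_id
    return bytes([EGRESS_VLANID, 6]) + struct.pack("!I", word)

def tunnel_attr(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Encode a tagged-integer attribute such as Tunnel-Type (64) or Tunnel-Medium-Type (65)."""
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")

def parse_attributes(data: bytes) -> list:
    """Walk a RADIUS attribute list; decode the VLAN-related attributes, keep the rest raw."""
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        v = data[i + 2:i + length]
        if t in (EGRESS_VLAN_NAME, EGRESS_VLANID):
            if v[0] not in (TAG_TAGGED, TAG_UNTAGGED):
                raise ValueError("invalid tag indication 0x%02x" % v[0])
            vlan = v[1:].decode() if t == EGRESS_VLAN_NAME else struct.unpack("!I", v)[0] & 0xFFF
            out.append(("Egress-VLAN-Name" if t == EGRESS_VLAN_NAME else "Egress-VLANID", v[0] == TAG_TAGGED, vlan))
        elif t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            name = "Tunnel-Type" if t == TUNNEL_TYPE else "Tunnel-Medium-Type"
            out.append((name, v[0], int.from_bytes(v[1:], "big")))  # (name, tag, integer value)
        else:
            out.append(("Attribute-%d" % t, v))
        i += length
    return out

# Constructed to match the Access-Accept on this page: Tunnel-Type=VLAN (13), '1Voice', Tunnel-Medium-Type=IEEE-802 (6)
REPLY = tunnel_attr(TUNNEL_TYPE, 13) + egress_vlan_name("Voice", tagged=True) + tunnel_attr(TUNNEL_MEDIUM_TYPE, 6)
```

The same parser applies to the attribute bytes that follow the 20-octet RADIUS packet header; REPLY's 20 bytes plus that header give the packet length of 40 seen in the capture.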

 

To achieve this, a new RADIUS attribute group needs to be created in FortiNAC:

[Screenshot: groupa.PNG]

Make sure that FortiNAC sends only this new set of attributes in the RADIUS reply. By default, FortiNAC will try to merge the default group attributes with the new attributes it finds in 'Additional RADIUS Attribute Group'.

[Screenshot: merge2.PNG]

The solution is to set the 'Default RADIUS Attribute Group' to None at the network device level and assign the attribute group manually (in this case, the manually created 'RFC_Vlan-FSW-T' group) to the logical network of the Voice VLAN.

[Screenshot: merge3.PNG]

The RADIUS response should look like this:

10:58:00.509417 IP (tos 0x0, ttl 64, id 48974, offset 0, flags [none], proto UDP (17), length 68)
    10.0.0.5.1812 > 192.168.1.102.43139: RADIUS, length: 40
    Access-Accept (2), id: 0x58, Authenticator: 450688f3a54b47a401007509fb7a88a8
      Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] VLAN
      Egress-VLAN-Name Attribute (58), length: 8, Value: Tagged (0x31) Voice
      Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802

The authentication session on the FortiSwitch should look like this:

port4 : Mode: mac-based (mac-by-pass enable)
Link: Link up
Port State: authorized: ( )
Dynamic Allowed Vlan list: 540
Dynamic Untagged Vlan list:
EAP pass-through : Enable
Auth Order : MAB-dot1x
Auth Priority : Legacy
EAP egress-frame-tagged : Enable
EAP auto-untagged-vlans : Enable
Allow MAC Move From : Disable
Dynamic Access Control List : Disable
Quarantine VLAN (4093) detection : Enable
Native Vlan : 512
Allowed Vlan list: 512,540,4093
Untagged Vlan list: 512,4093
Guest VLAN :
Auth-Fail Vlan :
AuthServer-Timeout Vlan :

Switch sessions 1/80, Local port sessions:1/20
Client MAC Type Traffic-Vlan Dynamic-Vlan
80:5e:c0:d6:6f:39 MAB 540 540

Sessions info:
80:5e:c0:d6:6f:39 Type=MAB,,state=AUTHENTICATED,etime=12,eap_cnt=0 params:reAuth=3600
user="80-5E-C0-D6-6F-39",security_grp="FNAC-Radius",fortinet_grp=""


The VLAN config:

config switch vlan
    edit 540
        set description "Voice"