FortiSwitch: secure, simple and scalable Ethernet solutions
jballini
Staff
Article Id 344860
Description

This article describes the issue where dynamically assigned VLANs are not applied when Ivanti is used as the RADIUS server.
Scope

FortiSwitch does not place the port the user is connected to in the correct VLAN ID, although the configuration is correct and the Ivanti logs show that the user was authenticated successfully and assigned the correct VLAN.

Solution

Once 802.1X is configured, test with the user and check the port status on the FortiSwitch. In the output below, the session is AUTHENTICATED but 'Dynamic Authorized Vlan' stays at 0, so the port remains in its native VLAN 1.

FortiSwitch # diagnose switch 802-1x status

   port16: Mode: port-based (mac-by-pass disable)
           Link: Link up
           Port State: authorized: (  )
           Dynamic Authorized Vlan : 0
           EAP pass-through : Enable
           EAP auto-untagged-vlans : Enable
           Quarantine VLAN (4093) detection : Enable
           Native Vlan : 1
           Allowed Vlan list: 1
           Untagged Vlan list:
           Guest VLAN :
           Auth-Fail Vlan :
           AuthServer-Timeout Vlan :

           Sessions info:
           xx:xx:xx:xx:xx:xx     Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=12 params:reAuth=3600

 

In addition to the FortiSwitch output, a packet capture taken on the FortiGate shows that Ivanti sends the VLAN information in the Tunnel-Private-Group-ID attribute with a trailing null byte, as '<vlan-id>\000' or '<vlan-name>\000'. FortiSwitch does not accept a VLAN ID or name terminated this way, so no dynamic VLAN is applied. A sample is shown below.

[Screenshot: Attribute Value Pairs.png]
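The following is an added example, not part of the original article or of any Fortinet or Ivanti code. It builds two constructed RADIUS Access-Accept packets, one carrying Tunnel-Private-Group-ID as '201\000' (the value Ivanti sends by default) and one carrying '201' (the value after the dictionary is changed to stringnz), parses the tunnel attributes per RFC 2868 and applies the strict VLAN check a switch would apply. It lets an administrator confirm from captured bytes whether the trailing null is the cause. The packet builder, the zeroed authenticator and the VLAN values are constructed for the demonstration.

```python
import struct

# RADIUS constants (RFC 2865 / RFC 2868)
RADIUS_ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6       # Tunnel-Medium-Type = IEEE 802


def build_avp(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_accept(group_id, identifier=1):
    """Constructed Access-Accept carrying the three tunnel attributes with tag 1.
    The authenticator is zeroed here; a real server derives it from the shared secret."""
    avps = (
        build_avp(TUNNEL_TYPE, b"\x01" + struct.pack(">I", TUNNEL_TYPE_VLAN)[1:])
        + build_avp(TUNNEL_MEDIUM_TYPE, b"\x01" + struct.pack(">I", TUNNEL_MEDIUM_802)[1:])
        + build_avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + group_id)
    )
    authenticator = bytes(16)
    header = struct.pack(">BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(avps))
    return header + authenticator + avps


def parse_avps(packet):
    """Return (code, [(type, value), ...]) and reject malformed lengths."""
    code, _identifier, length = struct.unpack(">BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    avps, offset = [], 20
    while offset < length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("malformed attribute")
        avps.append((attr_type, packet[offset + 2:offset + attr_len]))
        offset += attr_len
    return code, avps


def strip_tag(value):
    """RFC 2868: a leading octet in 0x00..0x1F is a tag, anything larger is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def decode_dynamic_vlan(packet):
    """Decode the dynamic VLAN assignment the way a strict NAS would.
    'vlan' is an int for a numeric ID, a str for a VLAN name, or None when
    the value is unusable; 'trailing_nul' flags the Ivanti default encoding."""
    _code, avps = parse_avps(packet)
    result = {"tunnel_type": None, "medium": None, "raw": None,
              "trailing_nul": False, "vlan": None}
    for attr_type, value in avps:
        _tag, data = strip_tag(value)
        if attr_type == TUNNEL_TYPE:
            result["tunnel_type"] = int.from_bytes(data, "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            result["medium"] = int.from_bytes(data, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            result["raw"] = data
            result["trailing_nul"] = data.endswith(b"\x00")
    if (result["tunnel_type"] != TUNNEL_TYPE_VLAN
            or result["medium"] != TUNNEL_MEDIUM_802
            or result["raw"] is None):
        return result
    text = result["raw"].decode("ascii", errors="replace")
    # Strict check: a numeric ID must be digits only and in 1..4094; a name must be printable.
    # A trailing \x00 fails both tests, which is why the port stays in its native VLAN.
    if text.isdigit():
        vid = int(text)
        if 1 <= vid <= 4094:
            result["vlan"] = vid
    elif text.isprintable():
        result["vlan"] = text
    return result


if __name__ == "__main__":
    for label, value in (("Ivanti default", b"201\x00"), ("after stringnz fix", b"201")):
        r = decode_dynamic_vlan(build_access_accept(value))
        print(f"{label}: raw={r['raw']!r} trailing_nul={r['trailing_nul']} vlan={r['vlan']}")
```

Running the script shows the default encoding decoding to vlan=None with trailing_nul=True, while the stringnz form decodes to vlan=201. To check a real capture, pass the UDP payload of the Access-Accept to decode_dynamic_vlan instead of the constructed packet.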

Resolution:

  1. On Ivanti, go to Endpoint Policy -> Network Access -> Radius Dictionary, select radius.dct, then select the radius.dct link next to 'Current Dictionary file' and export the file to the PC.

     [Screenshot: radius.png]

  2. Open the downloaded file in Notepad or Notepad++, search for the Tunnel-Private-Group-ID line, change the default data type parameter to [data=stringnz] so the value is sent without the trailing null, and save the file under the new name fortiswitch.dct.

     [Screenshot: More Tunnel Attributes.png]

  3. Select New Radius Dictionary from Endpoint Policy -> Network Access -> Radius Dictionary, create a new dictionary named fortiswitch.dct, select the Browse button, import the file edited in step 2, and save the changes.

     [Screenshot: New radius dictionary.png]

  4. Create a New Radius Vendor from Endpoint Policy -> Network Access -> Radius Vendor named FortiSwitch, choose fortiswitch.dct as the Dictionary, and save the changes.

     [Screenshot: Radius Vendor.png]

  5. Assign the Radius Vendor Profile to the Radius Client FortiSwitch under Endpoint Policy -> Network Access -> Radius Client -> {FortiSwitch-Name}.

     [Screenshot: Radius Client.png]

Result:

After the change, the same command shows the port placed in the dynamically assigned VLAN (201 in this example):

FortiSwitch # diagnose switch 802-1x status

   port16: Mode: port-based (mac-by-pass disable)
           Link: Link up
           Port State: authorized: (  )
           Dynamic Authorized Vlan : 201
           EAP pass-through : Enable
           EAP auto-untagged-vlans : Enable
           Quarantine VLAN (4093) detection : Enable
           Native Vlan : 201
           Allowed Vlan list: 201
           Untagged Vlan list:
           Guest VLAN :
           Auth-Fail Vlan :
           AuthServer-Timeout Vlan :
           Sessions info:
           xx:xx:xx:xx:xx:xx     Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=12 params:reAuth=3600

[Screenshot: Attribute Value Pairs.png]