FortiSwitch
mkpotlapelli
Staff
Article Id 192126

Description

 

This article describes troubleshooting steps for the case where FortiSwitch does not move the client to the dynamically assigned VLAN, although the configuration is correct and ClearPass is sending the VLAN ID in the RADIUS return attributes.

Fortinet documentation:
https://docs.fortinet.com/product/fortiswitch/6.4

FortiSwitchOS Administration Guide, Standalone Mode, page 255, 'Dynamic VLAN assignment'.

 

Scope

 

FortiSwitch.

Solution


Refer to the documentation and configure RADIUS authentication with dynamic VLAN assignment.

 

  • Once 802.1X is configured, test with a client and check the port status:

 

diagnose switch 802-1x status

   port47: Mode: port-based (mac-by-pass disable)
           Link: Link up
           Port State: authorized: (  )
           Dynamic Authorized Vlan : 0
           EAP pass-through mode : Enable
           Quarantine VLAN (4093) detection : Enable
           Native Vlan : 1
           Allowed Vlan list:
           Untagged Vlan list: 4093
           Guest VLAN :
           Auth-Fail Vlan :

           Sessions info:
           c8:5b:76:ef:65:c7     Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=9 params:reAuth=3600

 

The client is successfully authenticated, but Dynamic Authorized VLAN shows 0, although the ClearPass RADIUS server is sending the dynamically assigned VLAN in the RADIUS Access-Accept message.

Resolution:

  1. On the ClearPass server, export the attributes file (RadiusDictionary.xml) from Administration > Dictionaries > Radius > IETF.
  2. In the three attributes below, replace extraData="has_tag" at the end of each line with extraData=" " and save the file.


Tunnel-Private-Group-Id
Tunnel-Type
Tunnel-Medium-Type

For example, the exported entries look like this:

=================================================================================================================
<Attribute profile="in out" type="String" name="Tunnel-Private-Group-Id" id="81" extraData="has_tag"/>
<Attribute profile="in out" type="Unsigned32" name="Tunnel-Type" id="64" extraData="has_tag"/>
<Attribute profile="in out" type="Unsigned32" name="Tunnel-Medium-Type" id="65" extraData="has_tag"/>

At the end of each line, replace extraData="has_tag" with extraData=" ":

<Attribute profile="in out" type="String" name="Tunnel-Private-Group-Id" id="81" extraData=" "/>
<Attribute profile="in out" type="Unsigned32" name="Tunnel-Type" id="64" extraData=" "/>
<Attribute profile="in out" type="Unsigned32" name="Tunnel-Medium-Type" id="65" extraData=" "/>
=================================================================================================================

 

  3. Upload the modified attributes file (RadiusDictionary.xml) to ClearPass and re-test the client.
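To apply step 2 reproducibly on an exported dictionary, the following Python script (an added example, not Fortinet's or ClearPass's own tooling) rewrites only the three tunnel attributes and then parses the result to confirm that each of them is no longer flagged has_tag. The sample dictionary is constructed; the root element name and the extra User-Name entry are assumptions, a real export contains many more attributes.

```python
import re
from typing import Dict, List, Tuple
import xml.etree.ElementTree as ET

# The three attributes named in the article; ids are the IETF RADIUS attribute numbers.
TUNNEL_ATTRIBUTES = {
    "Tunnel-Private-Group-Id": "81",
    "Tunnel-Type": "64",
    "Tunnel-Medium-Type": "65",
}

# Constructed sample export (root element and the User-Name entry are assumptions).
SAMPLE_DICTIONARY = """<?xml version="1.0"?>
<RadiusDictionary>
<Attribute profile="in out" type="String" name="User-Name" id="1" extraData=""/>
<Attribute profile="in out" type="String" name="Tunnel-Private-Group-Id" id="81" extraData="has_tag"/>
<Attribute profile="in out" type="Unsigned32" name="Tunnel-Type" id="64" extraData="has_tag"/>
<Attribute profile="in out" type="Unsigned32" name="Tunnel-Medium-Type" id="65" extraData="has_tag"/>
</RadiusDictionary>
"""

def strip_tunnel_tags(xml_text: str) -> Tuple[str, List[str]]:
    """Return (rewritten XML, names changed). Works line by line so that every
    line other than the three tunnel attributes is copied back untouched."""
    changed, out = [], []
    for line in xml_text.splitlines(keepends=True):
        m = re.search(r'<Attribute\b[^>]*\bname="([^"]+)"', line)
        if m and m.group(1) in TUNNEL_ATTRIBUTES and 'extraData="has_tag"' in line:
            line = line.replace('extraData="has_tag"', 'extraData=" "')  # the step-2 edit
            changed.append(m.group(1))
        out.append(line)
    return "".join(out), changed

def tunnel_tag_state(xml_text: str) -> Dict[str, str]:
    """Parse the dictionary and report extraData for each tunnel attribute,
    rejecting a file whose ids do not match the IETF attribute numbers."""
    state = {}
    for el in ET.fromstring(xml_text).iter("Attribute"):
        name = el.get("name")
        if name in TUNNEL_ATTRIBUTES:
            if el.get("id") != TUNNEL_ATTRIBUTES[name]:
                raise ValueError(f"unexpected id for {name}: {el.get('id')}")
            state[name] = el.get("extraData")
    return state

if __name__ == "__main__":
    fixed, names = strip_tunnel_tags(SAMPLE_DICTIONARY)
    print("changed:", names, "->", tunnel_tag_state(fixed))
```

Run it against the real export by reading the file into strip_tunnel_tags and writing the first return value back out; an empty changed list means the file had already been edited.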

     

The Dynamic Authorized VLAN is now pushed correctly and the client is moved to the assigned VLAN:

 

diag switch 802-1x status

port47: Mode: port-based (mac-by-pass disable)
Link: Link up
Port State: authorized: ( )
Dynamic Authorized Vlan : 99
EAP pass-through mode : Enable
Quarantine VLAN (4093) detection : Enable
Native Vlan : 99
Allowed Vlan list:
Untagged Vlan list: 4093
Guest VLAN :
Auth-Fail Vlan :

Sessions info:
c8:5b:76:ef:65:c7 Type=802.1x,TLS,state=AUTHENTICATED,etime=4,eap_cnt=9 params:reAuth=3600

 

Note: Verify that the following settings are configured.

 

Configure the NAS IP as the IP of the FortiGate system interface that points towards the RADIUS server, and allow radius-acct on the interfaces:

 

In the FortiGate CLI:


config switch-controller security-policy local-access
    edit "default"
        set mgmt-allowaccess https ping ssh
        set internal-allowaccess https ping ssh radius-acct <--- Add radius-acct.
    next
end

 

In the FortiSwitch CLI:

 

config system interface
    edit "internal"
        set mode dhcp
        set allowaccess ping https ssh radius-acct <--- Add radius-acct.
        set type physical
    next
end