Description
This article describes how to troubleshoot a FortiSwitch that is not responding to Change of Authorization (CoA) requests from a secondary FortiNAC server in a High Availability (HA) setup.
Scope
FortiSwitch, FortiNAC.
Solution
In a FortiNAC HA deployment, the FortiSwitch responds to CoA requests from the primary FortiNAC but ignores requests from the secondary FortiNAC.
Current Configuration (Non-Working):
config user radius
    edit "FNAC_RADIUS"
        set acct-interim-interval 86400
        config acct-server
            edit 2
                set status enable
                set server "192.168.10.23" <-- Primary FortiNAC
                set secret ENC ...
            next
            edit 1
                set status enable
                set server "192.168.10.24" <-- Secondary FortiNAC
                set secret ENC ...
            next
        end
        set auth-type pap
        set nas-ip 192.168.11.254
        set radius-coa enable
        set secret ENC ...
        set server "192.168.10.24" <-- Secondary FortiNAC (listed first)
        set secondary-secret ENC ...
        set secondary-server "192.168.10.23" <-- Primary FortiNAC (listed second)
    next
end
Solution:
The issue lies in how the RADIUS servers and their secrets are defined. The current configuration places both FortiNAC servers in a single RADIUS entry (one as 'server', the other as 'secondary-server') and appears to prioritize the secondary FortiNAC by listing it as the primary 'server'. Instead, create a separate RADIUS entry for each FortiNAC server.
Corrected Configuration:
config user radius
    edit "radius" <----- Entry for Primary FortiNAC.
        set radius-coa enable
        set secret ENC ...
        set server "192.168.10.23"
    next
    edit "radius2" <----- Entry for Secondary FortiNAC.
        set radius-coa enable
        set secret ENC ...
        set server "192.168.10.24"
    next
end
By creating separate radius entries for each FortiNAC server, the FortiSwitch will correctly handle CoA requests from both the primary and secondary servers.
The 'secondary-secret' and 'secondary-server' settings are not needed when each FortiNAC server has its own RADIUS entry.
Make sure the secret in each entry matches the one configured on the corresponding FortiNAC server.
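As an added check (example code written for this article, not a Fortinet tool or part of the original KB), the following Python script parses a FortiSwitch 'config user radius' block and flags any entry that has 'radius-coa' enabled while defining both 'server' and 'secondary-server', which is the pattern the non-working configuration above shows. The two sample configurations embedded in the script are constructed from the article's non-working and corrected examples; the '<--' margin annotations are stripped before parsing, so a block pasted straight from this page can be checked as-is.

```python
"""Added example, not Fortinet code: lint a FortiSwitch 'config user radius'
block for the CoA pitfall in this article, a single RADIUS entry that names one
FortiNAC as 'server' and the other as 'secondary-server' while radius-coa is
enabled. Both config texts below are constructed from the article's examples."""
import re

NON_WORKING = """
config user radius
    edit "FNAC_RADIUS"
        config acct-server
            edit 2
                set server "192.168.10.23" <-- Primary FortiNAC
            next
            edit 1
                set server "192.168.10.24" <-- Secondary FortiNAC
            next
        end
        set radius-coa enable
        set secret ENC ...
        set server "192.168.10.24"
        set secondary-secret ENC ...
        set secondary-server "192.168.10.23"
    next
end
"""

CORRECTED = """
config user radius
    edit "radius"
        set radius-coa enable
        set secret ENC ...
        set server "192.168.10.23"
    next
    edit "radius2"
        set radius-coa enable
        set secret ENC ...
        set server "192.168.10.24"
    next
end
"""

ANNOTATION = re.compile(r"\s*<-.*$")  # the article's '<-- ...' margin notes


def _clean(text):
    """Drop margin annotations and blank lines; return stripped CLI lines."""
    stripped = (ANNOTATION.sub("", ln).strip() for ln in text.splitlines())
    return [ln for ln in stripped if ln]


def _parse_block(lines, i):
    """Parse 'config NAME ... end' starting at lines[i]; return (name,
    {entry_id: attrs}, index after 'end'). A config block nested inside an
    entry is stored in attrs under its own name (e.g. 'acct-server')."""
    name = lines[i].split(None, 1)[1]
    entries, i = {}, i + 1
    while i < len(lines):
        if lines[i] == "end":
            return name, entries, i + 1
        if lines[i].startswith("edit "):
            entry_id = lines[i].split(None, 1)[1].strip('"')
            attrs, i = {}, i + 1
            while i < len(lines) and lines[i] != "next":
                if lines[i].startswith("config "):
                    sub_name, sub_entries, i = _parse_block(lines, i)
                    attrs[sub_name] = sub_entries
                    continue
                if lines[i].startswith("set "):
                    key, _, value = lines[i][4:].partition(" ")
                    attrs[key] = value.strip('"')
                i += 1
            entries[entry_id] = attrs
        i += 1
    raise ValueError(f"unterminated block: config {name}")


def parse_user_radius(text):
    """Return {entry_name: attrs} for the 'config user radius' block in text."""
    name, entries, _ = _parse_block(_clean(text), 0)
    if name != "user radius":
        raise ValueError(f"expected 'config user radius', found 'config {name}'")
    return entries


def find_mixed_coa_entries(entries):
    """One finding per entry with radius-coa enabled that defines both 'server'
    and 'secondary-server'; a block with one entry per FortiNAC returns []."""
    findings = []
    for entry_id, attrs in entries.items():
        if attrs.get("radius-coa") == "enable" and "secondary-server" in attrs:
            findings.append(
                f'"{entry_id}": radius-coa enabled with server {attrs.get("server")} '
                f'and secondary-server {attrs["secondary-server"]}; '
                "define one 'user radius' entry per FortiNAC server"
            )
    return findings


if __name__ == "__main__":
    for label, text in (("non-working", NON_WORKING), ("corrected", CORRECTED)):
        findings = find_mixed_coa_entries(parse_user_radius(text))
        print(f"[{label}] {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it as-is to see one finding for the non-working block and none for the corrected one, or replace the sample text with the output of 'show user radius' from a switch. The parser keeps nested blocks such as 'config acct-server' reachable under the entry, so the same structure can be extended with further checks (for example, that every accounting server also has its own CoA-enabled entry).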