Support Forum
Andizer

Fortiauthenticator COA

Hello,

we are going crazy over a problem.

Following situation:

We have a central WLC; all web portals and user authentication are managed by FortiAuthenticator.

This works fine, but as soon as the guest account expires, the CoA does not work:

"failed to send disconnect message to nas"

FortiAuthenticator sends the CoA to the access point, and a capture there has shown that the traffic also arrives,

but the WiFi guest user stays authenticated.

I would also have expected the CoA to be sent to the WLC.

 

We are grateful for any help or idea.

 

Thanks and best regards

xsilver_FTNT
Staff

Hello Andizer,

 

CoA is sent to the NAS that did the authentication towards the RADIUS service (FortiAuthenticator in your case).

The Access-Accept should contain a Termination-Action AVP with a value; in your case it should probably be "0" to terminate the session immediately. So check the captured packets for the RADIUS communication and its content.
If the CoA was sent from FortiAuthenticator and received on the NAS side, but the guest session was neither terminated nor re-authenticated (if Termination-Action is "1" instead of "0"), then the NAS might not be able to process CoA at all. Check the documentation of your NAS (WLC/AP) to see whether it is capable of handling CoA. Maybe CoA is just not enabled in your NAS configuration, so the received CoA message is simply ignored.

 

Quite nice example for wired and wireless with workflow diagrams is here:

https://docs.fortinet.com/document/fortigate/7.2.0/new-features/588173/radius-termination-action-avp...

 

 

From the FortiAuthenticator point of view, I think you have the guest users inside a user group with the type set to Guest, and a usage profile applied through the group to those users. So the time limit / expiration of the user account comes from those settings.

On RADIUS Service > Clients, where you have defined your NAS, you should have RADIUS accounting and disconnect handling (CoA) switched on (the default is off).

And your NAS must also be set to send accounting to FortiAuthenticator.

 

[Attachment: xsilver_FTNT_0-1651216732992.png]

 

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Andizer

Hello,

first of all thanks for your answer.

I also suspect that the access point (FortiAP 431F) simply cannot do anything with the CoA. The SSIDs run in bridged mode; could this be the problem? Otherwise I'll expand my post with a few logs and config insights.

WLC - SSID

[Attachment: Andizer_0-1651219037500.png]

 

Radius Config (On WLC)

[Attachment: Andizer_1-1651219182908.png]

 

Accounting Monitor Log (FAC)

04/29/2022 09:37:17 [452802304] FortiAuthenticator rad_accounting [1294] [DEBUG]: [RX] Packet source: 192.168.0.14:35753, code: 4, id: 6, length: 131
04/29/2022 09:37:17 [452802304] FortiAuthenticator rad_accounting [1294] [DEBUG]: [RX] Successfully queued request 6 from 192.168.0.14:35753
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [Worker 0] processing item from 192.168.0.14:35753, state: 1, type: 1
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [Worker 0] source type: 0
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: Acct-Status-Type (Vendor: 0, Attr id: 40), Value: "Start"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: User-Name (Vendor: 0, Attr id: 1), Value: "tim"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: NAS-IP-Address (Vendor: 0, Attr id: 4), Value: "10.100.69.130"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: Framed-IP-Address (Vendor: 0, Attr id: 8), Value: "172.16.2.15"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: NAS-Identifier (Vendor: 0, Attr id: 32), Value: "w14.669"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: Called-Station-Id (Vendor: 0, Attr id: 30), Value: "E8-ED-D6-E0-56-48:AS_Privat"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: Calling-Station-Id (Vendor: 0, Attr id: 31), Value: "CA-90-D9-B1-BE-C1"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: NAS-Port (Vendor: 0, Attr id: 5), Value: "2000"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: NAS-Port-Type (Vendor: 0, Attr id: 61), Value: "Wireless-802.11"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: Acct-Session-Id (Vendor: 0, Attr id: 44), Value: "626A7D44:00000011"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [INFO]: Created session: '626A7D44:00000011' for user 'tim'
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [Worker 0] generating response to request from 192.168.0.14:35753
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [Worker 0] successfully queued TX item 35753:6, state: 1, type: 1
04/29/2022 09:37:17 [453011200] FortiAuthenticator rad_accounting [1294] [DEBUG]: [TX] processing item with source 192.168.0.14:35753
04/29/2022 09:37:17 [453011200] FortiAuthenticator rad_accounting [1294] [DEBUG]: [TX] item state: 1, type: 1
04/29/2022 09:38:30 [453027200] FortiAuthenticator rad_accounting [1294] [DEBUG]: [Maintenance] Publish accounting state to file
04/29/2022 09:38:30 [453027200] FortiAuthenticator rad_accounting [1294] [INFO]: Updated accounting sessions file. Status = 0
04/29/2022 09:38:31 [453027200] FortiAuthenticator rad_accounting [1294] [DEBUG]: [Maintenance] Publish accounting state to file
04/29/2022 09:38:31 [453027200] FortiAuthenticator rad_accounting [1294] [INFO]: Updated accounting sessions file. Status = 0
04/29/2022 09:39:34 [453027200] FortiAuthenticator rad_accounting [1294] [DEBUG]: Add session 626A7D44:00000011 (user tim) to fixup list due to meet expiration date.
04/29/2022 09:40:04 [453027200] FortiAuthenticator rad_accounting [1294] [INFO]: Disabling user: 'tim' due to meeting expiration date
04/29/2022 09:40:11 [453027200] FortiAuthenticator rad_accounting [1294] [INFO]: Failed to send disconnect message to NAS
04/29/2022 09:40:11 [453027200] FortiAuthenticator rad_accounting [1294] [DEBUG]: [Maintenance] Save expired accounting sessions to DB
04/29/2022 09:40:11 [453027200] FortiAuthenticator rad_accounting [1294] [INFO]: Archived session: '626A7D44:00000011' for user 'tim'
04/29/2022 09:40:11 [453027200] FortiAuthenticator rad_accounting [1294] [INFO]: Archived 1 sessions (0 failed)

 

RADIUS accounting messages + Support RADIUS disconnect messages are active.

 

Thank you and best regards
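The reply above says the disconnect goes to the NAS that performed the authentication, identified by the attributes the server learnt from accounting, and the accounting log in the follow-up post shows exactly which attributes FortiAuthenticator holds for the session. The script below is an added example, not code from the thread or from Fortinet: it parses constructed log lines in the same format as the Accounting Monitor output, builds an RFC 5176 Disconnect-Request (code 40) keyed on User-Name, NAS-IP-Address, Framed-IP-Address, Calling-Station-Id and Acct-Session-Id, and checks the Disconnect-ACK/NAK authenticator on the way back. The shared secret, packet ID and the `make_disconnect_response` helper (what a CoA-capable NAS would answer) are assumptions for the demonstration; it sends nothing on the network.

```python
"""RFC 5176 Disconnect-Request built from FortiAuthenticator accounting debug lines.
Added example: parses constructed log lines, builds the CoA packet, verifies the reply."""
import hashlib
import ipaddress
import re
import struct

# Constructed sample, modelled on the Accounting Monitor lines quoted in the thread.
SAMPLE_LOG = """\
04/29/2022 09:37:17 [452802304] FortiAuthenticator rad_accounting [1294] [DEBUG]: [RX] Packet source: 192.168.0.14:35753, code: 4, id: 6, length: 131
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: Acct-Status-Type (Vendor: 0, Attr id: 40), Value: "Start"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: User-Name (Vendor: 0, Attr id: 1), Value: "tim"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: NAS-IP-Address (Vendor: 0, Attr id: 4), Value: "10.100.69.130"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: Framed-IP-Address (Vendor: 0, Attr id: 8), Value: "172.16.2.15"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: Calling-Station-Id (Vendor: 0, Attr id: 31), Value: "CA-90-D9-B1-BE-C1"
04/29/2022 09:37:17 [452941568] FortiAuthenticator rad_accounting [1294] [DEBUG]: [fn_rad] Attr: Acct-Session-Id (Vendor: 0, Attr id: 44), Value: "626A7D44:00000011"
"""

SOURCE_RE = re.compile(r"\[RX\] Packet source: (\d+\.\d+\.\d+\.\d+):(\d+)")
ATTR_RE = re.compile(r'Attr: ([\w-]+) \(Vendor: 0, Attr id: (\d+)\), Value: "([^"]*)"')

IP_ATTRS = {4, 8}  # NAS-IP-Address and Framed-IP-Address carry a 4-byte address, not text
SESSION_KEYS = ("User-Name", "NAS-IP-Address", "Framed-IP-Address",
                "Calling-Station-Id", "Acct-Session-Id")
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42


def parse_accounting_start(log_text):
    """Return (UDP source of the accounting packet, {attr name: (id, value)}) for a Start record."""
    source, attrs = None, {}
    for line in log_text.splitlines():
        m = SOURCE_RE.search(line)
        if m:
            source = m.group(1)
            continue
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group(1)] = (int(m.group(2)), m.group(3))
    if attrs.get("Acct-Status-Type", (0, ""))[1] != "Start":
        raise ValueError("no Accounting-Start record in log")
    return source, attrs


def coa_targets(source, attrs):
    """The two addresses a server could pick as CoA destination. In the sample they differ,
    so a capture on the wrong box can show the packet 'arriving' while the session survives."""
    return {"nas_ip_address": attrs["NAS-IP-Address"][1], "accounting_source": source}


def encode_attr(attr_id, value):
    """RADIUS TLV: type (1 octet), length (1 octet, including header), value."""
    payload = ipaddress.IPv4Address(value).packed if attr_id in IP_ATTRS else value.encode()
    if len(payload) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_id, 2 + len(payload)) + payload


def build_disconnect_request(secret, packet_id, attrs):
    """Disconnect-Request (code 40) identifying the session by the accounting attributes.
    Request Authenticator, RFC 5176 s.2.3: MD5(Code + ID + Length + 16 zero octets + Attrs + Secret)."""
    body = b"".join(encode_attr(*attrs[k]) for k in SESSION_KEYS if k in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, packet_id, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def make_disconnect_response(code, request, secret, body=b""):
    """What a CoA-capable NAS sends back (ACK 41 / NAK 42):
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_disconnect_response(response, request, secret):
    """Return the response code if ID and authenticator match our request, else None."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[0] if expected == response[4:20] else None


if __name__ == "__main__":
    src, session = parse_accounting_start(SAMPLE_LOG)
    print("CoA candidates:", coa_targets(src, session))
    req = build_disconnect_request(b"testing123", 7, session)  # assumed shared secret
    print("Disconnect-Request:", req.hex())
    ack = make_disconnect_response(DISCONNECT_ACK, req, b"testing123")
    print("NAS answered code", verify_disconnect_response(ack, req, b"testing123"))
```

Compare the Disconnect-Request this produces with what a packet capture between FortiAuthenticator and the NAS shows: same destination as the authenticating NAS, a Disconnect-ACK coming back, and a session that actually ends. A request that is delivered but never answered is the behaviour the reply above attributes to a NAS that does not process CoA at all.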
