Dear team,
I noticed that Cisco Switch are not accept Radius CoA/Disconnect Message from FortiNAC-F 7.4. I'm not sure if we need to have any customer RADIUS Attribute to pass to the Cisco Switch. I would like to share debug of pcap and Switch here.
Anyone who has experience this issue, Please kindly share
Note: RFC5176 Mode: system defined and Switch is configured CoA Port 3799
Thank You
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Lyyiheang,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
It is now working when i add command aaa nas port extended.
Thank Everyone for help
Mac auth is not going to continue being viable much longer, if it could be said to be even viable at all now. All mobile devices sold within the last few years have the ability to use virtual mac addresses at the flip of a switch and I expect desktop operating systems will begin offering this as a standard feature as well. It's possible to do on basically any OS currently but not built in https://mobdro.bio/ .
Hello Lyyiheang,
checking the CoA NAK response it complains about the session identifier.
For this you can use either "User Name" or the "Calling-station-ID".
Additionally i see you are adding in the CoA message itself the Access list attributes. This is not correct. In the CoA message you need to add an action such as bouncing the port or re-authentication. Then you add the Access lists in the Radius response (Accept-Accept) once the host re-authenticates.
This article provides you with the example when FortiSwitch is acting as NAS:
For FortiSwitch we use the Fortinet proprietary arrtibute
Fortinet-Host-Port-AVPair |
action=reauth-port |
In your case of Cisco you can try any the following:
Command |
Cisco VSA |
---|---|
Bounce host port |
Cisco:Avpair=“subscriber:command=bounce-host-port” |
Disable host port |
Cisco:Avpair=“subscriber:command=disable-host-port” |
Reauthenticate host |
Cisco:Avpair=“subscriber:command=reauthenticate” |
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1570 | |
1034 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.