doncacciatoconsuting
Contributor

FNAC-F v7.2.8 not sending COA after policy match

I am hitting the correct NAC policy, which should send a COA to my FortiGate WiFi controller to change the VLAN. The Logical Network portion is working correctly. PCAPs on the gate and NAC are not showing any traffic being initiated.

Other policies are properly sending the COA. Are there any known bugs with 7.2?

Here are the final lines from the Policy Details debug log.

Looking up LogicalNetworkConfiguration for LogicalNetwork prod-wifi
Using SSID Name:root:corp_wifi, id: 439
Returning LogicalNetworkConfiguration: AccessConfiguration
- Task ID:[null]
- Network:[prod-wifi]
- Access Value:[VLAN_230]
- Access Action:[2]
- Alias:[false]
- Send Groups To Firewall:[false]
- RadiusAttributeGroupId:[1]
- Version:[11]
- Tags: []
- Firewall Groups: []

Don

Anthony_E
Community Manager

Hello Don,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
ndumaj
Staff

Hello @doncacciatoconsuting,

Enable the debugs:

exec enter-shell
nacdebug -name PolicyHelper true
nacdebug -name RadiusAccess true
nacdebug -name RadiusManager true
Device -ip <IPaddress> -setAttr -name DEBUG -value "ForwardingInterface TelnetServer" <-------- replace <IPaddress> with FGT IP

Reproduce the issue.
Search for "RadiusServer sendDisconnect" or "RadiusServer radiusCoA" sent for the FGT-FAP device, if any is initiated.

Does the host get the proper VLAN if you manually disconnect and connect to the network?

BR

- Happy to help, hit like and accept the solution -