FortiAP CoA with Aruba ClearPass
I have a ClearPass setup with Fortinet products (FortiGate, FortiSwitch, and FortiAP). The goal is to configure wired and wireless authentication with OnGuard health check. Wired authentication with health check is successful, with the whole flow being as follows:
- User is not connected to internet. User has OnGuard installed on Windows PC. User health status is unknown. User connects to ethernet cable and gets authenticated initially but as UNKNOWN health, thus the enforcement policy enforces the UNKNOWN VLAN profile.
- Agent gets connected to ClearPass OnGuard when in UNKNOWN VLAN and performs the health check required. User in this example is healthy. Thus it will send to the ClearPass that the user is healthy. The health check policy is hit and it enforces a CoA bounce port message to the FortiSwitch port the user is connected to.
- The user gets disconnected for a few seconds then reconnects with the new information that the PC is healthy, thus it gets its IP from the HEALTHY VLAN.
We want to replicate this process but for wireless authentication for the FortiAP with health check, but the automatic CoA message is not disconnecting the user. Change of authorization is greyed out when attempting to change status after authentication.
I have tried the ArubaOS wireless attributes and there are no ports or anything blocked on the firewall and there are no ACLs or any restriction.
What can I do to solve this problem or troubleshoot it more?
Best Regards,
Ali Serhan
The difference between FortiAP and FortiSW is that FortiAP RADIUS communication is handled by the FGT as WLC and not directly by the FAP. Take a look at this article Step 5 c. to troubleshoot further.
If you have found a solution, please like and accept it to make it easily accessible for others.
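
For troubleshooting along the lines of the reply above, a captured CoA/Disconnect exchange between ClearPass and the RADIUS client (per the reply, the FortiGate) can be checked offline against RFC 5176: whether the authenticators match the shared secret, and which Error-Cause a NAK carries. This is an added example, not part of the original thread or any vendor tool; the secret, user name, MAC and IP address are constructed sample values.

```python
import hashlib
import struct

# RFC 5176 packet codes and selected Error-Cause (attribute 101) values.
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute",
               403: "NAS Identification Mismatch", 404: "Invalid Request",
               503: "Session Context Not Found", 506: "Resources Unavailable"}

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def build(code, ident, prev_auth, attrs, secret):
    """Requests pass 16 zero bytes as prev_auth; replies pass the Request Authenticator."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + prev_auth + attrs + secret).digest() + attrs

def parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs, packet[20:length]

def check_exchange(request, reply, secret):
    """Classify a captured request/reply pair; returns (verdict, detail)."""
    rcode, rid, rauth, _, rbody = parse(request)
    if hashlib.md5(request[:4] + bytes(16) + rbody + secret).digest() != rauth:
        return "bad-request-authenticator", "secret mismatch or altered packet; NAS discards it"
    code, ident, auth, attrs, body = parse(reply)
    if ident != rid:
        return "id-mismatch", "reply belongs to another request"
    if hashlib.md5(reply[:4] + rauth + body + secret).digest() != auth:
        return "bad-reply-authenticator", "reply not generated with this secret"
    if code in (42, 45):  # NAK: the Error-Cause says why the NAS refused
        cause = next((struct.unpack("!I", v)[0] for t, v in attrs if t == 101 and len(v) == 4), None)
        return "nak", ERROR_CAUSE.get(cause, f"Error-Cause {cause}")
    return "ack", CODES.get(code, f"code {code}")

# Constructed sample: Disconnect-Request for one wireless session, answered with a NAK.
SECRET = b"constructed-secret"
REQ = build(40, 7, bytes(16), attr(1, b"alice") + attr(31, b"00-00-5E-00-53-01")
            + attr(4, bytes([192, 0, 2, 1])), SECRET)
NAK = build(42, 7, REQ[4:20], attr(101, struct.pack("!I", 503)), SECRET)
```

A `bad-request-authenticator` verdict means the receiver would discard the packet without answering, which looks the same on the ClearPass side as a CoA sent to a device that does not handle RADIUS for the session.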
