Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

FortiAP Dynamic vlan not working with Cisco ISE radius server

Hi Experts,


We've got a managed fortiswitch and FortiAP. The same vlans are being used for wired and wireless that are associated with Fortilink. Dynamic vlan assignment works normally when I connect a PC to the Fortiswitch but, wireless DVLAN assignment is not working. FortiAP is connected to port1 on the switch.

Fortigate IP:


Note: I've already tried with the NAS-IP changed to and it remains the same.
Based on the log messages on the ISE, the Fortinet is not responding to COArequest sending a nas-identifier mismatch (CoANAK). Attaching the radius, wireless and switchport configuration. 





FSW will handle RADIUS by it's own, FGT will only push the configuration. The NAS-IP is from the switch.

In case of FAP, all the RADIUS are handled by FGT. Make sure you are using the right IP specified on ISE as NAS IP. Make sure you have also enabled coa and set up the nas-ip in FGT RADIUS config

config user radius
edit "FNAC"
set nas-ip
set radius-coa enable 

You can also enable this debug command for CoA in FGT:

# diag debug application radius-das -1

# diag debug enable

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
New Contributor II

The NAS configuration has been addressed and the CoA-request is acknowledged by the fortigate now but, it still does not trigger re-authentication of the client. I created a device profile to send a "disconnect-request" instead of COA-request and observed that it causes the client to disconnect from the ssid and reconnect to it instead of a seamless re-auth. This is causing the posture agent to break. I am seeing this issue only over wireless. Wired clients connected over fortiswitch work as expected. What are some radius attributes that I can use to trigger a reauth ?




I guess you are expecting for FAP to support something similar to:  "Cisco:Avpair=“subscriber:command=reauthenticate”"

As I know for the moment this is supported only for FSW (Administration guide), I haven't seen something similar for FAP yet.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
New Contributor II

Yes, something similar. I would assume there should be a standard radius attribute for reauth that the fortigate would understand.

New Contributor

Hi @Nemesis31 ,


Possible for you to share the cisco ise configration for fortinet wireless solution?




Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors