Nemesis31
New Contributor II

FortiAP Dynamic vlan not working with Cisco ISE radius server

Hi Experts,

We've got a managed FortiSwitch and a FortiAP. The same VLANs are used for wired and wireless, and they are associated with FortiLink. Dynamic VLAN assignment works normally when I connect a PC to the FortiSwitch, but wireless DVLAN assignment is not working. The FortiAP is connected to port1 on the switch.


FortiGate IP: 10.200.211.200
FSW: 192.168.200.40
FortiAP: 192.168.200.66

Note: I've already tried with the NAS-IP changed to 192.168.200.40 and it remains the same.
Based on the log messages on the ISE, the FortiGate is not responding to the CoA-Request and is sending a NAS-Identifier mismatch (CoA-NAK). Attaching the RADIUS, wireless and switch-port configuration.

[Attachments: COANack.PNG, COA-Request.PNG]

[Attachment: FGT-Config.PNG]

ebilcari
Staff

FSW will handle RADIUS on its own; FGT will only push the configuration. The NAS-IP is from the switch.

In the case of FAP, all the RADIUS traffic is handled by FGT. Make sure you are using the right IP specified on ISE as the NAS IP. Make sure you have also enabled CoA and set up the nas-ip in the FGT RADIUS config:

config user radius
    edit "FNAC"
        ..
        set nas-ip 10.0.0.1
        set radius-coa enable
    next
end

You can also enable this debug command for CoA on the FGT:

# diag debug application radius-das -1
# diag debug enable

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Nemesis31
New Contributor II

The NAS configuration has been addressed and the CoA-Request is acknowledged by the FortiGate now, but it still does not trigger re-authentication of the client. I created a device profile to send a Disconnect-Request instead of a CoA-Request and observed that it causes the client to disconnect from the SSID and reconnect to it instead of a seamless re-auth. This is causing the posture agent to break. I am seeing this issue only over wireless. Wired clients connected over the FortiSwitch work as expected. What are some RADIUS attributes that I can use to trigger a re-auth?

[Attachment: COA-request.PNG]

ebilcari

I guess you are expecting FAP to support something similar to Cisco:Avpair="subscriber:command=reauthenticate".

As far as I know, for the moment this is supported only for FSW (Administration guide); I haven't seen something similar for FAP yet.

- Emirjon
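Putting the two staff replies above together (the NAS-IP check behind the CoA-NAK, and the Cisco AVPair "subscriber:command=reauthenticate" VSA), here is an added example that is not from this thread and not Fortinet code: an RFC 5176 CoA exchange with both sides, the RADIUS-server-side request builder and a mock Dynamic Authorization Server that answers CoA-ACK or CoA-NAK with the RFC's Error-Cause values (403 NAS Identification Mismatch, 503 Session Context Not Found). The 10.0.0.x addresses, the shared secret, the user names and the DAS decision logic are assumptions for illustration only; how FortiOS really evaluates the request, and whether FortiAP acts on the VSA, is not modelled.

```python
"""RFC 5176 CoA/Disconnect exchange: an ISE-like client against a FortiGate-like DAS.
Added example, not code from this thread or from Fortinet. The DAS is a minimal
mock of RFC 5176 semantics (NAS-IP-Address check, Error-Cause, authenticators);
FortiOS's real checks are not reproduced. Addresses, shared secret and the
session table are constructed for the example."""
from __future__ import annotations
import hashlib
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, VENDOR_SPECIFIC, ERROR_CAUSE = 1, 4, 26, 101
ERR_NAS_IDENTIFICATION_MISMATCH, ERR_SESSION_CONTEXT_NOT_FOUND = 403, 503
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS TLV: type, total length including the 2-byte header, value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping a Cisco AVPair (vendor 9, subtype 1)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def parse_attrs(body: bytes) -> list[tuple[int, bytes]]:
    """Walk a TLV list; reject a length that would run past the buffer."""
    out, i = [], 0
    while i + 2 <= len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out

def parse_cisco_avpair(value: bytes) -> str | None:
    """Return the AVPair text if a Vendor-Specific value is Cisco subtype 1."""
    if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
        return None
    pairs = [v for t, v in parse_attrs(value[4:]) if t == CISCO_AVPAIR]
    return pairs[0].decode() if pairs else None

def build_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Request Authenticator = MD5(header | 16 zero bytes | attrs | secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + bytes(16) + attrs + secret).digest() + attrs

def build_response(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(header | RequestAuth | attrs | secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: the ACK/NAK must be bound to our request's authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]

def coa_request(ident: int, user: str, nas_ip: str, secret: bytes, extra: bytes = b"") -> bytes:
    """What the RADIUS server sends: NAS identity, session identity, optional extras."""
    attrs = attr(USER_NAME, user.encode()) + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)) + extra
    return build_request(COA_REQUEST, ident, attrs, secret)

def das_handle(packet: bytes, secret: bytes, my_nas_ip: str, sessions: set[str]) -> bytes:
    """Mock DAS (the FortiGate's role for FortiAP clients). Empty reply = silently
    discarded (bad authenticator); NAK 403 = NAS mismatch; NAK 503 = unknown session."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], packet[20:length]
    if hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest() != req_auth:
        return b""
    ack = COA_ACK if code == COA_REQUEST else DISCONNECT_ACK
    nak = COA_NAK if code == COA_REQUEST else DISCONNECT_NAK
    parsed = dict(parse_attrs(attrs))
    nas_ip = parsed.get(NAS_IP_ADDRESS)
    if nas_ip is not None and socket.inet_ntoa(nas_ip) != my_nas_ip:
        err = attr(ERROR_CAUSE, struct.pack("!I", ERR_NAS_IDENTIFICATION_MISMATCH))
        return build_response(nak, ident, req_auth, err, secret)
    if parsed.get(USER_NAME, b"").decode() not in sessions:
        err = attr(ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))
        return build_response(nak, ident, req_auth, err, secret)
    return build_response(ack, ident, req_auth, b"", secret)

def error_cause(response: bytes) -> int | None:
    """Error-Cause (101) value from a NAK, or None on an ACK."""
    codes = [struct.unpack("!I", v)[0] for t, v in parse_attrs(response[20:]) if t == ERROR_CAUSE]
    return codes[0] if codes else None

if __name__ == "__main__":
    SECRET, SESSIONS, NAS = b"s3cret", {"alice"}, "10.0.0.1"
    # ISE pointed at the wrong NAS IP: the CoA-NAK the original poster saw.
    bad = coa_request(1, "alice", "10.0.0.2", SECRET)
    print("mismatch ->", error_cause(das_handle(bad, SECRET, NAS, SESSIONS)))
    # NAS IP fixed and the Cisco reauth AVPair attached; the mock simply ACKs it.
    good = coa_request(2, "alice", NAS, SECRET, cisco_avpair("subscriber:command=reauthenticate"))
    print("fixed ->", das_handle(good, SECRET, NAS, SESSIONS)[0] == COA_ACK)
```

The first request carries a NAS-IP-Address that is not the DAS's own, so the mock answers CoA-NAK with Error-Cause 403, the same class of rejection the first post describes; once the NAS IP matches and the session is known, the same request (here with the Cisco AVPair attached as an ordinary Vendor-Specific attribute) is acknowledged. Whether the receiving device then actually re-authenticates the client is a separate question from whether it ACKs the packet, which is why an acknowledged CoA can still leave the wireless session untouched.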
Nemesis31
New Contributor II

Yes, something similar. I would assume there should be a standard RADIUS attribute for re-auth that the FortiGate would understand.
