AEK
Honored Contributor

FortiNAC, Aruba IAP integration issue

Hello Fortinet community

 

We have FNAC 9.2.7 and want to integrate a few Aruba IAPs (model: 315, ArubaOS 6.5.4.6 and 8.9).
We followed the FortiNAC Aruba IAP integration guide by Fortinet.
After the IAPs were added to FNAC via SNMP and SSH, FNAC seems unable to read VLAN and port information, as nothing is displayed in the "Ports" tab. L2 polling doesn't work either. Consequently, FNAC RADIUS always assigns the default wireless access value for all rogue or registered hosts.
The issue is the same on all our Aruba IAPs.

 

From the RADIUS server log we can see the below interesting messages.

:: Device virtualization not supported
:: Policy access config lookup skipped - [ArubaTest eth0] not a member of 'Role Based Access' port group

 

When trying Read VLANs or L2 Poll, the "tail -f output.master" command gives the following interesting message just after "show summary" output.

yams INFO :: p: default-threadpool; w: Idle ArubaIAP.updateVlanID exception com.bsc.api.database.NoSuchDatabaseObjectException: No Objects found

 

Any useful idea would be appreciated.

 

 
AEK
1 Solution
Anonymous
Not applicable

Also paramount to Aruba IAP integration is the VIP configuration of the cluster.

Make sure the Aruba cluster is configured properly and the VIP is the master node.

The same VIP IP should be modeled in FNAC, so the element tab should have the same IP as the VIP.

 

https://docs.fortinet.com/document/fortinac/9.4.0/aruba-instant-ap-wireless-integration

4 REPLIES
Anonymous
Not applicable

Hello 

 

1. Check if the SSID where the host connects is a member of the Forced Registration group and Role Based Access.

Forced Registration:

https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/837785/system-groups

Ports that participate in forced registration when unregistered hosts connect.

 

- The desired VLANs are configured in the WLC/switch.
- The desired VLANs are listed in the WLC's model configuration in Topology.
- The desired VLANs have the required VLAN IDs specified as their access value.
- "VLAN switching enabled" is selected under the element tab in the WLC's model configuration.
- RADIUS authentication is enabled in the WLC's model configuration.
- The credentials are correct (under the WLC's model configuration credentials tab, click validate credentials).
  • If SNMP credentials fail, please check credentials.
  • If CLI credentials fail, please check credentials.

 

If the above steps are correct, then please set the RADIUS debugs in Network > RADIUS to High.

Enter in the FNAC CLI:

 

logs

campusmgrdebug -name RadiusManager true

campusmgrdebug -name RadiusAccess true

campusmgrdebug -name PolicyHelper true

campusmgrdebug -name BridgeManager true

 

Test the issue with one host by connecting to the SSID, and provide the MAC address of the test host.

When finished, attach the FNAC system logs as described here:

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-How-to-Use-grab-log-snapshot/ta-p/190755

AEK
Honored Contributor

Thanks for the hint Ed. Appreciate your quick and efficient help.

My Aruba was in prod without a configured VIP.

Added the VIP to the IAP and modeled it in FNAC successfully.

Best regards

 

AEK
Anonymous
Not applicable

Glad you got it solved, and congrats on the great work done on your side.

Thanks for being a contributor to our community.

Cheers!
