Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
barisben
New Contributor II

FortiNAC-F Not Sending 3799 CoA Requests on Wired Switches

Despite VLAN switching being active, for some reason FortiNAC is not sending 3799 CoA requests on any of my wired switches (I have no issues with access points; 3799 requests are being sent there). If I connect the same device wirelessly, it will do this. For example, when a host connects to switch X, it is assigned to the registered VLAN and 5-10 seconds later is recognized by the DPR. However, unless I manually disable and enable the port, the host doesn't switch to the appropriate VLAN. Even when I manually change the role of host X, it doesn't detect this as new activity and doesn't send a 3799 request. As I mentioned, this issue only occurs with the switches, specifically Aruba switches (both old and new generation). When I check the logs, I can see that FortiNAC isn't even sending the 3799 CoA request. What could be the issue?

 

[Attachment: Screenshot_3.png]

[Attachment: Screenshot_4.png]

 

Hawada1
Staff & Editor

Check from the FortiNAC CLI and run the following tcpdump command to see which attributes are being sent by FortiNAC. If the correct attributes are sent, then you need to check with Aruba why the switch is not accepting the request.

# execute tcpdump -i any -v host <Aruba-switch-ip> and \( port 3799 or port 1700 \)

barisben
New Contributor II

        CoA-Request (43), id: 0xc8, Authenticator: 880cfffd8fd488db2628116384e52c25
          Vendor-Specific Attribute (26), length: 12, Value: Vendor: Unknown (43)
            Vendor Attribute: 5, Length: 4, Value: ....
          Vendor-Specific Attribute (26), length: 16, Value: Vendor: Unknown (43)
            Vendor Attribute: 4, Length: 8, Value: 10.8.4.2
          Vendor-Specific Attribute (26), length: 20, Value: Vendor: Unknown (43)
            Vendor Attribute: 1, Length: 12, Value: fc9ffd45cc9b
          Vendor-Specific Attribute (26), length: 25, Value: Vendor: 3rd Generation Partnership Project 2 (3GPP2) (5535)
            Vendor Attribute: 31, Length: 17, Value: FC-9F-FD-45-CC-9B
          Vendor-Specific Attribute (26), length: 12, Value: Vendor: Unknown (14823)
            Vendor Attribute: 40, Length: 4, Value: ....

 

That's why the switch responds Missing Attribute.

Hawada1
Staff & Editor

I do see that Attribute 5 and 40 were sent empty. Please capture the CoA traffic + RADIUS traffic and upload the pcap.

# execute tcpdump -i any -v -w radius.pcap host <Aruba-switch-ip> and \( port 3799 or port 1700 or port 1812 or port 1645 \)
https://community.fortinet.com/t5/FortiNAC-F/Technical-Tip-Run-tcpdump-in-FortiNAC-F-and-save-captur...

barisben
New Contributor II

I will. On the other hand, Aruba says I have the Aruba-Port-Bounce attribute, but FortiNAC has the Aruba-Port-Bounce-Host attribute, and I cannot modify it or create a new one named Aruba-Port-Bounce. Maybe the problem is this.

 

https://arubanetworking.hpe.com/techdocs/AOS-CX/10.16/HTML/security_8100-8360/Content/Chp_Sppt_RADIU...

barisben
New Contributor II

Hi, Switch IP -> 10.8.4.2, FNAC-F IP -> 10.6.7.18. I use these attributes, and Attribute 5 (NAS-Port) was sent empty. I tried with NAS-Port-ID too, but nothing changed. Also the Cisco-AVs are not working either; it sent them empty too. Pcap file:

 

https://drive.google.com/file/d/1yJFJLiRE5qm-Kd2XHNK6AfdJSnsDYCza/view

 

Attribute            Value
NAS-Port             %AUTH%
NAS-IP-Address       %AUTH%
User-Name            %AUTH%
Calling-Station-Id   %AUTH%

Hawada1
Staff & Editor

Unfortunately, FortiNAC does not support the "Aruba-Port-Bounce" VSA. However, you can check whether your switch model supports the Cisco-AVPair values shown below. I have seen that some AOS-CX switches do support these AVPs.

  1. Cisco-AVPair='subscriber:command=bounce-host-port'
  2. Cisco-AVPair='subscriber:command=disable-host-port'
  3. Cisco-AVPair='subscriber:command=reauthenticate' and Cisco-AVPair='subscriber:reauthenticate-type=<last|rerun>'

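The following is an added example and is not part of this thread, nor FortiNAC or Aruba code. It encodes and decodes a RADIUS CoA-Request (RFC 5176) so the attribute list tcpdump prints can be checked programmatically: it rebuilds a constructed packet that mirrors the capture posted earlier (id 0xc8, the posted Authenticator, the five VSAs, plus a zero-length NAS-Port as later reported), lists each attribute with its raw bytes so a 4-byte integer (which tcpdump renders as "....") can be told apart from a truly empty value, and shows how a Cisco-AVPair such as the ones listed above travels as a Vendor-Specific attribute (vendor 9, vendor attribute 1). Assumptions: the integer values of vendor attributes 5 and 40 are made up (the capture shows only dots), the Authenticator of the bounce packet is a placeholder rather than the MD5 the RFC requires, and enterprise numbers 43 and 14823 are labelled 3Com and Aruba from the IANA registry, not from the page.

```python
"""Decode a RADIUS CoA-Request (RFC 5176) into its attributes and VSAs."""
import struct

COA_REQUEST = 43        # RADIUS Code for CoA-Request (RFC 5176)
NAS_PORT = 5            # standard attribute NAS-Port (RFC 2865)
VENDOR_SPECIFIC = 26    # standard attribute Vendor-Specific (RFC 2865 section 5.26)
CISCO = 9               # IANA enterprise number of Cisco; Cisco-AVPair is vendor attribute 1
# Enterprise numbers seen in the posted capture (43 and 14823 print as "Unknown" in tcpdump)
VENDOR_NAMES = {9: "Cisco", 43: "3Com", 5535: "3GPP2", 14823: "Aruba"}


def attribute(atype, data):
    """Encode one standard attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, 2 + len(data)) + data


def vsa(vendor_id, vendor_type, data):
    """Encode a Vendor-Specific attribute carrying one nested vendor attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def cisco_avpair(value):
    """Cisco-AVPair (vendor 9, vendor attribute 1) with a string value."""
    return vsa(CISCO, 1, value.encode("ascii"))


def packet(code, ident, authenticator, attrs):
    """Prepend the RADIUS header: Code(1) Identifier(1) Length(2) Authenticator(16)."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse(raw):
    """Parse a RADIUS packet; VSAs are split into vendor id, vendor type and value."""
    if len(raw) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        data = raw[pos + 2:pos + alen]
        entry = {"type": atype, "vendor": None, "vendor_type": None, "data": data}
        if atype == VENDOR_SPECIFIC and len(data) >= 6:
            vendor_id = struct.unpack("!I", data[:4])[0]
            vtype, vlen = data[4], data[5]
            entry.update(vendor=vendor_id, vendor_type=vtype, data=data[6:4 + vlen])
        attrs.append(entry)
        pos += alen
    return {"code": code, "id": ident, "authenticator": raw[4:20], "attributes": attrs}


def empty_attributes(parsed):
    """Attributes carrying zero value bytes, the usual reason a NAS answers a
    CoA-NAK with Error-Cause 402 (Missing Attribute)."""
    return [a for a in parsed["attributes"] if len(a["data"]) == 0]


def describe(a):
    """One line per attribute; binary values are shown as hex so that a 4-byte
    integer (which tcpdump renders as '....') is not mistaken for an empty value."""
    printable = a["data"] and all(32 <= b < 127 for b in a["data"])
    shown = a["data"].decode("ascii") if printable else (a["data"].hex() or "<empty>")
    if a["vendor"] is None:
        return f"Attribute {a['type']}: {shown}"
    name = VENDOR_NAMES.get(a["vendor"], "Unknown")
    return f"VSA vendor {name} ({a['vendor']}) attribute {a['vendor_type']}: {shown}"


# Constructed sample mirroring the posted capture: id 0xc8, the posted Authenticator
# and the five VSAs, plus a zero-length NAS-Port as reported later in the thread.
# The two integer values are assumed; tcpdump showed only dots for them.
SAMPLE_COA = packet(COA_REQUEST, 0xC8, bytes.fromhex("880cfffd8fd488db2628116384e52c25"), [
    vsa(43, 5, struct.pack("!I", 1)),
    vsa(43, 4, b"10.8.4.2"),
    vsa(43, 1, b"fc9ffd45cc9b"),
    vsa(5535, 31, b"FC-9F-FD-45-CC-9B"),
    vsa(14823, 40, struct.pack("!I", 1)),
    attribute(NAS_PORT, b""),
])

# A bounce request carrying the first Cisco-AVPair listed above. bytes(16) stands in
# for the Request Authenticator (an MD5 over packet and shared secret per RFC 5176).
BOUNCE_COA = packet(COA_REQUEST, 0xC9, bytes(16), [
    cisco_avpair("subscriber:command=bounce-host-port"),
])

if __name__ == "__main__":
    for raw in (SAMPLE_COA, BOUNCE_COA):
        parsed = parse(raw)
        print(f"Code {parsed['code']} id 0x{parsed['id']:02x}, {len(parsed['attributes'])} attributes")
        for a in parsed["attributes"]:
            print("  " + describe(a))
        for a in empty_attributes(parsed):
            print("  empty value, expect CoA-NAK: " + describe(a))
```

Feeding the script a real packet (for example the UDP payload of a CoA-Request exported from the pcap) instead of the constructed sample gives the same per-attribute listing, and any entry reported by empty_attributes is the first thing to compare against the NAS's CoA-NAK.
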
Hawada1
Staff & Editor

I would recommend submitting a FortiNAC ticket to check the behavior.
Please create a support ticket and add all the captured logs.

br,
Hawada
