Mike77
New Contributor II

FortiNAC, FortiGate and FortiAP - CoA request fail with "Session Context Not Found"

Hi Guys

I'm testing FortiNAC with a FortiGate (as a wireless controller) and FortiAPs.

During testing, I noticed that CoA does not work as desired. The VLAN is only changed during disconnect/connect of the client.

I use the command "sendcoa -ip 172.xx.xx.xx -mac XX:XX:XX:XX:XX:XX -dis" on FortiNAC.

With "execute tcpdump -i any port 3799 -v" I get the following output:

 

tcpdump: data link type LINUX_SLL2
dropped privs to admin
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
10:44:49.640276 port1 Out IP (tos 0x0, ttl 64, id 43159, offset 0, flags [DF], proto UDP (17), length 78)
s-test-fncesx01.42844 > _gateway.3799: RADIUS, length: 50
Disconnect-Request (40), id: 0x25, Authenticator: aafde2cc1e57197d88bdfac5632f91ab
Calling-Station-Id Attribute (31), length: 19, Value: XX:XX:XX:XX:XX:XX
User-Name Attribute (1), length: 11, Value: host/XXXX


10:44:51.641526 port1 In IP (tos 0x0, ttl 64, id 3676, offset 0, flags [none], proto UDP (17), length 78)
_gateway.3799 > s-test-fncesx01.42844: RADIUS, length: 50
Disconnect-NAK (42), id: 0x25, Authenticator: c433a7cf357955e717cc13daf18e461c
Error-Cause Attribute (101), length: 6, Value: Error cause 503: Session Context Not Found
Event-Timestamp Attribute (55), length: 6, Value: Thu Sep 11 10:44:49 2025
Message-Authenticator Attribute (80), length: 18, Value: .0..j?a.u.....m.

 

Under "CLIENT EXTENDED ATTRIBUTES" I see only attribute 1 and attribute 31

(Command: "client -mac XX:XX:XX:XX:XX:XX")

 

If I interpret the page correctly, https://community.fortinet.com/t5/FortiAP/Troubleshoot-Tip-Most-common-causes-CoA-request-fail-to/ta... says attribute 8 is missing.

 

Any idea how I can fix that?

ebilcari
Staff

Was the host connected and authenticated (active session) when you tried to manually send the CoA/DM?

To have more information you can also enable the following debug from the FGT side:

# diagnose debug application radius_das 8

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Mike77
New Contributor II

Hello Emirjon
Yes, the host is connected and authenticated.

Mike77
New Contributor II

Hello Emirjon

I enabled debug with 255 because I have no output with 8.

[Screenshot: 15-09-2025_06-43-47.png]

ebilcari

I tried to emulate the same in a lab:

GW # 33611.536 DAS: Received 51 bytes from 10.1.2.71:51571
33611.539 RADIUS message: code=40 (Disconnect-Request) identifier=14 length=51
Attribute 31 (Calling-Station-Id) length=19 pos 0x10799726
Value: '88-xx-xx-xx-xx-xx'
Attribute 1 (User-Name) length=6 pos 0x10799739
Value: 'gimi'
Attribute 8 (Framed-IP-Address) length=6 pos 0x1079973f
Value: 10.5.60.51
33611.552 DAS: received msg with hdr_code 40
33611.555 DAS: No Message-Authenticator attribute found
33611.558 DAS: select framed_ip 10.5.60.51
33611.562 DAS: select calling_station_id 88-xx-xx-xx-xx-xx
33611.565 DAS: select user_name gimi

..

33613.648 DAS: Reply ACK to 10.1.2.71:51571
33613.652 RADIUS message: code=41 (Disconnect-ACK) identifier=14 length=44

 

It seems like the attribute 8 is used but it is also not listed in client details in FNAC:

CLIENT EXTENDED ATTRIBUTES
1 gimi
31 88-xx-xx-xx-xx-xx
Auth8021x 8
AuthAttrList 1,31
AuthType 2

Does FNAC have the L3 information for the host you are trying to disconnect? Is the GW of the WiFi host on the same FGT?

[Screenshot: L3 wifi.PNG]

- Emirjon
Mike77
New Contributor II

Hello Emirjon

Yes, FNAC shows me the correct L3 information and the WiFi GW is on the same FGT cluster.

ebilcari

Which firmware is FNAC running and have you set any custom configuration for RFC5176:

 

[Screenshot: Radius custom CoA.PNG]

- Emirjon
Mike77
New Contributor II

FNAC Version is v7.6.4.0782 (GA)

RFC configuration is set to system defined.
 

[Screenshot: 19-09-2025_11-10-19.png]

ebilcari

Is 'WiFi' a local or a proxy RADIUS server?
You can also try to enable RADIUS Accounting in the FGT to forward the messages to FNAC. The attribute (8) should come as an Accounting attribute:

11:55:08.960429 port1 In IP (tos 0x0, ttl 63, id 1297, offset 0, flags [none], proto UDP (17), length 346)
10.0.10.1.20372 > fnac74p.eb.eu.radius-acct: RADIUS, length: 318
Accounting-Request (4), id: 0x65, Authenticator: 386e13c3c670946c1501f0aa1efe833a
Acct-Status-Type Attribute (40), length: 6, Value: Start
Acct-Authentic Attribute (45), length: 6, Value: RADIUS
User-Name Attribute (1), length: 6, Value: gimi
NAS-IP-Address Attribute (4), length: 6, Value: 10.0.10.1
...
Framed-IP-Address Attribute (8), length: 6, Value: 10.5.60.51

 

You can also try to customize the DM message attributes at least for testing as shown here.

I tried to remove the attribute 8 from the custom response, and it seems that FGT 7.2.11 still accepts it:


12:10:27.946526 port1 Out IP (tos 0x0, ttl 64, id 41799, offset 0, flags [DF], proto UDP (17), length 73)
fnac74p.eb.eu.51571 > 10.0.10.1.3799: RADIUS, length: 45
Disconnect-Request (40), id: 0x17, Authenticator: e4f206d440a9902bf442268303925079
Calling-Station-Id Attribute (31), length: 19, Value: 88-xxxxx
User-Name Attribute (1), length: 6, Value: gimi
.
12:10:29.949953 port1 In IP (tos 0x0, ttl 63, id 49094, offset 0, flags [none], proto UDP (17), length 72)
10.0.10.1.3799 > fnac74p.eb.eu.51571: RADIUS, length: 44
Disconnect-ACK (41), id: 0x17, 

- Emirjon
Mike77
New Contributor II

WiFi is the Virtual RADIUS Server on the FNAC.

I checked the radius message that is incoming to FNAC. There is no "Framed-IP-Address Attribute (8)".
Looks like a FGT or AP misconfiguration.
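
Added example, not part of the thread and not Fortinet code: a small Python decoder for RFC 5176 Disconnect messages that lists which of the session identification attributes discussed above (1, 8, 31) a request carries and translates the Error-Cause (101) of a reply. The sample packets are constructed to match the shape of the captures in the thread; the helper names `attr` and `build` are hypothetical.

```python
import ipaddress
import struct

CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK"}
# Session identification attributes discussed in the thread (subset of RFC 5176).
SESSION_ATTRS = {1: "User-Name", 8: "Framed-IP-Address", 31: "Calling-Station-Id"}
ERROR_CAUSES = {402: "Missing Attribute", 403: "NAS Identification Mismatch",
                503: "Session Context Not Found", 504: "Session Context Not Removable"}

def parse_radius(packet: bytes):
    """Decode the 20-byte RADIUS header and the type/length/value attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        a_type, a_len = packet[pos], packet[pos + 1]  # length counts the 2 header bytes
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, attrs

def summarize(packet: bytes) -> dict:
    """Report session identifiers in a request and the Error-Cause in a reply."""
    code, ident, attrs = parse_radius(packet)
    out = {"code": CODES.get(code, str(code)), "id": ident}
    if code == 40:
        out["present"] = {
            name: str(ipaddress.IPv4Address(attrs[t][0])) if t == 8
            else attrs[t][0].decode("ascii", "replace")
            for t, name in SESSION_ATTRS.items() if t in attrs}
        out["absent"] = [n for t, n in SESSION_ATTRS.items() if t not in attrs]
    if 101 in attrs and len(attrs[101][0]) == 4:
        cause = struct.unpack("!I", attrs[101][0])[0]
        out["error_cause"] = (cause, ERROR_CAUSES.get(cause, "unlisted"))
    return out

def attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value

def build(code: int, ident: int, attributes: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + bytes(16) + attributes

# Constructed samples (masked values kept; authenticator zeroed and never verified).
REQUEST = build(40, 0x25, attr(31, b"XX:XX:XX:XX:XX:XX") + attr(1, b"host/XXXX"))
NAK = build(42, 0x25, attr(101, struct.pack("!I", 503)))
```

`summarize(REQUEST)` reports Framed-IP-Address as absent, and `summarize(NAK)` returns the decoded Error-Cause.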
