Jucker
New Contributor III

FortiNAC Port configured for dot1x and portal guest access issue

Hello,

 

I have a use case where I have a Cisco switch port configured with dot1x and MAB, and I need:

seq 1: if the user is AD, then VLAN 25

seq 2: if printer, then VLAN 26

seq 3: if guest access portal registration is logged successfully, then VLAN 27

 

The issue I have is that if I connect a laptop without a dot1x supplicant, I always get MAC authentication success with the same default VLAN on the port. I can access the guest portal and self-register/login without any issue, but the VLAN change never occurs. Only after a shut/no shut of the port, on the new authentication process, does FNAC detect the host and change the port VLAN to 27, since the host was already registered during the last portal authentication.

 

Do you have any thought ?
Thank you!
Regards!

 

@ebilcari

 


AEK
SuperUser

Hi Jucker

When FortiNAC changes a VLAN on a port it shuts down the port and brings it up again, so that the client refreshes its DHCP address. As far as I remember this operation is done via SNMP query.

If I am not misunderstanding your concern, your FNAC is not doing so. If this is the case then your FNAC may not have RW SNMP right on the switch. In order to confirm this, on FNAC try right click on a port and shut it down, then see if it is done successfully. If it is not then check FNAC's RW SNMP permission.

AEK
Jucker
New Contributor III

Hello @AEK ,

 

The port is configured with dot1x, so the RADIUS CoA would take care of the VLAN change.

If I remove the dot1x configuration, then the SNMP shut/no shut does bounce the port.

I'm not sure whether this is unsupported on a port used for 802.1x and the guest portal at the same time.

 

Regards!

 

 

ebilcari

Based on your description it seems that the RADIUS CoA is missing or is getting ignored by the switch. Guest hosts will be handled with MAB authentication; normally they should get the registration VLAN first, and after successful registration a CoA will be sent. The next authentication, which will happen instantly after the CoA, will send the guest VLAN. You can run a packet capture in FNAC to see whether the CoA is sent or not:

> tcpdump '(port 1812 or port 3799 or port 1700) and host x.x.x.x'

 

Replace x.x.x.x with the IP of the switch. Cisco may use port 3799 (standard) or 1700, and the port sometimes needs to be specified manually in the switch configuration. (The filter is parenthesized so that the host match applies to all three ports; without the parentheses, `and` binds tighter than `or` and the host filter would only apply to port 1700.)

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Jucker
New Contributor III

Hello @ebilcari ,

 

Thank you, I did not pay attention that the CoA password should be the same as the password in the inventory device integration.

However, the VLAN now gets changed on the port correctly, but the guest laptop's IP address is not updated until I shut/no shut the port or run ipconfig /renew. In the tcpdump, FNAC sends a Disconnect-Request and the switch responds with a Disconnect-ACK.

Should I configure CLI to shutdown/no shutdown the port from FNAC, or do I need to push the Cisco attribute in the authorization to bounce the port?

 

Best Regards!

ebilcari

In fact these messages are Disconnect Messages (DM, Code 41) and not pure CoA; more information can be found here.

Most network devices should bounce the port when they receive the DM. You can check the switch configuration/documentation to verify it. The CoA content is built automatically by sniffing RADIUS traffic and cannot be manually specified in FNAC. Enabling RADIUS accounting on the switch to send messages to FNAC can help in cases where the CoA packet is not properly built.

 

The DHCP lease time for the isolation network is set to 60 seconds, so technically the host will try to renew its IP within 45 seconds even if the port is not bounced. As long as the VLAN is changed successfully, it will request a new IP.

[Screenshot: reg-lease.PNG, the registration network DHCP lease setting]

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
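The two points above (check the capture for the CoA/DM, and make sure the CoA shared secret matches the device's credentials in FNAC's inventory) come down to reading the RADIUS dynamic-authorization packets on the wire. The following is an added example, not code from the thread or from FortiNAC, that builds a constructed Disconnect-Request for a MAB guest host the way a NAC would send it, builds the switch's Disconnect-ACK, and decodes both while verifying the RFC 5176 authenticators against a shared secret. The secret `fnac-secret`, the MAC `00-11-22-33-44-55`, the switch IP 10.1.1.2 and the port name are all made-up sample values. A DM whose authenticator fails to verify is exactly what a wrong CoA password looks like to the switch, which then silently discards the request.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes: RFC 2865 (authentication) and RFC 5176 (dynamic authorization).
CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response",
    40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
    43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK",
}
# Requests whose authenticator is MD5 over the packet with 16 zero octets in the
# authenticator field (RFC 2866 accounting, RFC 5176 DM/CoA). Access-Request uses
# a random authenticator instead and is not verifiable this way.
ZERO_AUTH_REQUESTS = {4, 40, 43}
# Attribute types a NAC uses to identify the session a DM/CoA targets.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
              31: "Calling-Station-Id", 44: "Acct-Session-Id", 87: "NAS-Port-Id"}


def _encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_request(code, ident, attrs, secret):
    """Build a Disconnect-Request or CoA-Request.
    Request Authenticator = MD5(Code | ID | Length | 16 zero octets | Attributes | Secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def build_response(code, request, attrs, secret):
    """Build the NAS's ACK/NAK for `request`.
    Response Authenticator = MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def parse_attrs(data):
    """Walk the TLV attribute list, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"malformed attribute type {t}")
        attrs.append((ATTR_NAMES.get(t, f"Attr-{t}"), data[i + 2:i + length]))
        i += length
    return attrs


def inspect(packet, secret, request=None):
    """Decode one RADIUS datagram (the UDP payload) and verify its authenticator.
    For an ACK/NAK the matching request must be passed, since its authenticator is hashed in."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    body = packet[20:length]
    if code in ZERO_AUTH_REQUESTS:
        expected = hashlib.md5(packet[:4] + b"\x00" * 16 + body + secret).digest()
    elif request is not None:
        expected = hashlib.md5(packet[:4] + request[4:20] + body + secret).digest()
    else:
        expected = None  # not verifiable without more context (e.g. Access-Request)
    return {
        "code": CODES.get(code, f"Code-{code}"),
        "id": ident,
        "authenticator_ok": None if expected is None else hmac.compare_digest(packet[4:20], expected),
        "attrs": parse_attrs(body),
    }


def demo(secret=b"fnac-secret"):
    """Constructed exchange: the NAC sends a DM for a MAB guest host and the switch ACKs it.
    All values are sample data, not captured traffic."""
    attrs = [(31, b"00-11-22-33-44-55"),        # Calling-Station-Id: the guest laptop's MAC
             (4, bytes([10, 1, 1, 2])),        # NAS-IP-Address: the switch
             (87, b"GigabitEthernet1/0/7")]    # NAS-Port-Id: the access port
    dm = build_request(40, 7, attrs, secret)
    ack = build_response(41, dm, [], secret)
    return {
        "dm": inspect(dm, secret),                       # authenticator_ok -> True
        "dm_wrong_secret": inspect(dm, b"wrong-secret"), # authenticator_ok -> False
        "ack": inspect(ack, secret, request=dm),         # Disconnect-ACK, authenticator_ok -> True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["code"], "auth_ok=%s" % result["authenticator_ok"], result["attrs"])
```

To use this on real traffic, save the capture with `tcpdump -w` and feed `inspect()` the UDP payload of each datagram to or from port 3799/1700; a Disconnect-Request from FNAC whose authenticator does not verify against the secret configured on the switch means the two sides disagree on the CoA password, and the switch will drop it without ever sending a Disconnect-ACK or NAK.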