Hi FNAC Admins
The WLC doesn't support CoA. So if I understand well the FNAC will send a RADIUS disconnect request in order to change the client's VLAN. But this doesn't happen.
The test I've made is to fail the scan of the client. When the client is on the wired network it is sent to quarantine; however, when it is on WiFi it is not sent to quarantine and not even disconnected.
Furthermore, when the host is at risk and I try to disconnect and reconnect to the SSID, it is put in the production VLAN instead of the isolation VLAN.
I followed FortiNAC's "Ruckus Zone Director Wireless Controller Integration" document, but it doesn't mention anything about the issue and its resolution.
In this integration (Ruckus), FNAC is expecting the support for CoA/DM to disconnect the hosts. Does this WLC support CoA/DM, or is it rejecting the requests due to a possible misconfiguration?
To facilitate troubleshooting you can also try to manually send a CoA/DM with the following command:
> sendcoa -ip x.x.x.x -mac YY:YY:YY:YY:YY:YY -dis
* replace x.x.x.x with the IP of the WLC and YY:YY.. with the MAC address of the end host (host should be connected when this command is sent).
If this WLC does not support any form of CoA/DM, the integration will be limited in functionality.
Thanks for your feedback, Emirjon.
This WLC doesn't support CoA but it should support DM as per my research.
So is there something additional to configure in FortiNAC to force it to use DM instead of CoA? Or does FNAC use DM automatically when the WLC doesn't support CoA?
Actually FNAC (7.2) will send DM messages; this also applies to the manual command (sendcoa). As long as the WLC supports DM and the relevant attributes are correctly parsed during authentication, it should function as expected. Full support for standard CoA was introduced in branch 7.6.
Thanks Emirjon
I'll troubleshoot with the provided command and share the result.
Hi Emirjon
After troubleshooting I found that the DM is supported on my WLC Ruckus ZD1200, and it actually works.
So for example when I change the target network in the policy, it actually changes the VLAN for the affected host but only once L2 polling is done, never instantly. And I can see with tcpdump that the DM message is sent to the WLC just after L2 poll is done.
As far as I remember in my old integration the VLAN changes instantly for WiFi users, but it seems with my ZD1200 it is done on L2 poll.
Any idea why this behavior happens?
PS:
Good to hear that the DM configurations have been sorted out. Policy evaluation is triggered when a host status changes (e.g. Rogue, At-risk) or when a network event is received (such as SNMP traps, new authentications, syslog messages, or L2 polling). This is expected behavior. Making configuration changes in UHP or NAP does not trigger a policy evaluation for the hosts that are expected to match.
To simulate a real scenario, you can register a rogue host or verify compliance using agent scanning.
You are right. It works fine when disabling the host.
Thanks again Emirjon!
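For anyone checking a DM exchange in a tcpdump capture like the one described in this thread, the following is an added Python example, not code from the thread or from FortiNAC: it builds a constructed RFC 5176 Disconnect-Request and a matching Disconnect-NAK, decodes them, and verifies the authenticator against an assumed shared secret, so a rejection (Error-Cause) or a mismatched secret becomes visible. The attribute numbers follow the RFC; the secret and the client MAC are made up.

```python
import hashlib
import struct

# RADIUS Dynamic Authorization codes (RFC 5176)
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
CALLING_STATION_ID = 31   # carries the client MAC in a DM
ERROR_CAUSE = 101         # present in a NAK, explains the rejection
ERROR_CAUSES = {401: "Unsupported Attribute", 402: "Missing Attribute",
                501: "Administratively Prohibited",
                503: "Session Context Not Found", 506: "Resources Unavailable"}

def build_packet(code, ident, attrs, secret, req_auth=bytes(16)):
    """Assemble a RADIUS packet. Authenticator = MD5(Code+ID+Length+X+Attrs+Secret),
    X = 16 zero octets for a request, the Request Authenticator for a response."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + auth + body

def parse_packet(pkt, secret=None, req_auth=bytes(16)):
    """Decode header and attributes; with a secret, also verify the authenticator
    (pass the request's authenticator as req_auth when checking an ACK/NAK)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    auth, body = pkt[4:20], pkt[20:length]
    attrs, pos = {}, 0
    while pos < len(body):
        t, l = body[pos], body[pos + 1]
        attrs[t] = body[pos + 2:pos + l]
        pos += l
    info = {"code": CODES.get(code, code), "id": ident,
            "mac": attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")}
    if ERROR_CAUSE in attrs:
        cause = struct.unpack("!I", attrs[ERROR_CAUSE])[0]
        info["error_cause"] = ERROR_CAUSES.get(cause, cause)
    if secret is not None:
        expected = hashlib.md5(pkt[:4] + req_auth + body + secret).digest()
        info["authenticator_ok"] = expected == auth
    return info

# Constructed sample exchange: an FNAC-style Disconnect-Request and the WLC's NAK.
SECRET = b"example-secret"   # made-up shared secret, not a real one
DISCONNECT = build_packet(40, 7, [(CALLING_STATION_ID, b"00-11-22-33-44-55")], SECRET)
NAK = build_packet(42, 7, [(ERROR_CAUSE, struct.pack("!I", 503))], SECRET,
                   req_auth=DISCONNECT[4:20])

if __name__ == "__main__":
    print(parse_packet(DISCONNECT, SECRET))
    print(parse_packet(NAK, SECRET, req_auth=DISCONNECT[4:20]))
```

A NAK with Error-Cause 503 means the WLC has no session for that MAC, which is the case when the host is not connected at the time the DM is sent.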
Copyright 2025 Fortinet, Inc. All Rights Reserved.