barisben
New Contributor

FortiNAC with Aruba 4100 Problem

Hey, we have 2930F switches and they are working well with FortiNAC. On the other hand, we have 6100s working on Aruba Central with these settings (screenshots) on FortiNAC, and they are working well too. So device profiling rules and others are set. We put a 4100 at the location but have a problem. If we set no group memberships and set a VLAN manually, there is no problem, but when forced to register it does not get a VLAN. These are the FortiNAC settings:

Screenshot_15.png

Screenshot_16.png

And this is the 4100's configuration for port authentication (of course the RADIUS server is added in the config):

aaa authentication port-access dot1x authenticator
    enable
aaa authentication port-access mac-auth
    auth-method pap
    enable
interface 1/1/5
    no shutdown
    vlan access 1
    aaa authentication port-access auth-precedence mac-auth dot1x
    aaa authentication port-access dot1x authenticator
        cached-reauth
        quiet-period 10
        reauth
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        quiet-period 10
        reauth
        enable

ebilcari
Staff

Based on the behavior, this seems like an integration issue for this particular switch. Is it correctly modeled by FortiNAC, or was a similar model chosen to model it?

Can you extract and share the OID of this switch?

If the switch is not currently supported you can refer to this article and open a ticket with TAC support.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
barisben

1.3.6.1.4.1.47196. We already have the same switch and it works on NAC with the same configurations. But this one does not.

ebilcari

This OID value stops at the vendor part. The full OID of the device model can be extracted by running an SNMP walk command from the FortiNAC CLI, like:

> snmpwalk -v2c -c 'yyy' x.x.x.x system

*where x.x.x.x should be replaced with SW IP, yyy with the community name

If another switch of the same model/OID is working normally, then check the configurations and verify that both CLI and SNMP credentials are validated for the affected switch. The registration VLAN (115) should be preconfigured in the switch.

You can also run a packet capture to check the RADIUS communication between FortiNAC and the switch in real time by using the following command:

> tcpdump host x.x.x.x and port 1812 -nnv

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
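An added example (not part of the original thread and not FortiNAC code): once the RADIUS exchange has been captured as suggested above, this sketch decodes a RADIUS UDP payload and reports whether an Access-Accept actually carries a VLAN in Tunnel-Private-Group-ID. The function names and sample packets are constructed for illustration, and it assumes you have already extracted the raw UDP payload bytes from the capture.

```python
import struct

# Constructed example, not FortiNAC code. Attribute numbers are from RFC 2865/2868.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

def parse_radius(payload):
    """Split a RADIUS UDP payload into its code name and attribute lists."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("length field does not match payload")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute overruns packet")
        attrs.setdefault(atype, []).append(payload[pos + 2:pos + alen])
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def vlan_from_accept(payload):
    """Return the VLAN string carried in an Access-Accept, or None."""
    pkt = parse_radius(payload)
    if pkt["code"] != "Access-Accept":
        return None
    for value in pkt["attrs"].get(TUNNEL_PRIVATE_GROUP_ID, []):
        if value and value[0] <= 0x1F:   # leading octet treated as an RFC 2868 tag
            value = value[1:]
        return value.decode("ascii", "replace")
    return None

def build(code, attrs):
    """Build a constructed test packet (zeroed authenticator, not verifiable)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: VLAN 115 is the registration VLAN named in the thread.
ACCEPT_WITH_VLAN = build(2, [(TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
                             (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
                             (TUNNEL_PRIVATE_GROUP_ID, b"115")])
ACCEPT_NO_VLAN = build(2, [])

if __name__ == "__main__":
    for name, pkt in (("with VLAN", ACCEPT_WITH_VLAN), ("no VLAN", ACCEPT_NO_VLAN)):
        print(name, "->", vlan_from_accept(pkt))
```

An Access-Accept that decodes to no VLAN points at the policy side, while one that carries the expected VLAN points at how the switch applies it.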
ndumaj

Hello @barisben ,

Are the SWs on the same firmware version?
Also, I would check the SNMP string and Admin CLI privileges. You should provide RW access and full administrative rights.

BR

- Happy to help, hit like and accept the solution -
Sx11
Staff

In the device model picture you have shared, there is an informational message that states "DM or CoA" are not supported for this device.

In this case FortiNAC will not be able to change the access VLAN through RADIUS after the host registers, since the host posture change will not trigger DM or CoA to terminate or establish a new auth session.

Additionally, the CLI configuration for "Registration" and "Quarantine" is set to "None". So when FNAC enforces isolation and the host is rogue, there will be no CLI config pushed to the switch in order to apply port/host based config.

You can do the following:

1. Use custom CLI configuration to apply VLAN changes: 

Doc: https://docs.fortinet.com/document/fortinac-f/7.6.0/administration-guide/367352/cli-configuration

Article: https://community.fortinet.com/t5/FortiNAC-F/Technical-Tip-Flex-CLI-configuration-not-applying-to-po...

2. See if the device modeling is not permanent and there is another OID where RADIUS DM/CoA is supported. 

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Options-for-devices-unable-to-be-modeled-in...

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Add-a-Device-in-Topology-Using-an-Existing-...

sx11