Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
barisben
New Contributor

Created on ‎09-23-2024 11:57 PM

FortiNAC with Aruba 4100 Problem

Hey, we have 2930F Switches and working well with FortiNAC. On the other hand, we have 6100s working on Aruba Central with these settings (screenshots) on FortiNAC and working well too. So device profiling rules and others are set. We put 4100 to the location but have a problem. If we set none group memberships and set a manually vlan then no problem but when force to register then not getting vlan. This is the FortiNAC settings;

 

Screenshot_15.png

 

Screenshot_16.png

 

And this is the 4100's configuration for port authentication (ofc radius server added in the config);

 

aaa authentication port-access dot1x authenticator
    enable
aaa authentication port-access mac-auth
    auth-method pap
    enable
interface 1/1/5
    no shutdown
    vlan access 1
    aaa authentication port-access auth-precedence mac-auth dot1x
    aaa authentication port-access dot1x authenticator
        cached-reauth
        quiet-period 10
        reauth
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        quiet-period 10
        reauth
        enable

 

Labels:
488
0 Kudos
5 REPLIES 5
ebilcari
Staff
Staff

Created on ‎09-24-2024 03:15 AM

Based on the behavior this seems like an integration issue for this particular switch. Is it correctly modeled by FortiNAC or a similar model is chosen to model it?

Can you extract and share the OID of this switch?

If the switch is not currently supported you can refer to this article and open a ticket with TAC support.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
449
barisben
New Contributor
In response to ebilcari

Created on ‎09-24-2024 03:47 AM

1.3.6.1.4.1.47196. We have already same switch and it works on NAC with the same configurations. But this one is not.

446
0 Kudos
ebilcari
Staff
Staff
In response to barisben

Created on ‎09-24-2024 08:27 AM

This OID value is stopping at the vendor part, the full OID of the device model can be extracted by running a SNMP walk command from FortiNAC CLI like:

> snmpwalk -v2c -c 'yyy' x.x.x.x system

*where x.x.x.x should be replaced with SW IP, yyy with the community name

 

If another switch from the same model/OID is working normally than check the configurations and verify that both CLI and SNMP credentials are validated for the affected switch. The registration VLAN (115) should be pre configured in the switch.

 

You can also run a packet capture to check the RADIUS communication between FortiNAC and the switch in real time by using the following command:

> tcpdump host x.x.x.x and port 1812 -nnv

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
418
ndumaj
Staff
Staff
In response to barisben

Created on ‎09-25-2024 12:47 AM

Hello @barisben ,

Are the SWs on the same firmware version?
Also, I would check the SNMP string and Admin CLI privileges. You should provide RW access and full administrative rights.

BR

- Happy to help, hit like and accept the solution -
368
Hatibi
Staff
Staff

Created on ‎09-26-2024 07:08 AM Edited on ‎09-26-2024 07:21 AM

In your device model picture you have shared, there is a informational message that states "DM or CoA" are not supported for this device.

 

In this case FortiNAC will not be able to change the access vlan through RADIUS after the host registers since the host posture change will not trigger DM or CoA to terminate or establish new auth session.

 

Additionally the CLI configuration for "Registration" and "Quarantine" is set to "None". So when FNAC enforces isolation and host is rogue there will be no CLI config pushed to the switch in order to apply port/host based config.

 

You can do the following:

1. Use custom CLI configuration to apply VLAN changes: 

Doc: https://docs.fortinet.com/document/fortinac-f/7.6.0/administration-guide/367352/cli-configuration

Article: https://community.fortinet.com/t5/FortiNAC-F/Technical-Tip-Flex-CLI-configuration-not-applying-to-po...

 

2. See if the device modeling is not permanent and there is another OID where RADIUS DM/CoA is supported. 

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Options-for-devices-unable-to-be-modeled-in...

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Add-a-Device-in-Topology-Using-an-Existing-...

 

329
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.