Hey, we have 2930F switches working well with FortiNAC. On the other hand, we have 6100s working on Aruba Central with these settings (screenshots) on FortiNAC, and they work well too. So device profiling rules and the rest are set. We put a 4100 in the location but have a problem. If we set no group memberships and set a VLAN manually, there is no problem, but when it is forced to register it does not get the VLAN. These are the FortiNAC settings:
And this is the 4100's configuration for port authentication (of course the RADIUS server is added in the config):
```
aaa authentication port-access dot1x authenticator
    enable
aaa authentication port-access mac-auth
    auth-method pap
    enable
interface 1/1/5
    no shutdown
    vlan access 1
    aaa authentication port-access auth-precedence mac-auth dot1x
    aaa authentication port-access dot1x authenticator
        cached-reauth
        quiet-period 10
        reauth
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        quiet-period 10
        reauth
        enable
```
Based on the behavior, this seems like an integration issue for this particular switch. Is it correctly modeled by FortiNAC, or is a similar model chosen to model it?
Can you extract and share the OID of this switch?
If the switch is not currently supported you can refer to this article and open a ticket with TAC support.
1.3.6.1.4.1.47196. We already have the same switch and it works on NAC with the same configuration. But this one does not.
This OID value stops at the vendor part; the full OID of the device model can be extracted by running an SNMP walk command from the FortiNAC CLI like:
> snmpwalk -v2c -c 'yyy' x.x.x.x system
(where x.x.x.x should be replaced with the switch IP and yyy with the community name)
If another switch of the same model/OID is working normally, then check the configuration and verify that both CLI and SNMP credentials are validated for the affected switch. The registration VLAN (115) should be pre-configured in the switch.
You can also run a packet capture to check the RADIUS communication between FortiNAC and the switch in real time by using the following command:
> tcpdump host x.x.x.x and port 1812 -nnv
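As an added diagnostic example (not code from the thread or from FortiNAC), this Python script parses a RADIUS Access-Accept of the kind the capture above would show and reports whether the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes that carry the registration VLAN are present. The sample packet is constructed with a zeroed authenticator; the function names are the example's own.

```python
import struct

# RADIUS attribute numbers (RFC 2865 / RFC 2868) and the Access-Accept code
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT = 2


def tunnel_value(raw: bytes) -> bytes:
    # RFC 2868: a leading byte in 0x00..0x1F is a tag, not part of the value
    return raw[1:] if raw and raw[0] <= 0x1F else raw


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into its code, identifier and attribute map."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("truncated or malformed RADIUS packet")
    attrs, offset = {}, 20  # 4-byte header + 16-byte authenticator
    while offset < length:
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > length:
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = packet[offset + 2 : offset + alen]
        offset += alen
    return {"code": code, "id": ident, "attrs": attrs}


def assigned_vlan(packet: bytes):
    """Return the VLAN name/id in an Access-Accept, or None if the switch
    would not be told to move the port (missing or inconsistent attributes)."""
    parsed = parse_radius(packet)
    if parsed["code"] != ACCESS_ACCEPT:
        return None
    attrs = parsed["attrs"]
    ttype = int.from_bytes(tunnel_value(attrs.get(TUNNEL_TYPE, b"")), "big")
    tmed = int.from_bytes(tunnel_value(attrs.get(TUNNEL_MEDIUM_TYPE, b"")), "big")
    if ttype != 13 or tmed != 6:  # 13 = VLAN, 6 = IEEE-802
        return None
    return tunnel_value(attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")).decode() or None


def build_access_accept(vlan: str, with_vlan: bool = True) -> bytes:
    """Constructed sample Access-Accept (zero authenticator, tag 0 on tunnel AVPs)."""
    avps = [] if not with_vlan else [
        (TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan.encode()),
    ]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + b"\x00" * 16 + body
```

An Access-Accept with no VLAN attributes, or an Access-Reject, yields None; that is the case to look for when a registered host stays in VLAN 1.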
Hello @barisben ,
Are the SWs on the same firmware version?
Also, I would check the SNMP string and Admin CLI privileges. You should provide RW access and full administrative rights.
BR
In the device model picture you have shared, there is an informational message stating that "DM or CoA" are not supported for this device.
In this case FortiNAC will not be able to change the access vlan through RADIUS after the host registers since the host posture change will not trigger DM or CoA to terminate or establish new auth session.
Additionally, the CLI configuration for "Registration" and "Quarantine" is set to "None". So when FNAC enforces isolation and the host is rogue, no CLI config will be pushed to the switch to apply a port/host based configuration.
You can do the following:
1. Use custom CLI configuration to apply VLAN changes:
Doc: https://docs.fortinet.com/document/fortinac-f/7.6.0/administration-guide/367352/cli-configuration
2. See if the device modeling is not permanent and there is another OID where RADIUS DM/CoA is supported.