Hello
We integrated a Huawei AC6508 WLC with FortiNAC, using local RADIUS, but we are facing some issues.
So I guess that the predefined RFC_VLAN Attribute Group is not the right one to use with our WLC.
In the FortiNAC document "Huawei Controller Wireless Integration" guide they mentioned to leave the value "None" optionally, but in our case we need to include the target VLAN in the RADIUS response.
Any idea on what should be the attributes of the right Attribute Group to use?
Hi,
What is the FNAC firmware version?
What is the guide you have followed?
Please review this guide:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/51126d1c-4672-11ed-9d74-fa163e...
BR
Hello
It is FortiNAC 9.2.8.
The guide I followed is the one you shared above.
Hello,
I would review the WLC integration first.
This is the RADIUS attribute that FNAC sends:
Why is the WLC complaining? Is the WLC receiving this RFC?
There should be a log from the WLC showing why it is rejecting this RFC.
What does the WLC expect to have as a response?
BR
Hi
Indeed these are the good questions.
Thanks for the hint. I'll check and come back.
I guess the WLC log should provide more information to understand the issue.
BR
Hi,
A packet capture on both the FortiNAC and the wireless controller might also give some insight.
In addition to that, the following debugs on FortiNAC would also give more details.
nacdebug -name RadiusManager true
nacdebug -name RadiusAccess true
Go to the logs folder and tail the output.master file.
Don't forget to disable debugging after troubleshooting.
regards,
Sheikh
Hello
I found that the issue is in %ACCESS_VALUE%.
In fact the access value (Tunnel-Private-Group-ID) sent by FortiNAC's RADIUS to Huawei WLC is "VLAN 0015".
I tried to force the Tunnel-Private-Group-ID to just "15" and it worked.
In model configuration FortiNAC lists the VLANs in this format: "VLAN 0015", so I guess it is sending this value as RADIUS response.
When FortiNAC reads the VLANs from the WLC, it takes the "VLAN name" as value, not VLAN ID, while on WLC I left the declared VLANs unnamed.
The default name "VLAN 00##" is shown by the WLC when there is no given name, then on VLAN assignment by FNAC's RADIUS, the same default name is not recognized by the WLC itself.
The solution was just to give a name to each VLAN.
Declaring the VLANs like this will not work: "vlan batch 20 100 102". We must give a name to each VLAN in order to make it work. FortiNAC will use the assigned name as %ACCESS_VALUE% and the WLC will recognize it.
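As an added example (not part of the original thread, and not Fortinet or Huawei code): a small Python check that can be run against the bytes of an Access-Accept taken from a packet capture, to see which Tunnel-Private-Group-ID value is actually sent. The sample packets are constructed here, and the rule that a non-numeric value must match a VLAN name on the WLC is an assumption taken from the findings above.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81   # RFC 2868 attribute types

def build_accept(vlan_value: str) -> bytes:
    """Constructed sample Access-Accept carrying RFC 3580 VLAN attributes."""
    def attr(t, v):
        return bytes([t, len(v) + 2]) + v
    attrs = (attr(TUNNEL_TYPE, struct.pack("!I", 13))      # tag 0x00 + VLAN (13)
             + attr(TUNNEL_MEDIUM, struct.pack("!I", 6))   # tag 0x00 + IEEE-802 (6)
             + attr(TUNNEL_PGID, vlan_value.encode()))
    return struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(attrs), bytes(16)) + attrs

def parse_attrs(packet: bytes):
    """Return (code, [(type, value), ...]); reject truncated or malformed packets."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos, attrs = 20, []
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, attrs

def check_vlan_assignment(packet: bytes):
    """Return (Tunnel-Private-Group-ID string, list of problems found)."""
    code, attrs = parse_attrs(packet)
    first = {}
    for t, v in attrs:
        first.setdefault(t, v)          # only the first tunnel is inspected
    problems = []
    if code != ACCESS_ACCEPT:
        problems.append("not an Access-Accept")
    if int.from_bytes(first.get(TUNNEL_TYPE, b"")[1:], "big") != 13:
        problems.append("Tunnel-Type is not VLAN (13)")
    if int.from_bytes(first.get(TUNNEL_MEDIUM, b"")[1:], "big") != 6:
        problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
    raw = first.get(TUNNEL_PGID, b"")
    if raw and raw[0] <= 0x1F:          # leading octet <= 0x1F is a tag, not text
        raw = raw[1:]
    value = raw.decode("utf-8", "replace")
    if not value:
        problems.append("Tunnel-Private-Group-ID missing")
    elif not (value.isascii() and value.isdigit() and 1 <= int(value) <= 4094):
        problems.append(f"{value!r} is not a VLAN ID; the WLC needs a VLAN with this exact name")
    return value, problems
```

A value flagged by the last check is not necessarily wrong, but it only works if the controller has a VLAN configured with that exact name.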
Hello AEK,
Thank you for your update,
Definitely the WLC doesn't understand the "VLAN 00##" - VLANID format; it prefers to have the VLAN only :)
GOOD job!
Well DONE!
Copyright 2024 Fortinet, Inc. All Rights Reserved.