Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK
SuperUser
SuperUser

Created on ‎01-11-2024 02:36 AM

FortiNAC with Huawei AC6508 WLC

Hello

We integrated Huawei AC6508 WLC with FortiNAC, using local RADIUS, but we facing some issue.

  • When we set Default Attribute Group to RFC_VLAN we notice in RADIUS logs that FortiNAC sends the right response to the WLC, however the WLC still asks the user to authenticate, like it the WLC didn't recognize the RADIUS response
  • When we set Default Attribute Group to None we notice that the WLC put the authenticated user in the default service VLAN, so it works

So I guess the that the predefined RFC_VLAN Attribute Group is not the good one to use with our WLC.

In the FortiNAC document "Huawei Controller Wireless Integration" guide they mentioned to leave the value "None" optionally, but in our case we need to include the target VLAN in the RADIUS response.

 

Any idea on what should be the attributes of the right Attribute Group to use?

AEK
AEK
Labels:
683
0 Kudos
8 REPLIES 8
ndumaj
Staff
Staff

Created on ‎01-12-2024 06:04 AM

Hi,

What is the FNAC firmware version?
What is the guide you have followed?
Please review this guide:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/51126d1c-4672-11ed-9d74-fa163e...

BR

- Happy to help, hit like and accept the solution -
654
AEK
SuperUser
SuperUser
In response to ndumaj

Created on ‎01-12-2024 06:19 AM

Hello

It is FortiNAC 9.2.8.

The guide I followed is the one you shared above.

AEK
AEK
650
0 Kudos
ndumaj
Staff
Staff

Created on ‎01-12-2024 06:53 AM

Hello,
I would review the WLC integration first.
This is the radius attribute that FNAC sends:
Radius Attribute.png

 

Why is the WLC complaining, is the WLC receiving this RFC?
There should be a log from WLC why is rejecting this RFC?
What does the WLC expect to have as a response?

BR

- Happy to help, hit like and accept the solution -
643
AEK
SuperUser
SuperUser
In response to ndumaj

Created on ‎01-12-2024 10:56 AM Edited on ‎01-14-2024 12:44 AM

Hi

Indeed these are the good questions.

Thanks for the hint.. I'll check and comeback.

AEK
AEK
635
0 Kudos
ndumaj
Staff
Staff

Created on ‎01-14-2024 12:08 AM

I guess the WLC log should provide more information to understand the issue.

BR

- Happy to help, hit like and accept the solution -
611
Sheikh
Staff
Staff

Created on ‎01-14-2024 11:07 AM

Hi,

 

A packet capture on both the FortiNAC and wireless controller, might also give some insight.

 

In addition to that, following debugs on FortiNAC would also give more details.

nacdebug -name RadiusManager true

nacdebug -name RadiusAccess true

 

go to the logs folder and tail the output.master file.

Don't forget to disable debugging after troubleshooting.

 

regards,

 

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
585
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎01-15-2024 06:34 AM

Hello

I found that the issue is in %ACCESS_VALUE%.

In fact the access value (Tunnel-Private-Group-ID) sent by FortiNAC's RADIUS to Huawei WLC is "VLAN 0015".

I tried to force force the Tunnel-Private-Group-ID to just "15" and it worked.

In model configuration FortiNAC lists the VLANs in this format: "VLAN 0015", so I guess it is sending this value as RADIUS response.

When FortiNAC reads the VLANs from the WLC, it takes the "VLAN name" as value, not VLAN ID, while on WLC I left the declared VLANs unnamed.

The default name "VLAN 00##" is shown by the WLC when there is no given name, then on VLAN assignment by FNAC's RADIUS, the same default name is not recognized by the WLC itself.

 

The solution was just to give a name to each VLAN.

Declaring the VLANs like this will not work "vlan batch 20 100 102". We must give a name to each VLAN in order to make it work. FortiNAC will use the assigned name as %ACCESS_VALUE" and WLC will recognize it.

AEK
AEK
542
ndumaj
Staff
Staff

Created on ‎01-15-2024 06:37 AM

Hello AEK,
Thank you for your update,
Definitely the WLC doesn't understand the "VLAN 00##" - VLANID format it prefers to have the VLAN only :)

GOOD job!
Well DONE!

- Happy to help, hit like and accept the solution -
539
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.