All,
I am facing an issue with my Dynamic VLAN + 802.1x setup on a FortiWifi 60-E whereby the client is never actually assigned to the intended VLAN.
They are authenticating all OK and I can see from packet captures (and also on the external NAC server itself) that the RADIUS attributes are returned to the Forti unit all OK in the 'Access-Accept' reply as follows:
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "20"
VLAN 20 is configured as an interface (with DHCP) under the Dynamic SSID itself. So my expectation is that the client should be assigned an IP address from DHCP on this interface. From the client end they are never assigned an IP address and remain with a self-assigned IP.
Any ideas on how to proceed with troubleshooting?
Hi,
Tunnel-Private-Group-Id should contain the name of the interface that is configured with the given VLAN ID.
Example:
config wireless-controller vap
edit "wifi.fap.02"
set ssid "wifi-ssid.fap.02"
set security wpa2-only-enterprise
set auth radius
set radius-server "peap"
set schedule "always"
set dynamic-vlan enable <---------
next
end
----------------
config system interface
edit "wifi2-vlan100" <-----------
set vdom "vdom1"
set ip 10.100.80.1 255.255.255.0
set role lan
set snmp-index 28
set interface "wifi.fap.02"
set vlanid 100 <---------
next
end
-----------------
The RADIUS server should return wifi2-vlan100 as the value of the Tunnel-Private-Group-Id attribute.
Ahmad
Created on 05-04-2022 07:15 AM Edited on 05-04-2022 07:30 AM
Hi Ahmad,
Thank you for your reply. So I have changed the VLAN interface to be called '20', which now matches the Tunnel-Private-Group-Id attribute of '20'. Unfortunately I still have the same issue where I pass authentication all OK, but the client ends up with a self-assigned IP address.
Any other ideas please?
Please provide the output of these commands:
show wireless-controller vap
show system interface
Also, please run a packet capture on the FortiGate and capture the RADIUS server reply when the user authenticates on the wireless, and attach the capture file to the thread so we can check what is sent by the RADIUS server.
Ahmad
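Added example for this thread (not code from Fortinet or from either poster): a small decoder for the RADIUS Access-Accept that Ahmad asks to see in the capture. It pulls out Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id (RFC 2868 / RFC 3580), strips the optional RFC 2868 tag octet that some NAC servers prepend to Tunnel-Private-Group-Id (a leading byte of 0x00..0x1F, which would make the string on the wire differ from the "20" shown in the server's own UI), verifies the Response Authenticator against the shared secret so the reply can be trusted to come from the NAC, and then compares the returned string with the FortiGate VLAN interface names, which is the name-versus-ID mismatch described in the reply above. The packet, the shared secret, the request authenticator and the interface names below are all constructed for illustration; in real use, take the UDP payload of the Access-Accept and the Authenticator of the matching Access-Request from the capture.

```python
"""Decode the VLAN attributes in a RADIUS Access-Accept and compare them with
FortiGate VLAN interface names. Added example; all sample data is constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64              # RFC 2868
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868
TUNNEL_TYPE_VLAN = 13         # RFC 3580
TUNNEL_MEDIUM_IEEE802 = 6     # RFC 2868


def tunnel_int(value, tag=0):
    """Encode a tagged integer attribute: 1 tag octet + 3 value octets."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept with its Response Authenticator (RFC 2865 sec. 3)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def verify_response_authenticator(packet, request_auth, secret):
    """True if the reply was produced by a server holding the shared secret."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(payload):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    off = 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[off], payload[off + 1]
        if alen < 2 or off + alen > len(payload):
            raise ValueError("bad attribute length")
        yield atype, payload[off + 2:off + alen]
        off += alen


def split_tag(value):
    """RFC 2868: a leading octet of 0x00..0x1F is a tag; anything else is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def decode_vlan_assignment(packet):
    """Return the Tunnel-* attributes of an Access-Accept as a dict."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    res = {"tunnel_type": None, "medium": None, "group_id": None, "group_id_tag": None}
    for atype, value in parse_attributes(packet[20:length]):
        if atype == TUNNEL_TYPE:
            res["tunnel_type"] = int.from_bytes(split_tag(value)[1], "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            res["medium"] = int.from_bytes(split_tag(value)[1], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, data = split_tag(value)
            res["group_id_tag"] = tag
            res["group_id"] = data.decode("utf-8", "replace")
    return res


def check_against_interfaces(res, vlan_interfaces):
    """vlan_interfaces maps FortiGate interface name -> vlanid. Returns findings."""
    findings = []
    if res["tunnel_type"] != TUNNEL_TYPE_VLAN:
        findings.append(f"Tunnel-Type {res['tunnel_type']} != 13 (VLAN)")
    if res["medium"] != TUNNEL_MEDIUM_IEEE802:
        findings.append(f"Tunnel-Medium-Type {res['medium']} != 6 (IEEE-802)")
    gid = res["group_id"]
    if gid is None:
        findings.append("no Tunnel-Private-Group-Id in reply")
    elif gid in vlan_interfaces:
        findings.append(f"OK: '{gid}' matches interface with vlanid {vlan_interfaces[gid]}")
    else:
        by_id = [n for n, vid in vlan_interfaces.items() if str(vid) == gid]
        hint = f"; interface for VLAN {gid} is '{by_id[0]}'" if by_id else ""
        findings.append(f"'{gid}' matches no VLAN interface name{hint}")
    return findings


# Constructed sample: the three attributes from the original post, VLAN "20".
SAMPLE_ATTRS = [
    (TUNNEL_TYPE, tunnel_int(TUNNEL_TYPE_VLAN)),
    (TUNNEL_MEDIUM_TYPE, tunnel_int(TUNNEL_MEDIUM_IEEE802)),
    (TUNNEL_PRIVATE_GROUP_ID, b"20"),
]
REQUEST_AUTH = bytes(range(16))  # real check: Authenticator of the Access-Request
SECRET = b"testing123"           # hypothetical shared secret
INTERFACES = {"wifi2-vlan100": 100, "wifi-vlan20": 20}  # hypothetical names

if __name__ == "__main__":
    pkt = build_access_accept(0x2A, REQUEST_AUTH, SECRET, SAMPLE_ATTRS)
    print("authenticator ok:", verify_response_authenticator(pkt, REQUEST_AUTH, SECRET))
    for line in check_against_interfaces(decode_vlan_assignment(pkt), INTERFACES):
        print(line)
```

The script is meant to be run against the raw UDP payload extracted from the capture; it reports whether the returned string is an interface name or just the numeric VLAN ID, and whether the server has prefixed a tag octet that would stop the string matching the interface name even after the interface is renamed to '20'.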
Copyright 2024 Fortinet, Inc. All Rights Reserved.