Support Forum
bfcs
New Contributor

FortiWifi 60-E + Dynamic VLAN with 802.1x

All,

I am facing an issue with my Dynamic VLAN + 802.1x setup on a FortiWifi 60-E whereby the client is never actually assigned to the intended VLAN.

They are authenticating all OK and I can see from packet captures (and also on the external NAC server itself) that the RADIUS attributes are returned to the Forti unit all OK in the 'Access-Accept' reply as follows:

Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "20"

VLAN 20 is configured as an interface (with DHCP) under the Dynamic SSID itself. So my expectation is that the client should be assigned an IP address from DHCP on this interface. From the client end they are never assigned an IP address and remain with a self-assigned IP.

Any ideas on how to proceed with troubleshooting?

aahmadzada
Staff

Hi,

Tunnel-Private-Group-Id should contain the name of the interface that is configured with the given VLAN ID.
Example:

config wireless-controller vap
    edit "wifi.fap.02"
        set ssid "wifi-ssid.fap.02"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "peap"
        set schedule "always"
        set dynamic-vlan enable <---------
    next
end
----------------
config system interface
    edit "wifi2-vlan100" <-----------
        set vdom "vdom1"
        set ip 10.100.80.1 255.255.255.0
        set role lan
        set snmp-index 28
        set interface "wifi.fap.02"
        set vlanid 100 <---------
    next
end
-----------------

The RADIUS server should return wifi2-vlan100 as the value of the Tunnel-Private-Group-Id attribute.

Ahmad
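As an added example that is not part of the thread, a Python check for the mismatch discussed above: it decodes the RFC 2868 Tunnel-* attributes from a captured Access-Accept (including the optional leading tag byte) and verifies that Tunnel-Private-Group-Id names a VLAN interface parented to the dynamic-VLAN SSID. The attribute numbers and tag handling follow RFC 2868; the sample config text and AVP bytes are constructed, not taken from the poster's setup.

```python
import re
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP_ID = 64, 65, 81  # RFC 2868 attribute numbers
VLAN, IEEE_802 = 13, 6  # Tunnel-Type VLAN and Tunnel-Medium-Type IEEE-802 values

def decode_tunnel_attrs(avps):
    """avps: list of (attribute_type, value_bytes). Integer tunnel attributes are 1 tag
    byte + 3 value bytes; the group id's first byte is a tag only if it is in 0x00..0x1F."""
    out = {}
    for atype, raw in avps:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM):
            out[atype] = struct.unpack("!I", b"\x00" + raw[1:4])[0]
        elif atype == TUNNEL_GROUP_ID:
            out[atype] = (raw[1:] if raw and raw[0] <= 0x1F else raw).decode("ascii")
    return out

def parse_vlan_interfaces(config):
    """Return {name: (parent_interface, vlanid)} for each VLAN entry in FortiOS config text."""
    vlans = {}
    for m in re.finditer(r'edit "([^"]+)"(.*?)\n\s*next', config, re.S):
        parent = re.search(r'set interface "([^"]+)"', m.group(2))
        vlanid = re.search(r'set vlanid (\d+)', m.group(2))
        if parent and vlanid:
            vlans[m.group(1)] = (parent.group(1), int(vlanid.group(1)))
    return vlans

def check_dynamic_vlan(avps, config, ssid_vap):
    """(ok, reason): does the returned group id name a VLAN interface on this SSID?"""
    t = decode_tunnel_attrs(avps)
    if (t.get(TUNNEL_TYPE), t.get(TUNNEL_MEDIUM)) != (VLAN, IEEE_802):
        return False, "Tunnel-Type/Tunnel-Medium-Type are not VLAN/IEEE-802"
    gid, vlans = t.get(TUNNEL_GROUP_ID), parse_vlan_interfaces(config)
    if gid not in vlans:  # the thread's failure mode: a VLAN number instead of the interface name
        by_id = [n for n, (p, v) in vlans.items() if p == ssid_vap and str(v) == gid]
        hint = f"; interface {by_id[0]!r} has vlanid {gid}" if by_id else ""
        return False, f"no interface named {gid!r}{hint}"
    parent, vid = vlans[gid]
    if parent != ssid_vap:
        return False, f"{gid!r} is a VLAN on {parent!r}, not on SSID {ssid_vap!r}"
    return True, f"client mapped to {gid!r} (vlanid {vid})"

# Constructed sample data: the VLAN interface from the reply above and two Access-Accepts.
SAMPLE_CONFIG = '''config system interface
    edit "wifi2-vlan100"
        set interface "wifi.fap.02"
        set vlanid 100
    next
end'''
GOOD_AVPS = [(64, b"\x01\x00\x00\x0d"), (65, b"\x01\x00\x00\x06"), (81, b"\x01wifi2-vlan100")]
BAD_AVPS = [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"100")]
```

Feed it the AVPs from the Access-Accept in your capture and the `show system interface` output; the BAD_AVPS case reproduces the "VLAN number instead of interface name" situation from this thread.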
bfcs

Hi Ahmad,

Thank you for your reply. So I have changed the VLAN interface to be called '20', which now matches the Tunnel-Private-Group-Id attribute of '20'. Unfortunately I still have the same issue where I pass authentication all OK, but get a self-assigned IP address on the client.

Any other ideas please?

aahmadzada
Staff

Please provide the output of these commands:

show wireless-controller vap
show system interface

Also, please run the packet capture on the FortiGate and capture the RADIUS server reply when the user authenticates on the wireless, then attach the capture file to the thread so we can check what is sent by the RADIUS server.

Ahmad