Description |
This article describes a behavior observed when FortiNAC's Local RADIUS service returns Downloadable ACLs (DACLs) in a RADIUS Access-Accept to a Cisco switch port and the resulting packet grows too large to be delivered intact. |
Scope | Version: 9.x, F7.2. |
Solution |
FortiNAC's Local RADIUS service can apply DACLs to a switch port by returning the Cisco-AVPair vendor-specific attribute (RADIUS attribute 26, Vendor ID 9, vendor attribute 1) in the Access-Accept. Each DACL entry is one Response Value of that attribute, so one Cisco-AVPair VSA is sent per access control entry (ACE), and every VSA carries 8 bytes of RADIUS and vendor header in addition to the ACE string itself. FortiNAC does not limit the number of Response Values or the size of the DACL added, so the Access-Accept grows with every entry.
Packet capture example (decoded Access-Accept, last attribute truncated):
  Vendor-Specific Attribute (26), length: 45, Value: Vendor: Cisco (9)
    Vendor Attribute: 1, Length: 37, Value: ip:inacl#27-permit tcp any eq 443 any
  Vendor-Specific Attribute (26), length: 45, Value: Vendor: Cisco (9)
    Vendor Attribute: 1, Length: 37, Value: ip:inacl#28-permit tcp any any eq 443
  Vendor-Specific Attribute (26), length: 31 (bogus, goes past end of packet) <-- declared length runs past the end of the captured packet
When the Access-Accept exceeds the size the switch can receive, the attribute list is cut off: the decoder flags the last attribute as running past the end of the packet, and the entries after the cut never reach the switch, so not all of the DACLs are applied to the port.
Workaround: Limit the number and size of DACL entries added to the attribute so that the resulting packet, including the Ethernet, IP, UDP and RADIUS headers, does not exceed 1518 bytes (the maximum size of a standard Ethernet frame). Budget each entry as its string length plus 8 bytes of VSA overhead, and remember that any other attributes in the Access-Accept (Class, Message-Authenticator, and so on) count against the same limit. |
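The following script is an added example, not FortiNAC or Fortinet code, that puts numbers on the workaround above. It encodes DACL entries as Cisco-AVPair VSAs exactly as they appear on the wire, computes the frame size of the Access-Accept, reports how many entries fit under the 1518-byte limit, and then cuts the attribute section at that limit and decodes it the way the packet decoder above did, to show how many entries survive. Assumptions: an untagged Ethernet II frame with 4-byte FCS, IPv4 without options and UDP (46 bytes of lower-layer overhead), the 1518-byte figure from this article taken as the on-the-wire frame size, Cisco's documented entry syntax ip:inacl#<seq>=<ACE>, and a constructed sample DACL of 60 entries; the function names are the example's own.

```python
"""Size check for Cisco DACLs carried as Cisco-AVPair VSAs in a RADIUS Access-Accept.

Added example, not FortiNAC or Fortinet code. Assumptions: untagged Ethernet II
frame with FCS, IPv4 without options, UDP, and the article's 1518-byte figure
taken as the on-the-wire frame size.
"""
import struct

VSA_TYPE = 26                       # RADIUS Vendor-Specific attribute (RFC 2865 5.26)
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                    # vendor attribute number of Cisco-AVPair

MAX_FRAME = 1518                    # limit stated in the article
FRAME_OVERHEAD = 14 + 4 + 20 + 8    # Ethernet header + FCS + IPv4 + UDP (assumption)
RADIUS_HEADER = 20                  # code, identifier, length, 16-byte authenticator


def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a complete VSA (outer header + vendor header)."""
    data = value.encode("ascii")
    vendor_len = 2 + len(data)          # vendor type + vendor length + string
    outer_len = 2 + 4 + vendor_len      # type + length + 4-byte vendor ID + vendor part
    if outer_len > 255:
        raise ValueError("Cisco-AVPair too long: a RADIUS attribute is at most 255 bytes")
    return struct.pack("!BBIBB", VSA_TYPE, outer_len, CISCO_VENDOR_ID,
                       CISCO_AVPAIR, vendor_len) + data


def dacl_avpairs(aces, start=1):
    """Number the ACEs in Cisco's documented form: ip:inacl#<seq>=<ACE>."""
    return [f"ip:inacl#{seq}={ace}" for seq, ace in enumerate(aces, start)]


def frame_size(avpairs, other_attr_bytes=0):
    """Bytes on the wire for an Access-Accept carrying these AVPairs plus any other
    attributes (Class, Message-Authenticator, ...) of known total encoded size."""
    attrs = sum(len(cisco_avpair(v)) for v in avpairs) + other_attr_bytes
    return FRAME_OVERHEAD + RADIUS_HEADER + attrs


def fits_on_the_wire(avpairs, other_attr_bytes=0):
    return frame_size(avpairs, other_attr_bytes) <= MAX_FRAME


def max_entries_within_limit(avpairs, other_attr_bytes=0):
    """How many leading AVPairs can be sent before the frame exceeds MAX_FRAME."""
    budget = MAX_FRAME - FRAME_OVERHEAD - RADIUS_HEADER - other_attr_bytes
    used = n = 0
    for v in avpairs:
        size = len(cisco_avpair(v))
        if used + size > budget:
            break
        used += size
        n += 1
    return n


def parse_cisco_avpairs(attrs: bytes):
    """Walk a RADIUS attribute section like a packet decoder. Returns the AVPair
    strings that are completely present and the offset of the first attribute whose
    declared length runs past the end of the data (None if every attribute is whole)."""
    pos, found = 0, []
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            return found, pos
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return found, pos               # "bogus, goes past end of packet"
        if atype == VSA_TYPE and alen >= 8:
            vendor = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            if vendor == CISCO_VENDOR_ID and attrs[pos + 6] == CISCO_AVPAIR:
                vlen = attrs[pos + 7]
                found.append(attrs[pos + 8:pos + 6 + vlen].decode("ascii", "replace"))
        pos += alen
    return found, None


def simulate_truncated_capture(avpairs, other_attr_bytes=0):
    """Cut the attribute section at the frame budget and decode what survives."""
    attrs = b"".join(cisco_avpair(v) for v in avpairs)
    budget = MAX_FRAME - FRAME_OVERHEAD - RADIUS_HEADER - other_attr_bytes
    return parse_cisco_avpairs(attrs[:budget])


# Constructed sample DACL: 60 ACEs, far more than fits in one frame.
SAMPLE_ACES = [f"permit tcp any host 10.0.0.{i} eq 443" for i in range(1, 61)]

if __name__ == "__main__":
    pairs = dacl_avpairs(SAMPLE_ACES)
    print("frame size with all entries:", frame_size(pairs), "bytes")
    print("entries that fit under", MAX_FRAME, "bytes:", max_entries_within_limit(pairs))
    decoded, cut = simulate_truncated_capture(pairs)
    print("decoder recovers", len(decoded), "entries; truncated attribute at offset", cut)
```

The encoder reproduces the 45-byte VSAs seen in the capture above (a 37-character value plus 8 bytes of headers). Pass the encoded size of the other attributes FortiNAC returns in the same Access-Accept as other_attr_bytes, since they shrink the budget available for DACL entries; a run on the sample shows that only 26 of the 60 entries survive the cut, which is the behaviour the article describes.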
Copyright 2024 Fortinet, Inc. All Rights Reserved.