mkpotlapelli
Staff
Article Id 192126
Description
This article describes troubleshooting steps for the case where FortiSwitch does not move a client to the dynamically assigned VLAN even though the configuration is correct and ClearPass is sending the VLAN ID in the RADIUS return attributes.

Fortinet Documentation
https://docs.fortinet.com/product/fortiswitch/6.4

Page 255, 'Dynamic VLAN assignment': https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/a7c76c1d-754c-11ea-9384-005056...

Solution
Refer to the documentation and configure RADIUS authentication with dynamic VLAN assignment.
- Once 802.1X is configured successfully, test with a client and check the port status:
# diagnose switch 802-1x status

   port47: Mode: port-based (mac-by-pass disable)
           Link: Link up
           Port State: authorized: (  )
           Dynamic Authorized Vlan : 0
           EAP pass-through mode : Enable
           Quarantine VLAN (4093) detection : Enable
           Native Vlan : 1
           Allowed Vlan list:
           Untagged Vlan list: 4093
           Guest VLAN :
           Auth-Fail Vlan :

           Sessions info:
           c8:5b:76:ef:65:c7     Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=9 params:reAuth=3600
The client is successfully authenticated, but 'Dynamic Authorized Vlan' shows 0 even though the ClearPass RADIUS server is sending the dynamically assigned VLAN in the RADIUS Access-Accept message.

Resolution:
1) On the ClearPass server, export the attributes file (RadiusDictionary.xml) from Administration > Dictionaries > Radius > IETF.
2) In the following attributes, replace extraData="has_tag" at the end of the line with extraData=" " and save the file.

Tunnel-Private-Group-Id
Tunnel-Type
Tunnel-Medium-Type

For example:
=================================================================================================================
<Attribute profile="in out" type="String" name="Tunnel-Private-Group-Id" id="81" extraData="has_tag"/>
<Attribute profile="in out" type="Unsigned32" name="Tunnel-Type" id="64" extraData="has_tag"/>
<Attribute profile="in out" type="Unsigned32" name="Tunnel-Medium-Type" id="65" extraData="has_tag"/>

At the end of each line, replace extraData="has_tag" with extraData=" ":

<Attribute profile="in out" type="String" name="Tunnel-Private-Group-Id" id="81" extraData=" "/>
<Attribute profile="in out" type="Unsigned32" name="Tunnel-Type" id="64" extraData=" "/>
<Attribute profile="in out" type="Unsigned32" name="Tunnel-Medium-Type" id="65" extraData=" "/>
=================================================================================================================
3) Upload the updated attributes file (RadiusDictionary.xml) to ClearPass and re-test the client.
The Dynamic Authorized VLAN is now pushed correctly and the client is moved to its assigned VLAN:
# diag switch 802-1x status

port47: Mode: port-based (mac-by-pass disable)
Link: Link up
Port State: authorized: ( )
Dynamic Authorized Vlan : 99
EAP pass-through mode : Enable
Quarantine VLAN (4093) detection : Enable
Native Vlan : 99
Allowed Vlan list:
Untagged Vlan list: 4093
Guest VLAN :
Auth-Fail Vlan :

Sessions info:
c8:5b:76:ef:65:c7 Type=802.1x,TLS,state=AUTHENTICATED,etime=4,eap_cnt=9 params:reAuth=3600
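As an added example (not from this article, nor Fortinet or ClearPass code), the following Python decodes the RFC 2868 tunnel attributes of an Access-Accept both with and without the optional tag octet, which is a useful check when the switch shows VLAN 0 despite a correct policy. It assumes, which the article does not state, that the has_tag dictionary flag makes ClearPass prepend a tag octet to these three attributes, so a NAS that does not strip the tag sees Tunnel-Type 0x0100000D instead of 13 and the string "\x0199" instead of "99"; the attribute bytes are constructed here, not captured.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6   # Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802

def build_avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def tunnel_avps(vlan: int, tag: int = 0) -> bytes:
    """Constructed attribute list for a dynamic VLAN. tag=0 is the untagged
    form; tag=1 mimics what the has_tag flag is assumed to produce."""
    int_prefix = bytes([tag])                  # integer attrs always carry a tag octet (0 = unused)
    str_prefix = bytes([tag]) if tag else b""  # string attr carries the tag octet only when tagged
    return (build_avp(TUNNEL_TYPE, int_prefix + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + build_avp(TUNNEL_MEDIUM_TYPE, int_prefix + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + build_avp(TUNNEL_PRIVATE_GROUP_ID, str_prefix + str(vlan).encode()))

def parse_avps(data: bytes) -> dict:
    """Split a raw RADIUS attribute list into {type: value}, rejecting bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def dynamic_vlan(avps: bytes, strip_tag: bool = True):
    """Return the VLAN ID a NAS would derive from the Access-Accept, or None.
    strip_tag=False models a NAS that does not understand RFC 2868 tagging."""
    attrs = parse_avps(avps)
    ttype = attrs.get(TUNNEL_TYPE, b"")
    medium = attrs.get(TUNNEL_MEDIUM_TYPE, b"")
    gid = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if len(ttype) != 4 or len(medium) != 4 or not gid:
        return None
    if strip_tag:
        ttype, medium = ttype[1:], medium[1:]          # drop the tag octet
        if 0x01 <= gid[0] <= 0x1F:                     # RFC 2868: leading 0x01..0x1F is a tag
            gid = gid[1:]
    if int.from_bytes(ttype, "big") != TUNNEL_TYPE_VLAN or int.from_bytes(medium, "big") != MEDIUM_IEEE_802:
        return None                                    # not recognised as a VLAN assignment
    if not gid.isdigit():
        return None                                    # e.g. b"\x0199" when the tag is left in place
    vlan = int(gid)
    return vlan if 1 <= vlan <= 4094 else None
```

Running dynamic_vlan(tunnel_avps(99, tag=1), strip_tag=False) returns None while the untagged form returns 99, which matches the symptom the article describes; a packet capture of the real Access-Accept can be fed to dynamic_vlan the same way.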
