FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1
Staff
Article Id 266920
Description This article describes how to configure the Huawei switch RADIUS attribute NAS-Port-Id to be recognized by FortiNAC.
Scope FortiNAC
Solution

By default, the Huawei switch sends the RADIUS attribute NAS-Port-Id in the format below, which FortiNAC does not recognize:

 

NAS-Port-Id = [slot=0;subslot=0;port=6;vlanid=69;interfaceName=GigabitEthernet0/0/6] (RadAttr Type=string) (FortiNAC does not correctly map the device to the interface.)


To fix this issue, modify the configuration on the Huawei switch so that it sends the NAS-Port-Id in the correct format, as shown below:


NAS-Port-Id = [GigabitEthernet0/0/4] (RadAttr Type=string) (Correct RADIUS format)

 

The Huawei switch config should look like this:

 

radius-server template rd1
radius-server shared-key cipher password
radius-server authentication 192.168.x.x 1812 weight 80
radius-server accounting 192.168.x.x 1813 weight 80
radius-server nas-port-id-format vendor 9 <==
calling-station-id mac-format colon-split mode2
return

 

In specific cases, such as the S5731 or other similar models, two additional commands need to be added to the switch config:

 

radius-server attribute translate
radius-attribute disable NAS-Port send

 

This is because this model sends another RADIUS attribute during authentication, [NAS-Port = [177128] (RadAttr Type=integer)], which does not contain any valid information that FortiNAC can use. This results in the policy being applied in the wrong location.
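
To verify the change, the attributes of a captured request can be checked against the two formats quoted above. The following Python script is an added example, not part of the original article or any Fortinet tooling; the function name, the interface-name pattern and the sample lines (constructed from the values shown in this article) are assumptions.

```python
import re

# Matches attribute lines in the form quoted in this article, e.g.
#   NAS-Port-Id = [GigabitEthernet0/0/4] (RadAttr Type=string)
ATTR_RE = re.compile(r"(NAS-Port-Id|NAS-Port)\s*=\s*\[([^\]]*)\]")
# Assumption: a bare interface name is letters/hyphens followed by
# slash-separated numbers, e.g. GigabitEthernet0/0/4.
IFNAME_RE = re.compile(r"^[A-Za-z][A-Za-z-]*\d+(/\d+)*$")

def check_request(lines):
    """Return (interface_name_or_None, findings) for one request's attribute lines."""
    iface, findings, seen_id = None, [], False
    for line in lines:
        m = ATTR_RE.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name == "NAS-Port":
            # The integer attribute that some models send in addition.
            findings.append("NAS-Port integer attribute is still sent: " + value)
            continue
        seen_id = True
        if IFNAME_RE.match(value):
            iface = value
        elif "=" in value:
            # Default Huawei layout: semicolon-separated key=value pairs.
            fields = dict(p.split("=", 1) for p in value.split(";") if "=" in p)
            findings.append("NAS-Port-Id uses the default key=value format "
                            "(interfaceName=" + fields.get("interfaceName", "?") + ")")
        else:
            findings.append("NAS-Port-Id has an unexpected value: " + value)
    if not seen_id:
        findings.append("no NAS-Port-Id attribute found")
    return iface, findings

# Constructed sample input, built from the attribute values quoted in the article.
BEFORE = [
    "NAS-Port-Id = [slot=0;subslot=0;port=6;vlanid=69;"
    "interfaceName=GigabitEthernet0/0/6] (RadAttr Type=string)",
    "NAS-Port = [177128] (RadAttr Type=integer)",
]
AFTER = ["NAS-Port-Id = [GigabitEthernet0/0/4] (RadAttr Type=string)"]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, check_request(sample))
```

An empty findings list together with a returned interface name means the request carries only the bare interface name in NAS-Port-Id.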