FortiSwitch
magarwal
Staff
Article Id 282100
Description

This article describes troubleshooting steps for when FortiSwitch does not move a client to its dynamically assigned VLAN even though the configuration is correct and the RADIUS server is sending the VLAN ID in the RADIUS attribute.

Scope

All versions of FortiSwitch, third-party RADIUS servers (Cisco ISE is used as an example).
Solution

Start by taking packet captures on the FortiSwitch end. Use them to validate whether the correct VLAN is present in the Access-Accept message, and check the 802.1X status on the port.

diag sniffer packet any 'host <radius server IP> and (port 1812 or 1813)' 6 0 a

[Screenshot 2023-10-31 161612.png: packet capture of the RADIUS Access-Accept on the FortiSwitch side]

diag switch 802-1x status

port6 : Mode: port-based (mac-by-pass disable)
Link: Link up
Port State: authorized: ( )
Dynamic Authorized Vlan : 0
Dynamic Allowed Vlan list:
Dynamic Untagged Vlan list:
EAP pass-through : Enable
EAP egress-frame-tagged : Enable
EAP auto-untagged-vlans : Enable
Allow MAC Move From : Disable
Dynamic Access Control List : Disable
Quarantine VLAN (4093) detection : Enable
Native Vlan : 16
Allowed Vlan list: 1,16,20,51,4092-4093
Untagged Vlan list: 4093
Guest VLAN
Auth-Fail Vlan :
AuthServer-Timeout Vlan :

Sessions info:
2c:9f:e1:8c Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=31 params:reAuth=3600


In the above output, the Dynamic Authorized Vlan is 0 even though the correct VLAN (13) is sent in the RADIUS Access-Accept message. This was validated in the packet captures on the FortiSwitch side.


Additionally, it can be seen that the tag value is 0x01, i.e. 1 (refer to the packet capture screenshot above).

Make sure that the tag value set on the server end is 0 (0x00), as FortiSwitches do not support tag parsing.
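To make the tag-octet point concrete, here is an added example (not Fortinet's, Cisco's, or this article's own code) that decodes the RFC 2868 tunnel attributes in a RADIUS Access-Accept and reports any non-zero tag, which is the condition the Dynamic Authorized Vlan output above reveals. The attribute layouts follow RFC 2868 (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81); the Access-Accept bytes are constructed inside the code, not taken from the capture shown above.

```python
"""Inspect the RFC 2868 tunnel attributes in a RADIUS Access-Accept and flag
a non-zero tag octet, which a switch that does not parse tags will ignore.

Added example; the RADIUS attribute bytes below are constructed for illustration."""

TUNNEL_TYPE = 64              # RFC 2868 section 3.1; value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868 section 3.2; value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868 section 3.6; string: VLAN ID or name
TUNNEL_ATTRS = {
    TUNNEL_TYPE: "Tunnel-Type",
    TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
    TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID",
}


def iter_avps(payload):
    """Yield (type, value) for each RADIUS attribute in a type/length/value list."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        yield attr_type, payload[i + 2:i + length]
        i += length


def parse_tunnel_attr(attr_type, value):
    """Split a tunnel attribute into (tag, data).

    Integer-valued tunnel attributes always carry a tag octet followed by a
    3-octet value.  For the string-valued Tunnel-Private-Group-ID the first
    octet is a tag only if it is <= 0x1F; otherwise it is part of the string.
    """
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(value) != 4:
            raise ValueError(f"{TUNNEL_ATTRS[attr_type]} must be 4 octets")
        return value[0], int.from_bytes(value[1:], "big")
    if attr_type == TUNNEL_PRIVATE_GROUP_ID:
        if not value:
            raise ValueError("empty Tunnel-Private-Group-ID")
        if value[0] <= 0x1F:
            return value[0], value[1:].decode("ascii")
        return 0, value.decode("ascii")
    raise ValueError(f"attribute {attr_type} is not a tunnel attribute")


def check_vlan_assignment(payload):
    """Return the VLAN the server is trying to assign, the tunnel attributes
    found, and the reasons a tag-unaware switch would not apply the VLAN."""
    found, problems = {}, []
    for attr_type, value in iter_avps(payload):
        if attr_type not in TUNNEL_ATTRS:
            continue  # User-Name, Class, etc. do not affect VLAN assignment
        name = TUNNEL_ATTRS[attr_type]
        tag, data = parse_tunnel_attr(attr_type, value)
        found[name] = (tag, data)
        if tag != 0:
            problems.append(f"{name} carries tag 0x{tag:02x}; expected 0x00")
    if found.get("Tunnel-Type", (0, None))[1] != 13:
        problems.append("Tunnel-Type missing or not VLAN (13)")
    if found.get("Tunnel-Medium-Type", (0, None))[1] != 6:
        problems.append("Tunnel-Medium-Type missing or not IEEE-802 (6)")
    vlan = found.get("Tunnel-Private-Group-ID", (0, None))[1]
    return {"vlan": vlan, "attributes": found, "problems": problems}


def build_avp(attr_type, value):
    """Encode one attribute as type/length/value; length includes the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_vlan_assignment(vlan_id, tag):
    """Construct the three attributes a RADIUS server sends to assign a VLAN,
    all carrying the given tag octet (constructed sample, not a real capture)."""
    return (
        build_avp(TUNNEL_TYPE, bytes([tag]) + (13).to_bytes(3, "big"))
        + build_avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + (6).to_bytes(3, "big"))
        + build_avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


if __name__ == "__main__":
    # Failing case from the article (VLAN 13 sent with tag 0x01) beside the fixed one.
    for label, tag in (("tag 0x01 (switch ignores it)", 1), ("tag 0x00 (accepted)", 0)):
        payload = build_avp(1, b"client01") + build_vlan_assignment(13, tag)  # 1 = User-Name
        result = check_vlan_assignment(payload)
        print(f"{label}: VLAN {result['vlan']}, problems: {result['problems'] or 'none'}")
```

Feed `check_vlan_assignment` the raw attribute bytes of the Access-Accept from the sniffer output (everything after the 20-byte RADIUS header) and an empty `problems` list means the assignment is one FortiSwitch can apply; a `0x01` entry reproduces the symptom in this article.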

Refer to the following configuration example on Cisco ISE:


[Screenshot 2023-10-31 162024.png: Cisco ISE configuration example with the tag value set to 0]


After making the above configuration change on the Cisco ISE side, test with the client again. The correct VLAN should then appear in the Dynamic Authorized Vlan field.
