You may need to contact Fortinet to figure out what is required for the disconnect message.
Original Message:
Sent: Mar 20, 2025 07:30 AM
From: Ali Serhan
Subject: ClearPass x FortiGate and FortiAPs
That is correct. I have manually uploaded an XML file to the RADIUS dictionaries in ClearPass to include the Fortinet attributes. The attributes are stated by Fortinet, but they work only with FortiSwitch ports; I'm still not sure what should be done for wireless.
Original Message:
Sent: Mar 12, 2025 11:15 AM
From: chulcher
Subject: ClearPass x FortiGate and FortiAPs
ClearPass doesn't have a Dynamic Authorization template tied to the Fortinet vendor, and the wireless probably doesn't use the standard IETF option. You'll likely need to determine what is required for the disconnect message against that vendor.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Mar 12, 2025 09:24 AM
From: Ali Serhan
Subject: ClearPass x FortiGate and FortiAPs

Yes, already enabled.
Wired authentication with CoA is already working; just the wireless is not working.
Original Message:
Sent: Mar 12, 2025 09:20 AM
From: shpat
Subject: ClearPass x FortiGate and FortiAPs
When adding the device in ClearPass (in this case the Fortinet WiFi controller), is CoA enabled?

------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.
Original Message:
Sent: Mar 12, 2025 09:06 AM
From: Ali Serhan
Subject: ClearPass x FortiGate and FortiAPs
Hello Shpat
I just checked the document you shared and tested the AVPs. Didn't work. The problem is that the dynamic authorization is greyed out.

These are the AVPs I tried in multiple permutations but still didn't work.

These are the attributes I'm using for the wired and it's working fine, but of course not working for the wireless.
Original Message:
Sent: Mar 12, 2025 08:31 AM
From: shpat
Subject: ClearPass x FortiGate and FortiAPs
Hi Ali
Are you using the correct AVP for terminating the wireless session? This is the Fortinet RADIUS Termination Action AVP in Wired and Wireless Scenarios. Did you have a check on this?
https://docs.fortinet.com/document/fortigate/7.2.0/new-features/588173/radius-termination-action-avp-in-wired-and-wireless-scenarios
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.
Original Message:
Sent: Mar 12, 2025 08:21 AM
From: Ali Serhan
Subject: ClearPass x FortiGate and FortiAPs
I have a ClearPass setup with Fortinet products (FortiGate, FortiSwitch, and FortiAP). Goal is to configure wired and wireless authentication with OnGuard health check. Wired authentication with health check is successful with the whole flow being as follows:
- User is not connected to internet. User has OnGuard installed on Windows PC. User health status is unknown. User connects to ethernet cable and gets authenticated initially but as UNKNOWN health, thus the enforcement policy enforces the UNKNOWN VLAN profile.
- Agent gets connected to ClearPass OnGuard when in UNKNOWN VLAN and performs the health check required. User in this example is healthy. Thus it will send to the ClearPass that the user is healthy. The health check policy is hit and it enforces a CoA bounce port message to the FortiSwitch port the user is connected to.
- The user gets disconnected for a few seconds then reconnects with the new information that the PC is healthy, thus it gets its IP from the HEALTHY VLAN.
We want to replicate this process but for wireless authentication with health check, but the automatic CoA message is not disconnecting the user. Change of authorization is greyed out when attempting to change status after authentication.
I have tried the ArubaOS wireless attributes and there are no ports or anything blocked on the firewall and there are no ACLs or any restriction.
What can I do to solve this problem or troubleshoot it more?
Best Regards,
Ali Serhan
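The thread turns on what the disconnect message must contain and why the wireless side does not act on it. As an added troubleshooting example (not part of the original posts, and not ClearPass or Fortinet code), the sketch below builds a standard IETF Disconnect-Request per RFC 5176 and decodes the Error-Cause from a captured reply. The shared secret, user name, MAC address and session ID are constructed sample values, and the IETF attribute set is an assumption that, as noted in the thread, may not be what the Fortinet wireless side expects.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and a subset of its Error-Cause (attribute 101) values
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute",
               403: "NAS Identification Mismatch", 404: "Invalid Request",
               503: "Session Context Not Found",
               504: "Session Context Not Removable"}
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE_ATTR = 1, 31, 44, 101

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_packet(code, ident, attrs, secret, request_auth=b"\x00" * 16):
    """Authenticator = MD5(code + id + length + auth16 + attributes + secret).
    Requests hash 16 zero octets; replies hash the request's authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def parse_reply(reply, request, secret):
    """Check a reply against its request and pull out the Error-Cause."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        raise ValueError("length or identifier mismatch")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    result = {"code": CODES.get(code, code), "error_cause": None,
              "auth_ok": hmac.compare_digest(expected, reply[4:20])}
    pos = 20
    while pos + 2 <= length:
        atype, alen = reply[pos], reply[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == ERROR_CAUSE_ATTR and alen == 6:
            cause = struct.unpack("!I", reply[pos + 2:pos + 6])[0]
            result["error_cause"] = ERROR_CAUSE.get(cause, str(cause))
        pos += alen
    return result

# Constructed sample values, not taken from the thread
SECRET = b"example-shared-secret"
request = build_packet(40, 7, attr(USER_NAME, b"alice") +
                       attr(CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF") +
                       attr(ACCT_SESSION_ID, b"0000002A"), SECRET)
nak = build_packet(42, 7, attr(ERROR_CAUSE_ATTR, struct.pack("!I", 503)), SECRET, request[4:20])
print(parse_reply(nak, request, SECRET))
```

Run against a packet capture of the CoA exchange on UDP 3799: no reply at all points to reachability or a NAS that is not listening, while a NAK with an Error-Cause indicates which attribute or session identifier the NAS rejected.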