Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC Authentication Issue

  • 1.  MAC Authentication Issue

    Posted Jul 25, 2019 07:28 PM

    Hey all, I am having an issue with MAC Authentication. One of our SSIDs uses open system and MAC authentication. User roles are set by FortiNAC. Users connecting to the open SSID will not have their role updated properly. However, I tried disabling IPv6 and the open SSID then works perfectly fine. IPv6 is necessary so leaving it disabled is not an option.

     

    The OS version is 8.4.0.4 and the system is not in production yet.

    Attached are logs of "show auth-tracebuf <MAC>" from connecting my phone to the network. Each connection from my phone was made after removing and re-adding my phone to FortiNAC so that it would be in the same state when attempting to connect.

     

    Any help at all would be appreciated.




  • 2.  RE: MAC Authentication Issue

    EMPLOYEE
    Posted Jul 26, 2019 03:46 AM

    If I compare the two traces, I see in the working one two times a mac-auth-success, in the IPv6 one just one, which corresponds with your observation.

     

    I would have a look at your RADIUS/NAC logs. I think those probably will give more information why the MACAuth succeeds in one example and doesn't in the IPv6 case. If this NAC system triggers a CoA, it could be that it has issues when triggering for IPv6, or you did not enable IPv6 on the controller. Does "show users" on the controller show you the IPv6 addresses? And which role? What is the role content?

     

    It's probably most efficient if you do a live troubleshooting session with someone who understands the roles, authentication and reading the logs on your Aruba and also how your NAC solution works.