topic Re: Fortinac and WLC 9800 controller in Wireless

Fortinac and WLC 9800 controller

terrance-mccallum — Thu, 12 Dec 2024 19:05:55 GMT

New network tech here, just implemented a NAC system along with a WLC9800 model. My NAC system put all unknown devices into a quarantine VLAN for example VLan 100 they go through a portal page and register as either guest or a domain user which will get either a guest or domain vlan address. Portal page works perfect and registration goes fine. The issue im seeing is either after registration the client sits for almost 30 minutes before It changes the client to the correct VLAN or I can manually go in the WLC and delete that client and it will instantly get the address that it should based off the registration. Any idea where to start this troubleshooting, with the old WLC things seem to switch over pretty quickly but having issue since new one was implemented. Any ideas where to start to investigate this???

Re: Fortinac and WLC 9800 controller

MHM Cisco World — Thu, 12 Dec 2024 19:59:48 GMT

NAC return CoA re-auth or port bounce ?

since vlan is change you need to port bounce

MHM

Re: Fortinac and WLC 9800 controller

terrance-mccallum — Fri, 13 Dec 2024 12:12:27 GMT

I don't think there is no port bounce config, I do see a COA server key in the WLC but im not quite sure it's working. Is there a method to test this manually to see if this is working?

Re: Fortinac and WLC 9800 controller

Flavio Miranda — Fri, 13 Dec 2024 12:49:18 GMT

@terrance-mccallum

You probably have the features "support for CoA" and "AAA overide" enable, right?

Re: Fortinac and WLC 9800 controller

terrance-mccallum — Fri, 13 Dec 2024 13:17:48 GMT

Correct, and I also can run the " show aaa server detail " command and see my radius server list and shows enabled. however I am not seeing any vlan change when made in the NAC system, unless I delete the client from the WLC completely it will then come back with the assigned VLAN, If not mistaken in old WLC the NAC would do this step automatically when a change was made, however now it is not.

Re: Fortinac and WLC 9800 controller

Flavio Miranda — Fri, 13 Dec 2024 13:32:01 GMT

On the link below, Cisco show how to implement a similar setup using ISE but I believe you can check the WLC part which should be the same.

At the end of this document, they show how you can get a Radioactive Trace that can be helpfull for you. You can share the logs here, if possible.

It is possible to enable the Radioactive traces to ensure successful transfer of the RADIUS attributes to the WLC. In order to do so, do these steps:

From the controller GUI, navigate to Troubleshooting > Radioactive Trace > +Add.
Enter the Mac Address of the wireless client.
Select Start.
Connect the client with the WLAN.
Navigate to Stop > Generate > Choose 10 minutes > Apply to Device > Select the trace file to download the log.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/217043-configure-dynamic-vlan-assignment-with-c.html

Re: Fortinac and WLC 9800 controller

terrance-mccallum — Fri, 13 Dec 2024 15:25:41 GMT

attached

Re: Fortinac and WLC 9800 controller

Flavio Miranda — Fri, 13 Dec 2024 16:47:07 GMT

Seems like the radius communication is fine

2024/12/13 10:15:31.287576879 {wncd_x_R0-5}{1}: [aaa-attr-inf] [24831]: (info): [ Applied attribute : tunnel-type 0 13 [vlan] ]
2024/12/13 10:15:31.287578693 {wncd_x_R0-5}{1}: [aaa-attr-inf] [24831]: (info): [ Applied attribute : tunnel-medium-type 0 6 [ALL_802] ]
2024/12/13 10:15:31.287580124 {wncd_x_R0-5}{1}: [aaa-attr-inf] [24831]: (info): [ Applied attribute :tunnel-private-group-id 0 "48" ]
2024/12/13 10:15:31.287581563 {wncd_x_R0-5}{1}: [aaa-attr-inf] [24831]: (info): [ Applied attribute : username 0 "e40d366921f7" ]
2024/12/13 10:15:31.287587016 {wncd_x_R0-5}{1}: [aaa-attr-inf] [24831]: (info): [ Applied attribute : timeout 0 28800 (0x7080) ]

Did you took the action of remove the client?

2024/12/13 10:19:02.121

client-orch-sm

Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_ADMIN_RESET. Explanation: Administrator removed the client, or in some scenarios, AAA server requested client delete. Actions: None required

If you did, can you take the debug but not interfere to compare?

Re: Fortinac and WLC 9800 controller

terrance-mccallum — Fri, 13 Dec 2024 16:49:37 GMT

No, I feel like that's the issue it's not doing that step, but if i manually go and delete it, it will then get the correct address and everything works fine. I dont' know why its' not doing the delete even though it's being told to do so.

Re: Fortinac and WLC 9800 controller

terrance-mccallum — Fri, 13 Dec 2024 16:51:35 GMT

To add to that, If i let this device sit for a long time up to like 20 minutes it will eventually go through almost like it fails out and at some points tries again and works at that point.

Re: Fortinac and WLC 9800 controller

Flavio Miranda — Fri, 13 Dec 2024 17:00:26 GMT

this seems to be some kind of time out. 30 minutes is 1800 seconds which seems to be the session time out for your WLC

Re: Fortinac and WLC 9800 controller

Flavio Miranda — Fri, 13 Dec 2024 17:02:47 GMT

Try to reduce the Session time out and see if that makes difference

Re: Fortinac and WLC 9800 controller

MHM Cisco World — Fri, 13 Dec 2024 17:14:44 GMT

I send you PM

MHM

Re: Fortinac and WLC 9800 controller

Mark Elsen — Fri, 13 Dec 2024 17:21:45 GMT

@MHM Cisco World wrote : >I send you PM
- What's wrong with sharing knowledge in the community ?

Re: Fortinac and WLC 9800 controller

terrance-mccallum — Fri, 13 Dec 2024 17:22:20 GMT

So I attempted a quick change and instantly loss around half or my wireless connections in my district

Re: Fortinac and WLC 9800 controller

terrance-mccallum — Fri, 13 Dec 2024 17:22:44 GMT

Looks like this may be a after hours test

Re: Fortinac and WLC 9800 controller

Flavio Miranda — Fri, 13 Dec 2024 17:25:37 GMT

No man, you can not do this changes in live environment doring business hours. Any change on the WLAN will disconnect all the clients.
you should do this in a test SSID only for a few clients.

Re: Fortinac and WLC 9800 controller

Flavio Miranda — Fri, 13 Dec 2024 17:36:58 GMT

Sure. Any change made on the WLAN will disconnect all clients. But, this time out session may help you.

Re: Fortinac and WLC 9800 controller

terrance-mccallum — Fri, 13 Dec 2024 17:51:23 GMT

Perfect, I think it very well will. Going to try it after hours to see how things go. I'll update after testing.

Re: Fortinac and WLC 9800 controller

terrance-mccallum — Mon, 16 Dec 2024 18:26:09 GMT

So built a test SSID and got to make some changes with everything above and changed my timeout session to 300 which is basically 5 minutes and sure enough after 5 minutes I have a successful connection. However the Fortinac engineer says this should happeen instantly upon connection and the the reason it's working after the timeout is it fails and tries the process over again and works sucessfully the second time. Which then points me in the direction of a COA server key. I found it inside the WLC however password is hidden, is there a way to test the COA to see if it's working properly? Im thinking that it's not and after the timeout the machine basically fails out and comes back as a new connection and works because the address was there for it the first time but it couldn't get it due to a bad COA.