Hi @ahollifield yes indeed ISE cannot do that, so I added as an additional accounting server on cisco meraki the FSSO collector. pxGrid is an option which I have done it already, but it is not really convenience for the client as he will need to apply extra policies on the fortigate according to the SGT now. He wants to stick with the FSSO groups. 

Back now to radius accounting from the cisco meraki APs, it seems that it does not work. I mean The AP sends the info but I do not see anything on the FSSO collector. I have enabled also the the collector to listen for radius accounting messages on port 1813 but not luck. To be fair I am not really familiar with the collector even if it is not so difficult to configure it.

The FSSO collector may not like the RADIUS accounting format sent from Meraki.  Fortinet TAC would be your next contact for that.

Hi @ahollifield yes indeed it did work with the radius accounting being sent by the AP to FSSO collector. Fortunately, FSSO has the ability to listen to accounting messages. So once it receives the message which includes the user and the IP address, it does include him to  FSSO logon users, and instead of dc-agent type it shows as radius accounting type. All good! My only concern is how the Cisco meraki APs send the accounting messages because when someone logins to WiFi and gets authenticated the message it sends does not include the IP address. He has to reconnect again in order the AP to generate a new radius message, and on the new message the IP address appears. 

I understand that during the authentication the clients does not have an IP address and after the successful login the device gets the IP. By that time, the AP has already sent the accounting message without the IP address. After the second login, it does include  the IP address because the client has been already authenticated?

There is an option of Accounting interim interval in cisco meraki and the default time I see is 10 minutes. Does it help if I Change that?

AFAIK there is no ability to customize the accounting behavior on Meraki.  It is either enabled or not.  I would reach out to Meraki TAC, they may have some backend support-only changes they could make for you.

Cheefrs @ahollifield and @Milos_Jovanovic  thanks for all the help. Setup with radius accounting works as expected. Have the issue with the initial radius message which is being sent but thats another story. Will need to raise it up with cisco meraki team so see if there is a workaround

Hey @Nick Mavrou sorry to dredge up an old thread. We've also had the same issue with the Meraki Accounting-Start not containing the 'Framed-IP-Address' attribute. We've achieved a form of fix implementing a RADIUS Accounting start delay timer via Meraki support to delay the sending of the Start packet a few seconds, even then it does still send too quick sometimes.

Did you end up going down this path as well or something different?

Hi @Paccers Paccers,

How much delay did you ask the support to apply for the accounting-start packet. I think for us it was something close to half second. Since we changed that we didn't face any issue. I think half second is more than enough to allow the device to get the IP address  before the accounting-start packet is being sent. By all means, it depends on how fast your DHCP server provides the IP addresses so I assume that your network doesn't have issues anyway. You could also try to max the delay to more than half second. By the end of the day it is not a bad user experience...

2 seconds currently seems to be our sweet spot, below that we get way more failures to include Framed-IP-Address value. Are you sending on to FSSO collector to set up FSSO sessions not RSSO on the FGT?

Yes that's right, straight to FSSO collector. In that case to might need to dive deeper and run a wireshark and check why you are facing that issue. I have to say though that the integration in question is not something that I would recommend anyway. I was forced to do that trick cos in my case the WiFi devices were out of AD. I assume you are having the same case...  

Yup, got to love BYOD!