
WLC9800 COA

hs08
VIP

I made an SSID for guests where the user should enter the captive portal and enter the Entra ID user to access the guest network. The environment used is WLC9800 and FortiNAC. When the user logs in to the SSID, the user enters the isolation network to access the captive portal, and after Entra ID is successful, from FortiNAC I can see the user has already moved from isolation to the guest network, but actually the client still sits in the isolation network.

Based on this picture, can we say that FortiNAC did not send the CoA to the WLC?

hs08_0-1779436534266.png

 

 


Mark Elsen
Hall of Fame

 

@hs08 Do you have CoA enabled in the WLC 9800 configuration, as in:

    aaa server radius dynamic-author
     client <FortiNAC-IP> server-key <key>

and

    radius server FORTINAC
     address ipv4 x.x.x.x auth-port 1812 acct-port 1813
     key XXXXX
     automate-tester username test

Also make sure to enable https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-1/config-guide/b_wl_17_11_cg/wlan-security.html#info-aaa-over

Troubleshooting commands:

# Show wireless client summary
show wireless client summary

# Show client detail
show wireless client mac-address <MAC_ADDRESS> detail

# Show RADIUS server status
show aaa servers detailed
# Show AAA method lists
show aaa method-lists all

# Debug RADIUS transactions
debug radius all

For show aaa servers detailed, look for the stats after Author:

+ Use full client debugging according to: https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
Client debugs, so-called Radio Active traces, can be analyzed with: Wireless Debug Analyzer

   M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Rainer Maria Rilke (1899)

aleabrahao
Meraki Community All-Star

Check on the WLC if the dynamic-author (CoA) server is configured.

Example of required configuration:

aaa server radius dynamic-author
 client <FortiNAC_IP> server-key <secret>

Check the real-time CoA statistics by running the following command during the test:

show aaa servers dynamic-author

Debug on the WLC with the commands below:

debug radius coa enable
debug aaa all enable

If nothing appears during login, no CoA is being received.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
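
Added example (not part of either reply, and not Cisco or Fortinet code): both replies come down to whether a CoA-Request from FortiNAC reaches the WLC and is accepted. The Python below classifies a captured RADIUS dynamic-authorization payload per RFC 5176 and checks its Request Authenticator against the configured server-key; `inspect_coa`, `build_request`, the key and the MAC address are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RADIUS codes from RFC 5176 (Dynamic Authorization Extensions)
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
CALLING_STATION_ID = 31   # client MAC (RFC 2865)
ERROR_CAUSE = 101         # reason code carried in a NAK (RFC 5176)


def build_request(code, ident, attrs, secret):
    """Build a constructed CoA/Disconnect request (used only for the sample)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body


def inspect_coa(packet, secret):
    """Classify a RADIUS payload and, for requests, verify the authenticator."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    auth, body = packet[4:20], packet[20:length]
    attrs, i = {}, 0
    while i + 2 <= len(body):
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            raise ValueError("malformed attribute")
        attrs.setdefault(t, body[i + 2:i + l])
        i += l
    result = {"type": CODES.get(code, f"code {code}"), "id": ident,
              "client": attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace")}
    if code in (40, 43):
        # Requests: MD5(code, id, length, 16 zero octets, attributes, secret)
        expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
        result["authenticator_ok"] = hmac.compare_digest(expected, auth)
    if ERROR_CAUSE in attrs:
        result["error_cause"] = int.from_bytes(attrs[ERROR_CAUSE], "big")
    return result


# Constructed sample: key and MAC are placeholders, not values from the thread
SECRET = b"example-server-key"
SAMPLE = build_request(43, 7, [(CALLING_STATION_ID, b"aa-bb-cc-dd-ee-ff")], SECRET)
```

A CoA-Request whose authenticator does not verify points to a server-key mismatch between the two sides; a CoA-NAK carries an Error-Cause value giving the reason the request was refused.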