Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
luca1994
New Contributor III

Created on ‎02-26-2024 08:48 AM

FortiAP Radius and DHCP

Hello team,

 

I have the following problem when a device connects to an SSID.
Basically when a device connects to this specific SSID it fails to get the 'ip address in DHCP.

 

This is the traffic flow:

Device --> FortiAP --> FGT200F --> MPLS Circuit --> Fortinet 400F (fortiAP was added here) .

The authentication via Radius occurs successfully while the release of an ip address does not. The DHCP server and Radius server are two different virtual machines.

I see from the logs that the correct vlan is pushed to the device but the DHCP request goes timed-out.

 

I kindly ask:
On the network interface of the SSID should DHCP relay be enabled ?
Should policies be created to allow DHCP traffic from this interface to the DHCP server ?
Should vlan31 be carried from the interface where the FortiAP is connected to the firewall interface where vlan31 is connected ?

 

Thanks for the support

BR

Labels:
426
0 Kudos
1 Solution
AEK
SuperUser
SuperUser
In response to luca1994

Created on ‎02-27-2024 07:29 AM

Hi Luca

I tried in my lab tunnel mode with DHCP relay and I can see that the DHCP queries are properly forwarded by FG and well received the DHCP server (tried it on FOS 6.2.16).

Regarding dynamic VLAN assignment for tunnel mode SSID I confess I've never tried it before, only did it for bridge mode and it worked perfectly.

Nevertheless I think the following document can help you a lot since you are in the same scenario as FortiAP integration with FortiNAC.

https://docs.fortinet.com/document/fortinac/9.4.0/fortiap-integration

AEK

View solution in original post

AEK
337
0 Kudos
5 REPLIES 5
AEK
SuperUser
SuperUser

Created on ‎02-26-2024 12:00 PM

Hi Luca

 

On the network interface of the SSID should DHCP relay be enabled ?

If the DHCP server ison the same VLAN as the connecting client then you don't need DHCP relay, otherwise you need DHCP relay.


Should policies be created to allow DHCP traffic from this interface to the DHCP server ?

In both cases (with or without relay) you don't need firewall policy.

 

Should vlan31 be carried from the interface where the FortiAP is connected to the firewall interface where vlan31 is connected ?

Yes if your SSID is in bridge mode. But in tunnel mode you have to use DHCP relay (no other choice) because you can't put your client in the same VLAN as the DHCP server.

AEK
AEK
405
luca1994
New Contributor III
In response to AEK

Created on ‎02-27-2024 02:01 AM

Hello @AEK ,

 

via cli with debug enable i see that the destination ip of DHCP request is 0.0.0.0 and not my relay server

 

dhcprelay debug.png

 

My WiFi SSID is in tunnel mode with Radius authentication and ip addres and dhcp relay configured.

 

Thanks for the support

BR

378
0 Kudos
AEK
SuperUser
SuperUser
In response to luca1994

Created on ‎02-27-2024 02:21 AM

Hi Luca

DHCP request always has 0.0.0.0 as destination.

If you configured well the DHCP relay at FG WiFi interface level then you should receive the request on the DHCP server forwarded by FG.

So try sniff at DHCP server interface to see if you receive DHCP request from that client MAC address. If you don't receive then FG may not forward the request properly.

AEK
AEK
366
luca1994
New Contributor III
In response to AEK

Created on ‎02-27-2024 02:59 AM

Hi Aek,

thanks for the suggestion, in a few hours I will have a chance to try.

 

My purpose anyway is to get the client connecting to SSID in tunnel mode and have it push vlan31 with the ip address that is assigned by DHCP which is configured as a relay on the WiFi interface.

 

Thanks you

BR

357
0 Kudos
AEK
SuperUser
SuperUser
In response to luca1994

Created on ‎02-27-2024 07:29 AM

Hi Luca

I tried in my lab tunnel mode with DHCP relay and I can see that the DHCP queries are properly forwarded by FG and well received the DHCP server (tried it on FOS 6.2.16).

Regarding dynamic VLAN assignment for tunnel mode SSID I confess I've never tried it before, only did it for bridge mode and it worked perfectly.

Nevertheless I think the following document can help you a lot since you are in the same scenario as FortiAP integration with FortiNAC.

https://docs.fortinet.com/document/fortinac/9.4.0/fortiap-integration

AEK
AEK
338
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.