NAC IP resolution issues - Unable to configure IP helper address on router (Fortinet Firewall)

  • Question
  • Updated 2 years ago
  • Answered
I am not able to view the IP address or hostname for some of my end-systems in NetSight. IP resolution is not working.

I followed the steps mentioned in the below article.

https://gtacknowledge.extremenetworks.com/articles/Solution/NAC-IPhost-resolution-failing-on-some-cl...

RADIUS accounting is enabled on the switches and SNMP is also returning from the switch. Based on the statement below from the article, I tried to configure IP helpers.

"DHCP is also listened to so it gets to see the full hand shake of client/server. It will not participate in DHCP process but is passively listening to gain knowledge of end station identity. Make sure router's IP-helpers are configured to forward to the NAC IP address."

In my case, the firewall is the gateway/router for all my clients. Inter-VLAN routing and DHCP release are done by my firewall, which is a Fortinet. I am not sure how I can configure an IP helper with the NAC IP address on the firewall. If I configure an IP helper, then I'm sure that my firewall cannot release DHCP, and neither can NAC.

Can anyone help with this?
Alagesan Jeyaraman

Posted 2 years ago

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello,

I have found an online guide on the Fortinet DHCP options:

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-system-administration-54/Advanced/DHC...

However, if I'm reading this correctly:

"An interface cannot provide both a server and a relay for connections of the same type"

You may not be able to configure a relay if the server is already providing the service. You will need to contact Fortinet in order to confirm this, as I'm not certain of the Fortinet product.

Hostname, Device Family, and Device type information rely on the DHCP request being snooped on the NAC interface. As a workaround if you have a mirror capable device you can run a mirror of your network into eth1 of the NAC and put it in traffic listening mode. If you have the capabilities for advanced mirroring I would suggest only mirroring DHCP traffic. 

You will need to get the DHCP request in order for device type fingerprinting, but if you are able to capture and mirror over the DHCP ACKs, the NAC is designed to inherently trust the ACK, so if you can capture and send those to the NAC it will also help with IP resolution.

What type of switches are you using? In order for IP resolution to complete RADIUS accounting requests must contain the "framed-IP" attribute. NAC uses this for IP resolution if it's provided. If it's not provided it won't help.

Router IP discovery will only work if you're using RFC 3580, or you get a DHCP packet that has the gateway address in the request.

Router IP discovery is a last-ditch effort to pull the ipNetToMedia table on the router discovered through the gateway address in the DHCP address to get a MAC to IP mapping.

Let me know if this helps.

Thanks
-Ryan
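As an added illustration, not code from either poster, Extreme Networks or Fortinet: a minimal passive DHCP listener of the kind Ryan describes. It takes a client's REQUEST (hostname, vendor class, option 55 list for fingerprinting) and the server's ACK (the trusted yiaddr and the option 3 router address used for router IP discovery) as they would arrive on a mirror port and, only when the transaction ID and MAC match, produces the MAC-to-IP record the NAC needs. The two sample packets are constructed inline; no real capture is involved.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                  # DHCP magic cookie after the BOOTP header
MSG_TYPES = {1: "DISCOVER", 3: "REQUEST", 5: "ACK"}

def build_dhcp(op, xid, mac, yiaddr, options):
    """Build a BOOTP/DHCP UDP payload; used here only to construct sample traffic."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0,
                        bytes(4), IPv4Address(yiaddr).packed, bytes(4), bytes(4),
                        bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0"),
                        bytes(64), bytes(128))
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC + body + b"\xff"

def parse_dhcp(payload):
    """Extract the fields a passive listener cares about: xid, MAC, yiaddr, options."""
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 0xFF:   # 0xFF = end option
        if payload[i] == 0:                          # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "mac": payload[28:28 + hlen].hex(":"),
            "yiaddr": str(IPv4Address(payload[16:20])),
            "type": MSG_TYPES.get(opts.get(53, b"\0")[0], "other"), "opts": opts}

def learn_end_system(request, ack):
    """Merge the client's REQUEST (identity, fingerprint) with the server's ACK (trusted IP)."""
    if not (request["type"] == "REQUEST" and ack["type"] == "ACK"
            and request["xid"] == ack["xid"] and request["mac"] == ack["mac"]):
        return None                                  # not the same DHCP transaction
    o = request["opts"]
    return {"mac": ack["mac"], "ip": ack["yiaddr"],
            "gateway": str(IPv4Address(ack["opts"][3])) if 3 in ack["opts"] else None,
            "hostname": o.get(12, b"").decode(errors="replace") or None,
            "vendor_class": o.get(60, b"").decode(errors="replace") or None,
            "param_request_list": list(o.get(55, b""))}  # option 55 order = fingerprint

# Constructed sample exchange as it would arrive on the NAC's mirror port (UDP payloads only).
SAMPLE_REQUEST = build_dhcp(1, 0x3903F326, "00:11:22:aa:bb:cc", "0.0.0.0",
    [(53, b"\x03"), (12, b"lab-pc1"), (60, b"MSFT 5.0"), (55, bytes([1, 3, 6, 15]))])
SAMPLE_ACK = build_dhcp(2, 0x3903F326, "00:11:22:aa:bb:cc", "10.20.30.45",
    [(53, b"\x05"), (3, IPv4Address("10.20.30.1").packed), (51, (86400).to_bytes(4, "big"))])
```

Calling `learn_end_system(parse_dhcp(SAMPLE_REQUEST), parse_dhcp(SAMPLE_ACK))` yields the MAC, assigned IP, gateway, hostname and vendor class for the sample client; an ACK whose xid or MAC does not match the REQUEST is ignored rather than trusted.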