sfernando
Staff
April 28, 2026

Technical Tip: Conditions to use set match-type override on a NAC policy


Description

This article describes the conditions under which 'set match-type override' should be used on a NAC policy.

Scope

FortiGate and FortiSwitch.

Solution

In the context of Fortinet's Network Access Control (NAC) policies, the 'set match-type override' setting is used to enhance the behaviour of device matching within NAC policies. This setting is particularly useful in scenarios where devices are dynamically managed and may be removed from user-device stores or dynamic firewall tables.


This is a useful setting, but it has drawbacks. It can cause problems, especially in solutions that rely on FortiClient EMS tags: when a single connection is used by multiple users in turn, the new user may not be assigned the correct VLAN.

Hence, it is recommended to satisfy all three of the following conditions when using 'set match-type override':

  1. The solution includes FortiClient EMS.

  2. The user's laptop has both Ethernet and Wi-Fi enabled (in some customer environments, Wi-Fi is disabled when Ethernet is connected).

  3. FortiClient on the user's laptop can reach the FortiGate or the FortiClient EMS server over Wi-Fi even when Ethernet is down.
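The following FortiGate CLI fragment is an added example, not configuration taken from this article or from Fortinet documentation. It shows a NAC policy that matches devices by FortiClient EMS tag and retains the match with 'set match-type override'. The policy name, the EMS tag address name, the FortiLink interface name, the MAC policy name and the match-period value are all placeholders chosen for illustration; the 'category ems-tag', 'switch-mac-policy' and 'match-period' settings are assumed to exist on the FortiOS release in use and should be checked against the CLI reference for your version.

```text
# Added example (not from the article). Names in quotes are placeholders.
# A NAC policy that assigns a VLAN to laptops carrying a FortiClient EMS tag
# and keeps the device in the matched list even after it disappears from the
# user-device store (the behaviour described above for 'match-type override').
config user nac-policy
    edit "ems-tagged-laptops"
        set description "Corp VLAN for laptops tagged by FortiClient EMS"
        # Match on the EMS tag rather than on MAC/OS attributes (assumed category value)
        set category ems-tag
        # Firewall address object of type EMS tag, synchronised from FortiClient EMS (assumed name)
        set ems-tag "EMS1_ZTNA_Corp_Laptop"
        # FortiLink interface the managed FortiSwitches hang off (assumed name)
        set switch-fortilink "fortilink"
        # Switch MAC policy that carries the VLAN assignment (assumed name)
        set switch-mac-policy "corp-vlan"
        # Retain the match instead of re-evaluating it dynamically.
        # This is the setting the three conditions above apply to.
        set match-type override
        # Days to retain the match; the value is an assumption for this example
        set match-period 1
        set status enable
    next
end

# Review the resulting policy on the FortiGate
show user nac-policy ems-tagged-laptops
```

Use 'set match-type dynamic' (the default) in the same policy if the three conditions cannot be met, for example on a port that several users share in turn: the dynamic mode drops the device from the matched list as soon as it stops matching, so the next user is re-evaluated rather than inheriting the previous user's VLAN.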