sfernando
Staff
April 28, 2026

Technical Tip: Users sharing the same switch port do not get the correct VLAN from the NAC policy in an environment where EMS is configured to assign VLANs based on the EMS tag


Description

This article describes a practical issue observed in a deployment where EMS and NAC are used to identify users and assign VLANs based on the EMS tag.


Users are assigned a VLAN based on the EMS tag: an onboarding VLAN is assigned first, and once the EMS tag is known, the NAC policy moves the user to the correct VLAN. The configuration is mainly based on the article Technical Tip: Assigning a VLAN via NAC policies controlled by ZTNA tags from EMS.


When a user connects to an Ethernet port, the NAC policy assigns the correct VLAN. When that user is removed from the Ethernet port and a different user connects to the same port, the correct VLAN is not assigned.

Scope

FortiGate, FortiClient EMS.

Solution

As described in the article Troubleshooting Tip: Resolving port flapping issues when FortiGate is configured with NAC policies, the 'set match-type override' command is used to retain the matched device's details. Retaining the previous match, however, causes the issue described above: the next device on the same port keeps the VLAN that was matched for the previous device.


To avoid this issue in FortiOS v7.4.x, the existing (stale) user entry can be removed with the following command, where the MAC address is that of the device that was previously matched on the port:

execute switch-controller switch-action mac-device-reset nac ab:cd:ef:gh:ij:kl
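The reset command above takes one MAC address per invocation, and the placeholder shown in the article (ab:cd:ef:gh:ij:kl) is not a real hexadecimal MAC. The following helper, an added example that is not part of the article or of FortiOS, normalizes MAC addresses copied from other sources (switch MAC table, DHCP logs, with colon, dash or Cisco dotted notation) into the colon-separated lower-case form the article shows, rejects anything that is not a valid MAC, and builds the corresponding reset commands for an administrator to paste into the FortiGate CLI. The sample MAC list is constructed; that the command accepts lower-case colon-separated hex is an assumption based on the article's own placeholder.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input, as an admin might paste it from various tools.
# The last entry is the article's placeholder and is deliberately not valid hex.
SAMPLE_MACS = [
    "00:1A:2B:3C:4D:5E",   # colon-separated, upper case
    "00-1a-2b-3c-4d-5f",   # dash-separated (Windows style)
    "001a.2b3c.4d60",      # Cisco dotted notation
    "ab:cd:ef:gh:ij:kl",   # placeholder from the article: not hexadecimal
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Command prefix taken from the article; the address format is assumed to be
# lower-case colon-separated hex, matching the placeholder the article shows.
RESET_PREFIX = "execute switch-controller switch-action mac-device-reset nac"


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC as lower-case colon-separated hex, or None if it is not a MAC.

    Only the separators ':', '-' and '.' are stripped; if any other character
    had to be removed, the input is rejected rather than silently mangled.
    """
    text = raw.strip().lower()
    without_separators = re.sub(r"[:\-.]", "", text)
    hex_only = re.sub(r"[^0-9a-f]", "", text)
    if without_separators != hex_only or not _HEX12.match(hex_only):
        return None
    return ":".join(hex_only[i:i + 2] for i in range(0, 12, 2))


def reset_commands(raw_macs: List[str]) -> Tuple[List[str], List[str]]:
    """Build one mac-device-reset command per valid MAC.

    Returns (commands, rejected_inputs). Duplicates are collapsed so the same
    device is not reset twice; rejected inputs are returned for the admin to fix.
    """
    commands: List[str] = []
    rejected: List[str] = []
    seen = set()
    for raw in raw_macs:
        mac = normalize_mac(raw)
        if mac is None:
            rejected.append(raw)
            continue
        if mac in seen:
            continue
        seen.add(mac)
        commands.append(f"{RESET_PREFIX} {mac}")
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = reset_commands(SAMPLE_MACS)
    for line in cmds:
        print(line)
    for raw in bad:
        print(f"# rejected (not a valid MAC): {raw}")
```

Run it and paste the printed `execute ...` lines into the FortiGate CLI; the rejected list is printed as comments so a bad address is noticed rather than silently dropped. Note that this only clears the stale entry on demand, which is why the article points to 'set match-remove link-down' as the durable fix on FortiOS v7.6.x and later.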


Alternatively, 'set match-type override' can be left out of the NAC policy altogether (note that whether this command is needed depends on the solution in use; see the port flapping article referenced above).


FortiOS v7.6.x and later also provide a new command, 'set match-remove link-down', which can be used together with the override command under the NAC policy so that the retained match is dropped when the port link goes down:


config user nac-policy
    edit "ABC"
        set category ems-tag
        set match-type override
        set match-remove link-down   <<New command available in 7.6.x
        set ems-tag "ACB user"
    next
end