Technical Tip: How to change Default VLAN Enforcement on an SSID by using CLI

FortiNAC does not allow changing Default Wireless VLAN Enforcement to 'deny' or 'bypass' by using the GUI. However, it can be changed by using the CLI.

Note: On FortiNAC-F, the commands need to be preceded with 'execute enter-shell'.


First, the SSID's DBID should be learned by using the 'dumpports' command shown below. 

device -dbid <SSID_DBID> -setAttr -name DefaultAction - value 0

Note: The above change will not reflect on the GUI, and the GUI will still display Default Enforcement's value as 'Enforce'. However, when a host tries to authenticate by using the SSID and if it does not match any Network Access Policy, FortiNAC rejects the authentication request since Default Enforcement is denied. In this case, in the RADIUS service logs, entries like the one below should be displayed.
 

Tue Dec 16 17:18:16 2025 : Auth: (1078) Rejected in post-auth: [DE-AD-BE-EF-CA-FE] (from client 192.168.0.254 port 0 cli DE-AD-BE-EF-CA-FE)
Tue Dec 16 17:18:16 2025 : Auth: (1078) Login incorrect (Default Access Deny (Post-Auth) [DE-AD-BE-EF-CA-FE] (from client 192.168.0.254 port 0 cli DE-AD-BE-EF-CA-FE)
Tue Dec 16 17:18:16 2025 : Debug: (1078) Delaying response for 1.000000 seconds
Tue Dec 16 17:18:16 2025 : Debug: Waking up in 0.3 seconds.
Tue Dec 16 17:18:16 2025 : Debug: Waking up in 0.6 seconds.
Tue Dec 16 17:18:17 2025 : Debug: (1078) Sending delayed response
Tue Dec 16 17:18:17 2025 : Debug: (1078) Sent Access-Reject Id 6 from 192.168.0.202:1812 to 192.168.0.254:15902 length 71
Tue Dec 16 17:18:17 2025 : Debug: (1078) Reply-Message = "Default Access Deny (Post-Auth)"