sachitdas_FTNT
Staff
March 20, 2026

Troubleshooting Tip: FortiSwitch Controller NAC rule fails to match

Description
This article describes the logs to gather when the Switch Controller NAC on FortiGate fails to match a device to a NAC policy.

Scope
FortiGate managing FortiSwitch, version 7.4.x and above.

Solution

Refer to the link below to configure FortiGate Switch Controller NAC solution:

FortiSwitch network access control

 

If the device match fails, collect the logs below and raise a TAC ticket with Fortinet Support.

  1. FortiGate configuration backup.

  2. Run the application debug on the FortiGate, then connect the client to the NAC-enabled FortiSwitch port.

 

Sample output:

 

FortiGate# diagnose debug application flpold -1

 

2026-03-25 09:21:19 569s:532ms:16us flpol_check_mac_exists_in_mac_cache[894]:nac-reg: ret=1 vfid=0 sw=access3 mac=74:78:a6:64:73:b8 port=port1 last_seen=0x0
2026-03-25 09:21:19 569s:532ms:129us flpol_run_nac_engine[1206]:mac=74:78:a6:64:73:b8 is located on switch=access3 port=port1 ret=1
2026-03-25 09:21:19 569s:533ms:272us flpol_run_nac_engine[1362]:nac-policy VOIP matched for mac=74:78:a6:64:73:b8 sw=access3 port=port1 !!!
2026-03-25 09:21:19 569s:533ms:469us nac_device_add[608]:Added nac-device on vfid 0 with mac 74:78:a6:64:73:b8

 

FortiGate# diagnose debug application fcnacd -1   <-- Required only when the NAC policy matches on an EMS ZTNA tag.

FortiGate# diagnose debug console timestamp enable

FortiGate# diagnose debug enable

 

Once the NAC match fails, stop the debug and note the client MAC address, the FortiSwitch name, and the FortiSwitch port number in the ticket.

 

FortiGate# diagnose debug disable

FortiGate# diagnose debug reset

 

  3. Collect the outputs below from the FortiGate CLI:

 

FortiGate# diagnose switch-controller mac-device cache
FortiGate# diagnose switch-controller mac-device nac onboarding
FortiGate# diagnose switch-controller mac-device nac known
FortiGate# diagnose switch-controller mac-device dynamic
FortiGate# diagnose switch-controller mac-cache show
FortiGate# diagnose user-device-store device memory list
FortiGate# diagnose user device list

FortiGate# diagnose debug crashlog read

FortiGate# execute switch-controller get-conn-status
FortiGate# execute switch-controller get-sync-status all
FortiGate# execute switch-controller diagnose-connection

 

Sample output:

 

FortiGate# diagnose switch-controller mac-device cache
VFID SWITCH MAC-ADDRESS VLAN CREATION(secs ago) LAST-SEEN(secs ago) INTERFACE
0 access3 74:78:a6:64:73:b8 55 2900 0 port1

 

FortiGate# diagnose switch-controller mac-device nac known
Vdom: root
MAC LAST-KNOWN-SWITCH LAST-KNOWN-PORT MATCHED-NAC-POLICY MAC-POLICY-ACTION LAST-SEEN(sec) OVERRIDE(min) FSW-ID COMMENTS
74:78:a6:64:73:b8 access3 port1 VOIP VOIP 0 - 2 auto detected @ 2026-03-25 09:21:19

 

FortiGate# diagnose switch-controller mac-cache show

managed-switch: access3 vfid: 0
running-clients:
VLANID PORTID MAC LAST SEEN(secs ago) INTF-NAME
55 1 74:78:a6:64:73:b8 43 port1

 

FortiGate# diagnose user-device-store device memory list

interface_info
'ipv4_address' = '40.40.40.2'
'ipv6_address' = 'fd00::2'
'mac' = '74:78:a6:64:73:b8'
'master_mac' = '74:78:a6:64:73:b8'
'detected_interface' = 'fortiap'

 

FortiGate# diagnose user device list

vd root/0 74:78:a6:64:73:b8 gen 198 scan off
ip 40.40.40.2 src arp ip6 fd00::2 src dns
hardware vendor 'Fortinet' src lldp id 4084 weight 255
type 'Network Generic' src lldp id 4084 weight 255
family 'FortiAP' src lldp id 4084 weight 255
os 'FortiAP OS' src lldp id 4084 weight 255
hardware version '431G' src lldp id 4084 weight 255

 

  4. Collect the outputs below from the FortiSwitch CLI:

 

FortiSwitch# diagnose debug report

FortiSwitch# show full-config

FortiSwitch# diagnose debug crashlog read

 

Tip: If the device has both a wireless and a wired NIC enabled, and devices need to move between NAC-enabled ports, enable the following options in the NAC policy:

 

FortiGate# config user nac-policy

FortiGate# edit <nac-policy-name>

FortiGate# set match-remove link-down    <-- Available from FortiGate v7.6.3.

FortiGate# set match-type override   <-- Available from FortiGate v7.4.4.

FortiGate# next

FortiGate# end

 

  5. Capture a screenshot of the Managed FortiSwitches topology view (FortiGate GUI -> WiFi & Switch Controller -> Managed FortiSwitches -> Topology).
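Before sending the bundle to TAC, it helps to state in the ticket what the collected FortiGate outputs already show for the client MAC. The script below is an added example, not code from the article or from Fortinet: it parses the text of the flpold debug, `diagnose switch-controller mac-device cache` and `diagnose switch-controller mac-device nac known` (in the formats shown above) and gives a one-line verdict per MAC, so the ticket can say whether the MAC was never learned, was learned but matched no policy, or matched a policy. The sample inputs are constructed: the first MAC and its lines are taken from the article's samples, the second MAC (00:11:22:33:44:55) is invented to show the no-match case.

```python
"""Triage helper for FortiGate switch-controller NAC match failures.

Added example, not code from the article or from Fortinet. Parses the text of
``diagnose debug application flpold -1``, ``diagnose switch-controller
mac-device cache`` and ``diagnose switch-controller mac-device nac known``
(formats as shown in the article) and reports, per MAC, whether a NAC policy
matched and which output to look at next.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# flpold line printed when a nac-policy matches (format from the article's sample).
MATCH_RE = re.compile(
    r"nac-policy (?P<policy>\S+) matched for mac=(?P<mac>[0-9a-f:]{17})"
    r" sw=(?P<sw>\S+) port=(?P<port>\S+)"
)
# flpold line printed once the MAC has been learned on a switch port.
LOCATED_RE = re.compile(
    r"mac=(?P<mac>[0-9a-f:]{17}) is located on switch=(?P<sw>\S+) port=(?P<port>\S+)"
)
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class NacState:
    mac: str
    switch: str = "?"
    port: str = "?"
    located: bool = False                 # flpold saw the MAC on a port
    in_cache: bool = False                # listed in mac-device cache
    matched_policy: Optional[str] = None  # policy named in the flpold debug
    known_policy: Optional[str] = None    # policy listed in "nac known"


def _get(states: Dict[str, NacState], mac: str) -> NacState:
    return states.setdefault(mac.lower(), NacState(mac.lower()))


def parse_debug(text: str, states: Dict[str, NacState]) -> None:
    for line in text.splitlines():
        m = LOCATED_RE.search(line)
        if m:
            st = _get(states, m["mac"])
            st.located, st.switch, st.port = True, m["sw"], m["port"]
        m = MATCH_RE.search(line)
        if m:
            st = _get(states, m["mac"])
            st.matched_policy, st.switch, st.port = m["policy"], m["sw"], m["port"]


def parse_cache(text: str, states: Dict[str, NacState]) -> None:
    # Columns: VFID SWITCH MAC-ADDRESS VLAN CREATION LAST-SEEN INTERFACE
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and MAC_RE.match(f[2]):
            st = _get(states, f[2])
            st.in_cache, st.switch, st.port = True, f[1], f[6]


def parse_known(text: str, states: Dict[str, NacState]) -> None:
    # Columns: MAC LAST-KNOWN-SWITCH LAST-KNOWN-PORT MATCHED-NAC-POLICY ...
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and MAC_RE.match(f[0]):
            st = _get(states, f[0])
            st.known_policy, st.switch, st.port = f[3], f[1], f[2]


def triage(debug: str, cache: str, known: str) -> Dict[str, NacState]:
    states: Dict[str, NacState] = {}
    parse_debug(debug, states)
    parse_cache(cache, states)
    parse_known(known, states)
    return states


def verdict(st: NacState) -> str:
    """One-line diagnosis to put in the TAC ticket next to the MAC."""
    policy = st.matched_policy or st.known_policy
    if policy:
        return f"matched nac-policy {policy} on {st.switch}/{st.port}"
    if st.located:
        return (f"located on {st.switch}/{st.port} but no nac-policy matched: "
                "review the policy's device/EMS-tag criteria")
    if st.in_cache:
        return (f"in mac-device cache on {st.switch}/{st.port} but flpold never located it: "
                "re-run the debug and reconnect the client")
    return "never seen by the switch controller: check the FortiSwitch port and FortiLink"


# Constructed samples: the first MAC copies the article's lines, the second is invented.
DEBUG = """\
2026-03-25 09:21:19 569s:532ms:129us flpol_run_nac_engine[1206]:mac=74:78:a6:64:73:b8 is located on switch=access3 port=port1 ret=1
2026-03-25 09:21:19 569s:533ms:272us flpol_run_nac_engine[1362]:nac-policy VOIP matched for mac=74:78:a6:64:73:b8 sw=access3 port=port1 !!!
"""
CACHE = """\
VFID SWITCH MAC-ADDRESS VLAN CREATION(secs ago) LAST-SEEN(secs ago) INTERFACE
0 access3 74:78:a6:64:73:b8 55 2900 0 port1
0 access3 00:11:22:33:44:55 55 120 3 port2
"""
KNOWN = """\
Vdom: root
MAC LAST-KNOWN-SWITCH LAST-KNOWN-PORT MATCHED-NAC-POLICY MAC-POLICY-ACTION LAST-SEEN(sec) OVERRIDE(min) FSW-ID COMMENTS
74:78:a6:64:73:b8 access3 port1 VOIP VOIP 0 - 2 auto detected @ 2026-03-25 09:21:19
"""

if __name__ == "__main__":
    for mac, st in sorted(triage(DEBUG, CACHE, KNOWN).items()):
        print(f"{mac}: {verdict(st)}")
```

Paste the real command outputs into the three strings (or read them from the files saved for the ticket) and run the script; a MAC that is in the cache but never "located" by flpold usually means the debug was not running when the client connected, so step 2 should be repeated before escalating.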