riteshpv
Staff
March 20, 2026

Troubleshooting Tip: Unable to move a client between NAC-Enabled ports on FortiSwitch
Description
This article describes an issue where a client cannot move between NAC-enabled ports because of the match-type override setting in the NAC policy.

Scope
FortiSwitch and FortiGate v7.4, v7.6 in FortiLink mode.
Solution

Reason:

See also: FortiSwitch port flap with laptop connected with wifi/wired using FortiClient EMS tags.

  • The override match-type option under the NAC policy is designed to keep a device matched to its NAC policy (much like a static entry) for a defined duration. This prevents the device from being reclassified during dynamic events such as deletion of its EMS entry, a port link-down, or device inactivity.
  • When a device moves between NAC-enabled ports, a MAC move occurs. Because of the override setting, the device remains associated with the existing NAC policy match, so the MAC-based VLAN entry on the FortiSwitch is retained against the original port.
  • When the device connects to a different port, that stale MAC-based VLAN entry prevents the MAC from being learned on the new port, which is what causes the issue.

 

Configuration example:


config user nac-policy
    edit "TEST"
        set match-type override
    next
end

Temporary workaround:

The issue can be resolved temporarily by manually clearing the NAC policy match entry for the affected device's MAC address:

execute switch-controller switch-action mac-device-reset nac <MAC-address>

After the reset the device is re-evaluated against the NAC policies and its MAC is relearned on the port it is currently connected to. The workaround has to be repeated for every affected device and every move, so it is not a fix.

Solution:

In FortiOS v7.6.3, a new option has been introduced:

  • Added the match-remove option under NAC and DPP policies for override matching.

Behavior of match-remove:

  • default: NAC/DPP override entries remain until the match-period expires, or indefinitely if match-period is set to 0.
  • link-down: NAC/DPP override entries are removed when the switch port link goes down. This triggers the FortiGate to remove the MAC-based VLAN entry from the FortiSwitch, allowing the MAC to be learned properly when the device connects to a different port.

Note: If the device remains connected (the link stays up), the entry persists until the match-period expires, or indefinitely if match-period is 0.

  • match-period: Defines the number of days (0–120) to retain matched devices. 0 retains them indefinitely.

Configuration example:


config user nac-policy
    edit "TEST"
        set match-type override
        set match-period 0
        set match-remove link-down
    next
end
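The same settings applied with a finite retention window and to the other policy type the release note mentions, a dynamic port policy (DPP), followed by the one-off reset for a client that is already stuck. This is an added example and not part of the original article: the policy names, the MAC address and the 30-day match-period are constructed, and it is assumed that the match-type, match-period and match-remove keywords under config switch-controller dynamic-port-policy accept the same values as under config user nac-policy (confirm on your firmware with ? at the CLI prompt).

```fortios
# Added example, not from the original article. Names, MAC address and the
# 30-day retention are constructed; the DPP keywords are assumed to mirror
# the nac-policy ones.

# NAC policy: keep the device pinned to its policy for 30 days, but drop the
# pin on link-down so a move to another NAC-enabled port relearns the MAC
# instead of hitting the stale MAC-based VLAN entry.
config user nac-policy
    edit "NAC-PINNED"
        set match-type override
        set match-period 30
        set match-remove link-down
    next
end

# Dynamic port policy: the same three settings on the per-rule entry
# (assumed to use identical keywords).
config switch-controller dynamic-port-policy
    edit "DPP-PINNED"
        config policy
            edit "pinned-device"
                set status enable
                set category device
                set mac "00:11:22:33:44:55"
                set match-type override
                set match-period 30
                set match-remove link-down
            next
        end
    next
end

# A client that was already stuck before match-remove was set still holds
# its old match entry; clear it once (constructed MAC) so it relearns on
# the port it is plugged into now.
execute switch-controller switch-action mac-device-reset nac 00:11:22:33:44:55
```

Choosing link-down rather than the default trades a little stickiness for correctness: a device that unplugs and reappears elsewhere is re-evaluated against the NAC/DPP policies on the new port, which is exactly the path that was blocked before, while a device that stays connected keeps its pinned policy for the full match-period.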