mbas
Explorer II
October 23, 2025
Solved

Creating Contractor user with a corporate email address causing existing user isolation

  • October 23, 2025
  • 3 replies
  • 1021 views

Dear team,

Has anyone else observed this issue?

When we create a contractor user with a corporate email address and no one logs in with that user, after a while, it causes the existing user VLAN to change to isolation. When I check that user and click Show Hosts, I can see another host belonging to the same user with the contractor email address. The strange thing is that when I check that host, I can see that the logged-on user is the contractor user, even though we did not log in.

Somehow, I guess the passive agent finds that device user, checks the email address, and matches it with the contractor user. Is this normal behavior? It's not happening instantly; it takes some time to detect the other host and link it with the contractor user.

My goal is to create a contractor user, assign them to the onboarding VLAN, and install new computers. That's why the help desk team creates users with corporate email addresses and keeps them for a month. Do you have any suggestions for overcoming this issue?

Best answer by AEK

In your LDAP config, what is set as identifier? sAMAccountName or mail?

ldap_user_id.png

3 replies

AEK
SuperUser
October 23, 2025

Hi mbas

I may not have understood the issue you described but I think I understand your requirement.

You want to assign the new hosts of your company that are not yet part of the domain to a special VLAN where the helpdesk team can install it and join it to the domain, right?

AEK
mbas (Author)
Explorer II
October 23, 2025

Yes, this is the requirement. I want to use the contractor template for this. This way, all help desk personnel can create a user account for themselves and log in with a new computer, and I can assign them an onboarding VLAN.

However, if another device has the same email as the contractor user, FortiNAC links that device to the contractor user, which I don't want to happen. I enabled Passive Agent for user tracking, but I think because of that, FortiNAC finds all devices related to that email address and shows the contractor user as the logged-on user.

I did not expect to see the logged-on user be the contractor user on an existing computer. That's where I got confused :)

AEK
SuperUser
October 23, 2025

So why should it be a contractor account? Why not an AD account?

Once he gets the portal, the helpdesk will log in with his AD account and he will be dropped in the special VLAN.

And once the PC joins the domain and the persistent agent is installed, the policy will drop it in the prod VLAN.

Is there any problem with this scenario?

AEK
ebilcari
Staff
October 24, 2025

Is the contractor username related to the user part of the email address that is used? Do these hosts have the Persistent Agent installed while they are onboarding?

FNAC will try to match Users after they successfully register a host and by default will try to cut the domain part and just match the sAMAccountName.

Emirjon
mbas (Author)
Explorer II
October 25, 2025

The new user does not have PA, but the existing user does. We just created a contractor account, and even without logging in, the existing user was isolated after 5-10 minutes. The contractor username and the existing user have the same email address.

If FNAC is matching, then I will tell them not to create any contractor accounts with the same email addresses as existing users.

The only thing I don't understand is why the FNAC changed the logged-on user to the contractor user on the existing host.

Thanks, Emirjon.

AEK
SuperUser
Best answer
October 26, 2025

In your LDAP config, what is set as identifier? sAMAccountName or mail?

ldap_user_id.png

AEK
mbas (Author)
Explorer II
October 27, 2025

Hi AEK,

No, that was the UserPrincipalName attribute in LDAP. I don't use MSCHAPv2; I use EAP-TLS authentication with a user certificate. When I authenticate the user, the host is registered with 802.1X auto-registration, and the username is shown as UserPrincipalName in the RADIUS logs because we set up the certificate settings as UserPrincipalName.

radius (1).jpg

Host view:

user-prncpl.jpg

However, after changing the identifier to sAMAccountName, the logged-on user was shown as UserID.

host.jpg

No Persistent Agent installed.

contractor.jpg

After creating a contractor account with the same email address as the existing user, I can see both the RADIUS-authenticated user and the contractor user in the User Accounts menu.

users.jpg

Before, the user IDs were the same because the email address was the same as the userPrincipalName. As you can see, the user IDs are different now. There is no match for hosts :)

This entry can be closed. Thank you so much @AEK and @ebilcari :)
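As an added illustration of the matching behaviour worked out in this thread (example code, not FortiNAC's own and not part of any post above): the script below models how the configured LDAP identifier decides whether a help-desk-created contractor account ends up with the same user ID as an existing directory user, which is the collision that isolated the existing host. The directory records, the assumption that a contractor account's ID is its email address, and the match-then-strip-domain order are constructed assumptions, not documented FortiNAC logic.

```python
"""Model of the contractor / AD user ID collision discussed in this thread.
Added example, not FortiNAC code. Constructed assumptions, not documented logic:
a directory user's ID is the configured LDAP identifier attribute; a contractor
account's ID is the email the help desk typed in; a RADIUS username is matched
as-is first, then with its domain part cut off."""
from dataclasses import dataclass

@dataclass(frozen=True)
class DirectoryUser:
    sam_account_name: str
    user_principal_name: str
    mail: str

def user_id_for(user: DirectoryUser, identifier: str) -> str:
    """ID FortiNAC would assign this directory user under the given identifier."""
    attrs = {"sAMAccountName": user.sam_account_name,
             "userPrincipalName": user.user_principal_name,
             "mail": user.mail}
    return attrs[identifier].lower()

def strip_domain(username: str) -> str:
    """'jdoe@corp.example' or 'CORP\\jdoe' -> 'jdoe' (the domain cut ebilcari describes)."""
    return username.split("@")[0].split("\\")[-1].lower()

def resolve_radius_user(radius_username, directory, identifier):
    """sAMAccountName of the directory user a registering host is linked to, or None."""
    by_id = {user_id_for(u, identifier): u for u in directory}
    for candidate in (radius_username.lower(), strip_domain(radius_username)):
        if candidate in by_id:
            return by_id[candidate].sam_account_name
    return None

def find_collisions(directory, contractor_emails, identifier):
    """(contractor email, sAMAccountName) pairs whose user IDs would be identical,
    i.e. contractor accounts that would capture an existing AD user's hosts."""
    by_id = {user_id_for(u, identifier): u for u in directory}
    return [(e, by_id[e.lower()].sam_account_name)
            for e in contractor_emails if e.lower() in by_id]

# Constructed sample data: two AD users and one contractor reusing jdoe's email.
DIRECTORY = [
    DirectoryUser("jdoe", "jdoe@corp.example", "jdoe@corp.example"),
    DirectoryUser("asmith", "asmith@corp.example", "asmith@corp.example"),
]
CONTRACTORS = ["jdoe@corp.example"]

if __name__ == "__main__":
    for ident in ("userPrincipalName", "sAMAccountName"):
        print(ident, find_collisions(DIRECTORY, CONTRACTORS, ident),
              resolve_radius_user("jdoe@corp.example", DIRECTORY, ident))
```

With the identifier set to userPrincipalName or mail the contractor entry collides with jdoe; with sAMAccountName the IDs differ, yet an EAP-TLS host whose RADIUS username is the UPN still resolves to jdoe once the domain part is cut, which matches the outcome reported in the last post.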