MFisherIT
Visitor III
September 5, 2025
Solved

Devices don't reach guest-vlan

I have a FortiGate 71F (v7.4.8 build2795) "FortiLink'ed" to a FortiSwitch 124F (7.6.1-build1047).

I have a Dynamic Port policy:

config switch-controller dynamic-port-policy
    edit "typcialdevices"
        set description "A port policy for typical devices we know about."
        set fortilink "afortilink"
        config policy
            edit "forti-aps"
                set description "The FortiAPs"
                set mac "b4:b2:e9:*:*:*"
                set hw-vendor "Fortinet"
                set family "FortiAP"
                set vlan-policy "vpapmgmt"
            next
            edit "pmsi-default"
                set description "LAST policy rule. This indicates the default properties for any"
                set mac "*:*:*:*:*:*"
                set 802-1x "nps-even"
            next
        end
    next
end

I have a Security Policy:

config switch-controller security-policy 802-1X
    edit "nps-even"
        set security-mode 802.1X-mac-based
        set user-group "nps-radius"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set eap-auto-untagged-vlans enable
        set guest-vlan enable
        set guest-vlan-id "flguest"
        set guest-auth-delay 1
        set auth-fail-vlan enable
        set auth-fail-vlan-id "flguest"
        set framevid-apply enable
        set radius-timeout-overwrite disable
        set authserver-timeout-vlan enable
        set authserver-timeout-vlanid "flguest"
        set authserver-timeout-tagged disable
        set dacl disable
    next
end

I have the endpoint switch ports set to:

edit "port5"
    set poe-capable 1
    set vlan "flguest"
    set allowed-vlans "quarantine" "flguest"
    set untagged-vlans "quarantine"
    set access-mode dynamic
    set port-policy "typcialdevices"
    set export-to "root"
    set mac-addr 48:3a:02:3e:d3:29
next

The DPP works well. Multiple devices using different authentication methods with 802.1X work well.

I cannot get devices that are 802.1X incapable to fail to the guest/auth-fail VLAN (flguest / 130).

What am I missing?

Below is the debug output:

diagnose debug disable
diagnose debug reset
diag deb application dhcprelay -1
diag deb application dhcps -1
diag deb application eap_proxy -1
diag deb application fnbamd -1
diag deb application wiredap -1
diagnose debug console time enable
diagnose debug enable
2025-09-05 12:56:59 Checking STA 80:5e:0c:14:45:92 inactivity:
2025-09-05 12:56:59   Station has been active
2025-09-05 12:57:12 Signal 1 received - config reload scheduled.
2025-09-05 12:57:12 Signal 1 received - config reload RE-scheduled.
2025-09-05 12:57:12 dhcp_snooping_do_cmdb_event:8392:
2025-09-05 12:57:12 on_sw_intf_dhcp_snooping_change:7294:
2025-09-05 12:57:12 on_sw_intf_dhcp_snooping_change:7339: when = 2, sw_intf = port5 trusted = 1 option82-trust = 0,learn_limit(new:old) 5 -
2025-09-05 12:57:12 Signal 1 received - config reload RE-scheduled.
2025-09-05 12:57:13 reconfigure:6669: dhcprelay: detected shared memory version increment, reschedule
2025-09-05 12:57:13 ftnt_config_reload(): running...
2025-09-05 12:57:13 New interface Parameters interface:port4:
reauth:3600: txperiod:12: max attempt:2: link_down:1: mab_entry_as:0: l2_aging_time:300:300: mab_reauth:0: allow_mac_move_global:0:
eap_passthru:1:auth_order:1:auth_priority:0:eap_egress_tagged:1:allow_mac_move_from:0:allow_mac_move_to:0:dacl:0:eap_auto_untagged_vlans:1:quarantine_vlan:1:global_qtine_vlan:1:guestvlan:1:guestvlanid:130:delay:1:
authfailvlan:1:authfailvlanid:130:authservertimeoutvlan:1:authservertimeoutvlanid:130:authservertimeoutperiod:3:authservertimeouttagged:0:taggedvlanid:300:taggedlldpvoicevlanid:0:mab_eapol:3:radius_timeout:0:framevid_app:1:mac_auth_bypass:0:0:intf flush:0:1:
2025-09-05 12:57:13 New conf interface Parameters interface:port4:
reauth:3600: txperiod:12: max attempt:2: link_down:1: mab_entry_as:0: l2_aging_timer:300:300: mab_reauth:0: allow_mac_move_global:0
eap_passthru:1:auth_order:1:auth_priority:0:eap_egress_tagged:1:allow_mac_move_from:0:allow_mac_move_to:0:dacl:0:eap_auto_untagged_vlans:1:quarantine_vlan:1:global_qtine_vlan:1:guestvlan:1:guestvlanid:130:delay:1:
authfailvlan:1:authfailvlanid:130:authservertimeoutvlan:1:authservertimeoutvlanid:130:authservertimeoutperiod:3:authservertimeouttagged:0:taggedvlanid:300:taggedlldpvoicevlanid:0:mab_eapol:3:radius_timeout:0:framevid_app:1:mac_auth_bypass:0:0:intf flush:0:1
2025-09-05 12:57:13 wrdapd_hostapd_flush Hostapd own address 48:3a:02:3e:d3:28 iface:port4: global:(nil) cmd:-1: type:1 flush:0.
2025-09-05 12:57:13 find_or_replace_iface: 'port5' initing new interface
2025-09-05 12:57:13 Configuration file: port5
2025-09-05 12:57:13 read_fswitch_config: read 1 ports from 'port5' unit 0 port 5
2025-09-05 12:57:13 New interface Parameters interface:port5:
reauth:3600: txperiod:12: max attempt:2: link_down:1: mab_entry_as:0: l2_aging_time:0:300: mab_reauth:0
:eap_passthru:1:auth_order:1:auth_priority:0:ap_egress_tagged:1:allow_mac_move_from:0:allow_mac_move_to:0:dacl:0:eap_auto_untagged_vlans:1:quarantine_vlan:1:global_qtine_vlan:1:allow_mac_move_global:0:guestvlan:1:guestvlanid:130:delay:1:
authfailvlan:1:authfailvlanid:130:authservertimeoutvlan:1:authservertimeoutvlanid:130:authservertimeoutperiod:3:authservertimeouttagged:0:taggedvlanid:300:taggedlldpvoicevlanid:0:radius_timeout:0:framevid_apply:1:mac_auth_bypass:0:0:
intf flush:1:1
2025-09-05 12:57:13 FTNT_FSW: initializing ftnt_fswitch driver on port5
2025-09-05 12:57:13 FTNT_FSW:  added fsw 'port5' unit 0 port 5
2025-09-05 12:57:13 FTNT_FSW: opening local packet socket for port5 (port 5) @ /tmp/wiredapd_5.pkt
2025-09-05 12:57:13 FTNT_FSW: got mac:48:3a:02:3e:d3:29 for unit 0 port 5
2025-09-05 12:57:13 FTNT_FSW:  __port_init_sta: clear STA cache
2025-09-05 12:57:13 FTNT_FSW:  __port_init_retry_sta: clear RETRY STA cache
2025-09-05 12:57:13 BSS count 1, BSSID mask 00:00:00:00:00:00 (0 bits)
2025-09-05 12:57:13 Completing interface initialization
2025-09-05 12:57:13 hostapd_setup_bss: start.
2025-09-05 12:57:13 hostapd_setup_bss: continous.
2025-09-05 12:57:13 Flushing old station entries
2025-09-05 12:57:13 hostapd_quarantine_mac_sta_sync cannot sync quarantine sta_mac_addr
2025-09-05 12:57:13 FTNT_FSW:  ftnt_fswitch_driver_flush port:5:
2025-09-05 12:57:13 FTNT_FSW:  __port_init_retry_sta: clear RETRY STA cache
2025-09-05 12:57:13 FTNT_FSW:  __port_sta_8021x_fail_init
2025-09-05 12:57:13 FTNT_FSW:  __port_sta_mab_fail_init
2025-09-05 12:57:13 FTNT_FSW:  __port_init_sta: clear STA cache
2025-09-05 12:57:13 Deauthenticate all stations
2025-09-05 12:57:13 Using interface port5 with hwaddr 48:3a:02:3e:d3:29 and ssid ''
2025-09-05 12:57:13 hostapd_setup_bss: wrdapd_radius_client_init.
2025-09-05 12:57:13 wrdapd_radius_client_init:start.
2025-09-05 12:57:13 radius_change_server:RADIUS local address: 127.0.0.1:48881
2025-09-05 12:57:13 hostapd_setup_bss: wrdapd_fnbam_init.
2025-09-05 12:57:13 wrdapd_fnbam_init:FNBAM init:33
2025-09-05 12:57:13 Using existing control interface directory.
2025-09-05 12:57:13 wrdapd_hostapd_flush Hostapd own address 48:3a:02:3e:d3:29 iface:port5: global:(nil) cmd:-1: type:1 flush:1.
2025-09-05 12:57:13 receive Flush 802_1x/MAB sessions. ifname :port5: flush:1:.
2025-09-05 12:57:13 hostapd_quarantine_mac_sta_sync cannot sync quarantine sta_mac_addr
2025-09-05 12:57:13 FTNT_FSW:  ftnt_fswitch_driver_flush port:5:
2025-09-05 12:57:13 FTNT_FSW:  __port_init_retry_sta: clear RETRY STA cache
2025-09-05 12:57:13 FTNT_FSW:  __port_sta_8021x_fail_init
2025-09-05 12:57:13 FTNT_FSW:  __port_sta_mab_fail_init
2025-09-05 12:57:13 FTNT_FSW:  __port_init_sta: clear STA cache
2025-09-05 12:57:13 port5: Setup of interface done.
2025-09-05 12:57:13 New interface Parameters interface:port11:
reauth:3600: txperiod:12: max attempt:2: link_down:1: mab_entry_as:0: l2_aging_time:300:300: mab_reauth:0: allow_mac_move_global:0:
eap_passthru:1:auth_order:1:auth_priority:0:eap_egress_tagged:1:allow_mac_move_from:0:allow_mac_move_to:0:dacl:0:eap_auto_untagged_vlans:1:quarantine_vlan:1:global_qtine_vlan:1:guestvlan:1:guestvlanid:130:delay:1:
authfailvlan:1:authfailvlanid:130:authservertimeoutvlan:1:authservertimeoutvlanid:130:authservertimeoutperiod:3:authservertimeouttagged:0:taggedvlanid:300:taggedlldpvoicevlanid:0:mab_eapol:3:radius_timeout:0:framevid_app:1:mac_auth_bypass:0:0:intf flush:0:1:
2025-09-05 12:57:13 New conf interface Parameters interface:port11:
reauth:3600: txperiod:12: max attempt:2: link_down:1: mab_entry_as:0: l2_aging_timer:300:300: mab_reauth:0: allow_mac_move_global:0
eap_passthru:1:auth_order:1:auth_priority:0:eap_egress_tagged:1:allow_mac_move_from:0:allow_mac_move_to:0:dacl:0:eap_auto_untagged_vlans:1:quarantine_vlan:1:global_qtine_vlan:1:guestvlan:1:guestvlanid:130:delay:1:
authfailvlan:1:authfailvlanid:130:authservertimeoutvlan:1:authservertimeoutvlanid:130:authservertimeoutperiod:3:authservertimeouttagged:0:taggedvlanid:300:taggedlldpvoicevlanid:0:mab_eapol:3:radius_timeout:0:framevid_app:1:mac_auth_bypass:0:0:intf flush:0:1
2025-09-05 12:57:13 wrdapd_hostapd_flush Hostapd own address 48:3a:02:3e:d3:2f iface:port11: global:(nil) cmd:-1: type:1 flush:0.
2025-09-05 12:57:13 New interface Parameters interface:port13:
reauth:3600: txperiod:12: max attempt:2: link_down:1: mab_entry_as:0: l2_aging_time:300:300: mab_reauth:0: allow_mac_move_global:0:
eap_passthru:1:auth_order:1:auth_priority:0:eap_egress_tagged:1:allow_mac_move_from:0:allow_mac_move_to:0:dacl:0:eap_auto_untagged_vlans:1:quarantine_vlan:1:global_qtine_vlan:1:guestvlan:0:guestvlanid:100:delay:1:
authfailvlan:1:authfailvlanid:130:authservertimeoutvlan:1:authservertimeoutvlanid:130:authservertimeoutperiod:3:authservertimeouttagged:0:taggedvlanid:300:taggedlldpvoicevlanid:0:mab_eapol:3:radius_timeout:0:framevid_app:1:mac_auth_bypass:0:0:intf flush:0:1:
2025-09-05 12:57:13 New conf interface Parameters interface:port13:
reauth:3600: txperiod:12: max attempt:2: link_down:1: mab_entry_as:0: l2_aging_timer:300:300: mab_reauth:0: allow_mac_move_global:0
eap_passthru:1:auth_order:1:auth_priority:0:eap_egress_tagged:1:allow_mac_move_from:0:allow_mac_move_to:0:dacl:0:eap_auto_untagged_vlans:1:quarantine_vlan:1:global_qtine_vlan:1:guestvlan:0:guestvlanid:100:delay:1:
authfailvlan:1:authfailvlanid:130:authservertimeoutvlan:1:authservertimeoutvlanid:130:authservertimeoutperiod:3:authservertimeouttagged:0:taggedvlanid:300:taggedlldpvoicevlanid:0:mab_eapol:3:radius_timeout:0:framevid_app:1:mac_auth_bypass:0:0:intf flush:0:1
2025-09-05 12:57:13 wrdapd_hostapd_flush Hostapd own address 48:3a:02:3e:d3:31 iface:port13: global:(nil) cmd:-1: type:1 flush:0.
2025-09-05 12:57:13 ftnt_config_reload: handled 3 old interfaces 4 new 0 deleted 4 added/updated
2025-09-05 12:57:13 FTNT_FSW:  link down on port5 with deauth. Flush all STAs and set port to unauthorized
2025-09-05 12:57:13 FTNT_FSW:  __port_init_retry_sta: clear RETRY STA cache
2025-09-05 12:57:13 FTNT_FSW:  __port_sta_8021x_fail_init
2025-09-05 12:57:13 FTNT_FSW:  __port_sta_mab_fail_init
2025-09-05 12:57:14 reconfigure:6669: dhcprelay: detected shared memory version increment, reschedule
2025-09-05 12:57:14 FTNT_FSW:  do nothing when remove sta/init when link down port5 fake addr STA will create when link up STA 00:09:0f:05:05:05
2025-09-05 12:57:19 Checking STA a0:29:19:ee:a2:44 inactivity:
2025-09-05 12:57:19   Station has been active
2025-09-05 12:57:20 FTNT_FSW: linkup sta  link_down_auth port5 with no STA installed. installing STA 00:09:0f:05:05:05
2025-09-05 12:57:20 Data frame from unknown STA 00:09:0f:05:05:05 - adding a new STA
2025-09-05 12:57:20   New STA
2025-09-05 12:57:20 IEEE 802.1X: hostapd_prune_associations prune_disassoicate
2025-09-05 12:57:20 IEEE 802.1X: prune_associations start prune
2025-09-05 12:57:20 IEEE 802.1X: prune_associations start prune
2025-09-05 12:57:20 IEEE 802.1X: prune_associations start prune
2025-09-05 12:57:20 IEEE 802.1X: prune_associations start prune
2025-09-05 12:57:20 EAP: Server state machine created tx_period :12:
2025-09-05 12:57:20 IEEE 802.1X: 00:09:0f:05:05:05 BE_AUTH entering state IDLE
2025-09-05 12:57:20 IEEE 802.1X: 00:09:0f:05:05:05 CTRL_DIR entering state FORCE_BOTH
2025-09-05 12:57:20 IEEE 802.1X: 00:09:0f:05:05:05 AUTH_PAE entering state DISCONNECTED
2025-09-05 12:57:20 FTNT_FSW:  fake address sta not process :ftnt_fswitch_driver_sta_set_flags
2025-09-05 12:57:20 IEEE 802.1X: 00:09:0f:05:05:05 AUTH_PAE entering state RESTART
2025-09-05 12:57:20 EAP: EAP entering state INITIALIZE
2025-09-05 12:57:20 EAP: EAP entering state SELECT_ACTION
2025-09-05 12:57:20 EAP: getDecision: no identity known yet -> CONTINUE
2025-09-05 12:57:20 EAP: EAP entering state PROPOSE_METHOD
2025-09-05 12:57:20 EAP: getNextMethod: vendor 0 type 1
2025-09-05 12:57:20 EAP: EAP entering state METHOD_REQUEST
2025-09-05 12:57:20 EAP: building EAP-Request: Identifier 32
2025-09-05 12:57:20 EAP: EAP entering state SEND_REQUEST
2025-09-05 12:57:20 EAP: EAP entering state IDLE
2025-09-05 12:57:20 EAP: tx_period  3 seconds (from dynamic back off ;retransCount=0)
2025-09-05 12:57:20 IEEE 802.1X: 00:09:0f:05:05:05 AUTH_PAE entering state CONNECTING
2025-09-05 12:57:20 IEEE 802.1X: 00:09:0f:05:05:05 AUTH_PAE entering state AUTHENTICATING
2025-09-05 12:57:20 IEEE 802.1X: 00:09:0f:05:05:05 BE_AUTH entering state REQUEST
2025-09-05 12:57:20 FTNT_FSW: EAP packet sending with **vlanid=130** tag_mode:0: in header on port5:
2025-09-05 12:57:20 FTNT_FSW:  link down on port5 with deauth. Flush all STAs and set port to unauthorized
2025-09-05 12:57:20 Removing station 00:09:0f:05:05:05
2025-09-05 12:57:20 ACCT stop session:0:0: cause :6:
2025-09-05 12:57:20 FTNT_FSW: STA 00:09:0f:05:05:05 ftnt_fswitch_driver_sta_remove on port5 : prev_auth:0:
2025-09-05 12:57:20 FTNT_FSW: STA 00:09:0f:05:05:05 ftnt_fswitch_driver_sta_remove on port5 mode :2: mab_mode :0:
2025-09-05 12:57:20 EAP: Server state machine removed
2025-09-05 12:57:20 FTNT_FSW:  __port_init_retry_sta: clear RETRY STA cache
2025-09-05 12:57:20 FTNT_FSW:  __port_sta_8021x_fail_init
2025-09-05 12:57:20 FTNT_FSW:  __port_sta_mab_fail_init
2025-09-05 12:57:24 FTNT_FSW: linkup sta  link_down_auth port5 with no STA installed. installing STA 00:09:0f:05:05:05
2025-09-05 12:57:24 Data frame from unknown STA 00:09:0f:05:05:05 - adding a new STA
2025-09-05 12:57:24   New STA
2025-09-05 12:57:24 IEEE 802.1X: hostapd_prune_associations prune_disassoicate
2025-09-05 12:57:24 IEEE 802.1X: prune_associations start prune
2025-09-05 12:57:24 IEEE 802.1X: prune_associations start prune
2025-09-05 12:57:24 IEEE 802.1X: prune_associations start prune
2025-09-05 12:57:24 IEEE 802.1X: prune_associations start prune
2025-09-05 12:57:24 EAP: Server state machine created tx_period :12:
2025-09-05 12:57:24 IEEE 802.1X: 00:09:0f:05:05:05 BE_AUTH entering state IDLE
2025-09-05 12:57:24 IEEE 802.1X: 00:09:0f:05:05:05 CTRL_DIR entering state FORCE_BOTH
2025-09-05 12:57:24 IEEE 802.1X: 00:09:0f:05:05:05 AUTH_PAE entering state DISCONNECTED
2025-09-05 12:57:24 FTNT_FSW:  fake address sta not process :ftnt_fswitch_driver_sta_set_flags
2025-09-05 12:57:24 IEEE 802.1X: 00:09:0f:05:05:05 AUTH_PAE entering state RESTART
2025-09-05 12:57:24 EAP: EAP entering state INITIALIZE
2025-09-05 12:57:24 EAP: EAP entering state SELECT_ACTION
2025-09-05 12:57:24 EAP: getDecision: no identity known yet -> CONTINUE
2025-09-05 12:57:24 EAP: EAP entering state PROPOSE_METHOD
2025-09-05 12:57:24 EAP: getNextMethod: vendor 0 type 1
2025-09-05 12:57:24 EAP: EAP entering state METHOD_REQUEST
2025-09-05 12:57:24 EAP: building EAP-Request: Identifier 50
2025-09-05 12:57:24 EAP: EAP entering state SEND_REQUEST
2025-09-05 12:57:24 EAP: EAP entering state IDLE
2025-09-05 12:57:24 EAP: tx_period  3 seconds (from dynamic back off ;retransCount=0)
2025-09-05 12:57:24 IEEE 802.1X: 00:09:0f:05:05:05 AUTH_PAE entering state CONNECTING
2025-09-05 12:57:24 IEEE 802.1X: 00:09:0f:05:05:05 AUTH_PAE entering state AUTHENTICATING
2025-09-05 12:57:24 IEEE 802.1X: 00:09:0f:05:05:05 BE_AUTH entering state REQUEST
2025-09-05 12:57:24 FTNT_FSW: EAP packet sending with **vlanid=130** tag_mode:0: in header on port5:
2025-09-05 12:57:27 EAP: EAP entering state RETRANSMIT
2025-09-05 12:57:27 EAP: EAP entering state IDLE
2025-09-05 12:57:27 EAP: tx_period  6 seconds (from dynamic back off ;retransCount=1)
2025-09-05 12:57:27 IEEE 802.1X: 00:09:0f:05:05:05 BE_AUTH entering state REQUEST
2025-09-05 12:57:27 FTNT_FSW: EAP packet sending with **vlanid=130** tag_mode:0: in header on port5:
2025-09-05 12:57:33 EAP: EAP entering state RETRANSMIT
2025-09-05 12:57:33 EAP: EAP entering state IDLE
2025-09-05 12:57:33 EAP: retransmit timeout 12 seconds (from dynamic back off more then tx_period ; retransCount=2)
2025-09-05 12:57:33 EAP: EAP entering state RETRANSMIT
2025-09-05 12:57:33 EAP: EAP entering state TIMEOUT_FAILURE
2025-09-05 12:57:33 IEEE 802.1X: 00:09:0f:05:05:05 BE_AUTH entering state REQUEST
2025-09-05 12:57:33 FTNT_FSW: EAP packet sending with **vlanid=130** tag_mode:0: in header on port5:
2025-09-05 12:57:34 IEEE 802.1X: 00:09:0f:05:05:05 BE_AUTH entering state TIMEOUT
2025-09-05 12:57:34 IEEE 802.1X: 00:09:0f:05:05:05 AUTH_PAE entering state ABORTING
2025-09-05 12:57:34 IEEE 802.1X: 00:09:0f:05:05:05 BE_AUTH entering state INITIALIZE
2025-09-05 12:57:34 IEEE 802.1X: 00:09:0f:05:05:05 AUTH_PAE entering state INITIALIZE
2025-09-05 12:57:34 IEEE 802.1X: 00:09:0f:05:05:05 BE_AUTH entering state IDLE
2025-09-05 12:57:34 EAP: EAP entering state DISABLED
2025-09-05 12:57:34 ACCT stop session:0:0: cause :0:
2025-09-05 12:57:34 FTNT_FSW: STA 00:09:0f:05:05:05 ftnt_fswitch_driver_sta_remove on port5 : prev_auth:0:
2025-09-05 12:57:34 FTNT_FSW: STA 00:09:0f:05:05:05 ftnt_fswitch_driver_sta_remove on port5 mode :2: mab_mode :0:
2025-09-05 12:57:34 FTNT_FSW: STA 00:09:0f:05:05:05 fake mab mode 0 on remove port5
2025-09-05 12:57:34 FTNT_FSW: STA 00:09:0f:05:05:05 fake MAB disable and MAC mode Trigger no need to create a fake STAport5
2025-09-05 12:57:34 EAP: Server state machine removed
2025-09-05 12:57:59 Checking STA 80:5e:0c:14:45:92 inactivity:
2025-09-05 12:57:59   Station has been active
2025-09-05 12:58:19 Checking STA a0:29:19:ee:a2:44 inactivity:
2025-09-05 12:58:19   Station has been active
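The dynamic port policy in the post above is an ordered rule list: a FortiAP rule keyed on OUI, vendor and family, followed by a catch-all that hands every other device to the "nps-even" 802.1X policy. Below is an added example, not code from the post or from Fortinet, that models that evaluation in Python and lints the list for rules an earlier rule makes unreachable. It assumes, since the thread does not state it, top-to-bottom first-match evaluation, that every configured matcher (mac, hw-vendor, family) must agree, that an unset matcher is a wildcard and that "*" in a MAC pattern stands for one whole octet. Rule names and patterns are the post's; the sample devices are constructed.

```python
"""Added example (not the thread's or FortiOS's own code): evaluate a
FortiSwitch dynamic-port-policy rule list against a device and lint the
list for rules that can never match.

Assumptions (not confirmed by the thread): rules are evaluated top to
bottom, the first rule whose configured matchers all agree wins, an
unset matcher is a wildcard, and '*' in a MAC pattern matches one octet.
Rule names and patterns are the thread's; the devices are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Six colon-separated octets, each either two hex digits or a '*' wildcard.
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}|\*)(?::(?:[0-9a-f]{2}|\*)){5}$")


@dataclass(frozen=True)
class Rule:
    name: str
    mac: str = "*:*:*:*:*:*"
    hw_vendor: Optional[str] = None
    family: Optional[str] = None
    vlan_policy: Optional[str] = None       # 'set vlan-policy'
    dot1x_policy: Optional[str] = None      # 'set 802-1x'


@dataclass(frozen=True)
class Device:
    mac: str
    hw_vendor: Optional[str] = None         # None: vendor not identified
    family: Optional[str] = None


def mac_matches(pattern: str, mac: str) -> bool:
    """Octet-wise wildcard compare; malformed input raises rather than failing open."""
    pattern, mac = pattern.lower(), mac.lower()
    if not MAC_RE.match(pattern):
        raise ValueError(f"bad MAC pattern: {pattern}")
    if not MAC_RE.match(mac) or "*" in mac:
        raise ValueError(f"bad MAC address: {mac}")
    return all(p in ("*", m) for p, m in zip(pattern.split(":"), mac.split(":")))


def rule_matches(rule: Rule, dev: Device) -> bool:
    """All configured matchers must agree; an unset matcher is a wildcard."""
    return (mac_matches(rule.mac, dev.mac)
            and rule.hw_vendor in (None, dev.hw_vendor)
            and rule.family in (None, dev.family))


def select_rule(rules: List[Rule], dev: Device) -> Optional[Rule]:
    """First-match evaluation, top to bottom; None if nothing matches."""
    return next((r for r in rules if rule_matches(r, dev)), None)


def covers(general: Rule, specific: Rule) -> bool:
    """True if every device that matches `specific` also matches `general`."""
    return (all(g in ("*", s) for g, s in zip(general.mac.split(":"), specific.mac.split(":")))
            and general.hw_vendor in (None, specific.hw_vendor)
            and general.family in (None, specific.family))


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that an earlier, at-least-as-general rule makes unreachable."""
    return [later.name for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


def effective_policy(rules: List[Rule], dev: Device) -> dict:
    """What the switch would apply to this device under the assumptions above."""
    r = select_rule(rules, dev)
    return {"rule": r.name if r else None,
            "vlan_policy": r.vlan_policy if r else None,
            "dot1x_policy": r.dot1x_policy if r else None}


# The two rules of the thread's "typcialdevices" policy, in configured order.
TYPICAL_DEVICES = [
    Rule("forti-aps", mac="b4:b2:e9:*:*:*", hw_vendor="Fortinet",
         family="FortiAP", vlan_policy="vpapmgmt"),
    Rule("pmsi-default", mac="*:*:*:*:*:*", dot1x_policy="nps-even"),
]

# Constructed devices, not taken from the thread.
FORTIAP = Device("B4:B2:E9:12:34:56", hw_vendor="Fortinet", family="FortiAP")
LAPTOP = Device("00:11:22:33:44:55", hw_vendor="Dell", family="Laptop")
UNIDENTIFIED_B4 = Device("b4:b2:e9:aa:bb:cc")   # right OUI, vendor/family not identified

if __name__ == "__main__":
    for d in (FORTIAP, LAPTOP, UNIDENTIFIED_B4):
        print(d.mac, effective_policy(TYPICAL_DEVICES, d))
    print("shadowed:", shadowed_rules(TYPICAL_DEVICES))
    print("shadowed if reversed:", shadowed_rules(TYPICAL_DEVICES[::-1]))
```

Two properties of the post's list fall out of this: the OUI alone does not select the FortiAP rule, so a b4:b2:e9 device whose vendor and family were not identified falls through to the catch-all and is subject to 802.1X (the safe direction), and the catch-all is last, so nothing is shadowed; reversing the two rules would make "forti-aps" unreachable.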

 


Anthony_E
Staff
September 8, 2025

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,
Best Regards
MFisherIT (Author)
Visitor III
September 8, 2025

Thank you @Anthony_E. Due to external events, this issue started when I was using a 124F-FPOE. I am now using a 148F-POE. The issue persists and the behavior is identical. I've done the following to try to troubleshoot this issue:

  • Tried different ports on the switch
  • Used different Windows 11 laptop
  • Used a non-windows device that is not 802.1X capable
  • Set port to static and assigning the 802.1X security policy to the port
  • Set port to static and assigning the flguest (130) as the Native VLAN
    • Device is able to access the Internet as intended
  • Tried different values for guest-auth-delay:
  • Enabling guest-vlan while disabling auth-fail-vlan
  • Disabling guest-vlan while enabling auth-fail-vlan
  • Enabling authserver-timeout-vlan (even though that should not matter)
  • Enabling radius-timeout-overwrite (currently disabled)
  • Upgraded the switch from 7.2 to 7.6
  • Factoryresetfull
    • upgraded again
  • factoryreset (after upgrade to 7.6)
  • disabled switch-controller-access-vlan on flguest (130)
  • Enabled IGMP snooping (which I do not normally do; see: Reddit Post)
  • Enabled DHCP snooping

Below is the current configuration of the flguest (130) VLAN interface on the FortiGate:

 

edit "flguest"
 set vdom "root"
 set ip 10.30.131.1 255.255.255.0
 set allowaccess ping radius-acct
 set description "Internet only VLAN only used with the FortiLink interface."
 set device-identification enable
 set role lan
 set snmp-index 25
 set switch-controller-igmp-snooping enable
 set switch-controller-dhcp-snooping enable
 set color 6
 set interface "afortilink"
 set vlanid 130
next

 

Jean-Philippe_P
Staff & Editor
September 10, 2025

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Thanks,

Jean-Philippe - Fortinet Community Team
MFisherIT (Author, Best answer)
Visitor III
October 3, 2025

Working with Jorge Lopez | TAC Engineer; they found the solution:
Enabling MAC authentication bypass (mac-auth-bypass) solved the issue. That worked with either the security mode (Port-based or MAC-based). Worked with both Windows laptops and the ATA device ("Fax" emulator). Worked with ports 5, 6, and 9.
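The debug output in the original post shows the sequence this fix removes: with mac_auth_bypass:0 on port5, the switch installs its placeholder STA 00:09:0f:05:05:05 on link-up, sends EAP-Request/Identity three times with a growing back-off (3, 6, then 12 seconds), reaches TIMEOUT_FAILURE, removes the STA with prev_auth:0 and logs that, with MAB disabled, no fake STA is created, so the client is never placed in VLAN 130. Below is an added example, not code from the thread or from Fortinet, that reads that "wiredap" debug text and flags ports showing exactly this sequence. The embedded sample is a trimmed excerpt of the thread's own output. The parser assumes (the thread does not say so) that the debug is serialised, so "EAP: EAP entering state" lines, which name no port, belong to the port that last installed a STA or sent an EAP frame.

```python
"""Added example, not code from the thread or from Fortinet: a checker for
the FortiSwitch 'wiredap' debug output shown in the original post.  It
flags a port whose client never answered EAP-Request/Identity, hit
TIMEOUT_FAILURE and was removed unauthenticated (prev_auth:0) while the
port's parameters show guestvlan enabled but mac_auth_bypass off: the
'stuck in limbo' case that enabling MAB resolved.
Assumption: the debug is serialised, so 'EAP: EAP entering state' lines
(which name no port) belong to the port that last installed a STA or
sent an EAP frame.
"""
import re

TS = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
RE_TS = re.compile(TS)
RE_IFACE = re.compile(TS + r"New (?:conf )?interface Parameters interface:(?P<port>\w+):")
RE_INSTALL = re.compile(TS + r"FTNT_FSW: linkup sta\s+link_down_auth (?P<port>\w+) .*installing STA (?P<mac>[0-9a-f:]{17})")
RE_EAPTX = re.compile(TS + r"FTNT_FSW: EAP packet sending with \*\*vlanid=(?P<vlan>\d+)\*\*.* on (?P<port>\w+):$")
RE_STATE = re.compile(TS + r"EAP: EAP entering state (?P<state>[A-Z_]+)$")
RE_REMOVE = re.compile(TS + r"FTNT_FSW: STA (?P<mac>[0-9a-f:]{17}) ftnt_fswitch_driver_sta_remove on (?P<port>\w+) : prev_auth:(?P<auth>\d):$")
RE_NOFAKE = re.compile(TS + r"FTNT_FSW: STA [0-9a-f:]{17} fake MAB disable .*no need to create a fake STA(?P<port>\w+)$")


def parse_port_params(blob: str) -> dict:
    """Pull the three fields this check needs out of a port's parameter dump."""
    guest = re.search(r"guestvlan:(\d):guestvlanid:(\d+):", blob)
    mab = re.search(r"mac_auth_bypass:(\d):", blob)
    return {"guest_vlan_enabled": bool(guest and guest.group(1) == "1"),
            "guest_vlan_id": int(guest.group(2)) if guest else None,
            "mab_enabled": bool(mab and mab.group(1) == "1")}


def analyze(log_text: str):
    """One pass over the debug text -> (list of STA sessions, {port: params})."""
    blobs, sessions, current = {}, [], {}
    blob_port = last_port = None
    for line in (l.rstrip() for l in log_text.splitlines() if l.strip()):
        if not RE_TS.match(line):                      # continuation of a parameter dump
            if blob_port:
                blobs[blob_port] = blobs.get(blob_port, "") + line
            continue
        blob_port = None
        if m := RE_IFACE.match(line):
            blob_port = m["port"]
        elif m := RE_INSTALL.match(line):              # link-up: a new placeholder-STA session
            current[m["port"]] = {"port": m["port"], "mac": m["mac"], "eap_vlan": None,
                                  "eap_tx": 0, "retransmits": 0, "timeout_failure": False,
                                  "prev_auth": None, "no_fake_sta": False}
            sessions.append(current[m["port"]])
            last_port = m["port"]
        elif (m := RE_EAPTX.match(line)) and m["port"] in current:
            current[m["port"]]["eap_tx"] += 1
            current[m["port"]]["eap_vlan"] = int(m["vlan"])
            last_port = m["port"]
        elif (m := RE_STATE.match(line)) and last_port in current:
            if m["state"] == "RETRANSMIT":
                current[last_port]["retransmits"] += 1
            elif m["state"] == "TIMEOUT_FAILURE":
                current[last_port]["timeout_failure"] = True
        elif (m := RE_REMOVE.match(line)) and m["port"] in current:
            current[m["port"]]["prev_auth"] = int(m["auth"])
        elif (m := RE_NOFAKE.match(line)) and m["port"] in current:
            current[m["port"]]["no_fake_sta"] = True
    return sessions, {p: parse_port_params(b) for p, b in blobs.items()}


def verdicts(log_text: str) -> list:
    """Each session, merged with its port's parameters and the no-fallback verdict."""
    sessions, params = analyze(log_text)
    out = []
    for s in sessions:
        p = params.get(s["port"], {})
        stuck = (s["timeout_failure"] and s["prev_auth"] == 0
                 and p.get("guest_vlan_enabled", False) and not p.get("mab_enabled", False))
        out.append({**s, **p, "stuck_no_fallback": bool(stuck)})
    return out


# Trimmed excerpt of the debug output posted in the thread (port5 parameter dump and
# its second STA session); line text is as posted, only intervening lines are omitted.
SAMPLE_LOG = """\
2025-09-05 12:57:13 New interface Parameters interface:port5:
:eap_passthru:1:auth_order:1:auth_priority:0:ap_egress_tagged:1:allow_mac_move_from:0:allow_mac_move_to:0:dacl:0:eap_auto_untagged_vlans:1:quarantine_vlan:1:global_qtine_vlan:1:allow_mac_move_global:0:guestvlan:1:guestvlanid:130:delay:1:
authfailvlan:1:authfailvlanid:130:authservertimeoutvlan:1:authservertimeoutvlanid:130:authservertimeoutperiod:3:authservertimeouttagged:0:taggedvlanid:300:taggedlldpvoicevlanid:0:radius_timeout:0:framevid_apply:1:mac_auth_bypass:0:0:
2025-09-05 12:57:24 FTNT_FSW: linkup sta  link_down_auth port5 with no STA installed. installing STA 00:09:0f:05:05:05
2025-09-05 12:57:24 EAP: EAP entering state SEND_REQUEST
2025-09-05 12:57:24 FTNT_FSW: EAP packet sending with **vlanid=130** tag_mode:0: in header on port5:
2025-09-05 12:57:27 EAP: EAP entering state RETRANSMIT
2025-09-05 12:57:27 FTNT_FSW: EAP packet sending with **vlanid=130** tag_mode:0: in header on port5:
2025-09-05 12:57:33 EAP: EAP entering state RETRANSMIT
2025-09-05 12:57:33 EAP: EAP entering state RETRANSMIT
2025-09-05 12:57:33 EAP: EAP entering state TIMEOUT_FAILURE
2025-09-05 12:57:33 FTNT_FSW: EAP packet sending with **vlanid=130** tag_mode:0: in header on port5:
2025-09-05 12:57:34 FTNT_FSW: STA 00:09:0f:05:05:05 ftnt_fswitch_driver_sta_remove on port5 : prev_auth:0:
2025-09-05 12:57:34 FTNT_FSW: STA 00:09:0f:05:05:05 fake MAB disable and MAC mode Trigger no need to create a fake STAport5
"""

if __name__ == "__main__":
    for v in verdicts(SAMPLE_LOG):
        print(v)
```

Running the same excerpt with the parameter dump changed to mac_auth_bypass:1 clears the verdict, which is the one setting the TAC engineer changed. The thread contains no debug output from the working configuration, so the checker recognises only the failing pattern and does not claim to show what a MAB fallback looks like in this log.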

Jean-Philippe_P
Staff & Editor
October 6, 2025

Hello MFisherIT,

Thanks for sharing the solution! Glad that you fixed it :)

Jean-Philippe - Fortinet Community Team
Bizway
New Member
October 31, 2025

Will this ever be fixed?
Because I do not require MAB, and now my RADIUS logs are filled with MAC authentication requests.

Following the RADIUS flow chart Fortinet provides, MAB should NOT be a requirement for the guest VLAN to be assigned, but it simply won't work without it, and clients that do not try to authenticate are never offloaded to the guest VLAN and just stay in limbo...

Flowchart (clearly states "MAB Enabled" -> "No" -> "Assign Guest VLAN"):
Change the priority of MAB and EAP 802.1X authentication | FortiGate / FortiOS 7.6.0 | Fortinet Document Library