Rabeb_Ali
Explorer II
March 30, 2026
Solved

FortiNAC 7.4.2 - Issue with Registration VLAN assignment

Hello everyone,

I’m encountering a strange behavior with my FortiNAC architecture (v7.4.2) running in Layer 3 mode. Everything was working perfectly for months, but suddenly, the VLAN assignment logic seems broken.

My Setup:

  • FortiNAC Version: 7.4.2

  • Mode: L3 with Registration VLAN activated.

  • DHCP: Pool declared directly on FortiNAC for the Guest/Registration scope.

  • Switch Configuration: Standard RADIUS config applied to the ports.

  • Port Group Membership: Initially, only "Role-Based Access" was checked.

Troubleshooting attempted: To mitigate this, I recently had to check "Forced Registration" in the Port Group Membership settings. However, I never needed this before; it used to work perfectly with only "Role-Based Access" enabled.

Question: Why did the default behavior change? Has anyone seen a bug in 7.4.2 where unknown hosts bypass the Registration VLAN and get Production access by default?

Best answer by ebilcari

1 reply

ebilcari
Staff
April 1, 2026

'Forced Registration' is required to enforce isolation for new rogue devices connecting to the network; this has always been a requirement. The details are explained here: Technical Tip: 'State based Control' concept and VLAN changes

'Role Based Access' will enforce VLANs based on Network Access policies. Maybe the default VLAN is also set as the registration/isolation VLAN.

Emirjon