mzougaghe
New Member
September 24, 2025
Question

FortiNAC 802.1X – Dynamic VLAN Assignment Based on AD Groups

I’ve configured FortiNAC-F as a local RADIUS server and successfully joined it to my Active Directory using Winbind.

Currently, I have a network access policy that places all 802.1X users into the LAN Network, and it’s working as expected.

Now, I’d like to set up access policies that dynamically assign VLANs based on the user’s Active Directory group membership:

  • If a user belongs to AD IT_GROUPE, they should be placed in the IT Network.

  • If a user belongs to AD USERS_GROUPE, they should be placed in the LAN Network.

1 reply

AEK
SuperUser
September 25, 2025

Hi Mohamed

First you should prepare two UHPs (User/Host Profiles). In the first you select IT_GROUP in the WHO field, and in the second UHP you select USERS_GROUP in the same field. You can also use User Roles instead.

Then use these two UHPs to build two Access Policies and select for each the appropriate network as the target.

AEK
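Once the two Access Policies exist, the thing worth checking is what the switch actually receives: a FortiNAC dynamic VLAN assignment reaches the switch as the RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN) in the RADIUS Access-Accept. The decoder below is an added example for this thread, not FortiNAC code or anything from the Fortinet documentation. It verifies the Response Authenticator against the shared secret (so a forged or mis-secreted reply is rejected rather than trusted), walks the attribute TLVs, handles the RFC 2868 tag byte, and returns the VLAN the reply assigns. The sample packet, the shared secret `example-shared-secret` and the VLAN `200` are constructed for the demo; on a real deployment you would feed it the bytes of an Access-Accept captured between the switch and the FortiNAC RADIUS server together with the Request Authenticator of the matching Access-Request.

```python
"""Decode a RADIUS Access-Accept and extract the RFC 3580 dynamic-VLAN attributes.

Added example, not FortiNAC code. The packet, secret and VLAN below are constructed.
"""
from __future__ import annotations

import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def parse_attributes(payload: bytes) -> list[tuple[int, bytes]]:
    """Walk the Type/Length/Value list, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def split_tag(value: bytes) -> tuple[int, bytes]:
    """RFC 2868: a leading byte <= 0x1F is a tag grouping the tunnel attributes; otherwise no tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def verify_response_authenticator(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return packet[4:20] == expected


def extract_vlan(packet: bytes, request_authenticator: bytes, secret: bytes) -> str | None:
    """Return the VLAN (ID or name) an authentic Access-Accept assigns, or None if it assigns none."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, length = packet[0], struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if not verify_response_authenticator(packet, request_authenticator, secret):
        raise ValueError("response authenticator mismatch: wrong secret or forged reply")
    if code != ACCESS_ACCEPT:
        return None
    # Group the three tunnel attributes by tag so a multi-tunnel reply is read consistently.
    groups: dict[int, dict[int, bytes]] = {}
    for atype, value in parse_attributes(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(value)
            groups.setdefault(tag, {})[atype] = body
    for group in groups.values():
        if TUNNEL_TYPE in group and int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue  # some other tunnel type, not a VLAN assignment
        if TUNNEL_MEDIUM_TYPE in group and int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        if TUNNEL_PRIVATE_GROUP_ID in group:
            return group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", errors="replace")
    return None


def build_access_accept(ident: int, request_authenticator: bytes, secret: bytes, vlan: str, tag: int = 1) -> bytes:
    """Construct the Access-Accept a NAC server would send for a dynamic VLAN (demo input only)."""
    def attr(atype: int, body: bytes) -> bytes:
        return bytes([atype, len(body) + 2]) + body

    attrs = (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode("ascii")))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


if __name__ == "__main__":
    REQ_AUTH = bytes(range(16))            # constructed Request Authenticator
    SECRET = b"example-shared-secret"      # hypothetical shared secret
    reply = build_access_accept(7, REQ_AUTH, SECRET, "200")  # hypothetical IT VLAN
    print("assigned VLAN:", extract_vlan(reply, REQ_AUTH, SECRET))
```

If the decoder returns the LAN VLAN for a user who should have matched the IT profile, the problem is on the FortiNAC side (profile match order, the WHO field, or the host's Logged On User); if it returns None, the Access Policy is not sending tunnel attributes at all; if it raises on the authenticator, the capture was taken with the wrong secret or the reply did not come from the server you think it did.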
mzougaghe (Author)
New Member
September 25, 2025

Hi AEK,

Thank you for your reply.

In the WHO field, I don’t see an option for AD Group—only user attributes such as first name, last name, city, etc., are available.

Here’s what I’ve tried so far (unsuccessfully):

  1. Created a role: IT_ROLE, which includes the AD group IT_GROUP.

  2. Created a UHP: IT_UHP, configured to match users with the role IT_ROLE AND using PEAP as the RADIUS authentication method.

  3. Configured Network Access: to assign users to the IT network if they match IT_UHP.

Unfortunately, this setup isn't working as expected. Any insights on what might be missing or misconfigured?

Thanks again for your help!

ebilcari
Staff
September 26, 2025

Which version of FNAC are you currently running? What type of 802.1X is being used, and is 'Dot1x Auto Registration' applied?
Does the host have the 'Registered To' and 'Logged On User' fields populated? The host Groups and Roles will rely on this information.

Emirjon