ByteHaven
Explorer III
March 29, 2026
Question

FortiNAC AD Authentication for Employees - Captive Portal or 802.1X?

  • March 29, 2026
  • 2 replies
  • 307 views

Hi everyone,

I've got the guest flow working — guests get isolated, hit the captive portal, self-register, and get moved to the guest VLAN. SNMP, MAC learning, and L2 traps are all configured and working on the switch side.

Now I'm trying to set up the employee flow and I'm not sure what the best practice is.

For employees I want them to authenticate against Active Directory and then get placed into the employee VLAN automatically.

My question:
For AD-authenticated employees, is the captive portal still the recommended approach or should I be looking at dot1x instead? (It is a wired network, no wireless).

Any advice or example configs would be greatly appreciated. Thanks!

2 replies

Stephen_G
Moderator
March 31, 2026

Hello ByteHaven,

Thank you for using the Community Forum. I will seek to get you some help. We will reply to this thread with an update as soon as possible.

I recognise this is a broad topic. If anyone else has any ideas, feel free to contribute!

Regards,
Stephen_G - Fortinet Community Team

AEK
SuperUser
April 1, 2026

Hi BH

I don't really have an idea about which one is recommended, but I'll just share my experience about the simple way to proceed.

So far, when I integrate NAC for wired connections I don't use dot1x, but this is because the companies for which I integrated it don't use it. But I guess this depends on the company's policy, whether they use dot1x for wired connections or not.

On the other hand, for NAC authentication of corp hosts I use the persistent agent for passive authentication. This avoids the user having to authenticate twice (Windows session + captive portal).

Hope it helps a bit.

AEK

ebilcari
Staff
April 1, 2026

In addition, if users want to onboard devices that are not enterprise managed or part of the domain, they can register them through the portal using their AD credentials, workflow.
Some other details are also shown here: Technical Tip: Control BYOD access

Emirjon

ByteHaven
Author
Explorer III
April 2, 2026

So how can I achieve this, please?

Like AEK said, I don't want users to double authenticate (Windows session + captive portal).

BR,