barisben
New Member
July 7, 2025
Question

FortiNAC-F Persistent Agent IP Renewing After VLAN Switching

  • July 7, 2025
  • 3 replies
  • 1592 views

Hello, I've configured the persistent agent, but if there is a mismatch during the re-scan, it places the host into the security state "at risk" and assigns it to the registration VLAN. However, since the IP is not renewed, even though the user is now in the registration VLAN, they can still browse as if they were in their previous VLAN (in this case, if the user disconnects and reconnects to the network, they will naturally be placed in the registration VLAN). How can I ensure that the persistent agent forces an IP renewal?

3 replies

scitlak
Staff
July 7, 2025

Hello,
Please make sure that you have enabled the "PA Optimization Enabled (VLAN Switching Optimization with Persistent Agent)" option under "Network --> Inventory --> Switch --> Element Tab".

On the other hand, please also check the settings below.

07.07.2025_14.01.10_REC.png

BRs

barisben (Author)
New Member
July 7, 2025

The settings are like this. But I noticed that all hosts are listed under the SSID name (whichever VLAN they are in), not under the VLANs like in the image. That's probably why it is not working. In the other location, with exactly the same settings, it doesn't behave like this; it works as expected. How can I solve this, and what causes it?

noname.png
ebilcari
Staff
July 22, 2025

This behavior is not expected under normal conditions. When a host's VLAN is changed, its previous IP address (belonging to a different subnet) should no longer provide network access.

Based on the description, it appears that the CoA/DM is either not being sent or not accepted by the WLC, resulting in the host remaining on the original VLAN/subnet instead of being moved to the remediation VLAN.

Emirjon
barisben (Author)
New Member
August 8, 2025

After looking around a bit, I thought the setting in the screenshot below might be the cause. The people who originally set up the network infrastructure had defined the VLAN assignment on the AP controller (it's an Aruba AP, by the way) as static, using the registration VLAN for the relevant SSID. Yes, it works this way, but it behaves in the manner I described. Could this be related?

Screenshot_1.png

ebilcari
Staff
August 8, 2025

The SSID should support dynamic VLAN assignment via RADIUS. The reasons, and an example configuration for FAP, are shown in this article: Technical Tip: A simple deployment including FortiGate/FortiAP (self-registered guest)

Emirjon