TilagenV
New Member
May 8, 2026
Question

FortiNAC - Isolation interface captive portal

Hi Everyone,

I am currently working on a FortiNAC deployment integrated with Cisco switches and FortiGate firewall, and I would appreciate some advice regarding the captive portal/isolation VLAN configuration.

Environment:

  • FortiNAC version: 7.6.x

  • Cisco access switches

  • FortiGate firewall acting as gateway

  • 802.1X + MAB environment

  • Isolation VLAN configured for unknown/non-domain devices

Objective:
When an unknown or non-domain device connects to the network:

  1. Device should fail 802.1X

  2. Fall back to MAB

  3. Be placed automatically into the isolation VLAN

  4. Receive an IP address

  5. Open browser and get redirected to FortiNAC captive portal

Current Situation:

  • VLAN assignment is working

  • Device is successfully placed into the isolation VLAN

  • Client receives IP address when DHCP is provided by FortiGate

  • Browser can partially reach the FortiNAC isolation portal

However, the captive portal redirection is not fully working correctly.

Issues Observed:

  1. DNS resolution problem

  • Client cannot resolve:
    firewall.company.local

  • nslookup times out

  • DNS server configured is:
    172.x.x.x

Example:
nslookup firewall.company.local
DNS request timed out

  2. Captive portal inconsistent behavior

  • Sometimes browser opens the portal page

  • Sometimes redirect fails

  • Browser may stay loading indefinitely

  3. When using FortiNAC as DHCP server:

  • Clients do NOT receive IP address

  4. When using FortiGate DHCP:

  • Clients receive IP correctly

  • Portal behavior improves but still inconsistent

Current Design:

  • Isolation VLAN: VLAN A

  • FortiGate interface configured as gateway

  • DHCP relay tested

  • Switch ports configured for:
    authentication order dot1x mab

  • Unknown devices mapped to Registration role in FortiNAC

  • Isolation network reachable from client side

Things Already Verified:

  • VLAN assignment working

  • FortiNAC reachable by IP

  • Routing mostly OK

  • Firewall policies checked

  • Isolation interface configured

  • DNS reachability tested

  • Client receives correct isolation VLAN

Questions:

  1. For FortiNAC captive portal deployment, is it recommended to use:

    • FortiNAC DHCP/DNS
      OR

    • FortiGate DHCP/DNS?

  2. Does the captive portal require proper DNS resolution of the FortiNAC FQDN to work consistently?

  3. Is it better to use:
    https://FortiNAC-FQDN/isolation
    OR direct IP access?

  4. Are there additional firewall policies or DNS requirements commonly missed in isolation VLAN deployments?

  5. Has anyone experienced issues where FortiNAC DHCP does not provide IP addresses properly in isolation VLAN environments?

Any guidance, best practices, or recommended architecture would be greatly appreciated.

Thank you.


NovaJoseph1
New Member
May 8, 2026

Can you share the details of the NAC isolated interface? I would like to check whether DNS and DHCP are enabled on the FortiNAC isolated interface.

TilagenV (Author)
New Member
May 11, 2026

Hi NovaJoseph1,

Thank you for your reply.

Currently, the isolation VLAN gateway is configured on the FortiGate firewall.

We tested both FortiNAC DHCP and FortiGate DHCP:

  • FortiNAC DHCP → clients do not receive IP addresses
  • FortiGate DHCP → clients receive IP addresses successfully and portal behavior improves

We are also observing intermittent DNS resolution issues for the FortiNAC/Firewall FQDN, which may be affecting captive portal redirection.

We are currently verifying DNS, DHCP, and portal redirection behavior on the isolated interface.

Thank you very much for your help.

Thank you.

ebilcari
Staff
May 8, 2026

You could get an overall idea by checking the required steps covered in this example:

When the hosts are isolated, the DHCP (as relay) and DNS services should be offered by FNAC (isolation interface). The isolation subnet should be part of the isolation scopes configured in ConfigWizard. Avoid using NAT between end host, network device and FNAC communications.

The redirection is done through DNS, there is no need to configure any portal url or redirections in FGT or switches.

Emirjon
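The DNS-based redirection described in the reply above, modelled as an added example. This is illustrative Python written for this page, not FortiNAC code and not something posted in the thread. The isolation interface's DNS answers every A query with the portal address, so whatever hostname the browser asks for resolves to the isolation portal; no URL redirect on the FortiGate or switch is involved. The portal address 10.99.0.10, the TTL and the hostnames are assumptions. The last function maps what an isolated client observes onto the symptoms in the question: no reply at all (the nslookup timeout), the portal address (redirect works), or a real address (the client is not using the isolation DNS, so the redirect cannot fire).

```python
"""Added example: minimal model of captive-portal redirection via DNS.
Not FortiNAC code. Addresses and names below are assumptions."""
import struct

PORTAL_IP = "10.99.0.10"   # assumed FortiNAC isolation interface address


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A/IN query, as nslookup or a browser would."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)              # QTYPE=A, QCLASS=IN


def _parse_name(pkt: bytes, off: int):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            name, _ = _parse_name(pkt, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + ln].decode())
        off += 1 + ln


def isolation_dns_answer(query: bytes, portal_ip: str = PORTAL_IP, ttl: int = 30) -> bytes:
    """Answer any A/IN query with portal_ip, regardless of the name asked for.
    This is the behaviour an isolation DNS relies on to pull every browser
    request onto the portal. Non-A queries get an empty NOERROR reply."""
    txid, _flags, _qd, *_ = struct.unpack("!HHHHHH", query[:12])
    _name, end = _parse_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    resp_flags = 0x8180                              # QR, RD, RA, NOERROR
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0) + question
    rdata = bytes(int(o) for o in portal_ip.split("."))
    # name pointer to offset 12 (the question name), then TYPE A, CLASS IN, TTL, RDLENGTH
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return struct.pack("!HHHHHH", txid, resp_flags, 1, 1, 0, 0) + question + answer


def parse_a_answers(resp: bytes):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):                              # skip the question section
        _, off = _parse_name(resp, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = _parse_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return ips


def redirect_works(names, portal_ip: str = PORTAL_IP) -> bool:
    """True when every name a client asks for resolves only to the portal."""
    return all(parse_a_answers(isolation_dns_answer(build_query(n), portal_ip)) == [portal_ip]
               for n in names)


def classify_lookup(answer_ips, portal_ip: str = PORTAL_IP) -> str:
    """Map what an isolated client observed to the likely portal problem."""
    if not answer_ips:
        return "timeout"      # no reply reached the client: isolation DNS not reachable
    if all(ip == portal_ip for ip in answer_ips):
        return "redirected"   # every name lands on the portal, as intended
    return "leaked"           # a real address came back: client is not using the isolation DNS


if __name__ == "__main__":
    for n in ("firewall.company.local", "www.example.com"):
        print(n, "->", parse_a_answers(isolation_dns_answer(build_query(n))))
```

From an isolated client the same check is an nslookup of any name against the DHCP-provided DNS server: the expected answer is the FortiNAC isolation interface address, not the real one and not a timeout. A timeout, as in the question, means the client never reaches the isolation DNS at all, so the portal can only be hit by typing its IP directly.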
TilagenV (Author)
New Member
May 11, 2026

Thank you for the clarification and for sharing the reference example.

This helps confirm that DNS-based redirection is a key requirement for the FortiNAC captive portal workflow.

Currently, in our setup:

  • Isolation VLAN is working
  • Clients are correctly assigned to the isolation network
  • FortiGate DHCP works properly
  • However, DNS resolution for the FortiNAC FQDN is intermittent

Based on your recommendation, we will review:

  • FortiNAC isolation interface DHCP/DNS configuration
  • Isolation scopes in ConfigWizard
  • DNS response behavior from the isolation interface
  • NAT configuration between clients and FortiNAC

Thank you again for the guidance.

ebilcari
Staff
May 12, 2026

These logs will give more details:

# diagnose tail -f dhcpd.log

# diagnose tail -f named.log

and a packet capture:

# execute tcpdump -i port2 port 67 or port 53 -v

Emirjon
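An added example of reading the dhcpd.log output from the `diagnose tail -f dhcpd.log` command above when clients on the isolation VLAN get no address from FortiNAC. This is illustrative Python written for this page, not a Fortinet tool. The sample lines are constructed in ISC dhcpd syslog style and are assumed to match the format FortiNAC writes; the MACs, addresses and timestamps are made up. Each client MAC is classified by how far its DHCP exchange got: a full DISCOVER/OFFER/REQUEST/ACK, a pool with "no free leases", a relay address that matches no configured scope ("unknown network segment", which is what a missing isolation scope in ConfigWizard looks like at the server), or DISCOVERs that never receive an OFFER. If a client's MAC never appears at all, the relayed DISCOVER is not reaching the isolation interface, which is what the tcpdump on port 67 is for.

```python
"""Added example: triage of ISC-style dhcpd.log lines for isolation-VLAN clients.
Not Fortinet code; the log lines are constructed and the format is assumed."""
import re
from collections import defaultdict

# Constructed sample (assumed dhcpd.log format); relay 10.99.0.1 = isolation VLAN gateway,
# relay 10.77.0.1 = a VLAN whose subnet was never added as an isolation scope.
SAMPLE_LOG = """\
May 11 10:02:13 fnac dhcpd[2211]: DHCPDISCOVER from 00:0c:29:aa:bb:01 via 10.99.0.1
May 11 10:02:14 fnac dhcpd[2211]: DHCPOFFER on 10.99.0.50 to 00:0c:29:aa:bb:01 via 10.99.0.1
May 11 10:02:14 fnac dhcpd[2211]: DHCPREQUEST for 10.99.0.50 (10.99.0.10) from 00:0c:29:aa:bb:01 via 10.99.0.1
May 11 10:02:14 fnac dhcpd[2211]: DHCPACK on 10.99.0.50 to 00:0c:29:aa:bb:01 via 10.99.0.1
May 11 10:03:40 fnac dhcpd[2211]: DHCPDISCOVER from 00:0c:29:aa:bb:02 via 10.99.0.1: network 10.99.0.0/24: no free leases
May 11 10:03:41 fnac dhcpd[2211]: DHCPDISCOVER from 00:0c:29:aa:bb:02 via 10.99.0.1: network 10.99.0.0/24: no free leases
May 11 10:05:02 fnac dhcpd[2211]: DHCPDISCOVER from 00:0c:29:aa:bb:03 via 10.77.0.1: unknown network segment
May 11 10:06:15 fnac dhcpd[2211]: DHCPDISCOVER from 00:0c:29:aa:bb:04 via 10.99.0.1
May 11 10:06:17 fnac dhcpd[2211]: DHCPDISCOVER from 00:0c:29:aa:bb:04 via 10.99.0.1
May 11 10:06:21 fnac dhcpd[2211]: DHCPDISCOVER from 00:0c:29:aa:bb:04 via 10.99.0.1
"""

# message type, then the first MAC after it, then the rest of the line
MSG = re.compile(
    r"(DHCP(?:DISCOVER|OFFER|REQUEST|ACK|NAK))\b.*?\b((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b(.*)$",
    re.IGNORECASE,
)


def parse_dhcpd_log(text: str):
    """Return {mac: [(message_type, remainder_of_line), ...]} in log order."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = MSG.search(line)
        if m:
            events[m.group(2).lower()].append((m.group(1).upper(), m.group(3)))
    return events


def triage(events) -> dict:
    """Classify each client MAC by how far its DHCP exchange got."""
    verdicts = {}
    for mac, evs in events.items():
        types = {t for t, _ in evs}
        tails = " ".join(tail for _, tail in evs)
        if "DHCPACK" in types:
            verdicts[mac] = "ok: lease acknowledged"
        elif "no free leases" in tails:
            verdicts[mac] = "scope exhausted: no free leases in the isolation pool"
        elif "unknown network segment" in tails:
            verdicts[mac] = "relay address not in any isolation scope (check ConfigWizard scopes)"
        elif "DHCPNAK" in types:
            verdicts[mac] = "NAK sent: client requested an address the server will not grant"
        elif "DHCPOFFER" in types:
            verdicts[mac] = "offer sent, no ACK: offer never reached the client (check relay/NAT path)"
        elif "DHCPDISCOVER" in types:
            verdicts[mac] = "discover seen, no offer: server silent for this subnet"
        else:
            verdicts[mac] = "incomplete exchange"
    return verdicts


if __name__ == "__main__":
    for mac, verdict in triage(parse_dhcpd_log(SAMPLE_LOG)).items():
        print(mac, "->", verdict)
```

Run it against a saved copy of the real log rather than the constructed sample; the regex only keys on the standard message names and a MAC, so the syslog prefix does not matter. Keep in mind the reply's point about NAT: if the relay path is translated, the offer may be logged as sent yet never make it back to the client, which is the "offer sent, no ACK" bucket.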