Skip to main content
BKP09
BKP09
Explorer
March 27, 2025
Solved

FortiNAC- Role Assignment Issue with Active Directory Integration

  • March 27, 2025
  • 1 reply
  • 1187 views

I deployed a FortiNAC VM and configured policies to assign users to VLANs based on their department. To achieve this, I used an Active Directory attribute to assign a role to each user, which FortiNAC then parses via AD synchronization.

 image_2025-03-27_140755044.png

 

In the User Accounts page (first image), I can see that the correct role "112" has been assigned to the user. However, in the Hosts section (second image), the user’s laptop—where the same user is logged in—does not have the expected user role assigned (it should be 112 but is missing).

d0565a5f-7683-4aec-9035-59d83a1c4028.png

This discrepancy prevents proper VLAN assignment. How can I troubleshoot and ensure that the role is correctly applied to the host?

Best answer by ebilcari

The only limitations is that the "Registered To" field is populated only during host registration and is not updated later on if the user change. So in cases when the same host is used by different users that require different policies, this may be a limitation.

The rule above should match. To get a better overview of matching conditions done by FNAC, you can go to the host and by r-click choose 'Policy Details' and than Debug Log.

1 reply

ebilcari
Staff
ebilcari
Staff
March 27, 2025

When the host is registered to the same user, the role should be inherited. Based on the second screenshot, which is a bit blurry it appear like the host is not registered to this user, that's why it doesn't have the role.

You can also check this article and the troubleshooting tips.

Emirjon
    BKP09
    BKP09Author
    Explorer
    March 27, 2025

    Sorry for the blurry image. the logged on users is the one that appears to have attribute 112 on the User Role (first image)

    image_2025-03-27_144449248.png

    Thank you for the article but i have already saw it and this is the exact process i followed.
    What do you mean by registered? the user logged on the device with the Host name, shouldn't this mean that the user will inherit the atribute?

    ebilcari
    Staff
    ebilcari
    Staff
    March 27, 2025

    As you can see, the host is missing the 'Registered To' information, which means that this host is registered as device and not tied to a user.

    If dot1x is used in this case, you can use the dot1x auto registration feature, it will register the host directly to the user during the initial authentication.

    In case you want to apply the policy based on the 'Logged On User' information, you can use a UHP that checks the role of the user as shown below:

    UHP-user-role.PNG

    Emirjon
      Terms & ConditionsAccessibility statement