barisben
New Member
September 19, 2025
Question

FortiNAC Role Assignment Issue with LDAP Users


Users are connecting to the corporate network with their LDAP credentials and I have configured their roles accordingly. However, for some reason, about 1-2 out of every 10 users end up coming to FortiNAC-F with the NAC-Default role, even though they are in the correct LDAP group on AD. The correct behavior, and what usually happens, is that when a user connects for the first time, if they are a member of group X, they are assigned the X role. The issue is resolved by deleting the host registration from the NAC; when the user then disconnects and reconnects to the network they get the correct role. What could be the reason?


2 replies

Anthony_E
Staff
September 22, 2025

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Best Regards
Sheikh
Staff
September 22, 2025

Hello @barisben,

 

When assigning user roles, it is recommended to base the assignment on the user’s Directory attributes in LDAP rather than on Directory group membership.

 

This is because FortiNAC checks directory attribute data during the user registration process. Group membership, however, may not always be up to date, since the latest Directory synchronization might not have run yet to refresh the FortiNAC cache with the updated group information.

 

 - Have you checked that the "ldap bind" user has sufficient permissions on that specific OU where the user resides?

 - Are there any changes in AD for users (e.g., moving from one OU to another OU)?

 - Moreover, are the DCs and FortiNAC in the same location? If not, how is the network latency?

 

Regards,

 

Sheikh

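To make the timing difference in the reply above concrete, here is an added Python model (not FortiNAC code and not from this thread) in which a role mapped from a directory attribute is read live at registration, while a role mapped from group membership is read from a cache filled by the last directory sync; the DNs, the `department` attribute, the role names and the sync sequence are all constructed for illustration.

```python
"""Model of attribute-based vs. group-based role lookup at registration.

Constructed example: the attribute mapping queries the directory directly,
the group mapping only sees what the last FortiNAC directory sync cached.
"""
from dataclasses import dataclass, field

DEFAULT_ROLE = "NAC-Default"

# Hypothetical mappings (constructed DNs, attribute and role names).
ENG_GROUP = "CN=Engineering,OU=Groups,DC=example,DC=com"
ROLE_BY_GROUP = {ENG_GROUP: "Engineering"}
ROLE_ATTRIBUTE, ROLE_BY_ATTR = "department", {"Engineering": "Engineering"}


@dataclass
class DirectoryCache:
    """Group membership as of the last directory synchronization."""
    member_of: dict = field(default_factory=dict)  # user DN -> set of group DNs

    def refresh(self, live_users):
        self.member_of = {dn: set(u["memberOf"]) for dn, u in live_users.items()}


def role_from_groups(user_dn, cache):
    """Group-based mapping: only the cached membership is consulted."""
    for group in cache.member_of.get(user_dn, ()):
        if group in ROLE_BY_GROUP:
            return ROLE_BY_GROUP[group]
    return DEFAULT_ROLE


def role_from_attribute(user_entry):
    """Attribute-based mapping: the entry is read from the directory now."""
    return ROLE_BY_ATTR.get(user_entry.get(ROLE_ATTRIBUTE), DEFAULT_ROLE)


def simulate():
    """Returns (group role with stale cache, attribute role, group role after sync)."""
    user = "CN=alice,OU=Staff,DC=example,DC=com"
    live = {user: {"memberOf": [], ROLE_ATTRIBUTE: "Engineering"}}  # stands in for AD
    cache = DirectoryCache()
    cache.refresh(live)                      # sync ran before the group change
    live[user]["memberOf"].append(ENG_GROUP)  # user added to the group afterwards
    first = role_from_groups(user, cache)    # stale cache -> NAC-Default
    by_attr = role_from_attribute(live[user])  # live attribute -> Engineering
    cache.refresh(live)                      # next sync (or re-registration later)
    second = role_from_groups(user, cache)   # cache now current -> Engineering
    return first, by_attr, second
```

The first value reproduces the symptom from the question (default role despite correct AD membership); the last shows why deleting the host and re-registering after a sync yields the right role.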
barisben (Author)
New Member
September 29, 2025

Hello,

 

- Checked that the "ldap bind" user has sufficient permissions on that specific OU where the user resides.

- There are no changes in AD for users (e.g., moving from one OU to another OU).

- Moreover, DCs and FortiNAC are in the same location. Network latency is always normal.