Rabeb_Ali
Explorer II
December 18, 2025
Question

FortiNAC shows No Policy matched and Auth Type = MAB


Hello Community,

 

I am facing an issue with FortiNAC policy matching and VLAN enforcement.

Environment:

  • FortiNAC F

  • Juniper switch (dot1x authenticator)

Current Behavior: On the switch, the session is shown as Authenticated via RADIUS. VLAN assignment only works when I manually force the Registration or Authentication VLANs.

However, FortiNAC displays the following:

  • Auth Type: MAB

  • No policy matched

This occurs even though the Network Access Policy is configured with:

  • RADIUS Auth Type: 802.1X

  • Groups: UsersGroup

  • Locations: Any

Observations: MAC-RADIUS is enabled on the switch interface. Although the device is configured for 802.1X authentication and FortiNAC correctly learns the user identity (DOMAIN\username), FortiNAC does not seem to classify the session as 802.1X, only as MAB. Port Group Membership shows Role Based Access is enabled, but no policy hit is recorded.

 

What checks or actions can be performed to resolve this classification issue?

1 reply

ebilcari
Staff
December 20, 2025

Does the switch configuration allow MAB, fallback from 802.1X to MAC authentication for hosts that did not successfully authenticate? Is the test host ever authenticated as MAB?

To get a better picture for host attributes that are evaluated on UHP you can also check the Endpoint Fingerprints like:

 

[Screenshot: host attr.PNG]

 

or Debug Log output in the Policy Details:

 

[Screenshot: pol ditails.PNG]

Emirjon
Rabeb_Ali
Author
Explorer II
December 21, 2025

Thanks for your help. The issue is now resolved. In our architecture, FortiNAC acts as a RADIUS Proxy, so we had to update the Model Configuration of the switch to Proxy mode. This allowed FortiNAC to correctly classify the session as 802.1X and match the appropriate policy.

ebilcari
Staff
December 21, 2025

Thank you for sharing the solution.

Emirjon