williasthomas192004
Explorer III
May 28, 2025
Solved

NAC


FortiNAC self-registration Guest Management with wireless dynamic VLAN management.

During the registration process, without doing anything, I got a native VLAN IP.

In NAC's Network > Inventory > Device > Virtualized Devices > root, I haven't added a native VLAN ID.

 

What is the fault?

 



ebilcari
Staff
May 28, 2025

When an unregistered host (Rogue) connects, FNAC will try to isolate it in the registration network, which in this case should be VLAN 201. If the SSID in FGT doesn't have this VLAN configured, it may leave the host in the default subnet after the Access-Accept. You can also check this article for more information related to this scenario: Technical Tip: A simple deployment including FortiGate/FortiAP (self-registered guest)

Emirjon
williasthomas192004
Explorer III
May 29, 2025
Isolation with FortiNAC

FortiNAC uses isolation VLANs to restrict network access for unregistered or unknown devices, placing them in an isolation VLAN until they are registered or authenticated.

Is that right? How do I figure out isolation?
In your setup you create a VLAN under the wireless interface with a virtual LAN with tunnel mode.
My setup is to create a VLAN under the FortiLink switch and run bridge mode.

For isolation, do I need to create a policy, and how? Could you please guide me? Thanks!

ebilcari
Staff
Answer
May 29, 2025

Using a bridged SSID will be similar as long as the VLAN is allowed in the switchport where the AP is connected. The IP configurations shown in the example for the VLANs under the SSID need to be configured in a similar way to normal VLANs in the FSW.

 

There is no need to create policies for isolation; based on the host state, FNAC will push the configured VLANs as long as Enforcement is enabled in the SSID.

Emirjon