Not Isolating Despite Not Matching Any Network Policy

Forum|Forum|10 months ago
August 8, 2025
1 reply
274 views

If a host is registered manually or by device profiling but does not match any network policy, the correct VLAN is still assigned. For example, even though the role for that host requires the "Persistent Agent - Yes" condition to be set in the User/Host Profiles, it still gets assigned to the correct VLAN even if the host does not have a persistent agent. I came across a comment suggesting that a default VLAN should be defined and the "Reset Forced Default" option should be enabled in the all ports settings. For instance, if I define the default VLAN as an isolated VLAN ID and enable "Reset Forced Default" in the port settings, the cookbook says "Ports that return to the default VLAN when hosts disconnect." for reset forced default setting. This implies that the task is not being accomplished as intended. Could you please explain it?

AEK

SuperUser

When a host is not in isolation state (registration, authentication, ...) then it follows policy. But when no policy matched then it is put in the default VLAN that you configured in the port properties.

When you set "Reset Forced Default" then when you disconnect the host, the port back to the default VLAN after 1 minute (the delay can be customized).

Personally I usually set the production VLAN as default VLAN on ports that are usually used by Corp hosts, just in case the NAC goes down. This is when you need to prioritize productivity over security.

AEK

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded