FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sfernando
Staff
Article Id 367000
Description

This article describes a situation where a FortiGate is connected to a FortiSwitch, with a NAC solution configured on the FortiGate.

When a user has both a wireless and a wired (Ethernet) connection, the laptop tries to connect via the Ethernet adapter.

During this time, the Wi-Fi adapter successfully connects to the network, NAC is performed, and the device is allowed.

However, the laptop keeps disrupting the connection by using the LAN connection.

According to the logs on the FortiGate and FortiSwitch, the device appears to authenticate successfully through NAC and should have moved from the 'onboarding' VLAN to the real VLAN.

However, within a very short period, or during the port-flap sequence, everything appears to reset: the device authenticates again from the onboarding stage to the real network, then drops back to onboarding. During this time the Wi-Fi adapter is still connected to the real Wi-Fi network.

This does not happen when the Wi-Fi adapter is disabled.

It is also important to note that the NAC policy is configured with EMS tags; a sample configuration is shown below:

config user nac-policy
    edit "XYZ"
        set category ems-tag
        set ems-tag "xyz user"
        set switch-fortilink "fortilink"
        set switch-mac-policy "XYZ"
        set firewall-address "XYZ_GROUP"
        set ssid-policy "XYZ"
    next
end

Scope

FortiGate (NAC feature), FortiSwitch.

Solution

The problem occurs when the device matches the NAC policy and NAC bounces the port to force a new DHCP lease. This causes the laptop's Ethernet adapter to go down, so FortiClient detects the change and sends the updated network adapter information to EMS over the VLAN subnet.

EMS then removes the Ethernet MAC from the EMS tag, which triggers NAC to remove the device from the NAC policy match and move it back to the onboarding VLAN. Later, the Ethernet MAC reappears in the FortiGate's EMS tag after re-tagging, and this cycle repeats continuously, causing the FortiSwitch port to flap.
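To recognise this onboarding-to-real-to-onboarding cycle in collected logs before chasing it port by port, here is an added example (not from the article or Fortinet): a small Python detector run over constructed FortiGate-style key=value lines. The field names (mac, vlan, action=nac-assign) and all sample values are assumptions for the example, not real FortiOS log fields or IDs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in FortiGate-style key=value syntax. Field names
# (mac, vlan, action) and values are assumptions, not real FortiOS log messages.
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:00 mac=aa:bb:cc:dd:ee:01 vlan=onboarding action=nac-assign
date=2024-05-01 time=10:00:05 mac=aa:bb:cc:dd:ee:01 vlan=vlan750 action=nac-assign
date=2024-05-01 time=10:00:12 mac=aa:bb:cc:dd:ee:01 vlan=onboarding action=nac-assign
date=2024-05-01 time=10:00:18 mac=aa:bb:cc:dd:ee:01 vlan=vlan750 action=nac-assign
date=2024-05-01 time=10:00:25 mac=aa:bb:cc:dd:ee:01 vlan=onboarding action=nac-assign
date=2024-05-01 time=10:00:30 mac=aa:bb:cc:dd:ee:02 vlan=onboarding action=nac-assign
date=2024-05-01 time=10:00:35 mac=aa:bb:cc:dd:ee:02 vlan=vlan750 action=nac-assign
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict (quotes stripped, ts added)."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def find_nac_flaps(log_text, onboarding_vlan="onboarding", window_s=60, min_returns=2):
    """Return {mac: total_returns} for MACs that fell back from a real VLAN to
    the onboarding VLAN at least min_returns times within window_s seconds,
    i.e. the onboarding -> real -> onboarding cycle the article describes."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        f = parse_line(line)
        if f.get("action") == "nac-assign":
            events[f["mac"]].append((f["ts"], f["vlan"]))
    flapping = {}
    for mac, seq in events.items():
        seq.sort()
        # timestamps of every real -> onboarding transition for this MAC
        returns = [ts for (_, prev), (ts, cur) in zip(seq, seq[1:])
                   if prev != onboarding_vlan and cur == onboarding_vlan]
        for i, start in enumerate(returns):
            in_window = sum(1 for t in returns[i:]
                            if (t - start).total_seconds() <= window_s)
            if in_window >= min_returns:
                flapping[mac] = len(returns)
                break
    return flapping
```

A single return to onboarding (the second MAC) is normal re-onboarding and is not reported; only repeated returns inside the window are.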

As a resolution, the two steps below can be taken.

  1. Change the setup from legacy NAC to LAN segments, which does not bounce the port, so the laptop's Ethernet IP address does not change at all. This stops FortiClient from sending network adapter changes to EMS and resolves the issue. Refer to this document: NAC LAN segments 7.0.1.

Example configuration:

config switch-controller fortilink-settings
    edit "fortilink"
        set fortilink "fortilink"
        config nac-ports
            set onboarding-vlan "Clients"
            set lan-segment enable    <-- Make this enabled.
            set nac-lan-interface "nac_segment"
            set nac-segment-vlans "voice" "video" "vlan750"
        end
    next
end

  2. A new enhancement was added to the NAC/DPP features in FortiOS 7.4.4 (and later) to retain matched devices even when the device is removed from the user-device-store or dynamic firewall tables. This helps NAC keep the laptop's Ethernet MAC in the NAC policy match even when the device is removed from the EMS tag.


config user nac-policy
    edit "XYZ"
        set category ems-tag
        set match-type override    <-- Make this change.
        set ems-tag "xyz user"
        set switch-fortilink "fortilink"
        set switch-mac-policy "XYZ"
    next
end