FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hawada1
Staff
Article Id 384207
Description This article describes how to allow FortiNAC to detect the endpoint location when the wireless client VLANs are not terminated on the wireless controller, that is, the SSID is in bridge mode and the VLANs are carried directly from the FortiAP to the wired switches rather than to FortiGate.
Scope FortiNAC, SSID in bridge mode.
Solution

The design is as follows:

  • The SSID is in bridge mode; the client VLANs are trunked between the FortiAP and the 3rd-party switches and are not terminated on FortiGate.
  • Only the management VLAN is configured on FortiGate, and it is used solely to manage the FortiAP.
  • The production and registration VLANs are carried between the FortiAP, the edge switches, and the core switch.
  • The host registers successfully through the captive portal after connecting to the SSID.
  • However, FortiNAC is unable to detect the location of the client after registration, because the VLANs the client is placed in do not exist on the WLC (FortiGate) from which FortiNAC reads the SSID configuration.

The network design is as follows:

                     +--------------------+
                     | FortiGate Firewall |
                     +--------------------+
                               |
                     +--------------------+
                     |  3rd-Party Switch  |
                     +--------------------+
                               |
                ---------------------------------
                |                               |
        +---------------+               +---------------+
        |    FortiAP    |               |    FortiAP    |
        | (Bridge Mode) |               | (Bridge Mode) |
        +---------------+               +---------------+


Workaround:

The registration and production VLANs only need to exist on FortiGate so that FortiNAC can learn them from the WLC; they are kept administratively down because the client traffic for those VLANs is still switched between the FortiAP and the 3rd-party switches, not through FortiGate.

  1. Create the registration and production VLAN interfaces on FortiGate and administratively shut them down.
  2. Right-click the WLC in the FortiNAC Network Inventory and select 'Resync Interfaces' so that FortiNAC picks up the interface changes made on FortiGate.
  3. Edit the SSID configuration in FortiNAC and, instead of inheriting the settings from the model configuration, use customized RADIUS settings for the SSID.
  4. FortiNAC is now able to detect the location of the host upon initial connection.
  5. After registration, FortiNAC correctly sends the RADIUS Disconnect-Request that authorizes the device to be placed in the production VLAN.
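The FortiGate CLI equivalent of step 1, as an added example that is not part of the original article. It assumes that 'port1' is the FortiGate interface facing the 3rd-party switch and that VLAN IDs 100 and 200 are the registration and production VLANs already in use on the switches; all three values are placeholders to be replaced with the real ones:

```fortios
# Added example, not from the original article.
# Assumptions: "port1" is the interface towards the 3rd-party switch,
# VLAN 100 = registration, VLAN 200 = production (placeholders).
# The interfaces are created admin-down: they exist only so that FortiNAC
# can read them from the WLC; no client traffic is routed through them.
config system interface
    edit "registration"
        set vdom "root"
        set type vlan
        set interface "port1"
        set vlanid 100
        set status down
    next
    edit "production"
        set vdom "root"
        set type vlan
        set interface "port1"
        set vlanid 200
        set status down
    next
end
```

After applying the configuration, `show system interface registration` and `show system interface production` should each list `set status down`; then continue with step 2 in FortiNAC (Network Inventory, right-click the WLC, 'Resync Interfaces') and confirm that both VLANs now appear on the WLC model before editing the SSID's RADIUS settings in step 3.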


Related article: 

Technical Tip: SSID Local bridge vs Tunnel mode