FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
haljawhari
Staff
Article Id 192639

Description


This article describes steps to take when the VLAN does not change as expected on a switch port after a host connects.

Scope

 

Any supported version of FortiNAC.


Solution

 

  1. Confirm the host is connected to the correct port with a status of 'online' under the Ports tab of the switch's Device Model. Network -> Inventory.

inventory.PNG

 

If the host shows offline, see the article below:

Technical Tip: Wired hosts displaying incorrect connection status

 

  2. Verify the appropriate VLAN is configured to apply to the applicable host state:
  • Hosts being assigned to an isolation VLAN: Review the switch's device model under the Model Configuration tab.

 

Examples:

  • The host is a rogue: Registration VLAN.
  • The host is marked 'At-Risk': Remediation VLAN.
  • The host is marked Disabled: DeadEnd VLAN.

 

modeli.PNG

  • Registered hosts assigned VLANs using a Network Access Policy: Verify that the correct policy matches. See the article below:

Technical Tip: Troubleshooting policies

 

  • Registered hosts where a Network Access Policy is not used to assign VLAN: Confirm the default VLAN is configured either at the switch level (Model Configuration) or at the port level (Ports tab).

 

  3. Verify that VLAN switching is enabled under the Element tab.

 

switchin.PNG

 

  4. Verify that the appropriate enforcement group is configured under the Ports tab.

 

membership.PNG

Examples:

  • The host is a rogue: Port is a member of the Forced Registration group.
  • The host is marked 'At-Risk': Port is a member of the Forced Remediation Group.
  • The host is marked Disabled: Switch is a member of the Physical Address Filtering group (right-click model and select Group Membership).
  • The host is registered, and a network access policy is used to assign VLAN: Port is a member of the Role-Based Access group.

 

host-satt.PNG

 

  5. Confirm credentials are correct. Under the Credentials tab, select Validate Credentials.
  • If SNMP credentials fail, see the article below:

Technical Note: Troubleshooting SNMP communication issues

  • If CLI credentials fail, see the article below:

Technical Note: Troubleshooting CLI credential failure

 

In cases where the RADIUS protocol is used to perform VLAN changes, the following verifications need to be done:

  • RADIUS is enabled on the Device and Model Configuration in FortiNAC.
  • The default RADIUS Attribute group has all relevant Attributes:

 

Figure 1. Radius Attribute group selection for "RFC Vlan" setting.

 

  • FortiNAC is sending Disconnect-Request messages to the switch IP on destination port 3799 in order to terminate the user session, so that the host reconnects and a new authentication session is established.
  • The switch is returning a Disconnect-ACK and applying the VLAN change on the port.
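The two checks above are about a concrete packet exchange: a Disconnect-Request (RADIUS code 40) from the NAC to the switch on port 3799, answered by a Disconnect-ACK (code 41) or Disconnect-NAK (code 42). The following is an added example, not FortiNAC's or Fortinet's code, that builds such a pair per RFC 5176 and checks the Request and Response Authenticators the way the switch and the NAC do. The shared secret, host attributes and identifier are constructed sample values. It is useful for reading a packet capture of a failing exchange: if the Response Authenticator of the ACK does not verify against the request, or the request's own authenticator does not verify under the secret configured on the switch, the shared secret is mismatched and the switch will silently drop the request (no ACK at all), which looks exactly like "the VLAN does not change".

```python
import hashlib
import hmac
import struct

# RFC 5176 Dynamic Authorization codes; 3799 is the destination port named on the page.
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42
DAC_PORT = 3799

# RADIUS attribute numbers (RFC 2865/2866) commonly used to identify the session.
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type/length/value triples."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def decode_attrs(data):
    """Decode RADIUS TLVs; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_disconnect_request(secret, identifier, attrs):
    """NAC side: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def build_response(request, secret, code=DISCONNECT_ACK, attrs=()):
    """Switch side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, identifier, _ = struct.unpack("!BBH", request[:4])
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def parse_packet(pkt):
    """Split a RADIUS packet into its header fields and attribute list."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return {"code": code, "id": identifier, "authenticator": pkt[4:20],
            "attrs": decode_attrs(pkt[20:])}


def verify_request(request, secret):
    """The check a switch performs before acting on a Disconnect-Request."""
    p = parse_packet(request)
    if p["code"] != DISCONNECT_REQUEST:
        return False
    expected = hashlib.md5(request[:4] + b"\x00" * 16 + request[20:] + secret).digest()
    return hmac.compare_digest(expected, p["authenticator"])


def verify_response(request, response, secret):
    """The check the NAC performs on the ACK/NAK: same identifier, valid Response Authenticator."""
    req, resp = parse_packet(request), parse_packet(response)
    if resp["id"] != req["id"] or resp["code"] not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    expected = hashlib.md5(response[:4] + req["authenticator"] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp["authenticator"])


SECRET = b"constructed-shared-secret"  # constructed sample value, not a real secret


def demo_exchange():
    """Constructed Disconnect-Request / Disconnect-ACK pair for a sample host."""
    attrs = [
        (ATTR_USER_NAME, b"host01"),
        (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
        (ATTR_ACCT_SESSION_ID, b"0000ABCD"),
    ]
    request = build_disconnect_request(SECRET, 7, attrs)
    ack = build_response(request, SECRET)
    return request, ack


if __name__ == "__main__":
    req, ack = demo_exchange()
    print("request verifies:", verify_request(req, SECRET))
    print("ack verifies:", verify_response(req, ack, SECRET), "code", parse_packet(ack)["code"])
```

Applied to a capture of the real exchange (with the switch's configured secret), a Disconnect-Request that fails `verify_request` explains a missing ACK; a reply with code 42 is a NAK, which means the switch received and accepted the message but could not terminate the session (for example because the identifying attributes did not match an active session), so the VLAN change is then never triggered.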

 

The following article provides more details on CoA/Disconnect Message errors and configuration:

Technical Tip: CoA Support in FortiNAC 7.4 and applying DACLs in FortiSwitch FortiLink scenario

 

  6. If the switch port is still not changing, confirm the following under the Ports tab (details in the first picture):
  • The port is not a member of the Access Point Management group.
  • The port does not display as an Uplink.
  • Multiple hosts are not connected to the switch port via a hub. Depending upon the state of each connected host, this can cause unexpected VLAN changes.

 

If the behavior persists, open a support ticket and provide the following information:

  • Problem description.
  • Troubleshooting steps taken.
  • Screen capture of the Element tab of the switch and 'Port Changes' for the test port.
  • A grab log snapshot of FortiNAC that contains all the logs.
  • Firmware version of FortiNAC. It is shown by selecting the username in the upper right corner, or under System Summary on the Dashboard.