FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
yuj_FTNT
Staff
Article Id 422486
Description This article describes how to configure FortiNAC to assign VLANs based on MAC address.
Scope FortiNAC 9.4.x.
Solution

Table of Contents:

  1. Enable RADIUS on the FortiNAC.
  2. Create SSID on the FortiGate.
  3. Allow SSID to connect to the FortiNAC RADIUS server.
  4. Create a group that belongs to a VLAN.
  5. Create a User/Host Profile.
  6. Create Network Access Policy.
  7. Assign VLANs.

Section 1. Enable RADIUS on the FortiNAC.

 

Leave the FortiNAC authentication port at 1645. Match it on the FortiGate side instead (the radius-port setting below), rather than changing it on FortiNAC.

 

1.png

 

FortiGate RADIUS settings:

config user radius
    edit "FortiNAC"
        set server [FortiNAC IP]
        set secret yourSecret
        set nas-ip [FortiGate IP]
        set radius-port 1645
        set require-message-authenticator disable
    next
end

 

Section 2. Create SSID on the FortiGate.

 

Using the 'WPA2 Personal' security mode requires users to enter the pre-shared key to connect to the Wi-Fi. Client MAC Address Filtering through the RADIUS server (FortiNAC in this case) then assigns a VLAN to the user's device based on the device's MAC address.

  1. Set the Security Mode to 'WPA2 Personal'.
  2. Under Client MAC Address Filtering, choose the FortiNAC configured in the previous step as the RADIUS Server.
  3. Enable the 'Dynamic VLAN assignment' option.

 

2.png

 

Section 3. Allow SSID to connect to the FortiNAC RADIUS server.

 

  1. Double-click the SSID and choose the 'Local' RADIUS mode. 'Resync Interfaces' may be required before the newly created SSID appears in the list. Then select the 'Update' button.
  2. Select the 'Model Configuration' button and set a RADIUS secret. This must match the secret configured on the FortiGate.
  3. Set the Authentication Method to RADIUS.

 

3.png

 

4.png

 

5.png

 

6.png

 

Section 4. Create a group that belongs to a VLAN.

 

7.png

 

Section 5. Create a User/Host Profile.

 

  1. Who/What by Group: Choose the group created in the previous step.
  2. Who/What by Attribute: Choose the 'MAB' RADIUS authentication type.

 

8.png

 

9.png

 

Section 6. Create a Network Access Policy.

 

Use the tabs at the top right corner.

 

  1. Create Logical Network.
  2. Create Network Access Configuration.
  3. Create Network Access Policy.

 

10.png

 

Section 7. Assign VLANs.

 

  1. Go back to Inventory -> FortiGate -> SSID.
  2. Set the Default RADIUS Attribute Group to RFC_Vlan.
  3. Assign the Access Value (VLAN) for each Logical Network accordingly.
  4. The Host State object was created automatically when the Logical Network was created in the previous step.

 

11.png
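As an added illustration (not part of the Fortinet article or of FortiNAC itself), the Python below builds and checks the RADIUS Access-Accept a server returns for a MAB client: the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triplet that carries the VLAN, and the Response Authenticator, which only verifies when both sides use the same shared secret (the mismatch case from Section 3). It assumes the RFC_Vlan attribute group produces these standard RFC 2868 attributes; the identifier, request authenticator and VLAN id are constructed sample values.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
# RFC 2868 tunnel attributes used for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def _tlv(attr_type, payload):
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865)."""
    return bytes([attr_type, 2 + len(payload)]) + payload


def vlan_attributes(vlan_id, tag=0):
    """Attribute triplet a RADIUS server returns to place the client in vlan_id (tag byte first)."""
    return (_tlv(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + _tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Access-Accept with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def parse_vlan(packet, request_authenticator, secret):
    """Verify the Response Authenticator with the shared secret, then return the VLAN id.
    Returns None when the secret does not match or the VLAN triplet is missing/inconsistent."""
    code, _identifier, length = struct.unpack(">BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if code != ACCESS_ACCEPT or expected != packet[4:20]:
        return None  # wrong secret or tampered packet: the NAS must not trust this VLAN
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2:
            return None  # malformed attribute length
        value = attrs[pos + 2:pos + attr_len]
        pos += attr_len
        # A leading byte of 0x00-0x1F is the RFC 2868 tag; anything larger is data
        if value and value[0] <= 0x1F:
            value = value[1:]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[attr_type] = int.from_bytes(value, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            found[attr_type] = value.decode()
    if (found.get(TUNNEL_TYPE), found.get(TUNNEL_MEDIUM_TYPE)) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802):
        return None
    return int(found[TUNNEL_PRIVATE_GROUP_ID]) if TUNNEL_PRIVATE_GROUP_ID in found else None
```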
