Description
This article describes basic steps to troubleshoot registered wireless clients moving to the wrong VLAN.
Scope
FortiNAC.
Solution
- Verify the VLAN value assigned to the client within the Controller/AP.
- Compare the VLAN value to the value logged in NAC. In the NAC Administration UI, navigate to Hosts -> Host View.
- Search for the wireless MAC address of the affected host.
- Verify the Host state (At-Risk, Registered, etc).
- Verify wireless adapter shows online.
- Review the Network Access Value for the wireless adapter.
The adapter’s Network Access Value matches the value in Controller/AP: Suggests NAC assigned the VLAN.
Next steps:
- Verify the SSID Configuration has the correct Network Access values (VLANs) assigned for the various host states. (SSID may be using inherited configuration from Controller/AP).
- If using Network Access Policies to assign VLANs, refer to the related KB article below.
The adapter’s Network Access Value does not match the value in Controller/AP: Suggests NAC did not assign the VLAN.
The next steps are:
- Verify the Shared Secret exactly matches between all the following components:
- Controller/AP.
- SSID.
- Controller/AP Model Configuration in NAC.
- SSID Configuration in NAC.
- (802.1x) RADIUS Server Model (System -> Settings -> RADIUS).
- (802.1x) RADIUS Server.
- Verify the RADIUS response from NAC reached the Controller/AP via packet capture or Controller/AP debug.
If the behavior persists, further debugging may be required. Contact Support for assistance.
Related articles:
Technical Tip: Troubleshooting policies
Troubleshooting Tip: RADIUS wired and wireless clients not connecting
