FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 253321



This article describes how to configure access point management in FortiNAC. In deployments that have unmanaged APs or Hubs, FortiNAC is unable to assign different VLANs depending on host status. This option offers the ability to divide these hosts in two groups normal and isolated while sharing the same VLAN.




FortiNAC with a non-managed AP or hub.




Access point management configuration is used in environments where control over the host VLAN access is not possible. For example, when hosts are connecting to the network through devices that do not support VLANs, such as non-intelligent switches or access points.


This feature controls hosts through IP address assignment. All hosts share the same VLAN, but hosts that need to be isolated will be presented with captive portal pages appropriate for their state. FortiNAC provides DHCP and DNS service on the access point management VLAN and for isolated hosts.



The interface must be enabled and an IP address and mask need to be configured. There are two address pools for this isolated VLAN.


The first address pool defines the DHCP scope and DNS server for hosts that have a 'normal' state.

When a host connects to a port that is on the access point management VLAN and issues a DHCP request, FortiNAC consults the list of all normal state hosts, which it maintains within its configuration.

If the host is found in the list, FortiNAC will assign an IP address from the authenticated address pool and assign a production DNS server. The host will then have access to any site that can be resolved by that DNS server.


The second scope is created for hosts that have any state other than 'normal'. There is no DNS server defined for this scope. FortiNAC will automatically assign itself for DNS wildcarding and presentation of the appropriate isolation pages.


Enable option under Settings -> Control -> Access Point Management:




The managed switch port used when a device (a hub or an AP) connects need to have:

- Access Point Management.

- Authorized Access Points.


The VLAN should be manually assigned for this switch port where the AP or the hub connects.



From the network device or the user's gateway, point the DHCP relay to FortiNAC. For example, a FortiGate-FortiSwitch connection in FortLink mode has the following configurations available:




From the end host perspective, the following are seen.


While in isolation:




After registration, the host will receive an IP from the production part of the subnet and the production DNS servers: