FortiNAC does not allow to change Default Enforcement as 'deny' or 'bypass' by using GUI. However, it can changed by using CLI.


First, the SSID's DBID should be learned by using the 'dumpports' command shown below. 

device -dbid <SSID_DBID> -setAttr -name DefaultAction - value 0

Note: The above change will not reflect on the GUI, and the GUI will display Default Enforcement's value as 'Enforce'. However, when a host tries to authenticate by using the SSID and if it does not match any Network Access Policy, FortiNAC rejects the authentication request since Default Enforcement is denied. In this case in Radius logs, a log like the one below should be displayed.
 

Tue Dec 17 17:18:16 2024 : Auth: (1078) Rejected in post-auth: [6C-88-14-A1-D7-D0] (from client 192.168.0.254 port 0 cli 6C-88-14-A1-D7-D0)
Tue Dec 17 17:18:16 2024 : Auth: (1078) Login incorrect (Default Access Deny (Post-Auth) [6C-88-14-A1-D7-D0] (from client 192.168.0.254 port 0 cli 6C-88-14-A1-D7-D0)
Tue Dec 17 17:18:16 2024 : Debug: (1078) Delaying response for 1.000000 seconds
Tue Dec 17 17:18:16 2024 : Debug: Waking up in 0.3 seconds.
Tue Dec 17 17:18:16 2024 : Debug: Waking up in 0.6 seconds.
Tue Dec 17 17:18:17 2024 : Debug: (1078) Sending delayed response
Tue Dec 17 17:18:17 2024 : Debug: (1078) Sent Access-Reject Id 6 from 192.168.0.202:1812 to 192.168.0.254:15902 length 71
Tue Dec 17 17:18:17 2024 : Debug: (1078) Reply-Message = "Default Access Deny (Post-Auth)"