If FortiNAC-F does not match user group and user authentication is failing. For example, in the logs below, FortiNAC is unable to perform dox1x Authentication because it's unable to get the remote user from OpenLDAP.

yams.RadiusAccess.70:B5:E8:7B:BA:9F FINE :: 2025-08-26 14:51:28:786 :: #1145 :: 802.1x Auto Registration: true
yams.RadiusAccess.70:B5:E8:7B:BA:9F FINE :: 2025-08-26 14:51:28:786 :: #1145 :: Register Client: 70b5e87bba9f
yams.RadiusAccess.70:B5:E8:7B:BA:9F FINE :: 2025-08-26 14:51:28:786 :: #1145 :: 802.1x Auto Registration: Register client returned false

yams.RadiusAccess.70:B5:E8:7B:BA:9F.RadiusAccessEngine FINE :: 2025-08-26 14:51:28:787 :: #1145 :: Get Legacy Isolate Action - Rogue Client on Forced Registration port
yams.RadiusAccess.70:B5:E8:7B:BA:9F.RadiusAccessEngine FINE :: 2025-08-26 14:51:28:787 :: #1145 :: Get Legacy Isolate Action returned: LegacyIsolateAction [accessValue=null, action=0, logicalNetworkName=Registration]
yams.RadiusAccess.70:B5:E8:7B:BA:9F.RadiusAccessEngine FINE :: 2025-08-26 14:51:28:787 :: #1145 :: [Post-Auth] Returns: [Access-Reject] Registration - Access Deny (Post-Auth)

Solution:

In LDAP settings for the OpenLDAP (under System -> Setting -> Authentication -> LDAP), apply the following values for Group attributes.

• Object Class: posixGroup
• Name: cn

• Members: memberUid

Select user search and group search branches. Confirm the user DN is inside the selected user search branch and the user is inside the selected group branch.

Note: To use the 'OU' object class type, upgrade to FortiNAC-F v7.6.x.