If FortiNAC-F does not match user group and user authentication is failing. For example, in the logs below, FortiNAC is unable to perform dox1x Authentication because it's unable to get the remote user from OpenLDAP.

yams.RadiusAccess.70:B5:E8:XX:XX:XX FINE :: 2025-08-26 14:51:28:786 :: #1145 :: 802.1x Auto Registration: true
yams.RadiusAccess.70:B5:E8:XX:XX:XX FINE :: 2025-08-26 14:51:28:786 :: #1145 :: Register Client: 70b5e8xxxxxx
yams.RadiusAccess.70:B5:E8:XX:XX:XX FINE :: 2025-08-26 14:51:28:786 :: #1145 :: 802.1x Auto Registration: Register client returned false

yams.RadiusAccess.70:B5:E8:XX:XX:XX.RadiusAccessEngine FINE :: 2025-08-26 14:51:28:787 :: #1145 :: Get Legacy Isolate Action - Rogue Client on Forced Registration port
yams.RadiusAccess.70:B5:E8:XX:XX:XX.RadiusAccessEngine FINE :: 2025-08-26 14:51:28:787 :: #1145 :: Get Legacy Isolate Action returned: LegacyIsolateAction [accessValue=null, action=0, logicalNetworkName=Registration]
yams.RadiusAccess.70:B5:E8:XX:XX:XX.RadiusAccessEngine FINE :: 2025-08-26 14:51:28:787 :: #1145 :: [Post-Auth] Returns: [Access-Reject] Registration - Access Deny (Post-Auth)

Solution:

In LDAP settings for the OpenLDAP (under System -> Setting -> Authentication -> LDAP), apply the following values for Group attributes.

• Object Class: posixGroup
• Name: cn

• Members: memberUid

Select the user search and group search branches. Confirm the user DN is inside the selected user search branch, and the user is inside the selected group branch.

The configuration above can be verified against the OpenLDAP group settings by running the following command to check the group configurations in OpenLDAP.

ldapsearch -x -H ldap://localhost -b "dc=openldap,dc=lab" "(objectClass=posixgroup)"

If the configuration is correct, the OpenLDAP group will appear in the Select Groups tab.

Note:

To use the 'OU' object class type, upgrade to FortiNAC-F v7.6.x.