Help
FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Staff

Created on ‎10-09-2018 11:22 AM

Article Id 196040

Technical Tip: User not matching policy requiring LDAP Group

Description
User does not match User Host Profile requiring LDAP Group.
This prevents policy from matching.

Scope
Version: 8.x.

Solution
Verify the following:

1.  Ensure the user record is a LDAP user and not a local record. 
     Admin Users
     UI Method:  User account has Auth Type = LDAP.  This can be verified under Users > Admin Users.
     CLI Method: DumpUserRecords -userid <username> | grep -i AuthenticateType
     (If something other than LDAP is returned, it is not a LDAP record)

     Standard Users 
     UI Method:
     a. Navigate to Users > User View.  
     b. Search for for the user record
     c. Right-click and select Modify User
         If the record contains a modifiable password field, the record is a local record, not LDAP.       

     CLI Method: DumpUserRecords -userid <username> | grep -i AuthenticateType                 
     (If something other than LDAP is returned, it is not a LDAP record)

2.  The user has group membership in Active directory for the group used in the User Host Profile
3.  The user is searchable using System > Settings > Authentication > LDAP > Preview
4.  The group used in the User Host Profile is selected under System > Settings > Authentication > LDAP > Modify > Select Group
5.  A resync of the Directory has been performed under System > Scheduler >  Synchronize users with directory



Solution:
If user is a local record, do the following:
1.  Navigate to Users > Admin Users or Users > User View and delete the user account.
2.  Re-add the user by clicking Add and entering the User ID.  If found in the directory, the system will indicate the User ID was found in the directory.  

Contact Support for additional assistance. Open a support ticket and include the following:
  • Problem description
  • Steps taken to troubleshoot issue
  • Screen capture of Policy Details (Search host under Hosts > Host View, right-click on host and select Policy Details)
  • Screen capture of Policy host is supposed to match (Policy > Policy Configuration)
  • Screen capture of User Host Profile used by policy
  • Screen capture of Help > About
  • Output of DumpUserRecords -id <username>

Labels:
2307
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.