Help
FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Staff

Created on ‎10-09-2018 11:22 AM Edited on ‎09-22-2025 03:07 AM By Moderator

Article Id 196040

Technical Tip: User not matching policy requiring LDAP Group

Description

 
This article describes a use case where a user does not match a User Host Profile that requires an LDAP group. As a result, the policy fails to match.


Scope

 

FortiNAC.

Solution

 

Verify the following:

  1. Ensure the user record is an LDAP user and not a local record. 

Admin Users.
UI Method: User account has Auth Type = LDAP.  This can be verified under Users & Hosts -> Administrators.
CLI Method:

 

DumpUserRecords -userid <username> | grep -i AuthenticateType


If something other than LDAP is returned, it is not an LDAP record.

 

Standard Users.
UI Method:

  1. Navigate to Users & Hosts -> User Accounts.  
  2. Search for the user record.
  3. 'Right-click' and select Modify User.

 

If the record contains a modifiable password field, the record is a local record, not LDAP.       

CLI Method:

 

DumpUserRecords -userid <username> | grep -i AuthenticateType                 

 

If something other than LDAP is returned, it is not an LDAP record.

 

  1. The user has group membership in Active Directory for the group used in the User Host Profile.

  2. The user is searchable using System -> Settings -> Authentication -> LDAP -> Preview.

  3. The group used in the User Host Profile is selected under System -> Settings -> Authentication -> LDAP -> Modify -> Select Groups.

  4. A resync of the Directory has been performed under System -> Scheduler -> Synchronize Users with Directory'.

     


If the user exists as a local record, the following steps are required:

 

  1. Navigate to Users & Hosts -> Administrators or Users & Hosts -> User Accounts and delete the user account.
  2. Re-add the user by clicking Add and entering the User ID. If found in the directory, the system will indicate that the User ID was found in the directory. 

 

Contact Support for additional assistance. Open a support ticket and include the following:

  • Problem description.
  • Steps taken to troubleshoot the issue.
  • Screen capture of Policy Details (Search host under Hosts -> Host View, 'right-click' on host and select Policy Details).
  • Screen capture of Policy host is supposed to match (Policy -> Policy Configuration).
  • Screen capture of the User Host Profile used by the policy.
  • Screen capture of Help -> About.
  • Output of DumpUserRecords -id <username>.

 

Related articles:

Technical Tip: What causes a host to be moved to an imported LDAP Host Group

Technical Tip: Best practices for LDAP configuration

Technical Tip: Lookup a user in LDAP from CLI

Technical Tip: How FortiNAC 'Registered Hosts' Group Works

Technical Tip: Import users from Active Directory group

Labels:
2551
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.