FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.

This article describes the behavior where a host's IP address does not update after a VLAN change when the host is connected to a FortiSwitch managed by FortiNAC. It affects hosts authenticating via RADIUS.


The following is observed when FortiNAC changes a VLAN:

1) FortiNAC sends the CoA packet to the FortiSwitch and the FortiSwitch acknowledges the CoA request.

2) The end station requests authentication and FortiNAC responds, providing the new VLAN.


Result: FortiSwitch shows that the host is assigned to the new VLAN; however, the host maintains its old IP address.

Scope: FortiNAC version 8.8 and greater.

Configure FortiNAC to include the custom attribute Fortinet-Host-Port-AVPair action=bounce-port in the RADIUS response in order for the host to request a new IP address.



Once the property below is set, FortiNAC will include the attribute when responding to any FortiSwitch.


1) Upgrade to version 9.4.2.

2) Log in to the appliance CLI as root and enable the global property:

globaloptiontool -name radiusServer.use.coa.for.disconnect -set true


To disable this property, run the command:

globaloptiontool -name radiusServer.use.coa.for.disconnect -set false
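
To confirm the change took effect, the raw RADIUS packet FortiNAC sends to the FortiSwitch can be checked for the attribute. The following is an added example, not Fortinet code: the function names are hypothetical, the sample packet is constructed, and the vendor sub-attribute number 42 used in the sample is an assumption that the check itself does not rely on (it matches on Fortinet's vendor ID 12356 and the value action=bounce-port).

```python
import struct

FORTINET_PEN = 12356            # Fortinet's IANA enterprise number
VENDOR_SPECIFIC = 26            # RADIUS Vendor-Specific attribute (RFC 2865)
BOUNCE = b"action=bounce-port"  # value named in this article

def fortinet_vsas(packet: bytes):
    """Yield (vendor_type, value) for each Fortinet VSA in a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20                    # attributes start after the authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        body = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != FORTINET_PEN:
            continue
        sub = body[4:]          # one or more vendor sub-attributes
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            yield vtype, sub[2:vlen]
            sub = sub[vlen:]

def has_bounce_port(packet: bytes) -> bool:
    """True if any Fortinet VSA carries action=bounce-port."""
    return any(value == BOUNCE for _, value in fortinet_vsas(packet))

def build_sample(value: bytes, vendor_type: int = 42) -> bytes:
    """Constructed packet (code 2, zeroed authenticator) with one Fortinet VSA.
    vendor_type 42 is an assumed number; the check ignores it and the code."""
    sub = bytes([vendor_type, 2 + len(value)]) + value
    vsa = (bytes([VENDOR_SPECIFIC, 6 + len(sub)])
           + struct.pack("!I", FORTINET_PEN) + sub)
    return struct.pack("!BBH", 2, 1, 20 + len(vsa)) + bytes(16) + vsa

if __name__ == "__main__":
    print(has_bounce_port(build_sample(BOUNCE)))
```

Feed `has_bounce_port` the UDP payload of a captured packet; a False result after the property is set means the attribute is not reaching the switch.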