FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
haljawhari
Staff
Article Id 192639

Description


This article describes steps to take when the VLAN does not change as expected on a switch port after a host connects.

Scope

Any supported version of FortiNAC.


Solution

  1. Confirm the host is connected to the correct port with a status of 'online' under the Ports tab of the switch's Device Model (Network -> Inventory).

inventory.PNG

If the host shows as offline, see the article below:

Technical Tip: Wired hosts displaying incorrect connection status

  2. Verify the appropriate VLAN is configured for the applicable host state:
  • Hosts being assigned to an isolation VLAN: review the switch's device model under the Model Configuration tab.

Examples:

  • The host is a rogue: Registration VLAN.
  • The host is marked 'At-Risk': Remediation VLAN.
  • The host is marked Disabled: DeadEnd VLAN.

modeli.PNG

  • Registered hosts assigned VLANs using a Network Access Policy: verify the correct policy matches. See the article below:

Technical Tip: Troubleshooting policies

  • Registered hosts where a Network Access Policy is not used to assign the VLAN: confirm the default VLAN is configured either at the switch level (Model Configuration) or at the port level (Ports tab).

  3. Verify 'VLAN switching enabled' is selected under the Element tab.

switchin.PNG

  4. Verify the appropriate enforcement group is configured under the Ports tab.

membership.PNG

Examples:

  • The host is a rogue: Port is a member of the Forced Registration group.
  • The host is marked 'At-Risk': Port is a member of the Forced Remediation group.
  • The host is marked Disabled: Switch is a member of the Physical Address Filtering group (right-click model and select Group Membership).
  • The host is registered and a network access policy is used to assign the VLAN: Port is a member of the Role Based Access group.

host-satt.PNG

  5. Confirm credentials are correct: under the Credentials tab, select Validate Credentials.
  • If SNMP credentials fail, see the article below:

Technical Note: Troubleshooting SNMP communication issues

  • If CLI credentials fail, see the article below:

Technical Note: Troubleshooting CLI credential failure

Where the RADIUS protocol is used to perform VLAN changes, verify the following:

  • RADIUS is enabled on the Device and Model Configuration in FortiNAC.
  • The default RADIUS Attribute group has all relevant attributes:

Figure 1. RADIUS Attribute group selection for the "RFC Vlan" setting.

  • FortiNAC is sending Disconnect-Request messages to the switch IP on destination port 3799 to terminate the user session and trigger a new authentication session.
  • The switch is returning a Disconnect-ACK and applying the VLAN change on the port.

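Added example (not from this article or from Fortinet): a Python check of the Disconnect-Request / Disconnect-ACK exchange described above, built on the packet layout and authenticator rules of RFC 5176, so a request/reply pair captured on port 3799 between FortiNAC and the switch can be validated against the shared secret. The shared secret, RADIUS identifier and host MAC are constructed sample values.

```python
import hashlib
import struct

# RADIUS packet codes from RFC 5176 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID = 31  # attribute carrying the host MAC in the request
SECRET = b"constructed-shared-secret"  # constructed sample, not a real key

def encode_attrs(attrs):
    """Type-Length-Value encoding of RADIUS attributes (Length includes T and L)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_disconnect_request(ident, attrs, secret):
    """FortiNAC side: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def build_reply(code, request, secret, attrs=()):
    """Switch side (ACK/NAK): Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def parse(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, attributes)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos, length = [], 20, len(packet)
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return packet[0], packet[1], packet[4:20], attrs

def verify_reply(reply, request, secret):
    """Judge the switch's reply to a Disconnect-Request: (vlan_change_expected, reason)."""
    code, ident, auth, _ = parse(reply)
    if ident != request[1]:
        return False, "reply Identifier does not match the request"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if expected != auth:
        return False, "bad Response Authenticator (shared secret mismatch?)"
    if code == DISCONNECT_ACK:
        return True, "Disconnect-ACK: session torn down, host re-authenticates"
    return False, "Disconnect-NAK" if code == DISCONNECT_NAK else "unexpected code %d" % code
```

A reply whose Response Authenticator fails the check usually means the RADIUS secret configured on the switch does not match the one in the FortiNAC model, and a Disconnect-NAK means the switch rejected the session identification carried in the request.
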
The following article provides more details related to CoA/Disconnect Message errors and configuration:

  6. If the switch port is still not changing, confirm the following under the Ports tab (see the first screenshot):
  • The port is not a member of the Access Point Management group.
  • The port does not display as an Uplink.
  • Multiple hosts are not connected to the switch port via a hub. Depending upon the state of each connected host, this can cause unexpected VLAN changes.

If the behavior persists, open a support ticket and provide the following information:

  • Problem description.
  • Troubleshooting steps taken.
  • Screen capture of the Element tab of the switch and 'Port Changes' for the test port.
  • A grab log snapshot of FortiNAC containing all the logs.
  • Firmware version of FortiNAC (select the username in the upper right corner, or System Summary from the Dashboard).