Description
This article describes steps to take when the VLAN does not change as expected on a switch port after a host connects.
Scope
Any supported version of FortiNAC.
Solution
- Confirm the host is connected to the correct port with a status of 'online' under the Ports tab of the switch's Device Model (Network -> Inventory).

If the host shows offline, see the article below:
Technical Tip: Wired hosts displaying incorrect connection status
- Verify the appropriate VLAN is configured to apply for the applicable host state:
- Hosts being assigned to an isolation VLAN: Review the switch's device model under the Model Configuration tab.
Examples:
- The host is a rogue: Registration VLAN.
- The host is marked 'At-Risk': Remediation VLAN.
- The host is marked Disabled: DeadEnd VLAN.

- Registered hosts assigned VLANs using a Network Access Policy: Verify the correct policy matches. See the article below:
Technical Tip: Troubleshooting policies
- Registered hosts where a Network Access Policy is not used to assign VLAN: Confirm the default VLAN is either configured at the switch level (Model Configuration) or port level (Ports tab).
- Verify VLAN switching enabled is selected under the Element tab.

- Verify the appropriate enforcement group is configured under the Ports tab.

Examples:
- The host is a rogue: Port is a member of the Forced Registration group.
- The host is marked 'At-Risk': Port is a member of the Forced Remediation Group.
- The host is marked Disabled: Switch is a member of the Physical Address Filtering group (right-click model and select Group Membership).
- The host is registered and a network access policy is used to assign VLAN: Port is a member of the Role Based Access group.

- Confirm credentials are correct. Under the Credentials tab, select Validate Credentials.
- If SNMP credentials fail, see the article below:
Technical Note: Troubleshooting SNMP communication issues
- If CLI credentials fail, see the article below:
Technical Note: Troubleshooting CLI credential failure
In cases where the RADIUS protocol is used to perform VLAN changes, verify the following:
- RADIUS is enabled on the Device and Model Configuration in FortiNAC.
- The default RADIUS Attribute group has all relevant attributes:
Figure 1. RADIUS Attribute group selection for "RFC Vlan" setting.
- FortiNAC is sending Disconnect Request messages to the switch IP on destination port 3799 to terminate the user session and trigger a new connection that establishes a new authentication session.
- Switch is returning Disconnect ACK and applying the VLAN change on the port.
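To check the last two items from a packet capture, the following added example (not from the original article and not Fortinet code) parses RADIUS payloads taken from UDP port 3799 and pairs each Disconnect-Request with the switch's reply. The packet codes and the Error-Cause attribute come from RFC 5176; the function names and sample packets are constructed for illustration.

```python
import struct

# Packet codes and Error-Cause (attribute 101) are defined in RFC 5176.
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK"}
ERROR_CAUSE = 101

def parse_radius(payload: bytes) -> dict:
    """Parse the 20-byte RADIUS header and attribute TLVs of one UDP payload."""
    if len(payload) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs[a_type] = payload[pos + 2:pos + a_len]
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs}

def disconnect_outcomes(payloads):
    """Pair each Disconnect-Request with its reply and report the outcome."""
    # Simplification: pairs on the Identifier byte only; with a real capture,
    # also key on the FortiNAC and switch addresses.
    pending, results = [], []
    for raw in payloads:
        pkt = parse_radius(raw)
        if pkt["code"] == 40:
            pending.append(pkt["id"])
        elif pkt["code"] in (41, 42) and pkt["id"] in pending:
            pending.remove(pkt["id"])
            cause = pkt["attrs"].get(ERROR_CAUSE)
            detail = int.from_bytes(cause, "big") if cause and len(cause) == 4 else None
            results.append((pkt["id"], CODES[pkt["code"]], detail))
    return results + [(ident, "no reply", None) for ident in pending]

def build(code, ident, attrs=b""):  # constructed sample packet, zeroed authenticator
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

SAMPLE = [  # constructed capture, not real traffic
    build(40, 7, b"\x01\x06user"), build(41, 7),  # answered with ACK
    build(40, 8, b"\x01\x06user"), build(42, 8, b"\x65\x06" + (503).to_bytes(4, "big")),
    build(40, 9),  # never answered
]

if __name__ == "__main__":
    for outcome in disconnect_outcomes(SAMPLE):
        print(outcome)
```

A Disconnect-NAK carries the reason in Error-Cause (503 is "Session Context Not Found" in RFC 5176), while "no reply" points at reachability or a shared-secret or port mismatch rather than at the session itself.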
The following article provides more details related to CoA/Disconnect Message errors and configuration:
- If the switch port is still not changing, confirm the following under the Ports tab (details on the first picture):
- The port is not a member of the Access Point Management group.
- The port does not display as an Uplink.
- Multiple hosts are not connected to the switch port via a hub. Depending upon the state of each connected host, this can cause unexpected VLAN changes.
If the behavior persists, open a support ticket and provide the following information:
- Problem description.
- Troubleshooting steps taken.
- Screen capture of the Element tab of the switch and 'Port Changes' for the test port.
- A grab log snapshot of FortiNAC that contains all the logs.
- Firmware version of FortiNAC. Select the username in the upper right corner, or System Summary from the Dashboard.