Description | This article describes how to handle a scenario where port flapping occurs when NAC is enabled on a FortiSwitch port. |
Scope | FortiSwitch v7.2 and v7.4 in FortiLink mode. |
Solution |
The setup involves using NAC with FortiEMS tags for both wired and wireless connections on a single laptop.
Behavior noticed during the issue: port flapping occurs when the client PC first connects to the network over wireless and then switches to a wired connection.
Solution 1: Change the implementation from legacy NAC to LAN segments. This prevents the port from bouncing and keeps the laptop's Ethernet IP address unchanged, so FortiClient no longer sends network adapter change information to EMS, which resolves the issue. Refer to the NAC LAN segments documentation (nac-lan-segments). LAN segments are enabled under the FortiLink settings, where <fortilink-interface> is a placeholder for the FortiLink interface name:
config switch-controller fortilink-settings
    edit "<fortilink-interface>"
        config nac-ports
            set lan-segment enable
        end
    next
end
Solution 2:
An enhancement was added to the NAC/DPP features in FortiOS 7.4.4 and later to retain matched devices even when the device is removed from the user-device store and the dynamic firewall tables. This allows NAC to keep the laptop's Ethernet MAC address in the NAC policy match even after the device is removed from the EMS tags. It is enabled by changing the NAC policy match-type from dynamic to override. Refer to the network access control documentation (network-access-control). Apply the setting to the existing NAC policy, where <policy-name> is a placeholder for the policy name and the policy's other settings stay unchanged:
config user nac-policy
    edit "<policy-name>"
        set match-type override
    next
end