mbas
New Contributor II

Creating Contractor user with a corporate email address causing existing user isolation

Dear team,

Has anyone else observed this issue?

When we create a contractor user with a corporate email address and no one logs in with that user, after a while, it causes the existing user VLAN to change to isolation. When I check that user and click Show Hosts, I can see another host belonging to the same user with the contractor email address. The strange thing is that when I check that host, I can see that the logged-on user is the contractor user, even though we did not log in.

Somehow, I guess the passive agent finds that device user, checks the email address, and matches it with the contractor user. Is this normal behavior? It's not happening instantly; it takes some time to detect the other host and link it with the contractor user.

My goal is to create a contractor user, assign them to the onboarding VLAN, and install new computers. That's why the help desk team creates users with corporate email addresses and keeps them for a month. Do you have any suggestions for overcoming this issue?

Solving a problem is the best feeling.
2 Solutions
AEK
SuperUser

In your LDAP config, what is set as the identifier? sAMAccountName or mail?

(attached screenshot: ldap_user_id.png)

AEK
mbas
New Contributor II

Hi AEK,

No, that was the UserPrincipalName attribute in LDAP. I don't use MSCHAPv2; I use EAP-TLS authentication with a user certificate. When I authenticate the user, the host is registered with 802.1x auto-registration, and the username is shown as UserPrincipalName in the RADIUS logs because we set up the certificate settings as UserPrincipalName.

(attached screenshot: radius (1).jpg)
Host view:

(attached screenshot: user-prncpl.jpg)

However, after changing the identifier to sAMAccountName, the logged-on user was shown as UserID.

(attached screenshot: host.jpg)

No Persistent Agent installed.

(attached screenshot: contractor.jpg)

After creating a contractor account with the same email address as the existing user, I can see both the RADIUS-authenticated user and the contractor user in the User Accounts menu.

(attached screenshot: users.jpg)


Before, the user IDs were the same because the email address was the same as the userPrincipalName. As you can see, the user IDs are different now. There is no match for hosts :)

This entry can be closed. Thank you so much @AEK and @ebilcari :)

Solving a problem is the best feeling.
10 Replies
AEK
SuperUser

Hi mbas

I may not have understood the issue you described, but I think I understand your requirement.

You want to assign the new hosts of your company that are not yet part of the domain to a special VLAN where the helpdesk team can install it and join it to the domain, right?

AEK
mbas
New Contributor II

Yes, this is the requirement. I want to use the contractor template for this. This way, all help desk personnel can create a user account for themselves and log in with a new computer, and I can assign them an onboarding VLAN.

However, if another device has the same email as the contractor user, FortiNAC links that device to the contractor user, which I don't want to happen. I enabled Passive Agent for user tracking, but I think because of that, FortiNAC finds all devices related to that email address and shows the contractor user as the logged-on user.

I did not expect to see the logged-on user be the contractor user on an existing computer. That's where I got confused :)

Solving a problem is the best feeling.
AEK

So why should it be a contractor account? Why not AD account?

Once he gets the portal, the helpdesk will login with his AD account and he will be dropped in the special VLAN.

And once the PC joins the domain and the persistent agent is installed, the policy will drop it in the prod VLAN.

Is there any problem with this scenario?

AEK
mbas
New Contributor II

In that scenario, each device will be registered under the same Help Desk username. In the Host menu, we don't want to see every host registered to the same help desk user. However, in this case, we can delete the host from FortiNAC once installation is complete. The main concern is that the customer does not want to grant permission to help desk users. They also don't want to enable user login with AD credentials because otherwise, everyone will register their different devices.

I cannot enable user login without a separate portal. I also cannot differentiate users; that is why I cannot use a portal policy. How can I create user profiles for guest and onboarding users? Any suggestions?

Solving a problem is the best feeling.
ebilcari

You can also check if the 'Game Console' option helps meet this requirement; some information can be found here.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
mbas
New Contributor II

Yes, that's another option, but it doesn't limit access. Anyone can register that way. What I will do is create a local user for the help desk. If an 802.1x request comes in with that local user, I will put it into the onboarding VLAN. Then, I will remove the host from the FNAC.

Solving a problem is the best feeling.
ebilcari
Staff

Is the contractor username related to the user part of the email address that is used? Do these hosts have the Persistent Agent installed while they are onboarding?

FNAC will try to match Users after they successfully register a host and by default will try to cut the domain part and just match the sAMAccountName.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
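The matching behaviour described in the reply above (cut the domain part off the registered username and match the user ID), together with the identifier change that resolved this thread (userPrincipalName versus sAMAccountName), modelled as an added Python example. This is not FortiNAC code and not code from any poster. It assumes that every user record is keyed on a single user-ID string (for directory users, the LDAP attribute chosen as the identifier; for a contractor account, the username the help desk typed), that the matcher compares the domain-stripped RADIUS username against those IDs, and that it falls back to the verbatim name when the stripped form matches nothing; that fallback, the `corp.example` domain and the `jdoe` records are constructed assumptions.

```python
"""Toy model of user-to-host matching as discussed in this thread.

Added example, not FortiNAC code. Assumptions (not facts from the thread):
a user record is keyed on one user-ID string; for LDAP users that string is
the attribute chosen as the identifier; for a contractor account it is the
username the help desk typed; the matcher cuts the domain part off the
RADIUS username and looks for an exact user-ID match, falling back to the
verbatim name when nothing matches. All sample records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class UserRecord:
    source: str   # "ldap" or "contractor"
    user_id: str  # the key the matcher compares against (assumption)
    email: str


def strip_domain(username: str) -> str:
    """Cut the domain part: 'jdoe@corp.example' -> 'jdoe', 'CORP\\jdoe' -> 'jdoe'."""
    if "\\" in username:
        username = username.split("\\", 1)[1]
    return username.split("@", 1)[0]


def ldap_user_record(entry: dict[str, str], identifier: str) -> UserRecord:
    """User record for a directory entry, keyed on the configured identifier
    attribute (the LDAP setting asked about in the accepted solution)."""
    return UserRecord("ldap", entry[identifier], entry["mail"])


def match_users(radius_username: str, users: list[UserRecord]) -> list[UserRecord]:
    """Users whose ID equals the domain-stripped RADIUS username; if none,
    users whose ID equals the verbatim name (the fallback is an assumption)."""
    for candidate in (strip_domain(radius_username), radius_username):
        hits = [u for u in users if u.user_id.lower() == candidate.lower()]
        if hits:
            return hits
    return []


# Constructed sample: one domain user, plus a contractor account the help desk
# created using that user's corporate email address as the contractor username.
LDAP_ENTRY = {
    "sAMAccountName": "jdoe",
    "userPrincipalName": "jdoe@corp.example",
    "mail": "jdoe@corp.example",
}
CONTRACTOR = UserRecord("contractor", "jdoe@corp.example", "jdoe@corp.example")
# EAP-TLS with the certificate identity set to the UPN, as in the thread:
# the RADIUS log shows the UPN as the username of the registered host.
RADIUS_USERNAME = "jdoe@corp.example"


def matched_sources(identifier: str) -> list[str]:
    """Sources of every user record matched to the host for a given LDAP identifier."""
    users = [ldap_user_record(LDAP_ENTRY, identifier), CONTRACTOR]
    return sorted(u.source for u in match_users(RADIUS_USERNAME, users))


def is_ambiguous(identifier: str) -> bool:
    """True when more than one user record claims the same host, which is the
    situation behind the isolation symptom reported in this thread."""
    return len(matched_sources(identifier)) > 1


def contractor_id_collides(contractor_user_id: str, users: list[UserRecord]) -> bool:
    """Conservative pre-creation check: would this contractor username equal an
    existing user ID, verbatim or with the domain part cut off on either side?"""
    keys = {contractor_user_id.lower(), strip_domain(contractor_user_id).lower()}
    return any(u.user_id.lower() in keys or strip_domain(u.user_id).lower() in keys
               for u in users)


if __name__ == "__main__":
    for ident in ("userPrincipalName", "sAMAccountName"):
        print(f"identifier={ident}: matched={matched_sources(ident)} "
              f"ambiguous={is_ambiguous(ident)}")
```

With the identifier set to userPrincipalName both records claim the host; with sAMAccountName only the directory user does. `contractor_id_collides` is deliberately stricter than the matcher: it flags a proposed contractor username that equals an existing user ID in either form, which is the rule the original poster settled on (no contractor accounts that reuse an existing user's corporate address).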
mbas
New Contributor II

The new user does not have PA, but the existing user does. We just created a contractor account, and even without logging in, the existing user was isolated after 5-10 minutes. The contractor username and the existing user have the same email address.

If FNAC is matching, then I will tell them not to create any contractor accounts with the same email addresses as existing users.

The only thing I don't understand is why the FNAC changed the logged-on user to the contractor user on the existing host.

Thanks, Emirjon.

Solving a problem is the best feeling.