mbas
New Contributor II

Creating Contractor user with a corporate email address causing existing user isolation

Dear team,

 

Has anyone else observed this issue?

 

When we create a contractor user with a corporate email address and no one logs in with that user, after a while it causes the existing user's VLAN to change to isolation. When I check that user and click Show Hosts, I can see another host belonging to the same user with the contractor email address. The strange thing is that when I check that host, I can see that the logged-on user is the contractor user, even though we did not log in.

 

Somehow, I guess the passive agent finds that device user, checks the email address, and matches it with the contractor user. Is this normal behavior? It's not happening instantly; it takes some time to detect the other host and link it with the contractor user.

 

My goal is to create a contractor user, assign them to the onboarding VLAN, and install new computers. That's why the help desk team creates users with corporate email addresses and keeps them for a month. Do you have any suggestions for overcoming this issue?

Solving a problem is the best feeling.
2 Solutions
AEK
SuperUser

In your LDAP config, what is set as identifier? sAMAccountName or mail?

 

ldap_user_id.png

 

AEK

mbas
New Contributor II

Hi AEK,

 

No, that was the UserPrincipalName attribute in LDAP. I don't use MSCHAPv2; I use EAP-TLS authentication with a user certificate. When I authenticate the user, the host is registered via 802.1X auto-registration, and the username is shown as UserPrincipalName in the RADIUS logs because we set up the certificate settings as UserPrincipalName.

 

radius (1).jpg

Host View:

user-prncpl.jpg

 

However, after changing the identifier to sAMAccountName, the logged-on user was shown as UserID.

host.jpg

No Persistent Agent installed.

 

contractor.jpg

After creating a contractor account with the same email address as the existing user, I can see both the RADIUS-authenticated user and the contractor user in the User Accounts menu.

users.jpg


Before, the user IDs were the same because the email address was the same as the userPrincipalName. As you can see, the user IDs are different now. There is no match for hosts :)

 

This entry can be closed. Thank you so much @AEK and @ebilcari :)

 

Solving a problem is the best feeling.

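The collision described in this thread (a contractor account whose ID equals an existing user's UserPrincipalName, so one host ends up linked to both accounts) can be caught before the account is created. The following is an added example, not code from the thread or from Fortinet: it models the configured LDAP identifier attribute and checks a list of planned contractor accounts against a directory export. Sample users and the case-insensitive comparison are constructed assumptions, not facts from the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DirectoryUser:
    """One LDAP user as FortiNAC would see it (constructed, not a real directory)."""
    sam_account_name: str
    user_principal_name: str
    mail: str

@dataclass(frozen=True)
class ContractorAccount:
    """A local contractor account; in the thread its user ID equals its email address."""
    user_id: str
    email: str

def user_id_for(user: DirectoryUser, identifier: str) -> str:
    """ID recorded for a directory user under the configured LDAP identifier attribute."""
    attrs = {
        "sAMAccountName": user.sam_account_name,
        "userPrincipalName": user.user_principal_name,
        "mail": user.mail,
    }
    if identifier not in attrs:
        raise ValueError(f"unsupported identifier attribute: {identifier}")
    return attrs[identifier]

def find_collisions(directory, contractors, identifier):
    """Return (contractor_id, sAMAccountName) pairs whose user IDs collide.
    Comparison is case-insensitive here (assumption; the thread does not say how IDs are compared).
    """
    by_id = {user_id_for(u, identifier).lower(): u for u in directory}
    return [
        (c.user_id, by_id[c.user_id.lower()].sam_account_name)
        for c in contractors
        if c.user_id.lower() in by_id
    ]

# Constructed sample data: one staff member whose UPN equals the corporate mailbox.
DIRECTORY = [
    DirectoryUser("jdoe", "jdoe@example.com", "jdoe@example.com"),
    DirectoryUser("asmith", "asmith@example.com", "a.smith@example.com"),
]
CONTRACTORS = [
    ContractorAccount("jdoe@example.com", "jdoe@example.com"),    # reuses jdoe's mailbox
    ContractorAccount("temp42@example.com", "temp42@example.com"),
]

if __name__ == "__main__":
    for attr in ("userPrincipalName", "sAMAccountName"):
        print(attr, "->", find_collisions(DIRECTORY, CONTRACTORS, attr))
```

With the identifier set to userPrincipalName the reused mailbox is reported as a collision; with sAMAccountName, as in the accepted answer, no contractor ID matches a directory ID.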