
Dynamic VLAN provision for wifi user with FortiNAC

I have Cambium Wi-Fi access points that use RADIUS to authenticate end users with FortiNAC. In FortiNAC I added the Cambium AP in Pingable Device mode, and FortiNAC is also integrated with Windows Active Directory to load user credentials. The problem is that end users log in to the Wi-Fi SSID successfully, but after login the AP assigns the user to the default VLAN. I want my FortiNAC to send the VLAN ID based on user credentials in the RADIUS accept message when it responds to the Cambium AP. Is there any way to do that?

Thanks in advance for any help!


Did you follow this guide?

Can you share a screenshot of device's model configuration?

Did you check in RADIUS logs if FNAC is assigning the right VLAN to the connecting client?
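
Added example (not from the thread or from Fortinet): one way to check a captured Access-Accept for the VLAN assignment asked about above. It assumes the AP takes its VLAN from the standard RFC 3580 tunnel attributes; the packets and VLAN 30 below are constructed samples.

```python
import struct

# RFC 2868 attribute numbers; RFC 3580 uses them for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT, TYPE_VLAN, MEDIUM_IEEE_802 = 2, 13, 6

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: first value} from a raw RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("bad or truncated RADIUS packet")
    attrs, pos = {}, 20  # skip code, id, length, 16-byte authenticator
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def vlan_from_accept(packet: bytes):
    """VLAN ID string if the Access-Accept carries the full triplet, else None."""
    attrs = parse_attributes(packet)
    if packet[0] != ACCESS_ACCEPT:
        return None
    ttype, medium = attrs.get(TUNNEL_TYPE, b""), attrs.get(TUNNEL_MEDIUM_TYPE, b"")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    # Tunnel-Type and Tunnel-Medium-Type: one tag byte, then a 3-byte value.
    if len(ttype) != 4 or int.from_bytes(ttype[1:], "big") != TYPE_VLAN:
        return None
    if len(medium) != 4 or int.from_bytes(medium[1:], "big") != MEDIUM_IEEE_802:
        return None
    # Tunnel-Private-Group-ID: a first byte <= 0x1F is a tag, not part of the ID.
    if group and group[0] <= 0x1F:
        group = group[1:]
    return group.decode("ascii") if group else None

# Constructed sample packets (zeroed authenticator, VLAN 30 chosen arbitrarily).
def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def _packet(code: int, *attrs: bytes) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

_TUNNEL = _attr(64, b"\x00\x00\x00\x0d") + _attr(65, b"\x00\x00\x00\x06")
WITH_VLAN = _packet(2, _TUNNEL, _attr(81, b"30"))
NO_VLAN = _packet(2, _attr(18, b"ok"))  # Reply-Message only, no tunnel attributes
```

A result of `None` for a real Access-Accept means the server sent no usable VLAN triplet, so the AP has nothing to apply beyond its default.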


Hi anhbt, 


In case your host matches no NAC policy, FortiNAC returns the Default VLAN (default behavior).


To enforce control and change the VLAN you will need to make the SSID part of the Role Based Access system group. Right-click the SSID in your inventory and select "Group Membership". Select "Role Based Access".


Role-Based Access

Ports that participate in role-based access and switch VLANs, based on the role of network devices, such as printers, when they connect.

Add switch ports that participate in VLAN switching. Ports that participate have their VLAN ID set to the role specified for the connected network device.


FortiNAC will apply NAC policies after host is registered and associated to the logged in user. Access is provided based on role.

To check if host is matching the policy go to Host View and right click the affected host.

Select "Policy Details" and make sure the wanted Network Access Policy is matching.


For more details also check the section "Stage 5. Enforce Control." in KB below:

