Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Khurramtariq
New Contributor II

FortiNAC 802.1X Authentication VLAN change/unauthenticated

Dear All

We have deployed FortiNAC 7.6 (latest version) and are using it for 802.1X authentication with Cisco switches and AD authentication through WinBind. Authentication was working well for some customers but it is not stable. Now we are facing that Cisco shows authentication successful, but on FortiNAC it shows "unauthenticated" and the host remains in the Isolation/authentication VLAN, meaning the VLAN change is not happening. This product is strange; sometimes it becomes very slow. We are using PEAP MSCHAPv2 with user authentication.

Please suggest.

1 Solution
ebilcari
Staff

There is a common misconception regarding the Authentication policy and the status of the host (red A). This authentication can be treated as a second layer of authentication through the portal or Persistent Agent, which is not required when the host is already authenticating with RADIUS. If this is the case, make sure to not enforce Authentication because it is not required.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.


10 Replies
Khurramtariq

Hi Ebilcari,

Thanks for your contribution. I unchecked "forced authentication" on the switch port under FortiNAC > Inventory > switch port; now 2-3 PCs are authenticating successfully and getting IP addresses too in the test run. We are monitoring the behavior and will then update. I cannot share a screenshot here, but on FortiNAC it is still showing the unauthenticated host "A" in red. Also, the IP address of one host is showing in the adapter options and the other host's is not, although both are on the same network, with the same authentication and Windows.

ebilcari

The host status (needs authentication) should change the next time the host connects to the network and the port doesn't have authentication enforced.

The IP address of the hosts is usually learned through the L3 device that is the gateway of the hosts and has that information in its ARP table.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Khurramtariq

Hi, I removed the "forced authentication" check and the hosts are showing "A" in red, and the IP address is not showing for the host. The L3 ARP table is OK; I will troubleshoot again. Please let me know: if we want to authenticate the machine also, before the user, what should we do then? Currently we are using "user authentication in PC" only.

ebilcari

User authentication should be enough for this type of deployment. As long as the host matches a UHP of an Authentication policy, it will change the host status. Enforcement configured on the port relates to the action of VLAN switching. If it still shows as needing to authenticate, check the UHP or disable the Authentication policy.

Since you are on the 7.6 branch, make sure to also update to the latest version, 7.6.1, if not done yet.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Khurramtariq

It might be an issue with the UHP; there is not much help on the internet for this type of deployment. I will disable the UHP or the authentication policy and then try. If you have any sample config of a UHP policy, please share, and I will definitely update to 7.6.1.

Thank you Ebilcari

ebilcari

Basically you don't need a UHP or an Authentication policy at all to match hosts that are doing RADIUS authentication with credentials (PEAP is used).

You will need a UHP to apply to a Network Access policy in order to assign a logical network > VLAN to the host. The UHP doesn't have to be very complex, as long as it is specific enough to differentiate the hosts as required. An example:

[screenshot: uhp-simple.PNG]

You can read about the details of these options in the Administration guide.

Also refer to this article to get more information about the flow of actions from a similar example.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Khurramtariq

Thank you for the information. I tried to upgrade, but the auto update failed, showing "401 unauthorized directory" or something. I downloaded the file but don't know how to upload it for the upgrade.

Now I disabled forced authentication on the switch; it is VLAN 51 as the non-prod VLAN, but in FortiNAC after authentication it is showing current and default VLAN 10, which is the prod VLAN.

ebilcari

You can upgrade FNAC through the CLI as shown in this article, but it's better to do it from the UI. You will need a case with TAC support because the credentials cannot be shared publicly; the other fields can be completed like this:

[screenshot: updates.PNG]

Regarding the current VLAN listed in the UI, this is expected behavior because it shows the VLAN that is configured through the CLI on the switch. The VLANs that are sent by RADIUS are dynamic VLANs.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
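As an added illustration of the dynamic VLAN point above (example code written for this page, not FortiNAC's or Fortinet's code): a small Python parser for the RFC 2868/RFC 3580 tunnel attributes that a RADIUS Access-Accept uses to push a VLAN to the switch, run against a constructed packet carrying the prod VLAN 10 from this thread. The packet builder and its zeroed Response Authenticator are assumptions for offline testing only.

```python
import struct

# RADIUS attribute numbers and values that carry a dynamic VLAN (RFC 2868 / RFC 3580)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802, ACCESS_ACCEPT = 13, 6, 2


def parse_attributes(blob: bytes):
    """Split a RADIUS attribute block into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs


def dynamic_vlan(packet: bytes):
    """VLAN an Access-Accept assigns (int, or str for a VLAN name); None if the
    packet is not an Accept or the three tunnel attributes are absent/inconsistent."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length > len(packet):
        return None
    found = {}
    for atype, val in parse_attributes(packet[20:length]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            # integer tunnel attributes: 1-byte tag followed by a 3-byte value
            found[atype] = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # string attribute: a leading byte <= 0x1F is a tag, otherwise it is data
            found[atype] = val[1:] if val and val[0] <= 0x1F else val
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802
            or not found.get(TUNNEL_PRIVATE_GROUP_ID)):
        return None
    text = found[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
    return int(text) if text.isdigit() else text


def build_access_accept(vlan: str, tagged: bool = True, code: int = ACCESS_ACCEPT) -> bytes:
    """Constructed sample reply for testing only; the 16-byte Response Authenticator is
    zeroed here, whereas a real NAS must verify it against the shared secret."""
    def attr(atype, value):
        return bytes([atype, len(value) + 2]) + value
    attrs = (attr(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, (b"\x01" if tagged else b"") + vlan.encode()))
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs
```

If a capture of the switch-to-FortiNAC exchange shows an Access-Accept without these three attributes, the host stays in the port's CLI-configured VLAN, which is what the "current VLAN" column reflects.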