Dear Fortinet TAC Support,
I am currently implementing EAP-TLS authentication in our company’s network. Our environment consists of Domain Joined PCs, IP Phones, and Printers. I have configured 802.1x with MAC Authentication Bypass (MAB) for non-EAP-capable devices. The 802.1x policy configuration is below.
config switch-controller security-policy 802-1X
    edit "FNAC-802-1X"
        set security-mode 802.1X-mac-based
        set user-group "FNAC-Switch"
        set mac-auth-bypass enable
        set open-auth disable
        set eap-passthru enable
        set eap-auto-untagged-vlans enable
        set guest-vlan disable
        set auth-fail-vlan enable
        set auth-fail-vlan-id "NAC_AG_Dead_End"
        set framevid-apply enable
        set radius-timeout-overwrite disable
        set authserver-timeout-vlan enable
        set authserver-timeout-vlanid "AG_Corp_WiFi"
        set authserver-timeout-tagged disable
        set dacl disable
    next
end
Here is the current status:
However, I am encountering a strange issue with rogue PCs. These devices receive an Authenticate Response: OK from the RADIUS server instead of an Authentication Failed response. As a result, they are placed into the Registration VLAN if the Force Registration Group is applied to the port or to Default VLAN if no policy is applied.
My expectation was that these Rogue PCs would receive an Authentication Failed response and be placed into the auth-fail-vlan configured in the switch security policy.
Could you please help me understand why this is happening and how to ensure Rogue PCs are appropriately flagged as authentication failures and placed in the correct VLAN?
Thank you for your assistance.
Hi Tagayev
The first thing to look at is why the RADIUS response is OK for rogue devices. Once this is fixed, I think your issue will be resolved.
BTW, are rogues still authenticated when you disable MAB?
PS: This is FTNT community, not TAC support.
This is the expected behavior. FortiNAC normally doesn't reject authentications; it tends to isolate the hosts instead, in the case of a Rogue host for example. Even when a host is disabled, it will try to push a dead-end VLAN rather than reject. All isolation networks also have portal access to notify the end user about their status.
If you want to silently isolate the unregistered hosts, you can set up a Registration VLAN in the model configuration with the same value as 'NAC_AG_Dead_End', to be pushed from RADIUS, or not enforce Registration on the switch ports and set this VLAN as the Default VLAN.
The registration can also be denied for new rogue hosts that are seen in the network at device level:
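As an added example, not code from this thread or from Fortinet: the mechanism the answer above describes, modelled in Python. It assumes FortiNAC pushes the isolation VLAN in the standard RFC 2868 tunnel attributes inside an Access-Accept, models the switch decision in simplified form (auth-fail-vlan only on Access-Reject, authserver-timeout-vlan only when the server does not answer, otherwise the RADIUS-assigned VLAN or the port's default VLAN), and constructs the sample packet inline; the policy values come from the question and the default VLAN name is a placeholder.

```python
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

# Values from the FNAC-802-1X policy in the question; default-vlan is a placeholder name.
POLICY = {"auth-fail-vlan": True, "auth-fail-vlan-id": "NAC_AG_Dead_End",
          "authserver-timeout-vlan": True, "authserver-timeout-vlanid": "AG_Corp_WiFi",
          "default-vlan": "DEFAULT_VLAN_PLACEHOLDER"}

def parse_radius(pkt: bytes):
    """Return (code, {attr_type: [raw values]}) for a raw RADIUS packet (RFC 2865 layout)."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20                      # attributes start after the 16-byte authenticator
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(pkt[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def assigned_vlan(attrs):
    """RFC 2868 dynamic VLAN: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6), group id = VLAN."""
    tagged_int = lambda raw: int.from_bytes(raw[1:], "big")   # first byte is the tag
    if not (any(tagged_int(v) == 13 for v in attrs.get(TUNNEL_TYPE, []))
            and any(tagged_int(v) == 6 for v in attrs.get(TUNNEL_MEDIUM_TYPE, []))):
        return None
    raw = attrs.get(TUNNEL_PRIVATE_GROUP_ID, [b""])[0]
    if raw and raw[0] <= 0x1F:               # leading byte is a tag, not part of the string
        raw = raw[1:]
    return raw.decode() or None

def port_vlan(policy, outcome, attrs=None):
    """Simplified switch decision. outcome: 'accept', 'reject' or 'timeout' (server unreachable)."""
    if outcome == "reject":                  # only an Access-Reject ever reaches auth-fail-vlan
        return policy["auth-fail-vlan-id"] if policy["auth-fail-vlan"] else None
    if outcome == "timeout":
        return policy["authserver-timeout-vlanid"] if policy["authserver-timeout-vlan"] else None
    return assigned_vlan(attrs or {}) or policy["default-vlan"]

def build_accept(vlan: str) -> bytes:
    """Constructed Access-Accept carrying a VLAN, the shape assumed for FortiNAC isolating a rogue host."""
    attr = lambda t, v: bytes([t, len(v) + 2]) + v
    body = (attr(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan.encode()))
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body  # zero authenticator: sample only
```

Running `port_vlan(POLICY, "accept", attrs)` on the parsed sample packet yields the pushed isolation VLAN, while `port_vlan(POLICY, "reject")` is the only path that lands in auth-fail-vlan.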