Hello, I've configured the persistent agent, but if there is a mismatch during the re-scan, it places the host into the security state "at risk" and assigns it to the registration VLAN. However, since the IP is not renewed, even though the user is now in the registration VLAN, they can still browse as if they were in their previous VLAN (in this case, if the user disconnects and reconnects to the network they will naturally be placed in the registration VLAN). How can I ensure that the persistent agent forces an IP renewal?
Hello,
Please make sure that you have enabled the "PA Optimization Enabled (VLAN Switching Optimization with Persistent Agent)" option under Network --> Inventory --> Switch --> Element tab.
On the other hand, please also check the below settings.
BRs
The settings are like this. But I noticed all hosts are under the SSID name (whichever VLAN, it doesn't matter), not under the VLANs like in the image. That's probably why it's not working. In the other location with exactly the same settings, it's not working like this; it's working as expected. How can I solve this, and what causes this?
This behavior is not expected under normal conditions. When a host's VLAN is changed, its previous IP address (belonging to a different subnet) should no longer provide network access.
Based on the description, it appears that the CoA/DM is either not being sent or not accepted by the WLC, resulting in the host remaining on the original VLAN/subnet instead of being moved to the remediation VLAN.
After looking around a bit, I thought the setting in the screenshot below might be the cause. The people who originally set up the network infrastructure had defined the VLAN assignment on the AP controller (it's Aruba AP by the way) as static and as a register VLAN for the relevant SSID. Yes, it works this way, but it behaves in the manner I described. Could this be related?
The SSID should support dynamic VLAN assignment via RADIUS. The reasons and an example of configuration for FAP is shown in this article: Technical Tip: A simple deployment including FortiGate/FortiAP (self-registered guest)
Created on 08-11-2025 02:14 AM Edited on 08-11-2025 02:14 AM
I configured the dynamic VLAN as in the screenshot before by Tunnel-Private-Group-ID, and I can see the IDs changing in the RADIUS logs, but if I don't disconnect and connect again the IP never changes. Also, I can't see the persistent agent's "new network parameters configuring" screen. Maybe this is the problem.
Created on 08-11-2025 11:39 AM Edited on 08-13-2025 02:15 AM
Changing the AP settings solved the problem.
You need to check the WLC configuration and its logs to determine why it is not disconnecting the host after receiving a CoA/DM from FNAC.
The agent role is not highly relevant when it comes to VLAN enforcement; it primarily notifies the end user of a needed network change and triggers an IP renewal on the end host (ipconfig /renew) when PA optimization is enabled.
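The failure mode in this thread (the RADIUS reply moves the host to the registration VLAN, but the host keeps browsing from its old address because no CoA/DM disconnect or IP renewal happened) can be caught from the defender's side by comparing the VLAN most recently assigned in the RADIUS log against the address the host actually holds. The following Python script is an added example and is not FortiNAC, Aruba or Fortinet code; the log format, the VLAN-to-subnet mapping and the observed client addresses are all constructed for the example.

```python
import ipaddress
import re

# Assumed VLAN-to-subnet mapping; constructed for this example, not taken from the thread.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.10.0.0/24"),   # production VLAN
    99: ipaddress.ip_network("10.99.0.0/24"),   # registration / remediation VLAN
}

# Constructed RADIUS Access-Accept lines. The layout is an assumption and is not
# the actual FortiNAC or WLC log format; only the Tunnel-Private-Group-ID attribute
# name matches what the thread refers to.
RADIUS_LOG = """\
2025-08-11 02:10:01 Access-Accept user=alice mac=AA-BB-CC-00-00-01 Tunnel-Private-Group-ID=10
2025-08-11 02:12:30 Access-Accept user=bob   mac=AA-BB-CC-00-00-02 Tunnel-Private-Group-ID=10
2025-08-11 02:14:05 Access-Accept user=alice mac=AA-BB-CC-00-00-01 Tunnel-Private-Group-ID=99
"""

# Constructed "current address" table, as it might be pulled from DHCP leases
# or the controller's client list after the re-scan.
OBSERVED_IPS = {
    "AA-BB-CC-00-00-01": "10.10.0.25",   # alice: moved to VLAN 99 but still holds a VLAN 10 address
    "AA-BB-CC-00-00-02": "10.10.0.31",   # bob: address matches the assigned VLAN
}

LINE_RE = re.compile(
    r"mac=(?P<mac>[0-9A-F-]{17}).*Tunnel-Private-Group-ID=(?P<vlan>\d+)"
)


def latest_vlan_by_mac(log_text):
    """Return {mac: vlan} using the most recent Access-Accept per MAC (later lines win)."""
    assigned = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            assigned[m.group("mac")] = int(m.group("vlan"))
    return assigned


def find_stale_hosts(log_text, observed_ips, vlan_subnets=VLAN_SUBNETS):
    """Return [(mac, assigned_vlan, ip)] for hosts whose current IP lies outside
    the subnet of the VLAN RADIUS last assigned them, i.e. hosts that were
    re-assigned but never disconnected or renewed their lease."""
    stale = []
    for mac, vlan in latest_vlan_by_mac(log_text).items():
        ip = observed_ips.get(mac)
        if ip is None or vlan not in vlan_subnets:
            continue  # unknown host or unmapped VLAN: nothing to compare against
        if ipaddress.ip_address(ip) not in vlan_subnets[vlan]:
            stale.append((mac, vlan, ip))
    return stale


if __name__ == "__main__":
    for mac, vlan, ip in find_stale_hosts(RADIUS_LOG, OBSERVED_IPS):
        print(f"{mac}: assigned VLAN {vlan} but still using {ip} "
              f"(expected {VLAN_SUBNETS[vlan]}); check CoA/DM handling on the WLC")
```

A host reported by this check is exactly the case the thread describes: the RADIUS side did its job, so the next place to look is the WLC's CoA/DM logs and the dynamic VLAN setting on the SSID, not the agent.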