barisben
New Contributor II

FortiNAC-F Port-Access Security VLAN Not Updating Properly

Hello, I have a strange issue on FortiNAC-F. The switch is an Aruba 6100 AOS-CX. The credentials are correct and the RADIUS configuration has been set up, for example, on two ports. It's working properly, but the problem is that for ports that are not connected, it assigns the default VLAN 116 and it's updating the config as "vlan access 116". However, for ports that have performed "port-access-security" with MAC authentication or dot1x auth, it doesn't assign the "vlan access x" value. It stays as "vlan access 1", but the authentication has been successfully performed, meaning there isn't an issue here. However, unlike the default VLAN, it does not update the VLAN access ID on the port as 'vlan access x'. Then, although the host connected to the port is listed in the MAC table, I cannot see it on FortiNAC. As you can see in the first screenshot, the port is indeed active. When I disable and re-enable the port, for a while (even though 'vlan access 1' is still shown on the switch) I can see the correct VLAN in FortiNAC. However, after some time it reverts to an empty value. Of course the host continues to function properly. After the host authenticates with RADIUS, for some reason the port updates itself as Adapter Disconnected.
What could the issue be?


interface 1/1/8
    no shutdown
    vlan access 1
    port-access onboarding-method concurrent enable
    aaa authentication port-access dot1x authenticator
        cached-reauth
        cached-reauth-period 86400
        quiet-period 10
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 10
        enable
interface 1/1/13
    no shutdown
    vlan access 116
    port-access onboarding-method concurrent enable
    aaa authentication port-access dot1x authenticator
        cached-reauth
        cached-reauth-period 86400
        quiet-period 10
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 10
        enable

08:a1:89:xx:xx:xx      111      port-access-security      1/1/8

[Screenshots attached: Screenshot_9 through Screenshot_15]

ebilcari
Staff

I will try to explain some aspects of FNAC behavior based on the configuration you've shared:

  • Reset Forced Default - When a host is not seen as connected on the port for more than 60 seconds, the VLAN on the port is changed to Default (116)
  • The VLAN that is sent via RADIUS is considered a dynamic VLAN, so no changes are made in the switch CLI (vlan access 1) or to the value shown in the 'Current VLAN' column
  • If a host is not found in the switch MAC table when L2 polling is performed, then the host details are removed and the port status is changed to 'Not Connected'

I believe the root cause may be related to the third condition. Please check the behavior of both the switch and the end host, particularly if the host enters a sleep mode, which could lead the switch to remove its MAC address from the MAC table.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
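To make the three behaviours above concrete, here is a small added model (example code, not FortiNAC or Aruba code) that parses the AOS-CX MAC-table row format pasted in this thread and applies the three rules across successive L2 polls. The MAC address and the `l2_poll`/`PortState` names are constructed for the example; the 60-second threshold and VLAN 116 are the values from the thread.

```python
# Added example (not FortiNAC or Aruba code): a small model of the three FNAC
# behaviours the reply lists, run against a constructed AOS-CX MAC table row.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RESET_FORCED_DEFAULT_SECS = 60   # rule 1: host unseen for more than 60 s
DEFAULT_VLAN = 116               # the switch's default VLAN from the thread

# AOS-CX row layout as pasted in the thread: MAC  VLAN  TYPE  PORT
MAC_ROW = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)\s+(\S+)\s+(\S+)$", re.I)

# Constructed sample; the thread masks the real MAC as 08:a1:89:xx:xx:xx
SAMPLE_MAC_TABLE = """
08:a1:89:aa:bb:cc      111      port-access-security      1/1/8
"""

def parse_mac_table(text: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """Group MAC-table rows by port: {port: [(mac, vlan, learn_type), ...]}."""
    table: Dict[str, List[Tuple[str, int, str]]] = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line.strip())
        if m:
            mac, vlan, kind, port = m.groups()
            table.setdefault(port, []).append((mac.lower(), int(vlan), kind))
    return table

@dataclass
class PortState:
    cli_vlan: int                       # 'vlan access N' in the running config
    current_vlan: Optional[int] = None  # FNAC 'Current VLAN' column (CLI value)
    hosts: List[str] = field(default_factory=list)
    status: str = "Not Connected"
    unseen_secs: int = 0

def l2_poll(state: PortState, port: str, table: Dict, elapsed_secs: int) -> PortState:
    """One L2 poll: rule 3 (absent host removed), rule 2 (RADIUS VLAN never
    rewrites the CLI VLAN), rule 1 (revert to default after 60 s unseen)."""
    entries = table.get(port, [])
    if entries:
        state.hosts = [mac for mac, _, _ in entries]
        state.status, state.unseen_secs = "Connected", 0
        state.current_vlan = state.cli_vlan   # dynamic VLAN 111 is not reflected here
    else:
        state.hosts, state.status = [], "Not Connected"
        state.unseen_secs += elapsed_secs
        if state.unseen_secs > RESET_FORCED_DEFAULT_SECS:
            state.cli_vlan = state.current_vlan = DEFAULT_VLAN
    return state
```

Feeding real `show mac-address-table` output captured at each poll interval into `parse_mac_table` lets you see whether the host's entry actually disappears between polls, which is what rule 3 keys on.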
barisben
New Contributor II

This host is always on and it's still in the MAC table, but it shows as I mentioned. This is the entry from the MAC table:


08:a1:89:xx:xx:xx 111 port-access-security 1/1/8
