We have FortiNAC 9.4.3. All corp hosts have PA agent. We enabled PA optimization on all access switches.
Without an IP phone everything works fine. However, when we connect a host with the PA agent behind an IP phone, the PA seems not to initiate a DHCP request when the VLAN is changed, so the host's IP remains unchanged until we run ipconfig /renew; then the IP is renewed correctly and all works fine.
This issue happens every time the VLAN is switched by FortiNAC, e.g. from isol to prod, from prod to isol, from prod1 to prod2, etc.
It should work as expected as far as the required ports for PA are open on your firewall (TCP 4568).
However, there are some constraints when you have PA behind an IP phone. The first time the client connects behind the IP phone you may need to run a DHCP renew, or just unplug and plug the cable back in. This is because FNAC switches the VLAN after your client has issued the first DHCP request.
I hope Fortinet will fix this particular issue in future release.