BKP09
New Contributor III

FortiNAC - RADIUS AUTH for VLAN assignment issue

Hello Community,
Please for your support.
Just a brief explanation of the topology and the case at first. We have a NAC VM cluster in which we have enrolled our inventory switches. We want dynamic VLAN assignment for the users, based on the Role attribute that each user has (attribute 60 = VLAN 60). Switches have the respective AAA config and I can see on the NAC that the RADIUS accept is sent when the user is connected to the port. Users have the supplicant configuration for the RADIUS authentication as well. The thing is that when the user connects on the switch, NAC does not assign any VLAN dynamically as it should and it marks the port as down (not connected) on the NAC GUI, even though on the switch side the port is still up and working on the VLAN that it was on. Normal policies work as they should (for instance VLAN assignment on Cisco IP phones).

Below some screenshots that may help (attached: image_2025-07-09_165744010.png, image_2025-07-09_170245645.png, image_2025-07-09_170407957.png, image_2025-07-09_170450297.png).

 
The above case is when we try to connect only one device per port. When we have an IP phone along with the laptop, the port becomes error disabled and nothing works as well. Below the switch logs for this case (attached: image_2025-07-09_171126936.png).

Any ideas will be highly appreciated. 
Some tests a couple of weeks ago with the exact same laptop worked fine but now this is the case.
thanks in advance.

 

BR, BKP
1 Solution
ebilcari

If authentication on the port is successful, the switch should be able to learn the MAC addresses of the connected hosts, allowing FNAC to poll this information successfully. Please check the switch MAC address table to verify that the hosts MAC addresses are present.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.


5 REPLIES
ebilcari
Staff

What are the results when the same host connects directly to the switch port, without being daisy chained through an IP phone? What is the host's status, and how is it initially registered in FNAC?

Additionally, verify the switch configuration to ensure that multiple hosts are allowed to authenticate on a single port.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
BKP09
New Contributor III

Hello and sorry for the late response. Issue partially resolved by changing the "aaa server radius dynamic-author port" to the default one. Regarding the view issue, I did not find any solution yet. Even though the authentication is completed successfully, the view from FortiNAC is still "blind". When we enforce a port, everything appears to be functioning correctly with Dot1X (connectivity is fine) and the switch view shows no problems. However, in the FNAC interface, the port appears as not connected.

BR, BKP
ebilcari

Can FNAC access the switch via SNMP and CLI? Do the hosts appear on port after a manual L2 poll of the switch?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
BKP09
New Contributor III

I confirm SNMP and CLI connectivity. Also nothing changes after a manual L2 Polling. 

BR, BKP
ebilcari

If authentication on the port is successful, the switch should be able to learn the MAC addresses of the connected hosts, allowing FNAC to poll this information successfully. Please check the switch MAC address table to verify that the hosts MAC addresses are present.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
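To follow the MAC-table check suggested above when more than one device hangs off a port, a small checker for the switch output is handy. The script below is an added example, not FortiNAC's or Fortinet's code and not posted in this thread. It parses a constructed dump modelled on the layout of Cisco IOS `show mac address-table` (the MACs, VLANs and the port name Gi1/0/5 are made up for the example), and for each host expected on a port reports whether the switch learned it in the VLAN the RADIUS reply should have assigned (VLAN 60 for role attribute 60 in the setup described above), learned it in another VLAN, or never learned it at all. The last case is the one in which an L2 poll from FNAC has nothing to place on the port.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the layout of Cisco IOS "show mac address-table"
# output. It is not captured from the poster's switch: the MACs, VLANs and the
# port names are made-up values for this example.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  60    aaaa.bbbb.0001    DYNAMIC     Gi1/0/5
 100    aaaa.bbbb.0002    DYNAMIC     Gi1/0/5
  10    aaaa.bbbb.0003    DYNAMIC     Gi1/0/7
Total Mac Addresses for this criterion: 3
"""


@dataclass(frozen=True)
class MacEntry:
    vlan: int
    mac: str        # canonical dotted form, e.g. aaaa.bbbb.0001
    entry_type: str
    port: str


# One table row: VLAN, dotted MAC, type, port. Header, separator and summary
# lines do not match the pattern and are skipped.
_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and
    return the lowercase dotted form used in the switch table."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_mac_table(text: str) -> List[MacEntry]:
    """Parse the rows of a MAC address table dump into MacEntry records."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            vlan, mac, entry_type, port = m.groups()
            entries.append(MacEntry(int(vlan), normalize_mac(mac), entry_type.upper(), port))
    return entries


def check_port(entries: List[MacEntry], port: str, expected: Dict[str, int]) -> Dict[str, str]:
    """Compare the hosts expected on a port against what the switch learned.

    expected maps a host MAC (any common format) to the VLAN the RADIUS reply
    should have placed it in. Result per canonical MAC:
      "ok"              learned on the port in the expected VLAN
      "wrong-vlan:<n>"  learned on the port but in VLAN n, i.e. the RADIUS
                        VLAN was not applied to that host
      "missing"         not in the table for that port at all, so an L2 poll
                        cannot place the host on the port
    """
    on_port = {e.mac: e for e in entries if e.port.lower() == port.lower()}
    result = {}
    for mac, vlan in expected.items():
        canon = normalize_mac(mac)
        entry = on_port.get(canon)
        if entry is None:
            result[canon] = "missing"
        elif entry.vlan != vlan:
            result[canon] = f"wrong-vlan:{entry.vlan}"
        else:
            result[canon] = "ok"
    return result


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    # Two hosts expected in the role VLAN 60 on Gi1/0/5, plus one MAC that never
    # showed up in the table.
    report = check_port(table, "Gi1/0/5", {
        "AA:AA:BB:BB:00:01": 60,
        "aa-aa-bb-bb-00-02": 60,
        "aaaa.bbbb.0099": 60,
    })
    for mac, status in report.items():
        print(f"{mac}: {status}")
```

Paste the real `show mac address-table interface <port>` output in place of the constructed sample and list the MACs of the laptop and phone with the VLAN each should land in. A "missing" result for a host that is authenticated points at the switch side (the MAC was never learned on that port), while "wrong-vlan" points at the RADIUS attributes or the switch's handling of them rather than at the FNAC poll.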