Users are connecting to the corporate network with their LDAP credentials and I have configured their roles accordingly. However, for some reason, about 1-2 out of every 10 users end up coming to FortiNAC-F with the NAC-Default role, even though they are in the correct LDAP group on AD. The correct behavior, and what usually happens, is that when a user connects for the first time, if they are a member of group X, they are assigned to the X role. The issue resolves by deleting the host registration from the NAC; when the user disconnects and reconnects to the network they get the correct role. What could be the reason?
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello @barisben ,
When assigning user roles, it is recommended to base the assignment on the user’s Directory attributes in LDAP rather than on Directory group membership.
This is because FortiNAC checks directory attribute data during the user registration process. Group membership, however, may not always be up to date, since the latest Directory synchronization might not have run yet to refresh the FortiNAC cache with the updated group information.
- Have you checked that the "ldap bind" user has sufficient permissions on that specific OU where the user resides?
- Are there any changes in AD for users (e.g., moving from one OU to another OU)?
- Moreover, are the DCs and FortiNAC in the same location? If not, how is the network latency?
regards,
Sheikh
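The reply above recommends keying role assignment on a directory attribute rather than on group membership. Before switching an existing policy, it is worth checking where the two would disagree, since any user whose attribute does not line up with their group membership would change role after the switch. The script below is an added example, not code from the thread or from Fortinet: it parses an LDIF export of the user OU (for instance the output of `ldapsearch -LLL ... sAMAccountName memberOf department`) and lists users for whom the group-derived role and the attribute-derived role differ. The group names, the `department` attribute, the role names and the LDIF sample are all constructed for the example. If the export is produced with the same bind credentials FortiNAC uses, entries that come back without `memberOf` or without the attribute are also a hint toward the OU permission question raised above, because LDAP only returns attributes the bind account is allowed to read.

```python
"""Audit an LDIF export before moving a NAC role policy from AD group
membership to a directory attribute.  Example code; all names below are
assumptions, not FortiNAC configuration."""

# Hypothetical mapping of AD groups to roles (assumption for the example).
GROUP_TO_ROLE = {
    "CN=NAC-Engineering,OU=Groups,DC=example,DC=com": "Engineering",
    "CN=NAC-Finance,OU=Groups,DC=example,DC=com": "Finance",
}
# Hypothetical attribute the new policy would key on, and its value -> role map.
ROLE_ATTRIBUTE = "department"
ATTR_TO_ROLE = {"Engineering": "Engineering", "Finance": "Finance"}
DEFAULT_ROLE = "NAC-Default"

# Constructed LDIF sample standing in for `ldapsearch -LLL` output.
SAMPLE_LDIF = """\
dn: CN=alice,OU=Staff,DC=example,DC=com
sAMAccountName: alice
department: Engineering
memberOf: CN=NAC-Engineering,OU=Groups,DC=example,DC=com

dn: CN=bob,OU=Staff,DC=example,DC=com
sAMAccountName: bob
department: Finance
memberOf: CN=NAC-Engineering,OU=Groups,DC=example,DC=com

dn: CN=carol,OU=Contractors,DC=example,DC=com
sAMAccountName: carol
memberOf: CN=NAC-Finance,OU=Groups,DC=example,DC=com

dn: CN=dave,OU=Staff,DC=example,DC=com
sAMAccountName: dave
department: Engineering
"""


def parse_ldif(text):
    """Minimal LDIF parser: entries are separated by blank lines, each line is
    'attr: value', and a line starting with a space continues the previous
    value.  Base64 ('attr:: ...') values are not decoded; plain text only."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def role_from_groups(entry):
    """Role the group-based policy would assign (membership must be present
    in the export; a user in several mapped groups takes the first by name,
    a simplification for the example)."""
    roles = {GROUP_TO_ROLE[g] for g in entry.get("memberOf", []) if g in GROUP_TO_ROLE}
    return sorted(roles)[0] if roles else DEFAULT_ROLE


def role_from_attribute(entry):
    """Role the attribute-based policy would assign from ROLE_ATTRIBUTE."""
    values = entry.get(ROLE_ATTRIBUTE, [])
    return ATTR_TO_ROLE.get(values[0], DEFAULT_ROLE) if values else DEFAULT_ROLE


def audit_ldif(text):
    """Return {sAMAccountName: (group_role, attribute_role)} for every user
    whose role would change if the policy basis were switched."""
    findings = {}
    for entry in parse_ldif(text):
        name = entry["sAMAccountName"][0]
        by_group, by_attr = role_from_groups(entry), role_from_attribute(entry)
        if by_group != by_attr:
            findings[name] = (by_group, by_attr)
    return findings


if __name__ == "__main__":
    for user, (by_group, by_attr) in sorted(audit_ldif(SAMPLE_LDIF).items()):
        print(f"{user}: group policy -> {by_group}, attribute policy -> {by_attr}")
```

In the constructed sample, `alice` is consistent and is not reported; `bob` has a department that contradicts his group, `carol` has no department at all, and `dave` is in no mapped group. The last two are the cases to resolve in AD (or to investigate as a bind-account read-permission problem) before changing the policy, otherwise they would land on NAC-Default or on an unexpected role after the switch.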
Copyright 2025 Fortinet, Inc. All Rights Reserved.