Jamshaid
New Contributor II

FortiNAC not putting user into isolation if no User Profile match? Does it?

Hi Guys.

 

I am wondering: if a host is registered via device profiling but does not match any user policy, then why is it still getting an IP from a VLAN other than isolation?

 

Also, if no NAP is matched, shouldn't FortiNAC put this user into either remediation or isolation?

 

My user still has a production VLAN IP instead of going into isolation on a user profile match failure, or even on any other criteria failure.

 

For example, if a user doesn't have the Persistent Agent, he should not be getting an IP from production.

 

Do my queries sound right, or am I not understanding how the product works in such use cases?

 

@FortiKoala @ebilcari 

ebilcari
Staff

If a registered host does not match a network policy, then it will be put in the default VLAN that is configured on that port. FNAC will not put this host in isolation, since it is considered to be in a normal state.

To block access for these hosts (those not hitting any NAP), you can change the default VLAN to some blackhole VLAN on the switch, or create a Network Access Policy to catch all these hosts and a logical network that moves them to the same blackhole VLAN or to one of the isolation VLANs.

[Attachment: model config.PNG]

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Jamshaid
New Contributor II

So if you want to perform strict NAC, can you set your default VLAN as your isolation VLAN? Is that recommended or good practice?

ebilcari

Yes. Based on my experience, and depending on your environment, you can use one of the following as the default VLAN to spare the initial VLAN change when the host connects to the network for the first time:

- Registration, when you have frequent turnover of new devices presented in the network

- Remediation, when existing hosts change their compliance frequently

- Dead End or a blackhole VLAN, if you want full isolation of the hosts

 

To do this with a single change at the device level, follow the steps shown below:

[Attachment: 2023-11-01 14_17_12-Window.png]

 

Also enable "Reset Forced Default" on group membership for all the ports.

- Emirjon