Support Forum
Jucker

FortiNAC persistent agent vlan change cli flapping between the change and the undo

Hello,

Hope you are doing well.


I'm trying to change the VLAN from the authentication VLAN, which is the default with ID 150, to VLAN 25 for production access when the scan is successful, without using dot1x on the switch port on a Cisco switch.
So far, only for testing, the Windows 10 operating system passes and the right network access policy is granted, but when it comes to the CLI change it keeps adding VLAN 25 and undoing it back to 150, back and forth.
The port is a member of "Forced Registration", "Reset Forced Registration" and "Role Based Access".


(Screenshot: Fortinac vlan change flapping.JPG)


My Enforcement Access:


(Screenshot: Fortinac Enforcement.JPG)

CLI template:
config t
interface %port%
description Network Security
switchport access vlan %vlan%
do wr
Undo:
config t
interface %port%
description Authentication
switchport access vlan 105
do wr

FortiNAC version 9.2

Cisco Switch 3750 IOS 12.2


Thank you!

Best Regards!

1 Solution
ebilcari
Staff

Firstly, you don't have to use a specific CLI command for a simple VLAN change. By default FNAC will do the changes via CLI just by setting the VLAN under Access Value. CLI commands are usually used to add extra configuration like voice VLAN, ACLs, etc.

To gain more information you can check from "Ports", bottom window "Port Changes"; it will give you a history of the policy evaluations done:

(Screenshot: changes.PNG)

Since you are trying to do registration (register rogue devices), you have to change the Registration to Enforce and the value to 150.
You also need to create a method for host registration. If the host status is stuck as Rogue, no policy will be evaluated. The easiest way can be Device Profiling rules.


- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

2 REPLIES 2
Jucker

Thank you @ebilcari, that was the issue. I did as you told me and things got to work!
