Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rcpdkc
Contributor II

Fortinac-F DNS problem

I have a problem with Fortinac. Quarantine vlan defined in fortinac interface
Fortinac port 2 ip address
10.10.24.100

Quarantine vlan
10.10.22.10-10.10.22-250

I turned on vlan quarantine in Fortigate firewall
Gateway
10.10.22.1
DHCP relay 10.10.24.100
When I do this, a user who enters the quarantine vlan gets ip without any problem.
But my main problem is this
I have a domain and users log in with LDAP. However, in the quarantine vlan, the user cannot log in. It gives a domain error. If I manually enter the domain in the DNS section in the network settings, it gets better. But I cannot add DNS because DHCP distributes nac.
How can I solve this?

1 Solution
AEK
SuperUser
SuperUser

You can fix this by adding domain controller FQDN as an allowed domain inFNAC.

Navigate to System > Settings > Allowed Domains, then add the FQDN.

Once done, when a client in isolation tries resolve FQDN's IP then FNAC provides the actual DC IP instead of 2nd FNAC's IP.

AEK

View solution in original post

AEK
3 REPLIES 3
rcpdkc
Contributor II

Normally it should send the kerberos request to the domain, but fortinac sends it to 10.10.24.100 on port 2.

AEK
SuperUser
SuperUser

You can fix this by adding domain controller FQDN as an allowed domain inFNAC.

Navigate to System > Settings > Allowed Domains, then add the FQDN.

Once done, when a client in isolation tries resolve FQDN's IP then FNAC provides the actual DC IP instead of 2nd FNAC's IP.

AEK
AEK
ebilcari
Staff
Staff

You can use this articles to troubleshoot this more in depth and share your findings here:
Technical Tip: Troubleshooting domain resolution in the captive portal
Technical Note: Verify IP resolution of a domain when in isolation

Make also sure that the primary DNS of FNAC or the "Production DNS IP" in allowed domain is pointing to the private DNS, usually the DC itself.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors