Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rcpdkc
Contributor II

Created on ‎01-24-2024 10:26 AM

Fortinac Quarantine Vlan Join Domain

I have 2 vlans named Nac vlan and quarantine vlan.
The nac vlan is defined in Fortinac ethernet2. dhcp relay to the nac vlan is available in my quarantine vlan. the two vlans communicate with each other and with the active directory. However, I have a problem like this. a device that has just joined the network joins the quarantine vlan. although the quarantine vlan has communication with the active directory, I cannot get the device to the domain. when I enter the ip address of the active directory as dns to the device in quarantine, I can get the device to the domain. why could this problem be? or is there a place where I can enter dns under the quarantine vlan?

Labels:
613
0 Kudos
2 Solutions
ebilcari
Staff
Staff
In response to AEK

Created on ‎01-25-2024 12:20 AM

You can also refer to this articles on how to add or troubleshoot allowed domains in FNAC.

Remember also that domain PCs will also need some DNS records type SRV like "_ldap._tcp.eb.eu." or "_kerberos._udp.eb.eu.".  Adding the base domain in FNAC should allow to resolve any other subdomains.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

569
nemge
Staff
Staff

Created on ‎01-25-2024 08:42 AM

System / Settings / Control / Allowed Domains
-this is the list of addresses that the NAC will respond with the true IP.
Anything not on this list resolves to the NAC so portal can be presented.

View solution in original post

547
8 REPLIES 8
AEK
SuperUser
SuperUser

Created on ‎01-24-2024 10:59 AM

If I understand the problem and if I'm not wrong, your new client host in quarantine is trying to join the domain using FQDN. However in quarantine the FQDN is translated by FNAC's DNS as the IP address of the FNAC's isolation interface.

One way to fix this is to exempt domains from FNAC's DNS translation. You can do this under "Allowed Domains" section, somewhere in "System Settings".

AEK
AEK
599
ebilcari
Staff
Staff
In response to AEK

Created on ‎01-25-2024 12:20 AM

You can also refer to this articles on how to add or troubleshoot allowed domains in FNAC.

Remember also that domain PCs will also need some DNS records type SRV like "_ldap._tcp.eb.eu." or "_kerberos._udp.eb.eu.".  Adding the base domain in FNAC should allow to resolve any other subdomains.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
570
rcpdkc
Contributor II
In response to ebilcari

Created on ‎02-22-2024 01:08 PM

When the user logs in on the Windows login screen, the kerberos query goes to the 2nd connection ip address in the network instead of going to my name ip address. Although it is attached to the allowed domains .

348
0 Kudos
AEK
SuperUser
SuperUser
In response to rcpdkc

Created on ‎02-22-2024 01:39 PM

If you mean you enable wifi and wire network on your client at the same time know that with FNAC it is recommended to avoid doing this.

When enable wifi disconnect your wire, and vice versa.

AEK
AEK
342
0 Kudos
nemge
Staff
Staff

Created on ‎01-25-2024 08:42 AM

System / Settings / Control / Allowed Domains
-this is the list of addresses that the NAC will respond with the true IP.
Anything not on this list resolves to the NAC so portal can be presented.

548
rcpdkc
Contributor II

Created on ‎01-29-2024 06:37 AM

my problem is solved, thank you

511
0 Kudos
Micsgate
New Contributor

Created on ‎02-13-2024 07:13 AM Edited on ‎02-19-2024 07:22 AM

I've set up two VLANs named NAC VLAN and quarantine VLAN, with DHCP relay from the quarantine VLAN to the NAC VLAN. While both VLANs can communicate with each other and with the Active Directory, devices newly joining the network end up in the quarantine VLAN. Strangely, despite the quarantine VLAN having communication with the Active Directory, these devices cannot successfully join the domain unless I manually enter the Active Directory's IP address as the DNS server on the device.

412
0 Kudos
ebilcari
Staff
Staff
In response to Micsgate

Created on ‎02-14-2024 02:14 AM

You have to add the AD/DC domain in allowed domains in FNAC. In this way the isolated hosts will be able to resolve the names of the DCs.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
396
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.