rcpdkc
Contributor II

Fortinac Quarantine Vlan Join Domain

I have 2 vlans named Nac vlan and quarantine vlan.
The NAC VLAN is defined on FortiNAC's ethernet2. DHCP relay to the NAC VLAN is configured in my quarantine VLAN. The two VLANs communicate with each other and with Active Directory. However, I have the following problem: a device that has just joined the network is placed in the quarantine VLAN, and although the quarantine VLAN can communicate with Active Directory, I cannot join the device to the domain. When I enter the IP address of the Active Directory server as the DNS server on the quarantined device, I can join it to the domain. What could be causing this problem? Or is there a place where I can enter a DNS server under the quarantine VLAN?

2 Solutions
ebilcari

You can also refer to these articles on how to add or troubleshoot allowed domains in FNAC.

Remember also that domain PCs will also need some SRV-type DNS records such as "_ldap._tcp.eb.eu." or "_kerberos._udp.eb.eu.". Adding the base domain in FNAC should allow any other subdomains to be resolved.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.


nemge
Staff

System / Settings / Control / Allowed Domains
- This is the list of addresses for which the NAC will respond with the true IP.
Anything not on this list resolves to the NAC so that the portal can be presented.
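Added example (not from this thread or from Fortinet): a small standard-library Python tool that shows what the two answers above describe. It queries the SRV records a domain join depends on (the `_ldap._tcp` and `_kerberos._udp` names from Emirjon's post), parses the answer, and reports which SRV targets resolve to the NAC isolation address instead of a real domain controller, which is exactly what happens when the AD domain is missing from Allowed Domains. The domain `eb.eu` is taken from the thread; the host name `dc1`, the addresses `10.0.0.10` and `192.0.2.1`, and the sample response are constructed for the example.

```python
import socket
import struct

SRV, A = 33, 1  # DNS record types


def _encode_name(name):
    """Encode a dotted name as DNS labels, e.g. 'eb.eu' -> b'\\x02eb\\x02eu\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Build a DNS query (recursion desired) for an SRV record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", SRV, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name starting at `off`; return (name, end_offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                 # the record continues after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_srv_answers(msg):
    """Return ([(priority, weight, port, target)], {name: [ipv4, ...]}) from a DNS reply."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    srv, addrs = [], {}
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = _read_name(msg, off + 6)
            srv.append((prio, weight, port, target))
        elif rtype == A and rdlen == 4:       # glue/additional A records for the targets
            addrs.setdefault(name, []).append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return srv, addrs


def targets_resolving_to(srv, addrs, ip):
    """SRV targets whose A record is `ip` (e.g. the NAC isolation interface): these would
    never reach a real DC, so the domain join fails until the domain is allowed."""
    return sorted({t for _, _, _, t in srv if ip in addrs.get(t, [])})


def query_srv(server_ip, name, timeout=3.0):
    """Send the SRV query to `server_ip` over UDP/53 and parse the reply (live use)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_answers(data)


def build_sample_response():
    """Constructed reply: _ldap._tcp.eb.eu SRV -> dc1.eb.eu:389, with a glue A record.
    Names use compression pointers (0xC00C = question name, 0xC017 = 'eb.eu' inside it)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = _encode_name("_ldap._tcp.eb.eu") + struct.pack("!HH", SRV, 1)
    target = b"\x03dc1\xc0\x17"
    rdata = struct.pack("!HHH", 0, 100, 389) + target
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SRV, 1, 600, len(rdata)) + rdata
    glue = target + struct.pack("!HHIH", A, 1, 600, 4) + socket.inet_aton("10.0.0.10")
    return header + question + answer + glue


if __name__ == "__main__":
    srv, addrs = parse_srv_answers(build_sample_response())
    print("SRV:", srv, "A:", addrs)
    # Constructed isolation-interface address; a real check would use the FNAC one.
    print("hijacked targets:", targets_resolving_to(srv, addrs, "10.0.0.10"))
```

From a quarantined client you would call `query_srv("<NAC DNS IP>", "_ldap._tcp.<your domain>")` and `targets_resolving_to(..., "<isolation interface IP>")`; an empty list after adding the domain to Allowed Domains confirms the fix, while a non-empty list shows the captive DNS is still answering for the DC names.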


8 Replies
AEK
Honored Contributor II

If I understand the problem and if I'm not wrong, your new client host in quarantine is trying to join the domain using FQDN. However in quarantine the FQDN is translated by FNAC's DNS as the IP address of the FNAC's isolation interface.

One way to fix this is to exempt domains from FNAC's DNS translation. You can do this under "Allowed Domains" section, somewhere in "System Settings".

AEK
rcpdkc

When the user logs in on the Windows login screen, the Kerberos query goes to the IP address of the second connection on the network instead of going to my name IP address, although it is added to the allowed domains.

AEK
Honored Contributor II

If you mean you enable Wi-Fi and the wired network on your client at the same time, know that with FNAC it is recommended to avoid doing this.

When you enable Wi-Fi, disconnect your wired connection, and vice versa.

AEK
rcpdkc
Contributor II

My problem is solved, thank you.

Micsgate
New Contributor

I've set up two VLANs named NAC VLAN and quarantine VLAN, with DHCP relay from the quarantine VLAN to the NAC VLAN. While both VLANs can communicate with each other and with the Active Directory, devices newly joining the network end up in the quarantine VLAN. Strangely, despite the quarantine VLAN having communication with the Active Directory, these devices cannot successfully join the domain unless I manually enter the Active Directory's IP address as the DNS server on the device.

ebilcari

You have to add the AD/DC domain in allowed domains in FNAC. In this way the isolated hosts will be able to resolve the names of the DCs.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.