Fortinac Quarantine Vlan Join Domain

rcpdkc · ‎01-24-2024

I have 2 vlans named Nac vlan and quarantine vlan.
The nac vlan is defined in Fortinac ethernet2. dhcp relay to the nac vlan is available in my quarantine vlan. the two vlans communicate with each other and with the active directory. However, I have a problem like this. a device that has just joined the network joins the quarantine vlan. although the quarantine vlan has communication with the active directory, I cannot get the device to the domain. when I enter the ip address of the active directory as dns to the device in quarantine, I can get the device to the domain. why could this problem be? or is there a place where I can enter dns under the quarantine vlan?

ebilcari · ‎01-25-2024

You can also refer to this articles on how to add or troubleshoot allowed domains in FNAC.

Remember also that domain PCs will also need some DNS records type SRV like "_ldap._tcp.eb.eu." or "_kerberos._udp.eb.eu.". Adding the base domain in FNAC should allow to resolve any other subdomains.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

nemge · ‎01-25-2024

System / Settings / Control / Allowed Domains
-this is the list of addresses that the NAC will respond with the true IP.
Anything not on this list resolves to the NAC so portal can be presented.

View solution in original post

AEK · ‎01-24-2024

If I understand the problem and if I'm not wrong, your new client host in quarantine is trying to join the domain using FQDN. However in quarantine the FQDN is translated by FNAC's DNS as the IP address of the FNAC's isolation interface.

One way to fix this is to exempt domains from FNAC's DNS translation. You can do this under "Allowed Domains" section, somewhere in "System Settings".

AEK

ebilcari · ‎01-25-2024

You can also refer to this articles on how to add or troubleshoot allowed domains in FNAC.

Remember also that domain PCs will also need some DNS records type SRV like "_ldap._tcp.eb.eu." or "_kerberos._udp.eb.eu.". Adding the base domain in FNAC should allow to resolve any other subdomains.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

rcpdkc · ‎02-22-2024

When the user logs in on the Windows login screen, the kerberos query goes to the 2nd connection ip address in the network instead of going to my name ip address. Although it is attached to the allowed domains .

AEK · ‎02-22-2024

If you mean you enable wifi and wire network on your client at the same time know that with FNAC it is recommended to avoid doing this.

When enable wifi disconnect your wire, and vice versa.

AEK

nemge · ‎01-25-2024

System / Settings / Control / Allowed Domains
-this is the list of addresses that the NAC will respond with the true IP.
Anything not on this list resolves to the NAC so portal can be presented.

rcpdkc · ‎01-29-2024

my problem is solved, thank you

Micsgate · ‎02-13-2024

I've set up two VLANs named NAC VLAN and quarantine VLAN, with DHCP relay from the quarantine VLAN to the NAC VLAN. While both VLANs can communicate with each other and with the Active Directory, devices newly joining the network end up in the quarantine VLAN. Strangely, despite the quarantine VLAN having communication with the Active Directory, these devices cannot successfully join the domain unless I manually enter the Active Directory's IP address as the DNS server on the device.

ebilcari · ‎02-14-2024

You have to add the AD/DC domain in allowed domains in FNAC. In this way the isolated hosts will be able to resolve the names of the DCs.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

Fortinac Quarantine Vlan Join Domain

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website