I have 2 VLANs named NAC VLAN and quarantine VLAN.
The NAC VLAN is defined on FortiNAC ethernet2. DHCP relay to the NAC VLAN is available in my quarantine VLAN. The two VLANs communicate with each other and with the Active Directory. However, I have a problem like this: a device that has just joined the network joins the quarantine VLAN. Although the quarantine VLAN has communication with the Active Directory, I cannot get the device onto the domain. When I enter the IP address of the Active Directory as DNS on the device in quarantine, I can get the device onto the domain. Why could this problem be happening? Or is there a place where I can enter DNS under the quarantine VLAN?
If I understand the problem, and if I'm not wrong, your new client host in quarantine is trying to join the domain using the FQDN. However, in quarantine the FQDN is translated by FNAC's DNS to the IP address of FNAC's isolation interface.
One way to fix this is to exempt domains from FNAC's DNS translation. You can do this under the "Allowed Domains" section, somewhere in "System Settings".
You can also refer to these articles on how to add or troubleshoot allowed domains in FNAC.
Remember also that domain PCs will also need DNS records of type SRV like "_ldap._tcp.eb.eu." or "_kerberos._udp.eb.eu.". Adding the base domain in FNAC should allow resolving any other subdomains.
When the user logs in on the Windows login screen, the Kerberos query goes to the IP address of the 2nd connection in the network instead of going to my name IP address, although it is added to the allowed domains.
If you mean that you enable Wi-Fi and the wired network on your client at the same time, know that with FNAC it is recommended to avoid doing this.
When you enable Wi-Fi, disconnect your wire, and vice versa.
System / Settings / Control / Allowed Domains
- This is the list of addresses for which the NAC will respond with the true IP.
- Anything not on this list resolves to the NAC so the portal can be presented.
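A quick way to see the behaviour described in the replies above from the client side, as an added example that is not part of the thread and not Fortinet's own code: run it on a Windows host sitting in the quarantine VLAN. It resolves the records a domain join and logon need (the base domain A record and the `_ldap`/`_kerberos` SRV records) and flags any answer that points at the FortiNAC isolation interface instead of a domain controller. `Test-DomainJoinDns`, the domain `corp.example` and the isolation address `192.0.2.10` are assumptions for illustration; substitute your AD DNS name and the IP of the FNAC interface that serves the quarantine VLAN.

```powershell
# Added example, not code from the thread or from Fortinet. Run on a Windows
# client in the quarantine VLAN. Domain and isolation IP below are assumptions.
function Test-DomainJoinDns {
    param(
        [Parameter(Mandatory)] [string]$Domain,       # AD DNS domain, e.g. corp.example
        [Parameter(Mandatory)] [string]$IsolationIp   # IP of the FNAC isolation interface
    )

    # Names a Windows client queries while locating a DC, joining and logging on.
    # The first entry is the "base domain" the replies say must be in Allowed Domains.
    $names = @(
        @{ Name = $Domain;                        Type = 'A'   },
        @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Type = 'SRV' },
        @{ Name = "_ldap._tcp.$Domain";           Type = 'SRV' },
        @{ Name = "_kerberos._tcp.$Domain";       Type = 'SRV' },
        @{ Name = "_kerberos._udp.$Domain";       Type = 'SRV' }
    )

    foreach ($n in $names) {
        try {
            $rr = Resolve-DnsName -Name $n.Name -Type $n.Type -DnsOnly -ErrorAction Stop
        } catch {
            # No answer at all (e.g. NXDOMAIN): the join will fail for this name too.
            [pscustomobject]@{ Name = $n.Name; Type = $n.Type; Target = $null
                               IPAddress = $null; CapturedByNac = $null
                               Note = $_.Exception.Message }
            continue
        }

        $srv = @($rr | Where-Object Type -eq 'SRV')
        if ($n.Type -eq 'SRV' -and $srv.Count -gt 0) {
            # An SRV answer names a host; that host must itself resolve to the DC,
            # not to the isolation interface, for Kerberos/LDAP to reach the DC.
            foreach ($s in $srv) {
                $ips = @(Resolve-DnsName -Name $s.NameTarget -Type A -DnsOnly -ErrorAction SilentlyContinue |
                         Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)
                if ($ips.Count -eq 0) { $ips = @($null) }
                foreach ($ip in $ips) {
                    [pscustomobject]@{ Name = $n.Name; Type = 'SRV'; Target = $s.NameTarget
                                       IPAddress = $ip; CapturedByNac = ($ip -eq $IsolationIp)
                                       Note = "port $($s.Port)" }
                }
            }
        } else {
            # Either an A query, or a captive resolver that answered the SRV query
            # with an address record instead of an SRV record.
            foreach ($a in ($rr | Where-Object Type -eq 'A')) {
                [pscustomobject]@{ Name = $n.Name; Type = $n.Type; Target = $a.Name
                                   IPAddress = $a.IPAddress
                                   CapturedByNac = ($a.IPAddress -eq $IsolationIp)
                                   Note = if ($n.Type -eq 'SRV') { 'A record returned for SRV query' } else { '' } }
            }
        }
    }
}

# Usage (values are placeholders): every row with CapturedByNac = True is a name
# that is not covered by System / Settings / Control / Allowed Domains.
Test-DomainJoinDns -Domain 'corp.example' -IsolationIp '192.0.2.10' | Format-Table -AutoSize

# Control check: a name that is deliberately NOT allowed should come back as the
# isolation interface, which confirms the captive DNS is the thing in the path.
Resolve-DnsName -Name 'fnac-capture-check.invalid' -Type A -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'A' | Select-Object Name, IPAddress
```

If the base domain rows resolve correctly but the SRV targets (the DC host names) are still captured, the DC host names live under a zone that is not covered by the allowed entry; add that zone as well. Once every row shows `CapturedByNac = False`, the manual workaround from the question (pointing the client's DNS at the DC) is no longer needed.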
My problem is solved, thank you.
I've set up two VLANs named NAC VLAN and quarantine VLAN, with DHCP relay from the quarantine VLAN to the NAC VLAN. While both VLANs can communicate with each other and with the Active Directory, devices newly joining the network end up in the quarantine VLAN. Strangely, despite the quarantine VLAN having communication with the Active Directory, these devices cannot successfully join the domain unless I manually enter the Active Directory's IP address as the DNS server on the device.
You have to add the AD/DC domain to Allowed Domains in FNAC. This way the isolated hosts will be able to resolve the names of the DCs.
Copyright 2024 Fortinet, Inc. All Rights Reserved.