bootaan26
New Contributor III

Fortinac hosts (Laptop) switching external adapter

Hi guys,

We are using FortiNAC as our NAC, and we mostly use laptops with an external network adapter. The issue is that if the laptop is registered and someone takes the external adapter and plugs it into his/her laptop, it does not isolate the new host (laptop); it gives full network access. And when we check the port, it shows us the new host registered with the existing user (the previously registered laptop).

Any solution in this situation?
AEK
SuperUser

Hi Bootaan

This is because you are registering/identifying the laptop based only on the adapter MAC address.

One solution is to use the persistent agent.

AEK
bootaan26
New Contributor III

Hi AEK,

Every host has the persistent agent installed, and we register hosts through the captive portal.

So, my question is how we can prevent users from swapping external network adapters.

Could you please elaborate more on the solution you suggested?

Thanks.

AEK

Hi Bootaan

So I guess your main issue is that when a laptop without a PA uses the external adapter, it is considered to be the registered one, right?

Since all corp laptops have the PA, you can do many controls via the UHP.

For example, you can edit the host properties (in the HPU) to force the check of PA communication. So in case the PA is not communicating, the host is excluded from the profile and falls under another profile that the policy will put in isolation.

You can also control user groups in the HPU. The PA will tell FNAC which user is connected, and the policy will put it in the right VLAN accordingly.

That is one possible solution I have in mind.

AEK
bootaan26
New Contributor III

Hi AEK,

I am using version 7.4.0, and I don't see any option for UHP or HPU when I edit the host properties.

@ebilcari This is just a guideline and does not give a sample configuration, and when I try to access KB 193199, I get an Access Denied error.
bootaan26
New Contributor III

Hi AEK,

Could you post a sample UHP profile for the PA?

These are some of the UHPs we have.

Thanks.

ebilcari
Staff

This behavior is explained in detail in this section of the Administration Guide or in this dedicated guide: Tracking Moving Dongles.

- Emirjon
AEK
SuperUser

Hi Bootaan

Emirjon shared a good example here:

https://docs.fortinet.com/document/fortinac-f/7.2.0/tracking-moving-dongles/40885/example-use-case

As you can see in the network access policy, the clients with "non-communicating agents" are put in the Dead End network.

AEK
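The two points made in this thread (a registration keyed only on the adapter MAC travels with the dongle; requiring a communicating persistent agent, and checking that the agent belongs to the host the record was created for, closes the gap) can be seen side by side in a small constructed simulation. This is an added example and not FortiNAC code or its API: the host table, the VLAN names (Registration, Corp, DeadEnd), the 300-second agent timeout, and the assumption that the agent heartbeat carries a stable host identifier are all assumptions made here for illustration.

```python
"""Constructed simulation of the moving-dongle problem (added example, not
FortiNAC code). Hosts are keyed by adapter MAC, as with captive-portal
registration. A persistent-agent (PA) heartbeat is assumed to carry a stable
host identifier. Two policy evaluators are compared: MAC-only, and one that
requires a live PA whose identity matches the registered host."""
from dataclasses import dataclass
from typing import Dict, Optional

REGISTRATION = "Registration"   # unknown MAC: send to registration / portal VLAN
CORP = "Corp"                   # registered and trusted
DEAD_END = "DeadEnd"            # registered MAC, but PA down or bound to another host

AGENT_TIMEOUT = 300             # seconds without a heartbeat before the PA counts as down (assumed)


@dataclass
class HostRecord:
    mac: str
    user: str
    host_id: Optional[str] = None           # host identity learned from the PA on first contact
    last_agent_seen: Optional[int] = None   # epoch seconds of the last heartbeat
    last_agent_host_id: Optional[str] = None


class Nac:
    def __init__(self) -> None:
        self.hosts: Dict[str, HostRecord] = {}

    def portal_register(self, mac: str, user: str) -> None:
        """Captive-portal registration: the record is keyed on the adapter MAC only."""
        mac = mac.lower()
        self.hosts[mac] = HostRecord(mac=mac, user=user)

    def agent_heartbeat(self, mac: str, host_id: str, now: int) -> None:
        """PA check-in. The first host identity seen is bound to the record."""
        rec = self.hosts.get(mac.lower())
        if rec is None:
            return                      # unregistered MAC: a PA cannot claim a record
        if rec.host_id is None:
            rec.host_id = host_id
        rec.last_agent_seen = now
        rec.last_agent_host_id = host_id

    def vlan_mac_only(self, mac: str) -> str:
        """Policy that trusts the MAC alone: whoever holds the dongle is 'registered'."""
        return CORP if mac.lower() in self.hosts else REGISTRATION

    def vlan_agent_required(self, mac: str, now: int) -> str:
        """Policy that requires a communicating PA reporting the bound host identity."""
        rec = self.hosts.get(mac.lower())
        if rec is None:
            return REGISTRATION
        agent_up = rec.last_agent_seen is not None and now - rec.last_agent_seen <= AGENT_TIMEOUT
        if not agent_up:
            return DEAD_END             # "non-communicating agent" branch
        if rec.host_id != rec.last_agent_host_id:
            return DEAD_END             # dongle now on a different PA-equipped host
        return CORP


def moving_dongle_scenario():
    """Constructed timeline: register on laptop A, then move the dongle to laptop B."""
    nac = Nac()
    dongle = "00:11:22:33:44:55"        # constructed sample MAC
    nac.portal_register(dongle, "alice")
    nac.agent_heartbeat(dongle, host_id="LAPTOP-A", now=1000)
    while_on_a = (nac.vlan_mac_only(dongle), nac.vlan_agent_required(dongle, now=1060))
    # Dongle moved to laptop B, which has no PA: heartbeats stop.
    after_move_no_pa = (nac.vlan_mac_only(dongle), nac.vlan_agent_required(dongle, now=2000))
    # Laptop B does run a PA, but it reports a different host identity.
    nac.agent_heartbeat(dongle, host_id="LAPTOP-B", now=2100)
    after_move_with_pa = (nac.vlan_mac_only(dongle), nac.vlan_agent_required(dongle, now=2130))
    return while_on_a, after_move_no_pa, after_move_with_pa


if __name__ == "__main__":
    for label, result in zip(("on laptop A", "moved, no PA", "moved, other PA"), moving_dongle_scenario()):
        print(f"{label:16s} MAC-only={result[0]:12s} agent-required={result[1]}")
```

The MAC-only evaluator returns Corp in all three states, which is the behaviour described in the opening post. The agent-required evaluator returns Corp only while the bound agent is alive, and DeadEnd both when the agent goes silent and when a different agent starts reporting on the same MAC; the second check matters because a corporate laptop with its own PA would otherwise pass the "agent communicating" condition alone.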