Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
williasthomas192004
New Contributor III

Created on ‎05-27-2025 10:03 PM

NAC

FortiNAC self-registration Guest Management with wireless dynamic Vlan management .

During the registration process without doing nothing . I got a native vlan ip.

In NAC's Network>Inventory>Device>Virtualized Devices>root I haven't add native Vlan id .

 

What is the fault ?

 

Screenshot 2025-05-28 113030.pngScreenshot 2025-05-28 113116.pngScreenshot 2025-05-28 113206.png

Labels:
811
0 Kudos
1 Solution
ebilcari
Staff
Staff
In response to williasthomas192004

Created on ‎05-29-2025 01:49 AM

Using a bridged SSID will be similar as long as the VLAN is allowed in the switchport where the AP is connected. The IP configurations shown in the example for the VLANs under the SSID, need to be configured in a similar way to normal VLANs in the FSW.

 

There is no need to create policies for isolation, based on the host state FNAC will push the configured VLANs as long as the Enforcement is enabled in the SSID.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

726
3 REPLIES 3
ebilcari
Staff
Staff

Created on ‎05-28-2025 04:25 AM

When an unregistered host (Rogue) connects, FNAC will try to isolate it in the registration network which in this case should be VLAN 201. If the SSID in FGT doesn't have this VLAN configured it may leave the host in the default subnet after the Access-Accept. You can also check this article for more information related to this scenario: Technical Tip: A simple deployment including FortiGate/FortiAP (self-registered guest)

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
772
williasthomas192004
New Contributor III
In response to ebilcari

Created on ‎05-28-2025 10:24 PM

Isolation with FortiNAC

FortiNAC uses isolation VLANs to restrict network access for unregistered or unknown devices, placing them in an isolation VLAN until they are registered or authenticated

Is that right? How figure out for isolation.
In your setup u create a vlan under wirelss interface with virtual lan with a tunnel mode.
My setup is create a vlan under fortilink swith and run bridge mode.

For Isolation Do I need to create a policy , and how  .Could you pls guide to me? Thanks!

747
0 Kudos
ebilcari
Staff
Staff
In response to williasthomas192004

Created on ‎05-29-2025 01:49 AM

Using a bridged SSID will be similar as long as the VLAN is allowed in the switchport where the AP is connected. The IP configurations shown in the example for the VLANs under the SSID, need to be configured in a similar way to normal VLANs in the FSW.

 

There is no need to create policies for isolation, based on the host state FNAC will push the configured VLANs as long as the Enforcement is enabled in the SSID.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
727
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.