NSE6 Part 11: FortiNAC Architecture, Network Discovery, and Device Profiling
Network Access Control sounds simple — only let the right devices onto the network. The complexity is in the “how does the system know what devices are there, and what state they’re in?” FortiNAC answers that question by combining network device discovery (building a topology map of every switch and AP), endpoint discovery (finding every host on the network), and device profiling (classifying what each host actually is). Only then can it enforce a policy.
The FCA-FNAC exam is the most architecture-heavy of the four NSE6 tracks. The questions test whether you understand the data flow from discovery through to enforcement — not just where to click.
What NAC Does
Network Access Control enforces three things:
- Authentication: Who is this endpoint and does it have credentials?
- Authorization: Given who it is and what type of device it is, which VLAN should it be in?
- Posture assessment: Is the endpoint’s software in a state the organization trusts? (AV current, OS patched, etc.)
Traditional 802.1X handles authentication but not posture. FortiNAC adds posture assessment and automates the authorization decision — the policy engine, not the admin, decides the VLAN.
FortiNAC Architecture
FortiNAC is a software product that runs on dedicated hardware appliances or VMs. It has two logical server roles:
Control Server
The Control Server is the enforcement engine. It:
- Communicates with network devices (switches, APs, FortiGate) via SNMP, SSH, RADIUS, and CoA
- Maintains the host database and VLAN enforcement state
- Processes access policy decisions
Application Server
The Application Server runs the administrative GUI, web portals (guest, self-registration, sponsor), report engine, and integration APIs (MDM, EMS, Active Directory). In small deployments, the Control Server and Application Server can run on the same virtual machine. In large deployments, they are separated for scalability.
Manager
The Manager is an optional third component for centralised management of multiple FortiNAC Control/Application server pairs — used by MSSPs or large enterprises with multiple data centres.
Physical vs VM
Physical appliances:
- FortiNAC-CA-200F — mid-range, recommended for up to 2,000 endpoints
- FortiNAC-CA-500F — large enterprise, up to 20,000 endpoints
VM:
- FortiNAC-VM — runs on VMware, KVM, Hyper-V. Eval licence = 100 hosts, 30 days.
- Size the VM with enough RAM and disk — the host database and event logs can grow substantially in large deployments.
Licensing: FortiNAC licenses by endpoint count (concurrent hosts) and optionally by Advanced features (MDM integration, additional profiling adapters).
High Availability
FortiNAC HA runs in active/passive mode:
- Primary handles all control operations and GUI access via a Virtual IP (VIP).
- Standby replicates configuration, host database, guest accounts, and events from the primary.
- On primary failure, the VIP moves to the standby, which becomes the new primary.
Synchronisation: MySQL replication keeps the databases in sync in real time. Configuration changes made on the primary replicate to the standby within seconds.
Failover triggers: Heartbeat timeout (configurable, default ~30 seconds). If the standby cannot reach the primary, it assumes the primary has failed and promotes itself.
Manual failover: System > High Availability > Force Failover. Use during maintenance windows.
After recovery: The original primary restarts as the new standby, accepting replicated data from the now-primary standby.
Network Device Discovery
FortiNAC must build a topology map of your switching infrastructure before it can enforce VLANs. It discovers network devices via:
SNMP
FortiNAC walks the SNMP MIB of each network device to build the port-to-MAC mapping:
| MIB | What FortiNAC reads |
|---|---|
ifTable (RFC 1213) | Interface list, names, status |
dot1dTpFdbTable | MAC addresses learned per bridge port |
dot1qVlanStaticTable | VLAN config per port |
lldpRemTable | LLDP neighbour data (topology) |
cdpCacheTable | CDP neighbour data (Cisco) |
Configure in FortiNAC:
Network > Inventory > Network Devices > Add
Required: device IP, SNMP community string (v2c) or credentials (v3), SSH admin credentials.
SNMP v3 is preferred for security. SNMP v1/v2c community strings travel in clear text.
SSH
Some operations require SSH access to network devices:
- Pushing VLAN changes to non-standard devices (where SNMP WRITE is not supported)
- Running
show mac-address-tablefor real-time MAC lookups - Executing device-specific CLI commands for enforcement
FortiNAC stores SSH credentials per device type (Cisco, HP Aruba, FortiSwitch, etc.).
FortiSwitch and FortiGate (direct API)
For FortiSwitch under FortiLink managed mode, FortiNAC communicates with FortiGate rather than directly with each FortiSwitch. FortiGate acts as the API proxy. FortiNAC sends CoA to the FortiGate RADIUS CoA listener, and FortiGate relays the VLAN change to the relevant FortiSwitch port.
CDP/LLDP topology mapping
FortiNAC reads LLDP and CDP neighbour tables to build a visual topology — which switch port connects to which other device. This is what populates the Network > Topology view.
Endpoint Discovery
Once FortiNAC has the network device topology, it discovers the endpoints attached to each switch port.
Passive discovery (no active probing)
ARP table monitoring: FortiNAC reads the ARP table of the layer-3 gateway (FortiGate) at regular intervals. Any IP/MAC pair in the ARP table is a potential host to add to the inventory.
DHCP snooping: FortiNAC listens to DHCP traffic (typically via a SPAN port mirroring the management VLAN, or from DHCP log forwarding). Each DHCP lease gives: MAC, IP, hostname, and DHCP option 55/60 fingerprint data.
Switch port MAC table polling: FortiNAC polls each switch’s MAC table and correlates MAC-to-port. Combined with the ARP table, this gives: IP → MAC → switch port.
Syslog from switches: FortiSwitch and Cisco switches can send MAC notification syslog messages when a MAC appears or disappears on a port. FortiNAC uses these real-time events to update the host database faster than polling alone.
Active discovery (probing)
Nmap scan: FortiNAC can run an Nmap scan against discovered IP addresses to:
- Determine OS type (OS fingerprinting via TCP/IP stack analysis)
- Identify open ports (running services)
- Detect device type from service banners
Nmap scans are intrusive — they generate traffic directed at endpoints. Schedule them during off-hours or limit them to unregistered/new hosts.
Network > Discovery Config > Nmap Profile
Enable: Yes
Timing: T3 (normal) — adjust based on endpoint sensitivity
OS detection: enable
Device Profiling
Device profiling assigns a device type to each discovered host. The device type determines which access policy group the host falls into — a “corporate laptop” might go to VLAN 100, while a “printer” goes to VLAN 200, and a “mobile device” goes to VLAN 150.
Profiling methods
FortiNAC uses multiple methods and combines evidence to build a profile. The more evidence, the more confident the classification:
| Method | Data source | Quality |
|---|---|---|
| DHCP option 55 (parameter request list) | DHCP snoop | High — very device-type-specific |
| DHCP option 60 (vendor class ID) | DHCP snoop | High — e.g., “MSFT 5.0” = Windows |
| HTTP User-Agent | SPAN/mirror | Medium — can be spoofed |
| SNMP sysDescr (from the device itself) | SNMP query | High — network devices |
| CDP/LLDP platform string | Switch topology | High — network devices |
| Active Directory computer object | AD integration | High — domain-joined PCs |
| MDM (Intune/Jamf) | API integration | High — mobile devices |
| FortiClient EMS | EMS API | High — managed endpoints |
| WMI (Windows Management Instrumentation) | Direct query | High — Windows OS details, AV status |
| Nmap OS fingerprint | Active scan | Medium — heuristic |
Profiling rules
FortiNAC ships with a built-in profiling rule library covering common device types: Windows workstations, macOS, Linux, iOS, Android, Cisco phones, HP printers, Axis cameras, etc.
Custom profiling rules can be created:
Policy > Device Profiling Rules > Add
Rule: Custom-Industrial-PLC
Condition: DHCP Option 60 contains "SiemensS7"
Result Device Type: Industrial-PLC
The device type library maps types to icons and names visible in the device inventory. The type is also used in host group membership rules (covered in Part 12).
Host record states
After discovery and profiling, each endpoint is a host record with a state:
| State | Meaning |
|---|---|
| Registered | Device is known, owner identified. Normal state for corporate devices. |
| Unregistered (Rogue) | Device is on the network but not registered. May trigger registration VLAN. |
| At Risk | Device failed a compliance scan. May trigger quarantine VLAN. |
| Disabled | Admin has manually disabled the host. Access is denied. |
Key Diagnostic Commands and Views
# From FortiNAC CLI (SSH to NAC appliance)
# Check database sync (HA)
show high-availability
# Check network device polling status
show device-polling-status
# Check RADIUS service status
show radius-service
# Diagnostic portal in GUI:
System > Administration > Diagnostics
- Network device discovery test
- Host lookup by MAC/IP
- RADIUS test
- Nmap test (run a scan against a specific IP)
Network > Hosts in the GUI gives a complete inventory of discovered hosts with their MAC, IP, device type, state, and last-seen time.
Common Exam Scenarios
Q: FortiNAC is not discovering a Cisco switch. SNMP is configured correctly but the switch doesn’t appear. A: Check firewall rules — UDP 161 from FortiNAC management IP to the switch management IP must be permitted. Also verify the SNMP community string matches, and that SNMP is enabled on the switch interface that FortiNAC is querying.
Q: A host appears in FortiNAC with no device type (unclassified). DHCP fingerprinting is enabled. A: The DHCP data is either not reaching FortiNAC (check the SPAN port or DHCP log forwarding), or the device type doesn’t match any profiling rule. Check the DHCP option 55 values for that host and see if a new custom rule is needed.
Q: After an HA failover, FortiNAC shows no hosts in the inventory.
A: Database synchronisation may not have been working before the failover. Check replication status via show high-availability on both nodes. If the standby was out of sync, it may need a full resync from a backup.