NSE6 Part 11: FortiNAC Architecture, Network Discovery, and Device Profiling

Network Access Control sounds simple — only let the right devices onto the network. The complexity is in the “how does the system know what devices are there, and what state they’re in?” FortiNAC answers that question by combining network device discovery (building a topology map of every switch and AP), endpoint discovery (finding every host on the network), and device profiling (classifying what each host actually is). Only then can it enforce a policy.

The FCA-FNAC exam is the most architecture-heavy of the four NSE6 tracks. The questions test whether you understand the data flow from discovery through to enforcement — not just where to click.


What NAC Does

Network Access Control enforces three things:

  1. Authentication: Who is this endpoint and does it have credentials?
  2. Authorization: Given who it is and what type of device it is, which VLAN should it be in?
  3. Posture assessment: Is the endpoint’s software in a state the organization trusts? (AV current, OS patched, etc.)

Traditional 802.1X handles authentication but not posture. FortiNAC adds posture assessment and automates the authorization decision — the policy engine, not the admin, decides the VLAN.


FortiNAC Architecture

FortiNAC is a software product that runs on dedicated hardware appliances or VMs. It has two logical server roles:

Control Server

The Control Server is the enforcement engine. It:

  • Communicates with network devices (switches, APs, FortiGate) via SNMP, SSH, RADIUS, and CoA
  • Maintains the host database and VLAN enforcement state
  • Processes access policy decisions

Application Server

The Application Server runs the administrative GUI, web portals (guest, self-registration, sponsor), report engine, and integration APIs (MDM, EMS, Active Directory). In small deployments, the Control Server and Application Server can run on the same virtual machine. In large deployments, they are separated for scalability.

Manager

The Manager is an optional third component for centralised management of multiple FortiNAC Control/Application server pairs — used by MSSPs or large enterprises with multiple data centres.

Physical vs VM

Physical appliances:

  • FortiNAC-CA-200F — mid-range, recommended for up to 2,000 endpoints
  • FortiNAC-CA-500F — large enterprise, up to 20,000 endpoints

VM:

  • FortiNAC-VM — runs on VMware, KVM, Hyper-V. Eval licence = 100 hosts, 30 days.
  • Size the VM with enough RAM and disk — the host database and event logs can grow substantially in large deployments.

Licensing: FortiNAC licenses by endpoint count (concurrent hosts) and optionally by Advanced features (MDM integration, additional profiling adapters).


High Availability

FortiNAC HA runs in active/passive mode:

  • Primary handles all control operations and GUI access via a Virtual IP (VIP).
  • Standby replicates configuration, host database, guest accounts, and events from the primary.
  • On primary failure, the VIP moves to the standby, which becomes the new primary.

Synchronisation: MySQL replication keeps the databases in sync in real time. Configuration changes made on the primary replicate to the standby within seconds.

Failover triggers: Heartbeat timeout (configurable, default ~30 seconds). If the standby cannot reach the primary, it assumes the primary has failed and promotes itself.

Manual failover: System > High Availability > Force Failover. Use during maintenance windows.

After recovery: The original primary restarts as the new standby, accepting replicated data from the now-primary standby.


Network Device Discovery

FortiNAC must build a topology map of your switching infrastructure before it can enforce VLANs. It discovers network devices via:

SNMP

FortiNAC walks the SNMP MIB of each network device to build the port-to-MAC mapping:

MIBWhat FortiNAC reads
ifTable (RFC 1213)Interface list, names, status
dot1dTpFdbTableMAC addresses learned per bridge port
dot1qVlanStaticTableVLAN config per port
lldpRemTableLLDP neighbour data (topology)
cdpCacheTableCDP neighbour data (Cisco)

Configure in FortiNAC: Network > Inventory > Network Devices > Add

Required: device IP, SNMP community string (v2c) or credentials (v3), SSH admin credentials.

SNMP v3 is preferred for security. SNMP v1/v2c community strings travel in clear text.

SSH

Some operations require SSH access to network devices:

  • Pushing VLAN changes to non-standard devices (where SNMP WRITE is not supported)
  • Running show mac-address-table for real-time MAC lookups
  • Executing device-specific CLI commands for enforcement

FortiNAC stores SSH credentials per device type (Cisco, HP Aruba, FortiSwitch, etc.).

FortiSwitch and FortiGate (direct API)

For FortiSwitch under FortiLink managed mode, FortiNAC communicates with FortiGate rather than directly with each FortiSwitch. FortiGate acts as the API proxy. FortiNAC sends CoA to the FortiGate RADIUS CoA listener, and FortiGate relays the VLAN change to the relevant FortiSwitch port.

CDP/LLDP topology mapping

FortiNAC reads LLDP and CDP neighbour tables to build a visual topology — which switch port connects to which other device. This is what populates the Network > Topology view.


Endpoint Discovery

Once FortiNAC has the network device topology, it discovers the endpoints attached to each switch port.

Passive discovery (no active probing)

ARP table monitoring: FortiNAC reads the ARP table of the layer-3 gateway (FortiGate) at regular intervals. Any IP/MAC pair in the ARP table is a potential host to add to the inventory.

DHCP snooping: FortiNAC listens to DHCP traffic (typically via a SPAN port mirroring the management VLAN, or from DHCP log forwarding). Each DHCP lease gives: MAC, IP, hostname, and DHCP option 55/60 fingerprint data.

Switch port MAC table polling: FortiNAC polls each switch’s MAC table and correlates MAC-to-port. Combined with the ARP table, this gives: IP → MAC → switch port.

Syslog from switches: FortiSwitch and Cisco switches can send MAC notification syslog messages when a MAC appears or disappears on a port. FortiNAC uses these real-time events to update the host database faster than polling alone.

Active discovery (probing)

Nmap scan: FortiNAC can run an Nmap scan against discovered IP addresses to:

  • Determine OS type (OS fingerprinting via TCP/IP stack analysis)
  • Identify open ports (running services)
  • Detect device type from service banners

Nmap scans are intrusive — they generate traffic directed at endpoints. Schedule them during off-hours or limit them to unregistered/new hosts.

Network > Discovery Config > Nmap Profile
  Enable: Yes
  Timing: T3 (normal) — adjust based on endpoint sensitivity
  OS detection: enable

Device Profiling

Device profiling assigns a device type to each discovered host. The device type determines which access policy group the host falls into — a “corporate laptop” might go to VLAN 100, while a “printer” goes to VLAN 200, and a “mobile device” goes to VLAN 150.

Profiling methods

FortiNAC uses multiple methods and combines evidence to build a profile. The more evidence, the more confident the classification:

MethodData sourceQuality
DHCP option 55 (parameter request list)DHCP snoopHigh — very device-type-specific
DHCP option 60 (vendor class ID)DHCP snoopHigh — e.g., “MSFT 5.0” = Windows
HTTP User-AgentSPAN/mirrorMedium — can be spoofed
SNMP sysDescr (from the device itself)SNMP queryHigh — network devices
CDP/LLDP platform stringSwitch topologyHigh — network devices
Active Directory computer objectAD integrationHigh — domain-joined PCs
MDM (Intune/Jamf)API integrationHigh — mobile devices
FortiClient EMSEMS APIHigh — managed endpoints
WMI (Windows Management Instrumentation)Direct queryHigh — Windows OS details, AV status
Nmap OS fingerprintActive scanMedium — heuristic

Profiling rules

FortiNAC ships with a built-in profiling rule library covering common device types: Windows workstations, macOS, Linux, iOS, Android, Cisco phones, HP printers, Axis cameras, etc.

Custom profiling rules can be created: Policy > Device Profiling Rules > Add

Rule: Custom-Industrial-PLC
Condition: DHCP Option 60 contains "SiemensS7"
Result Device Type: Industrial-PLC

The device type library maps types to icons and names visible in the device inventory. The type is also used in host group membership rules (covered in Part 12).

Host record states

After discovery and profiling, each endpoint is a host record with a state:

StateMeaning
RegisteredDevice is known, owner identified. Normal state for corporate devices.
Unregistered (Rogue)Device is on the network but not registered. May trigger registration VLAN.
At RiskDevice failed a compliance scan. May trigger quarantine VLAN.
DisabledAdmin has manually disabled the host. Access is denied.

Key Diagnostic Commands and Views

# From FortiNAC CLI (SSH to NAC appliance)
# Check database sync (HA)
show high-availability

# Check network device polling status
show device-polling-status

# Check RADIUS service status
show radius-service

# Diagnostic portal in GUI:
System > Administration > Diagnostics
  - Network device discovery test
  - Host lookup by MAC/IP
  - RADIUS test
  - Nmap test (run a scan against a specific IP)

Network > Hosts in the GUI gives a complete inventory of discovered hosts with their MAC, IP, device type, state, and last-seen time.


Common Exam Scenarios

Q: FortiNAC is not discovering a Cisco switch. SNMP is configured correctly but the switch doesn’t appear. A: Check firewall rules — UDP 161 from FortiNAC management IP to the switch management IP must be permitted. Also verify the SNMP community string matches, and that SNMP is enabled on the switch interface that FortiNAC is querying.

Q: A host appears in FortiNAC with no device type (unclassified). DHCP fingerprinting is enabled. A: The DHCP data is either not reaching FortiNAC (check the SPAN port or DHCP log forwarding), or the device type doesn’t match any profiling rule. Check the DHCP option 55 values for that host and see if a new custom rule is needed.

Q: After an HA failover, FortiNAC shows no hosts in the inventory. A: Database synchronisation may not have been working before the failover. Check replication status via show high-availability on both nodes. If the standby was out of sync, it may need a full resync from a backup.