NSE6 Part 12: FortiNAC Access Policies, CoA, and VLAN Enforcement
Device profiling tells FortiNAC what is on each port. The policy engine tells it what to do about it. This is where FortiNAC’s value proposition materialises: a corporate laptop gets production VLAN access, a guest gets internet-only, an unregistered device gets the registration portal, and a non-compliant endpoint gets quarantined — all without the admin touching a single port configuration.
The FortiNAC Policy Model
FortiNAC’s access policy evaluation is a three-layer model:
Endpoint + Port → Match a Group → Apply an Access Value
Layer 1: Groups
Groups collect entities (hosts or ports) that share a common characteristic. There are multiple group types:
Host groups match endpoints by:
- Device type (from profiling — “corporate laptop”, “printer”)
- Registration state (registered, unregistered)
- Host attribute (AD group membership, OS version, compliance status)
- MAC OUI prefix
- IP subnet
- Custom rule combinations
Port groups match switch ports by:
- Network device (all ports on a specific switch)
- Physical location (building, floor — based on topology)
- Port naming convention (regex match on port description)
User groups match authenticated users by:
- LDAP/AD group membership
- FortiNAC local user group
Groups can contain other groups (nesting). When a policy evaluates “host group A includes endpoint X”, FortiNAC traverses the group hierarchy.
Layer 2: Access Values
An access value defines what access an endpoint receives:
| Access value type | What it does |
|---|---|
| VLAN | Assigns a specific VLAN to the port |
| CLI configuration | Pushes CLI commands to the switch port (e.g., ACL, rate-limit, PoE settings) |
| Security policy | Links to a compliance policy that must pass |
| Access value set | Combines VLAN + CLI config into one named object |
VLAN-based access values are the most common. The VLAN can be specified by ID (e.g., VLAN 100) or by a logical network name (see below).
Layer 3: Network Access Policies
A network access policy links a host group + port group (conditions) to an access value (result):
If: (Host group = Corporate-Laptop) AND (Port group = Office-Ports)
Then: Apply Access Value = Production-VLAN-100
Policies are evaluated top to bottom, first match wins. Order matters.
Example policy stack (top to bottom):
| Priority | Host group | Port group | Access value |
|---|---|---|---|
| 1 | At-Risk | Any | Quarantine-VLAN-999 |
| 2 | Disabled | Any | Deny access |
| 3 | Corporate-Laptop | Office-Ports | Production-VLAN-100 |
| 4 | Corporate-Laptop | Remote-Ports | Remote-VLAN-110 |
| 5 | Guest | Any | Guest-VLAN-50 |
| 6 | Printer | Any | Printer-VLAN-200 |
| 7 | Any (unregistered) | Any | Registration-VLAN-30 |
An unregistered laptop hits policy 7, lands in the registration VLAN, and is directed to the self-registration portal. After registering (and joining the Corporate-Laptop group), CoA moves it to policy 3 and production VLAN 100.
Logical Networks
Hardcoding VLAN IDs in access values creates a problem at scale: the same “production” policy might mean VLAN 100 at one site and VLAN 200 at another.
Logical networks decouple the policy (abstract network name) from the physical VLAN (per-device mapping):
Policy: Apply "Production" logical network
On Switch-A (VLAN 100 = production): maps "Production" → VLAN 100
On Switch-B (VLAN 200 = production): maps "Production" → VLAN 200
This allows a single policy definition that works site-wide with per-switch VLAN mappings.
Network > Logical Networks
Create a logical network named “Production”, then for each network device, map the logical network to the physical VLAN ID.
RADIUS Integration
FortiNAC operates as a RADIUS server for 802.1X authentication from FortiSwitch (and FortiGate for wireless). When a device connects to a FortiSwitch port:
- FortiSwitch sends a RADIUS
Access-Requestto FortiNAC. - FortiNAC looks up the MAC address in the host database.
- If the MAC is known: check host state and run policy evaluation.
- FortiNAC responds with
Access-Accept+ VLAN attributes. - FortiSwitch assigns the port to the returned VLAN.
RADIUS accounting
FortiNAC also processes RADIUS accounting (Start/Stop) from FortiSwitch. Accounting Start events confirm which IP the endpoint received. Accounting Stop events let FortiNAC know the device has left the port.
Configuring FortiNAC as RADIUS server
Policy > RADIUS Configurations > RADIUS Server > Add
- Listen interface and port (1812 auth, 1813 accounting)
- RADIUS clients: add each FortiSwitch or FortiGate by IP with shared secret
On FortiGate (FortiSwitch RADIUS client):
config user radius
edit "FortiNAC-RADIUS"
set server "10.0.0.20" # FortiNAC Control Server IP
set secret "SharedSecret"
next
end
CoA — Change of Authorization
CoA (RFC 3576 / RFC 5176) is the mechanism FortiNAC uses to change a port’s VLAN mid-session, without requiring the endpoint to disconnect and re-authenticate.
CoA message types
| Message | Port behaviour |
|---|---|
| CoA-Request with new VLAN attribute | Port VLAN changes. Endpoint gets a new DHCP lease in new VLAN. |
| Disconnect-Request (DM) | Session terminated. Port bounces. Endpoint must re-authenticate. |
CoA is sent from FortiNAC Control Server → FortiGate RADIUS CoA listener → FortiSwitch port.
When CoA fires
- Policy re-evaluation: A device’s group membership changes (e.g., compliance scan passes and host moves from “At Risk” to “Corporate-Laptop” group).
- Manual admin action: Admin moves a host from one VLAN to another in the GUI.
- Registration: A device completes self-registration — host state changes from Unregistered to Registered → policy re-evaluates → new VLAN.
- Compliance failure: Persistent agent reports AV is out of date → host moves to “At Risk” group → policy re-evaluates → CoA sends quarantine VLAN.
CoA configuration on FortiGate
config switch-controller global
set allow-client-disconnect enable
end
config user radius
edit "FortiNAC-RADIUS"
set server "10.0.0.20"
set secret "SharedSecret"
set source-ip "10.0.0.1" # FortiGate IP that FortiNAC trusts for CoA
next
end
FortiNAC must be configured to send CoA to the FortiGate IP and use the matching shared secret.
SNMP-Based VLAN Enforcement (Non-802.1X)
For switches that don’t support RADIUS 802.1X (legacy switches, third-party devices), FortiNAC can change port VLANs via SNMP WRITE operations:
- FortiNAC detects a new MAC on a port.
- Policy evaluation determines the correct VLAN.
- FortiNAC sends an SNMP
SETto the switch:dot1qPvid = <vlan-id>for the relevant port index.
This is slower and less reliable than RADIUS CoA (SNMP is connectionless and has no acknowledgment for config changes), but it is the only option for non-802.1X switches. Requires SNMP v2c or v3 write access.
End-to-End 802.1X Enforcement Flow
Let’s trace a new corporate laptop connecting to a FortiSwitch port:
- Endpoint connects — FortiSwitch port link-up event.
- FortiSwitch sends RADIUS
Access-Requestto FortiNAC withUser-Name = MAC address(for MAB) or EAP identity. - FortiNAC checks host database — MAC is unknown → host state = Unregistered.
- Policy evaluation — Policy 7 (unregistered, any port) → Access Value = Registration VLAN 30.
- FortiNAC returns
Access-Acceptwith VLAN attributes (VLAN 30). - FortiSwitch assigns port to VLAN 30 — endpoint gets DHCP lease
192.168.30.x. - User opens browser → FortiGate captive portal (or FortiNAC registration portal on VLAN 30) → user registers device.
- Host state changes to Registered → device type profiled as “Corporate-Laptop” → joins Corporate-Laptop group.
- FortiNAC triggers CoA — sends
CoA-Requestwith VLAN 100 attribute to FortiGate. - FortiSwitch port VLAN changes to 100 — endpoint gets new DHCP lease
192.168.100.x. - User has full production access.
Diagnostic Commands and Views
# From FortiNAC GUI:
# Network > Hosts — full host inventory
# Policy > Network Access Policies — review policy order
# Policy > RADIUS Configurations — check RADIUS server config
# Logs > Events — filter by host MAC for per-endpoint history
# From FortiNAC CLI:
show hosts <mac-address> # host record detail
show radius-service # RADIUS service status
show coa-config # CoA server config
To test CoA manually:
Network > Hosts > [select host] > VLAN Change — triggers a CoA without waiting for policy re-evaluation.
Common Exam Scenarios
Q: Registered corporate laptops are being placed in the guest VLAN instead of production. A: Check policy evaluation order. The guest policy (priority 5 in the example above) is matching before the corporate laptop policy. Move the corporate laptop policy higher, or tighten the guest policy’s host group so it doesn’t include registered corporate devices.
Q: FortiNAC sends CoA but the VLAN doesn’t change on the FortiSwitch port.
A: Three things to check: (1) allow-client-disconnect enable on FortiGate switch-controller global; (2) the CoA shared secret matches the RADIUS client definition; (3) the CoA packet is sourced from the FortiNAC IP that FortiGate has as a trusted CoA source.
Q: VLAN enforcement via SNMP is working intermittently — some hosts get the correct VLAN, others don’t. A: SNMP WRITE operations to the switch are failing for some ports. Verify the SNMP community string has write access and that the OID for port VLAN assignment is correct for this switch model. Check FortiNAC event logs for SNMP errors.