NSE6 Part 12: FortiNAC Access Policies, CoA, and VLAN Enforcement

Device profiling tells FortiNAC what is on each port. The policy engine tells it what to do about it. This is where FortiNAC’s value proposition materialises: a corporate laptop gets production VLAN access, a guest gets internet-only, an unregistered device gets the registration portal, and a non-compliant endpoint gets quarantined — all without the admin touching a single port configuration.


The FortiNAC Policy Model

FortiNAC’s access policy evaluation is a three-layer model:

Endpoint + Port → Match a Group → Apply an Access Value

Layer 1: Groups

Groups collect entities (hosts or ports) that share a common characteristic. There are multiple group types:

Host groups match endpoints by:

  • Device type (from profiling — “corporate laptop”, “printer”)
  • Registration state (registered, unregistered)
  • Host attribute (AD group membership, OS version, compliance status)
  • MAC OUI prefix
  • IP subnet
  • Custom rule combinations

Port groups match switch ports by:

  • Network device (all ports on a specific switch)
  • Physical location (building, floor — based on topology)
  • Port naming convention (regex match on port description)

User groups match authenticated users by:

  • LDAP/AD group membership
  • FortiNAC local user group

Groups can contain other groups (nesting). When a policy evaluates “host group A includes endpoint X”, FortiNAC traverses the group hierarchy.

Layer 2: Access Values

An access value defines what access an endpoint receives:

Access value typeWhat it does
VLANAssigns a specific VLAN to the port
CLI configurationPushes CLI commands to the switch port (e.g., ACL, rate-limit, PoE settings)
Security policyLinks to a compliance policy that must pass
Access value setCombines VLAN + CLI config into one named object

VLAN-based access values are the most common. The VLAN can be specified by ID (e.g., VLAN 100) or by a logical network name (see below).

Layer 3: Network Access Policies

A network access policy links a host group + port group (conditions) to an access value (result):

If: (Host group = Corporate-Laptop) AND (Port group = Office-Ports)
Then: Apply Access Value = Production-VLAN-100

Policies are evaluated top to bottom, first match wins. Order matters.

Example policy stack (top to bottom):

PriorityHost groupPort groupAccess value
1At-RiskAnyQuarantine-VLAN-999
2DisabledAnyDeny access
3Corporate-LaptopOffice-PortsProduction-VLAN-100
4Corporate-LaptopRemote-PortsRemote-VLAN-110
5GuestAnyGuest-VLAN-50
6PrinterAnyPrinter-VLAN-200
7Any (unregistered)AnyRegistration-VLAN-30

An unregistered laptop hits policy 7, lands in the registration VLAN, and is directed to the self-registration portal. After registering (and joining the Corporate-Laptop group), CoA moves it to policy 3 and production VLAN 100.


Logical Networks

Hardcoding VLAN IDs in access values creates a problem at scale: the same “production” policy might mean VLAN 100 at one site and VLAN 200 at another.

Logical networks decouple the policy (abstract network name) from the physical VLAN (per-device mapping):

Policy: Apply "Production" logical network
On Switch-A (VLAN 100 = production): maps "Production" → VLAN 100
On Switch-B (VLAN 200 = production): maps "Production" → VLAN 200

This allows a single policy definition that works site-wide with per-switch VLAN mappings.

Network > Logical Networks

Create a logical network named “Production”, then for each network device, map the logical network to the physical VLAN ID.


RADIUS Integration

FortiNAC operates as a RADIUS server for 802.1X authentication from FortiSwitch (and FortiGate for wireless). When a device connects to a FortiSwitch port:

  1. FortiSwitch sends a RADIUS Access-Request to FortiNAC.
  2. FortiNAC looks up the MAC address in the host database.
  3. If the MAC is known: check host state and run policy evaluation.
  4. FortiNAC responds with Access-Accept + VLAN attributes.
  5. FortiSwitch assigns the port to the returned VLAN.

RADIUS accounting

FortiNAC also processes RADIUS accounting (Start/Stop) from FortiSwitch. Accounting Start events confirm which IP the endpoint received. Accounting Stop events let FortiNAC know the device has left the port.

Configuring FortiNAC as RADIUS server

Policy > RADIUS Configurations > RADIUS Server > Add

  • Listen interface and port (1812 auth, 1813 accounting)
  • RADIUS clients: add each FortiSwitch or FortiGate by IP with shared secret

On FortiGate (FortiSwitch RADIUS client):

config user radius
  edit "FortiNAC-RADIUS"
    set server "10.0.0.20"     # FortiNAC Control Server IP
    set secret "SharedSecret"
  next
end

CoA — Change of Authorization

CoA (RFC 3576 / RFC 5176) is the mechanism FortiNAC uses to change a port’s VLAN mid-session, without requiring the endpoint to disconnect and re-authenticate.

CoA message types

MessagePort behaviour
CoA-Request with new VLAN attributePort VLAN changes. Endpoint gets a new DHCP lease in new VLAN.
Disconnect-Request (DM)Session terminated. Port bounces. Endpoint must re-authenticate.

CoA is sent from FortiNAC Control Server → FortiGate RADIUS CoA listener → FortiSwitch port.

When CoA fires

  • Policy re-evaluation: A device’s group membership changes (e.g., compliance scan passes and host moves from “At Risk” to “Corporate-Laptop” group).
  • Manual admin action: Admin moves a host from one VLAN to another in the GUI.
  • Registration: A device completes self-registration — host state changes from Unregistered to Registered → policy re-evaluates → new VLAN.
  • Compliance failure: Persistent agent reports AV is out of date → host moves to “At Risk” group → policy re-evaluates → CoA sends quarantine VLAN.

CoA configuration on FortiGate

config switch-controller global
  set allow-client-disconnect enable
end
config user radius
  edit "FortiNAC-RADIUS"
    set server "10.0.0.20"
    set secret "SharedSecret"
    set source-ip "10.0.0.1"      # FortiGate IP that FortiNAC trusts for CoA
  next
end

FortiNAC must be configured to send CoA to the FortiGate IP and use the matching shared secret.


SNMP-Based VLAN Enforcement (Non-802.1X)

For switches that don’t support RADIUS 802.1X (legacy switches, third-party devices), FortiNAC can change port VLANs via SNMP WRITE operations:

  1. FortiNAC detects a new MAC on a port.
  2. Policy evaluation determines the correct VLAN.
  3. FortiNAC sends an SNMP SET to the switch: dot1qPvid = <vlan-id> for the relevant port index.

This is slower and less reliable than RADIUS CoA (SNMP is connectionless and has no acknowledgment for config changes), but it is the only option for non-802.1X switches. Requires SNMP v2c or v3 write access.


End-to-End 802.1X Enforcement Flow

Let’s trace a new corporate laptop connecting to a FortiSwitch port:

  1. Endpoint connects — FortiSwitch port link-up event.
  2. FortiSwitch sends RADIUS Access-Request to FortiNAC with User-Name = MAC address (for MAB) or EAP identity.
  3. FortiNAC checks host database — MAC is unknown → host state = Unregistered.
  4. Policy evaluation — Policy 7 (unregistered, any port) → Access Value = Registration VLAN 30.
  5. FortiNAC returns Access-Accept with VLAN attributes (VLAN 30).
  6. FortiSwitch assigns port to VLAN 30 — endpoint gets DHCP lease 192.168.30.x.
  7. User opens browser → FortiGate captive portal (or FortiNAC registration portal on VLAN 30) → user registers device.
  8. Host state changes to Registered → device type profiled as “Corporate-Laptop” → joins Corporate-Laptop group.
  9. FortiNAC triggers CoA — sends CoA-Request with VLAN 100 attribute to FortiGate.
  10. FortiSwitch port VLAN changes to 100 — endpoint gets new DHCP lease 192.168.100.x.
  11. User has full production access.

Diagnostic Commands and Views

# From FortiNAC GUI:
# Network > Hosts — full host inventory
# Policy > Network Access Policies — review policy order
# Policy > RADIUS Configurations — check RADIUS server config
# Logs > Events — filter by host MAC for per-endpoint history

# From FortiNAC CLI:
show hosts <mac-address>         # host record detail
show radius-service              # RADIUS service status
show coa-config                  # CoA server config

To test CoA manually: Network > Hosts > [select host] > VLAN Change — triggers a CoA without waiting for policy re-evaluation.


Common Exam Scenarios

Q: Registered corporate laptops are being placed in the guest VLAN instead of production. A: Check policy evaluation order. The guest policy (priority 5 in the example above) is matching before the corporate laptop policy. Move the corporate laptop policy higher, or tighten the guest policy’s host group so it doesn’t include registered corporate devices.

Q: FortiNAC sends CoA but the VLAN doesn’t change on the FortiSwitch port. A: Three things to check: (1) allow-client-disconnect enable on FortiGate switch-controller global; (2) the CoA shared secret matches the RADIUS client definition; (3) the CoA packet is sourced from the FortiNAC IP that FortiGate has as a trusted CoA source.

Q: VLAN enforcement via SNMP is working intermittently — some hosts get the correct VLAN, others don’t. A: SNMP WRITE operations to the switch are failing for some ports. Verify the SNMP community string has write access and that the OID for port VLAN assignment is correct for this switch model. Check FortiNAC event logs for SNMP errors.