FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
haljawhari
Staff
Article Id 192639

Description


This article describes steps to take when the VLAN does not change as expected on a switch port after a host connects.

Scope

 

Any supported version of FortiNAC.


Solution

 

  1. Confirm the host is connected to the correct port with a status of 'online' under the Ports tab of the switch's Device Model (Network -> Inventory).



If the host shows offline, see the article below:

Technical Tip: Wired hosts displaying incorrect connection status

 

  2. Verify the appropriate VLAN is configured to apply for the applicable host state:
  • Hosts being assigned to an isolation VLAN: Review the switch's device model under the Model Configuration tab.

Examples:

  • The host is a rogue: Registration VLAN.
  • The host is marked 'At-Risk': Remediation VLAN.
  • The host is marked Disabled: DeadEnd VLAN.

 


  • Registered hosts assigned VLANs using a Network Access Policy: Verify the correct policy matches. See the article below:

Technical Tip: Troubleshooting policies

 

  • Registered hosts where a Network Access Policy is not used to assign the VLAN: Confirm the default VLAN is configured either at the switch level (Model Configuration) or at the port level (Ports tab).

 

  3. Verify that the VLAN switching enabled option is selected under the Element tab.

 


 

  4. Verify the appropriate enforcement group is configured under the Ports tab.

 


Examples:

  • The host is a rogue: Port is a member of the Forced Registration group.
  • The host is marked 'At-Risk': Port is a member of the Forced Remediation group.
  • The host is marked Disabled: Switch is a member of the Physical Address Filtering group (right-click model and select Group Membership).
  • The host is registered and a network access policy is used to assign VLAN: Port is a member of the Role Based Access group.

 


  5. Confirm credentials are correct. Under the Credentials tab, select Validate Credentials.
  • If SNMP credentials fail, see the article below:

Technical Note: Troubleshooting SNMP communication issues

  • If CLI credentials fail, see the article below:

Technical Note: Troubleshooting CLI credential failure

 

  6. If the VLAN on the switch port is still not changing, confirm the following under the Ports tab (see the Ports tab view from the first step):
  • The port is not a member of the Access Point Management group.
  • The port does not display as an Uplink.
  • Multiple hosts are not connected to the switch port via a hub. Depending upon the state of each connected host, this can cause unexpected VLAN changes.

If the behavior persists, open a support ticket and provide the following information:

  • Problem description
  • Troubleshooting steps taken
  • Screen capture of the Element tab of the switch and "Port Changes" for the test port
  • A grab log snapshot of FortiNAC that contains all the logs
  • Firmware version of FortiNAC (select the username in the upper right corner, or System Summary from the Dashboard)