
FortiNAC — Network Access Control

Basic Information

| Field | Value |
|---|---|
| Category | Infrastructure |
| Owner | Filip Kohák |
| Deputy | Artem Ryzhkov |
| SLA | 24x7 |
| Deployment | On-prem VM (Proxmox cluster) |

Description

FortiNAC controls which users and devices can connect to the corporate network. Authentication uses the 802.1X standard on the Wi-Fi access points (Aruba/UniFi). Integration with Entra ID and Active Directory automatically assigns VLANs based on user role.

Key features:

  • 802.1X authentication (Wi-Fi and wired network)
  • Automatic VLAN assignment based on AD/Entra ID group membership
  • Detection and isolation of unknown devices (guest VLAN)
  • Device profiling (OS fingerprinting)
  • FortiGate integration for dynamic security policies

Access and Login

  • URL: https://[fortinac-vm-ip] (management VLAN only)
  • Login: admin account (stored in Passbolt)
  • VM access: via Proxmox console or SSH

Warning

Changes to the NAC configuration can cause a Wi-Fi outage for all users. Perform major changes (new VLAN policies, RADIUS settings) during maintenance windows (outside business hours).

Procedure — Approve New Device

  1. Log in to FortiNAC GUI
  2. Go to Network Access → Hosts
  3. Search by MAC address or hostname
  4. Click device → Register or assign to the correct group
  5. Device automatically receives access to the appropriate VLAN

VLAN Assignment Mapping

| AD Group | VLAN |
|---|---|
| IT-Staff | VLAN 10 (Management) |
| Employees | VLAN 20 (Corporate) |
| Guests | VLAN 30 (Guest/Internet only) |
| Unknown | Quarantine VLAN |

Troubleshooting

| Problem | Solution |
|---|---|
| User cannot connect to Wi-Fi | Check RADIUS logs in FortiNAC: Logs → RADIUS Accounting; verify user's AD groups |
| Device stuck in Quarantine VLAN | Register device in FortiNAC or check certificate (EAP-TLS) |
| RADIUS timeout | Verify AP → FortiNAC network connectivity; check RADIUS secret (must match on both sides) |
| 802.1X fails after password change | User must manually refresh Wi-Fi profile or restart device |

Contact

  • Owner: Filip Kohák — Slack @filip / filip.kohak@etnetera.cz
  • Deputy: Artem Ryzhkov — Slack @artem
  • Urgent incidents (Wi-Fi outage): Slack #it-alerts

Etnetera a.s. — IT Team