https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5345704#M598858 <P>Is there any reference link to implement this solution.</P> <P>We have configure AD as identity source on ISE for authentication .</P> <P>Then how we can call group from fortigate is it will initiate authentication again?</P> Mon, 10 Nov 2025 05:42:50 GMT ravina-gurav 2025-11-10T05:42:50Z https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5344666#M598813 <P>We have FortiGate WLC for wireless user .</P> <P>After posture scanning if the user is non-compliant we are unable to restrict the access user is getting full access.</P> <P>We tried from ISE to Push ACL still the restriction is not working.</P> <P>Wireless user connecting through fortiAP.</P> <P>Is there any solution we can configure restriction for non-compliant user as fortigate is the NAD device for user.</P> Wed, 05 Nov 2025 10:12:42 GMT https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5344666#M598813 ravina-gurav 2025-11-05T10:12:42Z https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5344691#M598814 <P>I've never done it before, so bear with me please. It seems you could do it using RADIUS "NAS-Filter-Rule" attribute as it states here:</P> <P><A href="https://community.cisco.com/t5/network-access-control/ise-issue-i-cannot-input-any-value-on-radius-nas-filter-rule/td-p/3950991" target="_blank">Solved: ISE issue :i cannot input any value on Radius:NAS-Filter-Rule - Cisco Community</A></P> <P><A href="https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/cb85917a-1b07-11f0-b13a-ca4255feedd9/FortiWiFi_and_FortiAP-7.6.3-Configuration_Guide.pdf" target="_blank">FortiWiFi and FortiAP Configuration Guide</A></P> Wed, 05 Nov 2025 11:22:04 GMT https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5344691#M598814 Aref Alsouqi 2025-11-05T11:22:04Z https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5344765#M598821 <P><A href="https://cs.co/ise-berg#fortinet" target="_blank">https://cs.co/ise-berg#fortinet</A>&nbsp;</P> <P>How is the FortiAP managed? You should pass a User Group attribute if managed by a FortiGate instead.</P> Wed, 05 Nov 2025 15:18:35 GMT https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5344765#M598821 ahollifield 2025-11-05T15:18:35Z https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5344896#M598825 <P>Managed By Fortigate.</P> <P>I am Using AD for user authentication.</P> Thu, 06 Nov 2025 06:21:00 GMT https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5344896#M598825 ravina-gurav 2025-11-06T06:21:00Z https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5344934#M598827 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1817382">@ravina-gurav</a>&nbsp;<A href="https://www.ezpassn-j.com" target="_self">E-ZPass New Jersey</A>wrote:<BR /><P>We have FortiGate WLC for wireless user .</P><P>After posture scanning if the user is non-compliant we are unable to restrict the access user is getting full access.</P><P>We tried from ISE to Push ACL still the restriction is not working.</P><P>Wireless user connecting through fortiAP.</P><P>Is there any solution we can configure restriction for non-compliant user as fortigate is the NAD device for user.</P><HR /></BLOCKQUOTE><P>The failure to enforce restrictions on non-compliant users via your FortiGate WLC (acting as the NAD) with Cisco ISE is likely due to a **Vendor-Specific Attribute (VSA) or Change of Authorization (CoA) mismatch**. The FortiGate is likely ignoring the ACL pushed by ISE because it doesn't understand the format. The solution requires ensuring **CoA is properly configured and acknowledged** by the FortiGate, and crucially, configuring the **Non-Compliant Authorization Profile in ISE to send a specific Fortinet VSA** (e.g., `Fortinet-Group-Name`) instead of a standard ACL. The FortiGate can then map this received VSA to a local **Firewall User Group** with a restrictive policy.</P> Thu, 06 Nov 2025 07:59:39 GMT https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5344934#M598827 mary58wilson 2025-11-06T07:59:39Z https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5345016#M598837 <P>No one should be using MS-CHAPv2 in 2025. It relies on broken encryption. are you disabling credential guard?</P> Thu, 06 Nov 2025 13:50:33 GMT https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5345016#M598837 ahollifield 2025-11-06T13:50:33Z https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5345704#M598858 <P>Is there any reference link to implement this solution.</P> <P>We have configure AD as identity source on ISE for authentication .</P> <P>Then how we can call group from fortigate is it will initiate authentication again?</P> Mon, 10 Nov 2025 05:42:50 GMT https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5345704#M598858 ravina-gurav 2025-11-10T05:42:50Z https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5345715#M598859 <P>As said further up in the thread, you need to import the Fortinet VSAs into ISE as a dictionary. You can find the VSAs here: <A href="https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fortinet-RADIUS-vendor-specific-attributes-VSAs/ta-p/191592?externalId=13837" target="_blank">Fortinet RADIUS vendor-specific attribute... - Fortinet Community</A></P> <P>To quote the process of importing Fortinet VSAs into ISE from this post (all credits to original author):&nbsp;<A href="https://community.cisco.com/t5/network-access-control/fortigate-authorization-with-ise/td-p/3545350" target="_blank">Solved: Fortigate authorization with ISE - Cisco Community</A></P> <P>1) Navigate to<SPAN>&nbsp;</SPAN><STRONG>Policy &gt; Policy Elements &gt; Dictionaries</STRONG></P> <P>2) In the<SPAN>&nbsp;</SPAN><STRONG>Dictionaries</STRONG><SPAN>&nbsp;</SPAN>left panel, choose<SPAN>&nbsp;</SPAN><STRONG>System &gt; RADIUS &gt; RADIUS Vendors</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bweber1_0-1762755353577.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/254954iFC9A305C05CA202B/image-size/medium?v=v2&amp;px=400" role="button" title="bweber1_0-1762755353577.png" alt="bweber1_0-1762755353577.png" /></span></P> <P>&nbsp;</P> <P>3) You should see a list of RADIUS Vendors that<SPAN>&nbsp;</SPAN><EM>does not</EM><SPAN>&nbsp;</SPAN>include<SPAN>&nbsp;</SPAN><STRONG>Fortinet</STRONG></P> <P>4) Select<SPAN>&nbsp;</SPAN><STRONG>Import</STRONG></P> <P>5)<SPAN>&nbsp;</SPAN><STRONG>Browse...</STRONG><SPAN>&nbsp;</SPAN>for the<SPAN>&nbsp;</SPAN><SPAN>Fortinet_VSAs.txt</SPAN><SPAN>&nbsp;</SPAN>file then click the<SPAN>&nbsp;</SPAN><STRONG>Import</STRONG><SPAN>&nbsp;</SPAN>button and acknowledge the dialog to import the file. (<STRONG>Note:&nbsp;</STRONG>You will have to create this file or copy it from the linked post).</P> <P>6) You should now see Fortinet in the RADIUS Vendors list:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bweber1_1-1762755353579.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/254952i18D459174155C29A/image-size/medium?v=v2&amp;px=400" role="button" title="bweber1_1-1762755353579.png" alt="bweber1_1-1762755353579.png" /></span></P> <P>&nbsp;</P> <P>and all of the Fortinet attributes listed under the<SPAN>&nbsp;</SPAN><STRONG>Dictionary Attributes</STRONG><SPAN>&nbsp;</SPAN>tab:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bweber1_2-1762755353583.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/254951i244A7E5B6FDD4FBA/image-size/medium?v=v2&amp;px=400" role="button" title="bweber1_2-1762755353583.png" alt="bweber1_2-1762755353583.png" /></span></P> <P>&nbsp;</P> Mon, 10 Nov 2025 06:17:39 GMT https://community.cisco.com/t5/network-access-control/need-to-configure-restriction-for-non-compliant-wireless-user-in/m-p/5345715#M598859 Ben Weber 2025-11-10T06:17:39Z