Need to configure restriction for non-compliant wireless user in ISE

ravina-gurav
Level 1

We have a FortiGate WLC for wireless users.

After posture scanning, if the user is non-compliant we are unable to restrict access; the user is getting full access.

We tried from ISE to push an ACL, but the restriction is still not working.

Wireless users connect through FortiAP.

Is there any solution to configure a restriction for non-compliant users, as the FortiGate is the NAD device for the user?

7 Replies

I've never done it before, so bear with me please. It seems you could do it using RADIUS "NAS-Filter-Rule" attribute as it states here:

Solved: ISE issue :i cannot input any value on Radius:NAS-Filter-Rule - Cisco Community

FortiWiFi and FortiAP Configuration Guide

https://cs.co/ise-berg#fortinet 

How is the FortiAP managed? You should pass a User Group attribute if managed by a FortiGate instead.

Managed by FortiGate.

I am using AD for user authentication.

No one should be using MS-CHAPv2 in 2025. It relies on broken encryption. Are you disabling Credential Guard?

mary58wilson
Level 1

The failure to enforce restrictions on non-compliant users via your FortiGate WLC (acting as the NAD) with Cisco ISE is likely due to a **Vendor-Specific Attribute (VSA) or Change of Authorization (CoA) mismatch**. The FortiGate is likely ignoring the ACL pushed by ISE because it doesn't understand the format. The solution requires ensuring **CoA is properly configured and acknowledged** by the FortiGate, and crucially, configuring the **Non-Compliant Authorization Profile in ISE to send a specific Fortinet VSA** (e.g., `Fortinet-Group-Name`) instead of a standard ACL. The FortiGate can then map this received VSA to a local **Firewall User Group** with a restrictive policy.
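A FortiOS CLI sketch of the FortiGate side of that mapping, added here as an example; it is not from the original post or from Fortinet's documentation. It assumes a FortiOS 7.x FortiGate, an ISE PSN at the placeholder address 192.0.2.10, that the non-compliant authorization profile in ISE returns Fortinet-Group-Name = "ISE-NonCompliant" (Fortinet vendor ID 12356, attribute 1), and that the SSID, interface and address-object names are placeholders.

```fortios
# RADIUS server object pointing at ISE; radius-coa lets the CoA that ISE
# sends after a posture state change be honoured for the wireless session.
config user radius
    edit "ISE"
        set server "192.0.2.10"                # placeholder ISE PSN address
        set secret "REPLACE_WITH_SHARED_SECRET"
        set radius-coa enable
    next
end

# Local firewall user group matched on the Fortinet-Group-Name VSA
# (vendor 12356, attribute 1) returned by ISE, not on a Cisco dACL.
config user group
    edit "NonCompliant-Users"
        set member "ISE"
        config match
            edit 1
                set server-name "ISE"
                set group-name "ISE-NonCompliant"   # must equal the VSA value ISE sends
            next
        end
    next
end

# WPA2-Enterprise SSID served by the FortiGate-managed FortiAP, authenticating against ISE.
config wireless-controller vap
    edit "Corp-WiFi"
        set ssid "Corp-WiFi"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "ISE"
    next
end

# Restrictive policy for the non-compliant group: only DNS and HTTPS to the
# remediation servers; place it above the normal wireless-to-internal policy.
config firewall policy
    edit 0
        set name "NonCompliant-Remediation-Only"
        set srcintf "Corp-WiFi"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Remediation-Servers"      # placeholder address object
        set groups "NonCompliant-Users"
        set schedule "always"
        set service "DNS" "HTTPS"
        set action accept
    next
end
```

Everything else from that group falls to the implicit deny, so a compliant user must be returned a different Fortinet-Group-Name (or none) to hit the normal policy; verify the mapping with `diagnose firewall auth list` after a test client authenticates.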

Is there any reference link to implement this solution?

We have configured AD as the identity source on ISE for authentication.

Then how can we call the group from the FortiGate? Will it initiate authentication again?

Ben Weber
Level 1

As said further up in the thread, you need to import the Fortinet VSAs into ISE as a dictionary. You can find the VSAs here: Fortinet RADIUS vendor-specific attribute... - Fortinet Community

To quote the process of importing Fortinet VSAs into ISE from this post (all credits to original author): Solved: Fortigate authorization with ISE - Cisco Community

1) Navigate to Policy > Policy Elements > Dictionaries

2) In the Dictionaries left panel, choose System > RADIUS > RADIUS Vendors


3) You should see a list of RADIUS Vendors that does not include Fortinet

4) Select Import

5) Browse... for the Fortinet_VSAs.txt file then click the Import button and acknowledge the dialog to import the file. (Note: You will have to create this file or copy it from the linked post).

6) You should now see Fortinet in the RADIUS Vendors list, and all of the Fortinet attributes listed under the Dictionary Attributes tab.

- BW
Please rate posts if they have been helpful.