Need to configure restriction for non-compliant wireless users in ISE

ravina-gurav
Level 1

We have a FortiGate WLC for wireless users.

After posture scanning, if the user is non-compliant we are unable to restrict access; the user is getting full access.

We tried pushing an ACL from ISE, but the restriction is still not working.

Wireless users connect through a FortiAP.

Is there any solution so we can configure a restriction for non-compliant users, as the FortiGate is the NAD device for the user?

5 Replies

I've never done it before, so please bear with me. It seems you could do it using the RADIUS "NAS-Filter-Rule" attribute, as it states here:

Solved: ISE issue :i cannot input any value on Radius:NAS-Filter-Rule - Cisco Community

FortiWiFi and FortiAP Configuration Guide

https://cs.co/ise-berg#fortinet

How is the FortiAP managed? You should pass a User Group attribute if managed by a FortiGate instead.

Managed by FortiGate.

I am using AD for user authentication.

No one should be using MS-CHAPv2 in 2025. It relies on broken encryption. Are you disabling Credential Guard?

mary58wilson
Level 1

@ravina-gurav wrote:

> We have a FortiGate WLC for wireless users.
>
> After posture scanning, if the user is non-compliant we are unable to restrict access; the user is getting full access.
>
> We tried pushing an ACL from ISE, but the restriction is still not working.
>
> Wireless users connect through a FortiAP.
>
> Is there any solution so we can configure a restriction for non-compliant users, as the FortiGate is the NAD device for the user?


The failure to enforce restrictions on non-compliant users via your FortiGate WLC (acting as the NAD) with Cisco ISE is likely due to a **Vendor-Specific Attribute (VSA) or Change of Authorization (CoA) mismatch**. The FortiGate is likely ignoring the ACL pushed by ISE because it doesn't understand the format. The solution requires ensuring **CoA is properly configured and acknowledged** by the FortiGate, and crucially, configuring the **Non-Compliant Authorization Profile in ISE to send a specific Fortinet VSA** (e.g., `Fortinet-Group-Name`) instead of a standard ACL. The FortiGate can then map this received VSA to a local **Firewall User Group** with a restrictive policy.
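The VSA-to-group mapping described in the reply above, written out as a FortiOS CLI fragment. This is an added illustration, not configuration from the thread, from Fortinet or from Cisco; the ISE address, shared secret, SSID and interface names, address objects and the group strings `NonCompliant` / `Compliant` are placeholders, and `set radius-coa enable` should be checked against the FortiOS release in use. The `#` lines are annotations for the reader and are not accepted by the FortiOS CLI, so strip them before pasting. On the ISE side the assumption is that the non-compliant posture authorization profile returns `Fortinet-Group-Name = NonCompliant` and the compliant profile returns `Fortinet-Group-Name = Compliant`, with a CoA reauthentication issued when the posture state changes.

```text
# RADIUS server object for ISE; CoA must be accepted so the posture
# result can trigger a reauthentication and a new group assignment.
config user radius
    edit "ISE"
        set server "192.0.2.10"
        set secret "REPLACE-WITH-SHARED-SECRET"
        set radius-coa enable
        set acct-interim-interval 600
    next
end

# Firewall user groups populated from the Fortinet-Group-Name VSA in the
# Access-Accept. The group-name string must match the VSA value byte for byte.
config user group
    edit "ISE-NonCompliant"
        set member "ISE"
        config match
            edit 1
                set server-name "ISE"
                set group-name "NonCompliant"
            next
        end
    next
    edit "ISE-Compliant"
        set member "ISE"
        config match
            edit 1
                set server-name "ISE"
                set group-name "Compliant"
            next
        end
    next
end

# SSID broadcast by the FortiAP, authenticating against ISE with 802.1X.
config wireless-controller vap
    edit "corp-wifi"
        set ssid "corp-wifi"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "ISE"
    next
end

# Quarantine policies sit above the full-access policy. Non-compliant users
# may reach only the ISE PSN and remediation servers; all other traffic is
# denied and logged. "ISE-PSN" and "Remediation-Servers" are address objects.
config firewall policy
    edit 10
        set name "Quarantine-Remediation-Only"
        set srcintf "corp-wifi"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "ISE-PSN" "Remediation-Servers"
        set groups "ISE-NonCompliant"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 11
        set name "Quarantine-Deny-Everything-Else"
        set srcintf "corp-wifi"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "ISE-NonCompliant"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 12
        set name "Compliant-Full-Access"
        set srcintf "corp-wifi"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "ISE-Compliant"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The sequence this relies on is: the first Access-Accept (posture unknown) carries `NonCompliant`, the FortiGate places the user in `ISE-NonCompliant` and policies 10 and 11 apply; once the posture agent reports compliance, ISE sends a CoA, the client reauthenticates, the new Access-Accept carries `Compliant`, and policy 12 takes over. Policy 10 must always permit the ISE PSN, otherwise the agent cannot report and the user never leaves quarantine. After a client connects, `diagnose firewall auth list` on the FortiGate shows the authenticated user and the group it landed in; an empty group means the VSA was not returned or the string did not match, which is the same symptom as an ACL the FortiGate ignores.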