Isolate unknown devices
When any device connects to the network, FortiNAC checks whether it is registered. Registered devices are allowed to access the production network. Unregistered or unknown devices are placed in an isolation VLAN. Some configuration is required to isolate unknown devices.
VLANs
Make sure that you have at least one isolation VLAN where unknown devices can be placed until they are registered. Typically this is called the Registration VLAN. The condition for being placed in the Registration VLAN is that the device be unknown.
VLANs should also be configured on each switch or controller. VLANs should be read from the switches and included in the model configuration for each switch. See Network access/VLANs and Model configuration.
Forced registration group
Ports that will be used to access your network should be placed in the Forced Registration Group. Placing ports in the Forced Registration Group indicates to FortiNAC that unregistered devices connecting on those ports must be placed in the Registration VLAN, where they are isolated until they are registered. For instructions on placing ports in this group