yuj_FTNT
Staff
December 10, 2025

Technical Guide: How to configure FortiNAC to assign VLANs based on MAC address

Description: This article describes how to configure FortiNAC to assign VLANs based on MAC address.
Scope: FortiNAC 9.4.x.
Solution:


Section 1. Enable RADIUS on the FortiNAC.

 

The authentication port in FortiNAC is set to 1645 and can be changed if required. Set the same port on the FortiGate side.

 


FortiGate RADIUS settings:

 

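config user radius
    edit "FortiNAC"
        set server [FortiNAC IP]
        set secret yourSecret
        set nas-ip [FortiGate IP]
        set radius-port 1645
        set require-message-authenticator disable
    next
end

The last setting, require-message-authenticator disable, means the FortiGate does not require a Message-Authenticator attribute in the RADIUS responses it receives from FortiNAC.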

 

Section 2. Create SSID on the FortiGate.

 

The 'WPA2 Personal' security mode requires users to enter a pre-shared key to connect to the Wi-Fi. Client MAC Address Filtering against the RADIUS server (FortiNAC in this case) then assigns a VLAN to each user's device based on its MAC address.

  1. Set the Security Mode to 'WPA2 Personal'.
  2. Choose the FortiNAC that was configured in the previous step as the RADIUS Server under Client MAC Address Filtering.
  3. Enable the 'Dynamic VLAN assignment' option.

 


Section 3. Allow SSID to connect to the FortiNAC RADIUS server.

 

  1. Double-click the SSID and choose the 'Local' RADIUS mode. 'Resync interfaces' may be required for the newly created SSID to be populated. Afterwards, select the 'update' button.
  2. Select the 'Virtualized Devices' tab, double-click the entry and set a RADIUS secret. This should match the secret configured on the FortiGate.

 


Section 4. Create a group that belongs to a VLAN.

 


Section 5. Create a User/Host Profile.

 

  1. Who/What by Group: Choose the group created in the previous step.
  2. Who/What by Attribute: Choose the 'MAB' RADIUS authentication type.

 


Section 6. Create Network Access Policy.

 

Use the tabs at the top right corner.

 

  1. Create Logical Network.
  2. Create Network Access Configuration.
  3. Create Network Access Policy.

 


Section 7. Assign VLANs.

 

  1. Go back to Inventory -> FortiGate -> SSID.
  2. Default RADIUS Attribute Group: RFC_Vlan.
  3. Assign Access Value (VLAN) accordingly.
  4. The Host State object was created when the 'Logical Network' was created in the previous step.
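
To confirm from a packet capture that an Access-Accept was built with the shared secret from Section 3 and carries the VLAN assigned in Section 7, the following added example (not part of the original article and not Fortinet code) parses an Access-Accept and reports the VLAN and whether a Message-Authenticator attribute is present. It assumes the RFC_Vlan attribute group sends the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID); the function names, the sample packet and VLAN 30 are constructed for illustration.

```python
import hashlib
import hmac
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM, MSG_AUTH, TUNNEL_PGID = 64, 65, 80, 81  # attribute types
ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)

def response_auth(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()

def parse_accept(packet, req_auth, secret):
    """Return (vlan, has_message_authenticator); raise ValueError on a bad packet."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = response_auth(code, ident, req_auth, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (check shared secret)")
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("bad attribute length")
        found[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    # Tunnel-Type 13 (VLAN) and Tunnel-Medium-Type 6 (IEEE-802) per RFC 3580;
    # the first value octet of each is the RFC 2868 tag.
    is_vlan = (found.get(TUNNEL_TYPE, b"")[1:] == b"\x00\x00\x0d"
               and found.get(TUNNEL_MEDIUM, b"")[1:] == b"\x00\x00\x06")
    pgid = found.get(TUNNEL_PGID, b"") if is_vlan else b""
    if pgid[:1] and pgid[0] <= 0x1F:  # optional leading tag octet
        pgid = pgid[1:]
    return pgid.decode("ascii") or None, MSG_AUTH in found

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

# Constructed sample (not captured traffic): ID 7 and VLAN "30" are made up.
SECRET, REQ_AUTH = b"yourSecret", bytes(range(16))
ATTRS = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
         + attr(TUNNEL_MEDIUM, b"\x00\x00\x00\x06") + attr(TUNNEL_PGID, b"30"))
SAMPLE = (struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(ATTRS))
          + response_auth(ACCESS_ACCEPT, 7, REQ_AUTH, ATTRS, SECRET) + ATTRS)

print(parse_accept(SAMPLE, REQ_AUTH, SECRET))
```

The Request Authenticator passed to parse_accept is the 16-byte authenticator field of the matching Access-Request (same Identifier) in the capture.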

 
