Technical Tip: Guest users have access to the internal network
Description
FortiNAC, FortiNAC-F.
Solution
- Create a User/Host Profile that matches the following criteria:
  - Location = L2 Wired Switches (assuming this group covers all access switches).
  - User or host Role/Security Access Value = Guest role value.
Figure 1. Create a User/Host Profile to match guests connecting to L2 switches.
- Create a Network Access Configuration for the Dead End or Guest VLAN.
Figure 2. Logical network configuration on the L2 Switch.
- Create a Network Access Policy using the User/Host Profile and the Network Access Configuration.
- Set the new policy's rank to 1 (top of the list).
- Place the ports to be enforced in a port group and add that group to Role Based Access.
- Place the L2 switch in the 'Physical Address Filtering' group.
When a guest connects to any of the enforced ports of the L2 switch and the host matches this policy, FortiNAC changes the port's VLAN to the 'Dead End' VLAN.
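The evaluation these steps rely on, first match in rank order over enforced ports only, is modelled below as an added Python example; it is not FortiNAC code, and the class names, the pre-existing 'Wired users' policy and the Production/Corporate VLAN names are constructed for illustration. It shows why the new policy must sit at rank 1: a broader policy above it would match guests first.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Connection:
    """Constructed view of a host connecting to a switch port."""
    location: str        # switch group the port's switch belongs to
    role: str            # user/host Role / Security Access Value
    port_enforced: bool  # port is in the group added to Role Based Access

@dataclass(frozen=True)
class UserHostProfile:
    location: str = "*"  # "*" matches any location
    role: str = "*"      # "*" matches any role

    def matches(self, c: Connection) -> bool:
        return self.location in ("*", c.location) and self.role in ("*", c.role)

@dataclass(frozen=True)
class NetworkAccessPolicy:
    name: str
    rank: int                 # 1 = evaluated first
    profile: UserHostProfile
    vlan: str                 # Network Access Configuration (logical network)

def assign_vlan(policies, c: Connection, default_vlan: str = "Production"):
    """Return (policy name, VLAN); unenforced ports are left alone, else first match by rank wins."""
    if not c.port_enforced:
        return None, default_vlan
    for p in sorted(policies, key=lambda p: p.rank):
        if p.profile.matches(c):
            return p.name, p.vlan
    return None, default_vlan

def set_rank(policies, name: str, new_rank: int):
    """Move the named policy to new_rank (1 = top) and renumber the rest."""
    ordered = sorted(policies, key=lambda p: p.rank)
    moved = next(p for p in ordered if p.name == name)
    ordered.remove(moved)
    ordered.insert(new_rank - 1, moved)
    return [NetworkAccessPolicy(p.name, i, p.profile, p.vlan)
            for i, p in enumerate(ordered, 1)]

# Constructed policy set: a broad hypothetical pre-existing policy plus the new guest policy, created at the bottom.
L2_WIRED = "L2 Wired Switches"
POLICIES = [
    NetworkAccessPolicy("Wired users", 1, UserHostProfile(location=L2_WIRED), "Corporate"),
    NetworkAccessPolicy("Guests to Dead End", 2, UserHostProfile(L2_WIRED, "Guest"), "DeadEnd"),
]
GUEST = Connection(L2_WIRED, "Guest", port_enforced=True)
```

Calling `assign_vlan(POLICIES, GUEST)` returns the Corporate VLAN because the broader policy shadows the guest one; after `set_rank(POLICIES, "Guests to Dead End", 1)` the same guest lands in DeadEnd.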
Related documents:
Model Configuration of Network Inventory devices
Technical Tip: 'State based Control' concept and VLAN changes
