Technical Tip: How to send tagged voice VLAN to FortiSwitch via FortiNAC RADIUS attributes
| Description | This article describes how to assign a voice VLAN to IP phones when FortiSwitch is integrated with FortiNAC. |
| Scope | FortiNAC, FortiFone, and FortiSwitch. |
| Solution | To assign voice VLAN to IP phones connected to FortiSwitch when it is integrated with FortiNAC:
VLAN config on FortiGate:
```
config switch vlan
    edit 120
        set description "voicenac"   <-- VLAN description.
    next
end
```
The VLAN name/description is 'voicenac'. A '1' is prepended to it in the RADIUS AVP 'Egress-VLAN-Name', whose value has the form <tagged/untagged (1 or 2)><VLAN name string> (example: "1voicenac"), so that the FortiSwitch interprets it as a tagged VLAN.
Network policy and user/host profile used to authenticate the IP phone:
LLDP profile configured on FortiGate and assigned to FortiSwitch port2 (as shown in the above screenshot):
```
config switch-controller lldp-profile
    edit "voicefnaclldp"
        set med-tlvs inventory-management network-policy location-identification
        set auto-isl disable
        config med-network-policy
            edit "voice"
                set status enable
                set vlan-intf "voicenac"
                set assign-vlan enable
                set dscp 46
            next
        end
    next
end
```
This section is only needed if the phones are not statically set/tagged for the voice VLAN. For phones that are tagged or statically set to a voice VLAN, follow this KB article instead: Technical Tip: Send a tagged VLAN via RADIUS.
FortiNAC must first authenticate the device; otherwise the phone will not receive the LLDP profile.
FortiNAC must send the following three attributes in the Access-Accept packet:
```
Wed Aug 10 19:57:13 2022 : Debug: (8) Sent Access-Accept Id 8 from 192.168.x.x:1812 to 192.168.x.x:34708 length 0
Wed Aug 10 19:57:13 2022 : Debug: (8)   Tunnel-Type = VLAN
Wed Aug 10 19:57:13 2022 : Debug: (8)   Egress-VLAN-Name = "1voicenac"    <- VLAN 120, and 1 for tagged VLAN.
Wed Aug 10 19:57:13 2022 : Debug: (8)   Tunnel-Medium-Type = IEEE-802
Wed Aug 10 19:57:13 2022 : Debug: (8) Finished request
```
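As an added check that is not part of this article: a small Python script that reads FreeRADIUS-style debug output like the lines above and verifies that the Access-Accept carries the three required attributes, that the Egress-VLAN-Name prefix marks the VLAN as tagged, and that the VLAN name matches a VLAN description on the switch. The sample log text and the set of switch VLAN names are constructed for the example.

```python
import re

# RFC 4675 Egress-VLAN-Name: first character selects tagging, the rest is the VLAN name.
TAG_PREFIX = {"1": "tagged", "2": "untagged"}
REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type", "Egress-VLAN-Name")

# Constructed sample in the shape of the FreeRADIUS debug output above (not a real capture).
SAMPLE_LOG = """\
Wed Aug 10 19:57:13 2022 : Debug: (8) Sent Access-Accept Id 8 from 192.168.x.x:1812 to 192.168.x.x:34708 length 0
Wed Aug 10 19:57:13 2022 : Debug: (8)   Tunnel-Type = VLAN
Wed Aug 10 19:57:13 2022 : Debug: (8)   Egress-VLAN-Name = "1voicenac"
Wed Aug 10 19:57:13 2022 : Debug: (8)   Tunnel-Medium-Type = IEEE-802
Wed Aug 10 19:57:13 2022 : Debug: (8) Finished request
"""

# Matches '(<id>) <Attribute> = <value>' lines; the 'Sent ...' and 'Finished' lines have no '='.
ATTR_RE = re.compile(r'\((\d+)\)\s+([A-Za-z0-9-]+)\s*=\s*"?([^"]*?)"?\s*$')

def parse_accept_attrs(log_text):
    """Return {request_id: {attribute: value}} from the attribute lines of a debug log."""
    out = {}
    for line in log_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return out

def egress_vlan_name(value):
    """Split an Egress-VLAN-Name value into (tag mode, VLAN name); None if malformed."""
    if len(value) < 2 or value[0] not in TAG_PREFIX:
        return None
    return TAG_PREFIX[value[0]], value[1:]

def check_voice_accept(attrs, switch_vlan_names):
    """List what would stop a FortiSwitch applying a tagged voice VLAN; empty means OK."""
    problems = [f"missing {a}" for a in REQUIRED if a not in attrs]
    for attr, expected in (("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802")):
        if attrs.get(attr, expected) != expected:
            problems.append(f"{attr} must be {expected}")
    if "Egress-VLAN-Name" in attrs:
        parsed = egress_vlan_name(attrs["Egress-VLAN-Name"])
        if parsed is None:
            problems.append("Egress-VLAN-Name must start with '1' (tagged) or '2' (untagged)")
        else:
            mode, name = parsed
            if mode != "tagged":
                problems.append(f"VLAN '{name}' is sent untagged; use prefix '1' for a tagged voice VLAN")
            if name not in switch_vlan_names:
                problems.append(f"VLAN name '{name}' matches no VLAN description on the switch")
    return problems
```

Run `check_voice_accept(parse_accept_attrs(SAMPLE_LOG)["8"], {"voicenac"})` against your own debug output and the VLAN descriptions configured on the switch; an empty list means the Access-Accept is complete.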
The RADIUS Access-Request is always sent by the FortiSwitch itself, even when the switch is managed by a FortiGate, so make sure RADIUS traffic is allowed between the FortiSwitch and FortiNAC.
FortiSwitch 802.1x status:
```
S108 # diagnose switch 802-1x status port2
port2 : Mode: mac-based (mac-by-pass enable)
    Link: Link up
    Port State: authorized: ( )
    Dynamic Allowed Vlan list: 120    <---- Assigned by FortiNAC via 'Egress-VLAN-Name' attribute (example: Egress-VLAN-Name = "1voicenac")
    Dynamic Untagged Vlan list: 188   <---- Assigned by FortiNAC via 'Egress-VLAN-Name' attribute (example: Egress-VLAN-Name = "2vlan188") or via (Tunnel-Private-Group-Id = 188).
    EAP pass-through : Enable
    EAP egress-frame-tagged : Enable
    EAP auto-untagged-vlans : Enable
    Allow MAC Move : Disable
    Dynamic Access Control List : Disable
    Quarantine VLAN (4093) detection : Enable
    Native Vlan : 50                  <----- Native VLAN is not changed via RADIUS
    Allowed Vlan list: 120,120,188    <----- VLAN 120 is assigned by FortiNAC, while 120 is assigned by the LLDP profile.
    Untagged Vlan list: 188
    Guest VLAN :
    Auth-Fail Vlan :
    AuthServer-Timeout Vlan :

    Switch sessions 1/80, Local port sessions:1/20
    Client MAC          Type   Traffic-Vlan   Dynamic-Vlan
    80:5e:c0:xx:xx:xx   MAB    120            0             <----- LLDP voice profile applied VLAN 120.
    Sessions info:
    80:5e:c0:xx:xx:xx  Type=MAB,,state=AUTHENTICATED,etime=3,eap_cnt=0 params:reAuth=3600
```
If FortiNAC does not register the IP phone (meaning the phone remains Rogue), the switch will NOT apply any LLDP profile.
VOIP phones getting IPs from native VLAN instead of voice VLAN in FortiSwitch |