Skip to main content
tmcgov62
Staff
tmcgov62
Staff
November 19, 2024
Question

FortiNAC and Dynamic VLAN assignment for WPA2 Personal SSIDs

  • November 19, 2024
  • 1 reply
  • 2555 views

I have IOT devices that can only connect to an SSID using a PSK so using WPA2 Personal. I'm trying create NAC profile rule/access policy to move them to a different vlan on that SSID (Tunnel mode). I have two sub-interfaces under the SSID for dynamic assignment.

Config #1 - My FortiAP SSID config is WPA2 personal with NO RADIUS server defined. On NAC, the connected device is properly profiled, hits the correct Profile/Policy with the desired new VLAN. However, the vlan on the SSID is not changed. 

 

Config #2 - My FortiAP SSID config is WPA2 personal AND I assign the NAC Radius server and select "Dynamic VLAN Assignment". With this config, I can no longer even connect to the AP. I get the error message like "STA denied by Radius based MAC authentication". Here's a config snippet.

 

config wireless-controller vap
edit "iot_devices"
set ssid "iot"
set broadcast-ssid enable
set security wpa2-only-personal
set radius-mac-auth enable
set radius-mac-auth-server "fnac_radius"
set radius-mac-auth-block-interval 0
set dynamic-vlan enable

 

Maybe I'm missing some kind of MAB config on the AP or NAC.

 

Any ideas ?

 

 

1 reply

Hatibi
Staff & Editor
Hatibi
Staff & Editor
November 19, 2024

Is FortiNAC responding with Access-Reject to the authentication attempts sent?

Check if the "Registration" Logical network in the SSID model in FortiNAC is enforced and has a Access Value. If that is left to "Deny", FortiNAC will reject any rogue connections.

 

https://docs.fortinet.com/document/fortinac-f/7.6.0/administration-guide/151724/model-configuration

 

Access Enforcement

This set of drop-down menus works in conjunction with the Host States listed above to determine treatment for hosts when no VLAN/Role value is supplied or when access control is being enforced. Options include:

  • Deny: Host will be denied access to the network when it is in this state. For example, if the host is not registered and Registration is set to Deny, the host connection will be rejected.
tmcgov62
Staff
tmcgov62Author
Staff
November 21, 2024

@Hatibi - thanks for the help

I have have corrected the Radius issue, but running into a different issue now.

 

The goal is connect to tunnel mode ssid.

The main ssid interface is where the device connects initially and will be assigned a DHCP address.

There is a sub interface off the main interface.

If the device passes the DPR, it should be assigned to the vlan of the sub-interface and it gets a new IP.

The host connects to the wifi, passed the DPR and hits the correct access policy. The access value/vlan shows the correct VLAN_215 but it does not get changed.

 

Attached is the ssid model config.

 

any ideas ?

 

 

Hatibi
Staff & Editor
Hatibi
Staff & Editor
November 22, 2024

Hello tmcgov62,

 

in the SSID model config i would suggest to you to make these changes:

 

1. Add "RFC VLAN" in the default Radius attribute group.

2. Set a VLAN for "Default" logical network.

3. Enforce "Registration" and set an Access VLAN.

 

The host in this case will automatically register through 802.1x that you have enabled in the SSID model config. So no need for DPR in this case.

 

Once the host registers and it matches the correct policy, FortiNAC will send a "Disconnect Request" in order to terminate the session and trigger a new auth request in order to assign the new VLAN.

 

In order to verify this part you can run tcpdump in FortiNAC cli and filter for port 3799. 

 

FortiNAC-F cli command:

 

execute tcpdump -i any host X.X.X.X and port 3799 -v  <---- Replace X.X.X.X with the WLC IP.

 

You should see a Disconnect Request sent from FortiNAC and the WLC should acknowledge it by responding with Disconnect ACK

Terms & ConditionsAccessibility statement