doncacciatoconsuting
Explorer II
February 4, 2025
Solved

FortiNAC - firewall tags not sent for Wifi connection

  • February 4, 2025
  • 1 reply
  • 945 views

Fortinac is configured to send firewall tags to my gate. Communication is working fine. For wired switchports in Role Based Access mode, the tags are being properly sent when the Network Access Policy is matched. 


However, I can't seem to get it working for wifi. Although the correct NAC policy is hit, logical network is assigned, and VLAN is changed, I still get:

Looking up LogicalNetworkConfiguration for LogicalNetwork prod-wifi
Using SSID Name:root:corp_wifi, id: 439
Returning LogicalNetworkConfiguration: AccessConfiguration
- Task ID:[null]
- Network:[prod-wifi]
- Access Value:[VLAN_230]
- Access Action:[2]
- Alias:[false]
- Send Groups To Firewall:[false]
- RadiusAttributeGroupId:[1]
- Version:[9]
- Tags: []
- Firewall Groups: []


One thing I noticed is there really isn't a config for applying RBAC to a Wifi SSID. Could this be the issue?


Best answer by ebilcari

I did some tests in a lab (9.4.7) and found out that the Tag is sent even when the SSID is configured with 'Use Custom Settings' and the Tags field is empty in the Policy Details. This may be treated as a cosmetic issue and should not prevent the tag from being sent to the FGT.

[screenshot: tagsi.PNG]


GW # diagnose firewall dynamic list
List all dynamic addresses:
IP dynamic addresses in VDOM root(vfid: 0):
FNVXCATM0000000_Guesta: ID(43)
ADDR(10.5.60.51)
Total IP dynamic range blocks: 0.
Total IP dynamic addresses: 1.
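The accepted answer's point, that Policy Details can show `Tags: []` while the FortiGate has already received the tag, is easy to check mechanically instead of by eye. The Python below is an added example, not code from the thread or from any Fortinet tool. It parses the two outputs pasted above (the FortiNAC Policy Details block and the FortiGate `diagnose firewall dynamic list` output), embedded here as constructed strings with one extra dynamic address added to exercise the parser, and classifies the situation for a given endpoint IP. It assumes the FortiGate dynamic-address name has the form `<FortiNAC serial>_<tag>`, as in the sample `FNVXCATM0000000_Guesta`; `check_host` and `expected_tag` are names of this example's own.

```python
import re

# Constructed sample: the FortiNAC Policy Details block from the original post.
FORTINAC_POLICY_DETAILS = """\
Looking up LogicalNetworkConfiguration for LogicalNetwork prod-wifi
Using SSID Name:root:corp_wifi, id: 439
Returning LogicalNetworkConfiguration: AccessConfiguration
- Task ID:[null]
- Network:[prod-wifi]
- Access Value:[VLAN_230]
- Access Action:[2]
- Alias:[false]
- Send Groups To Firewall:[false]
- RadiusAttributeGroupId:[1]
- Version:[9]
- Tags: []
- Firewall Groups: []
"""

# Constructed sample: FortiGate output in the shape shown in the accepted answer,
# plus a second (made-up) dynamic address with two members.
FORTIGATE_DYNAMIC_LIST = """\
List all dynamic addresses:
IP dynamic addresses in VDOM root(vfid: 0):
FNVXCATM0000000_Guesta: ID(43)
ADDR(10.5.60.51)
FNVXCATM0000000_Corp: ID(44)
ADDR(10.5.30.10)
ADDR(10.5.30.11)
Total IP dynamic range blocks: 0.
Total IP dynamic addresses: 3.
"""

POLICY_FIELD = re.compile(r"^- ([^:]+):\s*\[(.*)\]\s*$")   # "- Key:[value]"
DYN_ENTRY = re.compile(r"^(\S+): ID\((\d+)\)$")            # "<name>: ID(<n>)"
DYN_ADDR = re.compile(r"^ADDR\(([0-9.]+)\)$")               # "ADDR(<ip>)"


def parse_policy_details(text):
    """Return the '- Key:[value]' fields of a Policy Details block as a dict."""
    fields = {}
    for line in text.splitlines():
        m = POLICY_FIELD.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def policy_tags(text):
    """Tags FortiNAC reports it will send; '[]' yields an empty list."""
    raw = parse_policy_details(text).get("Tags", "")
    return [t.strip() for t in raw.split(",") if t.strip()]


def parse_dynamic_list(text):
    """Map each FortiGate dynamic address name to the IPs currently in it."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = DYN_ENTRY.match(line)
        if m:
            current = m.group(1)
            entries[current] = []
            continue
        m = DYN_ADDR.match(line)
        if m and current is not None:
            entries[current].append(m.group(1))
    return entries


def gate_tags_for_ip(entries, ip):
    """Tag names holding this IP; the '<serial>_<tag>' split is an assumption."""
    return [name.split("_", 1)[1] if "_" in name else name
            for name, addrs in entries.items() if ip in addrs]


def check_host(policy_text, gate_text, ip, expected_tag):
    """Classify one endpoint: 'consistent', 'cosmetic' (tag live on the
    FortiGate but absent from Policy Details) or 'missing' (never received)."""
    ptags = policy_tags(policy_text)
    gtags = gate_tags_for_ip(parse_dynamic_list(gate_text), ip)
    if expected_tag in gtags and expected_tag in ptags:
        verdict = "consistent"
    elif expected_tag in gtags:
        verdict = "cosmetic"
    else:
        verdict = "missing"
    return {"policy_tags": ptags, "gate_tags": gtags, "verdict": verdict}


if __name__ == "__main__":
    print(check_host(FORTINAC_POLICY_DETAILS, FORTIGATE_DYNAMIC_LIST,
                     "10.5.60.51", "Guesta"))
```

Only the `missing` verdict means the FortiGate really never got the tag; that is the case where the first reply's advice applies (a firewall tag on the Logical Network, and the SSID inheriting policies from the Virtual Device). A `cosmetic` result is the situation both participants ended up seeing.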

1 reply

ebilcari
Staff
February 4, 2025

You can try to configure the SSID to inherit the policies from the Virtual Device as shown below:

[screenshot: inherit.PNG]


and make sure that a Firewall tag is configured for that logical network.

Emirjon
doncacciatoconsuting
Explorer II
February 6, 2025

@ebilcari - You are correct. On FortiNAC version 7.2.8 I see the same thing. Policy Details says no tags are being sent, but on the Gate it shows the tag and IP address. Thanks!