JoergChmiel
New Member
August 9, 2021
Question

MAC Address based VLAN assignment via NAC


I am currently trying to achieve the following use case: using my FortiGate, FortiSwitch and FortiAP, I want to assign VLANs based on the MAC addresses of clients. In detail: all unknown devices should automatically be moved to a specific VLAN, and known devices, based on their MAC address, to a different VLAN. Using NAC I can assign a SINGLE MAC to accomplish this, but I don't get how I use a BATCH of MAC addresses to create a single NAC policy. It would be crazy to assign a unique NAC rule for every single MAC address. Can someone help me with this?

    1 reply

    ozkanaltas
    Valued Contributor III
    December 8, 2023

    I think there is no option other than NAC policies. If you want to use a MAC-based dynamic VLAN, you should do this.

     

    But I think you can use the CLI configuration to create NAC policies in batch. For example:

     

    # One "user nac-policy" entry per known device: each entry matches a single
    # MAC and references the switch mac-policy object that carries the VLAN.
    config user nac-policy
        edit "nacpolicy-John"
            set mac "xx:xx:xx:xx:xx:xx"
            set switch-fortilink "fortilink"
            set switch-mac-policy "nacpolicy-Vlan100"
        next
        edit "nacpolicy-Alice"
            set mac "xx:xx:xx:xx:xx:xx"
            set switch-fortilink "fortilink"
            set switch-mac-policy "nacpolicy-Vlan100"
        next
    end

     

    But if it is possible, you can use username and password authentication for users. You can authenticate a user with their username and password. Also, if you use this, you can use the user group in the NAC policy. In this way, you can handle all users with two policies. In my opinion, this is the best option for dynamic VLAN mapping.
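The reply above shows the CLI shape of a per-device NAC policy but not how to produce dozens of them from an inventory. The following generator is an added example, not code from the forum post or from Fortinet: it reads a constructed name,mac CSV, normalizes each MAC to the lowercase colon-separated form shown in the reply, rejects malformed, multicast/broadcast and duplicate MACs (a duplicate would create two policies that match the same device), and emits a `config user nac-policy` block referencing the same `fortilink` interface and `nacpolicy-Vlan100` mac-policy as the reply. The sample inventory, the name character restriction and the `nacpolicy-` prefix are assumptions made for the example; the mac-policy object is assumed to already exist on the FortiGate.

```python
"""Generate FortiOS 'config user nac-policy' entries from a MAC inventory.

Added example (not from the forum post). Assumes the FortiLink interface
"fortilink" and the mac-policy "nacpolicy-Vlan100" already exist, as in
the reply this example accompanies.
"""
import csv
import io
import re

# Constructed sample inventory (name,mac). Mixed separators and case on
# purpose, plus one malformed entry and one duplicate to exercise validation.
SAMPLE_INVENTORY = """name,mac
John,00:11:22:AA:BB:CC
Alice,00-11-22-aa-bb-dd
Printer-1,001122aabbee
Broken,00:11:22:AA:BB
Alice-2,00:11:22:aa:bb:dd
"""

MAC_RE = re.compile(r"^[0-9a-f]{12}$")
# Assumed restriction: keep policy names to characters that need no quoting
# or escaping in the FortiOS CLI.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,40}$")


def normalize_mac(raw):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or None if unusable."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if not MAC_RE.match(hexdigits):
        return None
    # Bit 0 of the first octet set means multicast/broadcast: never a
    # client's unicast MAC, so refuse it rather than create a useless policy.
    if int(hexdigits[0:2], 16) & 1:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_inventory(text):
    """Parse CSV text into (name, mac) pairs. Returns (entries, rejected)."""
    entries, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(text)):
        name, raw = row["name"].strip(), row["mac"].strip()
        mac = normalize_mac(raw)
        if mac is None or not NAME_RE.match(name):
            rejected.append((name, raw, "malformed"))
            continue
        if mac in seen:
            rejected.append((name, raw, "duplicate"))
            continue
        seen.add(mac)
        entries.append((name, mac))
    return entries, rejected


def render_nac_policies(entries, fortilink="fortilink",
                        mac_policy="nacpolicy-Vlan100", prefix="nacpolicy-"):
    """Render one 'edit' stanza per entry, mirroring the reply's CLI layout."""
    lines = ["config user nac-policy"]
    for name, mac in entries:
        lines += [
            f'    edit "{prefix}{name}"',
            f'        set mac "{mac}"',
            f'        set switch-fortilink "{fortilink}"',
            f'        set switch-mac-policy "{mac_policy}"',
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries, rejected = parse_inventory(SAMPLE_INVENTORY)
    for name, raw, why in rejected:
        print(f"# skipped {name} ({raw}): {why}")
    print(render_nac_policies(entries), end="")
```

Paste the output into the FortiGate CLI, or feed it through whatever configuration push you already use. Keep in mind that a MAC address is an identifier, not a credential: it is trivially spoofed, so the "known device" VLAN should be treated as a convenience for inventory devices, not as an authenticated zone, which is why the reply's preference for user credentials where possible is sound.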