FortiGate
bkrempel, Staff
Article Id 331087
Description

This article describes how to configure NAC Policies using user groups to control wireless network access.

Scope

Wireless network scenario that has two VLANs, one for Guests and one for Corporate.

Solution

Access control for wireless networks via NAC (Network Access Control) can be configured so that users are automatically moved between VLANs once they meet the NAC policy criteria. When user groups are used as the criteria, the match is made against local users defined on the FortiGate or against users authenticated via LDAP.

 

Consider the following scenario:

VLAN10 - VLAN interface for Guest access.
VLAN20 - VLAN interface for Corporate access.


1. Create the VAP SSID:

Via GUI in Wi-Fi Controller -> SSIDs -> Create New -> SSID.

Via CLI:

config wireless-controller vap
    edit "Wifi_Fortinet"
        set ssid "Fortinet"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "Users_Wifi_Corp" "Users_Wifi_Guest"
        set schedule "always"
    next
end

Note: To perform access control by user groups via NAC, it is necessary to configure authentication via 'wpa2-only-enterprise'.

 

2. Create two VLAN interfaces under the VAP 'Wifi_Fortinet':

Via GUI in Network -> Interfaces -> Create New -> Interface.

Via CLI:

config system interface
    edit "VLAN10"
        set vdom "root"
        set ip 10.20.0.254 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 16
        set ip-managed-by-fortiipam disable
        set interface "wqtn.13.Wifi_Fo"
        set vlanid 10
    next
    edit "VLAN20"
        set vdom "root"
        set ip 10.30.0.254 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 17
        set ip-managed-by-fortiipam disable
        set interface "wqtn.13.Wifi_Fo"
        set vlanid 20
    next
end


3. Create a NAC Profile with the VLAN interface for Guest access:

Via CLI:

config wireless-controller nac-profile
    edit "NAC_Profile"
        set onboarding-vlan "VLAN10"
    next
end


4. Enable the NAC profile on the SSID:

Via GUI, in Wi-Fi Controller -> SSIDs -> Create New -> SSID -> Edit -> NAC Profile -> Enable.

Via CLI:

config wireless-controller vap
    edit "Wifi_Fortinet"
        set nac enable
        set nac-profile "NAC_Profile"
    next
end


5. Create an SSID policy with the VLAN interface for Corporate access:

Via CLI:

config wireless-controller ssid-policy
    edit "Wifi_SSID_Policy"
        set vlan "VLAN20"
    next
end


6. Create a NAC policy that matches the Corporate user group and applies the SSID policy (this is the group that the diagnostic output below shows being moved to VLAN20; Guest users do not match and stay on the onboarding VLAN):

Via CLI:

config user nac-policy
    edit "NAC_Policy"
        set category firewall-user
        set user-group "Users_Wifi_Corp"
        set ssid-policy "Wifi_SSID_Policy"
    next
end


Troubleshooting:

To check the logs of the first authentication through the onboarding VLAN and how the NAC switches VLANs, use the debug below:

diagnose debug reset
diagnose debug console timestamp enable
diagnose wireless-controller wlac sta_filter clear
diagnose wireless-controller wlac sta_filter <Device MAC address> 255
diagnose debug enable


This debug shows the FortiGate's DHCP exchange with the station, including the moment when the FortiGate sends a 'DHCP Offer' with an IP address from the new Corporate VLAN after NAC has performed the VLAN change.

 

Example:

First authentication:

73223.719 a4:63:a1:6e:c5:f3 <dc> DHCP Discover server 0.0.0.0 <== host wks-test mac a4:63:a1:6e:c5:f3 ip 0.0.0.0xId 9010463f
73224.736 a4:63:a1:6e:c5:f3 <dc> DHCP Offer server 10.20.0.254 ==> host  mac a4:63:a1:6e:c5:f3 ip 10.20.0.3 mask 255.255.255.0 gw 10.20.0.254 xId 9010463f

Second authentication:

73320.831 a4:63:a1:6e:c5:f3 <dc> DHCP Discover server 0.0.0.0 <== host wks-test mac a4:63:a1:6e:c5:f3 ip 0.0.0.0xId 2881452e
73321.847 a4:63:a1:6e:c5:f3 <dc> DHCP Offer server 10.30.0.254 ==> host  mac a4:63:a1:6e:c5:f3 ip 10.30.0.3 mask 255.255.255.0 gw 10.30.0.254 xId 2881452e


  • To check which VLAN is being used in the first or second authentication, use:

diagnose wireless-controller wlac -d sta online

Example:

vf=0 wtp=12 rId=2 wlan=Fortinet vlan_id=20 ip=10.30.0.3 ip6=fe80::7545:95b7:9e45:1f80 mac=a4:63:a1:6e:c5:f3 vci=MSFT 5.0 host=wks-test user=user_wifi group=Users_Wifi_Corp signal=-59 noise=-95 idle=0 bw=4 use=6 chan=149 radio_type=11AC(wave2) security=wpa2_enterprise mpsk= encrypt=none cp_authed=no l3r=1,0 0.0.0.0:0 -- 0.0.0.0:0 0,0 online=yes mimo=1

 

  • To check whether the device matches the NAC policy, use:

diagnose wireless-controller wlac_hlp -c sta-nac

Example:

STA (001/001) vfid,mac: 0, a4:63:a1:6e:c5:f3
    ip                    : 10.30.0.3
    wlan                  : Fortinet(tunnel)
    vlan-id(oper/dflt)    : 20/10
    matched nac-policy    : NAC_Policy
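As an added example (not part of the original article or of FortiOS), the following Python script parses the 'sta online' output and the DHCP debug lines shown above, reports the sequence of VLANs each station was offered a lease on, and flags any station whose operational VLAN does not match the VLAN expected for its user group. The group-to-VLAN mapping, the second (guest) station line, and the function names are assumptions for this scenario.

```python
import re
from collections import defaultdict

# Expected VLAN per user group in this scenario (assumed mapping): Guest stays
# on the onboarding VLAN10, Corporate is moved to VLAN20 by the NAC policy.
EXPECTED_VLAN = {"Users_Wifi_Guest": 10, "Users_Wifi_Corp": 20}
# DHCP server address of each VLAN, taken from the interface config above.
VLAN_BY_SERVER = {"10.20.0.254": 10, "10.30.0.254": 20}

# Constructed sample input: the two DHCP Offer lines from the article's debug
# output, plus one invented guest station that ended up on the Corporate VLAN.
SAMPLE_DEBUG = [
    "73224.736 a4:63:a1:6e:c5:f3 <dc> DHCP Offer server 10.20.0.254 ==> host  mac a4:63:a1:6e:c5:f3 ip 10.20.0.3 mask 255.255.255.0 gw 10.20.0.254 xId 9010463f",
    "73321.847 a4:63:a1:6e:c5:f3 <dc> DHCP Offer server 10.30.0.254 ==> host  mac a4:63:a1:6e:c5:f3 ip 10.30.0.3 mask 255.255.255.0 gw 10.30.0.254 xId 2881452e",
]
SAMPLE_STA = [
    "vf=0 wtp=12 rId=2 wlan=Fortinet vlan_id=20 ip=10.30.0.3 mac=a4:63:a1:6e:c5:f3 vci=MSFT 5.0 host=wks-test user=user_wifi group=Users_Wifi_Corp mpsk= online=yes",
    "vf=0 wtp=12 rId=2 wlan=Fortinet vlan_id=20 ip=10.30.0.4 mac=00:11:22:33:44:55 vci=MSFT 5.0 host=guest-pc user=guest1 group=Users_Wifi_Guest mpsk= online=yes",
]

DHCP_OFFER = re.compile(r"^\S+\s+(?P<sta>[0-9a-f:]{17}) <dc> DHCP Offer server (?P<srv>[\d.]+)")

def parse_sta_online(line):
    """Parse one 'wlac -d sta online' line into a dict. Values may contain
    spaces ('vci=MSFT 5.0') or be empty ('mpsk='), so split on the keys."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}

def check_station(fields):
    """Return (mac, status): 'ok' if the operational VLAN matches the group's
    expected VLAN, 'mismatch' if not, 'unknown-group' for unmapped groups."""
    mac = fields.get("mac", "?")
    expected = EXPECTED_VLAN.get(fields.get("group"))
    if expected is None:
        return mac, "unknown-group"
    return mac, "ok" if int(fields.get("vlan_id", -1)) == expected else "mismatch"

def audit(sta_lines):
    return [check_station(parse_sta_online(line)) for line in sta_lines]

def vlan_history(debug_lines):
    """Map each station MAC to the ordered VLANs whose DHCP server offered it a
    lease, so the Guest-to-Corporate move appears as [10, 20]."""
    hist = defaultdict(list)
    for line in debug_lines:
        m = DHCP_OFFER.match(line)
        if m:
            hist[m.group("sta")].append(VLAN_BY_SERVER.get(m.group("srv"), 0))
    return dict(hist)
```

A 'mismatch' for a group that should stay on the onboarding VLAN points at the NAC policy's user-group or SSID policy, while a station that never appears with a second VLAN in the history has not matched any NAC policy.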