Created on 08-02-2024 06:02 AM Edited on 09-25-2024 01:40 PM By Jean-Philippe_P
This article describes a simplified example of how to set up FortiNAC in a network and how to handle IP addressing and configuration on the FortiGate. It is a continuation of the article Technical Tip: An example of a simple network deployment of FortiNAC with FortiGate/FortiSwitch and covers a simple scenario for guest self-registration over a tunnel-mode SSID.
FortiNAC and FortiGate/FortiAP (VLAN assignment via RADIUS MAC authentication).
Below is an example of deploying FortiNAC as L3 Routed (the recommended and most common deployment type):
More details and requirements for this network topology can be found in Technical Tip: An example of a simple network deployment of FortiNAC with FortiGate/FortiSwitch. Remember to allow the needed services (DHCP, DNS, HTTP/S) in the interface-level configuration of port2, as shown below (FortiNAC CLI):
config system interface
    edit port2
        set allowaccess dhcp dns http https nac-agent ping
    next
end
FortiNAC can apply these network configurations when following the ConfigWizard:
In this example a FortiSwitch connects the FortiAP, but the same steps apply to a switch from another vendor. A tunnel-mode SSID is recommended because client traffic is carried inside the CAPWAP tunnel to the FortiGate, so the isolation and guest VLANs only need to exist on the FortiGate and do not have to be spanned and managed through the switches.
These configurations are described in the FortiNAC deployment guide.
Configuring FortiGate in FortiNAC.
After adding a new FortiAP, or after other changes such as adding SSIDs or VLAN interfaces on the FortiGate, a resynchronization is needed: right-click the FortiGate and select Resync Interfaces, then make sure that all SSIDs are listed. In the model configuration (Virtualized Devices), the VLANs must be tied to the isolation/logical networks. The RADIUS secret and the Source IP (the NAS IP configured on the FortiGate) are configured on the same page; both must match the FortiGate's RADIUS client settings exactly, otherwise the Access-Request is not accepted.
Group membership at the SSID level enforces Registration, and VLAN assignments are made through access policies:
When a host connects to the SSID and is unknown to FortiNAC (Rogue), it is placed in the isolation VLAN:
Configuring FortiGate as WLC.
In this example only the guest solution is covered. It uses an Open or PSK-protected SSID with Client MAC Address Filtering and FortiNAC as the RADIUS server. Since the FortiAP is managed by the FortiGate, all configuration is done on the FortiGate.
Create the SSID (tunnel mode) without specifying any IP configuration or DHCP scope:
Continue with the SSID configuration while paying attention to the highlighted settings:
Security Mode can be Open or WPA2 Personal; the latter requires the user to know the PSK in advance, before self-registration. If Open is missing from the dropdown, enable it under Feature Visibility -> Wireless Open Security. Keep in mind that on an Open SSID the wireless traffic is not encrypted, so the portal itself must be served over HTTPS.
FortiNAC must be configured as a RADIUS server on the FortiGate, and the same shared secret and NAS IP must be used in FortiNAC:
Both the isolation and the guest VLAN must be created as VLAN interfaces under the SSID on the FortiGate; the VLAN IDs must match those configured in FortiNAC:
The guest interface is configured like any normal interface, with local DHCP and network access. The IP configuration of the isolation interface must match the FortiNAC configuration shown earlier, and its DHCP must be set to Relay so that requests are forwarded to FortiNAC's isolation interface:
A firewall policy is required on the FortiGate so that the end host can reach FortiNAC's isolation interface for DHCP, DNS and HTTP/S. Keep that policy restricted to those services and to that destination: an unregistered host on the isolation VLAN should not be able to reach anything else.
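The FortiGate side of the steps above, written out as a FortiOS CLI script. This is an added example and not configuration taken from the original article. The interface names (A-Por for the SSID, A-Por-isol and A-Por-guest for the VLAN interfaces, port3 as the FortiGate interface facing FortiNAC), the guest subnet 10.5.60.0/24 and the shared secret are assumptions; the addresses and VLAN IDs are taken from the logs that appear later on this page (isolation VLAN 511 = 10.5.11.0/24 with gateway 10.5.11.1, FortiNAC isolation interface 10.5.0.11, FortiNAC management 10.0.0.5, NAS IP 10.0.0.1, guest VLAN 560 as seen in the wlac -c sta output).

```fortios
# Added example (not from the original article). Names, the guest subnet
# and the secret are placeholders; VLAN IDs/addresses follow this page's logs.

# 1. FortiNAC as RADIUS server. Secret and NAS IP must equal what is entered
#    for this FortiGate in FortiNAC's model configuration. radius-coa lets
#    FortiNAC move a host between VLANs without a manual reconnect
#    (the FortiGate listens for CoA/Disconnect on UDP 3799 at the NAS IP).
config user radius
    edit "FNAC"
        set server "10.0.0.5"
        set secret "REPLACE-WITH-SHARED-SECRET"
        set nas-ip 10.0.0.1
        set radius-coa enable
    next
end

# 2. Tunnel-mode SSID with no IP/DHCP of its own: Open security, client MAC
#    filtering against FortiNAC, dynamic VLAN so that the
#    Tunnel-Private-Group-Id in the Access-Accept is applied to the client.
config wireless-controller vap
    edit "A-Por"
        set ssid "A-Por"
        set security open
        set radius-mac-auth enable
        set radius-mac-auth-server "FNAC"
        set dynamic-vlan enable
    next
end

# 3. VLAN interfaces under the SSID; IDs must equal the FortiNAC isolation and
#    guest VLANs. Isolation: gateway 10.5.11.1, DHCP relayed to FortiNAC's
#    isolation interface 10.5.0.11 (FortiNAC's scope must cover 10.5.11.0/24).
config system interface
    edit "A-Por-isol"
        set vdom "root"
        set ip 10.5.11.1 255.255.255.0
        set allowaccess ping
        set interface "A-Por"
        set vlanid 511
        set dhcp-relay-service enable
        set dhcp-relay-ip "10.5.0.11"
    next
    edit "A-Por-guest"
        set vdom "root"
        set ip 10.5.60.1 255.255.255.0
        set allowaccess ping
        set interface "A-Por"
        set vlanid 560
    next
end

# 4. Local DHCP for the guest VLAN only (never for the isolation VLAN,
#    otherwise the host would not get FortiNAC's DNS and never see the portal).
config system dhcp server
    edit 0
        set interface "A-Por-guest"
        set default-gateway 10.5.60.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.5.60.10
                set end-ip 10.5.60.200
            next
        end
    next
end

# 5. The only thing an isolated (rogue) host may reach: FortiNAC's isolation
#    interface, for DHCP, DNS and the portal. No "all"/"ALL" here.
config firewall address
    edit "FNAC-isolation"
        set subnet 10.5.0.11 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "isolation-to-FNAC"
        set srcintf "A-Por-isol"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "FNAC-isolation"
        set action accept
        set schedule "always"
        set service "DHCP" "DNS" "HTTP" "HTTPS"
    next
end
```

The guest VLAN still needs its own policy to the internet (not shown); that policy is a normal one. What matters for the workflow is the asymmetry: the isolation VLAN gets DHCP relay and a single narrow policy to FortiNAC, the guest VLAN gets a local scope and real network access.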
Timeline of the actions and common checks.
The first step is the end host joining the SSID.
If the SSID is configured correctly, a RADIUS request is sent to FortiNAC and the registration VLAN is returned in the Access-Accept, as shown below. Note that for MAC authentication the User-Name, User-Password and Calling-Station-Id all carry the client MAC address and the Service-Type is Call-Check:
(51) Received Access-Request Id 0 from 10.0.0.1:11653 to 10.0.0.5:1812 length 213
(51) User-Name = "00-00-00-00-4C-59"
(51) User-Password = "00-00-00-00-4C-59"
(51) Calling-Station-Id = "00-00-00-00-4C-59"
(51) NAS-IP-Address = 10.0.0.1
(51) NAS-Identifier = "10.5.32.54/5246-A-Por"
(51) Called-Station-Id = "00-00-00-00-82-30:A-Por"
(51) NAS-Port-Type = Wireless-802.11
(51) Service-Type = Call-Check
(51) Fortinet-SSID = "A-Por"
(51) Fortinet-AP-Name = "FP421ETF10000000"
---
(51) Login OK: [00-00-00-00-4C-59] (from client 10.0.0.1 port 0 cli 00-00-00-00-4C-59)
(51) Sent Access-Accept Id 0 from 10.0.0.5:1812 to 10.0.0.1:11653 length 0
(51) Tunnel-Type = VLAN
(51) Tunnel-Private-Group-Id = "511"
(51) Tunnel-Medium-Type = IEEE-802
(51) Finished request
Note: These logs can be checked from the FortiNAC GUI under Network -> RADIUS -> [Local Service] -> Details & Logs -> [View Logs]. Raise the Service Log Level (to Normal) only for the troubleshooting session and revert it afterwards.
It is also possible to verify from the FortiGate that the host is in the isolation VLAN (make sure the VLAN ID column is displayed):
Once the host is in the registration VLAN it requests an IP via DHCP, and that request must be relayed to FortiNAC. The logs can be checked from the FortiNAC CLI:
diag tail -f dhcpd.log
fnac dhcpd: disable: host unknown.
fnac dhcpd: DHCPDISCOVER from 00:00:00:00:4c:59 via 10.5.11.1
fnac dhcpd: DHCPOFFER on 10.5.11.61 to 00:00:00:00:4c:59 (M2012K11AG) via 10.5.11.1
fnac dhcpd: DHCPREQUEST for 10.5.11.61 (10.5.0.11) from 00:00:00:00:4c:59 (M2012K11AG) via 10.5.11.1
fnac dhcpd: DHCPACK on 10.5.11.61 to 00:00:00:00:4c:59 (M2012K11AG) via 10.5.11.1
The DHCP lease also hands out a DNS server that points to FortiNAC, and in the isolation view every name resolves to FortiNAC's isolation address (10.5.0.11 here); this is how the host is steered to the portal. The DNS logs can also be checked from the FortiNAC CLI:
diag tail -f named.log
queries: client @0x7f75480ea180 10.5.11.61#29959 (connectivitycheck.gstatic.com): view isolation: query: connectivitycheck.gstatic.com IN A + (10.5.0.11)
queries: client @0x7f755c1b6c40 10.5.11.61#62916 (www.google.com): view isolation: query: www.google.com IN A + (10.5.0.11)
queries: client @0x7f755c15eec0 127.0.0.1#20209 (www.google.com): view PassThru-isol: query: www.google.com IN A +E(0)D (127.0.0.6)
resolver: resolver priming query complete
queries: client @0x7f75480fa7c0 10.5.11.61#33067 (g.whatsapp.net): view isolation: query: g.whatsapp.net IN A + (10.5.0.11)
...(a list of other domains being requested and resolved to 10.5.0.11 follows, and then the portal request appears).
queries: client @0x7f75480fa7c0 10.5.11.61#33910 (fnac.eb.eu):view isolation: query: fnac.eb.eu IN A + (10.5.0.11)
queries: client @0x7f75480fa7c0 10.5.11.61#38655 (fnac.eb.eu): view isolation: query: fnac.eb.eu IN TYPE65 + (10.5.0.11)
This is a summary of the steps followed by the end host (an Android smartphone):
Approval from FortiNAC:
Verifying from the FortiGate that the host is authenticated and is residing in the right VLAN:
Common misconfigurations and troubleshooting commands.
The host does not get an IP after connecting to the SSID.
GW # diagnose wireless-controller wlac -c sta
-------------------------------STA 1----------------------------
STA mac : 00:00:00:00:4c:59
live : 4137 (ts=299398)
authed : yes
wtp : 0-10.5.32.54:5246
rId : 1
aId : 1
wId : 1
bssid : 70:4c:a5:00:00:00
cap : 0111
VLAN tag : 0230 (560)
ACL deny cnt : 0
802.11kvr :
Os Info : Android13
c. If the DHCP requests reach FortiNAC but are ignored, check dhcpd.log and verify in the ConfigWizard that the appropriate subnet is configured: the relayed request arrives with the isolation gateway address as the relay agent (10.5.11.1 in the example above), and FortiNAC must have a scope for that subnet.
Portal not showing on the end host.
After the host gets a valid IP from FortiNAC it also receives the DNS server. Verify with packet captures on the FortiGate and on FortiNAC that the DNS requests arrive and are answered (named.log). If DNS works, check the portal configuration in FortiNAC: use an FQDN and a certificate signed by a public CA. Since the host reaches the portal over HTTPS at that FQDN, a self-signed or name-mismatched certificate produces a browser warning instead of the portal.
After the guest account is approved and the user tries to log in, the progress bar ends with a failure.
b. The host does not appear as registered (it still shows as Rogue) under Users & Hosts -> Hosts. Something failed in the registration process for the host; typical causes are MAC randomization on the client or a portal misconfiguration.
c. The host matches the right policy but is not moved to the right VLAN; it moves only after manually disconnecting from and reconnecting to the SSID. This indicates that RADIUS CoA is not configured or is failing. On the FortiGate, make sure CoA is enabled in the RADIUS server configuration (CLI). The CoA/Disconnect messages are sent by FortiNAC to the NAS IP on UDP 3799, so that path must be reachable as well:
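Packet captures on the FortiGate that make the three failure modes above (no IP, no portal, no VLAN move) visible, added here as an example and not part of the original article. The interface names A-Por-isol (isolation VLAN 511) and port3 (towards FortiNAC) are assumptions; the addresses are those used on this page.

```fortios
# Added example (not from the original article). Assumed interface names:
# A-Por-isol = isolation VLAN interface, port3 = interface towards FortiNAC.
# Syntax: diagnose sniffer packet <interface> '<filter>' <verbosity> <count> <ts>
# verbosity 4 prints the interface name with each packet, count 0 runs until
# Ctrl-C, ts "l" prints local time.

# No IP: the DISCOVER/REQUEST must show up on A-Por-isol from the client and
# again on port3 as the relayed copy to 10.5.0.11 (that relayed copy is the
# "via 10.5.11.1" in FortiNAC's dhcpd.log). Missing on port3 = relay problem.
diagnose sniffer packet any 'udp port 67 or udp port 68' 4 0 l

# No portal, step 1: every DNS query from the isolated host must go to
# 10.5.0.11 and come back answered with 10.5.0.11 ("view isolation" in named.log).
diagnose sniffer packet A-Por-isol 'udp port 53' 4 0 l

# No portal, step 2: the TCP SYN to the portal must leave on port3 and be
# answered. A SYN seen only on A-Por-isol and never on port3 means the
# isolation firewall policy is dropping it, not the portal.
diagnose sniffer packet any 'host 10.5.0.11 and (tcp port 80 or tcp port 443)' 4 0 l

# No VLAN move after approval: the Access-Request goes to 10.0.0.5:1812, and
# after approval FortiNAC must send a CoA/Disconnect to the NAS IP on UDP 3799.
# Nothing arriving on 3799 = CoA not configured or blocked on the path.
diagnose sniffer packet any 'udp port 1812 or udp port 3799' 4 0 l
```

Run each capture while reproducing the single step it belongs to, and compare with the corresponding FortiNAC log (dhcpd.log, named.log, the RADIUS service log) so that the point where the exchange stops is obvious.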
config user radius
    edit "FNAC"
        set server "fnac.eb.eu"
        set nas-ip 10.0.0.1
        set radius-coa enable
    next
end
Useful debug commands on the FortiGate (disable with diagnose debug disable when done):
diagnose debug application wpad 8
diagnose debug application radius-das 8
diagnose debug enable
88:40:00:00:00:59 <eh> RADIUS message (type=0) ==> RADIUS Server code=1 (Access-Request) id=0 len=214
...
HOSTAPD: <0>10.5.32.54:15246<1-1> STA 88:40:00:00:00:59 WPA: sending 1/4 msg of 4-Way Handshake
88:40:00:00:00:59 <eh> send 1/4 msg of 4-Way Handshake
...
88:40:00:00:00:59 <eh> RADIUS message (type=0) <== RADIUS Server code=2 (Access-Accept) id=0 len=37
Related articles:
Technical Tip: An example of a simple network deployment of FortiNAC with FortiGate/FortiSwitch
Technical Tip: FortiNAC Guest Captive Portal configuration and workflow.
Copyright 2024 Fortinet, Inc. All Rights Reserved.