FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ebilcari
Staff
Article Id 329815
Description

 

This article describes a simplified example of how to set up FortiNAC in a network. It shows how to handle IP addressing and configuration in FortiGate. This is a continuation of the article Technical Tip: An example of a simple network deployment of FortiNAC with FortiGate/FortiSwitch and covers a simple scenario for guest self registration over a tunnel mode SSID.

 

Scope

 

FortiNAC and FortiGate/FortiAP (VLAN assignment via RADIUS MAC authentication).

 

Solution

 

  1. Network design and IP planning.

 

Below is an example of deploying FortiNAC as L3 Routed (the recommended and most commonly used type):

 

FNAC - L3 simple setup +wifi.png

 

More details and requirements for this network schema can be found here: Technical Tip: An example of a simple network deployment of FortiNAC with FortiGate/FortiSwitch. Remember to allow the needed services (DHCP/DNS/HTTP/S) at the interface level configuration for port 2 as shown below (in the FortiNAC CLI):

 

config system interface
    edit port2
        set allowaccess dhcp dns http https nac-agent ping
    next
end

 

FortiNAC can apply these network configurations when following the ConfigWizard:

  1. Configuring port1 (management interface):

    config_wizard1.PNG

  2. Configuring port2 (isolation interface) and the DHCP pools with the network details of the isolation networks. In smaller setups, to simplify the configuration, only the Layer 3 isolation network can be configured to handle all types of isolated hosts:

    config_wizard2.PNG

In this case, a FortiSwitch is used to connect the FortiAP, but the same steps also apply to a switch from another vendor. It is recommended to use tunnel mode SSID to simplify VLAN spanning/management through the switches.

These configurations are described in the FortiNAC deployment guide.

 

  2. Configuring FortiGate in FortiNAC.

After adding a new FortiAP or making other changes such as adding SSIDs or VLAN interfaces to the FortiGate, a resynchronization is needed: 'Right-click' on the FortiGate and select 'Resync Interfaces'. Make sure that all of the SSIDs are listed. In the model configuration (Virtualized Devices), the VLANs need to be tied to the isolation/logical networks. On the same page, the RADIUS secret and Source IP (the NAS IP in FortiGate) are also configured.

 

model-confi.PNG

Group membership at the SSID level to enforce Registration and VLAN assignments through access policies:

 

enforcment.PNG

When a host connects to the SSID and the host is unknown to FortiNAC (Rogue), it will be put in an isolation VLAN:

 

host-view.PNG

 

  3. Configuring FortiGate as WLC.

In this example, only the guest solution is covered. It can use an Open or PSK-protected SSID with 'Client MAC Address Filtering' and use FortiNAC as the RADIUS server. Since the FortiAP is managed by FortiGate, all the configuration is done in FortiGate only.

 

Creating the SSID (Tunnel mode) without specifying any IP configuration or DHCP scope:

 

SSID-name.PNG

 

Continue with SSID configuration while paying attention to the highlights:

 

SSID configurations.png

Security Mode can be Open or WPA2 Personal; the latter requires the user to know the PSK in advance, before proceeding with self registration. If the Open mode is missing from the dropdown, it can be enabled under Feature Visibility, Wireless Open Security.

 

FortiNAC needs to be configured as a RADIUS server in FortiGate and the same shared secret and NAS IP need to also be used in FortiNAC:

 

radius server fgt.PNG

Both the isolation and the guest VLAN need to be created as VLAN interfaces under the SSID in FortiGate; the VLAN IDs must match the ones configured in FortiNAC:

 

SSID interface.png

The guest interface should be configured like a common interface, with local DHCP and network access. The IP configuration of the isolation interface should match the FortiNAC configuration shown before, and its DHCP should be configured as Relay so that requests are sent to the isolation interface of FortiNAC:

 

Isolation IP configurations.png

 

A firewall policy is required in FortiGate to allow the end host to reach the isolation interface of FortiNAC for DHCP, DNS, and HTTP/S services.

 

  4. Timeline of the actions and common checks.

The first step begins with the end host joining the SSID.

 

If the SSID is properly configured, a RADIUS request is sent to FortiNAC and the registration VLAN should be returned in the Access-Accept, as shown below:

 

(51) Received Access-Request Id 0 from 10.0.0.1:11653 to 10.0.0.5:1812 length 213
(51)   User-Name = "00-00-00-00-4C-59"
(51)   User-Password = "00-00-00-00-4C-59"
(51)   Calling-Station-Id = "00-00-00-00-4C-59"
(51)   NAS-IP-Address = 10.0.0.1
(51)   NAS-Identifier = "10.5.32.54/5246-A-Por"
(51)   Called-Station-Id = "00-00-00-00-82-30:A-Por"
(51)   NAS-Port-Type = Wireless-802.11
(51)   Service-Type = Call-Check
(51)   Fortinet-SSID = "A-Por"
(51)   Fortinet-AP-Name = "FP421ETF10000000"

---

(51) Login OK: [00-00-00-00-4C-59] (from client 10.0.0.1 port 0 cli 00-00-00-00-4C-59)
(51) Sent Access-Accept Id 0 from 10.0.0.5:1812 to 10.0.0.1:11653 length 0
(51)   Tunnel-Type = VLAN
(51)   Tunnel-Private-Group-Id = "511"
(51)   Tunnel-Medium-Type = IEEE-802
(51) Finished request

 

Note: These logs can be checked from the FortiNAC GUI in Network -> RADIUS -> [Local Service] under Details & Logs -> [View Logs]. Change the Service Log Level to Normal only for the duration of the troubleshooting session and revert it afterwards.

 

It is also possible to verify from the FortiGate that the host is residing on the isolation VLAN (make sure to include the VLAN ID column):

 

fgt-isolation client.PNG

 

After the host is placed in the registration VLAN, it requests an IP via DHCP and the request should be relayed to FortiNAC. The logs can be checked from the FortiNAC CLI:

 

diag tail -f dhcpd.log

fnac dhcpd: disable: host unknown.
fnac dhcpd: DHCPDISCOVER from 00:00:00:00:4c:59 via 10.5.11.1
fnac dhcpd: DHCPOFFER on 10.5.11.61 to 00:00:00:00:4c:59 (M2012K11AG) via 10.5.11.1
fnac dhcpd: DHCPREQUEST for 10.5.11.61 (10.5.0.11) from 00:00:00:00:4c:59 (M2012K11AG) via 10.5.11.1
fnac dhcpd: DHCPACK on 10.5.11.61 to 00:00:00:00:4c:59 (M2012K11AG) via 10.5.11.1

 

Together with the IP, the host receives a DNS server that points its queries to FortiNAC. The DNS logs can also be checked from the FortiNAC CLI:

 

diag tail -f named.log

queries: client @0x7f75480ea180 10.5.11.61#29959 (connectivitycheck.gstatic.com): view isolation: query: connectivitycheck.gstatic.com IN A + (10.5.0.11)
queries: client @0x7f755c1b6c40 10.5.11.61#62916 (www.google.com): view isolation: query: www.google.com  IN A + (10.5.0.11)
queries: client @0x7f755c15eec0 127.0.0.1#20209 (www.google.com): view PassThru-isol: query: www.google.com  IN A +E(0)D (127.0.0.6)
resolver: resolver priming query complete
queries: client @0x7f75480fa7c0 10.5.11.61#33067 (g.whatsapp.net): view isolation: query: g.whatsapp.net IN A + (10.5.0.11)


...(a list of other domains being requested and resolved to 10.5.0.11 will be shown, and then the portal request appears).

 

queries: client @0x7f75480fa7c0 10.5.11.61#33910 (fnac.eb.eu):view isolation: query: fnac.eb.eu IN A + (10.5.0.11)
queries: client @0x7f75480fa7c0 10.5.11.61#38655 (fnac.eb.eu): view isolation: query: fnac.eb.eu IN TYPE65 + (10.5.0.11)

 

This is a summary of the steps followed by the end host (Android smartphone):

 

smartphone-steps.png

 

Approval from FortiNAC:

 

approval.PNG

Verifying from the FortiGate that the host is authenticated and is residing in the right VLAN:

 

guest-vlani.png

 

  5. Common misconfigurations and troubleshooting commands.

The host is not getting an IP after connecting to the SSID.

 

  a. The first step is to verify that the FortiNAC RADIUS service is receiving an Access-Request and is responding with the registration VLAN.
    If no request is received, check that the configuration in FortiGate matches the model configuration in FortiNAC. If the VLAN in the RADIUS response is empty or has a wrong value, check the model configuration and make sure that the SSID has Forced Registration checked.
  b. Verify in FortiGate that the WiFi client is residing in the isolation/registration VLAN. If the VLAN is correct, check that the DHCP relay configuration points to the FortiNAC isolation IP. Verify these requests with a packet capture in FortiGate or FortiNAC.

 

GW # diagnose wireless-controller wlac -c sta
-------------------------------STA 1----------------------------
STA mac : 00:00:00:00:4c:59
live : 4137 (ts=299398)
authed : yes
wtp : 0-10.5.32.54:5246
rId : 1
aId : 1
wId : 1
bssid : 70:4c:a5:00:00:00
cap : 0111
VLAN tag : 0230 (560)
ACL deny cnt : 0
802.11kvr :
Os Info : Android13

 

  c. If the DHCP requests are reaching FortiNAC but are getting ignored, check dhcpd.log and verify in the ConfigWizard that the appropriate subnet is being used.
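The RADIUS and WLC checks described above can be scripted over saved excerpts of the two outputs. The following is an added example for this article (not Fortinet code): the RADIUS log and `diagnose wireless-controller wlac -c sta` excerpts embedded in it are constructed in the style of the article's output, and registration VLAN 511 and the MAC addresses are assumptions borrowed from the article's examples. It parses the FreeRADIUS-style local RADIUS log per request, reports an empty or wrong VLAN in the Access-Accept, parses the hex VLAN tag the WLC shows per client, and cross-checks that the VLAN applied by FortiGate equals the one FortiNAC returned.

```python
"""Offline checks for the RADIUS and WLC troubleshooting steps above.

Added example for this article, not Fortinet code. Both excerpts are
CONSTRUCTED in the style of the article's output (FortiNAC local RADIUS
log and `diagnose wireless-controller wlac -c sta`); registration VLAN
511 and the MAC addresses are assumptions borrowed from the article.
"""
import re

RADIUS_LOG = """\
(51) Received Access-Request Id 0 from 10.0.0.1:11653 to 10.0.0.5:1812 length 213
(51)   Calling-Station-Id = "00-00-00-00-4C-59"
(51) Sent Access-Accept Id 0 from 10.0.0.5:1812 to 10.0.0.1:11653 length 0
(51)   Tunnel-Type = VLAN
(51)   Tunnel-Private-Group-Id = "511"
(51) Finished request
(52) Received Access-Request Id 1 from 10.0.0.1:11653 to 10.0.0.5:1812 length 213
(52)   Calling-Station-Id = "00-00-00-00-4C-5A"
(52) Sent Access-Accept Id 1 from 10.0.0.5:1812 to 10.0.0.1:11653 length 0
(52) Finished request
"""

STA_OUTPUT = """\
-------------------------------STA 1----------------------------
STA mac : 00:00:00:00:4c:59
VLAN tag : 01ff (511)
-------------------------------STA 2----------------------------
STA mac : 00:00:00:00:4c:5a
VLAN tag : 0000 (0)
"""

def norm_mac(mac):
    """00-00-00-00-4C-59 (RADIUS) and 00:00:00:00:4c:59 (WLC) are the same host."""
    return mac.lower().replace('-', ':')

RADIUS_RE = re.compile(r'^\((\d+)\)\s+(.*)$')

def parse_radius_log(text):
    """Group FreeRADIUS-style lines by request number: {no: {mac, reply, vlan}}."""
    reqs = {}
    for line in text.splitlines():
        m = RADIUS_RE.match(line)
        if not m:
            continue
        body = m.group(2)
        r = reqs.setdefault(int(m.group(1)), {'mac': None, 'reply': None, 'vlan': None})
        if body.startswith('Calling-Station-Id'):
            r['mac'] = norm_mac(body.split('"')[1])
        elif body.startswith('Sent Access-'):
            r['reply'] = body.split()[1]            # Access-Accept or Access-Reject
        elif body.startswith('Tunnel-Private-Group-Id'):
            r['vlan'] = body.split('"')[1]
    return reqs

def check_radius(text, expected_vlan):
    """Each Access-Request needs an Access-Accept carrying the registration VLAN."""
    findings = []
    for r in parse_radius_log(text).values():
        if r['reply'] != 'Access-Accept':
            findings.append((r['mac'], 'no Access-Accept (got %s): check RADIUS secret and NAS IP' % r['reply']))
        elif not r['vlan']:
            findings.append((r['mac'], 'Access-Accept carries no VLAN: check model configuration / Forced Registration'))
        elif r['vlan'] != expected_vlan:
            findings.append((r['mac'], 'VLAN %s returned, expected %s' % (r['vlan'], expected_vlan)))
    return findings

def parse_wlac_sta(text):
    """VLAN per client as the FortiGate WLC sees it (hex tag, decimal in brackets)."""
    vlans, mac = {}, None
    for line in text.splitlines():
        if line.startswith('STA mac'):
            mac = norm_mac(line.split(':', 1)[1].strip())
        elif line.startswith('VLAN tag') and mac:
            vlans[mac] = int(line.split(':', 1)[1].split()[0], 16)
            mac = None
    return vlans

def check_placement(radius_text, sta_text):
    """The VLAN the WLC applied must equal the VLAN RADIUS returned for that MAC."""
    assigned = {r['mac']: r['vlan'] for r in parse_radius_log(radius_text).values() if r['vlan']}
    findings = []
    for mac, vlan in parse_wlac_sta(sta_text).items():
        if mac in assigned and int(assigned[mac]) != vlan:
            findings.append((mac, 'WLC has VLAN %d, RADIUS returned %s' % (vlan, assigned[mac])))
    return findings

if __name__ == '__main__':
    print('RADIUS:', check_radius(RADIUS_LOG, '511') or 'OK')
    print('placement:', check_placement(RADIUS_LOG, STA_OUTPUT) or 'OK')
```

On the constructed data the second client gets an Access-Accept without any Tunnel-Private-Group-Id, which is exactly the "empty VLAN" case of the first step; the WLC output for it shows VLAN 0, which is what FortiGate does when no VLAN is returned. Replace the embedded strings with the real log excerpts to run the same checks on a live case.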

 

The portal is not showing on the end host.

After the host gets a valid IP from FortiNAC, it also receives the DNS server. Verify with packet captures in FortiGate and FortiNAC that the DNS requests are being received, and in named.log that they are being answered. If DNS is working fine, check the Portal configuration in FortiNAC and make sure to use an FQDN and a valid, publicly signed SSL certificate.
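The DHCP check of the previous section and the DNS check just described can be run offline over the two FortiNAC logs. The following is an added example for this article (not Fortinet code): the `dhcpd.log` and `named.log` excerpts embedded in it are constructed in the style of the article's output; the portal FQDN fnac.eb.eu, the isolation IP 10.5.0.11 and the client addresses come from the article, while the second client and its view name "default" are placeholders. It flags a DISCOVER that never got an OFFER (a request dhcpd ignored), and, per client, whether its queries were answered from the isolation view and whether the portal FQDN was ever resolved.

```python
"""Offline checks of dhcpd.log and named.log for the DHCP and portal/DNS steps above.

Added example for this article, not Fortinet code. Both excerpts are
CONSTRUCTED in the style of `diag tail -f dhcpd.log` and `diag tail -f
named.log`; the portal FQDN fnac.eb.eu, isolation IP 10.5.0.11 and client
addresses come from the article, the view name "default" is a placeholder.
"""
import re

DHCP_LOG = """\
fnac dhcpd: disable: host unknown.
fnac dhcpd: DHCPDISCOVER from 00:00:00:00:4c:59 via 10.5.11.1
fnac dhcpd: DHCPOFFER on 10.5.11.61 to 00:00:00:00:4c:59 (M2012K11AG) via 10.5.11.1
fnac dhcpd: DHCPREQUEST for 10.5.11.61 (10.5.0.11) from 00:00:00:00:4c:59 (M2012K11AG) via 10.5.11.1
fnac dhcpd: DHCPACK on 10.5.11.61 to 00:00:00:00:4c:59 (M2012K11AG) via 10.5.11.1
fnac dhcpd: DHCPDISCOVER from 00:00:00:00:4c:5a via 10.5.12.1
"""

NAMED_LOG = """\
queries: client @0x7f75480ea180 10.5.11.61#29959 (connectivitycheck.gstatic.com): view isolation: query: connectivitycheck.gstatic.com IN A + (10.5.0.11)
queries: client @0x7f755c1b6c40 10.5.11.61#62916 (www.google.com): view isolation: query: www.google.com  IN A + (10.5.0.11)
queries: client @0x7f755c15eec0 127.0.0.1#20209 (www.google.com): view PassThru-isol: query: www.google.com  IN A +E(0)D (127.0.0.6)
resolver: resolver priming query complete
queries: client @0x7f75480fa7c0 10.5.11.61#33910 (fnac.eb.eu):view isolation: query: fnac.eb.eu IN A + (10.5.0.11)
queries: client @0x7f75480fa7c0 10.5.11.61#38655 (fnac.eb.eu): view isolation: query: fnac.eb.eu IN TYPE65 + (10.5.0.11)
queries: client @0x7f7548000000 10.5.11.62#40001 (www.google.com): view default: query: www.google.com IN A + (10.5.0.11)
"""

DHCP_RE = re.compile(r'dhcpd: (DHCP[A-Z]+) .*?([0-9a-f]{2}(?::[0-9a-f]{2}){5})')

def check_dhcp(text):
    """A DISCOVER that never gets an OFFER was ignored by dhcpd (wrong subnet/scope)."""
    seen = {}
    for line in text.splitlines():
        m = DHCP_RE.search(line)
        if m:
            seen.setdefault(m.group(2), set()).add(m.group(1))
    findings = []
    for mac, msgs in seen.items():
        if 'DHCPDISCOVER' in msgs and 'DHCPOFFER' not in msgs:
            findings.append((mac, 'DHCPDISCOVER without DHCPOFFER: check dhcpd.log and the ConfigWizard subnet'))
        elif 'DHCPREQUEST' in msgs and 'DHCPACK' not in msgs:
            findings.append((mac, 'DHCPREQUEST without DHCPACK'))
    return findings

DNS_RE = re.compile(r'queries: client @0x[0-9a-f]+ (\d+\.\d+\.\d+\.\d+)#\d+ \(([^)]+)\):\s*'
                    r'view ([^:]+): query: \S+\s+IN (\S+)')

def dns_summary(text):
    """Per client IP: query count, views answered from, names asked for."""
    clients = {}
    for line in text.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue                                  # resolver / priming noise
        ip, qname, view, _qtype = m.groups()
        c = clients.setdefault(ip, {'queries': 0, 'views': set(), 'names': set()})
        c['queries'] += 1
        c['views'].add(view)
        c['names'].add(qname.lower())
    return clients

def check_dns(text, client_ip, portal_fqdn):
    """An isolated client must hit the isolation view and eventually resolve the portal FQDN."""
    c = dns_summary(text).get(client_ip)
    if c is None:
        return [(client_ip, 'no DNS queries seen: verify the DHCP-provided DNS server with packet captures')]
    findings = []
    other = c['views'] - {'isolation'}
    if other:
        findings.append((client_ip, 'queries answered from view(s) %s, not isolation' % sorted(other)))
    if portal_fqdn.lower() not in c['names']:
        findings.append((client_ip, 'portal FQDN %s never queried: check the portal FQDN and certificate' % portal_fqdn))
    return findings

if __name__ == '__main__':
    print('DHCP:', check_dhcp(DHCP_LOG) or 'OK')
    print('DNS:', check_dns(NAMED_LOG, '10.5.11.61', 'fnac.eb.eu') or 'OK')
```

The regular expression tolerates the missing space after the client name that appears in one of the article's own named.log lines. Only query lines are parsed, so a client that sends queries but receives no answer still needs the packet capture the text asks for; the summary tells you which clients FortiNAC saw at all and from which view it served them.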

 

After the guest account is approved and the guest tries to log in, the progress bar ends with a failure.

 

  a. No Network Access Policy matches in FortiNAC. Check the UHP, logical network, model configuration, or other possible misconfigurations. The policy that should match can be easily checked by 'right-clicking' on the host and selecting 'Policy Details':

 

policy check.PNG

 

  b. The host does not appear as registered (still shows as rogue) in Users & Hosts -> Hosts. Something has failed in the registration process for the host; this can be caused by the use of MAC randomization or by a portal misconfiguration.

 

  c. The host matches the right policy but is not moved to the right VLAN; it is moved successfully only after manually disconnecting from and reconnecting to the SSID. This indicates that RADIUS CoA is not properly configured or is failing. In the FortiGate configuration, make sure that CoA is enabled under the RADIUS server configuration from the CLI:

config user radius
    edit "FNAC"
        set server "fnac.eb.eu"
        set nas-ip 10.0.0.1
        set radius-coa enable
    next
end

 

Useful debug commands used in FortiGate:

 

diagnose debug application wpad 8

diagnose debug application radius-das 8

diagnose debug enable

 

88:40:00:00:00:59 <eh> RADIUS message (type=0) ==> RADIUS Server code=1 (Access-Request) id=0 len=214

...

HOSTAPD: <0>10.5.32.54:15246<1-1> STA 88:40:00:00:00:59 WPA: sending 1/4 msg of 4-Way Handshake
88:40:00:00:00:59 <eh> send 1/4 msg of 4-Way Handshake

...

88:40:00:00:00:59 <eh> RADIUS message (type=0) <== RADIUS Server code=2 (Access-Accept) id=0 len=37

 

Related articles:

Technical Tip: An example of a simple network deployment of FortiNAC with FortiGate/FortiSwitch

Technical Tip: FortiNAC Guest Captive Portal configuration and workflow.