Description
This article describes the requirements and conditions to be met in order to have state based control applied by FortiNAC.
Scope
FortiNAC-F, FortiNAC, Isolation, Captive Services.
Solution
For each host depending on their state (Rogue(?), At-Risk(+), Disabled(X), or Unauthenticated(A)) FortiNAC should provide the respective captive service.
The following configurations and requirements must be fulfilled for the Isolation/Captive Portal to appear to the host.
Requirements:
- Isolation VLANs are defined in the Configuration Wizard.
- The Isolation VLAN is enabled in the Model Configuration of the device.
- Port/SSID is under enforcement.
- Portal has a valid SSL certificate.
- HTTP/HTTPS Service enabled in FortiNAC port2.
- ACLs and Firewall policies are configured correctly.
- The host has not yet registered
- Isolation VLANs are defined in the Configuration Wizard.
FortiNAC should first be configured to be a DHCP and DNS server for the respective VLAN where the host resides. The IP address range should be specified in Isolation the FortiNAC configuration Wizard in.
The Isolation VLAN with gateway 172.16.60.1 is configured in FortiGate with FortiNAC port2 IP: 10.10.10.2 as a DHCP relay.
- The Isolation VLAN is enabled in the Model Configuration of the device.
The Device where Hosts are connecting should have the Isolation VLAN assigned to the Registration Logical network and enabled.
This way FortiNAC can apply the respective captive portal depending on the host state. Hosts with the state of 'Rogue' will be presented on the Registration Captive portal.
- Port/SSID is under enforcement.
To enforce isolation, put the port/SSID where the host is connected to the respective system group which enforces control, in this example the Portal during the registration process when the Rogue connects. 'Right-click the port where the device is connected and make sure that 'Forced Registration' is enabled.
The other system groups and 'State based control' are explained in the Comprehensive guide for a simple FortiNAC deployment
- Portal has a valid SSL certificate.
Isolation Portal will not appear if it is not configured with a Valid SSL certificate. It is recommended to use a third-party public (External) certificate to secure the Portal target. These are certificates issued from Certificate Authorities like GoDaddy, DigiCert, GlobalSign, etc.
Certificate Requirements noted in this documentation.
- HTTP/HTTPS Service enabled in FortiNAC port2.
This configuration is available only through CLI:
naclab1 # show system interface
config system interface
edit port1
set ip 10.10.10.6/24
set allowaccess http https-adminui nac-agent nac-ipc netflow ping radius radius-acct radius-local radius-local-radsec snmp ssh
next
edit port2
set ip 10.20.20.2/24
set allowaccess dhcp dns http https nac-agent ping
next
end
The services in bold in port2 must be enabled for FortiNAC to act as DHCP and DNS server in isolation. Additionally, HTTP/HTTPS is required for FortiNAC to respond to HTTP GET requests from clients and serve the portal page.
- ACLs and Firewall policies are configured correctly.
Traffic matching the direction from Isolation VLAN towards FortiNAC port2(eth1) should have NAT disabled. If NAT is enabled then the portal will not render. It is important to make sure that all layer3 devices are configured to allow communication of Isolated Subnets only to FortiNAC port2(eth1).
- The host has not yet registered.
The registration portal will appear only for unregistered hosts showing up as rogue. The host should have an IP address from the isolation subnet and FortiNAC IP showing as DNS server in its IP configuration.
Related documents:
Technical Tip: FortiNAC Guest Captive Portal configuration and workflow
Technical Tip: Comprehensive guide for a simple FortiNAC deployment
