FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Sx11, Staff
Article Id 339020
Description

This article describes the requirements and conditions that must be met for FortiNAC to apply state-based control.

Scope

FortiNAC-F, FortiNAC, Isolation, Captive Services.

Solution

Depending on its state (Rogue (?), At-Risk (+), Disabled (X) or Unauthenticated (A)), FortiNAC should present each host with the respective captive service.

The following configurations and requirements must be fulfilled for the Isolation/Captive Portal to appear to the host.

Requirements:

  1. Isolation VLANs are defined in the Configuration Wizard.
  2. The Isolation VLAN is enabled in the Model Configuration of the device.
  3. Port/SSID is under enforcement.
  4. Portal has a valid SSL certificate.
  5. HTTP/HTTPS Service enabled in FortiNAC port2.
  6. ACLs and Firewall policies are configured correctly.
  7. The host has not yet registered.

  1. Isolation VLANs are defined in the Configuration Wizard.

FortiNAC should first be configured as the DHCP and DNS server for the VLAN where the host resides. The IP address range is specified in the Isolation section of the FortiNAC Configuration Wizard.

Figure 1. Isolation subnets definition in the Configuration Wizard.

The Isolation VLAN with gateway 172.16.60.1 is configured on the FortiGate with the FortiNAC port2 IP 10.10.10.2 as DHCP relay.

Figure 2. Isolation VLAN gateway and DHCP relay configuration.

  2. The Isolation VLAN is enabled in the Model Configuration of the device.

The device where hosts connect should have the Isolation VLAN assigned to the Registration logical network, and that logical network must be enabled.

This way FortiNAC can apply the respective captive portal depending on the host state. Hosts in the 'Rogue' state are presented with the Registration captive portal.

Figure 3. Registration logical network enabled and using the Isolation VLAN ID as access value.

  3. Port/SSID is under enforcement.

To enforce isolation, put the port/SSID where the host is connected into the system group that enforces the respective control; in this example, the Registration portal is enforced while the Rogue host registers. Right-click the port where the device is connected and make sure that 'Forced Registration' is enabled.

Figure 4. Port is put under enforcement by being made a member of the "Forced Registration" system group.

The other system groups and 'State based control' are explained in the Comprehensive guide for a simple FortiNAC deployment.

  4. Portal has a valid SSL certificate.

The Isolation Portal will not appear if it is not configured with a valid SSL certificate. It is recommended to use a third-party public (external) certificate to secure the Portal target. These are certificates issued by Certificate Authorities such as GoDaddy, DigiCert or GlobalSign.

Certificate requirements are noted in this documentation.

  5. HTTP/HTTPS Service enabled in FortiNAC port2.

This configuration is available only through the CLI:

naclab1 # show system interface

    config system interface
        edit port1
            set ip 10.10.10.6/24
            set allowaccess http https-adminui nac-agent nac-ipc netflow ping radius radius-acct radius-local radius-local-radsec snmp ssh
        next
        edit port2
            set ip 10.20.20.2/24
            set allowaccess dhcp dns http https nac-agent ping
        next
    end

The dhcp and dns services on port2 must be enabled for FortiNAC to act as DHCP and DNS server in isolation. Additionally, http and https are required for FortiNAC to respond to HTTP GET requests from clients and serve the portal page.
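As an added example (not code from the article or from Fortinet), the following Python checks a saved 'show system interface' output for the services this step requires on port2. The sample output is constructed, and the required-service list (dhcp, dns, http, https) is an assumption taken from the explanation above.

```python
import re

# Services FortiNAC needs on the isolation-facing interface (port2 in this article):
# dhcp/dns to serve the isolation subnet, http/https to render the captive portal.
REQUIRED_ISOLATION_SERVICES = {"dhcp", "dns", "http", "https"}

def parse_interfaces(cli_output):
    """Parse 'show system interface' output into {port: {'ip', 'allowaccess'}}."""
    interfaces, current = {}, None
    for raw in cli_output.splitlines():
        line = raw.strip()
        if m := re.match(r"^edit\s+(\S+)$", line):
            current = m.group(1)
            interfaces[current] = {"ip": None, "allowaccess": set()}
        elif current is None:
            continue
        elif m := re.match(r"^set ip\s+(\S+)$", line):
            interfaces[current]["ip"] = m.group(1)
        elif m := re.match(r"^set allowaccess\s+(.+)$", line):
            # Tokens are whole service names: 'https-adminui' is not 'https'.
            interfaces[current]["allowaccess"] = set(m.group(1).split())
        elif line == "next":
            current = None
    return interfaces

def missing_isolation_services(cli_output, port="port2"):
    """Return the sorted list of required services not enabled on `port`."""
    interfaces = parse_interfaces(cli_output)
    if port not in interfaces:
        raise KeyError(f"{port} not present in interface configuration")
    return sorted(REQUIRED_ISOLATION_SERVICES - interfaces[port]["allowaccess"])

# Constructed sample output (not from a real appliance): port2 lacks dns and https.
SAMPLE_OUTPUT = """\
config system interface
    edit port1
        set ip 10.10.10.6/24
        set allowaccess http https-adminui nac-agent nac-ipc ping radius snmp ssh
    next
    edit port2
        set ip 10.20.20.2/24
        set allowaccess dhcp http nac-agent ping
    next
end
"""

if __name__ == "__main__":
    print("port2 missing:", missing_isolation_services(SAMPLE_OUTPUT) or "none")
```

Run it against the output of the appliance's own 'show system interface' command to see which of the four services still has to be added to the port2 allowaccess list.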

 

  6. ACLs and Firewall policies are configured correctly.

Traffic from the Isolation VLAN towards FortiNAC port2 (eth1) must have NAT disabled; if NAT is enabled, the portal will not render. Make sure that all layer 3 devices allow the isolated subnets to communicate only with FortiNAC port2 (eth1).

  7. The host has not yet registered.

The registration portal appears only for unregistered hosts, which show up as Rogue. The host should have an IP address from the isolation subnet and the FortiNAC IP as DNS server in its IP configuration.

Related documents:

FortiNAC Isolation VLANs

Technical Tip: FortiNAC Guest Captive Portal configuration and workflow

Technical Tip: Comprehensive guide for a simple FortiNAC deployment

Enforcement groups