This article describes the requirements and conditions that must be met for FortiNAC to apply state-based control.
FortiNAC-F, FortiNAC, Isolation, Captive Services.
For each host, depending on its state (Rogue (?), At-Risk (+), Disabled (X), or Unauthenticated (A)), FortiNAC should provide the respective captive service.
The following configurations and requirements must be fulfilled for the Isolation/Captive Portal to appear to the host.
Requirements:
FortiNAC must first be configured as the DHCP and DNS server for the VLAN where the host resides. The IP address range is specified under Isolation in the FortiNAC Configuration Wizard.
The Isolation VLAN with gateway 172.16.60.1 is configured in FortiGate with FortiNAC port2 IP: 10.10.10.2 as a DHCP relay.
The device where hosts connect must have the Isolation VLAN assigned to the Registration logical network and enabled.
This way FortiNAC can apply the respective captive portal depending on the host state. Hosts in the 'Rogue' state are presented with the Registration captive portal.
To enforce isolation, put the port/SSID where the host is connected into the system group that enforces the respective control; in this example, the registration portal is enforced when the Rogue host connects. Right-click the port where the device is connected and make sure that 'Forced Registration' is enabled.
The other system groups and 'State based control' are explained in the Comprehensive guide for a simple FortiNAC deployment.
The Isolation Portal will not appear if it is not configured with a valid SSL certificate. It is recommended to use a third-party public (external) certificate to secure the Portal target. These are certificates issued by Certificate Authorities such as GoDaddy, DigiCert, GlobalSign, etc.
Certificate Requirements noted in this documentation.
This configuration is available only through CLI:
naclab1 # show system interface
config system interface
    edit port1
        set ip 10.10.10.6/24
        set allowaccess http https-adminui nac-agent nac-ipc netflow ping radius radius-acct radius-local radius-local-radsec snmp ssh
    next
    edit port2
        set ip 10.20.20.2/24
        set allowaccess dhcp dns http https nac-agent ping
    next
end
The 'dhcp' and 'dns' services in the port2 allowaccess list must be enabled for FortiNAC to act as DHCP and DNS server in isolation. Additionally, HTTP/HTTPS is required for FortiNAC to respond to HTTP GET requests from clients and serve the portal page.
Traffic from the Isolation VLAN towards FortiNAC port2 (eth1) must have NAT disabled; if NAT is enabled, the portal will not render. It is important to make sure that all Layer 3 devices are configured so that the isolated subnets can communicate only with FortiNAC port2 (eth1).
The registration portal appears only for unregistered hosts, which show up as Rogue. The host must have an IP address from the isolation subnet and must show the FortiNAC IP as its DNS server in its IP configuration.
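As an added example (not part of the article or of FortiNAC itself), the following Python checker parses the 'show system interface' output shown above and verifies the two conditions just described: the isolation-facing port allows dhcp, dns, http and https, and an isolated host's lease comes from the isolation subnet with FortiNAC as its DNS server. The isolation subnet 172.16.60.0/24 is inferred from the gateway 172.16.60.1 mentioned above; the host addresses passed to the lease check are constructed values.

```python
import ipaddress
import re

# Sample 'show system interface' output, copied from the article's example.
SAMPLE_CONFIG = """\
config system interface
    edit port1
        set ip 10.10.10.6/24
        set allowaccess http https-adminui nac-agent nac-ipc netflow ping radius radius-acct radius-local radius-local-radsec snmp ssh
    next
    edit port2
        set ip 10.20.20.2/24
        set allowaccess dhcp dns http https nac-agent ping
    next
end
"""

# Services the isolation-facing interface needs: dhcp and dns so FortiNAC can
# serve the isolated VLAN, http and https so it can answer the client's GET
# and render the portal page.
ISOLATION_SERVICES = {"dhcp", "dns", "http", "https"}


def parse_interfaces(config_text):
    """Parse a 'config system interface' block into {name: {"ip": ..., "allowaccess": set}}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if (m := re.match(r"edit (\S+)$", line)):
            current = m.group(1)
            interfaces[current] = {"ip": None, "allowaccess": set()}
        elif current and (m := re.match(r"set ip (\S+)$", line)):
            interfaces[current]["ip"] = ipaddress.ip_interface(m.group(1))
        elif current and (m := re.match(r"set allowaccess (.+)$", line)):
            interfaces[current]["allowaccess"] = set(m.group(1).split())
        elif line == "next":
            current = None
    return interfaces


def missing_isolation_services(config_text, iface):
    """Return the required services NOT enabled on the isolation-facing interface."""
    return ISOLATION_SERVICES - parse_interfaces(config_text)[iface]["allowaccess"]


def host_lease_problems(config_text, iface, isolation_subnet, host_ip, host_dns):
    """Check an isolated host's lease: its address must come from the isolation
    subnet and its DNS server must be the FortiNAC interface IP.
    Returns a list of problems; an empty list means the host looks correctly isolated."""
    fnac_ip = parse_interfaces(config_text)[iface]["ip"].ip
    problems = []
    if ipaddress.ip_address(host_ip) not in ipaddress.ip_network(isolation_subnet):
        problems.append(f"host {host_ip} is not in isolation subnet {isolation_subnet}")
    if ipaddress.ip_address(host_dns) != fnac_ip:
        problems.append(f"host DNS {host_dns} is not FortiNAC {iface} ({fnac_ip})")
    return problems
```

Run the checks against a live 'show system interface' capture and the lease values read from the isolated host (ipconfig / ip addr and its DNS setting) to confirm the prerequisites before troubleshooting the portal itself.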
Related documents:
Technical Tip: FortiNAC Guest Captive Portal configuration and workflow
Technical Tip: Comprehensive guide for a simple FortiNAC deployment
Copyright 2024 Fortinet, Inc. All Rights Reserved.