FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ebilcari
Staff
Article Id 324211
Description

This article describes the configuration needed to isolate disabled hosts in the Dead End network. Unlike other enforcement types, this enforcement status cannot be configured through Port Group membership; it must be configured at the device level.

 

Scope

FortiNAC.

 

Solution

  1. Configure the Dead End for the Logical network in Model Configuration at the network device level (FortiSwitch/FortiAP/FortiGate or SSID):

 

FortiGate (virtualized device):

[Screenshot: Dead End.PNG]

 

FortiSwitch/FortiWLC:

[Screenshot: sw enfor.PNG]

SSID Configuration:

[Screenshot: ssid enf.PNG]

  2. Add the network devices to the group 'Physical Address Filtering'. This is configured in System -> Groups: locate this specific group and add the network devices as members:

[Screenshot: group ad.png]

The same result can be obtained by right-clicking the device and making it a member of this group:

[Screenshot: dev group.PNG]

Now every port of that device has Dead End enforcement applied:

[Screenshot: dead endi.PNG]

If a disabled host connects to one of these ports, it is moved to the Dead End VLAN:

[Screenshot: disabled host fnac.PNG]

On the end host's browser, the user is notified of this action through the portal:

[Screenshot: dead-end host.PNG]

Related document:

Dead end portal