FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff & Editor
Article Id 340612
Description

This article identifies why Flex CLI configurations are not being applied in port-based configurations via Device model configuration.

Scope

FortiNAC-F, FortiNAC.
Solution

FortiNAC can apply Port-Based Configurations and Host-Based Configurations to enforce control on endpoints connected to modeled devices.

 

  1. Port-Based Configurations:
  • Used to switch VLANs.
  • Add/modify port attributes.

 

Related document: Apply a port based configuration via model configuration.

 

  2. Host-Based Configurations:
  • Control endpoint access by using Access Control Lists.
  • CLI configurations that modify IP address ACLs can only be used on Layer 3 devices.

 

Related document: Apply a host based configuration via the model configuration.

 

When applying CLI configurations via the device model, FortiNAC will need to bind the CLI configuration to the Device itself.

It then applies and removes the CLI configuration based on the Control State (see Technical Tip: 'State based Control' concept and VLAN changes).

A common misconfiguration is to leave all control states without the specific CLI configuration. In this case FortiNAC will not use it, even if a logical network has the Access VLAN and the CLI configuration defined.

At least one Control/Isolation state should have the CLI configuration defined, even if set to 'deny'. This way, FortiNAC will associate the CLI configuration with the Device.

 

Example:

In this case, there is a CLI configuration called 'test'. Either by selecting 'In Use' or by editing the CLI configuration in Network -> CLI Configuration, it is possible to check whether it is currently in use or not.

 

Figure 1. CLI configuration being marked as "Not currently in use".

 

At this point, any host that would match a Network Access Policy that has the 'test' CLI configuration enabled would not have it applied. This happens because FortiNAC has no Inventory device listed that uses this configuration.

As noted in Figure 1, FortiNAC has a set of 'Undo' commands. These commands will be applied when FortiNAC detects that the host has disconnected from the port. 

 

Checking the model configuration of the Cisco device shows that none of the control states has a CLI configuration defined.

 

Figure 2. CLI configuration "test" is not enabled on any of the Control States' logical networks.

 

At least one of the four control states should have the 'test' CLI configuration enabled, even if the Access Enforcement is set to 'Deny'.

After assigning the CLI configuration to one of the control states and selecting 'Save', verify the usage of the 'test' configuration again.

 

Figure 3. Device listed with CLI configuration "test" in use.

 

This shows that any host connecting to Devices where the CLI configuration is in use will have it applied, depending on the Network access configuration.

The following verifications need to be made for the port-based configuration to be applied:

  • VLAN access value is specified in the Network Access entry of the Model Configuration.
  • The host is showing online in the FortiNAC host view.
  • The host is matching the respective Network Access policy.
  • Event logs generate either 'Port CLI Task Success' or 'Port CLI Task Failure' events, depending on the CLI configuration content pushed to the switch.
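The following is an added example, not FortiNAC code, that models the binding rule above (a CLI configuration counts as "in use" on a device as soon as any control state references it, even with enforcement set to 'Deny') together with the verification checklist, and scans constructed event-log lines for 'Port CLI Task Success' / 'Port CLI Task Failure' events. The control state names, the enforcement values, the device name 'cisco-sw1', the VLAN number and the event-log line format are all assumptions made for the example; the real FortiNAC event format differs.

```python
"""Added example (not FortiNAC's own code): models why a port-based Flex CLI
configuration is or is not applied via the device model configuration."""
from dataclasses import dataclass
import re
from typing import Optional

# Assumed names of the four control states in a model configuration; the
# article says "four control states" without listing them.
CONTROL_STATES = ("Registration", "Authentication", "Dead End", "Quarantine")


@dataclass
class LogicalNetwork:
    """One logical-network row of a model configuration (constructed)."""
    access_vlan: Optional[str] = None   # VLAN access value
    cli_config: Optional[str] = None    # Flex CLI configuration name, if any
    enforcement: str = "Enforce"        # assumed values: Enforce / Bypass / Deny


@dataclass
class DeviceModel:
    name: str
    network_access: LogicalNetwork   # the Network Access entry
    control_states: dict             # control state name -> LogicalNetwork


def cli_config_in_use(device: DeviceModel, config_name: str) -> bool:
    """The CLI configuration is bound to the device as soon as any control
    state references it; the enforcement value (even 'Deny') is irrelevant."""
    return any(ln.cli_config == config_name
               for ln in device.control_states.values())


def blocking_reasons(device, config_name, host_online, policy_matched):
    """Return the reasons the port-based configuration will not be pushed;
    an empty list means every check from the article passes."""
    reasons = []
    if not cli_config_in_use(device, config_name):
        reasons.append(f"'{config_name}' not enabled on any control state of "
                       f"{device.name} (no inventory device uses it)")
    if not device.network_access.access_vlan:
        reasons.append("no VLAN access value in the Network Access entry")
    if not host_online:
        reasons.append("host not online in the host view")
    if not policy_matched:
        reasons.append("host does not match the Network Access policy")
    return reasons


# Constructed sample event-log lines; the layout is illustrative only.
SAMPLE_EVENTS = """\
2024-05-01 10:02:11 cisco-sw1 Port CLI Task Success port=Gi1/0/5 config=test
2024-05-01 10:02:12 cisco-sw1 Port CLI Task Success port=Gi1/0/6 config=test
2024-05-01 10:03:40 cisco-sw1 Port CLI Task Failure port=Gi1/0/7 config=test
2024-05-01 10:04:00 cisco-sw1 Host connected port=Gi1/0/8
"""

EVENT_RE = re.compile(r"Port CLI Task (Success|Failure) port=(\S+)")


def summarize_port_cli_events(log_text: str) -> dict:
    """Count Port CLI Task Success/Failure events and list the ports whose
    push failed, which is where the pushed command content should be checked."""
    summary = {"success": 0, "failure": 0, "failed_ports": []}
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        if m.group(1) == "Success":
            summary["success"] += 1
        else:
            summary["failure"] += 1
            summary["failed_ports"].append(m.group(2))
    return summary


def build_device(bind_test_to_registration: bool) -> DeviceModel:
    """Constructed Cisco device model: with the flag False no control state
    references 'test' (the misconfiguration); with True it is bound to the
    Registration state with enforcement 'Deny', which is enough for 'in use'."""
    states = {s: LogicalNetwork() for s in CONTROL_STATES}
    if bind_test_to_registration:
        states["Registration"] = LogicalNetwork(cli_config="test",
                                                enforcement="Deny")
    return DeviceModel("cisco-sw1",
                       LogicalNetwork(access_vlan="20", cli_config="test"),
                       states)


if __name__ == "__main__":
    broken = build_device(False)
    print(blocking_reasons(broken, "test", host_online=True, policy_matched=True))
    fixed = build_device(True)
    print(blocking_reasons(fixed, "test", host_online=True, policy_matched=True))
    print(summarize_port_cli_events(SAMPLE_EVENTS))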

 

Options for Flex CLI configuration:

  1. Apply a host based configuration via the model configuration.
  2. Apply a CLI configuration using a role.
  3. Apply a CLI configuration using a network access policy.
  4. Apply a CLI configuration using a scheduled task.

 

Related documents:

CLI configuration

Technical Note: Configuring Flex CLI with Network Device Roles

Technical Note: Using Flex CLI for Network Access Policies