Technical Tip: Flex CLI configuration not applying to ports of Modeled devices

FortiNAC can apply 1.Port Based Configurations and 1. Host Based Configurations to enforce control on endpoints connected to modeled devices.

1. Port Based Configurations:

• used to switch VLANs.
• add/modify port attributes.

Related document: Apply a port based configuration via model configuration

2. Host Based Configurations:

• control endpoint access by using Access control Lists.
• CLI configurations that modify IP address ACLs can only be used on Layer 3 devices.

Related document: Apply a host based configuration via the model configuration

When applying CLI configurations via the device model, FortiNAC will need to bind the CLI configuration to the Device itself.

It then applies and removes the CLI configuration based on the Control states explained in this article.

A common misconfiguration is to leave the control states without the specific CLI configuration. FortiNAC in this case will not use it even if there is a logical network with the Access VLAN and CLI configuration defined.

At least one Control/Isolation state should have the CLI configuration defined even if set to 'deny'. This way FortiNAC will associate the CLI configuration to the Device.

Example:

In this case there is a CLI configuration called 'test'. Either by selecting 'In Use' or by editing the CLI configuration in Network -> CLI Configuration it is possible to detect if it is currently in use or not.

Figure 1. CLI configuration being marked as "Not currently in use"

At this point, any host that would match a Network Access Policy that has the 'test' CLI configuration enabled would not have it applied. This happens because FortiNAC has no Inventory device listed that uses this configuration.

Checking the model configuration of the Cisco Device it is possible to verify that all controll states have no CLI configuration defined.

Figure 2. CLI configuration "test" is not enabled to any of the Control States Logical networks.

At least one of the four control states should have the 'test' CLI configuration enabled even if the Access Enforcement is set to 'Deny'.

After setting the CLI configuration to one of the control states and selecting 'save', verify again the Usage of the 'test' configuration.

Figure 3. Device listed with CLI configuration "test" in use.

This shows that any host connecting to Devices where the CLI configuration is in use, will have it applied depending on the Network access configuration 

The following verifications need to be made in order for the Port based configuration to be applied:

• VLAN access value is specified in the Network Access entry of the Model Configuration.
• Host is showing Online in FortiNAC host view
• Host is matching the respective Network Access policy. 
• Event logs generate either 'Port CLI Task Success' or 'ort CLI Task Failure 'events depending on CLI configuration content pushed to the switch.

Options for Flex CLI configuration:

1. Apply a host based configuration via the model configuration.
2. Apply a CLI configuration using a role.
3. Apply a CLI configuration using a network access policy.
4. Apply a CLI configuration using a scheduled task.

Related documents:

CLI configuration

Technical Note: Configuring Flex CLI with Network Device Roles

Technical Note: Using Flex CLI for Network Access Policies