FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff
Article Id 351919
Description This article describes how FortiNAC can provision switch ports on any Network Inventory device to support free seating of access points (an AP can be plugged into any 802.1X-enabled port) and apply control to any type of endpoint connecting through the infrastructure switches.
Scope FortiNAC-F, FortiGate, FortiSwitch, FortiAP
Solution

In this scenario, FortiNAC uses Device Profiling rules or automatic 802.1X registration to register access points that authenticate as 802.1X clients.

Once the host is categorized as an Access Point device type, FortiNAC moves the AP into Network Inventory (Topology view) as an inventory device and marks the switch port it is connected to as a WAP uplink.

Dynamic VLAN assignment is then used to apply control to the hosts that connect wirelessly through the AP.

 

Step 1. Configure the Access Point as an 802.1X supplicant.

 

This documentation provides the steps to configure a FortiAP as an 802.1X client (see 'Configuring 802.1X supplicant on LAN' under Related Documentation). Device certificates with EAP-TLS are recommended over password-based methods, so that the AP's credential is a key held by the AP rather than a shared password that could be reused from another device.

Once the FortiAP is connected to a FortiSwitch port where an 802.1X policy is enabled, FortiNAC authenticates it and registers it with the Access Point device type. FortiNAC then models the AP as a topology device and lists it in Network Inventory.

 

Step 2. Configure the FortiSwitch 802.1X policy on ports.

 

For FortiSwitches in FortiLink mode, configure the security policy in the FortiGate GUI under WiFi & Switch Controller -> FortiSwitch Ports.

 

Figure 1. Configure FortiSwitch 802.1x settings for the port.

 

With port-based security mode, the FortiSwitch authenticates only the first supplicant on the port (the access point) through 802.1X. Once that authentication succeeds, the port is open to any other device connected behind it, including any wired device attached behind the AP, not only wireless clients. Control of the devices connecting to the SSID broadcast by the AP is therefore performed by Network Access Control policies on the wireless side, not by the switch port.

 

Step 3. Configure FortiNAC settings and RADIUS attributes.

 

In FortiNAC, go to System -> Settings -> Network Device.

Enable the option 'Enable Network Access Policy for Wireless Access Points'.

This ensures that when FortiNAC discovers the access point after 802.1X authentication and registration, it provisions the port with the correct AP VLAN and with the dynamic VLANs as necessary.

 

Create a Network Access Policy that matches the 'Wireless Access Point' device type.

 

Figure 2. Network Access Policy Configuration for AP device type matching.

 

Configure the Logical Network for the Access_Point in the FortiGate model configuration.

Add the dynamic access VLANs to the RADIUS attribute group for that Logical Network. The 'Egress-VLAN-Name' attributes defined in the Logical Network are appended to the default 'RFC_VLAN' RADIUS attribute group when the device authenticates successfully. These are tagged VLANs (per RFC 4675 the first character of each Egress-VLAN-Name value is the tag indication, '1' for tagged and '2' for untagged) and represent the VLANs that must be carried on the AP's uplink so that policy can be enforced on the hosts connecting to the SSID the AP broadcasts.

 

Figure 3. Configure the "Egress-VLAN-Name" vlan list for the AP switchport provisioning.

 

 

After successful authentication, FortiNAC provisions the switch port where the AP is connected with the attributes shown in the RADIUS debug output below:

 

Wed Nov 20 13:27:54 2024 : Debug: (493) Sent Access-Accept Id 134 from 10.10.10.6:1812 to 10.10.250.50:58952 length 220
Wed Nov 20 13:27:54 2024 : Debug: (493) Tunnel-Type = VLAN
Wed Nov 20 13:27:54 2024 : Debug: (493) Egress-VLAN-Name = "1User_VLAN"
Wed Nov 20 13:27:54 2024 : Debug: (493) Egress-VLAN-Name = "1Wireless_Access"
Wed Nov 20 13:27:54 2024 : Debug: (493) Egress-VLAN-Name = "1Corp_Access"
Wed Nov 20 13:27:54 2024 : Debug: (493) Tunnel-Private-Group-Id = "61"
Wed Nov 20 13:27:54 2024 : Debug: (493) Tunnel-Medium-Type = IEEE-802
Wed Nov 20 13:27:54 2024 : Debug: (493) MS-MPPE-Recv-Key = 0xee7dd9c59ae6a51a83d45727b6c9456299909
Wed Nov 20 13:27:54 2024 : Debug: (493) MS-MPPE-Send-Key = 0xafa87358e7ee7cefd87073a5df308044e28
Wed Nov 20 13:27:54 2024 : Debug: (493) EAP-Message = 0x03880004
Wed Nov 20 13:27:54 2024 : Debug: (493) Message-Authenticator = 0x00000000000000000000000000000000
Wed Nov 20 13:27:54 2024 : Debug: (493) Finished request

 

VLAN 61, returned in the 'Tunnel-Private-Group-Id' attribute, is the native (untagged) AP_VLAN over which the CAPWAP tunnel to the FortiGate is established; once CAPWAP is up, the FortiGate discovers the AP and marks it online.
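The following is an added check, not part of the original article or of FortiNAC, for confirming that the Access-Accept actually provisioned the AP port as intended. It parses FreeRADIUS-style debug lines (the sample below is constructed from the lines on this page, with the MPPE key material shortened), splits the 'Egress-VLAN-Name' values into tagged and untagged sets using the RFC 4675 tag indication, takes the native VLAN from 'Tunnel-Private-Group-Id', and compares the result against the AP VLAN and tagged VLAN list an operator expects for an AP uplink. The expected values passed to `check_ap_port` are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the Access-Accept debug lines from the article,
# with the MS-MPPE key values shortened. Attribute values are as on the page.
SAMPLE_ACCEPT = """\
Wed Nov 20 13:27:54 2024 : Debug: (493) Sent Access-Accept Id 134 from 10.10.10.6:1812 to 10.10.250.50:58952 length 220
Wed Nov 20 13:27:54 2024 : Debug: (493) Tunnel-Type = VLAN
Wed Nov 20 13:27:54 2024 : Debug: (493) Egress-VLAN-Name = "1User_VLAN"
Wed Nov 20 13:27:54 2024 : Debug: (493) Egress-VLAN-Name = "1Wireless_Access"
Wed Nov 20 13:27:54 2024 : Debug: (493) Egress-VLAN-Name = "1Corp_Access"
Wed Nov 20 13:27:54 2024 : Debug: (493) Tunnel-Private-Group-Id = "61"
Wed Nov 20 13:27:54 2024 : Debug: (493) Tunnel-Medium-Type = IEEE-802
Wed Nov 20 13:27:54 2024 : Debug: (493) MS-MPPE-Recv-Key = 0xee7dd9c5
Wed Nov 20 13:27:54 2024 : Debug: (493) MS-MPPE-Send-Key = 0xafa87358
Wed Nov 20 13:27:54 2024 : Debug: (493) EAP-Message = 0x03880004
Wed Nov 20 13:27:54 2024 : Debug: (493) Message-Authenticator = 0x00000000000000000000000000000000
Wed Nov 20 13:27:54 2024 : Debug: (493) Finished request
"""

# "(493) Attribute-Name = value" ; the request id in parentheses precedes each attribute
ATTR_RE = re.compile(r'\(\d+\)\s+([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$')


@dataclass
class Provisioning:
    native_vlan: Optional[str] = None      # Tunnel-Private-Group-Id
    tunnel_type: Optional[str] = None      # expected "VLAN"
    medium_type: Optional[str] = None      # expected "IEEE-802"
    tagged: List[str] = field(default_factory=list)    # Egress-VLAN-Name with tag '1'
    untagged: List[str] = field(default_factory=list)  # Egress-VLAN-Name with tag '2'


def parse_access_accept(text: str) -> Provisioning:
    """Extract the VLAN-related attributes from FreeRADIUS-style debug output."""
    p = Provisioning()
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue                      # "Sent Access-Accept ...", "Finished request"
        name, value = m.group(1), m.group(2).strip('"')
        if name == "Tunnel-Private-Group-Id":
            p.native_vlan = value
        elif name == "Tunnel-Type":
            p.tunnel_type = value
        elif name == "Tunnel-Medium-Type":
            p.medium_type = value
        elif name == "Egress-VLAN-Name":
            # RFC 4675: first character is the tag indication, '1' tagged, '2' untagged
            tag, vlan = value[:1], value[1:]
            if tag == "1":
                p.tagged.append(vlan)
            elif tag == "2":
                p.untagged.append(vlan)
            else:
                raise ValueError(f"bad Egress-VLAN-Name tag indication: {value!r}")
        # MS-MPPE-*, EAP-Message, Message-Authenticator: not VLAN provisioning, ignored
    return p


def check_ap_port(p: Provisioning, expected_ap_vlan: str, required_tagged: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the port matches the intended AP uplink."""
    problems = []
    if p.tunnel_type != "VLAN" or p.medium_type != "IEEE-802":
        problems.append("Tunnel-Type/Tunnel-Medium-Type are not VLAN/IEEE-802")
    if p.native_vlan != expected_ap_vlan:
        problems.append(f"native VLAN {p.native_vlan!r}, expected AP VLAN {expected_ap_vlan!r}")
    missing = sorted(set(required_tagged) - set(p.tagged))
    if missing:
        problems.append(f"tagged VLANs missing from AP uplink: {missing}")
    # Extra tagged VLANs widen what the AP (and anything behind it) can reach: flag them.
    extra = sorted(set(p.tagged) - set(required_tagged))
    if extra:
        problems.append(f"unexpected tagged VLANs on AP uplink: {extra}")
    if p.untagged:
        problems.append(f"Egress-VLAN-Name untagged entries conflict with native VLAN: {p.untagged}")
    return problems


if __name__ == "__main__":
    prov = parse_access_accept(SAMPLE_ACCEPT)
    print(prov)
    # Assumed expected provisioning for this article's scenario
    print(check_ap_port(prov, "61", ["User_VLAN", "Wireless_Access", "Corp_Access"]))
```

Run it against a captured `radiusd -X` style log for the AP's port; the check reports a mismatch in the native VLAN, a required tagged VLAN that was not sent, or a tagged VLAN that was sent but is not on the expected list. The all-zero Message-Authenticator in the debug lines is how FreeRADIUS prints that attribute before it is computed on the outgoing packet; it is not an indication that the response was sent without the HMAC.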

At this point, FortiNAC updates its inventory, adding the AP as a Topology/Inventory device and marking the port as 'WAP Uplink'.

 

 

Figure 4. FortiNAC dynamically updates port to WAP uplink once it detects the WAP device type.

 

Hosts connecting wirelessly to the SSID broadcast by this AP are controlled by the enforcement configured in the corresponding SSID model configuration in FortiNAC.

See the 'Enforcement for Wireless Scenarios' section in this article for an example of SSID model configuration and enforcement.

 

Related Documentation:

Configuring 802.1X supplicant on LAN

FortiSwitch Dynamic VLAN assignment

LAN Edge Deployment Guide

Technical Tip: CoA Support in FortiNAC 7.4 and applying DACLs in FortiSwitch FortiLink scenario