Created on 11-20-2024 09:04 AM, edited on 02-17-2025 12:35 AM, by Jean-Philippe_P
Description: This article describes how FortiNAC can provision switchports on any Network Inventory device to support AP-free seating and apply control to any type of endpoint connecting to the infrastructure switches.
Scope: FortiNAC-F, FortiGate, FortiSwitch, FortiAP.
Solution:
In this scenario, FortiNAC uses device profiling rules or automatic 802.1X registration to register access points that authenticate as 802.1X clients. Once the host is categorized with the Access Point device type, FortiNAC moves the AP into the Topology view as an inventory device and marks the switchport it is connected to as a WAP uplink. Dynamic VLAN assignment is then used to apply control to the wirelessly connected hosts.
Step 1. Configure the Access Point as an 802.1x Supplicant.
The document 'Configuring 802.1X supplicant on LAN' provides the steps needed to configure a FortiAP as an 802.1X client. Device certificates with EAP-TLS are recommended. Once the FortiAP is connected to a FortiSwitch port where an 802.1X policy is enabled, FortiNAC authenticates and registers the FortiAP as an AP device type, then models it as a Topology device and lists it in the Network Inventory.
This scenario requires 802.1X to be enabled on the port where the FortiAP or other AP device connects, with the security mode set to 'Port-based'. Port-based mode is needed so that FortiSwitch authenticates only the first device that connects (the AP) and then opens the port for all other devices connecting behind it.
In this case, a RADIUS session is established for the AP on the FortiSwitch port, while hosts connecting wirelessly are controlled on the WLC where the SSID is configured.
This does not work with MAB. If the FortiAP authenticates through MAB, all Wi-Fi clients connecting to the SSID are treated as local sessions established at the switch level, and FortiNAC is then unable to dynamically provision VLANs for those Wi-Fi clients.
Step 2. Configure FortiSwitch 802.1x policy on ports.
For FortiSwitches in FortiLink mode, configure the security policy in the FortiGate GUI under WiFi & Switch Controller -> FortiSwitch Ports.
With the Port-based configuration, FortiSwitch authenticates only the access point through 802.1X when it first connects to the port; the port is then open to other devices connecting behind it. Control for those devices, which connect to the SSID broadcast by the AP, is performed through Network Access Control policies.
Step 3. Configure FortiNAC settings and RADIUS attributes.
In FortiNAC, go to System -> Settings -> Network Device and enable the option 'Enable Network Access Policy for Wireless Access Points'. This ensures that FortiNAC provisions the port with the correct AP VLAN and dynamic VLANs as necessary when it discovers the access point after 802.1X authentication and registration.
Create a Network Access Policy that matches the 'Wireless Access Point' device type.
Configure the Logical Network for the Access_Point in the FortiGate model configuration, and add the dynamic access VLANs to the RADIUS attribute group for that Logical Network. The RADIUS attributes defined in the Logical Network under 'Egress-VLAN-Name' are appended to the default 'RFC_VLAN' RADIUS attribute group when the device authenticates successfully. These are tagged VLANs representing the VLANs needed to enforce policy on the hosts that connect to the SSID broadcast by the AP.
After successful authentication, FortiNAC will provision the switchport where the AP is connected with the above attributes:
Wed Nov 20 13:27:54 2024 : Debug: (493) Sent Access-Accept Id 134 from 10.10.10.6:1812 to 10.10.250.50:58952 length 220
VLAN 61, returned in the 'Tunnel-Private-Group-Id' attribute, is the AP_VLAN over which CAPWAP communication is established and through which FortiGate discovers the device and marks it as online. At this point, FortiNAC updates its inventory by adding the AP as a Topology/Inventory device and marking the port as 'WAP Uplink'.
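As an added example that is not part of the article and not FortiNAC's own code, the following Python builds the VLAN attributes an Access-Accept for a port-based AP session should carry (native AP VLAN plus tagged client VLANs) and checks a received one for the failure modes that break dynamic VLANs for wireless clients. It assumes the Tunnel-* attributes of RFC 3580 and the Egress-VLANName / Egress-VLANID encodings of RFC 4675 (the article's 'Egress-VLAN-Name' is RFC 4675's Egress-VLANName); the VLAN names in the checks are constructed placeholders.

```python
# Added example, not FortiNAC code; attribute names and encodings per RFC 3580 / RFC 4675.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value for VLAN (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value for IEEE-802 (RFC 3580)
TAGGED, UNTAGGED = "1", "2"  # RFC 4675 tag-indication prefix characters

def build_ap_port_attributes(ap_vlan_id, tagged_vlan_names):
    """Attributes the AP port needs under port-based 802.1X: the AP/CAPWAP VLAN
    untagged via Tunnel-Private-Group-Id (the article's RFC_VLAN group) and the
    client VLANs appended as tagged Egress-VLANName values."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": str(ap_vlan_id),
        "Egress-VLANName": [TAGGED + name for name in tagged_vlan_names],
    }

def encode_egress_vlanid(vlan_id, tagged=True):
    """RFC 4675 Egress-VLANID: 8-bit tag indication (0x31 tagged / 0x32 untagged),
    12 zero bits, then the 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return (ord(TAGGED if tagged else UNTAGGED) << 24) | vlan_id

def decode_egress_vlanid(value):
    """Inverse of encode_egress_vlanid; returns (tagged, vlan_id)."""
    indication = chr((value >> 24) & 0xFF)
    if indication not in (TAGGED, UNTAGGED) or (value >> 12) & 0xFFF:
        raise ValueError(f"malformed Egress-VLANID 0x{value:08x}")
    return indication == TAGGED, value & 0xFFF

def check_ap_access_accept(attrs, expected_ap_vlan_id, expected_tagged_names):
    """Problems found in an Access-Accept for the AP port (empty list = OK). Catches
    a wrong native VLAN and client VLANs that are missing or came back untagged."""
    problems = []
    if (attrs.get("Tunnel-Type"), attrs.get("Tunnel-Medium-Type")) != (
            TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802):
        problems.append("Tunnel-Type/Tunnel-Medium-Type are not VLAN/IEEE-802")
    if attrs.get("Tunnel-Private-Group-Id") != str(expected_ap_vlan_id):
        problems.append(f"native VLAN {attrs.get('Tunnel-Private-Group-Id')!r}, "
                        f"expected {expected_ap_vlan_id}")
    names = attrs.get("Egress-VLANName", [])
    tagged = {v[1:] for v in names if v[:1] == TAGGED}
    untagged = {v[1:] for v in names if v[:1] == UNTAGGED}
    for name in expected_tagged_names:
        if name in untagged:
            problems.append(f"client VLAN {name} returned untagged, expected tagged")
        elif name not in tagged:
            problems.append(f"client VLAN {name} missing from Egress-VLANName")
    return problems
```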
Hosts connecting wirelessly to the SSID broadcast by this AP are controlled by the enforcement applied in the respective SSID model configuration in FortiNAC. See the 'Enforcement for Wireless Scenarios' section of the article 'Technical Tip: Comprehensive guide for a simple FortiNAC deployment' for an example of SSID model configuration and enforcement.
Related documents:
Configuring 802.1X supplicant on LAN
FortiSwitch Dynamic VLAN assignment
Technical Tip: CoA Support in FortiNAC 7.4 and applying DACLs in FortiSwitch FortiLink scenario