FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Article Id 342547
Description This article describes how to check Network Events and identify the enforcement actions performed on hosts connecting over wireless.
Scope FortiNAC.
Solution

When FortiNAC applies enforcement on wireless connections, Network -> Network Events in the FortiNAC GUI can be used to check the connection logs and the Logical Network/Access VLAN applied at each stage, from Rogue entry creation to host registration. This helps administrators verify timestamps and the control actions performed by FortiNAC.

Example: the user connects to a Guest SSID under FortiNAC control.

In this case, the user registers using the Guest Self Registration template, and the following happens upon initial connection:

  1. The user connects to the SSID and FortiNAC receives a RADIUS MAC authentication request, which it uses to learn the host and create the Rogue entry.
  2. FortiNAC responds to the NAS (WLC) with a RADIUS Access-Accept containing the Isolation VLAN (VLAN 181 in this example).
  3. The host gets its DHCP and DNS configuration from FortiNAC. All HTTP requests are redirected to FortiNAC, which presents the Captive Portal for registration.
  4. The user selects 'Guest Self Registration' and is prompted to accept an 'Acceptable Usage Policy'. After accepting it, the user is provided by FortiNAC with the credentials to log in.
  5. Once the user logs in, FortiNAC registers the host to the logged-in user and applies the matching Network Access Policy, which pushes the Logical Network configuration containing the VLAN value for the Guest network (VLAN 80 in this example).
  6. FortiNAC sees a need for a VLAN change and sends a RADIUS CoA-Request or Disconnect-Request message to de-authenticate the host from its current isolation state.
  7. The NAS (WLC) responds with an ACK to FortiNAC and at the same time re-authenticates or disconnects the user from the current isolation authentication session.
  8. The host reconnects automatically and the NAS (WLC) sends a new Access-Request to FortiNAC.
  9. FortiNAC responds to the NAS (WLC) with a RADIUS Access-Accept containing VLAN 80.
  10. The host gets a new IP address from the production DHCP server and has network access as permitted by the firewall policies.
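As an added example, not FortiNAC's own code, the following Python builds and decodes the RADIUS messages behind steps 2, 6 and 9, so the 'Net ID' later shown in Network Events can be related to what the NAS actually receives on the wire. It assumes the VLAN is carried in the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which the article does not state, and uses a zero authenticator placeholder instead of a real one.

```python
import struct
# RADIUS packet codes (RFC 2865; Disconnect/CoA from RFC 5176).
ACCESS_ACCEPT, DISCONNECT_REQUEST, COA_REQUEST = 2, 40, 43
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 40: "Disconnect-Request", 43: "CoA-Request"}
# Tunnel attributes that carry a VLAN assignment (RFC 2868 / RFC 3580); assumed, not confirmed by the article.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
HEADER = struct.Struct("!BBH")  # code, identifier, length; a 16-byte authenticator follows

def _avp(attr_type, payload):
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload

def build_packet(code, identifier, attrs=b"", authenticator=bytes(16)):
    # The zero authenticator is a constructed placeholder, not a real one (no shared secret here).
    return HEADER.pack(code, identifier, 20 + len(attrs)) + authenticator + attrs

def vlan_attributes(vlan_id, tag=0):  # tag 0 = untagged; each tunnel attribute is tag-prefixed
    tagged_int = lambda v: bytes([tag]) + struct.pack("!I", v)[1:]
    return (_avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def parse_packet(packet):
    """Return (code name, {attribute type: raw value}), rejecting inconsistent lengths."""
    code, _ident, length = HEADER.unpack_from(packet)
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return CODE_NAMES.get(code, str(code)), attrs

def assigned_vlan(packet):
    """VLAN the NAS should apply, or None when the packet carries no VLAN attributes."""
    group = parse_packet(packet)[1].get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:
        return None
    if group[0] <= 0x1F:  # RFC 2868: a leading byte <= 0x1F is a tag, not data
        group = group[1:]
    return int(group.decode())

def enforcement_trace(isolation_vlan=181, guest_vlan=80):
    """Steps 2, 6 and 9 of the article as decoded packets: (host state, message, VLAN)."""
    exchange = [("Rogue", build_packet(ACCESS_ACCEPT, 1, vlan_attributes(isolation_vlan))),
                ("Registered", build_packet(DISCONNECT_REQUEST, 2)),
                ("Registered", build_packet(ACCESS_ACCEPT, 3, vlan_attributes(guest_vlan)))]
    return [(state, parse_packet(pkt)[0], assigned_vlan(pkt)) for state, pkt in exchange]
```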

In Network Events it is possible to verify the host/user network events for this example.

Figure 1. Checking events for wireless connecting users and matching Logical Networks per host state.

To investigate, it is helpful to add the wireless adapter MAC address as a filter in 'MAC Address'. This shows connection logs for that specific host only.

Expanding the '+' drop-down on the left shows the history of the Rogue entry from its creation up to its registration to the Guest user.

The results provide information about the Logical Networks applied during each host state and the Access Value ('Net ID') sent in each case with the RADIUS Access-Accept.

Related Documentation: