FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff
Article Id 352186
Description This article describes the options and some suggestions when initially applying the FortiNAC Configuration Wizard at the start of the deployment phase. 
Scope FortiNAC, FortiNAC-F.
Solution

The Configuration Wizard is an important tool used in the initial deployment phase of FortiNAC. 

It is used to apply the system configuration settings such as DNS, Isolation Scopes, Routes, and more.

 

It is important to define the differences in the options of 'Network Type' and 'VLAN per state' when initially deploying FortiNAC.

 

  1. Network Type.

 

Choosing the 'Network Type' defines how the FortiNAC port2 interface is configured.

It also enables the core FortiNAC Isolation feature through state-based control (port2 is referred to as eth1 on legacy FortiNAC running on CentOS).

 

Figure 1. Choosing the "Network Type" in the Configuration Wizard.

Differences between these network types are the following:

 

  • In a Layer 3 implementation, FortiNAC port2 is configured as an access (routed) interface, not a trunk port. The IP address assigned to port2 should belong to a stub network. The Isolation networks reach the port2 IP address on that stub network through firewall policies or ACLs, which filter that traffic. Traffic is routed to the hosts on each Isolation subnet/scope defined in the DHCP scopes.
  • In a Layer 2 implementation, port2 is configured as an 802.1q trunk port that accepts 802.1q-tagged traffic from any of the Isolation VLANs.

 

FortiNAC will act as a DHCP server for the Isolation subnets specified in the configuration.

 

  • In a Layer 3 implementation, FortiNAC receives DHCP Discover packets from the gateway of each Isolation VLAN. This requires a DHCP helper (relay) pointing to the FortiNAC port2 IP address to be configured on the network devices acting as gateways.
  • In a Layer 2 implementation, FortiNAC port2 resides in the same broadcast domain as the Isolation subnets. In this case, the DHCP Discover packets broadcast by clients are received directly by FortiNAC.

 

It is recommended to use a Layer 3 implementation since it is scalable, and new isolation scopes from any branch office can easily be added to enforce control.

 

  2. VLANs per host state.


In this step, it is mandatory to choose the VLAN where the Isolation Scopes/subnets are defined. FortiNAC will control these "Isolation" subnets by providing DHCP, DNS and captive services dependin...

 

Figure 2. Configuring VLAN type "Layer 3 Isolation" in the Configuration Wizard.

 

There are two options:

 

  a. Shared VLAN per host state. This is called the 'Layer 3 Isolation' VLAN.
    It includes all the captive services (registration, remediation, etc.) and automatically presents each endpoint with the portal that matches its state. For example, if a host is marked At Risk ('+'), FortiNAC presents the Remediation portal; if the host is a Rogue (?) that is not yet registered, FortiNAC presents the Registration portal, and so on.

    In this case, each gateway of the Isolation subnets needs only one DHCP relay IP address, pointing to FortiNAC port2.

  b. Separate VLANs per host state. These are the Layer 3 networks marked with a red label in Figure 2.

 

FortiNAC administrators must then assign specific Isolation networks to the Layer 3 Registration scope, others to the Layer 3 Remediation scope, and so on. Each state gets its own FortiNAC port2 IP address, because FortiNAC creates a sub-interface under port2 for each VLAN.

 

It is recommended to configure only option a., the 'Layer 3 Isolation' VLAN, for ease of management and deployment.

Option b., separate VLANs, can be beneficial in very large environments where the FortiNAC administrator wants a more organized view of the Isolation scopes by host state. Instead of scrolling through a long list of scopes under 'Layer 3 Isolation', the network ranges can be grouped by host state, which gives a clearer view and easier administration when manipulating the DHCP scopes.
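The rules above (Layer 3 relays point at port2 while Layer 2 needs none, a shared VLAN means one relay target for every gateway while separate VLANs mean one per state, and port2 must sit on a stub network outside the Isolation subnets) can be checked before the wizard is run. The following planner is an added example and not FortiNAC code; the scopes, gateways and port2 addresses in it are constructed sample values.

```python
import ipaddress

# Constructed sample scopes: (host state, isolation subnet, gateway IP on the L3 device)
ISOLATION_SCOPES = [
    ("registration", "10.50.10.0/24", "10.50.10.1"),
    ("remediation",  "10.50.20.0/24", "10.50.20.1"),
    ("registration", "10.60.10.0/24", "10.60.10.1"),  # a branch-office scope
]


def validate_scopes(port2_ip, scopes):
    """Return a list of problems found in a Layer 3 isolation plan.

    Checks: port2 must be outside every isolation subnet (stub network),
    each gateway must belong to the subnet it serves, and subnets must not
    overlap so that each maps to exactly one DHCP scope."""
    problems = []
    addr = ipaddress.ip_address(port2_ip)
    nets = [(s, ipaddress.ip_network(n), ipaddress.ip_address(g)) for s, n, g in scopes]
    for state, net, gw in nets:
        if addr in net:
            problems.append(f"port2 {addr} lies inside isolation subnet {net}")
        if gw not in net:
            problems.append(f"gateway {gw} is not in {net}")
    for i, (_, a, _) in enumerate(nets):
        for _, b, _ in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def dhcp_relay_plan(network_type, vlan_option, port2_ips, scopes):
    """Map each isolation gateway to the DHCP relay target it must point at.

    network_type: 'layer3' or 'layer2'; vlan_option: 'shared' or 'separate'.
    port2_ips: {'isolation': ip} for the shared Layer 3 Isolation VLAN, or
    {state: ip} when FortiNAC has one port2 sub-interface per host state."""
    if network_type == "layer2":
        return {}  # port2 is in the same broadcast domain: no relay needed
    plan = {}
    for state, _net, gw in scopes:
        key = "isolation" if vlan_option == "shared" else state
        if key not in port2_ips:
            raise ValueError(f"no port2 address defined for host state '{state}'")
        plan[gw] = port2_ips[key]
    return plan


if __name__ == "__main__":
    print(validate_scopes("10.1.1.5", ISOLATION_SCOPES))
    print(dhcp_relay_plan("layer3", "shared", {"isolation": "10.1.1.5"}, ISOLATION_SCOPES))
```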

 

Related Documentation:

FortiNAC Network Type configuration.

FortiNAC "Isolation" Vlans

Configuration Wizard