Description
This article discusses the steps to build a Network Access Policy.
The following is required in order for the connecting device to be evaluated for policy matching:
- Device must appear in Host View with a connection status of online.
- Port to which device is connected must be a member of the Role-Based Access port group.
- Host must be registered. FortiNAC does not evaluate rogue hosts.
- To apply Network Access Policies to Access Points (APs), ensure Enable Network Access Policy for Wireless Access Points is selected under System > Settings > Network Device.
Scope
FortiNAC v8.x, v9.x, F7.2, F7.4, F7.6
Solution
Configure Policy:
A Network Access Policy consists of two components:
- User/Host Profile
- Network Access Configuration
Build these components and tie them together to form a policy.
Configure the User/Host Profile with the desired criteria that the registered device must match in order for the policy to apply.
Example
- Name: Guest Profile
- Where (Location): Wireless
- Who/What by Group: Employee_Owned
- Who/What by Attribute:
  - Host [Role: Guest]
  - Host [Role: BYOD]
  - Adapter [Physical Address: 00:00:1D:43:AA:BB:CC] (add the MAC address of a test machine for validation purposes; this allows testing without affecting other devices)
- When: Specify Time
  - M,Tu,W,Th,F 8:00 AM - 6:00 PM
For the online registered host to match the Guest Profile, it must fulfill all of the following criteria:
- Is connected to an Access Point/Controller in the Wireless device group.
- Is a member of the group named 'Employee_Owned'.
- Has a host role of Guest OR BYOD.
- Is connecting during the work week (Monday through Friday) and between the hours of 8:00 AM and 6:00 PM.
- Has MAC address 00:00:1D:43:AA:BB:CC.
Configure the Network Access Configuration. This is the access value (VLAN, Role Assignment, etc.) that will be assigned if the host matches the User/Host Profile.
Example
- Name: Guest Access Configuration
- Access Value/VLAN: 500
Tie the User/Host Profile and Network Access Configuration together using a Network Access Policy.
- Name: Guest Access
- User/Host Profile: Guest Profile
- Network Access Configuration: Guest Access Configuration
Result:
If a host matches the criteria defined in Guest Profile, then the host will be assigned the values as defined in the Guest Access Configuration (VLAN 500).
Validate Policy:
- Search for the test host in Host View.
- Use the Policy Simulator to confirm whether or not the host meets the policy criteria and will match. For instructions, see the section Policy Simulator in the Administration Guide.
- Rank the policy as appropriate. By default, new policies are listed at the bottom. Hosts are matched starting from the top (Rank 1), moving downward. Policies with the most specific criteria should be listed at the top.
- Connect the test host and verify whether or not the policy matches by selecting the host in Host View, right-clicking, and selecting Policy Details.
- Once the policy has been validated, remove the Physical Address from the User/Host Profile so that the policy matches any device with the required criteria.
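The matching rules described in this article (all profile criteria must hold, roles are OR'd within the attribute, unregistered or offline hosts are never evaluated, and policies are tried top-down by rank) can be modelled in a few lines. The following is an added example written for this article, not FortiNAC code; the Host and Profile structures, field names and the evaluate() function are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed model of the matching rules described above; not FortiNAC code.
# Class and field names are assumptions made for illustration.

@dataclass
class Host:
    online: bool
    registered: bool          # rogue (unregistered) hosts are never evaluated
    port_in_rba_group: bool   # connecting port is in the Role-Based Access group
    location_group: str       # device group of the AP/switch, e.g. "Wireless"
    groups: set
    role: str
    mac: str

@dataclass
class Profile:
    name: str
    location: str = None
    group: str = None
    roles: set = field(default_factory=set)   # OR inside the attribute
    mac: str = None                           # optional: pin to one test host
    days: set = field(default_factory=set)    # weekday numbers, Monday = 0
    window: tuple = None                      # (start, end) as datetime.time

    def matches(self, host, when):
        # Every criterion that is set must hold (AND across criteria).
        checks = [
            self.location is None or host.location_group == self.location,
            self.group is None or self.group in host.groups,
            not self.roles or host.role in self.roles,
            self.mac is None or host.mac.lower() == self.mac.lower(),
            not self.days or when.weekday() in self.days,
            self.window is None or self.window[0] <= when.time() <= self.window[1],
        ]
        return all(checks)

def evaluate(policies, host, when):
    """policies: list of (profile, access_value) in rank order, rank 1 first.
    Returns the access value of the first matching policy, else None."""
    if not (host.online and host.registered and host.port_in_rba_group):
        return None  # prerequisites not met: the host is not evaluated at all
    for profile, access in policies:
        if profile.matches(host, when):
            return access
    return None
```

Running a broad catch-all profile ahead of Guest Profile shows why the most specific policy must be ranked first: the first match wins and the guest host never reaches VLAN 500.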
For additional information on Network Access Policies, see the section Network access in the Administration Guide.
For troubleshooting tips, refer to the related articles below.
Related articles:
Troubleshooting Tip: VLANs not changing on a wired switch
Technical Tip: Troubleshooting policies