Help
FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
ebilcari
Staff
Staff

Created on ‎04-25-2023 02:01 AM Edited on ‎04-25-2023 07:41 AM By Moderator

Article Id 253321

Technical Tip: Configuring access point management

Description

 

This article describes how to configure access point management in FortiNAC. In deployments that have unmanaged APs or Hubs, FortiNAC is unable to assign different VLANs depending on host status. This option offers the ability to divide these hosts in two groups normal and isolated while sharing the same VLAN.

 

Scope

 

FortiNAC with a non-managed AP or hub.

 

Solution

 

Access point management configuration is used in environments where control over the host VLAN access is not possible. For example, when hosts are connecting to the network through devices that do not support VLANs, such as non-intelligent switches or access points.

 

This feature controls hosts through IP address assignment. All hosts share the same VLAN, but hosts that need to be isolated will be presented with captive portal pages appropriate for their state. FortiNAC provides DHCP and DNS service on the access point management VLAN and for isolated hosts.

 

apm.PNG

The interface must be enabled and an IP address and mask need to be configured. There are two address pools for this isolated VLAN.

 

The first address pool defines the DHCP scope and DNS server for hosts that have a 'normal' state.

When a host connects to a port that is on the access point management VLAN and issues a DHCP request, FortiNAC consults the list of all normal state hosts, which it maintains within its configuration.

If the host is found in the list, FortiNAC will assign an IP address from the authenticated address pool and assign a production DNS server. The host will then have access to any site that can be resolved by that DNS server.

 

The second scope is created for hosts that have any state other than 'normal'. There is no DNS server defined for this scope. FortiNAC will automatically assign itself for DNS wildcarding and presentation of the appropriate isolation pages.

 

Enable option under Settings -> Control -> Access Point Management:

 

control.PNG

 

The managed switch port used when a device (a hub or an AP) connects need to have:

- Access Point Management.

- Authorized Access Points.

 

The VLAN should be manually assigned for this switch port where the AP or the hub connects.

 

defi.PNG

From the network device or the user's gateway, point the DHCP relay to FortiNAC. For example, a FortiGate-FortiSwitch connection in FortLink mode has the following configurations available:

 

FGT-FSW.PNG

 

From the end host perspective, the following are seen.

 

While in isolation:

 

isoli.PNG

 

After registration, the host will receive an IP from the production part of the subnet and the production DNS servers:

 

normali.PNG

791
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.