FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Sx11 (Staff)
Article Id 215606
Description

 

This article describes how to set up a Guest Registration portal with Sponsor approval in FortiNAC.

 

Scope

 

A standard setup will include the following products: FortiSwitch, FortiGate and FortiNAC.

This article only discusses the flow and steps to configure the portal on FortiNAC.

 

It is expected that the customer has already integrated FortiNAC with FortiGate by following the articles and documentation below:

 

 

  • It is also expected that FortiNAC is deployed and configured with the isolation subnet into which Rogue devices are initially moved, where they are presented with the captive portal on the eth1 interface.
  • FortiNAC needs DHCP scopes for the isolation subnet so that it can assign an isolation IP to each connecting Rogue device.
  • FortiNAC acts as the DNS server for hosts in isolation, so all HTTP and HTTPS requests from those hosts are redirected to the FortiNAC eth1 interface, where the captive portal services are available to the user.

 

Other necessary elements:

- A DHCP helper (relay) address on the isolation VLAN interface pointing to the eth1 interface of FortiNAC.

- On the routed interface of the isolation VLAN, an L3 ACL so that all traffic from isolated hosts is directed to the eth1 interface of FortiNAC and cannot reach anything else.
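To make concrete what "FortiNAC acts as DNS server for hosts in isolation" means, the following is an added example (not FortiNAC code): a minimal captive DNS responder that answers every A query with the portal (eth1) address, plus the client-side parser a tester would use to check the answer. The portal IP, query names and TTL are constructed for the example.

```python
"""Captive DNS model for the isolation subnet: every A query resolves to the
portal address, so any HTTP/HTTPS request from an isolated host lands on the
captive portal. Added example; the addresses below are constructed."""
import struct

PORTAL_IP = "192.168.100.1"   # constructed eth1 address of FortiNAC


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(msg, offset):
    """Return (name, offset after name), following RFC 1035 compression pointers."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode())
        offset += 1 + length


def build_query(qname, qid=0x1234, qtype=1):
    """What a host's resolver sends: standard query, RD=1, one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def isolation_answer(query, portal_ip=PORTAL_IP, ttl=30):
    """Captive resolver: ignore the name and answer A queries with the portal IP.
    Other types get NOERROR with no answers so the client falls back to A.
    The short TTL makes clients re-resolve soon after leaving isolation."""
    qid = struct.unpack("!H", query[:2])[0]
    _, off = decode_name(query, 12)
    qtype = struct.unpack("!H", query[off:off + 2])[0]
    question = query[12:off + 4]
    rflags = 0x8180   # QR=1, RD=1, RA=1, RCODE=NOERROR
    if qtype != 1:
        return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + question
    rdata = bytes(int(o) for o in portal_ip.split("."))
    # Name as a pointer to offset 12 (the question), then TYPE A, IN, TTL, RDLENGTH.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return struct.pack("!HHHHHH", qid, rflags, 1, 1, 0, 0) + question + answer


def a_records(response):
    """Client side: the A record addresses carried in a DNS response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(response, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = decode_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return ips
```

A practical check from a host in the isolation VLAN is to resolve an arbitrary public name: if the answer is not the eth1 address, the DHCP scope is not handing out FortiNAC as the DNS server, or the helper address or ACL is wrong, and the portal will never appear.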

 

Solution

 

A) Operation flow for a host making a wired connection to a FortiSwitch port:

 

  1. The host connects to the network.
  2. The switch sends a MAC notification trap to FortiNAC.
  3. FortiNAC enforces isolation on the port and presents the portal to the user. The host appears as Rogue in the FortiNAC Host View and is assigned an isolation IP.
  4. The user completes the registration form, which is submitted to FortiNAC.
  5. The request is sent to the sponsor, who approves it under Users & Hosts -> Account Requests by right-clicking the request in the 'Pending' status section and selecting 'Accept'.
  6. After approval, FortiNAC sends the username and password to the guest.
  7. The user logs in with these credentials (the login form is posted to FortiNAC).
  8. In the FortiNAC Host View, the guest user is now shown associated with the host. The host is registered and matches the Network Access Policy whose configuration maps to the Guest VLAN logical network.
  9. FortiNAC changes the VLAN on the port to the guest VLAN. How it does so depends on the integration method, i.e. how FortiNAC performs VLAN changes on the switch (SNMP, CLI, API, RADIUS, ...).
  10. The user obtains network access through the FortiGate firewall policies for the guest VLAN.

 

B) Operation flow for a host connecting wirelessly to the SSID

 

  1. In this scenario, FortiNAC learns the host MAC address through RADIUS.
  2. After the host connects to the SSID, the NAS sends a RADIUS Access-Request on its behalf (MAC Authentication Bypass, MAB, with the MAC address as the username).
  3. FortiNAC accepts the request and returns the isolation VLAN. The host appears as Rogue in the FortiNAC Host View and is assigned an isolation IP.
  4. All HTTP and HTTPS requests are redirected to FortiNAC (which acts as the DNS server in isolation), which presents the captive portal services.
  5. The user completes the form, which is submitted to FortiNAC.
  6. The request is sent to the sponsor, who approves it under Users & Hosts -> Account Requests by right-clicking the request in the 'Pending' status section and selecting 'Accept'.
  7. After approval, FortiNAC sends the username and password to the guest.
  8. The user logs in with these credentials (the login form is posted to FortiNAC).
  9. In the FortiNAC Host View, the guest user is now shown associated with the host. The host is registered and matches the Network Access Policy whose configuration maps to the Guest VLAN logical network.
  10. FortiNAC sends a RADIUS CoA Disconnect-Request to the NAS to terminate the host's current (isolation) session.
  11. The NAS (the wireless controller or access point acting as RADIUS client) disconnects the host from the isolation VLAN and replies to FortiNAC with a Disconnect-ACK.
  12. The NAS sends a new RADIUS Access-Request for the host, to which FortiNAC responds with an Access-Accept that includes the 'Tunnel-Private-Group-ID' attribute (together with Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802) carrying the guest VLAN access value.
  13. The user obtains network access through the FortiGate firewall policies for the guest VLAN.
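The RADIUS exchange of steps 2, 3 and 10 to 12 above, built and verified by hand as an added example. This is not FortiNAC's or the NAS's code; the shared secret, MAC address, NAS address and VLAN IDs are constructed, and the NAS is assumed to honour RFC 5176 Disconnect-Requests, which is what the CoA step in the flow relies on.

```python
"""RADIUS messages behind the wireless guest flow: MAB Access-Request,
Access-Accept carrying a VLAN, CoA Disconnect-Request/ACK, re-authentication.
Added example with constructed values; not FortiNAC code."""
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865, RFC 2868, RFC 3579, RFC 3580, RFC 5176.
ACCESS_REQUEST, ACCESS_ACCEPT, DISCONNECT_REQUEST, DISCONNECT_ACK = 1, 2, 40, 41
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 1, 4, 31, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def _attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def _tagged(atype, tag, value):
    # RFC 2868 tagged attribute: one tag byte, then a 3-byte integer or a string.
    payload = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return _attr(atype, bytes([tag]) + payload)

def _header(code, ident, body):
    return struct.pack("!BBH", code, ident, 20 + len(body))

def attributes(pkt):
    """Yield (type, value) pairs from a RADIUS packet."""
    i = 20
    while i < len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        yield atype, pkt[i + 2:i + alen]
        i += alen

def mab_access_request(secret, ident, mac, nas_ip):
    """Step 2: the NAS authenticates a supplicant-less host by MAC (MAB); the MAC
    is the User-Name. Message-Authenticator is HMAC-MD5 over the packet with its
    own value zeroed (RFC 3579); it is placed last so it is easy to fill in."""
    body = b"".join([_attr(USER_NAME, mac.encode()),
                     _attr(CALLING_STATION_ID, mac.encode()),
                     _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
                     _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    pkt = _header(ACCESS_REQUEST, ident, body) + os.urandom(16) + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(secret, pkt):
    """Server side: reject requests whose Message-Authenticator does not verify."""
    for i, (atype, value) in _offsets(pkt):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False

def _offsets(pkt):
    i = 20
    while i < len(pkt):
        yield i, (pkt[i], pkt[i + 2:i + pkt[i + 1]])
        i += pkt[i + 1]

def access_accept(secret, request, vlan_id):
    """Steps 3 and 12: Access-Accept with the VLAN in the Tunnel-* triple
    (RFC 3580). The Response Authenticator binds the reply to the request."""
    body = b"".join([_tagged(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN),
                     _tagged(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE802),
                     _tagged(TUNNEL_PRIVATE_GROUP_ID, 1, str(vlan_id))])
    header = _header(ACCESS_ACCEPT, request[1], body)
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(secret, request, response):
    """NAS side: recompute the Response Authenticator before applying the VLAN."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def vlan_from_accept(response):
    for atype, value in attributes(response):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte above 0x1F is not a tag but part of the string.
            return (value[1:] if value[0] <= 0x1F else value).decode()
    return None

def disconnect_request(secret, ident, mac):
    """Step 10: CoA Disconnect-Request (RFC 5176) naming the session by
    Calling-Station-Id; authenticator = MD5(header + 16 zero bytes + attrs + secret)."""
    body = _attr(CALLING_STATION_ID, mac.encode())
    header = _header(DISCONNECT_REQUEST, ident, body)
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body

def disconnect_ack(secret, request):
    """Step 11: the NAS acknowledges with a Disconnect-ACK (no attributes)."""
    header = _header(DISCONNECT_ACK, request[1], b"")
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def guest_flow(secret=b"constructed-secret", mac="00-11-22-33-44-55",
               isolation_vlan=999, guest_vlan=200):
    """Run steps 2-3 and 10-12 end to end; return the VLAN IDs the NAS applies."""
    nas_ip = "10.0.0.2"                        # constructed controller address
    req = mab_access_request(secret, 1, mac, nas_ip)
    if not verify_message_authenticator(secret, req):
        raise ValueError("bad Message-Authenticator")
    acc = access_accept(secret, req, isolation_vlan)
    if not verify_response(secret, req, acc):
        raise ValueError("bad Response Authenticator")
    applied = [vlan_from_accept(acc)]          # host sits in isolation, sees portal
    coa = disconnect_request(secret, 7, mac)   # after sponsor approval and login
    ack = disconnect_ack(secret, coa)
    if ack[0] != DISCONNECT_ACK or ack[1] != coa[1]:
        raise ValueError("unexpected CoA reply")
    req2 = mab_access_request(secret, 2, mac, nas_ip)
    acc2 = access_accept(secret, req2, guest_vlan)
    if not verify_response(secret, req2, acc2):
        raise ValueError("bad Response Authenticator")
    applied.append(vlan_from_accept(acc2))
    return applied
```

Two things in this exchange matter for the deployment: the shared secret must match on FortiNAC and the NAS, otherwise the Response Authenticator check fails and the controller silently ignores the VLAN; and CoA must be enabled on the NAS (and reachable from FortiNAC on UDP 3799, the RFC 5176 default), otherwise the host stays in the isolation VLAN after approval until it reconnects.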

 

Before proceeding to the portal and guest templates, the following must already exist:

 

  • A guest VLAN configured on the FortiSwitch.
  • A logical network created in FortiNAC for the guest VLAN.
  • A Network Access Configuration (used by a Network Access Policy) in FortiNAC that selects the Guest_VLAN logical network.
  • In the FortiGate model configuration, the Guest VLAN logical network set to Enforce and assigned the guest VLAN ID as its access value.

 

Step 1. Create the role and template for guests.

 

Go to Policy & Objects -> Roles.

Select GuestSelfRegistration.

Edit the role if groups need to be added to it.

 

(Screenshot: Sx11_0-1656065619257.png)

 

Step 2. Configure the template for guests.

Under Users & Hosts -> Guests & Contractors, open the guest template and select 'Role: GuestSelfRegistration' from the previous step.

 

(Screenshot: Sx11_1-1656065898729.png)

 

Edit the Data Fields (the information the guest must provide on the registration form).

 

(Screenshot: Sx11_4-1656065945839.png)

 

Step 3. Create a User/Host Profile named 'Guest' to associate with the Network Access Policy.

Under Who/What by Attribute, add Role: GuestSelfRegistration.

 

(Screenshot: Sx11_6-1656066083018.png)

 

Step 4. Create a Network Access Policy that matches the User/Host Profile created above and a Network Access Configuration.

The Network Access Configuration must specify the Guest_VLAN logical network.

 

(Screenshot: Sx11_1-1656066217109.png)

 

Step 5. Enable the self-registration guest login:

 

(Screenshot: Sx11_2-1656066330669.png)

 

Step 6. Enter a sponsor email address if sponsor approval for guests is enabled.

 

(Screenshot: Sx11_3-1656066399484.png)

 

Set 'Require sponsor approval' to 'Any User' and enable any additional features needed, as shown below:

 

(Screenshot: Sx11_6-1656066716285.png)

 

(Screenshot: Sx11_5-1656066673201.png)

 

Step 7. Configure the email server, and make sure the sponsor's user record has an email address: in Users View, modify the sponsor's user entry and set the email address. Without it, approval requests cannot be delivered.

 

(Screenshot: Sx11_7-1656066881928.png)

 

Under Settings -> System Communication -> Email Settings, configure the email (SMTP) server as needed.

 

(Screenshot: Sx11_8-1656067072582.png)

 

Step 8. Add the port where the host connects to the 'Forced Registration' and 'Role Based Access' system groups.

These are system groups; FortiNAC applies their enforcement to every port that is a member.

 

  • Forced Registration - enforces isolation when an unregistered (Rogue) host connects to a member port.
  • Role Based Access - enforces Network Access Policies on member ports and port groups.

 

To do this, add all the relevant ports to a port group and then make that port group a member of both system groups above.

For a quick test with a single port, go to the network device in Inventory, select the port, and select Group Membership.

Enable membership of both system groups. A port that is in neither group is never isolated, so a host on it will never see the portal.

 

Related articles: