FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hatibi (Staff)
Article Id 215606
Description

 

This article describes how to set up a Guest Registration portal with Sponsor approval in FortiNAC.

 

Scope

 

A standard setup will include the following products: FortiSwitch, FortiGate and FortiNAC.

This article only discusses the flow and steps to configure the portal on FortiNAC.

 

It is expected the customer has already performed integration of FortiNAC and FortiGate by referring to the following articles and documentation:

 

Technical Tip: An example of a simple network deployment of FortiNAC with FortiGate/FortiSwitch

Technical Tip: A simple deployment including FortiGate/FortiAP (self-registered guest)

FortiGate endpoint management integration guide

FortiSwitch integration guide

 

  • It is also expected that FortiNAC is deployed and configured with the isolation subnet, to which Rogue devices are initially moved and where they are presented with the captive portal on the eth1 interface.
  • DHCP scopes must be configured on FortiNAC so that it can assign isolation IP addresses to connecting Rogue devices.
  • FortiNAC acts as the DNS server for hosts in Isolation. All HTTP and HTTPS requests are redirected to FortiNAC eth1, where the captive portal services are available to users.

 

Other necessary elements:

  • DHCP helper addresses pointing to the ETH1 interface of FortiNAC.
  • On the VLAN's routed interface, an L3 ACL is necessary to route all traffic to the ETH1 interface of FortiNAC.

 

To troubleshoot issues with the Guest/Captive portal not appearing for rogue hosts, follow this article.

 

Solution

 

     A. Operation flow for a host making a wired connection to a FortiSwitch port:

 

  1. The host connects to the network.
  2. The Switch sends a MAC Notification trap to FortiNAC.
  3. FortiNAC enforces Isolation on the Port and presents the portal to the user. The host appears as Rogue(?) in FortiNAC host view and will have an Isolation IP assigned.
  4. The user completes Registration form and sends request to FortiNAC.
  5. The request is sent to the Sponsor (who needs to approve it under User & Hosts -> Account Requests by 'right-clicking' the request under the 'status pending' section and selecting 'Accept').
  6. After approval, FortiNAC sends user + password information to the Guest.
  7. The user logs in with credentials. (The post is sent to FortiNAC.)
  8. In the FortiNAC host view, the guest user associated with the host is displayed. The guest user is now registered and matching the needed Network Access policy with the guest VLAN logical configuration.
  9. FortiNAC will change the VLAN on the port to the GUEST VLAN depending on the integration method and on how FortiNAC performs VLAN changes on the switch (SNMP, CLI, API, RADIUS, ...).
  10. The user achieves network access through FortiGate Policies.

 

     B. Operation flow for a host connecting wirelessly to the SSID

 

  1. In these scenarios, FortiNAC learns about the Host MAC address through RADIUS protocol.
  2. After connecting to the SSID the Host sends a Radius Authentication Request (MAB).
  3. FortiNAC authenticates the host and returns the Isolation VLAN. The host appears as Rogue(?) in FortiNAC host view and will have an Isolation IP assigned.
  4. All HTTP and HTTPS requests will be redirected to FortiNAC (which is acting as DNS server in isolation), which will present the Captive portal services.
  5. The user completes the form and sends a request to FortiNAC.
  6. The request is sent to the sponsor (who needs to approve it under User & Hosts -> Account Requests by 'right-clicking' the request under the 'status pending' section and selecting 'Accept').
  7. After approval, FortiNAC sends the user + password information to the guest.
  8. The user logs in with credentials (the post is sent to FortiNAC).
  9. In the FortiNAC host view, the guest user associated with the host is displayed. The guest user is now registered and matching the necessary Network Access policy with the guest VLAN logical configuration.
  10. FortiNAC sends a RADIUS CoA disconnect request to de-authenticate the host from its current isolation state.
  11. The NAS (Switch) disconnects the host from the isolation state (VLAN) and sends a RADIUS CoA ACK to FortiNAC.
  12. The host sends a new RADIUS authentication request, to which FortiNAC responds with an Access-Accept that includes the 'Tunnel-Private-Group-Id' attribute carrying the Guest VLAN access value.
  13. The user has network access through FortiGate policies.
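As an added example that is not part of the Fortinet article, the Python below builds the Access-Accept from step 12 with the standard RFC 2868 tunnel attributes and parses one back to check which VLAN it actually assigns, which is the check to make on a capture when a guest host does not land in the Guest VLAN. The attribute numbers are the standard ones; identifier 7, the zeroed Response Authenticator and Guest VLAN 40 are constructed sample values.

```python
import struct
ACCESS_ACCEPT = 2  # RADIUS code (RFC 2865); tunnel attribute numbers below are from RFC 2868
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = (13).to_bytes(3, "big")   # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = (6).to_bytes(3, "big")   # Tunnel-Medium-Type = IEEE-802

def build_attr(atype, value):  # Type, Length (incl. 2-byte header), Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_accept(identifier, authenticator, vlan_id, tag=0):
    """Access-Accept carrying the tagged VLAN triple a NAS needs to move the port."""
    t = bytes([tag])
    attrs = (build_attr(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN)
             + build_attr(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_802)
             + build_attr(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode()))
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(packet):
    """Walk the attribute list after the 20-byte header; reject malformed lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, off = [], 20
    while off + 2 <= length:
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[off + 2:off + alen]))
        off += alen
    return code, attrs

def _untag(value):  # RFC 2868: a leading byte 0x00..0x1F is a tag grouping the tunnel attributes
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)

def assigned_vlan(packet):
    """Return the VLAN the Access-Accept assigns, or None if the triple is incomplete."""
    code, attrs = parse_attrs(packet)
    if code != ACCESS_ACCEPT:
        return None
    groups = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = _untag(value)
            groups.setdefault(tag, {})[atype] = body
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None

# Constructed sample: identifier 7, zeroed placeholder Response Authenticator, Guest VLAN 40
GUEST_ACCEPT = build_access_accept(7, bytes(16), 40)
```

A reply that carries only Tunnel-Private-Group-Id without Tunnel-Type and Tunnel-Medium-Type returns None, which is one reason a switch may leave the port in the isolation VLAN.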

 

Before proceeding to the Portal and guest templates, the following must already be in place:

 

  • A guest VLAN configured on the FortiSwitch.
  • A logical network created for the Guest VLAN in FortiNAC.
  • A network access configuration/policy in FortiNAC matching the Guest_VLAN logical network.
  • A guest VLAN logical network is enforced and assigned an access value in the FortiGate model configuration.

 

Step 1. Create role and template for Guests.

 

Go to Policy and Objects -> Roles.

Select GuestSelfRegistration.

Edit the details if groups need to be added to this role.

 

Figure 1. Set Role for self registering guests.

 

 

Step 2. Configure the Template for Guests.

Go to User & Devices and select 'Role: GuestSelfRegistration' from the previous step.

 

Figure 2. Guest Template configuration for self registering guests.

 

 

Edit the Data fields.

 

Figure 3. Set the required "Data Fields" that must be filled by the guest during the registration process.

 

 

Step 3. Create a user host profile named 'Guest' to associate with the network access policy.

Add the Who/What attribute Role: GuestSelfRegistration.

 

Figure 4. User "Role" as filtering criteria in the user host profile.

 

 

Step 4. Create a network access policy matching the previously created User/host profile and Network access configuration.

The network access configuration should specify the Guest_Vlan logical network.

 

Figure 5. Define Network Access configuration.

 

 

Step 5. Enable the self-registration guest login:

 

Figure 6. Enable Guest Self registration in the portal settings.

 

 

 

Step 6. Enter a sponsor email if sponsor approval for guests is enabled.

 

Figure 7. Enable sponsor approval.

 

 

Set 'Require sponsor approval' to 'Any User' and enable additional features if needed, as below:

 

 

Figure 8. Additional settings related to the approval process in the portal configuration.

 

 

 

Step 7. Configure the email server and verify the sponsor's email address under Users View by modifying the user entry and configuring the email address.

 

Figure 9. Admin user for sponsor approval and email server configuration.

 

 

 

 

Under Settings -> System Communication, go to Email settings and configure the Email server as needed.

 

Figure 10. Email Server configuration options.

 

 

Step 8. Add the port where the host connects to the 'Force Registration' and 'Role Based Access' groups.

These are system groups that will provide enforcement to all ports that are marked as members.

 

  • Force Registration - Enforces isolation when unregistered hosts connect.
  • Role-Based Access - Enforces Network access policies on the member ports and port groups.

 

In order to do this, include all the needed ports in a port group and then make this group a member of both system groups above.

For a simple test with one port, it is possible to go to the Network device in Inventory view, select the port, and select Group Membership.

Enable membership for both system groups.

 

Related articles:

Technical Tip: Troubleshooting domain resolution in the captive portal

Technical Tip: How to troubleshoot FortiNAC guest captive portal authentication

Technical Tip: Troubleshooting captive portal page not building or rendering

Troubleshooting Tip: Captive portal page not building or slow to build

Troubleshooting Tip: Portal page cannot be reached