FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 194272

Description

 
This article describes how to prevent Guest users who have already registered on the guest network from plugging into a switch on the internal network without being isolated by FortiNAC.
 
Scope

FortiNAC, FortiNAC-F.

Solution
 
If a Guest user is already registered and provisioned in the Guest VLAN, FortiNAC cannot isolate that user when there is no enforcement on the L2 wired switches: the guest can connect to a switch on the internal network and gain access. To prevent this, configure the following:

 

  1. Create a User/Host Profile that matches the following criteria:
  • Location = L2 Wired Switches (assuming this covers all access switches).
  • User or host Role/Security Access Value = Guest role value.

Figure 1. Create User/Host Profile to match Guests connecting to L2 Switches.

  2. Create a Network Access Configuration for the Dead End or Guest VLAN.

Figure 2. Logical network configuration on the L2 Switch.

  3. Create a Network Access Policy using the User/Host Profile and the Network Access Configuration.
  4. Set the new policy's rank to 1 (top of the list).
  5. Place the ports to be enforced in a port group and add that group to Role Based Access.
  6. Place the L2 Switch in the "Physical Address Filtering" enforcement group.

 

When a Guest connects to any of the enforced ports on the L2 switch, FortiNAC changes the port to the 'Dead End' VLAN as soon as the host matches this policy.

 

Related documents:

Model Configuration of Network Inventory devices

Device group membership

Port group membership

Enforcement groups

Technical Tip: 'State based Control' concept and VLAN changes

Technical Tip: Configuring Dead End as Enforcement