Description: This article describes how to assign the voice VLAN to IP phones when FortiSwitch is integrated with FortiNAC.
Scope: FortiNAC, FortiFone and FortiSwitch.
Solution:
This procedure assigns the voice VLAN to IP phones connected to a FortiSwitch when the switch is integrated with FortiNAC (FNAC).
VLAN config on FortiGate:
    config switch vlan
        edit 120
            set description "voicenac"    <-- VLAN description.
        next
    end
The VLAN name/description is 'voicenac'. A leading '1' is added to the value of the RADIUS AVP 'Egress-VLAN-Name', whose format is <tagged/untagged (1 or 2)><VLAN name string> (for example "1voicenac"), so that the FortiSwitch treats it as a tagged VLAN.
Network Policy, and User/host profile to authenticate the IP phone:
LLDP profile configured on FortiGate and assigned to FortiSwitch port2 (as shown in the above screenshot):
    config switch-controller lldp-profile
        edit "voicefnaclldp"
            set med-tlvs inventory-management network-policy location-identification
            set auto-isl disable
            config med-network-policy
                edit "voice"
                    set status enable
                    set vlan-intf "voicenac"
                    set assign-vlan enable
                    set dscp 46
                next
            end
        next
    end
This section is only needed if the phones are not statically set/tagged for the voice VLAN. For phones that are tagged or statically set to a voice VLAN, follow this KB article instead: Technical Tip: Send a tagged VLAN via RADIUS.
FortiNAC must first authenticate the device. Otherwise, it will not receive the LLDP profile.
FortiNAC must send the following three attributes in the Access-Accept packet:
    Wed Aug 10 19:57:13 2022 : Debug: (8) Sent Access-Accept Id 8 from 192.168.x.x:1812 to 192.168.x.x:34708 length 0
    Wed Aug 10 19:57:13 2022 : Debug: (8)   Tunnel-Type = VLAN
    Wed Aug 10 19:57:13 2022 : Debug: (8)   Egress-VLAN-Name = "1voicenac"    <-- VLAN 120; the leading 1 means tagged VLAN.
    Wed Aug 10 19:57:13 2022 : Debug: (8)   Tunnel-Medium-Type = IEEE-802
    Wed Aug 10 19:57:13 2022 : Debug: (8) Finished request
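As an added example (not part of the original article), a small Python check that parses FreeRADIUS-style Access-Accept debug output like the one above, decodes the Egress-VLAN-Name tag prefix and reports which of the three required attributes is missing or wrong. The log text inside it is constructed and the function names are assumptions of this example.

```python
import re

# Constructed sample in the FreeRADIUS-style debug format shown above (placeholder addresses/ids).
SAMPLE_LOG = """\
Wed Aug 10 19:57:13 2022 : Debug: (8) Sent Access-Accept Id 8 from 192.168.0.1:1812 to 192.168.0.2:34708 length 0
Wed Aug 10 19:57:13 2022 : Debug: (8) Tunnel-Type = VLAN
Wed Aug 10 19:57:13 2022 : Debug: (8) Egress-VLAN-Name = "1voicenac"
Wed Aug 10 19:57:13 2022 : Debug: (8) Tunnel-Medium-Type = IEEE-802
Wed Aug 10 19:57:13 2022 : Debug: (8) Finished request
"""

# Matches '(8) Name = value' lines; the value may or may not be quoted.
ATTR_RE = re.compile(r'\(\d+\)\s+([A-Za-z0-9-]+)\s*=\s*"?([^"\n]*?)"?\s*$')

def parse_accept_attributes(log: str) -> dict:
    """Collect the attribute lines of an Access-Accept from the debug output."""
    attrs = {}
    for line in log.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def decode_egress_vlan_name(value: str) -> tuple:
    """Egress-VLAN-Name (RFC 4675): leading '1' = tagged, '2' = untagged, then the VLAN name."""
    if len(value) < 2 or value[0] not in "12":
        raise ValueError(f"malformed Egress-VLAN-Name: {value!r}")
    return ("tagged" if value[0] == "1" else "untagged", value[1:])

def check_voice_vlan_accept(log: str, vlan_name: str) -> list:
    """Return the problems found; an empty list means all three attributes are present and correct."""
    attrs = parse_accept_attributes(log)
    problems = []
    if attrs.get("Tunnel-Type") != "VLAN":
        problems.append("Tunnel-Type must be VLAN")
    if attrs.get("Tunnel-Medium-Type") != "IEEE-802":
        problems.append("Tunnel-Medium-Type must be IEEE-802")
    raw = attrs.get("Egress-VLAN-Name")
    if raw is None:
        return problems + ["Egress-VLAN-Name missing"]
    try:
        tagging, vlan = decode_egress_vlan_name(raw)
    except ValueError as exc:
        return problems + [str(exc)]
    if vlan != vlan_name:
        problems.append(f"Egress-VLAN-Name names {vlan!r}, expected {vlan_name!r}")
    if tagging != "tagged":
        problems.append("voice VLAN must be sent tagged (prefix '1'), not untagged (prefix '2')")
    return problems
```

Feed it the text of a real Access-Accept debug from the RADIUS server and an empty result means the FortiSwitch will receive the voice VLAN as tagged; otherwise the list names what to fix in the FortiNAC network policy.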
The RADIUS Access-Request is always sent by the FortiSwitch itself, even when the switch is managed by a FortiGate, so make sure RADIUS traffic is allowed between the FortiSwitch and FortiNAC.
FortiSwitch 802.1x status:
    S108 # diagnose switch 802-1x status port2
    port2 : Mode: mac-based (mac-by-pass enable)
        Link: Link up
        Port State: authorized: ( )
        Dynamic Allowed Vlan list: 120    <---- Assigned by FortiNAC via the 'Egress-VLAN-Name' attribute (example: Egress-VLAN-Name = "1voicenac").
        Dynamic Untagged Vlan list: 188   <---- Assigned by FortiNAC via the 'Egress-VLAN-Name' attribute (example: Egress-VLAN-Name = "2vlan188") or via Tunnel-Private-Group-Id = 188.
        EAP pass-through : Enable
        EAP egress-frame-tagged : Enable
        EAP auto-untagged-vlans : Enable
        Allow MAC Move : Disable
        Dynamic Access Control List : Disable
        Quarantine VLAN (4093) detection : Enable
        Native Vlan : 50                  <----- The native VLAN is not changed via RADIUS.
        Allowed Vlan list: 120,120,188    <----- The first 120 is assigned by FortiNAC, the second 120 by the LLDP profile.
        Untagged Vlan list: 188
        Guest VLAN :
        Auth-Fail Vlan :
        AuthServer-Timeout Vlan :

        Switch sessions 1/80, Local port sessions:1/20
        Client MAC          Type   Traffic-Vlan   Dynamic-Vlan
        80:5e:c0:xx:xx:xx   MAB    120            0              <----- LLDP voice profile applied VLAN 120.

        Sessions info:
        80:5e:c0:xx:xx:xx Type=MAB,,state=AUTHENTICATED,etime=3,eap_cnt=0 params:reAuth=3600
If FortiNAC does not register the IP phone (meaning the phone remains Rogue), the switch will NOT apply any LLDP profile to it.
Copyright 2025 Fortinet, Inc. All Rights Reserved.