FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1
Staff
Article Id 221282
Description This article describes how to assign voice VLAN to IP phones when FortiSwitch is integrated with FortiNAC.
Scope FortiNAC, FortiFone and FortiSwitch.
Solution

To assign a voice VLAN to IP phones connected to a FortiSwitch that is integrated with FortiNAC (FNAC), the following must be in place:

1) FortiNAC must authenticate the IP phone using Device Profiling Rules.

2) An LLDP profile for voice traffic must be configured on the FortiGate (FGT) managing the FortiSwitch (FSW) and assigned to the interface where the IP phone is connected.

3) The FortiSwitch version must be 7.0.1 or later.

4) LLDP must be enabled on the IP phone.

VLAN config on FortiGate:

# config switch vlan
    edit 120
        set description "voicenac"  <-- VLAN description.
    next
end

FortiNAC Model Configuration:


Access from Topology:

 

1) Select Network -> Inventory.

2) Expand the Container icon.

3) Select the device, then select Virtualized Devices.

4) Double-click the root VDOM.

 

[Screenshot: Hawada1_0-1660946133383.png]

 

The VLAN name/description is 'voicenac'. The RADIUS AVP 'Egress-VLAN-Name' is encoded as <tagged/untagged (1 or 2)><VLAN name string>, so a '1' is prepended to the VLAN name (example: "1voicenac") for the FortiSwitch to treat it as a tagged VLAN; a leading '2' would mark it untagged.

Device Profiling Rule matches only the Vendor OUI:

 

[Screenshot: Hawada1_1-1660946175620.png]

 

Network Policy and User/Host Profile used to authenticate the IP phone:

 

[Screenshot: Hawada1_2-1660946196889.png]

 
FortiSwitch RADIUS Security Policy:

 

[Screenshot: Hawada1_3-1660946225814.png]
FortiSwitch Ports managed by FortiGate:


[Screenshot: Hawada1_4-1660946254213.png]

 

LLDP profile configured on FortiGate and assigned to FortiSwitch port2 (as shown in the above screenshot):

 

# config switch-controller lldp-profile
    edit "voicefnaclldp"
        set med-tlvs inventory-management network-policy location-identification
        set auto-isl disable
        config med-network-policy
            edit "voice"
                set status enable
                set vlan-intf "voicenac"
                set assign-vlan enable
                set dscp 46
            next
        end
    next
end


Important note:

FortiNAC must authenticate the device first; otherwise the phone will not receive the LLDP profile.

 

FortiNAC must send the following three attributes in the Access-Accept packet (seen here in the FortiNAC RADIUS log):


> tf /var/log/radius/radius.log

Wed Aug 10 19:57:13 2022 : Debug: (8) Sent Access-Accept Id 8 from 192.168.x.x:1812 to 192.168.x.x:34708 length 0

Wed Aug 10 19:57:13 2022 : Debug: (8) Tunnel-Type = VLAN

Wed Aug 10 19:57:13 2022 : Debug: (8) Egress-VLAN-Name = "1voicenac" <- VLAN 'voicenac' (ID 120); the leading '1' marks it as tagged.

Wed Aug 10 19:57:13 2022 : Debug: (8) Tunnel-Medium-Type = IEEE-802

Wed Aug 10 19:57:13 2022 : Debug: (8) Finished request
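The attribute encoding and the three required attributes are worth checking mechanically, for example while tailing radius.log during a rollout. The following is an added example, not code from the article or from Fortinet: it encodes and decodes the RFC 4675 tag prefix of Egress-VLAN-Name and checks a FortiNAC Access-Accept for the three attributes. The sample log lines are constructed after the excerpt above (placeholder addresses, ids and timestamps), and the parser assumes the FreeRADIUS debug line format shown there.

```python
"""Added example, not from the original article: build and verify the RADIUS
attributes FortiNAC must return for the voice VLAN.

Egress-VLAN-Name (RFC 4675) is the VLAN name prefixed with a one-character
tag indication: '1' = tagged, '2' = untagged, so '1voicenac' means
"tagged VLAN named voicenac". The log lines below are constructed after the
article's radius.log excerpt; addresses, ids and timestamps are placeholders.
"""
import re

TAGGED, UNTAGGED = "1", "2"
REQUIRED = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}

# FreeRADIUS debug format as shown in the article (assumption for other versions).
SENT_RE = re.compile(r"\((?P<rid>\d+)\)\s+Sent\s+(?P<code>Access-[A-Za-z]+)")
ATTR_RE = re.compile(r"\((?P<rid>\d+)\)\s+(?P<name>[A-Za-z0-9-]+)\s*=\s*(?P<val>\"[^\"]*\"|\S+)")


def encode_egress_vlan_name(vlan_name: str, tagged: bool = True) -> str:
    """Return the attribute value the switch expects, e.g. '1voicenac'."""
    if not vlan_name:
        raise ValueError("VLAN name must not be empty")
    return (TAGGED if tagged else UNTAGGED) + vlan_name


def decode_egress_vlan_name(value: str) -> tuple[str, bool]:
    """Return (vlan_name, tagged); reject a missing or unknown tag indication."""
    if len(value) < 2 or value[0] not in (TAGGED, UNTAGGED):
        raise ValueError(f"bad Egress-VLAN-Name tag indication in {value!r}")
    return value[1:], value[0] == TAGGED


def parse_radius_debug(log: str) -> dict:
    """Group FreeRADIUS debug lines by request id into {rid: {code, attrs}}."""
    reqs = {}
    for line in log.splitlines():
        m = SENT_RE.search(line)
        if m:
            reqs.setdefault(m["rid"], {"code": None, "attrs": {}})["code"] = m["code"]
            continue
        m = ATTR_RE.search(line)
        if m:
            attrs = reqs.setdefault(m["rid"], {"code": None, "attrs": {}})["attrs"]
            attrs[m["name"]] = m["val"].strip('"')
    return reqs


def check_voice_accept(reqs: dict, rid: str, vlan_name: str) -> list[str]:
    """List what is wrong with the Access-Accept for request `rid`; empty = OK."""
    req = reqs.get(rid)
    if req is None or req["code"] != "Access-Accept":
        return [f"request {rid}: no Access-Accept seen"]
    attrs, problems = req["attrs"], []
    for name, want in REQUIRED.items():
        if attrs.get(name) != want:
            problems.append(f"{name} = {attrs.get(name)!r}, expected {want!r}")
    value = attrs.get("Egress-VLAN-Name")
    if value is None:
        problems.append("Egress-VLAN-Name missing")
        return problems
    try:
        name, tagged = decode_egress_vlan_name(value)
    except ValueError as exc:
        return problems + [str(exc)]
    if name != vlan_name:
        problems.append(f"VLAN name {name!r}, expected {vlan_name!r}")
    if not tagged:
        problems.append("voice VLAN must be tagged ('1' prefix), got untagged ('2')")
    return problems


# Constructed sample: request 8 is correct, request 9 lacks Tunnel-Medium-Type
# and marks the VLAN untagged.
SAMPLE_LOG = """\
Wed Aug 10 19:57:13 2022 : Debug: (8) Sent Access-Accept Id 8 from 192.168.1.10:1812 to 192.168.1.20:34708 length 0
Wed Aug 10 19:57:13 2022 : Debug: (8) Tunnel-Type = VLAN
Wed Aug 10 19:57:13 2022 : Debug: (8) Egress-VLAN-Name = "1voicenac"
Wed Aug 10 19:57:13 2022 : Debug: (8) Tunnel-Medium-Type = IEEE-802
Wed Aug 10 19:57:13 2022 : Debug: (8) Finished request
Wed Aug 10 19:58:01 2022 : Debug: (9) Sent Access-Accept Id 9 from 192.168.1.10:1812 to 192.168.1.20:34709 length 0
Wed Aug 10 19:58:01 2022 : Debug: (9) Tunnel-Type = VLAN
Wed Aug 10 19:58:01 2022 : Debug: (9) Egress-VLAN-Name = "2voicenac"
Wed Aug 10 19:58:01 2022 : Debug: (9) Finished request
"""

if __name__ == "__main__":
    parsed = parse_radius_debug(SAMPLE_LOG)
    for rid in sorted(parsed):
        print(rid, check_voice_accept(parsed, rid, "voicenac") or "OK")
```

Pipe the output of `tf /var/log/radius/radius.log` into the parser (or feed it a saved copy) and check the request id of the phone's Access-Accept; an empty problem list means all three attributes are present and the VLAN is marked tagged.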


Important note:

The RADIUS Access-Request is always sent by the FortiSwitch itself, even when it is managed by a FortiGate, so make sure RADIUS traffic is allowed between the FortiSwitch and FortiNAC.

 

FortiSwitch 802.1x status:

 

S108 # diagnose switch 802-1x status port2

port2 : Mode: mac-based (mac-by-pass enable)

           Link: Link up

           Port State: authorized: ( )

           Dynamic Allowed Vlan list: 120 <---- Assigned by FortiNAC.

           Dynamic Untagged Vlan list:

           EAP pass-through : Enable

           EAP egress-frame-tagged : Enable

           EAP auto-untagged-vlans : Enable

           Allow MAC Move : Disable

           Dynamic Access Control List : Disable

           Quarantine VLAN (4093) detection : Enable

           Native Vlan : 188

           Allowed Vlan list: 120,120,188 <----- VLAN 120 appears twice: once assigned by FortiNAC (RADIUS) and once by the LLDP profile.

           Untagged Vlan list: 188

           Guest VLAN :

           Auth-Fail Vlan :

           AuthServer-Timeout Vlan :

 

           Switch sessions 1/80, Local port sessions:1/20

           Client MAC Type Traffic-Vlan Dynamic-Vlan

           80:5e:c0:xx:xx:xx MAB 120 0 <----- Traffic-Vlan 120 was applied by the LLDP voice profile.

           Sessions info:

           80:5e:c0:0d:7a:4a Type=MAB,,state=AUTHENTICATED,etime=3,eap_cnt=0                   params:reAuth=3600

 

Important note:

1) FortiNAC registers the device (think of this part as authentication).

2) Whatever VLAN FortiNAC sends, the FortiSwitch (FSW) applies the LLDP profile assigned to the interface to place the IP phone in the voice VLAN (think of this as authorization). This can be tested by sending a different voice VLAN ID in the RADIUS AVP 'Tunnel-Private-Group-ID' after authentication: the FortiSwitch applies the LLDP profile and ignores that VLAN (in the screenshots above, the VLAN sent by FortiNAC is marked green and the one assigned by LLDP red).

If FortiNAC does not register the IP phone (meaning the phone remains Rogue), the switch will NOT apply any LLDP profile.
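To verify the above behaviour on many ports without reading each status dump by hand, the following added example (not code from the article or from Fortinet) parses the 'diagnose switch 802-1x status <port>' output shown earlier and flags the case the note describes: the VLAN FortiNAC returned over RADIUS differs from the VLAN the phone actually landed in, or the MAB session is not authenticated. The sample outputs are constructed after the port2 excerpt (placeholder MAC addresses and VLAN IDs); the parser keys on the field labels in that excerpt and may need adjusting for other FortiSwitch releases.

```python
"""Added example, not from the original article: parse the output of
'diagnose switch 802-1x status <port>' and check how the voice VLAN was applied.

Field labels are taken from the port2 excerpt in the article; other FortiSwitch
releases may label them differently (assumption). The sample output below is
constructed, with placeholder MACs and VLAN IDs.
"""
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Row in the "Client MAC Type Traffic-Vlan Dynamic-Vlan" table.
CLIENT_RE = re.compile(rf"^\s*(?P<mac>{MAC})\s+(?P<type>\S+)\s+(?P<traffic>\d+)\s+(?P<dynamic>\d+)\s*$", re.I)
# Row under "Sessions info:".
SESSION_RE = re.compile(rf"^\s*(?P<mac>{MAC})\s+Type=(?P<type>\w+),+state=(?P<state>\w+)", re.I)
# Generic "Label : value" line (the port line, VLAN lists, native VLAN, ...).
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9 ()-]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_vlan_list(value: str) -> list[int]:
    """'120,120,188' -> [120, 120, 188]; an empty value gives an empty list."""
    return [int(v) for v in value.replace(",", " ").split() if v.isdigit()]


def parse_8021x_status(text: str) -> dict:
    """Split the diag output into key/value fields, client rows and session rows."""
    port = {"fields": {}, "clients": [], "sessions": []}
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            port["clients"].append({"mac": m["mac"].lower(), "type": m["type"],
                                    "traffic_vlan": int(m["traffic"]),
                                    "dynamic_vlan": int(m["dynamic"])})
            continue
        m = SESSION_RE.match(line)
        if m:
            port["sessions"].append({"mac": m["mac"].lower(), "type": m["type"],
                                     "state": m["state"].upper()})
            continue
        m = FIELD_RE.match(line)
        if m:
            port["fields"][m["key"]] = m["val"]
    return port


def check_voice_vlan(port: dict, voice_vlan: int) -> list[str]:
    """Return problems found on the port; empty means the phone is in the voice
    VLAN and the RADIUS-assigned VLAN agrees with the one LLDP-MED applied."""
    problems = []
    radius_vlans = parse_vlan_list(port["fields"].get("Dynamic Allowed Vlan list", ""))
    if voice_vlan not in radius_vlans:
        problems.append(f"RADIUS did not assign VLAN {voice_vlan}: Dynamic Allowed Vlan list = {radius_vlans}")
    for c in port["clients"]:
        if c["traffic_vlan"] != voice_vlan:
            problems.append(f"{c['mac']}: traffic VLAN {c['traffic_vlan']} is not the voice VLAN {voice_vlan}")
        if radius_vlans and c["traffic_vlan"] not in radius_vlans:
            problems.append(f"{c['mac']}: traffic VLAN {c['traffic_vlan']} differs from RADIUS-assigned "
                            f"{radius_vlans}; the LLDP-MED policy was applied instead")
    for s in port["sessions"]:
        if s["state"] != "AUTHENTICATED":
            problems.append(f"{s['mac']}: session state is {s['state']}, not AUTHENTICATED")
    return problems


# Constructed after the article's port2 output (healthy case).
STATUS_OK = """\
port2 : Mode: mac-based (mac-by-pass enable)
           Link: Link up
           Port State: authorized: ( )
           Dynamic Allowed Vlan list: 120
           Dynamic Untagged Vlan list:
           Native Vlan : 188
           Allowed Vlan list: 120,120,188
           Untagged Vlan list: 188
           Client MAC Type Traffic-Vlan Dynamic-Vlan
           80:5e:c0:00:00:01 MAB 120 0
           Sessions info:
           80:5e:c0:00:00:01 Type=MAB,,state=AUTHENTICATED,etime=3,eap_cnt=0 params:reAuth=3600
"""

# Constructed mismatch: FortiNAC returned VLAN 130, but the phone sits in 120 from LLDP-MED.
STATUS_MISMATCH = STATUS_OK.replace("Dynamic Allowed Vlan list: 120", "Dynamic Allowed Vlan list: 130")

if __name__ == "__main__":
    for label, text in (("ok", STATUS_OK), ("mismatch", STATUS_MISMATCH)):
        print(label, check_voice_vlan(parse_8021x_status(text), 120) or "OK")
```

Run it against the saved output of the diag command for each phone port; a non-empty list for a port that looks "up" is exactly the situation the note describes, where the switch has placed the phone according to the LLDP profile rather than the VLAN FortiNAC returned.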


Related document:

https://docs.fortinet.com/document/fortiswitch/7.0.1/administration-guide/110505/dynamic-vlan-assign...