This article provides additional information on configuring a user Network Access Control (NAC) firewall policy in FortiSwitch. A test client is used as an example for clarity.
FortiOS and FortiSwitch versions 6.4 and above.
Read more about Network Access Control in FortiSwitch here.
1) Specify the port on which NAC access mode is to be enabled. Normally, this is done with the method in the referenced document. In this article, a different method is used:
Go to Wifi & Switch Controller -> Managed FortiSwitches -> FortiSwitch Ports and select the desired FortiSwitch. Right-click on the port and set the mode to 'NAC'.
Note that when NAC is enabled on a port, the port's native VLAN is set to the onboarding VLAN.
2) Configure the onboarding VLAN. The onboarding VLAN is one of the default VLANs created on the firewall when the FortiSwitch comes online on the firewall.
Go to Wifi & Switch Controller -> Managed FortiSwitches -> FortiSwitch VLANs and select the onboarding VLAN. Select Edit, set an IP range, set Security mode to 'Captive Portal', and set Authentication portal to 'Local', as shown below:
3) In this example, a user has already been created locally on the firewall and mapped to a user group that was also created on the firewall. To create a user or user group, see the FortiSwitch documentation.
4) Create a 'User' NAC policy as explained under the 'Creating a user policy' section of the documentation (select 'User' for the category/device pattern). Map the policy to the user group containing the user's credentials and, under the switch controller action, use the optional 'Assign VLAN' setting to select the VLAN that the client is moved to after authentication.
5) Create a firewall policy (under Policy & Objects -> Firewall Policy) from the onboarding VLAN to WAN1 (the internet-facing interface). For the Source, select 'all' and the user group, as shown below:
A) When the client connects to the switch port, a captive portal splash page opens in the browser prompting for user credentials. The splash page URL shows the onboarding VLAN IP, and during this time the client has an IP address from the onboarding VLAN.
Enter the credentials created in step 3.
B) Once the device is authenticated after entering the credentials, it is shown under the matched policy (Wifi & Switch Controller -> Managed FortiSwitches -> NAC policy -> select the policy -> select Matched policy) and the client's IP is changed from the onboarding VLAN IP to an IP in the assigned VLAN, as per the NAC policy.
This can also be confirmed from the FortiSwitch CLI (the client is connected on port 2, which is in NAC mode):
# diagnose switch mac-address list | grep port2
# sh switch vlan 10
set description "Manxxx AP" <--- VLAN of the client.
# config member-by-mac
set mac a0:29:19:48:ee:74 <--- Mac address of the client.
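The two CLI checks above (the MAC table entry for the NAC port and the member-by-mac list of the assigned VLAN) can be automated when many clients are onboarded. The following Python script is an added example written for this article; it is not Fortinet code and does not talk to a switch. It parses constructed text in the style of the 'diagnose switch mac-address list' and 'show switch vlan' output (the exact line format is assumed, not taken from the article) and classifies the client by where it currently sits: still on the onboarding VLAN (not yet authenticated, or the NAC policy did not match), on the assigned VLAN (authenticated), or somewhere unexpected. The onboarding VLAN ID 4089 is assumed to be the FortiOS default; the client MAC a0:29:19:48:ee:74 and VLAN 10 are the values shown in the article.

```python
import re

# Constructed sample output in the style of the FortiSwitch
# 'diagnose switch mac-address list' command (line format assumed).
# The client MAC and port2 come from the article; the second entry is filler.
MAC_TABLE_BEFORE_AUTH = """\
MAC: a0:29:19:48:ee:74  VLAN: 4089  Port: port2(port-id 2)  Flags: 0x00010000 [ dynamic ]
MAC: 00:11:22:33:44:55  VLAN: 10    Port: port5(port-id 5)  Flags: 0x00010000 [ dynamic ]
"""
MAC_TABLE_AFTER_AUTH = """\
MAC: a0:29:19:48:ee:74  VLAN: 10    Port: port2(port-id 2)  Flags: 0x00010000 [ dynamic ]
MAC: 00:11:22:33:44:55  VLAN: 10    Port: port5(port-id 5)  Flags: 0x00010000 [ dynamic ]
"""

# Constructed 'show switch vlan 10' output in FortiSwitch config style,
# expanded from the fragment quoted in the article.
VLAN10_CONFIG = """\
config switch vlan
    edit 10
        set description "Manxxx AP"
        config member-by-mac
            edit 1
                set mac a0:29:19:48:ee:74
            next
        end
    next
end
"""

ONBOARDING_VLAN = 4089  # assumed FortiOS default onboarding VLAN ID
ASSIGNED_VLAN = 10      # VLAN assigned by the NAC policy in the article

MAC_LINE = re.compile(
    r"MAC:\s*(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"VLAN:\s*(?P<vlan>\d+)\s+Port:\s*(?P<port>\w+)",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {mac: (vlan_id, port)} from mac-address list output."""
    entries = {}
    for line in text.splitlines():
        m = MAC_LINE.search(line)
        if m:
            entries[m["mac"].lower()] = (int(m["vlan"]), m["port"].lower())
    return entries


def parse_member_by_mac(text):
    """Return the set of MACs listed under member-by-mac in 'show switch vlan' output."""
    macs = set()
    in_members = False
    for line in text.splitlines():
        s = line.strip()
        if s == "config member-by-mac":
            in_members = True
        elif in_members and s == "end":
            in_members = False
        elif in_members and s.startswith("set mac "):
            macs.add(s.split()[2].lower())
    return macs


def nac_client_state(mac_table_text, client_mac, nac_port,
                     assigned_vlan=ASSIGNED_VLAN, onboarding_vlan=ONBOARDING_VLAN):
    """Classify the NAC client's current position from the switch MAC table.

    'onboarding'      - still on the onboarding VLAN (captive portal stage)
    'assigned'        - moved to the NAC-assigned VLAN (authentication matched)
    'wrong-port'      - MAC learned on a port other than the NAC port
    'unexpected-vlan' - on neither the onboarding nor the assigned VLAN
    'not-learned'     - MAC not present in the table at all
    """
    entry = parse_mac_table(mac_table_text).get(client_mac.lower())
    if entry is None:
        return "not-learned"
    vlan, port = entry
    if port != nac_port.lower():
        return "wrong-port"
    if vlan == onboarding_vlan:
        return "onboarding"
    if vlan == assigned_vlan:
        return "assigned"
    return "unexpected-vlan"


def client_in_assigned_vlan(vlan_config_text, client_mac):
    """Second check: the client MAC appears in the assigned VLAN's member-by-mac list."""
    return client_mac.lower() in parse_member_by_mac(vlan_config_text)


if __name__ == "__main__":
    client = "a0:29:19:48:ee:74"
    print("before auth:", nac_client_state(MAC_TABLE_BEFORE_AUTH, client, "port2"))
    print("after auth: ", nac_client_state(MAC_TABLE_AFTER_AUTH, client, "port2"))
    print("member-by-mac:", client_in_assigned_vlan(VLAN10_CONFIG, client))
```

A client that stays in the 'onboarding' state after the user has submitted credentials usually means the NAC policy did not match (wrong user group, or the policy is not bound to the FortiLink interface), and the Matched policy view described in step B is the place to look next; the 'wrong-port' and 'unexpected-vlan' results are worth alerting on, since they indicate the device is not where the NAC policy placed it.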