Hi All,
I have FortiAPs connected to FortiSwitches, both of which are managed by FortiGates, and I am trying to figure out if it's possible for FortiNAC to identify a FortiAP when I connect it to any port on the FortiSwitch and then dynamically set the VLAN on that switch port to be our AP management VLAN. If this is possible, any information about how to do it would be greatly appreciated.
All of my FortiAPs appear (correctly) under the FortiGate in the Network > Inventory list in FortiNAC. I'm guessing that if the APs were unmanaged, or classified as "Hosts", this would be possible (or easier).
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
FNAC by default will treat APs as a network device (WAP Uplink) and will not push/enforce any policy on the switch port.
This can be changed in the global config shown below:
Using a tunneled SSID is preferred, since the switch will see only the MAC address of the AP; user traffic will be encapsulated in the CAPWAP tunnel.
Hi ebilcari,
Thank you for your reply and the information you provided. Based on the description, the "Enable Network Access Policy for Wireless Access Points" option should do exactly what I was looking for. Unfortunately, I can't get it working. As soon as I add the switch port where the AP is connected to the Role Based Access group, FNAC changes the VLAN to Default. The reason it gives for the port change is simply "default". Maybe I'm missing something simple, but it seems like it's not even evaluating my Network Access Policy. Do you know of any additional requirements to make this work?
Kindly take a look at this article; basically it should cover all FNAC behaviors related to WAP uplink. Scenario 2 may be relevant; I haven't tested it myself.
Hi! Advanced config, real enterprise solution.
I use a dynamic port policy on the FortiGate. Create one and, based on MAC or device family FortiAP, assign an 802.1X policy. The 802.1X policy has to be port based; then assign the dynamic port policy to all ports, and the port will require authentication from the FortiAP. The FortiAP will send a username and password for validation (because FortiAP now supports 802.1X). The FortiSwitch will contact the RADIUS server (I use Microsoft NPS, the Network Policy Server role, a free add-on on Windows) or FortiNAC, and they will send all the necessary VLANs in tagged or untagged form, so that way you can connect the FortiAP to whatever port and it will be configured automatically. Create a second rule inside the dynamic port policy to match any other devices using the MAC wildcard **:**:**:**. This second rule will match all other devices and assign a policy that is MAC based, so you can authenticate 20 different PCs, IP phones, printers, etc., and based on user/MAC or username, the RADIUS server will send the configured VLAN from its rules or policy. I did this for everything; all ports on the switch are configured equally. The RADIUS server and Windows AD do all the work. You need 802.1X on each domain PC, and you need a username (MAC type) to be created in Windows AD for devices that cannot send usernames. You need a domain certificate (Windows Certificate CA role). This certificate will be uploaded to a printer that supports 802.1X; also upload this domain certificate to each FortiAP or IP phone. RADIUS will use EAP/PEAP for secure authentication. Then add FortiEMS to your enterprise and use tags on each FortiGate policy to validate the posture of the PC/server, and you are done, 90%+ security enabled. Cheers.
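To make the "tagged or untagged VLANs from RADIUS" part of the design above concrete, here is an added example (not from this thread or from Fortinet) that builds and parses the RADIUS Access-Accept attributes used for dynamic VLAN assignment: the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple for the untagged VLAN, and RFC 4675 Egress-VLANID for additional tagged VLANs. The VLAN numbers are constructed; whether a given switch firmware honours both attribute families is an assumption to check against its documentation.

```python
"""Encode/decode RADIUS dynamic-VLAN attributes (RFC 2868 and RFC 4675).
Constructed example for a RADIUS reply to an 802.1X port; not vendor code."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EGRESS_VLANID = 56          # RFC 4675
VLAN_TUNNEL, IEEE_802 = 13, 6
TAGGED, UNTAGGED = 0x31, 0x32   # RFC 4675 "Tag Indication" octet


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (incl. header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _check_vid(vlan_id: int) -> None:
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"invalid VLAN id {vlan_id}")


def tunnel_vlan(vlan_id: int, tag: int = 1) -> bytes:
    """Untagged (native) VLAN as the RFC 2868 triple; tag groups the three."""
    _check_vid(vlan_id)
    t = bytes([tag])
    return (_avp(TUNNEL_TYPE, t + VLAN_TUNNEL.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, t + IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode()))


def egress_vlan(vlan_id: int, tagged: bool) -> bytes:
    """Egress-VLANID: indication octet, 12 bits padding, 12-bit VLAN id."""
    _check_vid(vlan_id)
    ind = TAGGED if tagged else UNTAGGED
    return _avp(EGRESS_VLANID, struct.pack("!I", (ind << 24) | vlan_id))


def decode_vlans(blob: bytes) -> dict:
    """Walk a run of attributes and collect {'untagged': [...], 'tagged': [...]}."""
    out = {"untagged": [], "tagged": []}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        t, ln = blob[i], blob[i + 1]
        v = blob[i + 2:i + ln]
        if t == TUNNEL_PRIVATE_GROUP_ID:
            s = v[1:] if v[0] <= 0x1F else v     # leading octet is a tag only if <= 0x1F
            out["untagged"].append(int(s) if s.isdigit() else s.decode())
        elif t == EGRESS_VLANID:
            val = struct.unpack("!I", v)[0]
            out["tagged" if (val >> 24) == TAGGED else "untagged"].append(val & 0xFFF)
        i += ln
    return out
```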
Hi EdwinCandelario,
First, thanks for taking the time to reply, explaining your comprehensive solution, and providing guidance; it's much appreciated.
My deployment is way less elaborate, and I don't think we're ready to go full 802.1x yet. That said, the information you provided will be a huge help if we decide to venture down that road.
Ok.
If your SSIDs are in tunnel mode, it is basic. You use the DPP to look for the MAC address of your FortiAP and assign a VLAN. If your SSIDs are in bridge mode, you will need a RADIUS server to send all the VLANs needed.