Support Forum
kdot
New Contributor II

Can FortiNAC identify where I connect a FortiAP and dynamically assign a management VLAN?

Hi All,

 

I have FortiAPs connected to FortiSwitches, both of which are managed by FortiGates, and I am trying to figure out if it's possible for FortiNAC to identify a FortiAP when I connect it to any port on the FortiSwitch and then dynamically set the VLAN on that switchport to our AP management VLAN. If this is possible, any information about how to do it would be greatly appreciated.

 

All of my FortiAPs appear (correctly) under the FortiGate in the Network > Inventory list in FortiNAC. I'm guessing that if the APs were unmanaged, or classified as "Hosts", this would be possible (or easier).

Anthony_E
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony, Fortinet Community Team.
ebilcari
Staff

FNAC by default will treat APs as a network device (WAP Uplink) and will not push/enforce any policy on the switch port.
This can be changed in the global config shown below:

(screenshot: ap-policy.PNG)

Using a tunneled SSID is preferred, since the switch will see only the MAC address of the AP; user traffic will be encapsulated in the CAPWAP tunnel.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
kdot
New Contributor II

Hi ebilcari,

Thank you for your reply and the information you provided. Based on the description, the "Enable Network Access Policy for Wireless Access Points" option should do exactly what I was looking for. Unfortunately, I can't get it working. As soon as I add the switchport where the AP is connected to the Role Based Access group, FNAC changes the VLAN to Default. The reason it gives for the port change is simply "default". Maybe I'm missing something simple, but it seems like it's not even evaluating my Network Access Policy. Do you know of any additional requirements to make this work?

 

ebilcari

Kindly take a look at this article; it should cover all FNAC behaviors related to WAP uplink. Scenario 2 may be relevant; I haven't tested it myself.

- Emirjon
EdwinCandelario
New Contributor II

Hi! Advanced config, real enterprise solution.

I use dynamic port policy on the FortiGate. Create one and, based on MAC or device family FortiAP, assign an 802.1X policy. Then the 802.1X policy has to be port based; then assign the dynamic port policy to all ports, and the port will require authentication from the FortiAP. The FortiAP will send a username and password for validation (because FortiAPs now support 802.1X). The FortiSwitch will contact the RADIUS server (I use Microsoft NPS, the Network Policy Server role, a free add-on on Windows) or FortiNAC, and they will send all the VLANs necessary in tagged or untagged form, so that way you can connect the FortiAP to whatever port and it will be configured automatically. Create a second rule inside the dynamic port policy to match any other devices using the MAC wildcard **:**:**:**. This second rule will match all other devices and assign a policy that is MAC based, so you can authenticate 20 different PCs, IP phones, printers, etc., and based on user/MAC or username, the RADIUS server will send the VLAN configured in its rules or policy. I did this for everything; all ports on the switch are configured equally. RADIUS and Windows AD do all the job. You need 802.1X on each domain PC; you need a username (MAC type) created in Windows AD for devices that cannot send usernames. You need a domain certificate (the Windows Certificate CA role). This certificate will be uploaded on a printer that supports 802.1X; also upload this domain certificate to each FortiAP or IP phone. RADIUS will use EAP/PEAP for secure authentication. Then add FortiEMS to your enterprise and use tags on each FortiGate policy to validate the posture of the PC/server, and you are done: 90%+ security enabled. Cheers.
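The RADIUS side of that design, as an added example that is not from the thread or from Fortinet's own code: the Access-Accept attributes a RADIUS server returns to put a switch port in an untagged VLAN (RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID) and add tagged VLANs (RFC 4675 Egress-VLANID), plus a parser that checks them the way a strict switch would. The VLAN numbers are constructed, and whether a given FortiSwitch honours Egress-VLANID is an assumption this thread does not confirm.

```python
import struct

# Attribute codes from RFC 2868 (tunnel attributes) and RFC 4675 (Egress-VLANID)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, EGRESS_VLANID = 64, 65, 81, 56
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
EGRESS_TAGGED, EGRESS_UNTAGGED = 0x31, 0x32  # high byte of an Egress-VLANID value


def _avp(code, value):
    """One RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", code, len(value) + 2) + value


def vlan_assignment_avps(native_vlan, tagged_vlans=()):
    """Access-Accept attributes that put the port in native_vlan untagged and add
    tagged_vlans as tagged members. The leading 0x00 is the RFC 2868 tag (unused)."""
    for vid in (native_vlan, *tagged_vlans):
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN id out of range: %r" % vid)
    out = _avp(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    out += _avp(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
    out += _avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(native_vlan).encode())
    out += _avp(EGRESS_VLANID, struct.pack("!I", (EGRESS_UNTAGGED << 24) | native_vlan))
    for vid in tagged_vlans:  # constructed sample: extra VLANs trunked to the port
        out += _avp(EGRESS_VLANID, struct.pack("!I", (EGRESS_TAGGED << 24) | vid))
    return out


def parse_vlan_avps(blob):
    """Walk the attribute list as the switch would, rejecting malformed lengths."""
    result = {"tunnel_type": None, "medium": None, "vlan": None, "tagged": [], "untagged": []}
    pos = 0
    while pos < len(blob):
        length = blob[pos + 1] if pos + 1 < len(blob) else 0
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length at offset %d" % pos)
        code, value = blob[pos], blob[pos + 2:pos + length]
        pos += length
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, EGRESS_VLANID) and len(value) != 4:
            raise ValueError("attribute %d must carry 4 bytes" % code)
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):  # tag byte, then a 3-byte integer
            key = "tunnel_type" if code == TUNNEL_TYPE else "medium"
            result[key] = int.from_bytes(value[1:], "big")
        elif code == TUNNEL_PRIVATE_GROUP_ID:  # a leading byte <= 0x1F is a tag, not text
            result["vlan"] = (value[1:] if value and value[0] <= 0x1F else value).decode()
        elif code == EGRESS_VLANID:
            kind, vid = value[0], struct.unpack("!I", value)[0] & 0xFFF
            if kind not in (EGRESS_TAGGED, EGRESS_UNTAGGED):
                raise ValueError("unknown Egress-VLANID tag byte 0x%02x" % kind)
            result["tagged" if kind == EGRESS_TAGGED else "untagged"].append(vid)
    return result
```

For example, `parse_vlan_avps(vlan_assignment_avps(20, (30, 40)))` reports VLAN "20" untagged and 30 and 40 tagged; a response that names a VLAN the port policy does not permit should be dropped by the NAS rather than applied.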


kdot

Hi EdwinCandelario,

First, thanks for taking the time to reply, explaining your comprehensive solution, and providing guidance; it's much appreciated.

My deployment is way less elaborate, and I don't think we're ready to go full 802.1X yet. That said, the information you provided will be a huge help if we decide to venture down that road.

 

EdwinCandelario

Ok.

If your SSIDs are tunnel mode, it's basic: you use the DPP to look for the MAC address of your FortiAP and assign a VLAN. If your SSIDs are bridge mode, you will need a RADIUS server to send all the VLANs needed.
