Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

FAC 802.1x with dynamic VLAN assignment

Hello all,


Maybe someone could advise me on 802.1x implementation with FAC and Microsoft LDAP. All the cookbooks basically show FAC as the only authentication server and demonstrates VLAN attribute assignment per-user (which is a total nonsense, when you have hundreds of users). So, what is the correct workflow here? As per my imagination, brief steps should be as following:

1. Microsoft NPS must be configured with policies assigning user groups a Tunnel-Type "VLAN" attribute along with Tunnel-PVT-Group-ID "vlan_number".

2. Remote LDAP user group must configured on FAC with added RADIUS attribute Tunnel-Type "VLAN". 

3. Remote user sync rule must be configured based on created user group, with users being automatically assigned to it. 

4. Add network device as a RADIUS client.

5. Configure network device for authentication using FAC and enabling 802.1x on ports. 


Could someone confirm, that this is the correct thinking? Thanks in advance!

Top Kudoed Authors