I have IOT devices that can only connect to an SSID using a PSK so using WPA2 Personal. I'm trying create NAC profile rule/access policy to move them to a different vlan on that SSID (Tunnel mode). I have two sub-interfaces under the SSID for dynamic assignment.
Config #1 - My FortiAP SSID config is WPA2 personal with NO RADIUS server defined. On NAC, the connected device is properly profiled, hits the correct Profile/Policy with the desired new VLAN. However, the vlan on the SSID is not changed.
Config #2 - My FortiAP SSID config is WPA2 personal AND I assign the NAC Radius server and select "Dynamic VLAN Assignment". With this config, I can no longer even connect to the AP. I get the error message like "STA denied by Radius based MAC authentication". Here's a config snippet.
config wireless-controller vap
edit "iot_devices"
set ssid "iot"
set broadcast-ssid enable
set security wpa2-only-personal
set radius-mac-auth enable
set radius-mac-auth-server "fnac_radius"
set radius-mac-auth-block-interval 0
set dynamic-vlan enable
Maybe I'm missing some kind of MAB config on the AP or NAC.
Any ideas ?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Is FortiNAC responding with Access-Reject to the authentication attempts sent?
Check if the "Registration" Logical network in the SSID model in FortiNAC is enforced and has a Access Value. If that is left to "Deny", FortiNAC will reject any rogue connections.
https://docs.fortinet.com/document/fortinac-f/7.6.0/administration-guide/151724/model-configuration
Access Enforcement |
This set of drop-down menus works in conjunction with the Host States listed above to determine treatment for hosts when no VLAN/Role value is supplied or when access control is being enforced. Options include:
|
@Hatibi - thanks for the help
I have have corrected the Radius issue, but running into a different issue now.
The goal is connect to tunnel mode ssid.
The main ssid interface is where the device connects initially and will be assigned a DHCP address.
There is a sub interface off the main interface.
If the device passes the DPR, it should be assigned to the vlan of the sub-interface and it gets a new IP.
The host connects to the wifi, passed the DPR and hits the correct access policy. The access value/vlan shows the correct VLAN_215 but it does not get changed.
Attached is the ssid model config.
any ideas ?
Hello tmcgov62,
in the SSID model config i would suggest to you to make these changes:
1. Add "RFC VLAN" in the default Radius attribute group.
2. Set a VLAN for "Default" logical network.
3. Enforce "Registration" and set an Access VLAN.
The host in this case will automatically register through 802.1x that you have enabled in the SSID model config. So no need for DPR in this case.
Once the host registers and it matches the correct policy, FortiNAC will send a "Disconnect Request" in order to terminate the session and trigger a new auth request in order to assign the new VLAN.
In order to verify this part you can run tcpdump in FortiNAC cli and filter for port 3799.
FortiNAC-F cli command:
execute tcpdump -i any host X.X.X.X and port 3799 -v <---- Replace X.X.X.X with the WLC IP.
You should see a Disconnect Request sent from FortiNAC and the WLC should acknowledge it by responding with Disconnect ACK
In addition to my previous update also be aware that the SSID interface should be left with no dhcp or specific subnet cofniguration. Leave that as 0.0.0.0/0.
Under the SSID interface, configure the Isolation and your other VLANs where you want to put the registered hosts.
Example:
In this case "Wireless_Isol" is the isolation VLAN where Rogue hosts will be put once FortiNAC detects them. This VLAN should have a DHCP relay pointing to FortiNAC eth1/port2.
The "Wireless_Access" is the production VLAN where the registered host is moved once FortiNAC registers it. This VLAN has FortiGate acting as a DHCP server.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1721 | |
1098 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.