tmcgov62
Staff

FortiNAC and Dynamic VLAN assignment for WPA2 Personal SSIDs

I have IoT devices that can only connect to an SSID using a PSK, so I am using WPA2 Personal. I'm trying to create a NAC profile rule/access policy to move them to a different VLAN on that SSID (Tunnel mode). I have two sub-interfaces under the SSID for dynamic assignment.

Config #1 - My FortiAP SSID config is WPA2 personal with NO RADIUS server defined. On NAC, the connected device is properly profiled, hits the correct Profile/Policy with the desired new VLAN. However, the vlan on the SSID is not changed. 
Config #2 - My FortiAP SSID config is WPA2 personal AND I assign the NAC Radius server and select "Dynamic VLAN Assignment". With this config, I can no longer even connect to the AP. I get the error message like "STA denied by Radius based MAC authentication". Here's a config snippet.
config wireless-controller vap
    edit "iot_devices"
        set ssid "iot"
        set broadcast-ssid enable
        set security wpa2-only-personal
        set radius-mac-auth enable
        set radius-mac-auth-server "fnac_radius"
        set radius-mac-auth-block-interval 0
        set dynamic-vlan enable
    next
end
Maybe I'm missing some kind of MAB config on the AP or NAC.


Any ideas?
Hatibi
Staff

Is FortiNAC responding with Access-Reject to the authentication attempts sent?

Check if the "Registration" Logical network in the SSID model in FortiNAC is enforced and has an Access Value. If that is left at "Deny", FortiNAC will reject any rogue connections.
https://docs.fortinet.com/document/fortinac-f/7.6.0/administration-guide/151724/model-configuration
Access Enforcement

This set of drop-down menus works in conjunction with the Host States listed above to determine treatment for hosts when no VLAN/Role value is supplied or when access control is being enforced. Options include:

  • Deny: Host will be denied access to the network when it is in this state. For example, if the host is not registered and Registration is set to Deny, the host connection will be rejected.

tmcgov62

@Hatibi - thanks for the help

I have corrected the RADIUS issue, but I am running into a different issue now.
The goal is to connect to the tunnel mode SSID.

The main ssid interface is where the device connects initially and will be assigned a DHCP address.

There is a sub-interface off the main interface.

If the device passes the DPR, it should be assigned to the vlan of the sub-interface and it gets a new IP.

The host connects to the Wi-Fi, passes the DPR and hits the correct access policy. The access value/VLAN shows the correct VLAN_215, but it does not get changed.
Attached is the SSID model config.
Any ideas?
Hatibi

Hello tmcgov62,
In the SSID model config I would suggest you make these changes:
1. Add "RFC VLAN" in the default Radius attribute group.

2. Set a VLAN for "Default" logical network.

3. Enforce "Registration" and set an Access VLAN.
The host in this case will automatically register through the 802.1X that you have enabled in the SSID model config. So there is no need for DPR in this case.
Once the host registers and it matches the correct policy, FortiNAC will send a "Disconnect Request" in order to terminate the session and trigger a new auth request in order to assign the new VLAN.
In order to verify this part you can run tcpdump in the FortiNAC CLI and filter for port 3799.
FortiNAC-F CLI command:
execute tcpdump -i any host X.X.X.X and port 3799 -v  <---- Replace X.X.X.X with the WLC IP.
You should see a Disconnect Request sent from FortiNAC, and the WLC should acknowledge it by responding with a Disconnect ACK.
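
The verification step above looks for the Disconnect-Request / Disconnect-ACK pair on UDP port 3799. As an added example (not from this thread or from Fortinet), the following Python script builds and checks that RFC 5176 exchange, so you can see what a valid ACK looks like and why a reply built with the wrong shared secret fails verification; the shared secret, the 192.0.2.1 WLC address and the client MAC are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS Dynamic Authorization codes (RFC 5176); the exchange uses UDP port 3799.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
NAMES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK"}
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31  # attribute types

def build_packet(code, ident, secret, attrs=(), request_auth=bytes(16)):
    """Build a RADIUS packet. A Disconnect-Request (sent by FortiNAC) is hashed over
    a zeroed authenticator; the NAS reply is hashed over the request's authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def parse_packet(data):
    """Decode header and TLV attributes of a packet captured on port 3799."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return {"code": code, "name": NAMES.get(code, "other"), "id": ident,
            "authenticator": data[4:20], "attrs": attrs}

def verify_response(request, response, secret):
    """True only if the reply echoes the request ID and its Response Authenticator is valid."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def demo_exchange():
    """Constructed exchange: FortiNAC asks the WLC to drop one station's session."""
    secret = b"constructed-shared-secret"  # placeholder, not a real key
    request = build_packet(DISCONNECT_REQUEST, 7, secret, [
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),        # constructed WLC address
        (CALLING_STATION_ID, b"00-11-22-33-44-55")])     # constructed client MAC
    ack = build_packet(DISCONNECT_ACK, 7, secret, request_auth=request[4:20])
    bad_ack = build_packet(DISCONNECT_ACK, 7, b"wrong-secret", request_auth=request[4:20])
    return (parse_packet(request)["name"], parse_packet(ack)["name"],
            verify_response(request, ack, secret), verify_response(request, bad_ack, secret))
```

Feed the raw UDP payloads from the tcpdump capture into parse_packet and verify_response with the WLC's shared secret to confirm the ACK really came from the WLC and not from a stale or misconfigured peer.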

Hatibi

In addition to my previous update, also be aware that the SSID interface should be left with no DHCP or specific subnet configuration. Leave that as 0.0.0.0/0.

Under the SSID interface, configure the Isolation and your other VLANs where you want to put the registered hosts.
Example:

[Attached image: Wireless_SSID_Config.png]

In this case "Wireless_Isol" is the isolation VLAN where Rogue hosts will be put once FortiNAC detects them. This VLAN should have a DHCP relay pointing to FortiNAC eth1/port2.

The "Wireless_Access" is the production VLAN where the registered host is moved once FortiNAC registers it. This VLAN has FortiGate acting as a DHCP server.
