Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK
SuperUser
SuperUser

FortiNAC auto configure IP-Phone port

Hi FortiNAC admins

Usually my Cisco switch-ports are pre-configured by network admin to accept voice VLAN, like this:

switchport voice vlan 20

Now assume that my ports are not configured so, I mean they are access ports with only DATA VLAN.

In that case, is there a possibility to tell FortiNAC to auto-configure switch-ports with voice VLAN when I plug the IP-Phone? (if possible without CLI in device modeling).

AEK
AEK
5 REPLIES 5
atakannatak
New Contributor III

Hi @AEK ,

 

FortiNAC can automatically configure switch ports to include the voice VLAN when an IP phone is connected, without needing to manually configure each port via CLI. Ensure you have the necessary permissions and configurations on your network devices for FortiNAC to apply these changes. 

 

You can configure the Voice VLAN using Radius and FlexCLI. I think you can find all details which you need on the below links:

 

https://docs.fortinet.com/document/fortinac-f/7.2.0/ip-phone-integration/519915/steps

 

https://docs.fortinet.com/document/fortinac-f/7.2.0/ip-phone-integration/065140/appendix#_Automated_...

 

https://docs.fortinet.com/document/fortinac-f/7.2.0/ip-phone-integration/065140/appendix#_RADIUS

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.

Atakan Atak
Atakan Atak
AEK

Hi Atakan

Thanks for your feedback.

I hoped there was a way to do it without CLI Config (FlexCLI), since I prefer leave it as last resort.

But does the integration guide mean we can configure it using "RADIUS and FlexCLI" or using "RADIUS or FlexCLI"?

AEK
AEK
atakannatak
New Contributor III

Hi @AEK ,

 

The integration guide indicates that you can configure automated Voice VLAN provisioning using either RADIUS or FlexCLI. The key point to pay attention to is as follows:

 

Using FlexCLI
Configure FortiNAC to assign Voice VLAN via RADIUS as IP Phones connect.

 

Using RADIUS
This configuration is required when the device model is set for Proxy RADIUS mode. It is not required for Local RADIUS mode.

 

BR.

Atakan Atak
Atakan Atak
AEK

Thanks Atakan, I'll try this.

AEK
AEK
ebilcari
Staff
Staff

By default FNAC will not treat the IP Phones as normal hosts. As shown also in the guide "IP phone MAC address is ignored when determining the appropriate untagged VLAN for a port: The untagged VLAN on a given port (data VLAN) will not be switched based upon the presence of a device with the IP Phone device type. The untagged VLAN will only switch based upon a device connecting behind the phone". This 'special treatment' is tied to this device type and the icon. By default it's expected that the switch and the phone will relay on CDP/LLDP to communicate the voice VLAN.

If a different icon is used when the device is classified than custom VSA (Cisco-AVPair = device-traffic-class=voice) can be sent via RADIUS or a tagged VLAN like this example here.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors