Last year we purchased Fortinac for our boarding school. After being raked over the coals for Professional Services, Fortinet was not able to get our system working with the Aruba wireless configuration we had. Since that time we have switched to a Ruckus wireless controller which I am told is an easier configuration with Fortinac.
The question to anyone... Does anyone have step-by-step documentation somewhere that can be shared on how to configure the Fortinac with a Ruckus integration from start to finish?
I have reviewed all the videos I can find, but no help. I have reviewed all the documentation out there, but again no step-by-step walkthrough for getting the system working. I'm not in a budget position to throw away another 6 grand for Professional Services for the Fortinet team to bail again.
Here is the current plan I had for Fortinac:
- Student Production Vlan 100
- Faculty Production Vlan 30
- Guest Production Vlan 90
- Isolation Vlan 110
- Guest Registration Vlan 120
All student's devices would be directed to Isolation VLAN 110
Student devices would be forced to download the agent to the device, if no agent is installed, the device returns to isolation until the agent installation has been done.
The student is authenticated with their Google credentials through the agent and then with scanning for required software policies. Once the scanning is done with the agent the student's devices are placed in production Vlan 100.
If the agent is removed from the student's device, the device will return to isolation or quarantine.
Persistent Agent: I am not sure if this will work with Google as backend (didn't see it before).
If you have the Persistent Agent and want the agent's presence and endpoint scan results to be used, you need a user host profile (UHP) that includes the agent. When it matches, you can set a network access policy for it, to match a logical network. On an initial implementation, I'd skip the endpoint scan and get the implementation running first.
The logical network has to be set on the model configuration of the controller on FortiNAC for the respective use, "Student" for example.
Typically, students are not on domain-joined PCs, so they might be downloading the PA from the Portal, a web page hosted on FNAC. I do not recognize a portal in your planned setup.
- If the Agent is downloaded, the FNAC connection must be manually specified by registry settings. Otherwise, the FNAC policies (UHP based) will not match the Hosts.
- If the Agent is pushed via domain GPO, the settings can and should be pushed as well.
For the VLANs, they need to be ordered, understood and defined as what they are and how a client is supposed to match it. Here is my guesswork on your set:
Isolation Vlan 110 - The client is new. Not registered, not sponsored, Rogue.
Student Production Vlan 100 - I guess this is normal production, Students have an agent. Endpoint scanning would recognize it.
Google Authentication - Is this a backend or a VLAN?
- If VLAN, it would sound like a user registration? Is there a portal that the user has to authenticate to, or receive the agent from? Is every user supposed to do this?
- If Backend - then you want to make sure the end user can authenticate to somehow through FNAC (Portal, Agent) and FNAC can see that in order to understand that the user has successfully authenticated.
Faculty Production Vlan 30 - What is the criterion for matching this, different to Student, Guest Prod and Guest Reg?
Guest Production Vlan 90 - What is the criterion for matching this, different to Faculty, Student and Guest Reg?
Guest Registration Vlan 120 - What is the criterion for matching this, different to Faculty, Student and Guest Prod?
If the criterion is defined, and FNAC can discern this from the others, you should be able to have several different UHP based on the criterion. Network Access policies are to map the UHP to the Logical Networks (as further mapped in the Model configuration on the controller).
Another question to be cleared:
- Are users supposed to be registering themselves manually, getting a role assigned? The role can be used in the User & Host profiles.
- Are devices to be profiled and getting the role assigned, then authenticate?
- Last but not least: If this is an SSID it is likely that this is a WPA2 Enterprise SSID, that ties in with RADIUS.
If so, you need to clear how the RADIUS server is authenticating the user: whether FNAC is supposed to be the proxy to another RADIUS server (again, to see that the user authenticated successfully), or whether FNAC is supposed to BE the RADIUS server. In that case Google will need to be the backend for the user credentials. I am not sure that the authentication flow WPA > RADIUS > Google works, as I did not see it before.
This guide shows a rough overview of how to integrate SSID/Wireless generally.
- If the SSID is just with a PSK, you may have a hard time with VLAN switching and user experience.
VLAN switching is done on Wireless with disconnecting the client from the SSID. This is not a FNAC behaviour, but has to be done this way. On Enterprise SSIDs, this is often done via CoA Disconnect. The user disconnects, reconnects directly and receives a different DHCP address from the DHCP server of the newly assigned VLAN.
I wrote a lot, it will not cover everything either, and half of it does not apply to your network. But I hope it helps to understand how to set it up.
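To make the UHP / Network Access Policy / Logical Network / VLAN chain from the reply above concrete, here is an added illustration (example code written for this thread, not FortiNAC's own code or configuration). It encodes the original poster's VLAN plan as ranked profiles with explicit matching criteria, maps each logical network to a VLAN the way the controller's model configuration would, and includes an overlap check that flags hosts matching more than one profile, which is exactly the "can FNAC discern this from the others" question raised for the Faculty and Guest VLANs. The ranked first-match evaluation, the profile names, the `Host` attributes and all MAC addresses are constructed assumptions for the example.

```python
"""
Toy model of NAC policy matching for the VLAN plan discussed in this thread.
Hosts are evaluated against ranked User/Host Profiles (UHPs); the first
matching UHP picks a Logical Network, which the controller model config maps
to a VLAN. Constructed example, not FortiNAC code; first-match ranking is an
assumption made for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Host:
    """Attributes FNAC would know about an endpoint (constructed for the example)."""
    mac: str
    registered: bool = False
    role: Optional[str] = None        # "student", "faculty", "guest" or None (unknown)
    agent_present: bool = False       # Persistent Agent checked in
    scan_passed: Optional[bool] = None  # None = never scanned
    authenticated: bool = False       # user authenticated via portal/agent/RADIUS


@dataclass
class UHP:
    """A User/Host Profile: a name, a matching criterion, and the Logical Network it maps to."""
    name: str
    match: Callable[[Host], bool]
    logical_network: str


# Model configuration on the wireless controller: Logical Network -> VLAN (from the OP's plan)
MODEL_CONFIG: Dict[str, int] = {
    "Isolation": 110,
    "Guest Registration": 120,
    "Guest Production": 90,
    "Faculty Production": 30,
    "Student Production": 100,
}

# Ranked profiles; each criterion is written so it is discernible from the others
RANKED_UHPS: List[UHP] = [
    UHP("Student - agent present, scan passed",
        lambda h: h.role == "student" and h.agent_present and h.scan_passed is True,
        "Student Production"),
    UHP("Student - agent missing or removed",       # agent removed -> back to isolation
        lambda h: h.role == "student" and not h.agent_present,
        "Isolation"),
    UHP("Faculty - authenticated",
        lambda h: h.role == "faculty" and h.authenticated,
        "Faculty Production"),
    UHP("Guest - registered",
        lambda h: h.role == "guest" and h.registered,
        "Guest Production"),
    UHP("Guest - not yet registered",
        lambda h: h.role == "guest" and not h.registered,
        "Guest Registration"),
    UHP("Rogue - unknown host",
        lambda h: not h.registered and h.role is None,
        "Isolation"),
]

# A deliberately loose profile ("any student") used to show what an overlap looks like
LOOSE_STUDENT_UHP = UHP("Student - any", lambda h: h.role == "student", "Student Production")


def matching_profiles(host: Host, uhps: List[UHP] = RANKED_UHPS) -> List[str]:
    """Every UHP whose criterion the host satisfies, regardless of rank."""
    return [u.name for u in uhps if u.match(host)]


def select_vlan(host: Host, uhps: List[UHP] = RANKED_UHPS,
                model: Dict[str, int] = MODEL_CONFIG) -> Tuple[str, int]:
    """First matching UHP wins; anything that matches nothing stays isolated (catch-all)."""
    for u in uhps:
        if u.match(host):
            return u.logical_network, model[u.logical_network]
    return "Isolation", model["Isolation"]


def overlap_report(hosts: List[Host], uhps: List[UHP] = RANKED_UHPS) -> Dict[str, List[str]]:
    """Hosts matching more than one UHP: their criteria are not discernible and rank alone decides."""
    report: Dict[str, List[str]] = {}
    for h in hosts:
        names = matching_profiles(h, uhps)
        if len(names) > 1:
            report[h.mac] = names
    return report


# Constructed sample endpoints covering each branch of the OP's plan
SAMPLE_HOSTS: List[Host] = [
    Host("aa:bb:cc:00:00:01"),                                                   # rogue, never seen
    Host("aa:bb:cc:00:00:02", registered=True, role="student", agent_present=True,
         scan_passed=True, authenticated=True),                                  # compliant student
    Host("aa:bb:cc:00:00:03", registered=True, role="student", agent_present=False),  # agent removed
    Host("aa:bb:cc:00:00:04", registered=True, role="faculty", authenticated=True),
    Host("aa:bb:cc:00:00:05", role="guest"),                                     # guest, not registered
    Host("aa:bb:cc:00:00:06", registered=True, role="guest"),
    Host("aa:bb:cc:00:00:07", registered=True, role="student", agent_present=True,
         scan_passed=False),                                                     # failed scan -> catch-all
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        ln, vlan = select_vlan(h)
        print(f"{h.mac}  ->  {ln:<20} VLAN {vlan}   matches={matching_profiles(h)}")
    print("overlaps with strict profiles:", overlap_report(SAMPLE_HOSTS))
    print("overlaps after adding loose profile:", overlap_report(SAMPLE_HOSTS, RANKED_UHPS + [LOOSE_STUDENT_UHP]))
```

Run it as-is to see each sample host land in the VLAN the plan intends; the last line shows how a profile with a vague criterion ("any student") silently overlaps the stricter ones, so the outcome depends only on rank order rather than on a criterion FNAC can actually tell apart. That is the check worth doing on paper before building the profiles in the product.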