Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

FortiNac Installation Help Request



Last year we purchased Fortinac for our boarding school. After being raked over the coals for Professional Services, Fortinet was not able to get our system working with the Aruba wireless configuration we had. Since that time we have switched to a Ruckus wireless controller which I am told is an easier configuration with Fortinac. 


The question to anyone... Does anyone have step-by-step documentation somewhere that can be shared on how to configure the Fortinac with a Ruckus integration from start to finsh?


I have reviewed all videos I can find but no help I have reviewed all documentation out there but again no step-by-step walkthrough to getting the system working.  I'm not in a budget position to throw away another 6 grand for Professional Services for the Fortinet team to bail again.


Here is the current plan I had for Fortinac


Student Production Vlan 100

Google Authentication

Faculty Production Vlan 30

Guest Production Vlan 90

Isolation Vlan 110

Guest Registration Vlan 120


All student's devices would be directed to Isolation VLAN 110

Student devices would be forced to download the agent to the device, if no agent is installed, the device returns to isolation until the agent installation has been done.


The student is authenticated with their Google credentials through the agent and then with scanning for required software policies. Once the scanning is done with the agent the student's devices are placed in production Vlan 100.


If the agent is removed from the student's device, The device will return to isolation or quarantine.



Any help will be greatly appreciated.



Timothy Bradley
Timothy Bradley



Thank you for using the Community Forum. Please visit the following link for Ruckus integration with Fortinac.


Could you please have a look and let us know if helped.



Waqas Arshad

This does not help.  I need a step by step

Timothy Bradley
Timothy Bradley

Hi Timothy,


The guide is actually containing the steps for the integration of Ruckus only.

So I would think that part is working, as you didn't clarify where you are stuck.


There is no step-by-step guide as the integration will strongly depend on the network, surroundings, and set of clients, usage for clients.

A step-by-step guide you amy find will likely omit half of your network and not work in parts for your set of requirements.



"Authenticated with their google credentials", so google is a backend server for the end users? - as in


Persistent Agent: I am not sure if this will work with Google as backend (didn't see it before).


If you have the Persistent Agent you want the agent's presence and endpoint scan results to be used, you need a user host profile (UHP) that includes the agent. When it is matching, you can set a network access policy for it, to match a logical network. On an initial implementation, I'd skip the endpoint scan and get the implementation running first.

The logical network has to be set on the model configuration of the controller on FortiNAC for the respective use "Student" for example.


Typically, Students are not on domain joined PCs, so they might be downloading the PA from the Portal, web page hosted on FNAC. I do not recognize a portal in your planned setup.

- If the Agent is downloaded, the FNAC connection must be manually specified by registry settings. Otherwise, the FNAC policies (UHP based) will not match the Hosts.

- If the Agent is pushed via domain GPO, the settings can and should be pushed as well.


For the VLANs, they need to be ordered, understood and defined as what they are and how a client is supposed to match it. Here is my guesswork on your set:


Isolation Vlan 110 - The client is new. Not registered, not sponsored, Rogue.

Student Production Vlan 100 - I guess this is normal production, Students have an agent. Endpoint scanning would recognize it.

Google Authentication - Is this a backend or a VLAN?

- If VLAN, it would sound like a user registration? Is there a portal that the user has to authenticate to, or receive the agent from? Is every user supposed to do this?

- If Backend - then you want to make sure the end user can authenticate to somehow through FNAC (Portal, Agent) and FNAC can see that in order to understand that the user has successfully authenticated.

Faculty Production Vlan 30 - What is the criterion for matching this, different to Student, Guest Prod and Guest Reg)?

Guest Production Vlan 90 - What is the criterion for matching this, different to Faculty, Student and Guest Reg)?

Guest Registration Vlan 120 - What is the criterion for matching this, different to Faculty, Student and Guest Prod)?


If the criterion is defined, and FNAC can discern this from the others, you should be able to have several different UHP based on the criterion. Network Access policies are to map the UHP to the Logical Networks (as further mapped in the Model configuration on the controller).


Another question to be cleared:

- Are users supposed to be registering themselves manually, getting a role assigned? The role can be used in the User&Host profiles.

- Are devices to be profiled and getting the role assigned, then authenticate?

- Last but not least: If this is an SSID it is likely that this is a WPA2 Enterprise SSID, that ties in with RADIUS.

If so, you need to clear how the RADIUS server is authenticating the user. If FNAC is supposed to be the proxy to another RADIUS server (again, to see that the user authenticated successfully) or is the FNAC supposed to BE the RADIUS server. In that case Google will need to be the backend for the user credentials. I am not sure that authentication flow WPA > RADIUS > Google works, as I did not see it before.



This guide shows a rough overview of how to integrate SSID/Wireless generally.


- If the SSID is just with a PSK, you may have a hard time with VLAN switching and user experience.

VLAN switching is done on Wireless with disconnecting the client from the SSID. This is not a FNAC behaviour, but has to be done this way. On Enterprise SSIDs, this is often done via CoA Disconnect. The user disconnects, reconnects directly and receives a different DHCP address from the DHCP server of the newly assigned VLAN.


I wrote a lot, it will not cover everything either, and half of it does not apply to your network. But I hope it helps to understand how to set it up.


Best regards,



Not applicable

I would like to add to this thread that for better integration with Ruckus Controller FNAC should be 9.1.4 or above for improved compatibility 


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors