The guide actually contains the steps for the integration of Ruckus only.
So I would think that part is working, as you didn't clarify where you are stuck.
There is no step-by-step guide as the integration will strongly depend on the network, surroundings, and set of clients, usage for clients.
A step-by-step guide you may find will likely omit half of your network and not work in parts for your set of requirements.
"Authenticated with their Google credentials", so Google is a backend server for the end users? - as in https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/778431/google-authentication
Persistent Agent: I am not sure if this will work with Google as backend (didn't see it before).
If you have the Persistent Agent and want the agent's presence and endpoint scan results to be used, you need a user host profile (UHP) that includes the agent. When it matches, you can set a network access policy for it to match a logical network. On an initial implementation, I'd skip the endpoint scan and get the implementation running first.
The logical network has to be set on the model configuration of the controller on FortiNAC for the respective use, "Student" for example.
Typically, Students are not on domain-joined PCs, so they might be downloading the PA from the Portal, a web page hosted on FNAC. I do not recognize a portal in your planned setup.
- If the Agent is downloaded, the FNAC connection must be manually specified by registry settings. Otherwise, the FNAC policies (UHP based) will not match the Hosts.
- If the Agent is pushed via domain GPO, the settings can and should be pushed as well.
For the VLANs, they need to be ordered, understood and defined as what they are and how a client is supposed to match it. Here is my guesswork on your set:
Isolation Vlan 110 - The client is new. Not registered, not sponsored, Rogue.
Student Production Vlan 100 - I guess this is normal production, Students have an agent. Endpoint scanning would recognize it.
Google Authentication - Is this a backend or a VLAN?
- If VLAN, it would sound like a user registration? Is there a portal that the user has to authenticate to, or receive the agent from? Is every user supposed to do this?
- If Backend - then you want to make sure the end user can somehow authenticate through FNAC (Portal, Agent) and FNAC can see that, in order to understand that the user has successfully authenticated.
Faculty Production Vlan 30 - What is the criterion for matching this, different from Student, Guest Prod and Guest Reg?
Guest Production Vlan 90 - What is the criterion for matching this, different from Faculty, Student and Guest Reg?
Guest Registration Vlan 120 - What is the criterion for matching this, different from Faculty, Student and Guest Prod?
If the criterion is defined, and FNAC can discern this from the others, you should be able to have several different UHP based on the criterion. Network Access policies are to map the UHP to the Logical Networks (as further mapped in the Model configuration on the controller).
Another question to be cleared:
- Are users supposed to be registering themselves manually, getting a role assigned? The role can be used in the User&Host profiles.
- Are devices to be profiled and getting the role assigned, then authenticate?
- Last but not least: If this is an SSID it is likely that this is a WPA2 Enterprise SSID, that ties in with RADIUS.
If so, you need to clear how the RADIUS server is authenticating the user: is FNAC supposed to be the proxy to another RADIUS server (again, to see that the user authenticated successfully), or is FNAC supposed to BE the RADIUS server? In that case Google will need to be the backend for the user credentials. I am not sure that the authentication flow WPA > RADIUS > Google works, as I did not see it before.
This guide shows a rough overview of how to integrate SSID/Wireless generally.
- If the SSID is just with a PSK, you may have a hard time with VLAN switching and user experience.
VLAN switching is done on Wireless with disconnecting the client from the SSID. This is not a FNAC behaviour, but has to be done this way. On Enterprise SSIDs, this is often done via CoA Disconnect. The user disconnects, reconnects directly and receives a different DHCP address from the DHCP server of the newly assigned VLAN.
I wrote a lot, it will not cover everything either, and half of it does not apply to your network. But I hope it helps to understand how to set it up.
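The reply above mentions that VLAN switching on an Enterprise SSID is usually done with a RADIUS CoA Disconnect. The following is an added example, not part of the original post and not Fortinet's or FortiNAC's own code: it builds an RFC 5176 Disconnect-Request for a session, parses the attributes that identify that session, and verifies the Response Authenticator on the Disconnect-ACK/NAK that the wireless controller would send back. The shared secret, session id and MAC address are constructed sample values; nothing is sent on the network, so you can use it to check your own packet captures or to understand what your controller must accept before you enable CoA.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

# Packet codes from RFC 5176 (Dynamic Authorization Extensions to RADIUS)
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# Attribute types (RFC 2865 / RFC 2866 / RFC 5176)
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31   # the client MAC, as most controllers key sessions on it
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101         # only present in a NAK
ERROR_SESSION_CONTEXT_NOT_FOUND = 503


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS AVP: Type (1 octet) | Length (1 octet, includes header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet: bytes) -> Dict[int, bytes]:
    """Walk the AVPs after the 20-byte header; raises on a truncated or malformed AVP."""
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("attribute length exceeds packet")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_disconnect_request(identifier: int, secret: bytes, attrs: bytes) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_response(code: int, identifier: int, secret: bytes,
                   request_authenticator: bytes, attrs: bytes = b"") -> bytes:
    """What the controller sends: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> Optional[str]:
    """Return 'ack' or 'nak' if the response authenticates against our request, else None.

    A response whose authenticator does not match (wrong secret, tampered, or replayed
    against a different request) must be dropped, which is what a constant-time compare guards.
    """
    if len(response) < 20 or len(request) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    if code == DISCONNECT_ACK:
        return "ack"
    if code == DISCONNECT_NAK:
        return "nak"
    return None


def demo() -> Dict[str, object]:
    """Constructed exchange: FNAC-side request, controller-side ACK, and a NAK for an unknown session."""
    secret = b"constructed-shared-secret"          # constructed, not a real secret
    session_attrs = (encode_attr(ATTR_ACCT_SESSION_ID, b"0123456789")
                     + encode_attr(ATTR_CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"))
    request = build_disconnect_request(7, secret, session_attrs)
    ack = build_response(DISCONNECT_ACK, 7, secret, request[4:20])
    nak = build_response(DISCONNECT_NAK, 7, secret, request[4:20],
                         encode_attr(ATTR_ERROR_CAUSE, struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND)))
    return {
        "request_attrs": parse_attrs(request),
        "ack_result": verify_response(ack, request, secret),
        "nak_result": verify_response(nak, request, secret),
        "nak_error_cause": struct.unpack("!I", parse_attrs(nak)[ATTR_ERROR_CAUSE])[0],
        "wrong_secret_result": verify_response(ack, request, b"wrong-secret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical check this gives you: a controller that replies with a NAK carrying Error-Cause 503 has not matched the session on the attributes you sent, which usually means FNAC and the controller disagree on whether Acct-Session-Id or Calling-Station-Id identifies the client; and any reply that fails `verify_response` should be treated as noise, since CoA only authenticates via the shared secret.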