Support Forum
JoergChmiel
New Contributor

MAC Address based VLAN assignment via NAC

I am currently trying to achieve the following use case: Using my FortiGate, FortiSwitch and FortiAP, I want to assign VLANs based on the MAC addresses of clients. In detail: all unknown devices should automatically be moved to a specific VLAN, and known devices, based on their MAC address, to a different VLAN. Using NAC I can assign a SINGLE MAC to accomplish this, but I don't get how to use a BATCH of MAC addresses to create a single NAC policy. It would be crazy to assign a unique NAC rule for every single MAC address? Can someone help me with this?

ozkanaltas
Contributor III

I think there is no other option than NAC policies. If you want to use MAC-based dynamic VLAN assignment, you should do this.

But I think you can use the CLI configuration to create batch NAC policies. For example:


config user nac-policy
    edit "nacpolicy-John"
        set mac "xx:xx:xx:xx:xx:xx"
        set switch-fortilink "fortilink"
        set switch-mac-policy "nacpolicy-Vlan100"
    next
    edit "nacpolicy-Alice"
        set mac "xx:xx:xx:xx:xx:xx"
        set switch-fortilink "fortilink"
        set switch-mac-policy "nacpolicy-Vlan100"
    next
end


But if it is possible, you can use username and password authentication for users. You can authenticate a user with their username and password. Also, if you use this, you can use the user group in the NAC policy. In this way, you can handle all users with two policies. In my opinion, this is the best option for dynamic VLAN mapping.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
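The answer's point is that the per-MAC NAC policies are easiest to produce in bulk as CLI text rather than by hand. The following added example (not from the forum post or from Fortinet) generates such a `config user nac-policy` block from a constructed `name,mac,vlan` inventory, normalising the MAC notation so the same device entered twice in different formats is caught, and refusing an inventory that maps one MAC to two different VLANs. It assumes the `nacpolicy-Vlan<N>` MAC policy objects referenced by `switch-mac-policy` already exist on the FortiGate, and that the FortiLink interface is named `fortilink`, as in the answer.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inventory (not from the forum post): name,mac,vlan per line.
# MACs are deliberately given in mixed notations to exercise normalisation.
SAMPLE_DEVICES = """\
# name,mac,vlan
John,00:11:22:AA:bb:cc,100
Alice,0011.22aa.bbdd,100
Printer-1,00-11-22-AA-BB-EE,200
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_SAFE_NAME = re.compile(r"[^A-Za-z0-9_-]")


def normalize_mac(raw: str) -> str:
    """Accept colon, dash or dotted notation; return lowercase aa:bb:cc:dd:ee:ff.

    A canonical form matters because a MAC entered twice in different
    notations must be recognised as the same device.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"invalid MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_devices(text: str) -> List[Tuple[str, str, int]]:
    """Parse 'name,mac,vlan' lines; reject one MAC mapped to two different VLANs."""
    seen: Dict[str, int] = {}
    devices: List[Tuple[str, str, int]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name,mac,vlan")
        name, mac, vlan = parts[0], normalize_mac(parts[1]), int(parts[2])
        if not 1 <= vlan <= 4094:
            raise ValueError(f"line {lineno}: VLAN {vlan} out of range")
        if mac in seen and seen[mac] != vlan:
            raise ValueError(f"line {lineno}: {mac} already mapped to VLAN {seen[mac]}")
        if mac in seen:
            continue  # exact duplicate entry, skip it
        seen[mac] = vlan
        devices.append((name, mac, vlan))
    return devices


def render_nac_policies(devices, fortilink: str = "fortilink") -> str:
    """Emit one 'config user nac-policy' block with an entry per device.

    The switch-mac-policy names follow the nacpolicy-Vlan<N> convention from
    the answer above; those MAC policy objects are assumed to exist already.
    Policy names are restricted to [A-Za-z0-9_-] so the inventory cannot inject
    extra CLI tokens into the generated configuration.
    """
    lines = ["config user nac-policy"]
    for name, mac, vlan in devices:
        safe = _SAFE_NAME.sub("_", name)
        lines += [
            f'    edit "nacpolicy-{safe}"',
            f'        set mac "{mac}"',
            f'        set switch-fortilink "{fortilink}"',
            f'        set switch-mac-policy "nacpolicy-Vlan{vlan}"',
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Paste the printed block into the FortiGate CLI, or keep it under version
    # control so the MAC-to-VLAN inventory is reviewed like any other config.
    print(render_nac_policies(parse_devices(SAMPLE_DEVICES)), end="")
```

Keeping the inventory file as the source of truth and regenerating the block on every change avoids drift between what is documented and what the FortiGate enforces; the conflict check is there because a MAC silently landing in the last VLAN listed is exactly the kind of error that goes unnoticed until a device ends up on the wrong segment.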