Manual switchport/SSID changes when using FortiNAC
Let's say I have a switch/AP that is being managed by a platform like FortiManager or Mist (Juniper). If changes are made with these tools, I'm assuming that:
- NAC will poll the switch/AP as usual and get the new parameters like VLAN ID, etc.
- Run policies as usual and make changes to switchports accordingly.
Is this correct?
Any best practices for NAC when using such management tools?
Don
Labels: FortiNAC
As per my knowledge FortiManager manages FortiSwitches and FortiAPs only if they are managed by FortiGate.
- In that case, NAC will poll FortiGate to read the switch port status, VLAN ID and so on; it will not poll the AP and switch directly, but through FGT.
- NAC runs policies as usual and makes changes to switch-ports and AP through FortiGate, not directly.
FortiNAC also manages standalone FortiSwitch.
Check the below docs for both cases.
Hope it helps.
Technically, each time a device configuration is done outside of FNAC, a manual 'Resync Interfaces' needs to be performed (it can also be scheduled, as shown here). Depending on the type and the frequency of the configuration changes done externally, it may have undesired results for the integration with FNAC.
I would suggest using RADIUS and dynamic VLAN assignments in order not to rely on configuration changes for changing VLANs or enforcing policies.
If you have found a solution, please like and accept it to make it easily accessible for others.
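The dynamic VLAN assignment suggested in the answer above works by the RADIUS server (FortiNAC in this thread) returning the RFC 2868/3580 tunnel attributes in an Access-Accept, so the switch sets the port VLAN itself and no out-of-band switchport edit is needed. The following is an added example, not code from the thread or from Fortinet: it encodes that attribute triple and parses it back with the validity checks an authenticator applies (tag consistency, Tunnel-Type = VLAN, Medium = IEEE-802, well-formed lengths). The attribute numbers are from the RFCs; the sample payloads are constructed here, not captures.

```python
"""Build and parse RFC 2868/3580 RADIUS tunnel attributes for dynamic VLAN assignment."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 3580 section 3.31


def _attr(atype: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: type(1) length(1, includes the 2-byte header) value
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_vlan_attrs(vlan: str, tag: int = 1) -> bytes:
    """Encode the three tagged tunnel attributes that assign VLAN `vlan` to a port."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    t = struct.pack("!B", tag)
    return (
        _attr(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _attr(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _attr(TUNNEL_PRIVATE_GROUP_ID, t + vlan.encode("ascii"))
    )


def parse_vlan(attrs: bytes):
    """Return the VLAN string if `attrs` is a valid VLAN assignment, else None.
    Requires all three attributes, one consistent tag, Tunnel-Type=VLAN, Medium=IEEE-802."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            return None                       # truncated header
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            return None                       # malformed length: reject the whole set
        value = attrs[i + 2:i + alen]
        i += alen
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:               # tag byte + 3-byte integer
                return None
            found[atype] = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                return None
            # RFC 2868 3.6: a leading byte > 0x1F is string data, not a tag
            tag, group = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            found[atype] = (tag, group.decode("ascii", "replace"))
    if len(found) != 3 or len({v[0] for v in found.values()}) != 1:
        return None
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN or found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    return found[TUNNEL_PRIVATE_GROUP_ID][1]
```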
