Hi Guys,
I having some issues understanding how to configure FortiNAC to authenticate and grant access to guest/contractor users connecting via a guest ssid created on fortiGate.
This is what i have setup already:
I simply want guest users connecting to the SSID to be authenticated by FortiNAC and be granted access to the wireless network so they can browse the internet. I cant seem to find any configuration examples for this. I see documents speaking to creating Logical Networks etc. The term Model Configuration also comes up, but I dont see this tab for the FortiGate in the Network -> Inventory view. I'm been struggling with this for months. Please help.
the model configuration from FortiNAC can be found in Virtualized Devices, like:
From FGT you have to enable MAC address filtering on that SSID and the RADIUS server pointing to FortiNAC and enable Dynamic VLAN:
For the captive portal to work you need to configure the DHCP server relay to point to FNAC eth1 interface. Portal redirection is done through DNS only. There is no need to enable captive portal on FGT or put an url, it will not work like that
The SSID should include at least two VLANs, registration and access:
You can also take a look at this step by step guide, it's for wired but share the same logic steps: https://community.fortinet.com/t5/FortiNAC/Technical-Tip-FortiNAC-Guest-Captive-Portal-configuration...
A couple of things:
I think the 'Logical Network' is associated with the 'Model Configuration' which I mentioned I am not able to see from before. I am not seeing the 'Virtualized Devices' tab either
1. I don's see a 'Virtualized Devices' Tab - You have to check FGT modeling, something is wrong there, r-click Set Device Mapping
2. Are you sure Dynamic VLAN assignment is available for an SSID in Bridge mode? - Yes they are, basically the AP will tag the user traffic directly and put it on the switch port, you don't have to configure it under SSID.
3. If I don't configure the SSID to use captive Portal in the FGT, which Authentication scheme should be selected when configuring the SSID? - Just leave it open or PSK if you want but put FNAC as DHCP and DNS server, it will put the users in registration VLAN that you can limit access to FNAC only. Registration VLAN should include the network configurations and dhcp relay.
4. I think the 'Logical Network' is associated with the 'Model Configuration' which I mentioned I am not able to see from before. I am not seeing the 'Virtualized Devices' tab either - Yes, but it looks like your FGT is not properly modeled, you should also see the SSID tab
How do I 'Check FGT Modeling'? This is what I see when I r-click and 'Set Device Mapping':
Dynamic VLAN assignment is only available when 'RADIUS Server' is enabled under 'Client MAC Address Filtering' for tunnel mode SSIDs. The option is not there for Bridge Mode SSIDs. Are you saying I dont need to configure it at all now?
I have a VLAN created on the FGT for registration. It uses DHCP relay to point the FNAC. Should I then configure the 'Optional VLAN ID' field in the SSID to this VLAN so that when clients associate to the SSID they a placed in this VLAN?
Is there not a cookbook example specifically showing how to do this with a FGT, starting from modeling right through to configuring the SSID and captive portal?
I just blew away the device from the inventory and re-added it. I'm seeing the tabs you mentioned now:
It should be available for both Bridge or tunnel mode:
In bridge mode you still need to configure every other step apart from the VLANs inside the SSID.
From FortiNAC in model configuration you have to add this:
than continue following the logic of the wired guest authentication article.
Thanks for you help so far.
Question: If I configure the SSID using WPA personal, what will happen when the user connects to the SSID? Will they not be prompted for a passphrase? Or will this be overridden by the FortiNAC captive portal once I have the isolation VLAN configured in the optional VLAN ID field in the SSID configuration?
Please bear with me. A lot of things don't make sense to me when in comes to this configuration.
Created on 03-20-2023 01:38 AM Edited on 03-20-2023 01:50 AM
No worries, WPA personal or open SSID is the same from FNAC perspective and the authentication, this is just a choice. If you use WPA the users should enter the password first access the SSID than do the authentication via the portal, it's more like for encryption part. I don't want to leave the Wi-Fi traffic unencrypted.
VLAN assignment will come from RADIUS server (FNAC) there is no need to use "Optional VLAN ID".
You can read more about VLAN assignment by RADIUS here:
https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/451754/dynamic-vlan-name-assignment-from...
I am not seeing an option for open security. I just testing it with the WPA and I see where it asks for a a passphrase. This workflow won't be acceptable since it requires providing guests with a passphrase outside of providing them with a sponsor email address.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.