Hi Guys,
I am having some issues understanding how to configure FortiNAC to authenticate and grant access to guest/contractor users connecting via a guest SSID created on FortiGate.
This is what I have set up already:
I simply want guest users connecting to the SSID to be authenticated by FortiNAC and be granted access to the wireless network so they can browse the internet. I can't seem to find any configuration examples for this. I see documents speaking to creating Logical Networks etc. The term Model Configuration also comes up, but I don't see this tab for the FortiGate in the Network -> Inventory view. I've been struggling with this for months. Please help.
Had to turn on 'Open SSID' feature in 'Feature Visibility' section.
In order to use an open SSID you have to enable it as a feature in FGT: System > Feature Visibility > [Wireless Open Security].
You can also manually set the security for a specific SSID from the CLI (# set security open), but the GUI is the easiest step.
So I was able to set the SSID as open, and I set the Optional VLAN ID to the isolation VLAN created on the FortiLink, which is on the same network as the FortiNAC eth1 interface. So when the user associates, they get an IP from FortiNAC and are redirected to the portal. The client is able to self-register, and the sponsor gets the request and approves it successfully. Credentials are sent to the user on the portal page and they authenticate successfully, getting the success message.
However, after the progress bar reaches 100%, a message pops up saying 'Failed to detect a Change in Your network Settings, Retrying...'. Can someone walk me through an example Network Access Policy for this scenario I'm trying to achieve?
PS. I did find this document. https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Captive-Portal-Registration-Failed-to-detec...
Made the changes but it doesn't seem to have any effect.
This error is related to VLAN change and CoA. The SSID should have been configured in advance with the registration and production VLANs. After successful user login, FNAC should respond with the production VLAN and a CoA request to bounce the end host to the new VLAN, done via RADIUS.
For this on FGT you have to add this command under RADIUS server configuration:
config user radius
    edit "FNAC"
        set radius-coa enable
    next
end
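An added troubleshooting example, not part of the thread: a small decoder for RADIUS payloads taken from a capture between FortiNAC and the FortiGate, reporting which VLAN an Access-Accept carried and whether a CoA or Disconnect request (RFC 5176) was sent and acknowledged. The function names and the sample packets (VLAN 20, the MAC address, the packet IDs) are constructed for illustration.

```python
import struct

# RADIUS packet codes (RFC 2865, RFC 5176).
CODES = {2: "Access-Accept", 40: "Disconnect-Request", 41: "Disconnect-ACK",
         42: "Disconnect-NAK", 43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}

def parse_radius(pkt: bytes) -> dict:
    """Decode the header plus the VLAN, station and Error-Cause attributes."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("length field does not match the datagram")
    out, pos = {"code": CODES.get(code, str(code)), "id": ident}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, val = pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]
        if atype == 31:                       # Calling-Station-Id (client MAC)
            out["station"] = val.decode("ascii", "replace")
        elif atype == 64 and len(val) == 4:   # Tunnel-Type, 13 means VLAN
            out["tunnel_type"] = int.from_bytes(val[1:], "big")
        elif atype == 81 and val:             # Tunnel-Private-Group-ID (VLAN)
            raw = val[1:] if val[0] <= 0x1F else val  # drop optional tag byte
            out["vlan"] = raw.decode("ascii", "replace")
        elif atype == 101 and len(val) == 4:  # Error-Cause carried in a NAK
            out["error_cause"] = int.from_bytes(val, "big")
        pos += pkt[pos + 1]
    return out

def coa_verdict(packets) -> str:
    """Summarise whether a VLAN change was requested and acknowledged."""
    seen = [parse_radius(p) for p in packets]
    reqs = [p for p in seen if p["code"] in ("CoA-Request", "Disconnect-Request")]
    if not reqs:
        return "no CoA or Disconnect request seen"
    for p in seen:
        if p["id"] == reqs[-1]["id"] and p["code"].endswith("-NAK"):
            return f"request rejected, Error-Cause {p.get('error_cause')}"
        if p["id"] == reqs[-1]["id"] and p["code"].endswith("-ACK"):
            return "request acknowledged"
    return "request sent but never answered"

def build_pkt(code, ident, *attrs):  # builds the constructed samples below
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: Access-Accept with VLAN 20, a CoA-Request, a CoA-NAK.
ACCEPT = build_pkt(2, 7, (64, b"\x00\x00\x00\x0d"), (81, b"20"))
COA = build_pkt(43, 9, (31, b"AA-BB-CC-00-11-22"))
NAK = build_pkt(45, 9, (101, struct.pack("!I", 503)))
```

A verdict of "no CoA or Disconnect request seen" points at the FortiNAC side, while a NAK or an unanswered request points at the receiving device.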