0x1337
New Contributor

Policy for not assigning IP in LAN

Hello,

All clients are in the 192/24 network, and the DHCP server is installed on a Windows Server. I want new clients not to receive an IP address initially or to get immediate access to the internal network, but instead to be released through a policy. WLAN devices should be exempt from this, as they are connected to Ubiquiti APs with the 'Client Device Isolation' setting activated. These clients do not enter the internal local network anyway and should therefore not need to be released separately. Is there a way to solve this without VLANs?

sw2090
Honored Contributor

That has, AFAIK, to be done on the Windows DHCP server then. It must be configured to not give anyone an IP unless permitted to. The FortiGate can only relay DHCP requests to the Windows DHCP server.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

0x1337
New Contributor

Thank you for your response. I tried this on our Windows Server and activated the MAC Filter "Allow" and "Deny". Clients only receive an IP if they are in the "Allow" folder; otherwise, they are denied. The issue here is that all new Wi-Fi clients should be able to access the internet regardless without needing explicit permissions, as they are already isolated. For example, if a customer visits our company and wants to connect, they should be able to reach the internet. However, if someone comes with a notebook and tries to plug in a LAN cable, that should be denied.
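Added example, not code from the thread or from Fortinet: a PowerShell script that enforces the Windows DHCP Server MAC Allow list described above and then audits active leases against it. It assumes the DhcpServer module is available on the DHCP server and uses 192.168.0.0 as a placeholder scope ID for the 192/24 LAN; the MAC addresses are constructed samples.

```powershell
# Added example (not from the thread): enforce a Windows DHCP Server MAC
# Allow list, then audit active leases against it.
# Assumptions: DhcpServer module present (DHCP role or RSAT), run on the
# DHCP server, and $ScopeId is the wired LAN scope.
Import-Module DhcpServer

$ScopeId = '192.168.0.0'   # placeholder: replace with the real 192/24 scope

# Constructed sample MACs for known wired devices; not real hardware.
$AllowedWired = @{
    '00-11-22-33-44-55' = 'Workstation - Finance'
    '00-11-22-33-44-66' = 'Printer - 2nd floor'
}

# Normalise any MAC notation (colons, hyphens, case) to AA-BB-CC-DD-EE-FF
# so filter entries and lease ClientIds compare reliably.
function ConvertTo-NormalMac([string]$Mac) {
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { return $null }   # ignore non-MAC client IDs
    return ($hex -replace '(..)(?!$)', '$1-')
}

# 1. Populate the Allow list, skipping entries that already exist.
$existing = Get-DhcpServerv4Filter -List Allow |
    ForEach-Object { ConvertTo-NormalMac $_.MacAddress }
foreach ($mac in $AllowedWired.Keys) {
    if ($existing -notcontains (ConvertTo-NormalMac $mac)) {
        Add-DhcpServerv4Filter -List Allow -MacAddress $mac `
            -Description $AllowedWired[$mac]
    }
}

# 2. Switch enforcement on: with the Allow list enabled, the server answers
#    DHCPDISCOVER only for listed MACs and ignores everyone else.
Set-DhcpServerv4FilterList -Allow $true -Deny $false

# 3. Audit: active leases whose MAC is not on the Allow list were issued
#    before enforcement (or are stale) and should be reviewed.
$allowed = Get-DhcpServerv4Filter -List Allow |
    ForEach-Object { ConvertTo-NormalMac $_.MacAddress }
Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Where-Object {
        $_.AddressState -like 'Active*' -and
        $allowed -notcontains (ConvertTo-NormalMac $_.ClientId)
    } |
    Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime
```

The audit only sees DHCP clients, so a device with a static address bypasses both the filter and this check, which is the weakness AEK's reply raises. Wireless clients served from the same scope are blocked as well unless they get their own scope, which is why the later replies point to a separate guest subnet.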

AEK
Honored Contributor II

Hi

But if the client sets a static IP, he will be able to connect, right?

If so, then this is not a good setup, and you should do it otherwise. I think you have two choices:

  • VLAN separation + MAC filtering: provides average/acceptable security 
  • NAC: gives you maximum access security
AEK
saleha
Staff

Hi,

I think what you are looking for is a guest Wi-Fi, where users would still be assigned an IP, but from a different subnet, and policies would allow them access to the internet only; you can also have the added security of a captive portal, for example:

https://docs.fortinet.com/document/fortiap/7.0.0/fortigate-cloud-wlan-deployment-guide/542337/guest-...

Otherwise, I suggest NAC segmentation, but that would be using VLANs and assumes you have managed FortiSwitches in the environment:
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/856212/nac-lan-segments-7-0-1

saleha
