Support Forum
chami
New Contributor

Radius Authentication with Dynamic VLAN Assignment

I have a question regarding a Radius Server with Dynamic VLAN Assignment for SSID profiles.

Basically, I would like to have Dynamic VLAN Assignment and VLAN pooling enabled. I am running the 7.4.5 code version, and whenever I enable Dynamic VLAN Assignment, it disables VLAN pooling. I did find documentation saying that, as of version 7.4.1, both dynamic VLAN assignment and VLAN pooling are possible, reference:

https://docs.fortinet.com/document/fortigate/7.4.0/new-features/924614/support-dynamic-vlan-assignme...

However, this is not working in the 7.4.5 code version. I would really like to have this feature that supports VLAN pooling with Radius, because this setting (called "RADIUS Server Overwrite interface" in Cisco and "Radius With VLAN Pooling" in Meru) allows us to have restricted access and unrestricted access at the same time based on the Network Policy Server rules. This makes it easier to have users in groups tied to authentication, where a user who is not allowed will still have restricted access, and allowed users get unrestricted access when the server sends a tag (or VLAN ID) back to the controller to place the user in a specific VLAN.

I would like this as a feature request if any engineer sees this and it is not possible; or, if it is possible, how to achieve it.

Thank You.
2 Solutions
scitlak
Staff

Hi,

According to the guide/method you referred to at the beginning of the conversation, you do not need to enable this option.

Please look at my config.

[four configuration screenshots attached in the original post]

However, if you would like to use "VLAN assignment by FortiAP group" or "VLAN assignment by VLAN pool", you will need it. Please look at the below docs.
https://docs.fortinet.com/document/fortiap/7.6.0/fortiwifi-and-fortiap-configuration-guide/153336/vl...
https://docs.fortinet.com/document/fortiap/7.6.0/fortiwifi-and-fortiap-configuration-guide/84238/vla...


 

14 REPLIES
johnathan
Staff

Are you able to elaborate a bit more on what is not working when you have Dynamic VLAN assignment enabled? As per the document, it should assign clients round-robin to the VLANs, just like in VLAN Pooling.

"Never trust a computer you can't throw out a window."
chami
New Contributor

So, basically, when I enable Dynamic VLAN assignment, it turns off VLAN pooling.

According to the link I pasted, you can see that for the SSID interface we can enable dynamic VLAN assignment and then specify the VLAN pool, which is not possible in the 7.4.5 code version.

The commands below are not possible in code version 7.4.5:

config wireless-controller vap
    edit "wifi.fap.02"
        set ssid "Example_SSID"
        set dynamic-vlan enable
        config vlan-name
            edit "data"
                set vlan-id 100 200 300
            next
            edit "voip"
                set vlan-id 100
            next
        end
    next
end

To elaborate on what I am trying to accomplish: there are two groups, Group A and Group B users, in the Windows server. Group A is the filtered group with restrictions, Group B is unfiltered. When a user connects via 802.1X, the server looks at the user's group, identifies that this specific user is in the filtered group, and sends the tag (for example, VLAN 200) back to the controller; the controller then processes it and puts the user into VLAN 200. Another example: when a user who has full access connects, the user is authenticated by the Radius server, the server looks up the policy, decides this user does have full access, and puts them into VLAN 300.

Instead of a user being put into one VLAN, I need multiple filtered VLANs, on which a user with limited rights can be placed by the Radius server. That is the question: what configuration would accomplish both having multiple restricted VLANs that a user can be placed on, based on the Radius server NPS policy, and passing a tag called 300 if the user is found to be unfiltered?

ebilcari

Just by having 'Dynamic VLAN assignment' enabled is enough to move hosts to the desired VLANs based on the policies in the RADIUS server. All the necessary host grouping is done through the RADIUS server policies. VLAN pooling is some basic technique to share the hosts in different VLANs just randomly to distribute the load.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
chami
New Contributor

When the Radius server sends the override tag, let's say to place a user into a filtered VLAN, the controller has to place the client into the desired VLAN, which VLAN pooling will fulfil. So, as it is without using VLAN Pooling, suppose we have filtered VLANs 100, 200, 300, 400: does this mean that the user will always be placed only in VLAN 100, not 200, 300 or 400, if the Radius server policy says to put a client into a filtered VLAN? Therefore, like you said, the load balancing option is not available.

ebilcari

The new feature you are mentioning 'Dynamic VLAN assignment with multiple VLAN IDs per Name Tag' isn't related to the 'VLAN pooling' and for now seems configurable only from the CLI.

As shown in the guide, if the RADIUS server is configured to respond with a tag, it will round-robin across up to 8 different VLANs:
This update allows for multiple VLAN IDs to be configured per name tag, up to a maximum of 8 VLAN IDs. Once wireless clients connect to the SSID, the FortiGate wireless controller can assign the VLAN ID by a Round-robin method from the pool to ensure optimal utilization of VLAN resources.

 

and with "the pool" it refers to:

config vlan-name
    edit "data"
        set vlan-id 100 200 300

not to:

set vlan-pooling round-robin
config vlan-pool
    edit 3
    next

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
scitlak
Staff

Hi,

I have tested the below-explained configuration in my lab with FOS 7.4.5, and it works properly.

FGT 60F, version 7.4.5

Radius: FortiNAC

https://docs.fortinet.com/document/fortigate/7.4.0/new-features/924614/support-dynamic-vlan-assignme...

 

The below part of the configuration is just to assign the VLAN ID by a Round-robin method from the pool to ensure optimal utilization of VLAN resources.

config vlan-name
    edit "data"
        set vlan-id 100 200 300
    next
    edit "voip"
        set vlan-id 100
    next

When you use this configuration, you need to send the "data" or "VoIP" value from the Radius server in the "tunnel-private-group-id" attribute instead of sending a VLAN ID.

On the other hand, you do not have to use the "config vlan-name" configuration. In that case, you just need to send a VLAN ID in "tunnel-private-group-id", and the host will get the VLAN ID sent directly by Radius in "tunnel-private-group-id".
chami
New Contributor

Hello!

You do not have this command defined:

set dynamic-vlan enable

In the GUI, if I enable dynamic VLAN, it disables VLAN pooling. So, without defining "set dynamic-vlan enable", and with VLAN IDs defined like you tested, would the Radius override tag still work? Also, does "set vlan-id 100 200 300" enable VLAN pooling, or if not, where do I enable VLAN pooling? My understanding is that "set dynamic-vlan enable" will enable Radius to send the tag ID and select any VLAN defined by the "set vlan-id 100 200 300" command.

scitlak
Staff
Staff

Hi,

I have configured "set dynamic-vlan enable" and "config vlan-name". I checked it again, and disabled and enabled the "set dynamic-vlan enable" option via the GUI, but it did not remove any config under the SSID.
If you have only "set dynamic-vlan enable", you need to send the VLAN ID directly from your Radius with "Tunnel-private-group-ID".
If you have "set dynamic-vlan enable" and "config vlan-name", you need to send a tag like "data" or whatever you configured.
When you use "config vlan-name", the FGT should assign the next VLAN to the next client, like below:
Client 1 --> VLAN 100
Client 2 --> VLAN 200
Client 3 --> VLAN 300
Client 4 --> VLAN 100

However, when you set just "set dynamic-vlan enable", you need to send the VLAN ID directly, and it should be assigned to the client.
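The two cases scitlak lays out (a vlan-name tag served round-robin from its ID list, versus a bare VLAN ID applied directly), and ebilcari's point that this is independent of vlan-pooling, can be illustrated with a small model. The Python below is added for this thread and is not FortiOS code nor anything from the Fortinet documentation. The vlan-name table is the one from the CLI example in the thread; the RADIUS attribute numbers (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81) and the tag-byte layout come from RFC 2868; the class and function names, and the rule that an unknown tag is refused, are assumptions made for the model.

```python
import struct
from itertools import cycle

# RFC 2868 tunnel attribute numbers and the values used for 802.1X VLAN assignment.
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # string: a VLAN ID, or a FortiGate vlan-name tag
MAX_IDS_PER_TAG = 8            # limit quoted from the 7.4.1 feature note in the thread

# The "config vlan-name" table from the thread's CLI example (name tag -> VLAN IDs).
VLAN_NAMES = {
    "data": [100, 200, 300],
    "voip": [100],
}


def build_vlan_attributes(group_id, tag=0):
    """Encode the three tunnel attributes a RADIUS server puts in an Access-Accept
    to assign a VLAN. group_id is the Tunnel-Private-Group-ID string: either a
    VLAN ID such as "400" or a vlan-name tag such as "data"."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tag byte must be 0..31")
    value = group_id.encode("ascii")
    if len(value) > 252:                     # one-byte length; header and tag use 3 bytes
        raise ValueError("Tunnel-Private-Group-ID too long")
    # Tagged integer attributes: type(1) length(1) tag(1) value(3) -> length 6.
    tunnel_type = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + (13).to_bytes(3, "big")
    medium_type = struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + (6).to_bytes(3, "big")
    group = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(value), tag) + value
    return tunnel_type + medium_type + group


def parse_group_id(attrs):
    """Walk a RADIUS attribute list and return the Tunnel-Private-Group-ID string,
    rejecting truncated or zero-length attributes instead of guessing."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            body = attrs[i + 2:i + alen]
            # A leading byte in 0x00..0x1F is the RFC 2868 tag, not part of the string.
            if body and body[0] <= 0x1F:
                body = body[1:]
            return body.decode("ascii")
        i += alen
    raise ValueError("no Tunnel-Private-Group-ID in Access-Accept")


class DynamicVlanController:
    """Assumed model (not FortiOS code) of the two cases described in the thread:
    a known vlan-name tag is served round-robin from its ID list; anything else
    must be a plain VLAN ID and is applied directly."""

    def __init__(self, vlan_names):
        for name, ids in vlan_names.items():
            if not 1 <= len(ids) <= MAX_IDS_PER_TAG:
                raise ValueError(f"vlan-name {name!r} must list 1..{MAX_IDS_PER_TAG} IDs")
            if any(not 1 <= v <= 4094 for v in ids):
                raise ValueError(f"vlan-name {name!r} has an invalid VLAN ID")
        self._pools = {name: cycle(ids) for name, ids in vlan_names.items()}

    def assign(self, group_id):
        if group_id in self._pools:
            return next(self._pools[group_id])        # next VLAN in the tag's pool
        if group_id.isdigit() and 1 <= int(group_id) <= 4094:
            return int(group_id)                      # VLAN ID sent directly by RADIUS
        # Assumption for this model: an unknown tag is refused rather than mapped to a default.
        raise ValueError(f"unknown vlan-name tag {group_id!r}")


def demo():
    """Four clients whose Access-Accept carries "data", then one that carries "400"."""
    ctrl = DynamicVlanController(VLAN_NAMES)
    accept = build_vlan_attributes("data")
    by_tag = [ctrl.assign(parse_group_id(accept)) for _ in range(4)]
    direct = ctrl.assign(parse_group_id(build_vlan_attributes("400")))
    return by_tag, direct


if __name__ == "__main__":
    print(demo())   # ([100, 200, 300, 100], 400)
```

Running `demo()` reproduces the Client 1..4 sequence from the post (100, 200, 300, 100) for the "data" tag and a direct placement into VLAN 400 when the server sends a bare ID. The parser deliberately fails on truncated attributes and on a tag the controller has no entry for, so a RADIUS policy typo shows up as a refused assignment rather than a client silently landing in the first VLAN.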

 

 

 

chami
New Contributor

What I am saying is that if you enable dynamic VLAN in the GUI, it disables the VLAN pooling slider. That prevents assigning multiple VLANs in the 7.4.5 code version. Have you tried that?
