Hello,

We are still looking for someone to help you.

We will come back to you ASAP.

Regards,

Hi Anthony,

I have also logged this with TAC, and the FortiManager team are looking into it. I'll update this post with any of their findings.

Just to clarify the issue. I can follow the guide, get everything working using CLI. The config will sync back to FortiManager ok. But, as soon as I go through the install wizard from FortiManager back to the Gate (even without making any further changes to actually install), FortiManager installs CLI commands that disable NAC on the VAP and deletes any manually added NAC-Policies (see Install Preview)

Like I say, I think this might be some limitation with NAC with this particular combo of devices, but it does work fine when set up using CLI so I'm not sure. Could be me just doing something wrong. This setup is just part of a little lab I'm using for training. I'll update as soon as I know more.

Thanks a lot for your help on it. We leave this topic open then.

Just to keep this post updated.

To answer my own question, no, there are no limitations with this combination of hardware. I had a call with TAC, and even though we couldn't get it working on the call, they did point me in the right direction as to where I was going wrong. The problem was down to me configuring this at the Device Manager level, directly on the CLI. Even though the Config was in sync, the Policy & Objects weren't.  Whenever I then subsequently pushed any config down to the firewall, the FMG policy's were overwriting anything I had configured on the CLI. Super obvious in hindsight. 

We still couldn't find any specific step-by-step guide for setting this up via FortiManager, but for anyone who might be having an issue (and for my own future reference), here's the procedure. If any of this is wrong, I'm happy to be corrected. This is just working on my little lab network. Following the guide linked above for configuring this on CLI, then actually doing an 'Import Configuration' from the firewall might suffice, but to do it entirely within FortiManager: -  

1. Create an SSID - No IP, just a name (My SSID), SSID (my-ssid) and password.
2. Add the SSID to the Operation Profile used by the APs.
3. Install.
4. From Device Manager, create two new interfaces (eg, 'wifi_onboarding' & 'wifi_access'). Make them a sub interface of the 'My SSID' interface.  Give them an IP and enable DHCP and Device Detection.
5. Attach to a newly created Normalized Interface with the same names ('wifi_onboarding' & 'wifi_access').
6. Install.
7. Under Policy & Objects > Advanced > CLI Configurations > wireless-controller > nac-profile, create a new nac-profile ('my-nac-profile'), making the onboarding VLAN 'wifi_onboarding'.
8. Under Policy & Objects > Advanced > CLI Configurations > wireless-controller > vap, enable nac and choose the nac-profile in the drop-down box.
9. Install.
10. Testing the SSID works and the client device is added to the 'wifi_onboarding' VLAN.
11. Under Policy & Objects > Policy Packages > "Your-Policy" > NAC Policy, create a new NAC policy for the test client. Set the device to go into the 'wifi_access' VLAN.
12. Install (note this creates an ssid-policy under Advanced > CLI Configurations specifically for this device, unlike when configuring this locally using the CLI were you create a single SSID policy and apply it to multiple devices?).
13. Retest the client. It should now work and will go onto the 'wifi_access' VLAN.

The Wired NAC wasn't an issue and I was able to get this working without any problems, but for completion, here's the procedure I followed (again, happy to be corrected on anything): - 

1. FortiSwitch Manager > FortiSwitch VLANs, Create an onboarding VLAN (e.g. 'wired_onboarding' and one or more access access VLANs e.g. 'wired_access'). Enable Device Detection but don't configure any IP or DHCP settings.
2. For each VLAN, add a Per-Device Mapping. Select your FortiGate, give it a VLAN ID, IP address & DHCP settings. (For both the wired and wireless onboarding VLAN, I've set the DHCP lease time down to the minimum of 300's. Not sure if that’s recommended or not).
3. FortiSwitch Manager > FortiLink Settings, Create a new record. Give it a name ('my-fortilink-settings') and select the onboarding VLAN to 'wired_onboarding'. In my lab, I've disabled NAC VLAN segmentation. I know there is some limitation using this with my particular switch (108E-POE) and Gate (40F) connected directly, so I've not even bothered to play around with this.
4. FortiSwitch Manager > VDOM Settings, Edit the VDOM Settings for your Fortigate. Change the NAC Settings to 'my-fortilink-settings' you've just created.
5. Install.
6. Change the FortiSwitch Template for your switch so that one of the ports is set in NAC mode.
7. Install.

That should be it. Plug a device into the NAC port and it should go into the 'wired_onboarding' VLAN. Create a NAC Policy in the same place you create them for the wireless devices - Policy & Packages > "Your-Policy" > NAC Policy and it should work.

Further update. See here - Technical Tip: How to create and apply NAC Policy into SSID.

Turns out there was a guide (for a part of it) created in May.