JLpanda
New Contributor II

Wireless NAC limitations with FortiGate 40F & FAP-221E

I have a small lab setup consisting of a FortiGate 40F-3G4G (7.2.8), a FortiSwitch 108E-POE (7.2.7) and a FortiAP 221E (7.2.3). They are being managed by FortiManager Cloud (ADOM Version 7.2).


I am trying to configure some basic NAC policies for both the wired and wireless network. I have been able to get the wired network NAC working, but am having issues with the wireless NAC. I understand that with these Switch and Gate models connected directly NAC VLAN Segmentation is a no go, but I was able to still get NAC working on the wired LAN by disabling this.


With the wireless NAC, I am following this guide here (page 41). All the commands can be entered without issue; however, step 4 (Enable NAC on the SSID and select the configured policy) just doesn't stick. If I enter it directly via CLI or via the CLI Configurations section of FortiManager, you do not see any errors. But then, when I check either via the CLI or on the CLI Configurations section of the GUI, NAC is disabled.


My question is whether what I'm trying to do is actually impossible in this setup (due to NAC VLAN Segmentation limitations), or do I potentially have another issue?

Anthony_E
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello,


We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
JLpanda
New Contributor II

Hi Anthony,


I have also logged this with TAC, and the FortiManager team are looking into it. I'll update this post with any of their findings.


Just to clarify the issue: I can follow the guide and get everything working using the CLI. The config will sync back to FortiManager OK. But, as soon as I go through the install wizard from FortiManager back to the Gate (even without making any further changes to actually install), FortiManager installs CLI commands that disable NAC on the VAP and delete any manually added NAC policies (see Install Preview).


[Screenshot: FMG Install Preview]


Like I say, I think this might be some limitation with NAC with this particular combo of devices, but it does work fine when set up using CLI so I'm not sure. Could be me just doing something wrong. This setup is just part of a little lab I'm using for training. I'll update as soon as I know more.

Anthony_E
Community Manager

Thanks a lot for your help on it. We leave this topic open then.

Anthony-Fortinet Community Team.
JLpanda
New Contributor II

Just to keep this post updated.


To answer my own question: no, there are no limitations with this combination of hardware. I had a call with TAC, and even though we couldn't get it working on the call, they did point me in the right direction as to where I was going wrong. The problem was down to me configuring this at the Device Manager level, directly on the CLI. Even though the config was in sync, the Policy & Objects weren't. Whenever I then subsequently pushed any config down to the firewall, the FMG policies were overwriting anything I had configured on the CLI. Super obvious in hindsight.


We still couldn't find any specific step-by-step guide for setting this up via FortiManager, but for anyone who might be having an issue (and for my own future reference), here's the procedure. If any of this is wrong, I'm happy to be corrected. This is just working on my little lab network. Following the guide linked above for configuring this on the CLI and then actually doing an 'Import Configuration' from the firewall might suffice, but to do it entirely within FortiManager:


  1. Create an SSID - No IP, just a name (My SSID), SSID (my-ssid) and password.
  2. Add the SSID to the Operation Profile used by the APs.
  3. Install.
  4. From Device Manager, create two new interfaces (eg, 'wifi_onboarding' & 'wifi_access'). Make them a sub interface of the 'My SSID' interface.  Give them an IP and enable DHCP and Device Detection.
  5. Attach to a newly created Normalized Interface with the same names ('wifi_onboarding' & 'wifi_access').
  6. Install.
  7. Under Policy & Objects > Advanced > CLI Configurations > wireless-controller > nac-profile, create a new nac-profile ('my-nac-profile'), making the onboarding VLAN 'wifi_onboarding'.
  8. Under Policy & Objects > Advanced > CLI Configurations > wireless-controller > vap, enable nac and choose the nac-profile in the drop-down box.
  9. Install.
  10. Test that the SSID works and the client device is added to the 'wifi_onboarding' VLAN.
  11. Under Policy & Objects > Policy Packages > "Your-Policy" > NAC Policy, create a new NAC policy for the test client. Set the device to go into the 'wifi_access' VLAN.
  12. Install (note this creates an ssid-policy under Advanced > CLI Configurations specifically for this device, unlike when configuring this locally using the CLI, where you create a single SSID policy and apply it to multiple devices?).
  13. Retest the client. It should now work and will go onto the 'wifi_access' VLAN.

The wired NAC wasn't an issue and I was able to get this working without any problems, but for completeness, here's the procedure I followed (again, happy to be corrected on anything):


  1. FortiSwitch Manager > FortiSwitch VLANs: create an onboarding VLAN (e.g. 'wired_onboarding') and one or more access VLANs (e.g. 'wired_access'). Enable Device Detection but don't configure any IP or DHCP settings.
  2. For each VLAN, add a Per-Device Mapping. Select your FortiGate, give it a VLAN ID, IP address & DHCP settings. (For both the wired and wireless onboarding VLAN, I've set the DHCP lease time down to the minimum of 300s. Not sure if that's recommended or not.)
  3. FortiSwitch Manager > FortiLink Settings: create a new record. Give it a name ('my-fortilink-settings') and set the onboarding VLAN to 'wired_onboarding'. In my lab, I've disabled NAC VLAN segmentation. I know there is some limitation using this with my particular switch (108E-POE) and Gate (40F) connected directly, so I've not even bothered to play around with this.
  4. FortiSwitch Manager > VDOM Settings: edit the VDOM Settings for your FortiGate. Change the NAC Settings to the 'my-fortilink-settings' you've just created.
  5. Install.
  6. Change the FortiSwitch Template for your switch so that one of the ports is set in NAC mode.
  7. Install.

That should be it. Plug a device into the NAC port and it should go into the 'wired_onboarding' VLAN. Create a NAC Policy in the same place you create them for the wireless devices - Policy & Packages > "Your-Policy" > NAC Policy and it should work.
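For reference, the end state the wireless steps above produce, written out as FortiOS CLI objects. This is an added illustration, not taken from the thread or from Fortinet's guide: the object names follow the procedure, but the attribute names, the assumption that the SSID and VLAN sub-interfaces already exist (steps 1 to 6), and the client MAC are my own and should be checked against the FortiOS 7.2 CLI reference. As the thread explains, these objects need to be owned by FortiManager's Policy & Objects; typed directly on the FortiGate they sync to Device Manager but are reverted by the next policy package install.

```fortios
# Assumed: VAP 'my-ssid' and its VLAN sub-interfaces
# 'wifi_onboarding' / 'wifi_access' already exist.

# Step 7: NAC profile; unknown clients land in the onboarding VLAN
config wireless-controller nac-profile
    edit "my-nac-profile"
        set onboarding-vlan "wifi_onboarding"
    next
end

# Step 8: enable NAC on the SSID and attach the profile
config wireless-controller vap
    edit "my-ssid"
        set nac enable
        set nac-profile "my-nac-profile"
    next
end

# Step 11: SSID policy naming the access VLAN, and a NAC policy that
# maps one known client (constructed MAC, not a real device) onto it
config wireless-controller ssid-policy
    edit "wifi_access_policy"
        set vlan "wifi_access"
    next
end
config user nac-policy
    edit "lab-test-client"
        set category device
        set mac "00:11:22:33:44:55"
        set ssid-policy "wifi_access_policy"
        set status enable
    next
end

# Check after each FortiManager install: if 'set nac enable' is no
# longer shown under the VAP, the install reverted it (the symptom
# described in this thread).
show wireless-controller vap
show wireless-controller nac-profile
```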



JLpanda
New Contributor II

Further update. See here: Technical Tip: How to create and apply NAC Policy into SSID.

Turns out there was a guide (for a part of it) created in May.
