I have a small lab setup consisting of a Fortigate 40F-3G4G (7.2.8), a FortiSwitch 108E-POE (7.2.7) and a FortiAP 221E (7.2.3). They are being managed by FortiManager Cloud (ADOM Version 7.2).
I am trying to configure some basic NAC policies for both the wired and wireless network. I have been able to get the wired network NAC working, but am having issues with the wireless NAC. I understand that with these Switch and Gate models connected directly NAC VLAN Segmentation is a no go, but I was able to still get NAC working on the wired LAN by disabling this.
With the wireless NAC, I am following this guide here (page 41). All the commands can be entered without issue, however step 4 (Enable NAC on the SSID and select the configured policy) just doesn't stick. If I enter it directly via CLI or via the CLI Configurations section of FortiManager, you do not see any errors. But then, when I check either via the CLI or on the CLI Configurations section of the GUI, NAC is disabled.
My question is whether what I'm trying to do is actually impossible in this setup (due to NAC VLAN Segmentation limitations) or whether I potentially have another issue?
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hi Anthony,
I have also logged this with TAC, and the FortiManager team are looking into it. I'll update this post with any of their findings.
Just to clarify the issue. I can follow the guide and get everything working using the CLI. The config will sync back to FortiManager OK. But, as soon as I go through the install wizard from FortiManager back to the Gate (even without making any further changes to actually install), FortiManager installs CLI commands that disable NAC on the VAP and deletes any manually added NAC policies (see Install Preview).
Like I say, I think this might be some limitation with NAC with this particular combo of devices, but it does work fine when set up using CLI so I'm not sure. Could be me just doing something wrong. This setup is just part of a little lab I'm using for training. I'll update as soon as I know more.
Thanks a lot for your help on it. We leave this topic open then.
Just to keep this post updated.
To answer my own question, no, there are no limitations with this combination of hardware. I had a call with TAC, and even though we couldn't get it working on the call, they did point me in the right direction as to where I was going wrong. The problem was down to me configuring this at the Device Manager level, directly on the CLI. Even though the Config was in sync, the Policy & Objects weren't. Whenever I then subsequently pushed any config down to the firewall, the FMG policies were overwriting anything I had configured on the CLI. Super obvious in hindsight.
We still couldn't find any specific step-by-step guide for setting this up via FortiManager, but for anyone who might be having an issue (and for my own future reference), here's the procedure. If any of this is wrong, I'm happy to be corrected. This is just working on my little lab network. Following the guide linked above for configuring this on CLI, then actually doing an 'Import Configuration' from the firewall might suffice, but to do it entirely within FortiManager: -
The Wired NAC wasn't an issue and I was able to get this working without any problems, but for completion, here's the procedure I followed (again, happy to be corrected on anything): -
That should be it. Plug a device into the NAC port and it should go into the 'wired_onboarding' VLAN. Create a NAC Policy in the same place you create them for the wireless devices - Policy & Packages > "Your-Policy" > NAC Policy and it should work.
Further update. See here - Technical Tip: How to create and apply NAC Policy into SSID.
Turns out there was a guide (for a part of it) created in May.