I now use a FAC VM to do 802.1X authentication on the network (machine authentication). It is the FAC that sends the VLAN ID when authentication succeeds. Is it possible to filter on computers and apply a different VLAN depending on the computer?
Example: the PCs of the marketing department must be in VLAN 2 and the PCs of the IT department must be in VLAN 3.
Today all the PCs are in the same VLAN. I cannot configure the FAC with different VLANs; I do not see how to filter on computers.
Thank you for your help.
I haven't gotten this set up yet on my network but want to.
It would involve a few main things:
You are on the right track. Remote user sync rules can sync LDAP users to "remote users" storage (known to FAC, but authentication is proxied to LDAP/AD as FAC does not have the user's LDAP password) and automatically assign them to groups.
In the RADIUS client profile, set authentication to that LDAP (assuming all the users are from the same AD/domain/LDAP) and choose those two remote groups (one group VLAN-2, one group VLAN-3). Then assign the proper RADIUS AVP (the one you are using to pass the VLAN to the NAS) containing the proper VLAN to each group.
FAC side done.
Kind regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
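As an added example (not code from the post or from Fortinet), the following shows what the "RADIUS AVP containing the proper VLAN" actually is on the wire: the three RFC 2868 tunnel attributes that RFC 3580 specifies for dynamic VLAN assignment (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>), which is what the NAS expects in the Access-Accept. The machine-to-group mapping uses the `host/<computername>` identity that Windows machine authentication presents; the hostname prefixes `mkt-` and `it-`, the group names and the tag value 1 are assumptions for illustration, not something the thread states.

```python
import re
import struct

# RFC 2868 attribute types and the values RFC 3580 uses for VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed mapping (assumption): group name -> VLAN pushed to the NAS.
GROUP_VLANS = {
    "VLAN-2": 2,   # marketing PCs
    "VLAN-3": 3,   # IT PCs
}

# Constructed rules (assumption): match on the machine identity, which for
# Windows machine auth is "host/<computername>[.<domain>]".
GROUP_RULES = [
    (re.compile(r"^host/mkt-", re.IGNORECASE), "VLAN-2"),
    (re.compile(r"^host/it-", re.IGNORECASE), "VLAN-3"),
]


def group_for_machine(identity):
    """Return the first group whose rule matches the machine identity, else None."""
    for pattern, group in GROUP_RULES:
        if pattern.search(identity):
            return group
    return None


def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: Type, Length, Tag, 3-byte big-endian value."""
    body = bytes([tag]) + struct.pack("!I", value)[1:]
    return bytes([attr_type, 2 + len(body)]) + body


def tagged_string(attr_type, tag, value):
    """RFC 2868 tagged string: Type, Length, Tag, string bytes."""
    body = bytes([tag]) + value.encode("ascii")
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_attributes(vlan_id, tag=1):
    """The three attributes a switch needs to place the port in vlan_id."""
    return (
        tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id))
    )


def decode_attributes(raw):
    """Parse the TLVs back into {type: (tag, value)} so a reply can be checked."""
    out = {}
    i = 0
    while i < len(raw):
        atype, alen = raw[i], raw[i + 1]
        body = raw[i + 2:i + alen]
        tag = body[0]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            value = int.from_bytes(body[1:], "big")
        else:
            value = body[1:].decode("ascii")
        out[atype] = (tag, value)
        i += alen
    return out


def access_accept_vlan(identity):
    """Attributes for the Access-Accept, or None if the machine matches no group
    (a machine that matches no group gets no VLAN rather than a default one)."""
    group = group_for_machine(identity)
    if group is None:
        return None
    return vlan_attributes(GROUP_VLANS[group])


if __name__ == "__main__":
    for ident in ("host/mkt-pc01.corp.example", "host/it-pc07.corp.example", "host/finance-pc01"):
        attrs = access_accept_vlan(ident)
        print(ident, "->", decode_attributes(attrs) if attrs else "no group, reject")
```

The point to check on the switch side is that it accepts the tag value you send: RFC 2868 treats tags 0x01 to 0x1F as group markers, and some NAS implementations ignore a tag of 0x00 on Tunnel-Private-Group-ID, so keep all three attributes on the same non-zero tag.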
Hello
Thank you for your reply. I managed to create two groups and assign one VLAN per group. I use machine authentication. In the RADIUS Service Client, I do not see how to specify multiple groups (Check machine authentication / Override group membership when only machine authenticated). Thank you.
Someone else may know better, but I am not sure you want to override group membership in that bottom section.
I notice you already have multiple groups selected and mapped to that realm. As long as a given machine is only a member of a single group, I believe that will do what you need.
Let us know how it goes; very interested to see someone get this working on FAC!
Hello,
I managed to create rules in the user groups. Depending on the name of the machine, a specific VLAN is applied (RADIUS attribute).
The problem is that in the client configuration part, I cannot select multiple groups to perform machine authentication.
Thanks for your help.
Copyright 2024 Fortinet, Inc. All Rights Reserved.