FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
ebilcari
Staff
Article Id 266446
Description

 

This article describes an example of how to set up FortiNAC in a simplified network. It additionally covers how to connect the ports and how to handle IP addressing. This is an example of Stage 2 from this article: Technical Tip: Comprehensive guide for a simple FortiNAC deployment.

 

The same scheme can also be used for larger setups, as long as the network provides routing and IP connectivity between the nodes.

 

Scope

 

All FortiNAC and FortiGate/FortiSwitch (VLAN change without RADIUS).

 

Solution

 

  1. Network design and IP planning.

The recommended and most commonly used type of deployment for FortiNAC is the L3 deployment. Below is an example:

FNAC - L3 simple setup.png


FortiNAC will need two separate interfaces in two different subnets that need to be routed in the network. Usually, the management interface (eth0/port1) should be reachable by network devices (SSH/SNMP/API/RADIUS) and from users that are in the production network (Agent, notifications, and scans).

The Isolation interface (eth1/port2) should be reachable from the managed network devices (DHCP relay) and directly from isolated hosts (DHCP/DNS/Portal access/Agent).

 

Routing and firewall policies on the network devices in between need to be implemented to allow this type of traffic.

 

FortiNAC will apply these network configurations while following the ConfigWizard steps:

 

  1. Configuring eth0 (management interface):

    eth0-net.PNG
  2. Configuring eth1 (isolation interface) and DHCP pools with network details for the isolation networks:

    ISOL:

    ISOL.PNG

    REG:

    REG.PNG

    REM:

    REM.PNG

  3. Routes for these isolation networks (DHCP pools) are created automatically and can be checked in the Additional Routes section:

 

Routes.PNG

 

From the CLI, it is possible to check the configuration after applying ConfigWizard:

 

> ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.5 netmask 255.255.255.0 broadcast 10.0.0.255

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.5.0.11 netmask 255.255.255.0 broadcast 10.5.0.255

eth1:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.5.0.12 netmask 255.255.255.0 broadcast 10.5.0.255

eth1:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.5.0.13 netmask 255.255.255.0 broadcast 10.5.0.255

 

and the routes:

 

> ip route
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
10.5.0.0/24 dev eth1 proto kernel scope link src 10.5.0.11
10.5.11.0/24 via 10.5.0.1 dev eth1
10.5.12.0/24 via 10.5.0.1 dev eth1
10.5.13.0/24 via 10.5.0.1 dev eth1

 

These configurations are described in the FortiNAC deployment guide: FortiNAC deployment guide.
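As an added example (not part of the original article and not a FortiNAC tool), the following Python script parses the `ifconfig` and `ip route` output shown above and checks it against the IP plan: a management address on eth0, every eth1 alias inside one isolation subnet, the default route leaving via eth0, and one route per isolation pool via a gateway on the eth1 subnet. The mapping of the three routed /24 networks to the ISOL, REG and REM pools is an assumption, since the article only shows the routes.

```python
import ipaddress
import re

# Constructed copy of the CLI output shown in the article (used here as sample input).
IFCONFIG_OUTPUT = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.5 netmask 255.255.255.0 broadcast 10.0.0.255

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.5.0.11 netmask 255.255.255.0 broadcast 10.5.0.255

eth1:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.5.0.12 netmask 255.255.255.0 broadcast 10.5.0.255

eth1:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.5.0.13 netmask 255.255.255.0 broadcast 10.5.0.255
"""

IP_ROUTE_OUTPUT = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
10.5.0.0/24 dev eth1 proto kernel scope link src 10.5.0.11
10.5.11.0/24 via 10.5.0.1 dev eth1
10.5.12.0/24 via 10.5.0.1 dev eth1
10.5.13.0/24 via 10.5.0.1 dev eth1
"""

# Isolation DHCP pools that must be reachable through eth1. The mapping of the three
# routed /24 networks to the ISOL/REG/REM pools is an assumption made for this example.
ISOLATION_POOLS = {
    "ISOL": ipaddress.ip_network("10.5.11.0/24"),
    "REG": ipaddress.ip_network("10.5.12.0/24"),
    "REM": ipaddress.ip_network("10.5.13.0/24"),
}


def parse_ifconfig(text):
    """Map each interface name (aliases such as eth1:1 included) to its IPv4 interfaces."""
    addrs = {}
    current = None
    for line in text.splitlines():
        head = re.match(r"^(\S+):\s+flags=", line)
        if head:
            current = head.group(1)
            continue
        inet = re.match(r"^\s*inet (\S+) netmask (\S+)", line)
        if inet and current:
            # ipaddress accepts a dotted netmask after the slash
            addrs.setdefault(current, []).append(
                ipaddress.ip_interface(f"{inet.group(1)}/{inet.group(2)}"))
    return addrs


def parse_routes(text):
    """Return (destination, gateway-or-None, device) tuples from 'ip route' output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = ipaddress.ip_network("0.0.0.0/0" if parts[0] == "default" else parts[0])
        gw = ipaddress.ip_address(parts[parts.index("via") + 1]) if "via" in parts else None
        routes.append((dest, gw, parts[parts.index("dev") + 1]))
    return routes


def check_l3_plan(ifconfig_text, route_text, mgmt_iface="eth0", isol_iface="eth1"):
    """Return a list of findings; an empty list means the layout matches the design."""
    findings = []
    addrs = parse_ifconfig(ifconfig_text)
    routes = parse_routes(route_text)

    if not addrs.get(mgmt_iface):
        findings.append(f"{mgmt_iface} has no IPv4 address")

    # eth1 and all of its aliases (eth1:1, eth1:2, ...) must sit in one isolation subnet
    isol_addrs = [a for name, lst in addrs.items()
                  if name.split(":")[0] == isol_iface for a in lst]
    isol_net = isol_addrs[0].network if isol_addrs else None
    if isol_net is None:
        findings.append(f"{isol_iface} has no IPv4 address")
    for a in isol_addrs[1:]:
        if a.network != isol_net:
            findings.append(f"alias {a} is outside the isolation subnet {isol_net}")

    # the default route must leave through the management interface, never eth1
    default = [r for r in routes if r[0].prefixlen == 0]
    if not default or default[0][2] != mgmt_iface:
        findings.append(f"default route missing or not via {mgmt_iface}")

    # every isolation pool needs a route via a gateway on the isolation subnet
    for name, pool in ISOLATION_POOLS.items():
        hit = [r for r in routes if r[0] == pool]
        if not hit:
            findings.append(f"no route for {name} pool {pool}")
            continue
        _, gw, dev = hit[0]
        if dev != isol_iface or gw is None or isol_net is None or gw not in isol_net:
            findings.append(f"route for {name} pool {pool} is not via a gateway on {isol_iface}")
    return findings


if __name__ == "__main__":
    for finding in check_l3_plan(IFCONFIG_OUTPUT, IP_ROUTE_OUTPUT) or ["IP plan OK"]:
        print(finding)
```

On a live appliance the two constants can be replaced with the output of `ifconfig` and `ip route`; a non-empty findings list points at the ConfigWizard step (interface or DHCP pool) that needs to be revisited before the network devices are added.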

 

  2. Adding FortiGate in FortiNAC.

After adding a switch to the FortiGate, or after other changes such as adding a VLAN interface, a resynchronization is needed: right-click the FortiGate and select 'Resync Interfaces'. In the model configuration (Virtualized Devices) the VLANs need to be tied to the isolation networks:

 

kombo.png

 

Group membership at the port level to enforce Registration and VLAN assignments:

 

group-member.PNG

 

When a host that is unknown to FortiNAC (a Rogue) connects to port3 of the switch, it will be placed in the Registration VLAN:

 

rogue.PNG

  3. Configuring FortiGate/FortiSwitch and following the network changes.

In this example, RADIUS is not configured on the switch, so no security policy is applied on the switch ports. All the configuration is done on the FortiGate only.

 

To get a fast response to VLAN changes and better visibility, configuring Syslog is recommended as a quick and effective solution. The configuration is done via the FortiGate CLI:

 

config log syslogd setting
    set status enable
    set server "fnac.eb.eu"
    set source-ip "10.0.0.1"
...
config switch-controller global
    set mac-event-logging enable
...
config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter "(logid 0115032615 0115032616 0115032617)"
        next
    end
end

 

If syslogd is already configured for another syslog server, then syslogd2 or syslogd3 can be configured for FortiNAC.
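As an added example (not part of the original article or of FortiOS), the following Python code shows what the free-style filter above actually forwards: it parses FortiOS key=value syslog records, keeps only event records with one of the three MAC-event log IDs, and builds a per-MAC timeline of port and VLAN, which is a convenient way to audit that the FortiGate is really sending the MAC events FortiNAC relies on. The sample records are constructed; `logid`, `type` and `subtype` follow the FortiOS convention, while the `mac`, `vlan` and `portname` fields and the timestamps are illustrative assumptions, not verified FortiOS field names.

```python
import re

# Log IDs that the article's free-style filter forwards to FortiNAC (FortiSwitch MAC events).
MAC_EVENT_LOGIDS = {"0115032615", "0115032616", "0115032617"}

# Constructed sample records in FortiOS key=value syslog style. Fields other than
# logid/type/subtype are assumptions made for this example.
SAMPLE_LOGS = [
    'date=2023-09-01 time=10:00:01 devname="FGT-1" logid="0115032615" type="event" '
    'subtype="switch-controller" level="notice" mac="aa:bb:cc:00:00:01" vlan=512 portname="port3"',
    'date=2023-09-01 time=10:00:02 devname="FGT-1" logid="0100032001" type="event" '
    'subtype="system" level="notice" msg="Administrator logged in"',
    'date=2023-09-01 time=10:00:05 devname="FGT-1" logid="0115032617" type="event" '
    'subtype="switch-controller" level="notice" mac="aa:bb:cc:00:00:01" vlan=560 portname="port3"',
    'date=2023-09-01 time=10:00:06 devname="FGT-1" logid="0000000013" type="traffic" '
    'subtype="forward" srcip=10.5.12.50 dstip=10.5.0.11 action="accept"',
]

# key="quoted value" or key=bare-value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_record(line):
    """Split one key=value record into a dict, handling quoted and bare values."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def filter_mac_events(lines, logids=MAC_EVENT_LOGIDS):
    """Emulate the syslogd free-style filter: category event and the listed logids only."""
    kept = []
    for line in lines:
        rec = parse_fortios_record(line)
        if rec.get("type") == "event" and rec.get("logid") in logids:
            kept.append(rec)
    return kept


def mac_vlan_timeline(lines):
    """Per MAC address, the sequence of (port, vlan) seen in the forwarded events:
    this is what FortiNAC gets to react to, and a quick audit of VLAN moves per port."""
    timeline = {}
    for rec in filter_mac_events(lines):
        timeline.setdefault(rec["mac"], []).append((rec.get("portname"), rec.get("vlan")))
    return timeline


if __name__ == "__main__":
    for mac, moves in mac_vlan_timeline(SAMPLE_LOGS).items():
        print(mac, moves)
```

If the timeline stays empty while hosts are clearly changing VLANs, the usual suspects are `mac-event-logging` not being enabled, the free-style filter not matching, or the syslog source IP not being routed to the FortiNAC management interface.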

 

Configuring the isolation VLAN in FortiGate for the managed Switch (port5 is the FortiLink port in this setup):

 

REG VLAN.PNG

 

In order for the portal redirection to work smoothly, the DHCP server must be configured as a relay.

 

Here it can be seen that FortiNAC has enforced the Registration VLAN (512) on the switch port (as the native VLAN) when an unknown device is connected to that port:

 

reg enforced vlan.PNG

 

A firewall policy needs to be created that allows communication with the FortiNAC eth1 interface only and blocks all other access.
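As an added example (not part of the original article, and a model rather than FortiGate policy syntax), the following Python code expresses the intent of that policy and checks it against a set of constructed flows: a host in the Registration pool may reach only the FortiNAC eth1 addresses on the services an isolated host needs (DNS, the captive portal over HTTP/HTTPS and the agent), and everything else, including the FortiNAC management interface, the production network and the internet, falls into the implicit deny. The Registration pool being 10.5.12.0/24 and the agent port are assumptions; DHCP is left out because the FortiGate itself relays it.

```python
import ipaddress

# Addresses from the article's IP plan
FNAC_ISOLATION_IPS = {ipaddress.ip_address(a) for a in ("10.5.0.11", "10.5.0.12", "10.5.0.13")}
FNAC_MGMT_IP = ipaddress.ip_address("10.0.0.5")
REGISTRATION_POOL = ipaddress.ip_network("10.5.12.0/24")   # assumed to be the REG DHCP pool

# Services an isolated host needs from the isolation interface. The agent port is an
# assumption for this example; use the value from your own deployment.
AGENT_PORT = 4568
ALLOWED_SERVICES = {("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443),
                    ("tcp", AGENT_PORT), ("udp", AGENT_PORT)}


def registration_vlan_policy(src, dst, proto, dport):
    """Decision the FortiGate policy for the Registration VLAN should make for one flow:
    accept only the required services towards the isolation interface; everything else
    is caught by the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in REGISTRATION_POOL:
        return "deny"      # the policy is bound to the isolation VLAN as source
    if dst in FNAC_ISOLATION_IPS and (proto, dport) in ALLOWED_SERVICES:
        return "accept"
    return "deny"


def audit_policy(flows):
    """Run expected decisions through the model; return the flows whose result differs."""
    mismatches = []
    for src, dst, proto, dport, expected in flows:
        got = registration_vlan_policy(src, dst, proto, dport)
        if got != expected:
            mismatches.append((src, dst, proto, dport, expected, got))
    return mismatches


# Constructed test flows: a guest in the REG pool talking to FortiNAC and elsewhere
TEST_FLOWS = [
    ("10.5.12.50", "10.5.0.11", "udp", 53, "accept"),    # DNS replies point at the portal
    ("10.5.12.50", "10.5.0.11", "tcp", 443, "accept"),   # captive portal
    ("10.5.12.50", "10.5.0.11", "tcp", 22, "deny"),      # no SSH to FortiNAC from isolation
    ("10.5.12.50", str(FNAC_MGMT_IP), "tcp", 443, "deny"),  # management interface unreachable
    ("10.5.12.50", "10.0.0.20", "tcp", 445, "deny"),     # no access into the production LAN
    ("10.5.12.50", "203.0.113.10", "tcp", 443, "deny"),  # no internet until registered
]

if __name__ == "__main__":
    print(audit_policy(TEST_FLOWS) or "policy model matches expectations")
```

The same flow list doubles as a test plan: once the FortiGate policy exists, each row can be tried from a host in the Registration VLAN and compared with the expected column, which catches an accidentally broad destination or service set before guests use the portal.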

 

Below is the screen of the guest host: the 'ipconfig /all' output and the browser redirection (done via DNS) to the Registration portal page:

 

isolated host.png

After a successful login, the host is moved to the Guest VLAN (enforced by FortiNAC) and the switch port is bounced to trigger an IP release on the end host:

 

guesti.PNG

 

The host will now receive an IP address from VLAN 560 and the browser will be redirected to the custom success page.

 

These configurations are also explained in the integration guide for FortiLink mode: FortiSwitch Integration.

 

Port change history as seen from FortiNAC, from the Default to the Registration and then the Guest VLAN:

 

port changes.PNG

Additional configurations are required in FortiNAC to do the portal login or guest self-registration.

 

Related article:

Technical Tip: FortiNAC Guest Captive Portal configuration and workflow.