
FortiWiFi and FortiAP Configuration Guide

Configuring wireless NAC support

The wireless controller can support Network Access Control (NAC) profiles to onboard wireless clients into default VLANs. It can also apply NAC policies to match clients based on device properties, user groups, or EMS tags, and then assign the clients to specific VLANs. VLAN subinterfaces based on VAP interfaces are used for the VLAN assignments.

When a wireless client first connects, it is assigned to the default (onboarding) VLAN set in the NAC profile. After the client information is captured, if it matches a NAC policy, the client is disconnected and, when it reconnects, it is assigned to the VLAN specified by the SSID policy that the NAC policy references.

The device properties that can be matched include: MAC address, hardware vendor, type, family, operating system, hardware version, software version, host, user, and source. MAC address, host name, and the fingerprinted properties are asserted by, or inferred from, the client's own traffic and can be spoofed by an endpoint. A policy that moves clients to a more trusted VLAN is therefore safer when it uses the user-group or EMS-tag categories, which are bound to a successful 802.1X authentication or to an endpoint registered with FortiClient EMS.

Example

In this example, two wireless clients connect to the same SSID. A NAC profile onboards both into the vap_v100 VLAN, and NAC policies then match Client-1 by its MAC address, user group, or EMS tag and move it to vap_v200.

The client information is captured after up to two minutes. When Client-1 matches a NAC policy, the wireless controller disconnects it; when it reconnects, it is assigned to the VLAN specified by the SSID policy that the NAC policy references. Until that happens, every client sits in the onboarding VLAN, so the firewall policies that apply to vap_v100 should allow only what an unclassified device needs.

To configure the VAP, interfaces, profiles, and SSID policy in the GUI
  1. Go to WiFi & Switch Controller > NAC Policies and click Create New to create a NAC policy.
  2. Enter a Name for the NAC policy and select the Category you want to base it on (Device, User, EMS Tag).
  3. Configure the match patterns for the Category you selected.
  4. In the Wireless Controller Action section, enable Assign VLAN and select the VLAN to assign to matching clients.
  5. When you are finished, click OK.
  6. Go to WiFi & Switch Controller > SSIDs and select the SSID you want to apply the NAC policy to.
  7. Enable NAC Profile and select the NAC profile that onboards clients into the default VLAN.
  8. Click OK to apply the changes.

To configure the VAP, interfaces, profiles, and SSID policy in the CLI
  1. Create the VAP SSID:

    config wireless-controller vap
        edit "wifi.fap.01"
            set ssid "wifi-ssid.fap.01"
            set passphrase **********
            set schedule "always"
        next
    end
  2. Create two VLAN interfaces under the VAP. Device identification is enabled on each so the controller can collect the device properties that NAC policies match on:

    config system interface
        edit "vap_v100"
            set vdom "vdom1"
            set ip 10.100.1.1 255.255.255.0
            set allowaccess ping
            set device-identification enable
            set role lan
            set snmp-index 37
            set interface "wifi.fap.01"
            set vlanid 100
        next
        edit "vap_v200"
            set vdom "vdom1"
            set ip 10.101.1.1 255.255.255.0
            set allowaccess ping
            set device-identification enable
            set role lan
            set snmp-index 40
            set interface "wifi.fap.01"
            set vlanid 200
        next
    end
  3. Create the wireless NAC profile that sets the onboarding VLAN:

    config wireless-controller nac-profile
        edit "wifi-nac-profile-1"
            set onboarding-vlan "vap_v100"
        next
    end
  4. Select the wireless NAC profile in the VAP:

    config wireless-controller vap
        edit "wifi.fap.01"
            set nac enable
            set nac-profile "wifi-nac-profile-1"
        next
    end
  5. Create the SSID policy that NAC policies reference to assign the target VLAN:

    config wireless-controller ssid-policy
        edit "wifi-ssid-policy-1"
            set vlan "vap_v200"
        next
    end
  6. Create NAC policies to match clients based on Device properties, User groups, or EMS tags.

Device properties

This policy matches clients with the MAC address f8:e4:e3:d8:5e:af.

To match a wireless client based on its MAC address
  1. Create a NAC policy that matches wireless clients with a specific MAC address:

    config user nac-policy
        edit "wifi-nac-policy-1"
            set category device
            set mac "f8:e4:e3:d8:5e:af"
            set ssid-policy "wifi-ssid-policy-1"
        next
    end

    When both clients first connect, they are onboarded into the vap_v100 VLAN:

    # diagnose wireless-controller wlac -d sta online
       vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=100 ip=10.100.1.10 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=fosqa-PowerEdge-R210 user= group= signal=-45 noise=-95 idle=1 bw=2 use=6 chan=157 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2
       vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=100 ip=10.100.1.11 ip6=:: mac=48:ee:0c:23:43:d1 vci= host=wifi-qa-01 user= group= signal=-25 noise=-95 idle=14 bw=0 use=6 chan=157 radio_type=11AC security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2

    After the client information is collected, Client-1 matches the policy. It is disconnected, then reconnects and is assigned to the vap_v200 VLAN in accordance with the NAC policy:

    # diagnose wireless-controller wlac -d sta online
       vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=200 ip=10.101.1.10 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=fosqa-PowerEdge-R210 user= group= signal=-24 noise=-95 idle=0 bw=7 use=6 chan=157 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2
       vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=100 ip=10.100.1.11 ip6=:: mac=48:ee:0c:23:43:d1 vci= host=wifi-qa-01 user= group= signal=-25 noise=-95 idle=0 bw=4 use=6 chan=157 radio_type=11AC security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2
  2. Verify that Client-1 matched the policy, and Client-2 did not:

    # diagnose wireless-controller wlac_hlp -c sta-nac
    
    STA (001/002) vfid,mac: 1, 48:ee:0c:23:43:d1
        ip                    : 10.100.1.11
        wlan                  : wifi.fap.01(tunnel)
        vlan-id(oper/dflt)    : 100/100
        matched nac-policy    : N/A
    STA (002/002) vfid,mac: 1, f8:e4:e3:d8:5e:af
        ip                    : 10.101.1.10
        wlan                  : wifi.fap.01(tunnel)
        vlan-id(oper/dflt)    : 200/100
        matched nac-policy    : wifi-nac-policy-1

User groups

This policy matches clients that are authenticated in the group_local user group.

To match a wireless client based on its user group
  1. Change the security mode to WPA2 Enterprise only and add the user groups to the VAP, so that the group a client authenticates into is known to the controller:

    config wireless-controller vap
        edit "wifi.fap.01"
            set security wpa2-only-enterprise
            set auth usergroup
            set usergroup "group_local" "group_radius"
            set schedule "always"
        next
    end
  2. Create a NAC policy that matches wireless clients that are authenticated in a specific user group:

    config user nac-policy
        edit "wifi-nac-policy-2"
            set category firewall-user
            set user-group "group_local"
            set ssid-policy "wifi-ssid-policy-1"
        next
    end

    When both clients first connect, they are onboarded into the vap_v100 VLAN:

    # diagnose wireless-controller wlac -d sta online
       vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=100 ip=10.100.1.10 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=fosqa-PowerEdge-R210 user=local group=group_local signal=-45 noise=-95 idle=1 bw=2 use=6 chan=157 radio_type=11AX_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no online=yes mimo=2
       vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=100 ip=10.100.1.11 ip6=:: mac=48:ee:0c:23:43:d1 vci= host=wifi-qa-01 user=tester group=group_radius signal=-24 noise=-95 idle=27 bw=0 use=6 chan=157 radio_type=11AC security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no online=yes mimo=2

    After the client information is collected, Client-1 matches the policy. It is disconnected, then reconnects and is assigned to the vap_v200 VLAN in accordance with the NAC policy:

    # diagnose wireless-controller wlac -d sta online
       vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=200 ip=10.101.1.10 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=fosqa-PowerEdge-R210 user=local group=group_local signal=-20 noise=-95 idle=1 bw=9 use=6 chan=157 radio_type=11AX_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no online=yes mimo=2
       vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=100 ip=10.100.1.11 ip6=:: mac=48:ee:0c:23:43:d1 vci= host=wifi-qa-01 user=tester group=group_radius signal=-24 noise=-95 idle=35 bw=0 use=6 chan=157 radio_type=11AC security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no online=yes mimo=2
  3. Verify that Client-1 matched the policy, and Client-2 did not:

    # diagnose wireless-controller wlac_hlp -c sta-nac
    
    STA (001/002) vfid,mac: 1, 48:ee:0c:23:43:d1
        ip                    : 10.100.1.11
        wlan                  : wifi.fap.01(tunnel)
        vlan-id(oper/dflt)    : 100/100
        matched nac-policy    : N/A
    STA (002/002) vfid,mac: 1, f8:e4:e3:d8:5e:af
        ip                    : 10.101.1.10
        wlan                  : wifi.fap.01(tunnel)
        vlan-id(oper/dflt)    : 200/100
        matched nac-policy    : wifi-nac-policy-2

EMS tags

This policy matches clients that carry the specified EMS tag. The FortiClient EMS connector must already be configured; see Synchronizing FortiClient EMS tags and configurations for details.

To match a wireless client based on its EMS tag
  1. Find the EMS tag:

    # diagnose firewall dynamic list
    MAC_FCTEMSTA20002318_ems135_winOS_tag(total-addr: 2): ID(62)
            MAC(F0:B4:D2:AB:E0:09)
            MAC(10:C3:7B:9C:46:AA)
  2. Create a NAC policy that matches a wireless client with that tag:

    config user nac-policy
        edit "wifi-nac-policy-3"
            set category ems-tag
            set ems-tag "MAC_FCTEMSTA20002318_ems135_winOS_tag"
            set ssid-policy "wifi-ssid-policy-1"
        next
    end

    When both clients first connect, they are onboarded into the vap_v100 VLAN. After the client information is collected, Client-1 matches the policy. It is disconnected, then reconnects and is assigned to the vap_v200 VLAN in accordance with the NAC policy:

    # diagnose wireless-controller wlac -d sta online
      wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=200 ip=10.101.1.11 ip6=fe80::add7:9b4a:cd39:e65c mac=f0:b4:d2:ab:e0:09 vci=MSFT 5.0 host=DESKTOP-05HBKE1 user= group= signal=-52 noise=-95 idle=6 bw=0 use=6 chan=40 radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2
                    ip6=*fe80::add7:9b4a:cd39:e65c,256,
  3. Verify that Client-1 matched the policy, and Client-2 did not:

    # diagnose wireless-controller wlac_hlp -c sta-nac
    
    STA (001/002) vfid,mac: 1, 48:ee:0c:23:43:d1
        ip                    : 10.100.1.11
        wlan                  : wifi.fap.01(tunnel)
        vlan-id(oper/dflt)    : 100/100
        matched nac-policy    : N/A
    STA (002/002) vfid,mac: 1, f8:e4:e3:d8:5e:af
        ip                    : 10.101.1.10
        wlan                  : wifi.fap.01(tunnel)
        vlan-id(oper/dflt)    : 200/100
        matched nac-policy    : wifi-nac-policy-3
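The verification step in each of the three sections above is the same: read the sta online and sta-nac diagnostics and confirm, by eye, that the right client moved to the right VLAN and that nothing else did. The following script is an added example, not part of the Fortinet guide and not FortiOS code; it parses pasted output of diagnose wireless-controller wlac -d sta online, diagnose wireless-controller wlac_hlp -c sta-nac and diagnose firewall dynamic list, and cross-checks them so the same verification can be run over many clients. Beyond what the page shows, it also flags the case a practitioner most wants to catch: a client sitting on a non-onboarding VLAN with no matched NAC policy. The sample outputs are constructed from the lines shown on this page; the ONBOARDING_VLAN value and the EXPECTED table (which policy each known MAC must match) are assumptions for this example.

```python
"""Audit FortiOS wireless NAC state from pasted CLI diagnostics (added example, not Fortinet code).

Parses 'diagnose wireless-controller wlac -d sta online', 'diagnose wireless-controller
wlac_hlp -c sta-nac' and 'diagnose firewall dynamic list' output, then reports clients whose
VLAN does not agree with the NAC policy the controller says they matched. The samples are
constructed from the page's outputs; ONBOARDING_VLAN and EXPECTED are assumptions.
"""
import re

KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")       # key=value; value may hold spaces (vci=MSFT 5.0)
STA_HDR_RE = re.compile(r"STA \(\d+/\d+\) vfid,mac:\s*\d+,\s*([0-9a-fA-F:]{17})")
FIELD_RE = re.compile(r"^\s+(.+?)\s*:\s*(.*)$")       # e.g. '    vlan-id(oper/dflt)    : 200/100'
TAG_HDR_RE = re.compile(r"^(\S+)\(total-addr:\s*\d+\):")
TAG_MAC_RE = re.compile(r"MAC\(([0-9A-Fa-f:]{17})\)")
ONBOARDING_VLAN = "100"                                # vap_v100 in the guide; assumed for this audit
EXPECTED = {"f8:e4:e3:d8:5e:af": "wifi-nac-policy-1"}  # assumed: policy each known client must match

# Constructed samples, copied from the diagnostic output shown on the page.
STA_ONLINE = """\
vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=200 ip=10.101.1.10 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=fosqa-PowerEdge-R210 user= group= signal=-24 noise=-95 idle=0 bw=7 use=6 chan=157 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2
vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=100 ip=10.100.1.11 ip6=:: mac=48:ee:0c:23:43:d1 vci= host=wifi-qa-01 user= group= signal=-25 noise=-95 idle=0 bw=4 use=6 chan=157 radio_type=11AC security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2
wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=200 ip=10.101.1.11 ip6=fe80::add7:9b4a:cd39:e65c mac=f0:b4:d2:ab:e0:09 vci=MSFT 5.0 host=DESKTOP-05HBKE1 user= group= signal=-52 noise=-95 idle=6 bw=0 use=6 chan=40 radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2
                    ip6=*fe80::add7:9b4a:cd39:e65c,256,
"""
STA_NAC = """\
STA (001/002) vfid,mac: 1, 48:ee:0c:23:43:d1
    ip                    : 10.100.1.11
    wlan                  : wifi.fap.01(tunnel)
    vlan-id(oper/dflt)    : 100/100
    matched nac-policy    : N/A
STA (002/002) vfid,mac: 1, f8:e4:e3:d8:5e:af
    ip                    : 10.101.1.10
    wlan                  : wifi.fap.01(tunnel)
    vlan-id(oper/dflt)    : 200/100
    matched nac-policy    : wifi-nac-policy-1
"""
DYNAMIC_LIST = """\
MAC_FCTEMSTA20002318_ems135_winOS_tag(total-addr: 2): ID(62)
        MAC(F0:B4:D2:AB:E0:09)
        MAC(10:C3:7B:9C:46:AA)
"""

def parse_sta_online(text):
    """Return {mac: {field: value}} from 'wlac -d sta online' output."""
    clients = {}
    for line in text.splitlines():
        rec = dict(KV_RE.findall(line))
        if "mac" in rec:                               # continuation lines (ip6=...) carry no mac
            clients[rec["mac"].lower()] = rec
    return clients

def parse_sta_nac(text):
    """Return {mac: {field: value}} from 'wlac_hlp -c sta-nac' output."""
    clients, cur = {}, None
    for line in text.splitlines():
        if (m := STA_HDR_RE.search(line)):
            cur = clients.setdefault(m.group(1).lower(), {})
        elif (m := FIELD_RE.match(line)) and cur is not None:
            cur[m.group(1)] = m.group(2)
    return clients

def parse_dynamic_list(text):
    """Return {tag: {mac, ...}} from 'diagnose firewall dynamic list' output."""
    tags, cur = {}, None
    for line in text.splitlines():
        if (m := TAG_HDR_RE.match(line.strip())):
            cur = tags.setdefault(m.group(1), set())
        elif (m := TAG_MAC_RE.search(line)) and cur is not None:
            cur.add(m.group(1).lower())
    return tags

def audit(online, nac, tags=None, expected=None):
    """Return findings as strings; an empty list means the controller state is consistent."""
    out = []
    for mac, rec in nac.items():
        oper, dflt = rec.get("vlan-id(oper/dflt)", "0/0").split("/")
        policy = rec.get("matched nac-policy", "N/A")
        if policy == "N/A" and oper != dflt:          # left the onboarding VLAN with no policy: investigate
            out.append(f"{mac}: on VLAN {oper} with no matched NAC policy")
        if policy != "N/A" and oper == dflt:          # matched, but the reconnect has not happened yet
            out.append(f"{mac}: matched {policy} but still on onboarding VLAN {oper}")
        live = online.get(mac)
        if live and live.get("vlan_id") != oper:      # the two diagnostics disagree about this client
            out.append(f"{mac}: sta-nac reports VLAN {oper}, sta online shows {live['vlan_id']}")
    for mac, want in (expected or {}).items():
        got = nac.get(mac, {}).get("matched nac-policy", "absent")
        if got != want:
            out.append(f"{mac}: expected {want}, controller reports {got}")
    for tag, macs in (tags or {}).items():            # EMS-tagged endpoint still parked in onboarding VLAN
        for mac in macs:
            live = online.get(mac)
            if live and live.get("vlan_id") == ONBOARDING_VLAN:
                out.append(f"{mac}: tagged {tag} but still on onboarding VLAN {ONBOARDING_VLAN}")
    return out

def demo():
    """Audit the page's consistent state, then a constructed anomaly (VLAN 200 with no policy match)."""
    online, nac, tags = parse_sta_online(STA_ONLINE), parse_sta_nac(STA_NAC), parse_dynamic_list(DYNAMIC_LIST)
    clean = audit(online, nac, tags, EXPECTED)
    bad = {m: dict(r) for m, r in nac.items()}
    bad["48:ee:0c:23:43:d1"]["vlan-id(oper/dflt)"] = "200/100"   # constructed: Client-2 reached VLAN 200
    return clean, audit(online, bad, tags, EXPECTED)
```

Run demo() after pasting fresh output into the three sample strings: the page's state audits clean, while the constructed anomaly produces two findings for 48:ee:0c:23:43:d1, one because it sits on VLAN 200 with "matched nac-policy: N/A" and one because sta online still shows it on VLAN 100. A client that leaves the onboarding VLAN without a policy match is the condition worth alerting on, since it means either a stale VAP/VLAN configuration or a client that was moved by something other than the NAC policy.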