Configuring wireless NAC support
The wireless controller can support Network Access Control (NAC) profiles to onboard wireless clients into default VLANs. It can also apply NAC policies to match clients based on device properties, user groups, or EMS tags, and then assign the clients to specific VLANs. VLAN subinterfaces based on VAP interfaces are used for the VLAN assignments.
When a wireless client first connects, it is assigned to the default VLAN per the NAC profile. After the client information is captured, if it matches a NAC policy, the client is disconnected and, when it reconnects, assigned to the VLAN that is specified by the SSID policy.
The device properties that can be matched include: MAC address, hardware vendor, type, family, operating system, hardware version, software version, host, user, and source.
Example
In this example, NAC profiles are configured to onboard wireless Client-1 into default VLANs based on the device's MAC address, user group, or EMS tag.
When both clients first connect, they are onboarded into the vap_v100 VLAN. The client information is captured after up to two minutes and, if it matches the NAC policy, the wireless controller disconnects the client. When the client reconnects, it is assigned to the VLAN specified by the policy.
To configure the VAP, interfaces, profiles, and SSID policy in the GUI
- Go to WiFi and Switch Controller > NAC Policies and click Create New to create a NAC policy.
- Enter a Name for the NAC policy and select what Category you want to base the NAC policy on (Device, User, EMS Tag).
- Configure the policy device patterns based on the Category you selected.
- In the Wireless Controller Action section, enable Assign VLAN and select which VLAN you want to apply to the policy.
- When you are finished, click OK.
- Go to WiFi and Switch Controller > SSIDs and select the SSID you want to apply the NAC policy to.
- Enable NAC profile and select the NAC policy you want to apply.
- Click OK to apply the changes.
To configure the VAP, interfaces, profiles, and SSID policy in the CLI
- Create the VAP SSID:
    config wireless-controller vap
        edit "wifi.fap.01"
            set ssid "wifi-ssid.fap.01"
            set passphrase **********
            set schedule "always"
        next
    end
- Create two VLAN interfaces under the VAP:
    config system interface
        edit "vap_v100"
            set vdom "vdom1"
            set ip 10.100.1.1 255.255.255.0
            set allowaccess ping
            set device-identification enable
            set role lan
            set snmp-index 37
            set interface "wifi.fap.01"
            set vlanid 100
        next
        edit "vap_v200"
            set vdom "vdom1"
            set ip 10.101.1.1 255.255.255.0
            set allowaccess ping
            set device-identification enable
            set role lan
            set snmp-index 40
            set interface "wifi.fap.01"
            set vlanid 200
        next
    end
- Create the wireless NAC profile:
    config wireless-controller nac-profile
        edit "wifi-nac-profile-1"
            set onboarding-vlan "vap_v100"
        next
    end
- Select the wireless NAC profile in the VAP:
    config wireless-controller vap
        edit "wifi.fap.01"
            set nac enable
            set nac-profile "wifi-nac-profile-1"
        next
    end
- Create the SSID policy:
    config wireless-controller ssid-policy
        edit "wifi-ssid-policy-1"
            set vlan "vap_v200"
        next
    end
- Create NAC policies to match clients based on Device properties, User groups, or EMS tags.
Device properties
This policy matches clients with the MAC address f8:e4:e3:d8:5e:af.
To match a wireless client based on its MAC address
- Create a NAC policy that matches wireless clients with a specific MAC address:
    config user nac-policy
        edit "wifi-nac-policy-1"
            set category device
            set mac "f8:e4:e3:d8:5e:af"
            set ssid-policy "wifi-ssid-policy-1"
        next
    end
When both clients first connect, they are onboarded into the vap_v100 VLAN:
    # diagnose wireless-controller wlac -d sta online
    vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=100 ip=10.100.1.10 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=fosqa-PowerEdge-R210 user= group= signal=-45 noise=-95 idle=1 bw=2 use=6 chan=157 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2
    vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=100 ip=10.100.1.11 ip6=:: mac=48:ee:0c:23:43:d1 vci= host=wifi-qa-01 user= group= signal=-25 noise=-95 idle=14 bw=0 use=6 chan=157 radio_type=11AC security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2
After the client information is collected, Client-1 matches the policy. It is disconnected, then reconnects and is assigned to the vap_v200 VLAN in accordance with the NAC policy:
    # diagnose wireless-controller wlac -d sta online
    vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=200 ip=10.101.1.10 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=fosqa-PowerEdge-R210 user= group= signal=-24 noise=-95 idle=0 bw=7 use=6 chan=157 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2
    vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=100 ip=10.100.1.11 ip6=:: mac=48:ee:0c:23:43:d1 vci= host=wifi-qa-01 user= group= signal=-25 noise=-95 idle=0 bw=4 use=6 chan=157 radio_type=11AC security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2
- Verify that Client-1 matched the policy, and Client-2 did not:
    # diagnose wireless-controller wlac_hlp -c sta-nac
    STA (001/002)
        vfid,mac: 1, 48:ee:0c:23:43:d1
        ip : 10.100.1.11
        wlan : wifi.fap.01(tunnel)
        vlan-id(oper/dflt) : 100/100
        matched nac-policy : N/A
    STA (002/002)
        vfid,mac: 1, f8:e4:e3:d8:5e:af
        ip : 10.101.1.10
        wlan : wifi.fap.01(tunnel)
        vlan-id(oper/dflt) : 200/100
        matched nac-policy : wifi-nac-policy-1
User groups
This policy matches clients that are authenticated in the group_local user group.
To match a wireless client based on its user group
- Change the security mode to WPA2 enterprise only and add a user group in the VAP:
    config wireless-controller vap
        edit "wifi.fap.01"
            set security wpa2-only-enterprise
            set auth usergroup
            set usergroup "group_local" "group_radius"
            set schedule "always"
        next
    end
- Create a NAC policy that matches wireless clients that are authenticated in a specific user group:
    config user nac-policy
        edit "wifi-nac-policy-2"
            set category firewall-user
            set user-group "group_local"
            set ssid-policy "wifi-ssid-policy-1"
        next
    end
When both clients first connect, they are onboarded into the vap_v100 VLAN:
    # diagnose wireless-controller wlac -d sta online
    vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=100 ip=10.100.1.10 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=fosqa-PowerEdge-R210 user=local group=group_local signal=-45 noise=-95 idle=1 bw=2 use=6 chan=157 radio_type=11AX_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no online=yes mimo=2
    vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=100 ip=10.100.1.11 ip6=:: mac=48:ee:0c:23:43:d1 vci= host=wifi-qa-01 user=tester group=group_radius signal=-24 noise=-95 idle=27 bw=0 use=6 chan=157 radio_type=11AC security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no online=yes mimo=2
After the client information is collected, Client-1 matches the policy. It is disconnected, then reconnects and is assigned to the vap_v200 VLAN in accordance with the NAC policy:
    # diagnose wireless-controller wlac -d sta online
    vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=200 ip=10.101.1.10 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=fosqa-PowerEdge-R210 user=local group=group_local signal=-20 noise=-95 idle=1 bw=9 use=6 chan=157 radio_type=11AX_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no online=yes mimo=2
    vf=1 wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=100 ip=10.100.1.11 ip6=:: mac=48:ee:0c:23:43:d1 vci= host=wifi-qa-01 user=tester group=group_radius signal=-24 noise=-95 idle=35 bw=0 use=6 chan=157 radio_type=11AC security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no online=yes mimo=2
- Verify that Client-1 matched the policy, and Client-2 did not:
    # diagnose wireless-controller wlac_hlp -c sta-nac
    STA (001/002)
        vfid,mac: 1, 48:ee:0c:23:43:d1
        ip : 10.100.1.11
        wlan : wifi.fap.01(tunnel)
        vlan-id(oper/dflt) : 100/100
        matched nac-policy : N/A
    STA (002/002)
        vfid,mac: 1, f8:e4:e3:d8:5e:af
        ip : 10.101.1.10
        wlan : wifi.fap.01(tunnel)
        vlan-id(oper/dflt) : 200/100
        matched nac-policy : wifi-nac-policy-2
EMS tags
This policy matches clients that have the specified EMS tag. EMS control must already be configured; see Synchronizing FortiClient EMS tags and configurations for details.
To match a wireless client based on its EMS tag
- Find the EMS tag:
    # diagnose firewall dynamic list
    MAC_FCTEMSTA20002318_ems135_winOS_tag(total-addr: 2): ID(62)
        MAC(F0:B4:D2:AB:E0:09)
        MAC(10:C3:7B:9C:46:AA)
- Create a NAC policy that matches a wireless client with that tag:
    config user nac-policy
        edit "wifi-nac-policy-3"
            set category ems-tag
            set ems-tag "MAC_FCTEMSTA20002318_ems135_winOS_tag"
            set ssid-policy "wifi-ssid-policy-1"
        next
    end
When both clients first connect, they are onboarded into the vap_v100 VLAN. After the client information is collected, Client-1 matches the policy. It is disconnected, then reconnects and is assigned to the vap_v200 VLAN in accordance with the NAC policy:
    # diagnose wireless-controller wlac -d sta online
    wtp=1 rId=2 wlan=wifi.fap.01 vlan_id=200 ip=10.101.1.11 ip6=fe80::add7:9b4a:cd39:e65c mac=f0:b4:d2:ab:e0:09 vci=MSFT 5.0 host=DESKTOP-05HBKE1 user= group= signal=-52 noise=-95 idle=6 bw=0 use=6 chan=40 radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2 ip6=*fe80::add7:9b4a:cd39:e65c,256,
- Verify that Client-1 matched the policy, and Client-2 did not:
    # diagnose wireless-controller wlac_hlp -c sta-nac
    STA (001/002)
        vfid,mac: 1, 48:ee:0c:23:43:d1
        ip : 10.100.1.11
        wlan : wifi.fap.01(tunnel)
        vlan-id(oper/dflt) : 100/100
        matched nac-policy : N/A
    STA (002/002)
        vfid,mac: 1, f8:e4:e3:d8:5e:af
        ip : 10.101.1.10
        wlan : wifi.fap.01(tunnel)
        vlan-id(oper/dflt) : 200/100
        matched nac-policy : wifi-nac-policy-3
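As an added example that is not part of the FortiOS documentation or its CLI: a small Python audit that parses the sta-nac listing used in the three verification steps above and flags any client whose operating VLAN disagrees with the NAC policy it matched. The sample listing and the policy-to-VLAN map are constructed from this page's configuration (every NAC policy points at wifi-ssid-policy-1, whose interface vap_v200 carries vlanid 200); the same check works over a saved listing from a live controller.

```python
import re

# Constructed sample, modelled on the page's "wlac_hlp -c sta-nac" listing.
STA_NAC_OUTPUT = """\
STA (001/002)
    vfid,mac: 1, 48:ee:0c:23:43:d1
    ip : 10.100.1.11
    wlan : wifi.fap.01(tunnel)
    vlan-id(oper/dflt) : 100/100
    matched nac-policy : N/A
STA (002/002)
    vfid,mac: 1, f8:e4:e3:d8:5e:af
    ip : 10.101.1.10
    wlan : wifi.fap.01(tunnel)
    vlan-id(oper/dflt) : 200/100
    matched nac-policy : wifi-nac-policy-1
"""
# Expected VLAN per NAC policy, from the page's config: all three policies use
# ssid-policy wifi-ssid-policy-1, whose interface vap_v200 carries vlanid 200.
POLICY_VLAN = {"wifi-nac-policy-1": 200, "wifi-nac-policy-2": 200,
               "wifi-nac-policy-3": 200}

def parse_sta_nac(text):
    """One dict per STA block: mac, ip, oper/dflt VLAN ids and matched policy."""
    stations = []
    for block in re.split(r"^STA \(\d+/\d+\)\s*$", text, flags=re.M)[1:]:
        # Detail lines are "key : value"; the first colon terminates the key.
        fields = dict(re.findall(r"^\s*(.+?)\s*:\s*(.*?)\s*$", block, flags=re.M))
        oper, dflt = (int(v) for v in fields["vlan-id(oper/dflt)"].split("/"))
        stations.append({"mac": fields["vfid,mac"].split(",")[1].strip(),
                         "ip": fields["ip"], "oper": oper, "dflt": dflt,
                         "policy": fields["matched nac-policy"]})
    return stations

def audit(stations, policy_vlan=POLICY_VLAN):
    """Return (mac, reason) for each station whose VLAN disagrees with its NAC result."""
    findings = []
    for s in stations:
        if s["policy"] == "N/A":
            # An unmatched client must remain on the onboarding (default) VLAN.
            if s["oper"] != s["dflt"]:
                findings.append((s["mac"], f"no NAC match but on VLAN {s['oper']}"))
        elif s["policy"] not in policy_vlan:
            findings.append((s["mac"], f"unknown nac-policy {s['policy']}"))
        elif s["oper"] != policy_vlan[s["policy"]]:
            # Still on the onboarding VLAN: inside the capture window (up to two
            # minutes) or the client was disconnected but never reconnected.
            findings.append((s["mac"], f"matched {s['policy']} but on VLAN {s['oper']}"))
    return findings
```

A client that is reported as matched but still sits on the onboarding VLAN after the two-minute capture window is the case worth chasing, since it keeps access to the default VLAN rather than the one the policy intended.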