Fortinet Document Library

New Features

6.4.0

Extend NAC matching condition to include EMS tags 6.4.2

The EMS server can now generate a dynamic address with a MAC address. A MAC-based EMS tag can be used as a matching condition in a switch controller NAC policy. The EMS server must be running version 6.4.1 or later.

The following example uses synchronized FortiClient EMS tags from the EMS server. For more information, see Synchronizing FortiClient EMS tags and configurations.

To use an EMS tag in a NAC policy in the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies and click Create New.
  2. Enter a policy name.
  3. For Category, select EMS Tag.
  4. In the FortiClient EMS Tag dropdown, select a MAC-based tag.
  5. Configure the other settings as needed.
  6. Click OK.

To use an EMS tag in a NAC policy in the CLI:
  1. Configure the firewall address:
    config firewall address
        edit "MAC_FCTEMS0000100000_ems134_vulner_critical_tag"
            set type dynamic
            set sub-type ems-tag
            set comment ''
            set associated-interface ''
            set color 0
            set obj-type mac
        next
    end
  2. Configure the NAC policy:
    config user nac-policy
        edit "nac01"
            set description ''
            set category ems-tag
            set status enable
            set ems-tag "MAC_FCTEMS0000100000_ems134_win10_tag"
            set switch-fortilink "FortiLink01"
            set switch-auto-auth global
            set switch-port-policy ''
            set switch-mac-policy "nac01"
        next
    end
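
A consistency check for a configuration backup, added here as an example (not Fortinet's code). It assumes, as the CLI steps imply, that a NAC policy's ems-tag should name a dynamic firewall address with sub-type ems-tag and obj-type mac; the function names and the SAMPLE text are constructed, with SAMPLE reusing the two blocks above as printed.

```python
import re

# Constructed input: the page's two CLI blocks, trimmed to the options checked.
SAMPLE = '''
config firewall address
    edit "MAC_FCTEMS0000100000_ems134_vulner_critical_tag"
        set type dynamic
        set sub-type ems-tag
        set obj-type mac
    next
end
config user nac-policy
    edit "nac01"
        set category ems-tag
        set ems-tag "MAC_FCTEMS0000100000_ems134_win10_tag"
    next
end
'''

def parse_tables(text):
    """Return {table path: {entry name: {option: value}}}; flat tables only."""
    tables, table, entry = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r'config (.+)$', line):
            table = tables.setdefault(m.group(1), {})
        elif (m := re.match(r'edit "?([^"]+)"?$', line)) and table is not None:
            entry = table.setdefault(m.group(1), {})
        elif (m := re.match(r'set (\S+) (.*)$', line)) and entry is not None:
            entry[m.group(1)] = m.group(2).strip('"\'')
        elif line in ('next', 'end'):
            entry = None
    return tables

def audit_nac_ems_tags(text):
    """Return (policy, tag, problem) for each ems-tag NAC policy whose tag is unusable."""
    cfg = parse_tables(text)
    addresses, findings = cfg.get('firewall address', {}), []
    for name, policy in cfg.get('user nac-policy', {}).items():
        if policy.get('category') != 'ems-tag':
            continue
        tag = policy.get('ems-tag', '')
        addr = addresses.get(tag)
        if addr is None:
            findings.append((name, tag, 'no matching firewall address'))
        elif (addr.get('type'), addr.get('sub-type'), addr.get('obj-type')) != ('dynamic', 'ems-tag', 'mac'):
            findings.append((name, tag, 'address is not a MAC-based EMS tag'))
    return findings

if __name__ == '__main__':
    print(audit_nac_ems_tags(SAMPLE))
```

On the blocks as printed it reports nac01, because the policy names the win10 tag while the only address object shown is the vulner_critical one.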
