Administration Guide

NAC policies on switch ports

Network access control (NAC) helps administrators implement policies to control the devices and users that have access to their networks. A NAC policy can use user or detected device information, such as device type or OS, to put traffic into a specific VLAN or apply specific port settings.

The NAC function can be enabled on all FortiSwitches, or on specific FortiSwitch ports.

Initially, devices connected to ports with the NAC function enabled are put into an onboarding VLAN. The onboarding VLAN usually has a restrictive security policy, device identification enabled, a DHCP server, and captive portal enabled. The device identification feature collects device information. When the device matches the patterns that are defined in a NAC policy, an action is applied to the device, such as moving it to a specific VLAN or having a security policy applied.
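The placement decision described above (start in the onboarding VLAN, move once a policy pattern matches) can be modelled in a few lines. The following is an added example, not FortiOS code and not from this guide: it assumes shell-style wildcard matching for the OS field (the guide's "Linux*" pattern), first-match ordering of policies, and a hypothetical device-type pattern and second policy that are only here to show how an unidentified device is handled.

```python
"""Model of where a NAC policy places a newly seen device.

Added illustration, not FortiOS code. Assumptions made for this example:
  * a device starts in the onboarding VLAN and stays there until a policy matches;
  * policies are evaluated in list order and the first match wins;
  * the OS and device-type fields are matched with shell-style wildcards
    (case-sensitive here; FortiOS internals are not described by this code).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

ONBOARDING_VLAN = "onboarding"   # name used by the guide's CLI example


@dataclass(frozen=True)
class NacPolicy:
    name: str
    os_pattern: Optional[str] = None       # e.g. "Linux*"; None means "not set"
    device_pattern: Optional[str] = None   # hypothetical device-type pattern
    vlan: str = ONBOARDING_VLAN


@dataclass(frozen=True)
class SeenDevice:
    mac: str
    os: str = ""           # empty until device identification has reported an OS
    device_type: str = ""


# Constructed policy table: the guide's Linux policy plus a hypothetical printer policy.
POLICIES: List[NacPolicy] = [
    NacPolicy("Linux_to_VLAN", os_pattern="Linux*", vlan="vlan_Linux"),
    NacPolicy("Printers_to_VLAN", device_pattern="Printer*", vlan="vlan_printers"),
]


def policy_matches(policy: NacPolicy, device: SeenDevice) -> bool:
    """Every pattern the policy sets must match; unset patterns are ignored."""
    if policy.os_pattern is not None and not fnmatchcase(device.os, policy.os_pattern):
        return False
    if policy.device_pattern is not None and not fnmatchcase(device.device_type, policy.device_pattern):
        return False
    return True


def place_device(device: SeenDevice, policies: List[NacPolicy]) -> Tuple[str, Optional[str]]:
    """Return (vlan, matched_policy_name).

    A device whose identification data matches nothing, including one whose OS
    has not been identified yet, remains in the onboarding VLAN.
    """
    for policy in policies:
        if policy_matches(policy, device):
            return policy.vlan, policy.name
    return ONBOARDING_VLAN, None


if __name__ == "__main__":
    for dev in (SeenDevice("00:0c:29:a9:12:74", os="Linux"),
                SeenDevice("00:0c:29:00:00:01"),                         # not identified yet
                SeenDevice("00:0c:29:00:00:02", os="Windows 10"),
                SeenDevice("00:0c:29:00:00:03", os="Linux", device_type="Printer-X")):
        print(dev.mac, "->", place_device(dev, POLICIES))
```

The last sample device matches both policies; because the Linux policy is listed first it wins, which is why the order in which overlapping policies are defined deserves a check when a more specific VLAN (such as one for printers) is intended to take precedence.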

Note

The list of managed FortiSwitches that a NAC policy can be applied on can contain a reference to a managed FortiSwitch device. When this reference is set by an administrator, it must be removed before the managed switch can be deleted.

To remove a switch from the list:
config user nac-policy
    edit <name>
        unselect switch-scope <switch>
    next
end

Example

In this example, NAC settings are enabled and configured so that a Linux PC is automatically moved into a VLAN dedicated to Linux PCs after it comes online and gets identified.

To configure a NAC policy on a switch in the GUI:
  1. Use the wizard to enable the NAC feature and configure basic settings:
    1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies. If FortiSwitch options are not visible, see Feature visibility for instructions on making them visible.
    2. Click Configure NAC Settings in the message box.

    3. Specify the switch ports that NAC access mode will be enabled on, or enable it on all of them.
    4. Select the onboarding VLAN. If no VLAN exists, click Create in the drop-down menu to create a new NAC VLAN interface.

    5. Click Next.
    6. Create or modify NAC VLANs (also known as FortiSwitch VLANs) that can be used in NAC policies.

    7. Create or edit NAC VLANs as needed. See FortiLink setup for details.
    8. Click Submit.

      The NAC settings can be edited in WiFi & Switch Controller > FortiLink Interface.

      The NAC VLANs can be edited in WiFi & Switch Controller > FortiSwitch VLANs.

    The access mode of the switch ports is changed to NAC and the native VLAN is set to the onboarding VLAN.

  2. Create a NAC VLAN for all Linux PCs:
    1. Go to WiFi & Switch Controller > FortiSwitch VLANs and click Create New.
    2. Set Name to vlan_Linux.

    3. Configure the remaining settings as required.
    4. Click OK.
  3. Create a NAC policy to match all Linux PCs and assign them to the specific VLAN:
    1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies and click Create New.
    2. Enter a name for the policy, such as Linux_to_VLAN.
    3. Enable Operating system and enter Linux* in the field.
    4. Select the Assign VLAN card and set VLAN to vlan_Linux.

    5. Click OK.
  4. After the Linux PC connects, check that it is matched to the policy:
    1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
    2. Select the Linux_to_VLAN policy and click View Matched Devices.

      The Matched Devices pane opens, showing the devices that matched the policy.

    3. Go to WiFi & Switch Controller > FortiSwitch Ports.

      The port that the Linux PC is connected to will include vlan_Linux in the Allowed VLANs column.

To configure a NAC policy on a switch in the CLI:
  1. Configure the FortiLink interface:
    config system interface
        edit "fortilink"
            set vdom "root"
            set fortilink enable
            set ip 169.254.1.1 255.255.255.0
            set allowaccess ping fabric
            set type aggregate
            set member "internal11"
            set lldp-reception enable
            set lldp-transmission enable
            set snmp-index 8
            set auto-auth-extension-device enable
            set switch-controller-nac "fortilink" 
        next
    end
  2. Configure the integrated NAC settings:
    config switch-controller nac-settings
        edit "fortilink"
            set mode global
            set onboarding-vlan "onboarding"
        next
    end
  3. Configure the NAC policy matching pattern to identify matching NAC devices:
    config user nac-policy
        edit "Linux_to_VLAN"
            set os "Linux*"
            set switch-fortilink "fortilink"
            set switch-mac-policy "Linux_to_VLAN"
        next
    end
  4. Configure the MAC policy to be applied on the managed FortiSwitch devices through the NAC device:
    config switch-controller mac-policy
        edit "Linux_to_VLAN"
            set fortilink "fortilink"
            set vlan "vlan_Linux"
        next
    end
  5. View the NAC devices learned on the managed FortiSwitch ports that match the NAC policy:
    show switch-controller nac-device
        config switch-controller nac-device
            edit 1
                set description "auto detected @ 2020-04-01 15:36:24"
                set mac 00:0c:29:a9:12:74
                set last-known-switch "S124EP5918000276"
                set last-known-port "port6"
                set matched-nac-policy "Linux_to_VLAN"
                set mac-policy "Linux_to_VLAN"
            next
        end
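The `show switch-controller nac-device` output in step 5 is the record of which learned devices matched a policy and which are still waiting in the onboarding VLAN. The following added example (not FortiOS code and not part of this guide) parses that output into records and lists the devices that have not matched any policy, grouped by switch and port. The sample text is constructed: the first entry is the one shown above, the second entry (its MAC, timestamp and port) is made up to show an unmatched device.

```python
"""Parse `show switch-controller nac-device` output and audit the results.

Added example, not FortiOS code. The parser assumes the line-oriented
config/edit/set/next/end layout shown in the guide; quoted values may contain
spaces, so each line is tokenised with shlex.
"""
import shlex
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: entry 1 is copied from the guide, entry 2 is made up and
# deliberately has no matched-nac-policy, i.e. it is still in the onboarding VLAN.
SAMPLE_SHOW_OUTPUT = """\
config switch-controller nac-device
    edit 1
        set description "auto detected @ 2020-04-01 15:36:24"
        set mac 00:0c:29:a9:12:74
        set last-known-switch "S124EP5918000276"
        set last-known-port "port6"
        set matched-nac-policy "Linux_to_VLAN"
        set mac-policy "Linux_to_VLAN"
    next
    edit 2
        set description "auto detected @ 2020-04-01 15:41:02"
        set mac 00:0c:29:ff:ee:01
        set last-known-switch "S124EP5918000276"
        set last-known-port "port7"
    next
end
"""


def parse_nac_devices(text: str) -> List[Dict[str, str]]:
    """Return one dict per `edit` block, keyed by the `set` attribute names."""
    devices: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # strips quotes, keeps spaces inside them
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) == 2:
            current = {"id": tokens[1]}
        elif tokens[0] == "set" and current and len(tokens) >= 3:
            current[tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] == "next" and current:
            devices.append(current)
            current = {}
    return devices


def unmatched_devices(devices: List[Dict[str, str]]) -> List[str]:
    """MACs of learned devices that no NAC policy has matched yet."""
    return [d["mac"] for d in devices if not d.get("matched-nac-policy")]


def devices_by_port(devices: List[Dict[str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Group MACs by (switch serial, port) so unmatched devices can be located."""
    grouped: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for d in devices:
        key = (d.get("last-known-switch", "?"), d.get("last-known-port", "?"))
        grouped[key].append(d["mac"])
    return dict(grouped)


if __name__ == "__main__":
    learned = parse_nac_devices(SAMPLE_SHOW_OUTPUT)
    for d in learned:
        print(d["mac"], d.get("last-known-port"), d.get("matched-nac-policy", "<onboarding VLAN>"))
    print("still unmatched:", unmatched_devices(learned))
    print("by port:", devices_by_port(learned))
```

Devices that stay on the unmatched list after identification has had time to run are the ones worth reviewing: either the policy patterns do not cover them, or an unexpected device is sitting on the onboarding VLAN.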

Related Videos

Support NAC Policies on SwitchPorts in FortiOS 6.4